UNITED STATES OF AMERICA
BEFORE THE
FEDERAL ENERGY REGULATORY COMMISSION
NORTH AMERICAN ELECTRIC
RELIABILITY CORPORATION
)
)
Docket No. RD13-_____
PETITION OF THE
NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
FOR APPROVAL OF PROPOSED RELIABILITY STANDARD
EOP-004-2 – EVENT REPORTING
Gerald W. Cauley
President and Chief Executive Officer
North American Electric Reliability
Corporation
3353 Peachtree Road, N.E.
Suite 600, North Tower
Atlanta, GA 30326
(404) 446-2560
(404) 446-2595– facsimile
Charles A. Berardesco
Senior Vice President and General Counsel
Holly A. Hawkins
Assistant General Counsel
Stacey Tyrewala
Attorney
North American Electric Reliability
Corporation
1325 G Street, N.W., Suite 600
Washington, D.C. 20005
(202) 400-3000
(202) 644-8099– facsimile
charlie.berardesco@nerc.net
holly.hawkins@nerc.net
stacey.tyrewala@nerc.net
Counsel for the North American Electric
Reliability Corporation
December 31, 2012
TABLE OF CONTENTS
I. Executive Summary
II. Notices and Communications
III. Background
a. Regulatory Framework
b. NERC Reliability Standards Development Procedure
c. History of Project 2009-01, Disturbance and Sabotage Reporting
IV. Justification for Approval of the Proposed Reliability Standard
a. Basis and Purpose of Proposed Standard and Improvements in this Revision
b. Enforceability of the Proposed Reliability Standard
V. Summary of the Reliability Standard Development Proceedings
a. Overview of the Standard Drafting Team
b. Standard Authorization Request Development
c. First Posting – Informal Comment Period
d. Second Posting – Informal Comment Period
e. Third Posting – Formal Comment Period and Initial Ballot and Non-Binding Poll
f. Fourth Posting – Formal Comment Period and Successive Ballot and Non-Binding Poll
g. Fifth Posting – Formal Comment Period and Successive Ballot and Non-Binding Poll
h. Sixth Posting – Recirculation Ballot and Non-Binding Poll
i. Board of Trustees Approval of EOP-004-2
VI. Conclusion
Exhibit A — Order No. 672 Criteria
Exhibit B — Proposed Reliability Standard EOP-004-2 Submitted for Approval
Exhibit C — Implementation Plan for Proposed Reliability Standard EOP-004-2 Submitted for
Approval
Exhibit D — Consideration of Comments
Exhibit E — Analysis of how VRFs and VSLs Were Determined Using Commission Guidelines
Exhibit F — Record of Development of Proposed Reliability Standard
Exhibit G — Standard Drafting Team Roster for NERC Standards Development Project 2009-01
The North American Electric Reliability Corporation (“NERC”)1 hereby requests the
Federal Energy Regulatory Commission (“FERC” or the “Commission”) approve, in accordance
with Section 215(d)(1) of the Federal Power Act (“FPA”)2 and Section 39.5 of the Commission’s
regulations, 18 C.F.R. § 39.5 (2012), the proposed Reliability Standard —EOP-004-2—Event
Reporting, and find that the proposed Reliability Standard is just, reasonable, not unduly
discriminatory or preferential, and in the public interest. EOP-004-2 was approved by the NERC
Board of Trustees on November 7, 2012.3
NERC is hereby requesting approval of the proposed Reliability Standard, the associated
implementation plan, Violation Risk Factors (“VRFs”) and Violation Severity Levels (“VSLs”),
and retirement of the currently effective Reliability Standard as detailed below. Specifically,
NERC requests approval of the following:
• Approval of proposed Reliability Standard EOP-004-2 included in Exhibit B,
effective the first day of the first calendar quarter that is six months following the
effective date of a Final Rule in this docket;
    o Retirement of the following standards at midnight of the day immediately
    prior to the effective date of EOP-004-2:4
        EOP-004-1 – Disturbance Reporting
        CIP-001-2a – Sabotage Reporting
• Approval of the implementation plan for the proposed EOP-004-2 Reliability
Standard which is included in Exhibit C.
1 NERC has been certified by the Commission as the electric reliability organization (“ERO”) in accordance
with Section 215 of the Federal Power Act. The Commission certified NERC as the ERO in its order issued July 20,
2006 in Docket No. RR06-1-000. North American Electric Reliability Corp., 116 FERC ¶ 61,062 (2006) (“ERO
Certification Order”).
2 16 U.S.C. § 824o (2012).
3 Unless otherwise designated, all capitalized terms shall have the meaning set forth in the Glossary of Terms
Used in NERC Reliability Standards, available here: http://www.nerc.com/files/Glossary_of_Terms.pdf.
The proposed effective date for the standard is just and reasonable and appropriately
balances the urgency in the need to implement the standards against the reasonableness of the
time allowed for those who must comply to develop necessary procedures, software, facilities,
staffing or other relevant capability. The proposed effective date will allow applicable entities
adequate time to ensure compliance with the requirements in accordance with Order No. 672.5
As required by Section 39.5 of the Commission’s regulations, this petition presents the technical
basis and purpose of the proposed Reliability Standard EOP-004-2 and a demonstration that the
proposed Reliability Standard meets the criteria identified by the Commission in Order No. 672.
I. EXECUTIVE SUMMARY
The proposed Reliability Standard provides a comprehensive approach to reporting
disturbances and events that have the potential to impact the reliability of the Bulk Electric
System in accordance with several Commission directives. The principal goal of NERC is to
promote the reliability of the Bulk-Power System in North America and this goal is directly
supported by evaluating events, undertaking appropriate levels of analysis to determine the
causes of the events, promptly assuring tracking of corrective actions to prevent recurrence, and
providing lessons learned to the industry.
4 Note, Compliance Application Notice CAN-0016 CIP-001 R1: Sabotage Reporting Procedure will be
deemed to have been retired on midnight of the day immediately prior to the effective date of EOP-004-2.
5 Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the
Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶
31,204 at P 333, order on reh’g, Order No. 672-A, FERC Stats. & Regs. ¶ 31,212 (2006) (“In considering whether a
proposed Reliability Standard is just and reasonable, FERC will consider also the timetable for implementation of
the new requirements, including how the proposal balances any urgency in the need to implement it against the
reasonableness of the time allowed for those who must comply to develop the necessary procedures, software,
facilities, staffing or other relevant capability.”).
The proposed Reliability Standard requires Responsible Entities to have an Operating
Plan for reporting applicable events to NERC and others (e.g., Regional Entities, applicable
Reliability Coordinators and law enforcement) within 24 hours of the event according to the
procedure specified in their Operating Plan. This requires Responsible Entities to report events
in a timely manner to allow governmental authorities and critical infrastructure members the
opportunity to react in a meaningful manner to such information6 which supports reliability
principles and ultimately helps protect against future malicious physical attacks. The results-based
approach of EOP-004-2 includes clear criteria for reporting, consistent reporting timelines,
and encourages the development of an internal corporate culture of compliance that is focused on
reliability and communication. The proposed Reliability Standard provides for timely event
analysis and ensures that NERC can develop trends and prepare for a possible next event.
The requirements of the proposed Reliability Standard complement the efforts of the
NERC Bulk-Power System Awareness group and event analysis programs, and the standard
drafting team worked in coordination with the Event Analysis Working Group to develop a list
of the events that are required to be reported for reliability purposes.7 This list is incorporated
into the proposed EOP-004-2 standard as Attachment 1. Attachment 2 (or alternatively
Department of Energy (“DOE”) Form OE-417) is the form to be used by Responsible Entities for
reporting when the threshold for an event listed in Attachment 1 is met.
NERC’s Bulk-Power System Awareness group seeks to provide timely, accurate and
complete information regarding the current status of the Bulk-Power System and threats to its
reliable operation, enabling NERC and the industry to understand and learn from events and
ultimately improve the reliability of the Bulk-Power System. The event analysis process also
provides valuable input for training and education, reliability trend analysis efforts and reliability
standards development, all of which support continued reliability improvement.
6 See Order No. 693 at P 470.
7 See e.g., Event Analysis Process Document – Version 1 at Appendix E, Categorization of Events, available
at: http://www.nerc.com/page.php?cid=5|365.
Proposed Reliability Standard EOP-004-2 is a result of merging EOP-004-1 and CIP-001-2a
and represents a significant improvement in the identification and reporting of events.
Successful event analysis depends on a collaborative approach in which registered entities,
Regional Entities and NERC work together to achieve a common goal. NERC respectfully
requests that the Commission approve the proposed Reliability Standard as just, reasonable, not
unduly discriminatory or preferential and in the public interest.
II. NOTICES AND COMMUNICATIONS
Notices and communications with respect to this filing may be addressed to the following:8
Gerald W. Cauley
President and Chief Executive Officer
North American Electric Reliability
Corporation
3353 Peachtree Road, N.E.
Suite 600, North Tower
Atlanta, GA 30326
(404) 446-2560
(404) 446-2595– facsimile
Charles A. Berardesco*
Senior Vice President and General Counsel
Holly A. Hawkins*
Assistant General Counsel
Stacey Tyrewala*
Attorney
North American Electric Reliability
Corporation
1325 G Street, N.W., Suite 600
Washington, D.C. 20005
(202) 400-3000
(202) 644-8099– facsimile
charlie.berardesco@nerc.net
holly.hawkins@nerc.net
stacey.tyrewala@nerc.net
8 Persons to be included on the Commission’s service list are indicated with an asterisk. NERC requests
waiver of the Commission’s rules and regulations to permit the inclusion of more than two people on the service list.
III. BACKGROUND
a. Regulatory Framework
By enacting the Energy Policy Act of 2005,9 Congress entrusted the Commission with the
duties of approving and enforcing rules to ensure the reliability of the Nation’s Bulk-Power
System, and with the duty of certifying an ERO that would be charged with developing and
enforcing mandatory Reliability Standards, subject to Commission approval. Section 215 of the
FPA states that all users, owners, and operators of the Bulk-Power System in the United States
will be subject to Commission-approved Reliability Standards.10
Section 215(d)(5) of the FPA authorizes the Commission to order the ERO to submit a
new or modified Reliability Standard. Pursuant to Section 215(d)(2) of the FPA and Section
39.5(c)(1) of the Commission’s regulations, the Commission will give due weight to the
technical expertise of the ERO with respect to the content of a Reliability Standard. In Order
No. 693, the Commission noted that it would defer to the “technical expertise” of the ERO with
respect to the content of a Reliability Standard and explained that, through the use of directives,
it provides guidance but does not dictate an outcome. Rather, the Commission will consider an
equivalent alternative approach provided that the ERO demonstrates that the alternative will
address the Commission’s underlying concern or goal as efficiently and effectively as the
Commission’s proposal, example, or directive.11
Section 39.5(a) of the Commission’s regulations requires the ERO to file with the
Commission for its approval each Reliability Standard that the ERO proposes to become
mandatory and enforceable in the United States, and each modification to a Reliability Standard
that the ERO proposes to be made effective. The Commission has the regulatory responsibility
to approve standards that protect the reliability of the Bulk-Power System and to ensure that such
standards are just, reasonable, not unduly discriminatory or preferential, and in the public
interest.
9 16 U.S.C. § 824o (2012).
10 See Section 215(b)(1)(“All users, owners and operators of the bulk-power system shall comply with
reliability standards that take effect under this section.”).
11 See Mandatory Reliability Standards for the Bulk-Power System, Order No. 693, FERC Stats. & Regs. ¶
31,242 at PP 31, 186-187, order on reh’g, Order No. 693-A, 120 FERC ¶ 61,053 (2007).
b. NERC Reliability Standards Development Procedure
The proposed Reliability Standard was developed in an open and fair manner and in
accordance with the Commission-approved Reliability Standard development process.12 NERC
develops Reliability Standards in accordance with Section 300 (Reliability Standards
Development) of its Rules of Procedure and the NERC Standard Processes Manual.13 In its ERO
Certification Order, the Commission found that NERC’s proposed rules provide for reasonable
notice and opportunity for public comment, due process, openness, and a balance of interests in
developing Reliability Standards and thus satisfies certain of the criteria for approving Reliability
Standards. The development process is open to any person or entity with a legitimate interest in
the reliability of the Bulk-Power System. NERC considers the comments of all stakeholders, and
a vote of stakeholders and the NERC Board of Trustees is required to approve a Reliability
Standard before the Reliability Standard is submitted to the Commission for approval.
c. History of Project 2009-01, Disturbance and Sabotage Reporting
Project 2009-01—Disturbance and Sabotage Reporting, was initiated on April 2, 2009,
by PJM Interconnection, L.L.C. as a request for revision to existing standards CIP-001-1,
Sabotage Reporting, and EOP-004-1, Disturbance Reporting. The Standard Authorization
Request was initiated to provide clarity on an appropriate threshold for reporting potential acts of
sabotage as required by CIP-001-1, and to revise several requirements in currently effective
EOP-004-1 that reference out-of-date Department of Energy forms and to eliminate
“fill-in-the-blank” components.
12 Order No. 672 at P 334 (“Further, in considering whether a proposed Reliability Standard meets the legal
standard of review, we will entertain comments about whether the ERO implemented its Commission-approved
Reliability Standard development process for the development of the particular proposed Reliability Standard in a
proper manner, especially whether the process was open and fair. However, we caution that we will not be
sympathetic to arguments by interested parties that choose, for whatever reason, not to participate in the ERO’s
Reliability Standard development process if it is conducted in good faith in accordance with the procedures
approved by FERC.”).
13 The NERC Rules of Procedure are available here: http://www.nerc.com/page.php?cid=1%7C8%7C169.
The current NERC Standard Processes Manual is available here:
http://www.nerc.com/files/Appendix_3A_StandardsProcessesManual_20120131.pdf.
The Disturbance and Sabotage Reporting drafting team was formed in late 2009. The
drafting team developed EOP-004-2, Event Reporting, by combining the requirements of
EOP-004-1 and CIP-001-2a into a single reporting standard using the results-based standard
development approach.14 The EOP-004-1 standard contains the requirements for reporting and
analyzing disturbances while the CIP-001-2a standard addresses sabotage procedures and
reporting. The drafting team used the NERC Security Guideline for the Electricity Sector:
Threat and Incident Reporting as a resource.15 In 2010, the drafting team developed a concept
paper that identified the major concepts that the team proposed to be incorporated into the
EOP-004-2 standard and posted the paper for comments. Additionally, the drafting team worked in
coordination with the Events Analysis Working Group to develop a list of the events that would
be required to be reported for reliability purposes and incorporated that list into Attachment 1 of
the EOP-004-2 standard.
14 The results-based initiative is intended to focus the collective effort of NERC and industry participants on
improving the clarity and quality of NERC Reliability Standards by developing performance, risk and
competency-based requirements that accomplish a reliability objective through a defense-in-depth strategy, while eliminating
documentation-driven requirements that do not benefit Bulk-Power System reliability.
15 Available here: http://www.nerc.com/files/Incident-Reporting.pdf.
i. Issues With Respect to Defining the Term “Sabotage”
The drafting team considered the directive by the Commission in Order No. 693 to
“further define the term [sabotage] and provide guidance on triggering events that would cause
an entity to report an event.”16 However, there was concern among stakeholders that such a
definition could be ambiguous or otherwise subject to interpretation.17 The drafting team
determined that it was almost impossible to determine if a particular act constituted sabotage
without the intervention of law enforcement. There is an inherently subjective component to the
determination of whether or not any particular event is caused by a malicious act and this
determination may vary based on various factors, including the local jurisdiction, given that there
is also a legal component to whether or not a particular act is considered to be deliberate or
malicious. Further, the definition of the term “sabotage” would have to exclude events such as
unintentional operator error, whereas an action by a third party with the same exact
consequences or outcome might be considered “sabotage.” The drafting team thus determined
that attempting to define the term “sabotage” would result in further ambiguity with respect to
the reporting of events. Instead, the drafting team developed a list of events included in
Attachment 1 to provide guidance for reporting events. The drafting team determined that this
method is an equally effective and efficient means of addressing the Commission directive in
accordance with Order No. 693.18
16 Order No. 693 at P 461 (internal citation omitted).
17 See e.g., Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting
Concepts Paper at 3 (“One thing became clear in the [drafting team’s] discussion concerning sabotage: everyone has
a different definition.”). Available here: http://www.nerc.com/filez/standards/Project200901_Disturbance_Sabotage_Reporting.html.
18 Order No. 693 at P 31 (“we do expect the ERO to respond with an equivalent alternative and adequate
support that fully explains how the alternative produces a result that is as effective as or more effective than the
Commission’s example or directive.”).
IV. JUSTIFICATION FOR APPROVAL OF THE PROPOSED RELIABILITY STANDARD
a. Basis and Purpose of Reliability Standard and Improvements in this Revision
As noted herein, EOP-004-2 merges CIP-001-2a, which addresses sabotage procedures
and reporting, and EOP-004-1,19 which addresses the reporting and analyzing of disturbances,
into a single comprehensive Reliability Standard.20 EOP-004 is part of the Emergency
Preparedness and Operations (“EOP”) body of Reliability Standards. The EOP group of
Reliability Standards consists of eight Reliability Standards that address preparation for
emergencies, necessary actions during emergencies and system restoration and reporting
following disturbances.21 CIP-001 is part of the Critical Infrastructure Protection body of
standards.22
19 The Commission approved EOP-004-1 in Order No. 693. See Order No. 693 at P 617.
20 Requirement R2 of existing Reliability Standard EOP-004-1, which provides that each Reliability
Coordinator, Balancing Authority, Transmission Operator, Generation Operator and Load-Serving Entity must
promptly analyze Bulk Electric System disturbances on its system or facilities, is incorporated into Requirement R1
of the proposed EOP-004-2 Reliability Standard and is addressed by the NERC Bulk-Power System Awareness
group and the NERC events analysis program. The Requirements of EOP-004-2 specify that certain types of events
are to be reported, but do not include explicit provisions to analyze events. However, events reported under
EOP-004-2 are incorporated into the real-time understanding of the grid that is maintained by the Bulk-Power System
Awareness group. Further, such reports may trigger further scrutiny by the NERC event analysis program. If
warranted, the events analysis program personnel may request that more data for certain events be provided by the
reporting entity or other entities that may have experienced the event.
21 EOP-001 is dedicated to Emergency Operations Planning. EOP-002 is dedicated to Capacity and Energy
Emergencies. EOP-003 is dedicated to Load Shedding Plans. EOP-004 is dedicated to Event Reporting. EOP-005
is dedicated to System Restoration Plans and Blackstart Resources. EOP-006 is dedicated to System Restoration
Coordination, [note there is no EOP-007]. EOP-008 is dedicated to Loss of Control Center Functionality and
EOP-009 is dedicated to Documentation of Blackstart Generating Unit Test Results.
22 The Commission approved CIP-001-1 in Order No. 693. See Order No. 693 at P 471. On April 21, 2010,
NERC filed a petition for approval of an interpretation to Requirement R2 of CIP-001-1, which was approved in a
letter order issued by the Commission on February 2, 2011. North American Electric Reliability Corporation, Letter
order approving interpretation to CIP-001-1, Docket No. RD10-11-000, (February 2, 2011). On June 21, 2011,
NERC submitted a Petition for Approval of Reliability Standards CIP-001-2a – Sabotage Reporting with a Regional
Variance for Texas Reliability Entity, which was approved in a letter order issued by the Commission on August 2,
2011. North American Electric Reliability Corporation, Letter order approving Petition of the North American
Electric Reliability Corporation for Approval of the Reliability Standard CIP-001-2a – Sabotage Reporting with a
Regional Variance for Texas Reliability Entity, Docket No. RD11-6-000 (August 2, 2011).
i. Proposed Reliability Standard, EOP-004-2
Proposed Reliability Standard EOP-004-2 requires reporting of events that impact or may
impact the reliability of the Bulk Electric System, provides clear criteria for reporting, includes
consistent reporting timelines, including a reporting hierarchy for reporting of disturbances, and
provides clarity regarding who will receive the reported information. The proposed Reliability
Standard consists of three Requirements. Requirement R1 mandates that Responsible Entities
will have an event reporting Operating Plan for reporting specific types of events. Requirement
R2 establishes a timeframe for reporting of events, and Requirement R3 states that Responsible
Entities must validate the contact information contained in the Operating Plan each calendar
year. The proposed Reliability Standard provides a comprehensive approach to disturbance and
event reporting as explained in further detail below.
Proposed Requirements
R1. Each Responsible Entity shall have an event reporting Operating Plan in accordance with
EOP-004-2 Attachment 1 that includes the protocol(s) for reporting to the Electric Reliability
Organization and other organizations (e.g., the Regional Entity, company personnel, the
Responsible Entity’s Reliability Coordinator, law enforcement, or governmental authority).
[Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours of
recognition of meeting an event type threshold for reporting or by the end of the next business
day if the event occurs on a weekend (which is recognized to be 4 PM local time on Friday to 8
AM Monday local time). [Violation Risk Factor: Medium] [Time Horizon: Operations
Assessment]
R3. Each Responsible Entity shall validate all contact information contained in the Operating
Plan pursuant to Requirement R1 each calendar year. [Violation Risk Factor: Medium] [Time
Horizon: Operations Planning]
Requirement R1
Requirement R1 of proposed Reliability Standard EOP-004-2 requires Responsible
Entities to have an event reporting Operating Plan that includes, but is not limited to the
protocol(s) for reporting, and each organization identified to receive an event report, for event
types specified in Attachment 1 of EOP-004-2. Attachment 1 of EOP-004-2, Reportable Events,
lists: (i) events, (ii) the relevant entity with reporting responsibility and (iii) the threshold for
reporting the event. In these situations, Responsible Entities are required to submit
EOP-004-2 Attachment 2 (or DOE Form OE-417), pursuant to Requirements R1 and R2. The last
column of Attachment 1, “Threshold for Reporting” is a bright line that, if reached, triggers the
obligation for the entity to report that they experienced the applicable event per Requirement 1.
The requirement to have an Operating Plan for reporting specific types of events provides
the entity with a method to have its operating personnel recognize events that affect reliability
and to be able to report them to appropriate parties; e.g., Regional Entities, applicable Reliability
Coordinators, and law enforcement and other jurisdictional agencies when so recognized. In
addition, these event reports are an input to the NERC event analysis program. The results-based
approach of EOP-004-2 encourages the development of a culture of compliance that is focused
on reliability and communication.
It is generally accepted that as a good business practice, every Registered Entity that
owns or operates elements or devices on the grid should have a formal or informal process,
procedure, or steps it takes to gather information necessary to analyze events.23 Requirement R1
mandates that the Responsible Entity establish documentation on how that procedure, process, or
plan is organized. This documentation may be a single document or a combination of various
documents that achieve the reliability objective.
The communication protocol(s) could include a process flowchart, identification of
internal and external personnel or entities to be notified, or a list of personnel by name and their
associated contact information. An existing procedure that meets the requirements of
CIP-001-2a may be included in this Operating Plan along with other processes, procedures or plans to
meet this requirement.24
23 See e.g., PJM Manual 13, Emergency Operations, available at:
http://www.pjm.com/~/media/documents/manuals/m13.ashx; see also, Midwest ISO Disturbance Reporting
Procedure RTO-OP-023-r9.1, available at: https://www.midwestiso.org/Library/Repository/Procedure/RTO-OP023-r9%201%20Disturbance%20Reporting%20Procedure.pdf.
24 Proposed Reliability Standard EOP-004-2 incorporates existing Reliability Standard CIP-001-2a in its
entirety. CIP-001-2a requires that each Reliability Coordinator, Balancing Authority, Transmission Operator,
Generation Operator and Load-Serving Entity have procedures for recognizing and for making operating personnel
aware of sabotage events (Requirement R1 of CIP-001-2a), and communicating information concerning sabotage
events to appropriate “parties” in the Interconnection (Requirements R2 through R4 of CIP-001-2a). The
requirements of CIP-001-2a are encompassed by Requirement R1 of EOP-004-2 and Attachment 1.
Requirement R2
Requirement R2 of proposed Reliability Standard EOP-004-2 requires Responsible
Entities to report events within 24 hours of recognition of meeting an event type threshold for
reporting, or, if an event occurs on a weekend, by the end of the next business day.25 This
incorporation of a deadline for reporting satisfies the Commission directive in Order No. 693 to
“require an applicable entity to contact appropriate governmental authorities in the event of
sabotage within a specified period of time.”26 Requirement R2 is based on “recognition” of
meeting an event type threshold because basing the reporting of events on when the events
actually occur would be impractical. In practice, an entity may not be immediately aware of
destruction or damage to a remote piece of equipment.27 Further, requiring Responsible Entities
to constantly monitor all equipment and property for destruction or damage would be a waste of
resources and would not serve the best interests of the reliability of the Bulk Electric System.
For these reasons, the drafting team’s incorporation of the term “recognition” is reasonable and
is consistent with the Commission’s support in Order No. 693 for defining the specified period of
time for reporting an event based on when an event is discovered or suspected to be sabotage.28
25 Holidays are not specifically recognized in Requirement R2.
26 Order No. 693 at P 471.
27 See e.g., Comments of Xcel Energy Services, Inc., Docket No. RM06-16-000 (January 3, 2007) at p. 24
(“The triggering event for disclosure of an act of sabotage often will be unclear. That is, it is often not clear whether
an event is the result of an act of sabotage, the result of negligent misconduct by an individual, or by equipment
failure for other reasons. The Xcel Energy Operating Companies operate thousands of miles of bulk power
transmission facilities, and many of these facilities are in remote locations. For this reason, it may require
investigation to determine whether the triggering event was an act of sabotage, or the result of some other cause
(such as weather or unintentional vehicle contact). This investigation will take time –especially if the event occurs at
an unstaffed and/or remote station or facility.”)(internal citation omitted).
28 Order No. 693 at P 470 (“Thus, the Commission directs the ERO to modify CIP-001-1 to require an
applicable entity to contact appropriate governmental authorities in the event of sabotage within a specified period
of time, even if it is a preliminary report. The ERO, through its Reliability Standards development process, is
directed to determine the proper reporting period. In doing so, the ERO should consider suggestions raised by
commenters such as FirstEnergy and Xcel to define the specified period for reporting an incident beginning from
when an event is discovered or suspected to be sabotage, and APPA’s concerns regarding events at unstaffed or
remote facilities, and triggering events occurring outside staffed hours at small entities.”).
Each Responsible Entity must report and communicate events according to its Operating
Plan based on the information in Attachment 1 of EOP-004-2. By implementing the event
reporting Operating Plan, the Responsible Entity will assure that NERC has situational
awareness so that NERC can develop trends and prepare for a possible next event, and mitigate
the current event through the event analysis program.
Responsible Entities that have multiple registrations will only have to submit one report
for any individual event.29 For example, if an entity is registered as a Reliability Coordinator,
Balancing Authority and Transmission Operator, the entity would only submit one report for a
particular event rather than submitting three reports as each individual registered entity. However,
there may be several reports as a result of any individual event and this is appropriate as it will
provide NERC with a better understanding of the depth and breadth of system conditions based
on the given event.
29 See Guideline and Technical Basis for EOP-004-2, Multiple Reports for a Single Organization.
Requirement R3 of existing Reliability Standard EOP-004-1, which requires each
Reliability Coordinator, Balancing Authority, Transmission Operator, Generation Operator and
Load-Serving Entity experiencing a reportable incident to provide a preliminary written report,
has been incorporated into Requirement R2 of proposed Reliability Standard EOP-004-2.
Requirement R3
Requirement R3 of proposed Reliability Standard EOP-004-2 calls for the Responsible
Entity to validate the contact information contained in the Operating Plan each calendar year.
This requirement helps ensure that the event reporting Operating Plan is up to date and
Responsible Entities will be able to effectively report events to NERC to assure situational
awareness.
The incorporation of this annual validation in Requirement R3 satisfies the Commission
directive in Order No. 693 to “incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting procedures.”30
Attachment 1: Reportable Events
Attachment 1 of EOP-004-2, Reportable Events, lists (i) events, (ii) the relevant entity
with reporting responsibility and (iii) the threshold for reporting the event. In these situations,
entities are required to submit EOP-004-2 Attachment 2, pursuant to Requirements R1 and R2.
The events addressed in Attachment 1 include, among others: damage or destruction of a
Facility, transmission loss, generation loss and a BES Emergency31 requiring public appeal for
load reduction. Such events, and the thresholds identified for reporting these events, are an
equivalent alternative approach that ensures that Responsible Entities respond to events.
Therefore, Attachment 1 addresses the Commission’s underlying concern as efficiently and
effectively as the Commission’s directive to define the term “sabotage.” Collectively,
Requirement R1 and Attachment 1 require entities to properly identify and respond to events to
minimize the adverse impact on the Bulk Electric System.32
In Attachment 1, the drafting team used the term “Facility” as defined in the Glossary of
Terms Used in NERC Reliability Standards.33 A Facility is defined as: “A set of electrical
equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a
shunt compensator, transformer, etc.)” The drafting team does not intend the use of the term
“Facility” to mean a substation or any other facility that one might consider in everyday
discussions regarding the grid. This is intended to mean only a Facility as defined above. The
use of the defined term provides greater clarity for entities regarding the specific types of events
that are to be reported. Through the use of the term “Facility,” all of the equipment within a
substation that is critical to reliability is included.
30
Order No. 693 at P 466.
31
“BES Emergency” as used in EOP-004-2 is a defined term set forth in the Glossary of Terms Used in
NERC Reliability Standards, available here: http://www.nerc.com/files/Glossary_of_Terms.pdf.
32
This is responsive to the Commission directive at P 471 of Order No. 693 requiring NERC to “specify
baseline requirements regarding what issues should be addressed in the procedures for recognizing sabotage events
and making personnel aware of such events.”
33
Available here: http://www.nerc.com/files/Glossary_of_Terms.pdf.
Attachment 2: Event Reporting Form
Attachment 2 (or alternatively DOE Form OE-417) is the form to be used by Responsible
Entities for reporting when the threshold for an event listed in Attachment 1 is met.
The DOE Office of Electricity Delivery and Energy Reliability uses Form OE-417,
“Emergency Incident and Disturbance Report,” to monitor major system incidents on electric
power systems. Tracking disturbances that impact the integrated generating and transmission
facilities is an important part of DOE’s responsibilities, along with examining issues associated
with insufficient capacity reserves. The form collects information on electric emergency
incidents and disturbances for DOE’s use in fulfilling its overall national security and other
energy management responsibilities. The form is a mandatory filing whenever an electrical
incident or disturbance is large enough to cross the reporting thresholds. Reporting
coverage for the Form OE-417 includes all 50 States, the District of Columbia, Puerto Rico, the
U.S. Virgin Islands, and the U.S. Trust Territories.
In an effort to minimize administrative burden, U.S. entities may use the DOE OE-417
form, rather than Attachment 2, to report under EOP-004.34 Pursuant to the DOE’s new online
process, entities may record email addresses associated with their Operating Plan so that when
the report is submitted to DOE, it will automatically be forwarded to the posted email addresses,
thereby eliminating some administrative burden to forward the report to multiple organizations
and agencies.35 This approach is consistent with the Commission’s suggestion in Order No. 693
for NERC to “consider consolidation of the sabotage reporting forms and the sabotage reporting
channels with the appropriate governmental authorities to minimize the impact of these reporting
requirements on all entities.”36
34
Canadian entities are required to use Attachment 2 to report events.
b. Enforceability of the Proposed Reliability Standard, EOP-004-2
The proposed Reliability Standard contains measures that support each standard
requirement by clearly identifying what is required and how the requirement will be enforced.
These measures help provide clarity regarding how the requirements will be enforced, and ensure
that the requirements will be enforced in a clear, consistent, and non-preferential manner and
without prejudice to any party.37 The VSLs also provide further guidance on how NERC will
enforce the requirements of the standard.
i. Violation Risk Factors and Violation Severity Levels
There are three requirements in EOP-004-2. Requirement R1 was assigned a Lower VRF
while Requirements R2 and R3 were assigned a Medium VRF. The VRFs and VSLs for the
proposed standard comport with NERC and Commission guidelines related to their assignment.
For a detailed review of the VRFs, the VSLs, and the analysis of how the VRFs and VSLs were
determined using these guidelines, please see Exhibit E.
35
See http://www.oe.netl.doe.gov/oe417.aspx.
36
Order No. 693 at P 471.
37
Order No. 672 at P 327 (“There should be a clear criterion or measure of whether an entity is in compliance
with a proposed Reliability Standard. It should contain or be accompanied by an objective measure of compliance
so that it can be enforced and so that enforcement can be applied in a consistent and non-preferential manner.”).
V. SUMMARY OF THE RELIABILITY STANDARD DEVELOPMENT PROCEEDINGS
The development record for proposed Reliability Standard EOP-004-2 is summarized
below. Exhibit D contains the Consideration of Comments Reports created during the
development of the Reliability Standards. Exhibit F contains the complete record of
development for the standards.
a. Overview of the Drafting Team
When evaluating a proposed Reliability Standard, the Commission is expected to give “due
weight” to the technical expertise of the ERO.38 The technical expertise of the ERO is derived
from the drafting team. For this project, the drafting team consisted of four industry experts with
a diversity of experience. A detailed set of biographical information for each of the team
members is included along with the drafting team roster in Exhibit G. The development record
for the proposed EOP-004-2 standard is summarized below.
b. Standard Authorization Request Development
The first draft of the Standard Authorization Request was posted for a 30-day public
comment period from April 22, 2009 to May 21, 2009. The drafting team received 40 sets of comments
from 120 people from more than 60 companies representing 9 of the 10 industry segments. Most
commenters agreed on the need for revisions to CIP-001-1 and EOP-004-1, but voiced concerns
on issues including:
• The applicability of the final requirements;
• Whether or not the standards should be merged;
• The inclusion of vandalism and the thresholds for defining sabotage; and
• Onerous or duplicative reporting required by the current standards.
38
Section 215(d)(2) of the Federal Power Act; 16 U.S.C. § 824o(d)(2) (2012).
The Disturbance and Sabotage Reporting drafting team was formed in late 2009. In
2010, the drafting team developed a concept paper that identified the major concepts that the
team proposed to be incorporated into the EOP-004-2 standard and posted the paper for a 30-day
public comment period from March 17, 2010 to April 16, 2010. NERC received 41 sets of
comments from 95 different people from approximately 50 companies representing 8 of the 10
industry segments. Most commenters agreed that the guidance in the concept paper should be
used as a foundation for revising the standards. In the concept paper, the drafting team proposed
to consolidate disturbance and event reporting under a single standard in EOP-004.
c. The First Posting – Informal Comment Period
The first draft of EOP-004-2 was posted for a 30-day informal comment period from
September 15, 2010 to October 15, 2010. A mapping document that showed the translation of
CIP-001-1 and EOP-004-1 into EOP-004-2 was posted for guidance with the first draft. There
were 60 sets of comments, with comments from more than 175 different people from
approximately 100 companies representing 9 of the 10 industry segments. In response to
comments, the drafting team made several changes to the draft standard including:
• Revised the purpose statement to address the concern that the drafting team went
  beyond the reliability intent of the standard by concentrating too much on event
  analysis;
• Added a proposed working definition for “impact events” to the NERC Glossary
  of Terms;
• Deleted all references to “situational awareness” and instead used the term
  “industry awareness” where appropriate;
• Added Load Serving Entities as applicable entities;
• Deleted Requirement R1 and proposed revisions to the NERC Rules of Procedure
  to include a central system with responsibility for receiving and distributing
  impact event reports;
• Revised Requirement R2 to include Operating Plan, Operating Process and
  Operating Procedure;
• Removed Parts 2.5 through 2.9 of Requirement R2 and replaced with
  Requirement R1, Part 1.4 to require updates to the Impact Event Operating Plan
  within 90 days of any change to content;
• Rewrote Requirement R3 to eliminate the need to assess the probable cause of an
  impact event;
• Rewrote Requirement R4 by taking out prescriptive guidance;
• Removed Requirement 5, Parts 5.3 and 5.4 and removed Requirements R7 and
  R8;
• Removed several bright-line criteria from Attachment 1, modifying it to assign
  clear responsibility for reporting for each category of impact event, and clarifying
  the types of events included in Attachment 1; and
• Clarified that NERC will accept DOE OE-417 form in lieu of Attachment 2 if the
  responsible entity is required to submit an OE-417 form, and added a process for
  the reporting of a Cyber Security Incident.
d. The Second Posting – Informal Comment Period
The second draft of the standard was posted with the implementation plan for a public
30-day informal comment period from March 9, 2011 to April 8, 2011. The drafting team
received 60 sets of comments from 188 different people from approximately 132 different
companies representing all 10 industry segments. Several changes were made to the draft of the
EOP-004-2 standard including:
• Deleted proposed definition of “Impact Event”;
• Revised the reporting time to 24 hours from 1 hour for most events;
• Rewrote Requirement R1 to specify that the responsible entity have an Operating
  Plan for identifying and reporting events listed in Attachment 1;
• Revised the wording in Requirement R2 and R3 to more closely track the actions
  that need to be taken for reporting events and communications involving the
  Operating Plan;
• Rewrote Requirement R4 to more closely match the rationale language on
  annually verifying the communication process in its Operating Plan to provide
  better guidance to responsible entities; and
• Added clarity on which entities report and to whom events should be reported.
e. Third Posting – Formal Comment Period and Initial Ballot and Non-Binding Poll
The third draft of the standard was posted for a public 45-day formal comment period
from October 28, 2011 to December 12, 2011, and included an initial ballot and non-binding poll
from December 2, 2011 to December 12, 2011. A mapping document and the VRF/VSL
justification document were provided to aid in the review. The initial ballot for the draft of EOP-004-2
received a quorum of 87.97% and a 36.21% approval. The non-binding poll received a
quorum of 85.28% and a 45% approval. The drafting team received 76 sets of comments from
171 individuals from 140 different companies representing nine of the ten industry segments. As
a result of the comments, the drafting team made changes to the draft standard including:
• Revised the purpose statement to remove ambiguous language “with the potential
  to impact reliability”;
• Revised Requirement R1 for clarity and matched the language more closely to
  FERC Order No. 693, Paragraph 471, and eliminated Part 1.2 and reworded Part
  1.3 (now 1.2);
• Removed Part 1.4 and made Part 1.5 a new Requirement R4;
• Revised Requirement R4 and made it R3;
• Deleted Requirement R2 and merged with R3 to eliminate redundancy;
• Reformatted the table in Attachment 1 to separate one hour reporting
  requirements from 24-hour reporting requirements; and
• Revised the language and eliminated redundancy in types of events included in
  Attachment 1.
In response to comments on the third draft, the drafting team also addressed in depth the
different processes and reasons for using either the DOE OE-417 form or EOP-004-2
Attachment 2 to report events, and why it was necessary for standard EOP-004-2 to retain
Attachment 2 as a reporting option.
f. Fourth Posting – Formal Comment Period and Successive Ballot and Non-Binding Poll
The fourth draft of the EOP-004-2 standard was posted for a public formal comment
period from April 25, 2012 to May 24, 2012 with a ten-day successive ballot and non-binding
poll held from May 15, 2012 to May 24, 2012. The mapping document, a “Consideration of
Issues and Directives” document, a VRF/VSL justification document, and a proposed NERC
Rules of Procedure Section 812 document were posted to assist in review. The successive ballot
received a quorum of 84.43% and an approval of 46.18%. The non-binding poll results achieved
a 79.95% quorum and a 52.67% supportive opinion. The drafting team received 87 sets of
comments from 210 different people from approximately 135 different companies representing 9
of the 10 industry segments. Based on the comments received, NERC made the following
changes to the draft standard:
• Removed the reporting of Cyber Security Incidents from EOP-004 and directed
  the team developing CIP-008-5 to retain this reporting;
• Removed Interchange Coordinator, Transmission Service Providers, Load-Serving
  Entity, Electric Reliability Organization and Regional Entity as
  Responsible Entities;
• Moved most of the “Background” Section language to the “Guidelines and
  Technical Basis” Section;
• Made minor language changes to the measures and the data retention section;
• Revised Attachment 2 to list events in the same order in which they appear in
  Attachment 1;
• Revised requirement R1 to include the Parts in the main body of the Requirement;
• Deleted Requirement R3 and R4 and established a new Requirement R3 to have
  the Registered Entity “validate” the contact information in the contact list(s) they
  may have for the events applicable to them; and
• Updated Attachment 1 by assigning event titles and entity responsibilities.
In this iteration, the drafting team noted that NERC had initiated a new effort to forward event
reports to applicable government authorities, so the proposed Section 812 of the NERC Rules of
Procedure was no longer needed and was removed from the project. Due to suggestions received
during this comment period to improve the standard, the drafting team decided to post the
standard for a second successive ballot period.39
g. Fifth Posting – Formal Comment Period and Successive Ballot and Non-Binding Poll
A fifth draft of the EOP-004-2 standard was posted for a 30-day public formal comment
period from August 29, 2012 to September 27, 2012, with a second ten-day successive ballot and
non-binding poll held during the last ten days of the comment period, from September 18, 2012
to September 27, 2012. The mapping document, the “Consideration of Issues and Directives”
document, and the VRF/VSL justification document were posted to assist in review. The second
successive ballot received a quorum of 78.54% and an approval of 63.40%, and the non-binding
poll received a 72.59% quorum and a 63.05% supportive opinion. The drafting team received 56
sets of comments from 181 different people from 125 companies, representing 9 of the ten
industry segments. In response to comments received, the drafting team made several changes:
• Added language to the Guidelines and Technical Basis section to clarify the
  applicability of Requirement R1 and R3 to Distribution Providers;
• Added language to the Guidelines and Technical Basis section to clarify that only
  one report per event is necessary for entities that are registered in several different
  categories of industry segments;
• Added clarifying language to Requirement R2 on 24-hour reporting; and
• Revised the VSL language for Requirement R1 to address the case in which the
  event reporting Operating Plan fails to include event types.
In response to the fifth round of comments, the drafting team explained that the
investigation and analysis portions of the current mandatory and enforceable standards EOP-004-1
and CIP-001-2a will not be incorporated in EOP-004-2. Instead, the analysis provisions will
be addressed in the NERC event analysis program upon regulatory approval of EOP-004-2.
39
On July 30, 2012, the drafting team hosted a webinar in order to receive informal feedback and to explain
proposed changes to the standard. The slides are available on the project page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting_RF.html.
h. Sixth Posting – Recirculation Ballot and Non-Binding Poll
Given that EOP-004-2 failed the second successive ballot with 63.4% support, on
October 22, 2012, the drafting team conducted an industry webinar to explain several issues,
including the applicability to Distribution Providers, duplicative reporting, the role of the
Paragraph 81 project and the reporting burden of the standard.40
The sixth and final draft of the EOP-004-2 standard was posted for a recirculation ballot
and non-binding poll from October 24, 2012 to November 5, 2012. The standard received a
quorum of 85.14% and an approval of 71.39%. The non-binding poll resulted in a quorum of
78.93% and an approval of 71.04%.
i. Board of Trustees Approval of EOP-004-2
The final proposed EOP-004-2 standard was presented to the NERC Board of Trustees on
November 7, 2012. NERC staff provided a summary of the proposed standard, as well as a
summary of minority issues and associated drafting team responses. The NERC Board of
Trustees approved the standard, and NERC staff recommended that it be filed with applicable
regulatory authorities.
40
Slides from the webinar are available here:
http://www.nerc.com/docs/standards/dt/Disturbance_and_Sabotage_Reporting_Webinar_20121022_final.pdf.
VI. CONCLUSION
For the reasons set forth above, NERC respectfully requests that the Commission:
• approve the proposed EOP-004-2 Reliability Standard included in Exhibit B,
  effective as proposed herein;
• approve the implementation plan included in Exhibit C; and
• approve the retirement of Reliability Standards, effective as proposed herein.
Respectfully submitted,
/s/ Stacey Tyrewala
Gerald W. Cauley
President and Chief Executive Officer
North American Electric Reliability
Corporation
3353 Peachtree Road, N.E.
Suite 600, North Tower
Atlanta, GA 30326
(404) 446-2560
(404) 446-2595– facsimile
Charles A. Berardesco
Senior Vice President and General Counsel
Holly A. Hawkins
Assistant General Counsel
Stacey Tyrewala
Attorney
North American Electric Reliability
Corporation
1325 G Street, N.W., Suite 600
Washington, D.C. 20005
(202) 400-3000
(202) 644-8099– facsimile
charlie.berardesco@nerc.net
holly.hawkins@nerc.net
stacey.tyrewala@nerc.net
Counsel for the North American Electric
Reliability Corporation
December 31, 2012
CERTIFICATE OF SERVICE
I hereby certify that I have served a copy of the foregoing document upon all parties
listed on the official service list compiled by the Secretary in this proceeding.
Dated at Washington, D.C. this 31st day of December, 2012.
/s/ Stacey Tyrewala
Stacey Tyrewala
Attorney for North American Electric
Reliability Corporation
Exhibit A
Order No. 672 Criteria
In Order No. 672,1 the Commission identified a number of criteria it will use to
analyze Reliability Standards proposed for approval to ensure they are just, reasonable,
not unduly discriminatory or preferential, and in the public interest. The discussion
below identifies these factors and explains how the proposed Reliability Standard has met
or exceeded the criteria:
1. Proposed Reliability Standards must be designed to achieve a specified
reliability goal and must contain a technically sound means to achieve that goal.2
The proposed standard achieves the specific reliability goal of ensuring that
events that may impact the reliability of the Bulk Electric System are reported. Certain
outages, such as those due to vandalism and terrorism, may not be reasonably
preventable. These are the types of events that should be reported to law enforcement.
Entities rely upon law enforcement agencies to respond to and investigate those events
which have the potential to impact a wider area of the Bulk Electric System. The
inclusion of reporting to law enforcement enables and supports reliability principles such
as protection of the Bulk Electric System from malicious physical attack. The proposed
Reliability Standard includes clear criteria for reporting and consistent reporting
timelines.
1
Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the
Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. &
Regs. ¶ 31,204, order on reh’g, Order No. 672-A, FERC Stats. & Regs. ¶ 31,212 (2006).
2
Order No. 672 at P 321. The proposed Reliability Standard must address a reliability concern that falls
within the requirements of section 215 of the FPA. That is, it must provide for the reliable operation of
Bulk-Power System facilities. It may not extend beyond reliable operation of such facilities or apply to
other facilities. Such facilities include all those necessary for operating an interconnected electric energy
transmission network, or any portion of that network, including control systems. The proposed Reliability
Standard may apply to any design of planned additions or modifications of such facilities that is necessary
to provide for reliable operation. It may also apply to Cybersecurity protection.
Order No. 672 at P 324. The proposed Reliability Standard must be designed to achieve a specified
reliability goal and must contain a technically sound means to achieve this goal. Although any person may
propose a topic for a Reliability Standard to the ERO, in the ERO’s process, the specific proposed
Reliability Standard should be developed initially by persons within the electric power industry and
community with a high level of technical expertise and be based on sound technical and engineering
criteria. It should be based on actual data and lessons learned from past operating incidents, where
appropriate. The process for ERO approval of a proposed Reliability Standard should be fair and open to
all interested persons.
2. Proposed Reliability Standards must be applicable only to users, owners and
operators of the bulk power system, and must be clear and unambiguous as to
what is required and who is required to comply.3
The proposed revisions to this Reliability Standard apply to the following
Functional Entities: Reliability Coordinators; Balancing Authorities; Transmission
Owners; Transmission Operators; Generator Owners; Generator Operators; and
Distribution Providers. Section 4.1 of proposed Reliability Standard EOP-004-2 is clear
and unambiguous as to who is required to comply, in accordance with Order No. 672.
Further, Requirements R1 through R3 are clear and unambiguous as to what is required,
in accordance with Order No. 672. Requirements R1 through R3 provide clear criteria
for reporting and consistent reporting timelines and provide clarity around who will
receive the information.
3. A proposed Reliability Standard must include clear and understandable
consequences and a range of penalties (monetary and/or non-monetary) for a
violation.4
The VRFs and VSLs for the proposed standard comport with NERC and
Commission guidelines related to their assignment. The assignment of the severity level
for each VSL is consistent with the corresponding Requirement and the VSLs should
ensure uniformity and consistency in the determination of penalties. The VSLs do not
use any ambiguous terminology, thereby supporting uniformity and consistency in the
determination of similar penalties for similar violations. For these reasons, the proposed
Reliability Standard includes clear and understandable consequences in accordance with
Order No. 672.
3
Order No. 672 at P 322. The proposed Reliability Standard may impose a requirement on any user,
owner, or operator of such facilities, but not on others.
Order No. 672 at P 325. The proposed Reliability Standard should be clear and unambiguous regarding
what is required and who is required to comply. Users, owners, and operators of the Bulk-Power System
must know what they are required to do to maintain reliability.
4
Order No. 672 at P 326. The possible consequences, including range of possible penalties, for violating a
proposed Reliability Standard should be clear and understandable by those who must comply.
4. A proposed Reliability Standard must identify clear and objective criterion
or measure for compliance, so that it can be enforced in a consistent and
non-preferential manner.5
The proposed Reliability Standard contains measures that support each
requirement by clearly identifying what is required and how the requirement will be
enforced. These measures help provide clarity regarding how the requirements will be
enforced, and ensure that the requirements will be enforced in a clear, consistent, and
non-preferential manner and without prejudice to any party.
5. Proposed Reliability Standards should achieve a reliability goal effectively
and efficiently — but do not necessarily have to reflect “best practices” without
regard to implementation cost or historical regional infrastructure design.6
The proposed Reliability Standard achieves its reliability goals effectively and
efficiently in accordance with Order No. 672. The proposed standard requires Functional
Entities to report incidents and provide known information at the time of the report and
also includes an illustrated example of a reporting process in an attached flowchart.
5
Order No. 672 at P 327. There should be a clear criterion or measure of whether an entity is in
compliance with a proposed Reliability Standard. It should contain or be accompanied by an objective
measure of compliance so that it can be enforced and so that enforcement can be applied in a consistent and
non-preferential manner.
6
Order No. 672 at P 328. The proposed Reliability Standard does not necessarily have to reflect the
optimal method, or “best practice,” for achieving its reliability goal without regard to implementation cost
or historical regional infrastructure design. It should however achieve its reliability goal effectively and
efficiently.
6. Proposed Reliability Standards cannot be “lowest common denominator,”
i.e., cannot reflect a compromise that does not adequately protect Bulk-Power
System reliability. Proposed Reliability Standards can consider costs to
implement for smaller entities, but not at consequences of less than excellence in
operating system reliability.7
The proposed Reliability Standard does not reflect a “lowest common
denominator” approach. To the contrary, the proposed standard represents a significant
improvement over the previous version as described herein. Specifically, Attachment 1
provides greater clarity of the types of events that are to be reported as compared to the
previous version of the standard.
7. Proposed Reliability Standards must be designed to apply throughout North
America to the maximum extent achievable with a single Reliability Standard
while not favoring one geographic area or regional model. It should take into
account regional variations in the organization and corporate structures of
transmission owners and operators, variations in generation fuel type and
ownership patterns, and regional variations in market design if these affect the
proposed Reliability Standard.8
The proposed Reliability Standard, EOP-004-2, applies throughout North
America and does not favor one geographic area or regional model.
7
Order No. 672 at P 329. The proposed Reliability Standard must not simply reflect a compromise in the
ERO’s Reliability Standard development process based on the least effective North American practice —
the so-called “lowest common denominator” — if such practice does not adequately protect Bulk-Power
System reliability. Although FERC will give due weight to the technical expertise of the ERO, we will not
hesitate to remand a proposed Reliability Standard if we are convinced it is not adequate to protect
reliability.
Order No. 672 at P 330. A proposed Reliability Standard may take into account the size of the entity that
must comply with the Reliability Standard and the cost to those entities of implementing the proposed
Reliability Standard. However, the ERO should not propose a “lowest common denominator” Reliability
Standard that would achieve less than excellence in operating system reliability solely to protect against
reasonable expenses for supporting this vital national infrastructure. For example, a small owner or
operator of the Bulk-Power System must bear the cost of complying with each Reliability Standard that
applies to it.
8
Order No. 672 at P 331. A proposed Reliability Standard should be designed to apply throughout the
interconnected North American Bulk-Power System, to the maximum extent this is achievable with a single
Reliability Standard. The proposed Reliability Standard should not be based on a single geographic or
regional model but should take into account geographic variations in grid characteristics, terrain, weather,
and other such factors; it should also take into account regional variations in the organizational and
corporate structures of transmission owners and operators, variations in generation fuel type and ownership
patterns, and regional variations in market design if these affect the proposed Reliability Standard.
8. Proposed Reliability Standards should cause no undue negative effect on
competition or restriction of the grid beyond any restriction necessary for
reliability.9
The proposed Reliability Standard does not restrict the available transmission
capability or limit use of the Bulk-Power System in a preferential manner.
9. The implementation time for the proposed Reliability Standard is
reasonable.10
The proposed effective dates for the standard are just and reasonable and
appropriately balance the urgency in the need to implement the standards against the
reasonableness of the time allowed for those who must comply to develop necessary
procedures, software, facilities, staffing or other relevant capability.
The implementation plan proposes that EOP-004-2 become effective: (i) in those
jurisdictions where regulatory approval is required, on the first day of the first
calendar quarter that is six months after applicable regulatory approval, or as otherwise
made effective pursuant to the laws applicable to such ERO governmental authorities;
and (ii) in those jurisdictions where no regulatory approval is required, on the first day of
the first calendar quarter that is six months beyond the date the standard is approved by
the Board of Trustees, or as otherwise made effective pursuant to the laws applicable to
such ERO governmental authorities.
9
Order No. 672 at P 332. As directed by section 215 of the FPA, FERC itself will give special attention to
the effect of a proposed Reliability Standard on competition. The ERO should attempt to develop a
proposed Reliability Standard that has no undue negative effect on competition. Among other possible
considerations, a proposed Reliability Standard should not unreasonably restrict available transmission
capability on the Bulk-Power System beyond any restriction necessary for reliability and should not limit
use of the Bulk-Power System in an unduly preferential manner. It should not create an undue advantage
for one competitor over another.
10
Order No. 672 at P 333. In considering whether a proposed Reliability Standard is just and reasonable,
FERC will consider also the timetable for implementation of the new requirements, including how the
proposal balances any urgency in the need to implement it against the reasonableness of the time allowed
for those who must comply to develop the necessary procedures, software, facilities, staffing or other
relevant capability.
This will allow applicable entities adequate time to ensure compliance with the
requirements. The proposed effective dates are explained in the proposed
Implementation Plan, attached as Exhibit C.
10. The Reliability Standard was developed in an open and fair manner and in
accordance with the Commission-approved Reliability Standard development
process.11
The proposed Reliability Standard was developed in accordance with NERC’s
Commission-approved, ANSI-accredited processes for developing and approving
Reliability Standards. Section V, Summary of the Reliability Standard Development
Proceedings, details the processes followed to develop the standard (for a more thorough
review, please see the complete development history included as Exhibit F).
These processes included, among other things, multiple comment periods, pre-ballot review periods, and balloting periods. Additionally, all drafting team meetings
were properly noticed and open to the public. The initial and recirculation ballots both
achieved a quorum and exceeded the required ballot pool approval levels.
11. NERC must explain any balancing of vital public interests in the
development of proposed Reliability Standards.12
NERC has identified no competing public interests regarding the request for
approval of this proposed Reliability Standard. No comments were received that
indicated the proposed standard conflicts with other vital public interests.
11
Order No. 672 at P 334. Further, in considering whether a proposed Reliability Standard meets the legal
standard of review, we will entertain comments about whether the ERO implemented its Commission-approved Reliability Standard development process for the development of the particular proposed
Reliability Standard in a proper manner, especially whether the process was open and fair. However, we
caution that we will not be sympathetic to arguments by interested parties that choose, for whatever reason,
not to participate in the ERO’s Reliability Standard development process if it is conducted in good faith in
accordance with the procedures approved by FERC.
12
Order No. 672 at P 335. Finally, we understand that at times development of a proposed Reliability
Standard may require that a particular reliability goal must be balanced against other vital public interests,
such as environmental, social and other goals. We expect the ERO to explain any such balancing in its
application for approval of a proposed Reliability Standard.
12. Proposed Reliability Standards must consider any other appropriate factors.13
No other negative factors relevant to whether the proposed Reliability Standard is
just and reasonable were identified.
13
Order No. 672 at P 323. In considering whether a proposed Reliability Standard is just and reasonable,
we will consider the following general factors, as well as other factors that are appropriate for the particular
Reliability Standard proposed.
Exhibit B
Proposed Reliability Standard EOP-004-2 Submitted for Approval
EOP-004-2 — Event Reporting
A. Introduction
1. Title: Event Reporting
2. Number: EOP-004-2
3. Purpose: To improve the reliability of the Bulk Electric System by requiring the reporting
of events by Responsible Entities.
4. Applicability:
4.1. Functional Entities: For the purpose of the Requirements and the EOP-004
Attachment 1 contained herein, the following functional entities will be collectively
referred to as “Responsible Entity.”
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Transmission Owner
4.1.4. Transmission Operator
4.1.5. Generator Owner
4.1.6. Generator Operator
4.1.7. Distribution Provider
5. Effective Dates:
The first day of the first calendar quarter that is six months beyond the date that this
standard is approved by applicable regulatory authorities. In those jurisdictions where
regulatory approval is not required, the standard shall become effective on the first day of
the first calendar quarter that is six months beyond the date this standard is approved by
the NERC Board of Trustees, or as otherwise made effective pursuant to the laws applicable
to such ERO governmental authorities.
6. Background:
NERC established a SAR Team in 2009 to investigate and propose revisions to the CIP-001
and EOP-004 Reliability Standards. The team was asked to consider the following:
1. CIP-001 could be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 had some ‘fill-in-the-blank’ components to eliminate.
The development included other improvements to the standards deemed appropriate by
the drafting team, with the consensus of stakeholders, consistent with establishing high
quality, enforceable and technically sufficient Bulk Electric System reliability standards.
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance
and Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009.
The DSR SDT developed a concept paper to solicit stakeholder input regarding the proposed
reporting concepts that the DSR SDT had developed. The posting of the concept paper
sought comments from stakeholders on the “road map” that will be used by the DSR SDT in
updating or revising CIP-001 and EOP-004. The concept paper provided stakeholders the
background information and thought process of the DSR SDT. The DSR SDT has reviewed
the existing standards, the SAR, issues from the NERC issues database and FERC Order 693
Directives in order to determine a prudent course of action with respect to revision of these
standards.
B. Requirements and Measures
R1. Each Responsible Entity shall have an event reporting Operating Plan in accordance with
EOP-004-2 Attachment 1 that includes the protocol(s) for reporting to the Electric
Reliability Organization and other organizations (e.g., the Regional Entity, company
personnel, the Responsible Entity’s Reliability Coordinator, law enforcement, or
governmental authority). [Violation Risk Factor: Lower] [Time Horizon: Operations
Planning]
M1. Each Responsible Entity will have a dated event reporting Operating Plan that includes,
but is not limited to the protocol(s) and each organization identified to receive an event
report for event types specified in EOP-004-2 Attachment 1 and in accordance with the
entity responsible for reporting.
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours of
recognition of meeting an event type threshold for reporting or by the end of the next
business day if the event occurs on a weekend (which is recognized to be 4 PM local time
on Friday to 8 AM Monday local time). [Violation Risk Factor: Medium] [Time Horizon:
Operations Assessment]
M2. Each Responsible Entity will have as evidence of reporting an event, a copy of the
completed EOP-004-2 Attachment 2 form or a DOE-OE-417 form; and evidence of
submittal (e.g., operator log or other operating documentation, voice recording,
electronic mail message, or confirmation of facsimile) demonstrating the event report was
submitted within 24 hours of recognition of meeting the threshold for reporting or by the
end of the next business day if the event occurs on a weekend (which is recognized to be
4 PM local time on Friday to 8 AM Monday local time). (R2)
R3. Each Responsible Entity shall validate all contact information contained in the Operating
Plan pursuant to Requirement R1 each calendar year. [Violation Risk Factor: Medium]
[Time Horizon: Operations Planning]
M3. Each Responsible Entity will have dated records to show that it validated all contact
information contained in the Operating Plan each calendar year. Such evidence may
include, but is not limited to, dated voice recordings and operating logs or other
communication documentation. (R3)
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
The Regional Entity shall serve as the Compliance Enforcement Authority (CEA)
unless the applicable entity is owned, operated, or controlled by the Regional
Entity. In such cases the ERO or a Regional Entity approved by FERC or other
applicable governmental authority shall serve as the CEA.
1.2 Evidence Retention
The Responsible Entity shall keep data or evidence to show compliance as
identified below unless directed by its Compliance Enforcement Authority to
retain specific evidence for a longer period of time as part of an investigation:
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time
since the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period
since the last audit.
• Each Responsible Entity shall retain the current Operating Plan plus each
version issued since the last audit for Requirements R1, and Measure M1.
• Each Responsible Entity shall retain evidence of compliance since the last
audit for Requirements R2, R3 and Measure M2, M3.
If a Responsible Entity is found non-compliant, it shall keep information related
to the non-compliance until mitigation is complete and approved or for the
duration specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
requested and submitted subsequent audit records.
1.3 Compliance Monitoring and Enforcement Processes:
• Compliance Audit
• Self-Certification
• Spot Checking
• Compliance Investigation
• Self-Reporting
• Complaint
1.4 Additional Compliance Information
None
Table of Compliance Elements

R#: R1
Time Horizon: Operations Planning
VRF: Lower
Violation Severity Levels:
Lower VSL: The Responsible Entity had an Operating Plan, but failed to include one applicable event type.
Moderate VSL: The Responsible Entity had an Operating Plan, but failed to include two applicable event types.
High VSL: The Responsible Entity had an Operating Plan, but failed to include three applicable event types.
Severe VSL: The Responsible Entity had an Operating Plan, but failed to include four or more applicable event types.
OR
The Responsible Entity failed to have an event reporting Operating Plan.

R#: R2
Time Horizon: Operations Assessment
VRF: Medium
Violation Severity Levels:
Lower VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 24 hours but less than or equal to 36 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to one entity identified in its event reporting Operating Plan within 24 hours.
Moderate VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 36 hours but less than or equal to 48 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to two entities identified in its event reporting Operating Plan within 24 hours.
High VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 48 hours but less than or equal to 60 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to three entities identified in its event reporting Operating Plan within 24 hours.
Severe VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 60 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to four or more entities identified in its event reporting Operating Plan within 24 hours.
OR
The Responsible Entity failed to submit a report for an event in EOP-004 Attachment 1.

R#: R3
Time Horizon: Operations Planning
VRF: Medium
Violation Severity Levels:
Lower VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by less than one calendar month.
OR
The Responsible Entity validated 75% but less than 100% of the contact information contained in the Operating Plan.
Moderate VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by one calendar month or more but less than two calendar months.
OR
The Responsible Entity validated 50% and less than 75% of the contact information contained in the Operating Plan.
High VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by two calendar months or more but less than three calendar months.
OR
The Responsible Entity validated 25% and less than 50% of the contact information contained in the Operating Plan.
Severe VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by three calendar months or more.
OR
The Responsible Entity validated less than 25% of contact information contained in the Operating Plan.

D. Variances
None.
E. Interpretations
None.
F. References
Guideline and Technical Basis (attached)
EOP-004 - Attachment 1: Reportable Events
NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may not be possible to report the damage caused
by an event and issue a written Event Report within the timing in the table below. In such cases, the affected Responsible Entity
shall notify parties per Requirement R2 and provide as much information as is available at the time of the notification. Submit
reports to the ERO via one of the following: e-mail: systemawareness@nerc.net, Facsimile 404-446-9770 or Voice: 404-446-9780.
Submit EOP-004 Attachment 2 (or DOE-OE-417) pursuant to Requirements R1 and R2.

Event Type: Damage or destruction of a Facility
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator Area that results in actions to avoid a BES Emergency.

Event Type: Damage or destruction of a Facility
Entity with Reporting Responsibility: BA, TO, TOP, GO, GOP, DP
Threshold for Reporting: Damage or destruction of its Facility that results from actual or suspected intentional human action.

Event Type: Physical threats to a Facility
Entity with Reporting Responsibility: BA, TO, TOP, GO, GOP, DP
Threshold for Reporting: Physical threat to its Facility excluding weather or natural disaster related threats, which has the potential to degrade the normal operation of the Facility.
OR
Suspicious device or activity at a Facility.
Do not report theft unless it degrades normal operation of a Facility.

Event Type: Physical threats to a BES control center
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Physical threat to its BES control center, excluding weather or natural disaster related threats, which has the potential to degrade the normal operation of the control center.
OR
Suspicious device or activity at a BES control center.

Event Type: BES Emergency requiring public appeal for load reduction
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: Public appeal for load reduction event.

Event Type: BES Emergency requiring system-wide voltage reduction
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: System wide voltage reduction of 3% or more.

Event Type: BES Emergency requiring manual firm load shedding
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: Manual firm load shedding ≥ 100 MW.

Event Type: BES Emergency resulting in automatic firm load shedding
Entity with Reporting Responsibility: DP, TOP
Threshold for Reporting: Automatic firm load shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding schemes, or SPS/RAS).

Event Type: Voltage deviation on a Facility
Entity with Reporting Responsibility: TOP
Threshold for Reporting: Observed within its area a voltage deviation of ± 10% of nominal voltage sustained for ≥ 15 continuous minutes.

Event Type: IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only)
Entity with Reporting Responsibility: RC
Threshold for Reporting: Operate outside the IROL for time greater than IROL Tv (all Interconnections) or Operate outside the SOL for more than 30 minutes for Major WECC Transfer Paths (WECC only).

Event Type: Loss of firm load
Entity with Reporting Responsibility: BA, TOP, DP
Threshold for Reporting: Loss of firm load for ≥ 15 Minutes:
≥ 300 MW for entities with previous year’s demand ≥ 3,000
OR
≥ 200 MW for all other entities

Event Type: System separation (islanding)
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Each separation resulting in an island ≥ 100 MW

Event Type: Generation loss
Entity with Reporting Responsibility: BA, GOP
Threshold for Reporting: Total generation loss, within one minute, of:
≥ 2,000 MW for entities in the Eastern or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection

Event Type: Complete loss of off-site power to a nuclear generating plant (grid supply)
Entity with Reporting Responsibility: TO, TOP
Threshold for Reporting: Complete loss of off-site power affecting a nuclear generating station per the Nuclear Plant Interface Requirement

Event Type: Transmission loss
Entity with Reporting Responsibility: TOP
Threshold for Reporting: Unexpected loss within its area, contrary to design, of three or more BES Elements caused by a common disturbance (excluding successful automatic reclosing).

Event Type: Unplanned BES control center evacuation
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Unplanned evacuation from BES control center facility for 30 continuous minutes or more.

Event Type: Complete loss of voice communication capability
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Complete loss of voice communication capability affecting a BES control center for 30 continuous minutes or more.

Event Type: Complete loss of monitoring capability
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Complete loss of monitoring capability affecting a BES control center for 30 continuous minutes or more such that analysis capability (i.e., State Estimator or Contingency Analysis) is rendered inoperable.
EOP-004 - Attachment 2: Event Reporting Form
Use this form to report events. The Electric Reliability Organization will accept the DOE OE-417 form
in lieu of this form if the entity is required to submit an OE-417 report. Submit reports to the ERO via
one of the following: e-mail: systemawareness@nerc.net, Facsimile 404-446-9770 or voice: 404-446-9780.

Task / Comments

1. Entity filing the report include:
   Company name:
   Name of contact person:
   Email address of contact person:
   Telephone Number:
   Submitted by (name):

2. Date and Time of recognized event.
   Date: (mm/dd/yyyy)
   Time: (hh:mm)
   Time/Zone:

3. Did the event originate in your system?
   Yes / No / Unknown

4. Event Identification and Description:
   (Check applicable box)
   Damage or destruction of a Facility
   Physical Threat to a Facility
   Physical Threat to a control center
   BES Emergency:
      public appeal for load reduction
      system-wide voltage reduction
      manual firm load shedding
      automatic firm load shedding
   Voltage deviation on a Facility
   IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only)
   Loss of firm load
   System separation
   Generation loss
   Complete loss of off-site power to a nuclear generating plant (grid supply)
   Transmission loss
   unplanned control center evacuation
   Complete loss of voice communication capability
   Complete loss of monitoring capability
   Written description (optional):
Guideline and Technical Basis
Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this
standard. The team realizes that not all DPs will own BES Facilities and will not meet the
“Threshold for Reporting” for any event listed in Attachment 1. These DPs will not have any
reports to submit under Requirement R2. However, these DPs will be responsible for meeting
Requirements R1 and R3. The DSR SDT does not intend for these entities to have a detailed
Operating Plan to address events that are not applicable to them. In this instance, the DSR SDT
intends for the DP to have a very simple Operating Plan that includes a statement that there are
no applicable events in Attachment 1 (to meet R1) and that the DP will review the list of events
in Attachment 1 each year (to meet R3). The team does not think this will be a burden on any
entity as the development and annual validation of the Operating Plan should not take more
than 30 minutes on an annual basis. If a DP discovers applicable events during the annual
review, it is expected that the DP will develop a more detailed Operating Plan to comply with
the requirements of the standard.
Multiple Reports for a Single Organization
For entities that have multiple registrations, the DSR SDT intends that these entities will only
have to submit one report for any individual event. For example, if an entity is registered as a
Reliability Coordinator, Balancing Authority and Transmission Operator, the entity would only
submit one report for a particular event rather than submitting three reports as each individual
registered entity.
Summary of Key Concepts
The DSR SDT identified the following principles to assist them in developing the standard:
• Develop a single form to report disturbances and events that threaten the reliability of
the Bulk Electric System
• Investigate other opportunities for efficiency, such as development of an electronic
form and possible inclusion of regional reporting requirements
• Establish clear criteria for reporting
• Establish consistent reporting timelines
• Provide clarity around who will receive the information and how it will be used
During the development of concepts, the DSR SDT considered the FERC directive to “further
define sabotage”. There was concern among stakeholders that a definition may be ambiguous
and subject to interpretation. Consequently, the DSR SDT decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act
or event was sabotage or vandalism without the intervention of law enforcement. The DSR SDT
felt that attempting to define sabotage would result in further ambiguity with respect to
reporting events. The term “sabotage” is no longer included in the standard. The events listed
in EOP-004 Attachment 1 were developed to provide guidance for reporting both actual events
as well as events which may have an impact on the Bulk Electric System. The DSR SDT believes
that this is an equally effective and efficient means of addressing the FERC Directive.
The types of events that are required to be reported are contained within EOP-004 Attachment
1. The DSR SDT has coordinated with the NERC Events Analysis Working Group to develop the
list of events that are to be reported under this standard. EOP-004 Attachment 1 pertains to
those actions or events that have impacted the Bulk Electric System. These events were
previously reported under EOP-004-1, CIP-001-1 or the Department of Energy form OE-417.
EOP-004 Attachment 1 covers similar items that may have had an impact on the Bulk Electric
System or have the potential to have an impact and should be reported.
The DSR SDT wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in EOP-004 Attachment 1. Real-time
communication is covered in other standards. The proposed standard deals
exclusively with after-the-fact reporting.
Data Gathering
The requirements of EOP-004-1 require that entities “promptly analyze Bulk Electric System
disturbances on its system or facilities” (Requirement R2). The requirements of EOP-004-2
specify that certain types of events are to be reported but do not include provisions to analyze
events. Events reported under EOP-004-2 may trigger further scrutiny by the ERO Events
Analysis Program. If warranted, the Events Analysis Program personnel may request that more
data for certain events be provided by the reporting entity or other entities that may have
experienced the event. Entities are encouraged to become familiar with the Events Analysis
Program and the NERC Rules of Procedure to learn more about the expectations of the
program.
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to improve the reliability of the Bulk Electric System by
requiring the reporting of events by Responsible Entities. Certain outages, such as those due to
vandalism and terrorism, may not be reasonably preventable. These are the types of events
that should be reported to law enforcement. Entities rely upon law enforcement agencies to
respond to and investigate those events which have the potential to impact a wider area of the
BES. The inclusion of reporting to law enforcement enables and supports reliability principles
such as protection of the Bulk Electric System from malicious physical attack. Awareness of
the threats around the BES is essential to effective operation and to planning to
mitigate the potential risk to the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO), Regional Entity
• FERC
• DOE
• NRC
• DHS – Federal
• Homeland Security – State
• State Regulators
• Local Law Enforcement
• State or Provincial Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP)
The above stakeholders have an interest in the timely notification, communication and
response to an incident at a Facility. The stakeholders have various levels of accountability and
have a vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001-1a:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The CIP-001-1a standard requires a liaison relationship on behalf of the
industry and the FBI or RCMP. These requirements of the industry, under the standard, have
not been clear and have led to misunderstandings and confusion in the industry as to how to
demonstrate that the liaison is in place and effective. As an example of proof of compliance
with Requirement R4, Responsible Entities have asked FBI Office personnel to provide, on FBI
letterhead, confirmation of the existence of a working relationship to report acts of sabotage,
the number of years the liaison relationship has been in existence, and the validity of the
telephone numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being established
in 1980. JTTFs are small cells of highly trained, locally based, committed investigators, analysts,
linguists, SWAT experts, and other specialists from dozens of U.S. law enforcement and
intelligence agencies. The JTTF is a multi-agency effort led by the Justice Department and FBI
designed to combine the resources of federal, state, and local law enforcement. Coordination
and communications occur largely through the interagency National Joint Terrorism Task Force,
working out of FBI Headquarters, which makes sure that information and intelligence flow
freely among the local JTTFs. This information flow can be most beneficial to the industry in
analytical intelligence, incident response and investigation. Historically, the most immediate
response to an industry incident has come from local and state law enforcement agencies
responding to suspected vandalism and criminal damages at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The
Provincial law enforcement agency has a reporting relationship with the Royal Canadian
Mounted Police (RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator and the SDT
Chair is reflected in the flowchart below (Reporting Hierarchy for Reportable Events).
Essentially, reporting an event to law enforcement agencies will only require the industry to
notify the state or provincial or local level law enforcement agency. The state or provincial or
local level law enforcement agency will coordinate with law enforcement with jurisdiction to
investigate. If the state or provincial or local level law enforcement agency decides federal
agency law enforcement or the RCMP should respond and investigate, the state or provincial or
local level law enforcement agency will notify and coordinate with the FBI or the RCMP.
[Flowchart: Example of Reporting Process including Law Enforcement. Starting box: "Entity Experiencing An Event in Attachment 1". Decision points: "Report to Law Enforcement?" (NO / YES) and "Criminal act invoking federal jurisdiction?" (NO / YES). Other boxes: "Refer to Ops Plan for Reporting"; "Refer to Ops Plan for communicating to law enforcement"; "Communicate to Law Enforcement"; "Report Event to ERO, Reliability Coordinator"; "Notification Protocol to State Agency Law Enforcement"; "State Agency Law Enforcement coordinates as appropriate with FBI"; "ERO conducts investigation"; "ERO Events Analysis"; "ERO Reports Applicable Events to FERC Per Rules of Procedure"; "State Agency Law Enforcement Investigates"; "State Agency Law Enforcement notifies FBI"; "FBI Responds and makes notification to DHS".]
* Canadian entities will follow law enforcement protocols applicable in their jurisdictions
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and has
developed updated standards based on the SAR.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The changes do not include any real-time operating notifications for the types of events
covered by CIP-001 and EOP-004. The real-time reporting requirements are achieved through
the RCIS and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies).
These standards deal exclusively with after-the-fact reporting.
The DSR SDT has consolidated disturbance and sabotage event reporting under a single
standard. These two components and other key concepts are discussed in the following
sections.
Summary of Concepts and Assumptions:
The Standard:
• Requires reporting of “events” that impact or may impact the reliability of the Bulk
Electric System
• Provides clear criteria for reporting
• Includes consistent reporting timelines
• Identifies appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provides clarity around who will receive the information
Discussion of Disturbance Reporting
Disturbance reporting requirements existed in the previous version of EOP-004. The current
approved definition of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria were in the previous EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of events that are to be reported under this standard (EOP-004 Attachment
1).
Discussion of Event Reporting
There are situations worthy of reporting because they have the potential to impact reliability.
Event reporting facilitates industry awareness, which allows potentially impacted parties to
prepare for and possibly mitigate any associated reliability risk. It also provides the raw
material, in the case of certain potential reliability threats, to see emerging patterns.
Examples of such events include:
• Bolts removed from transmission line structures
• Train derailment adjacent to a Facility that either could have damaged a Facility directly
or could indirectly damage a Facility (e.g. flammable or toxic cargo that could pose fire
hazard or could cause evacuation of a control center)
• Destruction of Bulk Electric System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electric System using the event
categorization in this standard, it will be easier to get the relevant information for mitigation,
awareness, and tracking, while removing the distracting element of motivation.
Certain types of events should be reported to NERC, the Department of Homeland Security
(DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law enforcement.
Other types of events may have different reporting requirements. For example, an event that is
related to copper theft may only need to be reported to the local law enforcement authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. The standard requires Functional entities to report
the incidents and provide known information at the time of the report. Further data gathering
necessary for event analysis is provided for under the Events Analysis Program and the NERC
Rules of Procedure. Other entities (e.g., NERC, Law Enforcement, etc.) will be responsible for
performing the analyses. The NERC Rules of Procedure (section 800) provide an overview of
the responsibilities of the ERO with regard to analysis and dissemination of information for
reliability. Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial
Regulators, and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT has updated the listing of reportable events in EOP-004
Attachment 1 based on discussions with jurisdictional agencies, NERC, Regional Entities and
stakeholder input. There is a possibility that regional differences still exist.
The reporting required by this standard is intended to meet the uses and purposes of NERC.
The DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information should not be
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be sent to the NERC in lieu of entering
that information on the NERC report.
Rationale:
During development of this standard, text boxes were embedded within the standard to explain
the rationale for various parts of the standard. Upon BOT approval, the text from the rationale
text boxes was moved to this section.
Rationale for R1:
The requirement to have an Operating Plan for reporting specific types of events provides the
entity with a method to have its operating personnel recognize events that affect reliability and
to be able to report them to appropriate parties; e.g., Regional Entities, applicable Reliability
Coordinators, and law enforcement and other jurisdictional agencies when so recognized. In
addition, these event reports are an input to the NERC Events Analysis Program. These other
parties use this information to promote reliability, develop a culture of reliability excellence,
provide industry collaboration and promote a learning organization.
Every Registered Entity that owns or operates elements or devices on the grid has a formal or
informal process, procedure, or steps it takes to gather information regarding what happened
when events occur. This requirement has the Responsible Entity establish documentation on
how that procedure, process, or plan is organized. This documentation may be a single
document or a combination of various documents that achieve the reliability objective.
The communication protocol(s) could include a process flowchart, identification of internal and
external personnel or entities to be notified, or a list of personnel by name and their associated
contact information. An existing procedure that meets the requirements of CIP-001-2a may be
included in this Operating Plan along with other processes, procedures or plans to meet this
requirement.
Rationale for R2:
Each Responsible Entity must report and communicate events according to its Operating Plan
based on the information in EOP-004-2 Attachment 1. By implementing the event reporting
Operating Plan the Responsible Entity will assure situational awareness to the Electric Reliability
Organization so that they may develop trends and prepare for a possible next event and
mitigate the current event. This will assure that the BES remains secure and stable by
mitigation actions that the Responsible Entity has within its function. By communicating events
per the Operating Plan, the Responsible Entity will assure that people/agencies are aware of
the current situation and they may prepare to mitigate current and further events.
Rationale for R3:
Requirement 3 calls for the Responsible Entity to validate the contact information contained in
the Operating Plan each calendar year. This requirement helps ensure that the event reporting
Operating Plan is up to date and entities will be able to effectively report events to assure
situational awareness to the Electric Reliability Organization. If an entity experiences an actual
event, communication evidence from the event may be used to show compliance with the
validation requirement for the specific contacts used for the event.
Rationale for EOP-004 Attachment 1:
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System Element
(e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any other
facility (not a defined term) that one might consider in everyday discussions regarding the grid.
This is intended to mean ONLY a Facility as defined above.
Version History
Version | Date | Action | Change Tracking
2 | | Merged CIP-001-2a Sabotage Reporting and EOP-004-1 Disturbance Reporting into EOP-004-2 Event Reporting; Retire CIP-001-2a Sabotage Reporting and Retired EOP-004-1 Disturbance Reporting. | Revision to entire standard (Project 2009-01)
2 | November 7, 2012 | Adopted by the NERC Board of Trustees |
Exhibit C
Implementation Plan for Proposed Reliability Standard EOP-004-2 Submitted for Approval
Implementation Plan
Project 2009-01 Disturbance and Sabotage Reporting
Implementation Plan for EOP-004-2 – Event Reporting
Approvals Required
EOP-004-2 – Event Reporting
Prerequisite Approvals
None
Revisions to Glossary Terms
None
Applicable Entities
Reliability Coordinator
Balancing Authority
Transmission Owner
Transmission Operator
Generator Owner
Generator Operator
Distribution Provider
Conforming Changes to Other Standards
None
Effective Dates
In those jurisdictions where regulatory approval is required, this standard shall become effective on the
first day of the first calendar quarter that is six months after applicable regulatory approval or as
otherwise made effective pursuant to the laws applicable to such ERO governmental authorities. In
those jurisdictions where no regulatory approval is required, this standard shall become effective on the
first day of the first calendar quarter that is six months beyond the date this standard is approved by the
Board of Trustees, or as otherwise made effective pursuant to the laws applicable to such ERO
governmental authorities.
Retirements
EOP-004-1 – Disturbance Reporting and CIP-001-2a – Sabotage Reporting should be retired at midnight
of the day immediately prior to the Effective Date of EOP-004-2 in the particular jurisdiction in which
the new standard is becoming effective.
Exhibit D
Consideration of Comments
Project 2009-01
Disturbance and Sabotage Reporting
Related Files
Status:
Adopted by the Board of Trustees on November 6, 2012, pending regulatory
approval.
Background:
This project will entail revision to the following existing standards:
• CIP-001-1 – Sabotage Reporting
• EOP-004-1 – Disturbance Reporting
Stakeholders have indicated that identifying potential acts of “sabotage” is
difficult to do in real time, and additional clarity is needed to identify thresholds
for reporting potential acts of sabotage in CIP-001-1. Stakeholders have also
reported that EOP-004-1 has some requirements that reference out-of-date
Department of Energy forms, making the requirements ambiguous. EOP-004-1
also has some ‘fill-in-the-blank’ components to eliminate.
The project will include addressing previously identified stakeholder concerns and
FERC directives; will bring the standards into conformance with the latest
approved version of the ERO Rules of Procedure; and may include other
improvements to the standards deemed appropriate by the drafting team, with
the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards.
Draft | Action | Dates | Results
Draft 6, EOP-004-2 | Recirculation Ballot and Non-binding Poll | 10/24/12 - 11/05/12 (closed) | Consideration of Comments
Draft 5, EOP-004-2 | Successive Ballot and Non-binding Poll | 09/18/12 - 09/27/12 (closed) | Consideration of Comments (7)
Draft 5, EOP-004-2 | Comment Period | 08/29/12 - 09/27/12 (closed) |
Draft 4, EOP-004-2 | Successive Ballot and Non-binding Poll | 05/15/12 - 05/24/12 (closed) | Consideration of Comments (6)
Draft 4, EOP-004-2 | Comment Period | 04/25/12 - 05/24/12 (closed) |
Draft 3, EOP-004-2 | Join Ballot Pools | 10/28/11 - 11/28/11 (closed) |
Draft 3, EOP-004-2 | Formal Comment Period | 10/28/11 - 12/12/11 (closed) | Consideration of Comments (5)
Draft 3, EOP-004-2 | Initial Ballot and Non-Binding Poll | 12/02/11 - 12/12/11 (closed) |
Draft 2, EOP-004-2 | Formal Comment Period | 03/09/11 - 04/08/11 | Consideration of Comments (4)
Draft 1, EOP-004-2 | Informal Comment Period | 09/15/10 - 10/15/10 | Consideration of Comments (3)
Concept Paper, Disturbance and Sabotage Reporting | Comment Period | 03/17/10 - 04/16/10 (closed) | Consideration of Comments (2)
Nominations for Standard Drafting Team | Submit Nomination | 09/16/09 - 09/30/09 (closed) |
Disturbance and Sabotage Reporting SAR 2 | | |
Nominations for SAR Drafting Team | Submit Nomination | 04/29/09 - 05/13/09 (closed) |
Proposed SAR, Draft SAR Version 1 | Comment Period | 04/22/09 - 05/21/09 (closed) | Consideration of Comments (1)
Consideration of Comments on Project 2009-01 — SAR for Disturbance and
Sabotage Reporting
The Disturbance and Sabotage Reporting SAR Drafting Team (DSR SAR DT) thanks all
commenters who submitted comments on the first draft SAR. The SAR was posted for a 30-day
public comment period from April 22, 2009 through May 21, 2009. The stakeholders
were asked to provide feedback on the documents through a special Electronic Comment
Form. There were 40 sets of comments, including comments from more than 120 different
people from over 60 companies representing 9 of the 10 Industry Segments as shown in the
table on the following pages.
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
The majority of stakeholders agree that there is a reliability related need to support
modifying CIP-001-1 and EOP-004-1. The stakeholders who provided comments
predominantly agreed with the reliability-related reason for the SAR but offered the
following concerns:
1) Concerns with applicability of the requirements: The SAR DT notes that applicability
will be determined by the final requirements that are written for the standard.
2) Concerns on combining the standards: The SAR DT notes that the Purpose of the
SAR indicates that the standards may be merged to eliminate redundancy and
provide clarity. It will be up to the Standard Drafting team to make this
determination through the Standard Development Process (with stakeholder input).
3) Concerns with the definition of sabotage and the inclusion of vandalism, thresholds
for defining sabotage, etc.
4) Concerns on onerous or duplicative reporting: The Brief Description section of the
SAR states “Specific references to the DOE form need to be eliminated”. This should
address these concerns.
The SAR DT does not feel that the SAR should be revised based on these comments. The
SAR DT will forward these comments to the Standard Drafting Team for its consideration in
the drafting of the standards.
The majority of stakeholders agree with the scope of the SAR. Several stakeholders offered
suggestions for items to include in the SAR; however, the SAR DT believes that these
comments may be too prescriptive to include with the SAR. The team feels that inclusion of
these types of comments would prevent the Standard Drafting Team from having the ability
to develop standard(s) based on stakeholder consensus. The SAR DT will forward these
comments to the Standard Drafting Team for its consideration. Some of the comments
received include:
1) The inclusion of specific definitions in the SAR (operating personnel, sabotage
events, obligations): The SAR DT believes that this would be too prescriptive and
believes that this should be addressed by the Standard Drafting Team.
2) Consolidate documents covering reporting requirements: The SAR DT agrees and
suggests that the Standard Drafting Team investigate a “one-stop-shopping”
solution for the various reports required, including the DOE report.
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
Stakeholders did not identify any associated business practices for consideration under the
SAR. One stakeholder identified a related standard that references multi-site sabotage.
The team has included a reference to TOP-005, section 2.9 (Appendix 1) in the SAR under
Related Standards. Two stakeholders suggested that Business Practices should not be
considered in a standard. The SAR DT notes that standard development projects must not
invalidate business practices that are already in place, and that this aids in coordination
with the North American Energy Standards Board (NAESB).
Many stakeholders had comments regarding applicability of the two standards. Based on
these comments, the SAR DT has added Transmission Owner, Generator Owner and
Distribution Provider to the Applicability section of the SAR as possible entities in the
standard(s) developed under this SAR as the Standard Drafting team may have a need to
include them in the standard(s). The applicability of Load-Serving Entity or Distribution
Provider will ultimately be determined by the Standard Drafting Team as it develops the
requirements through the Standard Development Process. The three main comments were:
1) Regional Reliability Organization applicability: Several commenters do not feel the
RRO should be in the standards. The DSR SAR DT concurs and notes that the SAR
states that “EOP-004 has some ‘fill-in-the-blank’ components to eliminate”. This will
remove the RRO from applicability.
2) Load-Serving Entity/Distribution Provider: Several stakeholders do not feel that the
standards should be applicable to LSEs, but should apply to Distribution Providers.
NERC has recognized, through its Compliance Registry, that there are asset owning
LSEs and non-asset owning LSEs. The SAR DT believes that an asset owning LSE
may be a Distribution Provider based on the Functional Model v4. The team has
added DP to the applicability of the standard as the Standard Drafting team may
have a need to include them in the standard(s). The applicability of LSE or
Distribution Provider will ultimately be determined by the Standard Drafting Team as
it develops the requirements through the Standard Development Process.
3) Transmission Owner/Generator Owner: Several stakeholders have indicated a need
to include the TO as an applicable entity. A couple of those would also include the
GO. The SAR DT discussed the addition of the TO and GO. The team has a concern
that there may be duplication of requirements between the TO/TOP and GO/GOP if
the TO and GO are added to the SAR. That being said, the team added the TO and
GO to the applicability of the SAR so that the Standard Drafting team may consider
these entities for applicability. The applicability of requirements will ultimately be
determined by the Standard Drafting Team as it develops the requirements through
the Standard Development Process.
Stakeholders provided many good comments that should be considered in the development
of the standards under this project. The SAR DT does not believe that these comments
require any significant revisions to the SAR, but will forward these comments to the
Standard Drafting Team for its consideration in drafting the standard(s). The comments
include:
1) Consolidation of reports: The SAR DT agrees with this concept and will forward the
comment to the Standard Drafting Team for its consideration.
2) Concerns about pre-determination of combining CIP-001 and EOP-004 into one
standard: The SAR states: CIP-001 may be merged with EOP-004 to eliminate
redundancies. The two standards may be left separate.
3) Reporting criteria in multiple tables: The team agrees that it would be easier if there
were only one table. Part of the scope of this project is to eliminate redundancies
and make general improvements to the standard. The team also agrees that the
requirements developed should be clear in their reliability objective.
If you feel that your comment has been overlooked, please let us know immediately. Our
goal is to give every comment serious consideration in this process! If you feel there has
been an error or omission, you can contact the Vice President and Director of Standards,
Gerry Adamski, at 609-452-8060 or at gerry.adamski@nerc.net. In addition, there is a
NERC Reliability Standards Appeals Process. 1
1 The appeals process is in the Reliability Standards Development Procedures:
http://www.nerc.com/standards/newstandardsprocess.html.
Index to Questions, Comments, and Responses
1. Do you agree that there is a reliability-related reason to support modifying CIP-001-1
and EOP-004-1? If not, please explain in the comment area.
2. Do you agree with the scope of the proposed SAR? If not, please explain what should
be added or deleted to the proposed scope.
3. Are you aware of any associated business practices that we should consider with this
SAR? If yes, please explain in the comment area.
4. CIP-001-1 applies to the Reliability Coordinator, Transmission Operator, Balancing
Authority, Generator Operator, and the Load-serving Entity. EOP-004-1 applies to the
same entities, plus the Regional Reliability Organization. Do you agree with the
applicability of the existing CIP-001-1 and the existing EOP-004-1? If no, please
identify what you believe should be modified.
5. If you have any other comments on the SAR or proposed modifications to CIP-001-1
and EOP-004-1 that you haven’t provided in response to the previous questions, please
provide them here.
August 13, 2009
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Commenter
Organization
Industry Segment
1
1.
Group
Jim Case
SERC OC Standards Review Group
Additional Member
X
Additional Organization
2
3
4
5
6
7
9
10
X
Region
Segment Selection
1. Al McMeekin
SCE&G
SERC
1, 3, 5
2. Eugene Warnecke
Ameren
SERC
1, 3, 5
3. Gary Hutson
SMEPA
SERC
1, 3, 5
4. Melinda Montgomery
Entergy
SERC
1, 3
5. Tom Sims
Southern
SERC
1, 3, 5
6. Marc Butts
Southern
SERC
1, 3, 5
7. Chris Bradley
BREC
SERC
1, 3, 5
8. Tom Kanzlik
SCE&G
SERC
1, 3, 5
9. Paul Turner
Ga Systems Operations Corp.
SERC
3
10. Phil Creech
Progress Energy Carolinas
SERC
1, 3, 5
11. Vicky Budreau
SCPSA
SERC
1, 3, 5, 9
12. Renee Free
SCPSCA
SERC
9
13. Mike Clements
TVA
SERC
1, 3, 5, 9
14. Travis Sykes
TVA
SERC
1, 3, 5
August 13, 2009
8
5
Consideration of Comments on Project 2009-01 — SAR for Disturbance and Sabotage Reporting
Commenter
Organization
Industry Segment
1
15. John Troha
2.
SERC
Group
Harry Tom
3
4
5
RFC
Project 2007-02 Operating Personnel Comms
Protocols SDT
Additional Member
2
X
Additional Organization
6
7
X
X
Region
GSOC
SERC
1
HydroOne
NPCC
1, 9
3. Alan Allgower
ERCOT
ERCOT
10
4. Harvie Beavers
Colmac Clarion/Piney Creek LP
RFC
5
5. Mark L. Bradley
ITC
MRO
1
6. Mike Brost
JEA
FRCC
1
7. William D Ellard
CAISO
WECC
10
8. Ronald Goins
MISO
MRO
10
9. Leanne Harrison
PJM
RFC
10
10. James McGovern
ISO-NE
NPCC
10
11. Wayne Mitchell
Entergy
SERC
1
12. John Stephens
City Utilities of Springfield
RFC
1
13. Fred Waites
Southern Company
SERC
1
Kenneth D. Brown
Additional Member
PSEG Enterprise Group Inc Companies
X
Additional Organization
Region
RFC
5
2. James Hebson
PSEG Energy Resources & Trade
RFC
6
3. Gary Grysko
PSEG Power Connecticut
NPCC
5
4. Dominic DiBari
PSEG Texas LLC
ERCOT
5
Guy Zito
Additional Member
Northeast Power Coordinating Council
X
Additional Organization
Region
Segment Selection
1. Ralph Rufrano
New York Power Authority
NPCC
5
2. Alan Adamson
New York State Reliability Council
NPCC
10
August 13, 2009
X
Segment Selection
PSEG Fossil LLC
Group
X
X
1. Clint Bogan
4.
10
Segment Selection
2. Tom Irvine
Group
9
10
1. Lloyd Snyder
3.
8
6
Consideration of Comments on Project 2009-01 — SAR for Disturbance and Sabotage Reporting
Commenter
Organization
Industry Segment
1
2
3
4
5
6
7
3. Greg Campoli
New York Independent System Operator
NPCC
2
4. Roger Champagne
Hydro-Quebec TransEnergie
NPCC
2
5. Kurtis Chong
Independent Electricity System Operator
NPCC
2
6. Sylvain Clermont
Hydro-Quebec TransEnergie
NPCC
1
7. Manuel Couto
National Grid
NPCC
1
8. Chris de Graffenried
Consolidated Edison Co. of New York, Inc.
NPCC
1
9. Brian Evans-Mongeon
Utility Services
NPCC
8
10. Mike Garton
Dominion Resources Services, inc.
NPCC
5
11. Mike Gildea
Constellation Energy
NPCC
6
12. Brian Gooder
Ontario Power Generation Incorporated
NPCC
5
13. Kathleen Goodman
ISO - New England
NPCC
2
14. David Kiguel
Hydro One Networks, Inc.
NPCC
1
15. Michael Lombardi
Northeast Utilities
NPCC
1
16. Randy MacDonald
New Brunswick System Operator
NPCC
2
17. Bruce Metruck
New York Power Authority
NPCC
6
18. Robert Pellegrini
The United Illuminating Company
NPCC
1
19. Michael Schiavone
National Grid
NPCC
1
20. Michael Sonnelitter
FPL Energy/NextEra Energy
NPCC
5
21. Peter Yost
Consolidated Edison Co. of New York, Inc.
NPCC
3
22. Lee Pedowicz
Northeast Power Coordinating Council
NPCC
10
23. Gerry Dunbar
Northeast Power Coordinating Council
NPCC
10
5.
Group
Michael Gammon
Additional Member
Kansas City Power & Light
X
X
Additional Organization
Region
X
SPP
1, 3, 5, 6
2. John Breckenridge
Kansas City Power & Light
SPP
1, 3, 5, 6
Ben Li
Additional Member
August 13, 2009
IRC Standards Review Committee
Additional Organization
10
Segment Selection
Kansas City Power & Light
Group
9
X
1. Joe Doetzl
6.
8
X
Region
Segment Selection
7
Consideration of Comments on Project 2009-01 — SAR for Disturbance and Sabotage Reporting
Commenter
Organization
Industry Segment
1
2
3
4
5
6
7
1. James Castle
NYISO
NPCC
2
2. Charles Yeung
SPP
SPP
2
3. Anita Lee
AESO
WECC
2
4. Matt Goldberg
ISO-NE
NPCC
2
5. Bill Phillips
MISO
MRO
2
6. Steve Myers
ERCOT
ERCOT
2
7. Lourdes Estrada-Salinero
CAISO
WECC
2
7.
Group
Richard Kafka
Pepco Holdings, Inc. - Affiliates
Additional Member
X
Additional Organization
X
X
Region
RFC
5
2. Tony Gabrielli
Conectiv Energy Supply, Inc.
RFC
5
3. George Gacser
Potomac Electric Power Co.
RFC
1, 3, 5
4. E. W. Stowe
Pepco Holdings, Inc
RFC
1, 3, 5
5. Mark Godfrey
Pepco Holdings, Inc
RFC
1, 3
Sam Ciccone
FirstEnergy
Additional Member
X
Additional Organization
X
X
X
X
Region
Segment Selection
1. Jim Eckels
FE
RFC
1
2. John Martinez
FE
RFC
1
3. John Reed
FE
RFC
1
4. Dave Folk
FE
RFC
1, 3, 4, 5, 6
5. Doug Hohlbaugh
FE
RFC
1, 3, 4, 5, 6
6. Larry Hartley
FE
RFC
3
9.
Group
Jalal Babik
Additional Member
Electric Market Policy
X
Additional Organization
X
Region
X
X
Segment Selection
1. Louis Slade
SERC
6
2. Mike Garton
NPCC
5
August 13, 2009
10
Segment Selection
Conectiv Energy Supply, Inc.
Group
9
X
1. Kara Dundas
8.
8
8
Consideration of Comments on Project 2009-01 — SAR for Disturbance and Sabotage Reporting
Commenter
Organization
Industry Segment
1
10.
Group
Denise Koehn
Bonneville Power Administration
Additional Member
1. Theodore Snodgrass
11.
Group
Michael Brytowski
X
Additional Organization
Dispatch
2
3
4
X
5
6
X
X
Region
7
9
10
Segment Selection
WECC
1
MRO NERC Standards Review Subcommittee
Additional Member
X
Additional Organization
Region
Segment Selection
1. Carol Gerou | MRO | MRO | 10
2. Neal Balu | WPS | MRO | 3, 4, 5, 6
3. Pam Sordet | XCEL | MRO | 1, 3, 5, 6
4. Joe DePoorter | MGE | MRO | 3, 4, 5, 6
5. Ken Goldsmith | ALTW | MRO | 4
6. Jim Haigh | WAPA | MRO | 1, 6
7. Terry Harbour | MEC | MRO | 1, 3, 5, 6
8. Joseph Knight | GRE | MRO | 1, 3, 5, 6
9. Scott Nickels | RPU | MRO | 3, 4, 5, 6
10. Dave Rudolph | BEPC | MRO | 1, 3, 5, 6
11. Eric Ruskamp | LES | MRO | 1, 3, 5, 6
12. Individual | Stephen V. Fisher | Lands Energy Consulting
13. Individual | Brent Hebert | Calpine Corporation
X
14. Individual | Steve Toth | Covanta
X
15. Individual | Harvie Beavers | Colmac Clarion
X
16. Individual | Russell A. Noble | Cowlitz County PUD
17. Individual | Michael Puscas | United Illuminating
18. Individual | George Pettyjohn | Reliant Energy
8
X
X
X
X
19. Individual | Judith A. James | Texas Regional Entity
20. Individual | Edward C. Stein | self
21. Individual | Chris Scanlon | Exelon
22. Individual | Mike Davis | WECC
23. Individual | Jimmy Hartmann | ERCOT ISO
24. Individual | Rick Terrill | Luminant Power
25. Individual | Rao Somayajula | ReliabilityFirst Corporation
26. Individual | Tony Kroskey | Brazos Electric Power Cooperative, Inc.
X
27. Individual | Paul Golden | PacifiCorp
X
28. Individual | Terry Harbour | MidAmerican Energy
X
29. Individual | Darryl Curtis | Oncor Electric Delivery
X
30. Individual | Chris de Graffenried on behalf of Con Edison & O&R | Consolidated Edison Co. of New York, Inc.
X
31. Individual | Wayne Pourciau | Georgia System Operations Corp.
32. Individual | Bob Thomas | Illinois Municipal Electric Agency
33. Individual | Kasia Mihalchuk | Manitoba Hydro
X
X
X
X
34. Individual | Jim Sorrels | AEP
X
X
X
X
7
8
9
10
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
35. Individual | Greg Rowland | Duke Energy
36. Individual | Howard Rulf | We Energies
X
X
X
37. Individual | Jianmei Chai | Consumers Energy Company
X
X
X
38. Individual | Mike Sonnelitter | NextEra Energy Resources, LLC
39. Individual | D. Bryan Guy | Progress Energy
X
X
X
40. Individual | Kirit Shah | Ameren
X
X
X
X
X
7
8
9
10
X
X
1. Do you agree that there is a reliability-related reason to support modifying CIP-001-1 and EOP-004-1? If not,
please explain in the comment area.
Summary Consideration: The majority of stakeholders agree that there is a reliability-related need to support modifying CIP-001-1 and EOP-004-1. Of those stakeholders providing comments, they predominantly agreed with the reliability-related
reason for the SAR but offered the following concerns:
1) Applicability of the requirements: The SAR DT notes that applicability will be determined by the final requirements that are
written for the standard.
2) Combining the standards: The SAR DT notes that the Purpose of the SAR indicates that the standards may be merged to
eliminate redundancy and provide clarity. It will be up to the Standard Drafting team to make this determination through
the Standard Development Process (with stakeholder input).
3) Definition of sabotage and the inclusion of vandalism, thresholds for defining sabotage, etc.
4) Onerous or duplicative reporting: The Brief Description section of the SAR states “Specific references to the DOE form need
to be eliminated”. This should address any concerns.
The SAR DT will forward these comments to the Standard Drafting Team for its consideration in the drafting of the standards.
Organization
Yes or No
Question 1 Comment
SERC OC Standards Review Group
No
The EOP-004-1 standard is an unnecessary duplication of existing DOE reporting requirements. This essentially exposes
an entity to fines by NERC, enforced by FERC, for failure to comply with a DOE regulation, which seems improper to us.
In addition, reporting requirements do not have an impact on the reliability of the BES.
Response: The DSR SAR DT thanks you for your comment. The Brief Description section of the SAR states “Specific references to the DOE form
need to be eliminated”.
MidAmerican Energy
No
MidAmerican Energy believes only EOP-004-1 is confusing and needs to be modified or clarified. There is no need to
combine the two standards. Standard EOP-004 could be clarified to eliminate references to sabotage which are already
covered by CIP-001-1. Standard EOP-004 should be strictly limited to system events, not sabotage.
Response: The DSR SAR DT thanks you for your comment. The SAR DT notes that the Purpose of the SAR indicates that the standards may be
merged to eliminate redundancy and provide clarity. It will be up to the Standard Drafting Team to make this determination through the Standard
Development Process (with stakeholder input).
Bonneville Power Administration
No
Eliminating a single standard by consolidating two standards does not improve reliability. All of the defined actions are
indeed being taken now.
Response: The DSR SAR DT thanks you for your comment. The SAR DT notes that the Purpose of the SAR indicates that the standards may be
merged to eliminate redundancy and provide clarity. It will be up to the Standard Drafting team to make this determination through the Standard
Development Process (with stakeholder input).
Progress Energy
No
No. It is not clear that the issues listed in a revised standard will improve reliability. Revision based on redundancy is not
sufficient reason for combination. Extensive documentation efforts have been made to comply with the current Standards.
Unless combining these Standards provides compelling Reliability benefit, it is not worth the industry’s resources to revise
existing documentation and processes for the sake of eliminating redundancy. Redundancy issues were raised prior to
the ERO adopting the initial Standard set into law. We have noted the other issues raised in the SAR, however, it is still
unclear where the Reliability benefit of this SAR is evidenced.
Response: The DSR SAR DT thanks you for your comment. Industry consensus indicates that eliminating redundancy between standards is
required to avoid potential double jeopardy issues with compliance to the standards. Furthermore, one of the FERC Order 693 directives for CIP-001 is:
Explore ways to reduce redundant reporting, including central coordination of sabotage reports and a uniform reporting format.
Kansas City Power & Light
Yes
Agree with the SAR that clarity would be helpful in establishing criteria regarding what constitutes sabotage reporting.
Response: The DSR SAR DT thanks you for your comment. One of the FERC Order 693 directives for CIP-001 is:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
Pepco Holdings, Inc. - Affiliates
Yes
PHI recommends merging these two standards into one.
Response: The DSR SAR DT thanks you for your comment. The SAR DT notes that the Purpose of the SAR indicates that the standards may be
merged to eliminate redundancy and provide clarity. It will be up to the Standard Drafting team to make this determination through the Standard
Development Process (with stakeholder input).
Electric Market Policy
Yes
Comments: Agree with the statement that sabotage is hard to determine in real time by operations staffs. The
determination of sabotage should be left up to law enforcement. They have the knowledge and peer contacts needed to
adequately determine whether physical or cyber intrusions are merely malicious acts or coordinated efforts (sabotage).
The operators should only be required to report physical and cyber intrusions to law enforcement. All other reporting
requirements should apply to law enforcement once a determination of sabotage has been made. If the recommendations
above are not to be accepted, then we have the following comments:
CIP-001-1
1) R1 states entities shall have procedures for the recognition of and for making their operating personnel aware of
sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection. The SAR notes
that the industry objects to the multi-site requirement, most likely because the term is ambiguous. If this term remains in
the standard, it needs to be clearly defined and responsibilities for obtaining (how do you get this information and from
whom?) and distributing need to be included.
2) R1 audits have shown confusion over the requirement to make operating personnel aware of sabotage events. The
term operating personnel needs to be defined. Are they the individuals responsible for operating the facility, coordinating
with other entities (i.e., RC, BA, TOP, GOP, and LSE)? It has been suggested that notification is required to all personnel
at a facility. Keep in mind the purpose of the standard is to ensure sabotage events are properly reported, not to address
emergency response.
3) R1 The SAR (NERC Audit and Observation Team) notes that Registered Entities have processes and procedures in
place, but not all personnel have been trained. There is no specific training requirement in the standard.
4) R2 & R3 I agree with the SAR that sabotage needs to be defined and these requirements should be more specific with
respect to the information to be communicated. It seems to me that the standard should mirror the criteria contained in
DOE OE-417. The emphasis should be placed on ensuring that the same information communicated to DOE is shared
with the appropriate parties in the Interconnection.
5) R4 I agree with the SAR (NERC Audit and Observation Team) comments regarding the intention of this requirement.
There is no language that directs contact with FBI or RCMP although that is what is implied by the Purpose statement.
6) VRF Comments I’m not sure what is intended by the statement Adequate procedures will insure it is unlikely to lead to
bulk electric system instability, separation, or cascading failures? The purpose of the standard is that of communication.
No operational decisions or actions are directed by this standard, nor does it require entities to address operational
aspects resulting from sabotage.
7) The potential exists for overlapping sabotage reporting requirements at nuclear power plants due to multiple regulators
(Nuclear Regulatory Commission (NRC) 10 CFR 73 and Federal Energy Regulatory Commission (FERC) NUC-001-1).
Some entities may have revised existing NRC driven procedures to accommodate reporting requirements of both
regulators. Because of the restrictions placed on NRC driven documents (i.e., procedures are classified as safeguards
information), it can be difficult to demonstrate compliance to NERC and/or FERC without ensuring that the individuals are
qualified for receipt of such information per 10 CFR 73. Additionally, multiple procedures may have the unintended
consequence of delaying appropriate communication.
EOP-004-1
Consider removing Attachment 2 as the information is duplicated in DOE Form OE-417. A simple reference to the form should suffice.
Response: The DSR SAR DT thanks you for your comment. The team notes that your comments relate directly to potential revisions of the
standard requirements. The team will pass your comments along to the Standards Drafting Team for its consideration. For item 4, one of the
FERC Order 693 directives for CIP-001 is:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
Lands Energy Consulting
Yes
I have worked with 5 Northwest public utilities on developing procedures related to CIP-001-1 and EOP-004-1. All 5
utilities operate electric systems in fairly remote locations and are embedded in a larger utility's Balancing
Authority/Transmission Operator area.
A. CIP-001-1 - Developing procedures to unambiguously identify acts of sabotage has been particularly challenging for
these systems. In general, it's hard for them to determine whether the most prevalent forms of malicious and intentional
system damage that they incur - copper theft and gun shot insulators/equipment - should qualify as acts of sabotage.
Although none of the systems consider copper theft to be acts of sabotage, two of the systems consider gun shot
insulators/equipment to be acts of sabotage. The other systems look for intent to disrupt electric system operations as a
key component of their sabotage identification procedures. Additional guidance from NERC in the form of CIP-001-1
modifications or a companion guidelines document on sabotage identification would provide much needed guidance for
these procedures.
B. EOP-004-1 - This standard was clearly drafted with the larger electric systems in mind. I have one client that serves
3300 commercial/residential customers from 4-115/13 kV substation transformers and one large industrial customer (80%
of its energy load) from a 230/13 kV substation. 75% of the client's load is served from three substations attached to a
long, 115 kV transmission line operated by the Bonneville Power Administration. Whenever the line relays open on a
permanent fault (which happens 2-3 times per year), the client loses over 50% of its customers (but no more than 10-15
MW during winter peak), thereby necessitating the preparation of a Disturbance Report. To allow utilities to concentrate
on operating their systems, without fear of violating EOP-004-1 for failure to report trivial outages, I would remove LSEs
from the obligation to report disturbances - leave the reporting to the BA/TOP for large outages in their footprint.
Response: The DSR SAR DT thanks you for your comment.
A. The team notes that your comments relate directly to potential revisions of the standard requirements. The team will pass your comments
along to the Standards Drafting Team for its consideration.
B. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs and non-asset owning LSEs. The SAR DT believes
that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The team has added DP to the applicability of the
standard as the Standard Drafting team may have a need to include them in the standard(s). The applicability of LSE or Distribution Provider will
ultimately be determined by the Standard Drafting Team as it develops the requirements through the Standard Development Process. The team
will pass your comments along to the Standards Drafting Team for its consideration.
Calpine Corporation
Yes
Communication of facility status or emergencies between merchant generators registered as GOP and the RC, BA, GOP,
or LSE in which the facility resides should be coordinated for EOP-004 reporting. The reporting to NERC/DOE should
come from the RC, BA, GOP, or LSE.
Response: The DSR SAR DT thanks you for your comment. The team concurs that reporting should be coordinated and will pass your comments
along to the Standards Drafting Team for its consideration.
Covanta
Yes
Yes - the key to Sabotage reporting requirements is identifying what the 'definition' is of an actual or potential 'Sabotage'
event. Like any other standard, if FERC/NERC leave it up to 2000+ entities to establish their own definitions of
'Sabotage', you may likely get 2000+ answers. That is not a controlled and coordinated approach. I offer the following
definition, "Sabotage - Deliberate or malicious destruction of property, obstruction of normal operations, or injury to
personnel by outside agents." Examples of sabotage events could include, but are not limited to, suspicious packages left
near site electrical generating or electrical transmission assets, identified destruction of generating assets, telephone/e-mail
received threats to destroy or interrupt electrical generating efforts, etc." These have passed multiple NERC
regional audits and reviews to date.
Response: The DSR SAR DT thanks you for your comment. One of the FERC Order 693 directives for CIP-001 is:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
The team will pass your comments along to the Standards Drafting Team for its consideration.
Cowlitz County PUD
Yes
The standards as written now create reporting on local customer quality of service outage events not related to BPS
disturbances. Sabotage reporting has degenerated into reporting of mischievous vandalism and minor theft occurrences.
This creates compliance documentation overburden and waste of limited funds needed for true BPS reliability concerns,
and also adds nuisance calls to the FBI and Homeland Security.
Response: The DSR SAR DT thanks you for your comment. One of the FERC Order 693 directives for CIP-001 is:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
This should address the concern of sabotage vs. vandalism/theft reporting.
Reliant Energy
Yes
EOP-004-1 indicates that Generators should analyze disturbances on the bulk electrical system or their facilities.
Generators do not have the capability of analyzing the bulk electrical system other than Frequency. Even so, generators
can not unilaterally respond to what it thinks are disturbances. In the case of CAISO The Participating Generator
Agreement prevents me from making any unilateral moves save for the direst frequency emergencies. If the System
operator or Reliability Coordinator informs the generator that there is a disturbance and that logs and readouts etc. are
required then the generator should respond with all available information for the subject hours or time. Clearer
responsibilities provide clearer results.
Response: The DSR SAR DT thanks you for your comment. While the team agrees that generators may not have the capability to analyze events,
the team notes that your concern is regarding applicability of requirements. The final wording of the requirements developed by the Standard
Drafting Team will determine the applicability.
Georgia System Operations Corp.
Yes
There is a need to eliminate burdensome reporting deadlines which interfere with the reliable operations or recovery of the
BES. There is also a need to move requirements for reporting to NERC or Regional Entities (except for reporting of
threats to physical or cyber security) from the Requirements section of Reliability Standards to elsewhere.
Response: The DSR SAR DT thanks you for your comment. Specific revisions to the requirements will be vetted during the standard development
process.
Illinois Municipal Electric Agency
Yes
Simplification of reporting requirements should facilitate reliability.
Response: The DSR SAR DT thanks you for your comment.
Duke Energy
Yes
We agree that additional clarity is needed regarding sabotage and disturbance reporting. Requirements should be
tightened up and triggering events/thresholds of materiality need to be better defined.
Response: The DSR SAR DT thanks you for your comment. One of the FERC Order 693 directives for this project is:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
MRO NERC Standards Review Subcommittee
Yes
Colmac Clarion
Yes
United Illuminating
Yes
PSEG Enterprise Group Inc Companies
Yes
Northeast Power Coordinating Council
Yes
IRC Standards Review Committee
Yes
FirstEnergy
Yes
Texas Regional Entity
Yes
Edward C. Stein
Yes
Exelon
Yes
WECC
Yes
ERCOT ISO
Yes
Luminant Power
Yes
ReliabilityFirst Corporation
Yes
Brazos Electric Power Cooperative, Inc.
Yes
PacifiCorp
Yes
Oncor Electric Delivery
Yes
Consolidated Edison Co. of New York, Inc.
Yes
Manitoba Hydro
Yes
AEP
Yes
We Energies
Yes
Consumers Energy Company
Yes
NextEra Energy Resources, LLC
Yes
Ameren
Yes
2. Do you agree with the scope of the proposed SAR? If not, please explain what should be added or deleted to the proposed scope.
Summary Consideration: The majority of stakeholders agree with the scope of the SAR. Several stakeholders offered
suggestions for items to include in the SAR, however the SAR DT believes that these comments may be too prescriptive to
include with the SAR. The team feels that inclusion of these types of comments would prevent the Standard Drafting Team
from having the ability to develop standard(s) based on stakeholder consensus. The SAR DT will forward these comments to
the Standard Drafting Team for its consideration. Some of the comments received include:
1) The inclusion of specific definitions in the SAR (operating personnel, sabotage events, obligations): The SAR DT believes
that this would be too prescriptive and believes that this should be addressed by the Standard Drafting Team.
2) Consolidate documents covering reporting requirements: The SAR DT agrees and suggests that the Standard Drafting
Team investigate a “one-stop-shopping” solution for the various reports required, including the DOE report.
Organization
Yes or No
Question 2 Comment
Project 2007-02 Operating Personnel Comms Protocols SDT
No
The Operating Personnel Communication Protocols standard drafting team respectfully requests that the Sabotage
Reporting SAR Drafting Team incorporate the following into your proposed SAR: “Each Reliability Coordinator, Balancing
Authority, and Transmission Operator shall have procedures for the communication of information concerning the Cyber
and Physical emergency alerts in accordance with the conditions described in “Attachment 1 Security Emergency Alerts.”
The Operating Personnel Communications Protocols Project 2007-02 was initiated to ensure that real time system
operators use standardized communication protocols during normal and emergency operations to improve situational
awareness and shorten response time. The SDT developed a new COM-003-1 Standard that has yet to be posted and is
dependent upon revising at least two other standards (CIP-001 and TOP Standard).
COM-003 contains requirements that specify:
1. Use of three-part communication;
2. English language;
3. Common time zone;
4. NATO alpha-numeric alphabet;
5. Mutually agreed line identifiers;
6. The use of pre-defined system condition terminology such as those contained in the RCWG Alert Level Guide
and EOP-002-2.
This request is based on recent NERC Standards Committee direction to our team to incorporate the Reliability
Coordinator Working Group’s (RCWG) Alert Level Guide into a Standard. The consensus of our team is that a TOP
Standard is the most appropriate location for the Transmission Emergency Alert language from the Guide as the energy
emergency alert language is currently described in EOP-002-2. The RCWG Guide proposes the use of pre-defined system
condition descriptions for use during emergencies for reliability related information. This guide was developed in response to
a Blackout Report recommendation. Our team placed the Transmission Emergency Alert language into a TOP standard.
Since the Sabotage Reporting SAR DT intends to modify CIP-001, we seek your consent to incorporate the cyber
and physical security alert language to comply with the wishes of the Standards Committee. We believe that the CIP-001
Standard is the most appropriate location for this language for the following reasons:
• The levels of emergency conditions related to the cyber and physical security of the electric system are directly
related to Critical Infrastructure Protection.
• The current version of CIP-001 already requires the timely reporting of actual and suspected security emergency
conditions and the use of pre-defined terminology supports the efficient sharing of such information.
The OPCP SDT includes the following text for the record. It is a proposed draft revision of CIP-001.
A. Introduction
1. Title: Security Incidents
2. Number: CIP-001-2
3. Purpose: To ensure the recognition, communication and response to cyber and physical security incidents suspected or
determined to be caused by sabotage.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
5. Effective Date: The standard is effective the first day of the first calendar quarter after applicable regulatory approvals (or
the standard otherwise becomes effective the first day of the first calendar quarter after NERC BOT adoption in those
jurisdictions where regulatory approval is not required).
B. Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall have procedures for the recognition of and for making their operating personnel aware of security threats on its
facilities and multi site security threats affecting larger portions of the Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall have procedures for the communication of information concerning the physical and cyber security status of their
facilities in accordance with the conditions described in Attachment 1-CIP-001-1.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall provide its operating personnel with security threat or incident response guidelines, including personnel to contact, for
reporting security threats and incidents.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall establish communications contacts, as applicable, with local Federal Bureau of Investigation (FBI) or Royal Canadian
Mounted Police (RCMP) officials and develop reporting procedures as appropriate to their circumstances.
C. Measures
M1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving
Entity shall have and provide upon request a procedure (either electronic or hard copy) as defined in Requirement 1.
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving
Entity shall have and provide upon request the procedures or guidelines that will be used to confirm that it meets
Requirements 2 and 3.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving
Entity shall have and provide upon request evidence that could include, but is not limited to procedures, policies, a letter of
understanding, communication records, or other equivalent evidence that will be used to confirm that it has established
communications contacts with the applicable, local FBI or RCMP officials to communicate sabotage events (Requirement 4).
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority Regional Entity
1.2. Compliance Monitoring Period and Reset
One or more of the following methods will be used to verify compliance:
- Compliance Audits
- Self-Certifications
- Spot Checking
- Compliance Violation Investigations
- Self-Reporting
- Complaints
1.3. Data Retention
The Transmission Operator, Transmission Owner, Balancing Authority, Reliability Coordinator, Generator Operator and
Distribution Provider shall keep data or evidence to show compliance as identified below unless directed by its Compliance
Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation:
o The Transmission Operator, Transmission Owner, Balancing Authority, Reliability Coordinator, Generator
Operator and Distribution Provider shall retain its current, in force document and any documents in force since the last
compliance audit.
o If a Transmission Operator, Transmission Owner, Balancing Authority, Reliability Coordinator, Generator
Operator or Distribution Provider is found non-compliant, it shall keep information related to the non-compliance until found
compliant.
o The Compliance Enforcement Authority shall keep the last audit records and all requested and submitted
subsequent audit records.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance:
2.1. Level 1: There shall be a separate Level 1 non-compliance, for every one of the following requirements that is in
violation:
2.1.1 Does not have procedures for the recognition of and for making its operating personnel aware of sabotage
events (R1).
2.1.2 Does not have procedures or guidelines for the communication of information concerning sabotage events to
appropriate parties in the Interconnection (R2).
2.1.3 Has not established communications contacts, as specified in R4.
2.2. Level 2: Not applicable.
2.3. Level 3: Has not provided its operating personnel with sabotage response procedures or guidelines (R3).
2.4. Level 4: Not applicable.
E. Regional Differences None.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Amended
1 | April 4, 2007 | Regulatory approval — Effective Date | New
2 | March 2009 | Added SEA attachment and updates to Effective Date and compliance sections. | New
Attachment 1-CIP-001-2 Physical Security Emergency Alerts
General requirements
1. Initiation by Reliability Coordinator.
A Physical Security Emergency Alert may be initiated only by a Reliability Coordinator at:
a. The Reliability Coordinator’s own decision,
b. By request from a Transmission Operator,
c. By request from a Balancing Authority, or
d. By request from federal, state, or local Law Enforcement Officials.
2. Situations for initiating alert.
An Alert may be initiated for the following reasons:
a. A physical threat affecting a control center, grid or generator asset has been identified, or
b. A physical attack affecting a control center, grid or generator asset has occurred or is imminent.
3. Notification.
A Reliability Coordinator who initiates a Physical Security Emergency Alert shall notify all Transmission Operators and
Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify other Reliability Coordinators of the
situation via the Reliability Coordinator Information System (RCIS) using the “CIP” category. Additionally, conference calls
between Reliability Coordinators shall be held as necessary to communicate system conditions.
The Reliability Coordinator shall also notify all Transmission Operators and Balancing Authorities in its Reliability Area and
other Reliability Coordinators when the alert has changed levels or ended.
Physical Security Emergency Alert Levels
To ensure that all Reliability Coordinators clearly understand potential and actual Physical Security Emergency Alerts,
NERC has established three levels of Security Emergency Alerts. The Reliability Coordinators will use these terms when
explaining security alerts to each other. The Reliability Coordinator may declare whatever alert level is necessary, and
need not proceed through the alerts sequentially.
1. Alert 1 – “Control Center / Bulk Electric system asset threat identified” Circumstances: A credible threat of physical attack
on a Bulk Electric System asset has been communicated to the Reliability Coordinator. No physical attack has occurred at
this point. Determining the credibility of any threat is a subjective process, but the following factors should be considered:
a. The nature and specificity of the threat,
b. The timing of the threat,
c. Mode of threat communication, and
d. The criticality of the threatened asset.
During a Physical Security Emergency Alert Level 1, Reliability Coordinators,
Transmission Operators and Balancing Authorities shall have the following responsibilities:
i. Notification: The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall post
the declaration of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all
Transmission Operators and Balancing Authorities in its Reliability Area.
ii. Updating Status during the Physical Security Emergency Alert The declaring Entity shall update the Reliability
Coordinator of any changes in the situation until the Alert Level 1 is terminated. The Reliability Coordinator shall update the
RCIS as changes occur.
2. Alert 2 – “Verified Physical attack at a single site” circumstances: A Reliability Coordinator, Transmission Operator, or
Balancing Authority has identified a physical attack upon a control center, generator asset, or other bulk electric system
asset. During a Physical Security Emergency Alert Level 2, Reliability Coordinators, Transmission Operators and Balancing
Authorities shall have the following responsibilities:
i. Notification: The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall post
the declaration of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all
Transmission Operators and Balancing Authorities in its Reliability Area.
ii. Updating Status during the Physical Security Emergency Alert The Declaring Entity shall update the Reliability
Coordinator of the situation a minimum of once per hour until the Alert Level 2 is terminated. The Reliability Coordinator
shall update the RCIS as changes occur.
3. Alert 3– “Verified Physical attack at multiple sites” Circumstances: Multiple attacks have been confirmed on control
centers, generator assets or other bulk electric system assets. A Reliability Coordinator shall declare Physical Security
Emergency Alert 3 whenever:
a. A Transmission Operator or Balancing Authority reports multiple physical attacks on bulk electric system assets,
b. Multiple Transmission Operators or Balancing authorities report one or more physical attacks on their bulk
electric system assets.
i. Notification: The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall post
the declaration of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all
Transmission Operators and Balancing Authorities in its Reliability Area.
ii. Updating Status during the Physical Security Emergency Alert The declaring Entity(ies) shall update the
Reliability Coordinator of the situation a minimum of once per hour until the Alert Level 3 is terminated. The Reliability
Coordinator shall update the RCIS as changes occur.
4. Alert 0 – “Termination of Alert Level” Circumstances: The threat which prompted the Physical Security Emergency Alert
Level has diminished or has been removed.
i. Notification The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall
notify all other Reliability Coordinators via the RCIS, and it shall also notify all Transmission Operators and Balancing
Authorities in its Reliability Area that the Alert Level has been terminated.
Cyber Security Emergency Alerts
Cyber Assets – Those programmable electronic devices and communication
networks, including hardware, software, and data, associated with bulk electric system assets.
Cyber Security Incident - Any malicious act or suspicious event that compromises, or attempts to compromise, the
electronic or physical security perimeter of a critical cyber asset or disrupts or attempts to disrupt the operation of a critical
cyber asset.
Critical Cyber Asset – Those cyber assets essential to the reliable operation of critical assets.
Electronic Security Perimeter – The logical border surrounding the network or group of sub-networks to which the
critical cyber assets are connected, and for which access is controlled.
Physical Security Perimeter – The physical border surrounding computer rooms, telecommunications rooms,
operations centers and other locations in which critical cyber assets are housed and for which access is controlled.
General Requirements
1. Initiation - A Cyber Security Emergency Alert shall be initiated by:
a. The Reliability Coordinator’s analysis,
b. By request from any NERC functional Model entity that Com-003-0 is applicable to.
c. By request from federal, state, or local Law Enforcement Officials.
2. Situations for initiating alert. An Alert shall be initiated for the following reasons:
a. A cyber threat affecting a control center or bulk electric system asset has been identified, or
b. A cyber attack affecting a control center or bulk electric system has occurred or is imminent.
3. Notification.
An entity who initiates a Cyber Security Emergency Alert shall make notification as per the NERC Functional model or as
Regional / local instruction. The Reliability Coordinator shall notify FBI local office, Electricity Sector Information Sharing
Analysis Center (ESISAC) and Department of Homeland Security. The Reliability Coordinator shall also notify as necessary
other Reliability Coordinators of the situation via the Reliability Coordinator Information System (RCIS) using the “CIP”
category. The Reliability Coordinator shall notify all Transmission Operators and Balancing Authorities in its Reliability Area
and other Reliability Coordinators when the alert has changed levels or ended.
Cyber Security Emergency Alert Levels
To ensure that all applicable entities clearly understand potential and actual Cyber Security Emergency Alerts, three levels
of Security Emergency Alerts shall be used.
The Reliability Coordinators will use these terms when communicating security alerts to each other. When declaring the
applicable alert level it is important to note that the applicable level can be determined without sequentially proceeding
through levels.
As an example given circumstances an Alert Level 3 could be called without previously being in an Alert Level 1 or Level 2
state.
1. Alert 1 – “Verified Control Center / Bulk Electric System Cyber Asset threat identified or imminent”
What is “verified” - unknown or unauthorized access to a cyber device, unknown or unauthorized change to a cyber device (i.e., config file, O/S,
firmware change). ‘Verified’ could mean the elimination of a false positive in your security monitoring system. ‘Verified’ could
also be the differentiation between malicious and non-malicious (i.e., human error, not following policy, etc.) intent. What is a
“threat” - A threat can be perceived as any action or event that occurs where the monitoring authority was not previously
made aware that that action would occur. With flimsy change control or access controls, field staff or technical staff
performing troubleshooting or other maintenance may access or change devices without notifying the monitoring entity.
The monitoring entity would have to treat this as a threat and take appropriate action to either isolate that device from the
rest of the system, notify appropriate authority, dispatch a crew, etc.
Examples of threats - Over and above the examples above, another threat example could be a notification from DHS or
other security agency that they have reason to believe a hack, virus or other cyber terrorism activity could occur. Also,
noticing a distinct change in network traffic which could imply someone has intercepted your data and can manipulate
before sending it from the control room to the device being controlled or manipulating the data coming from the device
before a controller seeing it and forcing them to perform an incorrect control event in reaction to erroneous data.
Circumstances: A credible threat of Cyber attack on a Control Center or Bulk Electric System asset has been
communicated to the Reliability Coordinator. No cyber attack has occurred at this point. Determining the credibility of any
threat is a subjective process, but the following factors should be considered:
a. The nature and specificity of the threat,
b. The timing of the threat,
c. Mode of threat communication, and
d. The criticality of the threatened asset.
During a Cyber Security Emergency Alert Level 1, applicable entities shall
have the following responsibilities:
i. Notification An entity who initiates a Cyber Security Emergency Alert Level 1 shall make notification as per the
NERC Functional model or as Regional / local instruction. The Reliability Coordinator shall post the declaration of the alert
level along with the location of the affected facility on the RCIS under “CIP” and notify all Transmission Operators and
Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify as necessary the FBI local office,
Electricity Sector Information Sharing Analysis Center (ESISAC) and Department of Homeland Security.
ii. Updating Status during the Cyber Security Emergency Alert The declaring Entity shall update those applicable
entities of any changes in the situation until the Alert Level 1 is terminated. The Reliability Coordinator shall update the
RCIS as changes occur.
2. Alert 2 – “Verified Cyber attack on a Control Center or Bulk Electric System asset”
Circumstances: An applicable entity has identified a cyber attack upon a control center or bulk electric system asset. During
a Cyber Security Emergency Alert Level 2, applicable entities shall have the following responsibilities:
i. Notification An entity who initiates a Cyber Security Emergency Alert Level 2 shall make notification as per the
NERC Functional model or as Regional / local instruction. The Reliability Coordinator responsible shall post the declaration
of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all Transmission
Operators and Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify the FBI local office,
Electricity Sector Information Sharing Analysis Center (ESISAC) and Department of Homeland Security.
ii. Updating Status during the Cyber Security Emergency Alert The declaring Entity shall provide updates of the
situation a minimum of once per hour until the Alert Level 2 is terminated. The Reliability Coordinator shall update the RCIS
as changes occur.
3. Alert 3 – “Verified Cyber attack at one or more Control Center or Bulk Electric System cyber asset”
Circumstances: An applicable entity has identified a cyber attack upon a control center or bulk electric system asset and
shall declare a Cyber Security Emergency Alert 3 whenever:
a. A Transmission Operator or Balancing Authority reports one or more cyber attacks on bulk electric system that
render an asset(s) unavailable.
i. Notification An entity who initiates a Cyber Security Emergency Alert Level 3 shall make notification as per the
NERC Functional model or as Regional / local instruction. The Reliability Coordinator shall post the declaration of the alert
level along with the location of the affected facility on the RCIS under “CIP” and notify all Transmission Operators and
Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify the FBI local office, Electricity Sector
Information Sharing Analysis Center (ESISAC) and Department of Homeland Security.
ii. Updating Status during the Cyber Security Emergency Alert The declaring Entity(ies) shall provide an update of
the situation a minimum of once per hour until the Alert Level 3 is terminated. The Reliability Coordinator shall update the
RCIS as changes occur.
4. Alert 0 – “Termination of Alert Level” Circumstances: The threat which prompted the Cyber Security Emergency Alert
Level has diminished or has been removed.
i. Notification An entity who initiates a Cyber Security Emergency Alert shall
make notification as per the NERC Functional model or as Regional / local instruction when situation has diminished or
returned to normal. The Reliability Coordinator shall notify all other Reliability Coordinators via the RCIS, and it shall also
notify all Transmission Operators and Balancing Authorities in its Reliability Area that the Alert Level has been terminated.
Response: The DSR SAR DT thanks you for your comment. The standards in this Project 2009-01 SAR are designed to specify reporting
requirements for disturbance and sabotage events. The DSR SAR DT believes that the suggested additions go beyond the intended scope of the
revisions to the standards, and do not feel that communications protocols belong in these reporting standards. The proposed revisions and Alert
Levels are real-time requirements, and the team feels that these would be more appropriately addressed in an IRO or COM standard.
Northeast Power
Coordinating
Council
No
The SAR needs to be more specific in defining its objectives.
CIP-001 Requirement R1 currently states:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall have procedures for the recognition of and for making their operating personnel aware of sabotage events on its
facilities and multi-site sabotage affecting larger portions of the Interconnection.
The SDT needs to include the following objectives:
1. Develop clear definitions for the terms “operating personnel” and “sabotage events.” The definition of “operating
personnel,” should be clarified and limited to staff at BES facilities. Operating personnel should report only those events
which meet a clear, recognizable threshold as reportable potential sabotage events. There should be a consistent
continent-wide list of examples or typical reportable and non-reportable events to help guide operating personnel. The term
“sabotage event” needs to be defined. Clarification is required regarding when the determination of a sabotage event is
made, e.g., upon first observation (requiring operating personnel be educated in discerning sabotage events), or upon later
investigation by trained security personnel and law enforcement individuals. The terms potential or suspected sabotage
event for reporting purposes should be clarified or defined.
2. Define the obligations of Registered Entity operating personnel - who are required to be aware of such “sabotage
events,” e.g., who, what, where, when, why and how, and what they are to do in response to this awareness. The SDT
should clarify the use of the term “aware” in the standard. “Aware” can be interpreted in accordance with its largely passive,
dictionary-based meaning, where being “aware” simply means knowing about something, such as a sabotage event.
Alternatively, the Reliability Standard meaning of “aware” could refer to more active wording, involving more than mere
awareness, e.g., “alert and quick to respond,” pointing to and requiring a specific affirmative response, i.e., reporting to the
appropriate systems, governmental agencies, and regulatory bodies.
EOP-004 - The SDT needs to work on the following areas.
1. NERC reporting needs to be clarified. For example, Attachment 1 paragraph 6c states: Introduction “The entity on whose
system a reportable disturbance occurs shall notify NERC ... 6. Any action taken by a Generator Operator, Transmission
Operator, Balancing Authority, or Load-Serving Entity that results in: c. Failure, degradation, or misoperation of system
protection, special protection schemes, remedial action schemes, or other operating systems that do not require operator
intervention, which did result in, or could have resulted in, a system disturbance - The sense of Attachment 1 is internally
inconsistent between the introduction (“occurs”) and the required actions in 6c (could have resulted in a system
disturbance). The initial intent appears to be only to report actual system disturbances. Yet, paragraph 6c adds the phrase
“or could have resulted in” a potential system disturbance. This inconsistency should be clarified.
Response: The DSR SAR DT thanks you for your comment.
CIP-001: The inclusion of specific definitions in the SAR as you suggest (operating personnel, sabotage events, obligations) is too prescriptive and
could prevent better definitions from being developed during the Standards Development stage of the project. The team will pass your comments
along to the standard drafting team for its consideration.
EOP-004: Your comment addresses specific revisions to the standard. The team will pass your comments along to the standard drafting team for its
consideration.
Kansas City Power
& Light
No
Agree with the scope of the SAR except for the applicable entities. See response to question #4.
Response: The DSR SAR DT thanks you for your comment. Please see response to Q4.
MRO NERC
Standards Review
Subcommittee
No
The MRO NSRS would like to keep the references to the DOE reporting form.
Response: The DSR SAR DT thanks you for your comment. The DSR SAR DT understands your comment to indicate that you would like to see a
“one stop” reporting form for disturbances and sabotage events. The DSR SAR DT agrees with you and will pass this comment along to the standard
drafting team for its consideration in developing the standard(s).
Lands Energy
Consulting
No
I would like to see the SAR expanded to cover the issues I mentioned in my prior comment. Otherwise, the scope of the
SAR looks fine to me.
Response: The DSR SAR DT thanks you for your comment. Please see response to Q1 on other issues.
Bonneville Power
Administration
No
Leave as is, all requirements for reporting are now covered. A common definition of sabotage is already widely available.
Response: The DSR SAR DT thanks you for your comment. Most stakeholders desire more clarity around the definition of sabotage as well as
examples of what is and is not sabotage as opposed to vandalism.
Cowlitz County
PUD
No
Added to the scope:
For EOP-004 add a provision for a reporting flow rather than everything going to the RE and NERC. That is something
going like the DP and TOP reports to the BA, the BA to the RE, and the RE to NERC. This would allow for multiple related
reports to be combined into a single coherent report as the reporting goes up the chain.
For CIP-001 consider reporting flow as above with local law enforcement notification. Let an upper entity in the reporting
chain decide when to contact Federal Agencies such as the BA or the RC.
Response: The DSR SAR DT thanks you for your comment. The DSR SAR DT feels that your comments are “how” comments that should be
addressed in standard drafting stage. The team will pass this comment along to the standard drafting team for its consideration.
Reliant Energy
No
I think Generator operators should be excluded except to provide requested information from the System Operator or
Reliability coordinator.
Response: The DSR SAR DT thanks you for your comment. Other commenters have questioned the ability of Generator Operators to have a wide
area view and to be able to analyze disturbances on the system. The team agrees that generators may not have a wide area view and the capability to
analyze system events. The final wording of the requirements (i.e. reporting vs. data provision) developed by the Standard Drafting Team will
determine the applicability to GOPs. The team will pass your comment on to the Standard Drafting Team for its consideration.
ERCOT ISO
No
The scope should be modified to provide for a different treatment of reporting requirements that are administrative in
nature, or that are after-the-fact (thus cannot impact reliability unless analysis and follow-up is not performed; even then,
the impact would be at some future time). Reporting requirements which are of the nature to assist in identification of
system concerns or which serve to prevent or mitigate on-going system problems (including, but not limited to, actual or
attempted sabotage activity) should remain in standards, but should be separate and apart from the administrative
reporting.
Response: The DSR SAR DT thanks you for your comment. The team concurs with the concepts on reporting as you suggest, however the team
does not feel that this should be addressed in the SAR. The team suggests that this is more appropriately addressed in the standard drafting
process, and the team will pass your comment along to the standard drafting team for its consideration in drafting the standard.
MidAmerican
Energy
No
See the responses to questions 1 and 5.
Response: The DSR SAR DT thanks you for your comment. Please see responses to Q1 and Q5.
We Energies
No
Consider including the sabotage issues in IRO-014-1 R 1.1.1 footnote 1 and TOP-005-1 Attachment 1, 2.9.
Response: The DSR SAR DT thanks you for your comment. The team has added references to these two standards in the “Related Standards”
section for the SAR.
NextEra Energy
Resources, LLC
No
The scope of the SAR should not include Generator Operators.
Response: The DSR SAR DT thanks you for your comment. Other commenters have questioned the ability of Generator Operators to have a wide
area view and to be able to analyze disturbances on the system. The team agrees that generators may not have a wide area view and the capability to
analyze system events. The final wording of the requirements (i.e. reporting vs. data provision) developed by the Standard Drafting Team will
determine the applicability to GOPs. The team will pass your comment on to the Standards Drafting Team for its consideration.
Progress Energy
No
No. If this SAR moves forward other standards may need to be considered. For example, in CIP-008, incident reporting for
cyber incidents leads to filing of the OE-417 form.
Response: The DSR SAR DT thanks you for your comment. The SAR states “Specific references to the DOE form need to be eliminated.” This will
remove the linkage that you identify between CIP-001 and CIP-008. There is also a directive from FERC Order 693 in the SAR that states:
Consider FirstEnergy’s suggestions to differentiate between cyber and physical security sabotage and develop a threshold of materiality.
This allows the standard drafting team to delineate physical and cyber assets. The DSR SAR DT also notes that CIP-008 might be a good framework
for drafting the standard requirements pertaining to sabotage and disturbance reporting of physical assets.
Ameren
No
There seems to be an open slate including the following language in the scope. The development may include other
improvements to the standards deemed appropriate by the drafting team, with the consensus of stakeholders, consistent
with establishing high quality, enforceable and technically sufficient bulk power system reliability standards (see tables for
each standard at the end of this SAR for more detailed information). The unnamed improvements should be limited to
those requirements that relate only to Disturbance and Sabotage NOT a general wish list (or witch hunt).
Response: The DSR SAR DT thanks you for your comment. The passage that you mention is the intent of each SAR and is a stock statement that is
included in almost every SAR. The SAR is limited to the standards listed in the SAR which is approved by the NERC SC to move to standards
development.
Consolidated
Edison Co. of New
York, Inc.
No
GENERAL CECONY and ORU support the general objectives of the SAR to merge existing standards CIP-001-1 Sabotage
Reporting and EOP-004-1 Disturbance Reporting to improve clarity and remove redundancy.
However, the SAR needs to be more specific in defining its objectives.
CIP-001 Requirement R1 currently states:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall have procedures for the recognition of and for making their operating personnel aware of sabotage events on its
facilities and multi-site sabotage affecting larger portions of the Interconnection.
The SDT needs to include the following objectives:
1. Develop clear definitions for the terms operating personnel and sabotage events. The definition of operating personnel,
should be clarified and limited to staff at BES facilities. Operating personnel should report only those events which meet a
clear, recognizable threshold as reportable potential sabotage events. There should be a consistent continent-wide list of
examples or typical reportable and non-reportable events to help guide operating personnel. The term sabotage event
needs to be defined. Clarification is required regarding when the determination of a sabotage event is made, e.g., upon first
observation (requiring operating personnel be educated in discerning sabotage events), or upon later investigation by
trained security personnel and law enforcement individuals. The terms potential or suspected sabotage event for reporting
purposes should be clarified or defined.
2. Define the obligations of Registered Entity operating personnel - who are required to be aware of such sabotage events,
e.g., who, what, where, when, why and how, and what they are to do in response to this awareness. The SDT should clarify
the use of the term aware in the standard. Aware can be interpreted in accordance with its largely passive, dictionary-
based meaning, where being aware simply means knowing about something, such as a sabotage event. Alternatively, the
Reliability Standard meaning of aware could refer to more active wording, involving more than mere awareness, e.g., alert
and quick to respond, pointing to and requiring a specific affirmative response, i.e., reporting to the appropriate systems,
governmental agencies, and regulatory bodies.
EOP-004 - The SDT needs to work on the following areas.
1. NERC reporting needs to be clarified. For example, Attachment 1 paragraph 6c states:
Introduction The entity on whose system a reportable disturbance occurs shall notify NERC ... 6. Any action taken by a
Generator Operator, Transmission Operator, Balancing Authority, or Load-Serving Entity that results in: c. Failure,
degradation, or misoperation of system protection, special protection schemes, remedial action schemes, or other
operating systems that do not require operator intervention, which did result in, or could have resulted in, a system
disturbance.
The sense of Attachment 1 is internally inconsistent between the introduction (occurs) and the required actions in 6c (could
have resulted in a system disturbance). The initial intent appears to be only to report actual system disturbances. Yet,
paragraph 6c adds the phrase or could have resulted in a potential system disturbance. This inconsistency should be
clarified.
Response: The DSR SAR DT thanks you for your comment.
CIP-001: The inclusion of specific definitions in the SAR as you suggest (operating personnel, sabotage events, obligations) is too prescriptive and
could prevent better definitions from being developed during the standard drafting stage of the project. The team will pass your comments along to
the standard drafting team for its consideration.
EOP-004: Your comment addresses specific revisions to the standard. The team will pass your comments along to the standard drafting team for its
consideration.
Georgia System
Operations Corp.
No
The scope of the SAR should be to move all requirements to report to NERC or Regional Entities out of the Requirements
section of all Reliability Standards to elsewhere. This does not include reporting, communicating, or coordinating between
reliability entities. The NERC/Region reporting requirements could be consolidated in another document and referenced in
the Supporting References section of the Reliability Standards. The deadlines for reporting should be changed to realistic
timeframes that do not interfere with operating the BES or responding to incidents yet still allow NERC and the Regions to
accomplish their missions.
Response: The DSR SAR DT thanks you for your comment. The team does not feel that this should be addressed explicitly in the SAR, but suggests
that this is more appropriately addressed in the standard drafting stage for full industry vetting of the concepts. The team will pass your comment
along to the standard drafting team for its consideration in developing the standard.
AEP
No
Sabotage is a term of intent that is often determined after the fact by the registered entity and/or law enforcement officials.
In fact, it is often difficult to determine in real-time the intent of a suspicious event. We would suggest that suspicious
events become reportable at the point that the event is determined to have had sabotage intent. The entities should have a
methodology to collect evidence, to have the evidence analyzed, and to report those events that are determined to have
had the intent of sabotage.
Response: The DSR SAR DT thanks you for your comment. The team concurs that it is difficult to determine sabotage in real-time. The team does
not feel that this should be addressed explicitly in the SAR and suggests that this is more appropriately addressed in the standard drafting stage for
full industry vetting of the concepts. The team will pass your comment along to the standard drafting team for its consideration in developing the
standard.
Duke Energy
No
While we agree with the need for clarity in sabotage and disturbance reporting, we believe that the Standards Drafting
Team should carefully consider whether there is a reliability-related need for each requirement. Some disturbance
reporting requirements are triggered not just to assist in real-time reliability but also to identify lessons-learned
opportunities. If disturbance and sabotage reporting continue to be reliability standards, we believe that all linkages to
lessons-learned/improvements need to be stripped out. We have other forums to identify lessons-learned opportunities
and to follow-up on those opportunities. Also, requirements to report possible non-compliances should be eliminated. We
strongly support voluntary self-reporting, but not mandatory self-reporting.
Response: The DSR SAR DT thanks you for your comment. The team concurs that each requirement should be evaluated for its reliability need, and
the team will pass your comment along to the standard drafting team for its consideration in the drafting stage of the standard.
FirstEnergy
Yes
We agree with the scope but would also like to see the following considered:
1. References to the DOE reporting process in EOP-004 need to be revised. They currently refer to the old EIA form.
2. Besides "sabotage", it may be helpful to clearly define "vandalism". It is vaguely written in the standards. Also, the
process of "public appeals" for the DOE reportable requirements needs to be more clearly defined.
3. Consolidate documents covering reporting requirements. There are currently several documents that require reporting
(EOP-004, CIP-001, DOE oe-417, and NERC's Security Guideline for the Electricity Sector: Threat and Incident Reporting).
NERC also has the "Bulk Power System Disturbance Classification Scale" that does not completely align with all the
reporting requirements. Therefore we recommend keeping this as simple as possible by combining all the reporting
requirements into one standard. It would be beneficial to not require operators to have to go to 4 different documents to
determine what to report on.
Response: The DSR SAR DT thanks you for your comment.
The Brief Description of the SAR states: Specific references to the DOE form need to be eliminated.
The team will pass your comment along to the standard drafting team for its consideration.
The team concurs that this should be considered in drafting the standards. The team will pass your comment along to the standard drafting
team for its consideration.
Exelon
Yes
Consolidation of redundant requirements and clarifications of difficult to follow / interpret standards should be a high priority
at NERC.
Response: The DSR SAR DT thanks you for your comment. One of the FERC directives for CIP-001 is: Explore ways to reduce redundant reporting,
including central coordination of sabotage reports and a uniform reporting format.
Electric Market
Policy
Yes
SERC OC
Standards Review
Group
Yes
PSEG Enterprise
Group Inc
Companies
Yes
IRC Standards
Review Committee
Yes
Pepco Holdings,
Inc. - Affiliates
Yes
Calpine
Corporation
Yes
Covanta
Yes
Colmac Clarion
Yes
United Illuminating
Yes
Texas Regional
Entity
Yes
Edward C. Stein
Yes
WECC
Yes
Luminant Power
Yes
ReliabilityFirst
Corporation
Yes
Brazos Electric
Power
Cooperative, Inc.
Yes
PacifiCorp
Yes
Oncor Electric
Delivery
Yes
Illinois Municipal
Electric Agency
Yes
Manitoba Hydro
Yes
Consumers Energy
Company
Yes
3. Are you aware of any associated business practices that we should consider with this SAR? If yes, please
explain in the comment area.
Summary Consideration: Stakeholders did not identify any associated business practices for consideration under the SAR.
One stakeholder identified a related standard that references multi-site sabotage. The team has included a reference to TOP-005, section 2.9 (Appendix 1) in the SAR under Related Standards. Two stakeholders suggested that Business Practices should
not be considered in a standard. The SAR DT notes that standard development projects must not invalidate business practices
that are already in place. This question is required to be asked per the Standard Drafting Team Guidelines (page 8) and aids in
coordination with North American Energy Standards Board. One stakeholder suggested a “one-stop-shopping” solution. The
SAR DT agrees with this approach and will forward this comment to the Standard Drafting Team.
Organization
Yes or No
MRO NERC Standards
Review Subcommittee
Yes
Luminant Power
Yes
Question 3 Comment
The SAR drafting team should include in the SAR scope a review of the NRC sabotage and event reporting
requirements to ensure there are no overlapping or conflicting requirements between NERC, FERC, and the NRC.
The SAR scope should include a review of the CIP Cyber Security Standards and coordination with the CIP SDT to
ensure that cyber sabotage reporting definitions are in concert, and ensure that cyber sabotage reporting requirements
are not duplicated in multiple standards.
Response: The DSR SAR DT thanks you for your comment. The team notes that your comments relate directly to potential revisions of the standard
itself. Part of this SAR is to eliminate redundancies as well. The team will pass your comments along to the Standards Drafting Team for its
consideration. This project is designed to address physical asset reporting, not cyber assets. Therefore, cyber assets will not be included in this
SAR.
MidAmerican Energy
Yes
Attachment TOP-005, section 2.9 speaks of “Multi-site sabotage” with no definition. The ES-ISAC 2008 advisory is an
associated standard or practice on sabotage. All references to sabotage should be eliminated or retired except for
CIP-001.
Response: The DSR SAR DT thanks you for your comment. The team has included a reference to TOP-005, section 2.9 (Appendix 1) in the SAR
under Related Standards. Project 2009-01 is designed to address physical asset reporting, not cyber asset sabotage and disturbance reporting. The
standard drafting team will remove redundancies per the SAR.
Illinois Municipal
Electric Agency
Yes
A one-stop reporting tool/site would facilitate efficient reporting and compliance; e.g., further development of the ES-ISAC/CIPIS to include all reportable categories and automatic notification of required parties. A single report form
would be best.
Response: The DSR SAR DT thanks you for your comment. The team agrees with your suggestion and will pass this along to the Standard Drafting
Team for its consideration in developing standards.
AEP
Yes
The current reporting process necessitates multiple reports be sent to multiple parties, which is inefficient and may,
inadvertently, result in alignment issues between the separate reports. We would recommend that a single report that
combines NERC (CIPIS) and NERC ESISAC information be provided to NERC (CIPIS) that is systematically
(programmatically) forwarded to all necessary entities. Further, updates to incidents would also go through NERC with
the same electronic processing. Currently, we are not aware of a formal method to report incidents to the FBI, which
should be also included in the distribution. The current reporting mechanism to the FBI JTTF is by telephone and the
NERC platform described would provide more consistent reporting.
Response: The DSR SAR DT thanks you for your comment. The team agrees with your suggestion and will pass this along to the Standard Drafting
Team for its consideration in developing standards. This project is designed to address physical asset reporting, not cyber assets.
Progress Energy
Yes
Yes. If this SAR moves forward other practices such as those required by CIP-008 (cyber incident reporting via the OE-417 form) may need to be considered.
Response: The DSR SAR DT thanks you for your comment. The SAR states “Specific references to the DOE form need to be eliminated.” This will
remove the linkage that you identify between CIP-001 and CIP-008. There is also a directive from FERC Order 693 in the SAR that states:
Consider FirstEnergy’s suggestions to differentiate between cyber and physical security sabotage and develop a threshold of materiality.
This allows the standard drafting team to delineate physical and cyber assets. The DSR SAR DT also notes that the general layout and sequencing of
requirements in CIP-008 might be a good framework for drafting the standard requirements pertaining to sabotage and disturbance reporting of
physical assets.
Exelon
No
We are not sure what this question means. Whose Associated Business practices, NERC, Applicable Entities in the
Standard, our business practices?
Response: The DSR SAR DT thanks you for your comment. “Business practices” refers to any business practice of any stakeholder (e.g. North
American Energy Standards Board business practices).
SERC OC Standards
Review Group
No
Business practices should not be considered in a standard.
Response: The DSR SAR DT thanks you for your comment. Standard development projects must not invalidate business practices that are already
in place. This question is required to be asked per the Standard Drafting Team Guidelines (page 8) and aids in coordination with North American
Energy Standards Board.
FirstEnergy
No
Although we are not aware of any NAESB business practices that need to be reviewed in conjunction with these
proposed revisions, the SDT should consider reviewing current RTO procedures and practices that may require the
need for variances in the revised standards.
Response: The DSR SAR DT thanks you for your comment. The Standard Drafting Team will review any procedures or practices that are identified
for potential variances.
Georgia System
Operations Corp.
No
Business practices should not be part of a Reliability Standard. Neither should NERC/Region reporting requirements
(except for reporting of threats to physical or cyber security). NERC may need to take some action in the case of
threats but does not and cannot take any operational action for most of the reporting requirements that are presently in
the Requirements section of the Reliability Standards.
Response: The DSR SAR DT thanks you for your comment. Standard development projects must not invalidate business practices that are already
in place. This question is required to be asked per the Standard Drafting Team Guidelines (page 8) and aids in coordination with North American
Energy Standards Board. The team disagrees with your assertion about reporting. Instances of sabotage are often not identified until after the fact,
and these should be reported to alert other entities of the sabotage and for “lessons learned”.
PSEG Enterprise
Group Inc Companies
No
Northeast Power
Coordinating Council
No
Kansas City Power &
Light
No
IRC Standards Review
Committee
No
Pepco Holdings, Inc. - Affiliates
No
Electric Market Policy
No
Bonneville Power
Administration
No
Lands Energy
Consulting
No
Covanta
No
Colmac Clarion
No
Cowlitz County PUD
No
United Illuminating
No
Reliant Energy
No
Texas Regional Entity
No
Edward C. Stein
No
PacifiCorp
No
WECC
No
ERCOT ISO
No
ReliabilityFirst
Corporation
No
Brazos Electric Power
Cooperative, Inc.
No
Oncor Electric Delivery
No
Consolidated Edison
Co. of New York, Inc.
No
Manitoba Hydro
No
Duke Energy
No
We Energies
No
Consumers Energy
Company
No
NextEra Energy
Resources, LLC
No
Ameren
No
4. CIP-001-1 applies to the Reliability Coordinator, Transmission Operator, Balancing Authority, Generator
Operator, and the Load-serving Entity. EOP-004-1 applies to the same entities, plus the Regional Reliability
Organization. Do you agree with the applicability of the existing CIP-001-1 and the existing EOP-004-1? If no,
please identify what you believe should be modified.
Summary Consideration: Many stakeholders had comments regarding applicability of the two standards. The
three main concerns were:
1. Regional Reliability Organization applicability: Many commenters do not feel the RRO should be in the standards. The DSR
SAR DT concurs and notes that the SAR states that “EOP-004 has some ‘fill-in-the-blank’ components to eliminate”. This will
remove the RRO from applicability.
2. Load-Serving Entity/Distribution Provider: Many stakeholders do not feel that the standards should be applicable to LSEs,
but should apply to Distribution Providers. NERC has recognized, through its Compliance Registry, that there are asset
owning LSEs and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider
based on the Functional Model v4. The team added DP to the applicability of the standard as the Standard Drafting team
may have a need to include them in the standard(s). The applicability of LSE or Distribution Provider will ultimately be
determined by the Standard Drafting Team as it develops the requirements through the Standard Development Process.
3. Transmission Owner/Generator Owner: Many stakeholders have indicated a need to include the TO as an applicable entity.
A couple of those would also include the GO. The SAR DT discussed the addition of both the TO and GO. The team has a
concern that there will be duplication of requirements between the TO/TOP and GO/GOP if the TO and GO are added to the
SAR. That being said, the team added the TO and GO to the applicability of the SAR so that the Standard Drafting team
may consider these entities for applicability. The applicability of requirements will ultimately be determined by the Standard
Drafting Team as it develops the requirements through the Standard Development Process.
Organization
Yes or No
SERC OC Standards
Review Group
No
Question 4 Comment
The EOP-004-1 standard should not apply to the RRO.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
Kansas City Power &
Light
No
Do not agree Load Serving Entities need to continue to be included for sabotage. According to the NERC Functional Model,
an LSE provides for estimating customer load and provides for the acquisition of transmission and energy to meet
customer load demand. An LSE has no real impact on maintaining the reliability of electric network short of their planning
function. Unfortunately, an LSE needs to be included for disturbance reporting to the DOE under certain conditions for
loss of customer load. This may be a reason to maintain a separation of CIP-001 and EOP-004 so as not to unnecessarily
include an LSE when it is not needed.
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team added DP to the applicability of the standard as the Standard Drafting team may have a need to include them in the standard(s). The applicability
of LSE or Distribution Provider will ultimately be determined by the Standard Drafting Team as it develops the requirements through the standard
drafting stage of the process. The team will pass your comment along to the Standard Drafting Team for its consideration.
IRC Standards Review
Committee
No
We agree with the applicability of CIP-001-1 but question the need to include the RRO in EOP-004-1. Requirement R1 of
EOP-004-1 can be turned into an industry developed and approved procedural requirement with details included in an
appendix; whereas R5 can be changed to a requirement for the responsible entities to act on recommendations and to
self-report compliance. Tracking and reviewing status of recommendation do not need to be performed by the RRO, or any
entity for that matter, if a self-reporting mechanism is developed.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
Pepco Holdings, Inc. - Affiliates
No
As specified in Order 693, Regional Reliability Organizations are not to be assigned applicability. The revised standard(s)
should contain the reporting form either directly or by reference and the RRO should be removed. The other EOP-004
requirements for RROs are now considered normal monitoring activities of the Regional Entities.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
FirstEnergy
No
The Regional Reliability Organization should be removed from the applicability of EOP-004-1. Any report they receive
would be from the other entities listed. For consistency, the entities should report to the appropriate law enforcement
agency. A report to the Reliability Entity should also be made for that entity's information only.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
Electric Market Policy
No
Applicability should not apply to LSE unless they have physical assets. If they do not have such assets, they are unable to
determine how many customers are out, how much load was lost or the duration of an outage. We continue to question
the need for the LSE entity in reliability standards. End use customer load is either connected to transmission or
distribution facilities. So, the applicable planner has to plan for that load when designing its facilities or the load will not
have reliable service. To the extent that energy and capacity for that load is supplied by an entity other than the TO or DP,
the TO or DP should have interconnection requirements that compel the supplier to provide any and all data necessary to
meet the requirements of reliability standards.
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team has added DP to the applicability of the standard as the Standard Drafting team may have a need to include them in the standard(s). The
applicability of LSE or Distribution Provider will ultimately be determined by the Standard Drafting Team as it develops the requirements in the standard
drafting stage of the process. The team will pass your comment along to the Standard Drafting Team for its consideration.
MRO NERC Standards
Review Subcommittee
No
As FERC has directed, the RRO should be removed since they are not owners or operators of the BES.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
Lands Energy
Consulting
No
CIP-001-1 - Yes. In many cases, the staff of an LSE embedded in another entity's BA/TOP area is more likely to discover
an act of sabotage directed toward a BA/TOP-owned facility that could affect the BES than the asset owner. This is
because the LSE likely has more operating staff in the area. I have included a requirement in my clients' Sabotage
Identification and Reporting Procedures that the client treat acts of sabotage to a third party's system discovered by client
employees as though the act was directed toward client facilities. EOP-004-1 - As mentioned before, I would eliminate the
LSE from the applicability list and leave the responsibility for disturbance reporting and response to the TOP/BA.
However, I would retain a responsibility for the LSEs to cooperate (when requested) with any disturbance investigation.
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team has added DP to the applicability of the standard as the Standard Drafting team may have a need to include them in the standard(s). The
applicability of LSE or Distribution Provider will ultimately be determined by the Standard Drafting Team as it develops the requirements in the standard
drafting stage of the process. The team will pass your comment along to the Standard Drafting Team for its consideration.
Calpine Corporation
No
The reporting requirements of EOP-004 are needed for the RC, BA, LSE and the GOP that operates or controls
generation in a system as defined by NERC. (System - A combination of generation, transmission, and distribution
components). A disturbance is described as an unplanned event that produces an abnormal system condition, any
perturbation to the electric system, and the unexpected change in ACE that is caused by the sudden failure of generation
or interruption of load. The GOP operating/controlling generation within a system has the ability to analyze system
conditions to determine if reporting is necessary. A NERC registered GOP that is a merchant generator within another
company’s system does not have the ability for a wide area view and cannot analyze system conditions beyond the
interconnection point of the facility. Moreover, in most cases the reporting requirements outlined in the Interconnection
Reliability Operating Limits and Preliminary Disturbance Report do not apply to the merchant generator that is not a
generation only BA. The applicability of the standard does encompass the true merchant generation entities required to
register as GOP. Similarly, the OE-417 table 1 reporting requirements generally do not apply to a true merchant
generating entity that is required to register as a GOP.
Response: The DSR SAR DT thanks you for your comment. The team agrees that generators may not have a wide area view and the capability to
analyze events. The final wording of the requirements developed by the Standard Drafting Team will determine the applicability. The team will pass
your comment on to the Standards Drafting Team for its consideration. The SAR calls for the removal of references to the DOE form OE-417.
Cowlitz County PUD
No
Replace LSE with DP, and the Regional Reliability Organization with the Regional Entity.
Response: The DSR SAR DT thanks you for your comment. The team has added DP to the applicability of the SAR. The SAR calls for removing the fill-in-the-blank standard elements which will remove the RRO.
United Illuminating
No
Add Distribution Provider
Response: The DSR SAR DT thanks you for your comment. The team has added DP to the applicability of the SAR.
Reliant Energy
No
EOP-004-1 should exclude the generator operator from disturbance reporting except providing the system operator or
reliability coordinator with appropriate unit operation information upon request. Acts of sabotage should be identified
clearly and reported to the indicated authorities.
Response: The DSR SAR DT thanks you for your comment. Other commenters have questioned the ability of Generator Operators to have a wide area
view and to be able to analyze disturbances on the system. The team agrees that generators may not have a wide area view and the capability to
analyze system events. The final wording of the requirements (i.e. reporting vs. data provision) developed by the Standard Drafting Team will determine
the applicability to GOPs. The team will pass your comment on to the Standards Drafting Team for its consideration.
Texas Regional Entity
No
Add GO and TO to the list of applicability. The intent of CIP-001-1 when it was first written was to have the proper and
most likely entities associated directly with operations to be the ones to begin the reporting process in the case of
sabotage on the system. In the ERCOT Region and other regions in the US, the GOP may not be physically located at the
site. The GOP is often removed from the minute-by-minute responsibilities of plant operations and, therefore, may be less
able to react to physical sabotage at the location/plant/facility in a timely manner. The concern is that, in the case of an
actual sabotage event, the failure to report to the appropriate authorities in a timely manner may jeopardize the reliability of
the BPS. Therefore, the Generator Owner (GO) should be added to the list of applicability for CIP-001-1, because it is the
GO that is more likely to be on location at the generation site and thus aware of sabotage when it first occurs. This would
disallow for any possible communication gap and put responsibility on all of the appropriate entities to report such an
event. Additionally, and for the same reasons as adding the GO, the Transmission Owner (TO) should also be added to
the list of applicability for reporting sabotage on its facilities.
Response: The DSR SAR DT thanks you for your comment. The SAR DT discussed the addition of the TO and GO. The team was concerned that there
may be duplication of requirements between the TO/TOP and GO/GOP if the TO and GO are added to the SAR. That being said, the team added the TO
and GO to the applicability of the SAR so that the Standard Drafting team may consider these entities for applicability. The applicability of requirements
will ultimately be determined by the Standard Drafting Team as it develops the requirements through the standard drafting Process. The team will pass
your comment along to the Standard Drafting Team for its consideration concerning applicability.
NextEra Energy
Resources, LLC
No
The scope of the proposed SAR should not include the Generator Operator.
Response: The DSR SAR DT thanks you for your comment. Other commenters have questioned the ability of Generator Operators to have a wide area
view and to be able to analyze disturbances on the system. The team agrees that generators may not have a wide area view and the capability to
analyze system events. The final wording of the requirements (i.e. reporting vs. data provision) developed by the Standard Drafting Team will determine
the applicability to GOPs. The team will pass your comment on to the Standards Drafting Team for its consideration.
Exelon
No
CIP-001, remove LSE's from the standard for the reasons identified in the FERC LSE order. Add TO and DP. EOP-004,
remove LSE's from the standard for the reasons identified in the FERC LSE order. Remove RRO's, they are not a user,
owner, operator of the BES. Add DP or TO. Consider conditional applicability as in the UFLS standards, " the TO or DP
who performs the functions specified in the standard..."
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team has added DP to the applicability of the SAR. The applicability of LSE or Distribution Provider will ultimately be determined by the Standard
Drafting Team as it develops the requirements in the standard drafting stage of the process. The SAR DT discussed the addition of the TO. The team is
concerned that there may be duplication of requirements between the TO/TOP if the TO is added to the SAR. That being said, the team added the TO
and GO to the applicability of the SAR so that the Standard Drafting team may consider these entities for applicability. The applicability of requirements
will ultimately be determined by the Standard Drafting Team as it develops the requirements through the standard drafting Process. The SAR calls for
elimination of fill in the blanks elements, which will remove the RRO from the standard. The team will pass your comment along to the Standard Drafting
Team for its consideration concerning conditional applicability.
ERCOT ISO
No
The Regional Reliability Organization is not a registered Functional Entity in the NERC registry. The applicability must be
revised to more appropriately assign the requirements to registered functional entities. Also, the industry needs to
recognize that there are other resources than generation for which the operators need to be included. Perhaps a demand-side resource should have a resource operator. This particular SAR may not be the appropriate venue for this, but control
of resources which can be used to mitigate sabotage events or disturbance events may need to be addressed.
Response: The DSR SAR DT thanks you for your comment. The SAR calls for elimination of fill-in-the-blank elements, which will remove the RRO from
the standard. The applicability of requirements will ultimately be determined by the Standard Drafting Team as it develops the requirements in the
standard drafting stage of the process. The team will pass your comment along to the Standard Drafting Team for its consideration concerning
conditional applicability. This SAR is for reporting rather than control actions as you mention.
Brazos Electric Power
Cooperative, Inc.
No
May need to consider adding Transmission Owner. I don't see a need for the RRO to be included as they are not
owner/operators of grid facilities.
Response: The DSR SAR DT thanks you for your comment. The SAR DT discussed the addition of the TO. The team is concerned that there may be
duplication of requirements between the TO/TOP if the TO is added to the SAR. That being said, the TO has been added to the applicability of the SAR
so that the Standard Drafting team may consider these entities for applicability. The applicability of requirements will ultimately be determined by the
Standard Drafting Team as it develops the requirements in the standard drafting stage of the process. The SAR calls for elimination of fill in the blank
elements, which will remove the RRO from the standard. The team will pass your comment along to the Standard Drafting Team for its consideration
concerning conditional applicability.
PacifiCorp
No
LSE's don't generally own/operate facilities/systems that would experience a logical or physical sabotage event.
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team has added DP to the applicability of the SAR. The applicability of LSE or Distribution Provider will ultimately be determined by the Standard
Drafting Team as it develops the requirements in the standard drafting stage of the process.
MidAmerican Energy
No
MidAmerican Energy believes the requirement for the Regional Reliability Organization should be removed from EOP-004-1 since the RRO is a holdover from making the standards enforceable. It is no longer appropriate for the regions to be
named as responsible entities within the standards.
Response: The DSR SAR DT thanks you for your comment. The SAR calls for elimination of fill-in-the-blank elements, which will remove the RRO from
the standard.
Georgia System Operations Corp.
No
EOP-004 should be retired. CIP-001 should not apply to LSEs other than those that are retail marketers.
Response: The DSR SAR DT thanks you for your comment. The SAR calls for EOP-004 to be revised. The Standard Drafting Team may, with
stakeholder approval, retire it. CIP-001: NERC has recognized, through its Compliance Registry, that there are asset owning LSEs and non-asset
owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The team has added
DP to the applicability of the SAR. The applicability of LSE or Distribution Provider will ultimately be determined by the Standard Drafting Team as it
develops the requirements in the standard drafting process.
AEP
No
We would recommend that the Load Serving Entity (LSE) be removed from both standards, and that the Generator Owner
and Transmission Owner be added to the resulting standard.
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team has added DP to the applicability of the SAR. The applicability of LSE or Distribution Provider will ultimately be determined by the Standard
Drafting Team as it develops the requirements in the standard drafting stage of the process. The SAR DT discussed the addition of the TO and GO. The
team has a concern that there may be duplication of requirements between the TO/TOP and GO/GOP if the TO and GO are added to the SAR. That being
said, the team added the TO and GO to the applicability of the SAR so that the Standard Drafting team may consider these entities for applicability. The
applicability of requirements will ultimately be determined by the Standard Drafting Team as it develops the requirements through the standard drafting
process. The team will pass your comment along to the Standard Drafting Team for its consideration concerning applicability.
Duke Energy
No
It’s unclear to us that the RRO should continue to be an applicable entity.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
Covanta
Yes
It would be a welcome enhancement to the end users to understand the communication link between all "appropriate
parties" who shall be notified of potential or actual sabotage events.... which also needs to be defined.
Response: The DSR SAR DT thanks you for your comment. The team concurs, and will pass this comment on to the standard drafting team for its
consideration.
Edward C. Stein
Yes
WECC
Yes
Luminant Power
Yes
ReliabilityFirst Corporation
Yes
Oncor Electric Delivery
Yes
Consolidated Edison Co. of New York, Inc.
Yes
Illinois Municipal Electric Agency
Yes
Manitoba Hydro
Yes
We Energies
Yes
Consumers Energy Company
Yes
PSEG Enterprise Group Inc Companies
Yes
Northeast Power Coordinating Council
Yes
Bonneville Power Administration
Yes
Colmac Clarion
Yes
Progress Energy
Yes
Ameren
Yes
5. If you have any other comments on the SAR or proposed modifications to CIP-001-1 and EOP-004-1 that you
haven’t provided in response to the previous questions, please provide them here.
Summary Consideration: Stakeholders provided many good comments that should be considered in the development of the
standards under this project. The SAR DT does not believe that these require any revisions to the SAR and will forward these
comments to the Standard Drafting Team for its consideration in developing the standard(s). These include:
1. Consolidation of reports: The SAR DT agrees with this concept and will forward the comment to the Standard Drafting
Team for its consideration.
2. Concerns about pre-determination of combining CIP-001 and EOP-004 into one standard: The SAR states: CIP-001 may be
merged with EOP-004 to eliminate redundancies. The two standards may be left separate.
3. Reporting criteria in multiple tables: The team agrees that it would be easier if there were only one table. Part of this SAR
is to eliminate redundancies and make general improvements to the standard. The team also agrees that the requirements
developed should be clear in their reliability objective.
Organization
Question 5 Comment
PSEG Enterprise Group Inc Companies
The PSEG Companies ask that the drafting team allow sufficient flexibility for sabotage recognition and reporting requirements such
that nothing precludes utilizing a single corporate-wide program for both bulk electric system assets and other businesses. PSEG's
Sabotage Recognition, Response and Reporting Program is directed to all business areas which are directed to follow the same
internal protocol that also satisfies the NERC Standards requirements. For example, for gas assets, PSEG's gas distribution
business follows the PSEG corporate-wide program for sabotage recognition and response. PSEG agrees that some modifications
should be made to CIP-001 (ex. better define or give examples of sabotage) and EOP-004 to make them clearer? If they are
merged, then Sabotage will not be in the title (or the primary focus) because several of the Disturbances that reporting is required for
in EOP-004 have nothing to do with sabotage. EOP-004 has criteria listed in 4 places to determine when to send a report:
o Criteria listed in EOP-004 Attachment 1
o Criteria listed in EOP-004 Attachment 2
o Criteria listed in top portion of Table 1-EOP-004
o Criteria listed in bottom portion of Table 1-EOP-004
Therefore, it would be much easier if there was one table of criteria for reference that addressed all of the reportable conditions and
all of the applicable reports. If the 2 standards are merged as suggested in the SAR, any differences in the reporting obligation for
actual or attempted sabotage and reporting of disturbances must be clear.
Response: The DSR SAR DT thanks you for your comment. The team agrees that it would be easier if there were only one table. Part of this project is
to eliminate redundancies and make general improvements to the standard. The team also agrees that the requirements developed should be clear in
their reliability objective. The team will forward your comment to the standard drafting team for its consideration in the drafting of the standard.
Kansas City Power & Light
If it is desirable to keep CIP-001 and EOP-004 separate, it is recommended the SDT consider adding a reference in CIP-001 to the
DOE reporting form either by name or by internet link in the standard.
Response: The DSR SAR DT thanks you for your comment. The SAR SDT recommends eliminating all references to the DOE report, so there won’t be
a reference to it in CIP-001.
IRC Standards Review Committee
We suggest that the revision not be conducted with a preconceived notion that the two standards must be combined since there are
some differences between sabotage and emergency system conditions, and in the communication and reporting processes and
channels. We suggest the SDT start off with a neutral position to focus on improving the standards, then assess the pros and cons of
merging the two based on technical merit only.
Response: The DSR SAR DT thanks you for your comment. The SAR states: CIP-001 may be merged with EOP-004 to eliminate redundancies. The two
standards may be left separate.
Pepco Holdings, Inc. Affiliates
Consider CIP-008-2 as potentially having overlaps with the proposed standard
Response: The DSR SAR DT thanks you for your comment. The SAR states “Specific references to the DOE form need to be eliminated.” This will
remove the linkage that you identify between CIP-001 and CIP-008. There is also a directive from FERC Order 693 in the SAR that states:
Consider FirstEnergy’s suggestions to differentiate between cyber and physical security sabotage and develop a threshold of materiality.
This allows the standard drafting team to delineate physical and cyber assets. The DSR SAR DT also notes that CIP-008 might be a good framework for
drafting the standard requirements pertaining to sabotage and disturbance reporting of physical assets.
FirstEnergy
1. Under Industry Need it states: "The existing requirements need to be revised to be more specific and there needs to be more
clarity in what sabotage looks like." The use of the phrase "more specific" should be qualified by adding "while not being too
prescriptive". As with other reliability standards, we do not want a standard that causes unwarranted and unnecessary additional
work and costs to an entity to comply.
2. As pointed out by the NERC Audit and Observation Team in the "Issues to be considered" for CIP-001, clarification is needed
regarding contacting the FBI. Prior audits dwelled heavily on FBI notification. For example, our policy states that Corporate Security
notifies the FBI. In recent events it appears that local law enforcement handles day to day activities. The notification process for
contacting the FBI needs clarification along with specific instances in which to call them. Who should make the call to the FBI? It
appears that a protocol needs to be developed to clarify what events require notifying the FBI. It could be as simple as after an
incident a standard form is completed and forwarded to the FBI, letting them decide if follow up is needed.
3. We suggest aligning all reporting requirements for consistency. The items requiring reporting and the timelines to report are very
inconsistent between NERC and the DOE. NERC's timelines are also not consistent with their own Security Guideline for the
Electricity Sector: Threat and Incident Reporting.
Response: The DSR SAR DT thanks you for your comment.
The team concurs that the standards should provide the “what” without the “how”. The standard drafting team will develop the standards using the
NERC Standard Development Process that includes stakeholder consensus. The team does not feel it is necessary to add the “not too prescriptive”
qualifier to the SAR.
The team will forward this comment to the standard drafting team for its consideration in developing the standard(s).
The team concurs with your comment and notes that other commenters have suggested “one stop shopping” reporting for disturbances and
sabotage. The team will forward this comment to the standard drafting team for its consideration in developing the standard(s).
Electric Market Policy
CIP-008-1 Incident Reporting and Response Planning include some requirements that require coordination with the requirements
addressed in this project.
Response: The DSR SAR DT thanks you for your comment. The SAR states “Specific references to the DOE form need to be eliminated.” This will
remove the linkage that you identify between CIP-001 and CIP-008. There is also a directive from FERC Order 693 in the SAR that states:
Consider FirstEnergy’s suggestions to differentiate between cyber and physical security sabotage and develop a threshold of materiality.
This allows the standard drafting team to delineate physical and cyber assets. The DSR SAR DT also notes that CIP-008 might be a good framework for
drafting the standard requirements pertaining to sabotage and disturbance reporting of physical assets.
MRO NERC Standards Review Subcommittee
A. The SAR states that there may be impact on a related standard, COM-003-1 (page SAR-5). Is the SDT referring to Project 2007-02, Operating Personnel Communication Protocols? If so, this is a SAR too and should not be used as a reference.
B. CIP-001-1 and EOP-004-1 should be combined into one EOP Standard.
C. Within EOP-004-1 there is industry confusion on what form to submit in the event of an event. There should only be one form for
the new combination Standard eliminating the need for reporting form attachments. It should be the DOE Form, OE-417. Although it
is beyond the scope of this SAR, it would greatly benefit industry if there was a central location on the NERC website containing ALL
reporting forms, including FERC, NERC, DOE, and ESIAC. This would enable the System Operators to efficiently locate the most
current version of the appropriate form in order to report events.
D. The word Disturbance is primarily used in other Standards as in, Disturbance Control Standard or system separation due to a
disturbance. Should the NERC definition be updated? Should the word “Sabotage” be defined by NERC? Additionally, we
recommend that one definition of “Sabotage” be utilized industry-wide, instead of varying definitions by multiple groups like the DOE,
ESIAC, etc.
Response: The DSR SAR DT thanks you for your comment.
A. It does reference project 2007-02, and it has been noted in the SAR.
B. Will forward this comment to the standard drafting team for its consideration in developing the standard(s).
C. The team concurs with your comment and notes that other commenters have suggested “one stop shopping” reporting for disturbances and
sabotage. The team will forward this comment to the standard drafting team for its consideration in developing the standard(s).
D. References to DOE are to be removed from the standards per the SAR. FERC Order 693 directives include definition of sabotage for CIP-001.
Lands Energy Consulting
One final comment on CIP-001-1. My clients received universally rude treatment from the FBI field offices when they attempted to
establish the contacts required by the Standard. If the FBI doesn't see value in establishing these contacts, remove the requirement
from the Standard. Making sure the LSE knows the FBI field office phone number is probably all the Standard should require.
Response: The DSR SAR DT thanks you for your comment. The team will forward this comment to the standard drafting team for its consideration in
developing the standard(s).
Colmac Clarion
Need single report for Sabotage so whatever is required results in notification of all parties (State Emergency Management,
Homeland Security, FBI, Grid Reliability Chain of Command). Any and all of these can 'expand' knowledge later but all seem to
require 'instant' notification.
Response: The DSR SAR DT thanks you for your comment. The team concurs with your comment and notes that other commenters have suggested
“one stop shopping” reporting for disturbances and sabotage. The team will forward this comment to the standard drafting team for its consideration
in developing the standard(s).
Cowlitz County PUD
Local Law enforcement agencies often are not friendly to Federal involvement with smaller problems they consider their "turf." Need
to make sure the small stuff stays with them, however have a system of internal reporting that will catch coordinated sabotage efforts
(multiple attacks on DPs and small BAs) at the RC or RE level who then can report to the Federal agencies. Currently EOP-004-1
requires small entities to report a "disturbance" if half of their firm customer load is lost. For some entities, this can be one small
substation going down due to a bird. The "50% of total demand" requirement should be removed or improved to better define a true
BPS disturbance.
Response: The DSR SAR DT thanks you for your comment. The team will forward this comment to the standard drafting team for its consideration in
developing the standard(s).
Exelon
Exelon agrees this is a worthwhile project and that reliability will be enhanced and the compliance process will be simplified by
clarifying terminology and reporting requirements in these standards. If nothing else, defining "Sabotage" so as to end interpretations
of this term and the related requirements is necessary.
Response: The DSR SAR DT thanks you for your comment.
ERCOT ISO
Due to the fact that both the CIP-001-1 and EOP-004-1 have similar reporting standards, initially combining the two sounds like a
correct analysis. However, after further consideration and due to the critical nature of its intended function involving Security
aspects, the CIP-001 should be intensely evaluated to determine if its intended purpose meets the threshold or criteria to stand
alone. The existing standards for CIP-001-1 Sabotage Reporting may help prevent future mitigation actions caused by sabotage
events. EOP-004-1 Disturbance Reporting is administrative in nature, thus the jeopardy of the Bulk Electric System reliability is
impacted only if analysis is not performed or if corrective follow-up actions are not implemented. Combining EOP-004 Standard
requirements under the umbrella of the CIP -001 Standard would create a high profile Disturbance Reporting Standard. The industry
would be better served if information defining sabotage was provided as well as a technical reference document on recognizing
sabotage that would also clarify or state any personnel training requirements. All aspects of the intended functions must be
reviewed before merging the two standards. At a minimum, we must consider modification that provides improved understanding of
the reporting standards and implications as they are currently written.
Response: The DSR SAR DT thanks you for your comment. The SAR states: CIP-001 may be merged with EOP-004 to eliminate redundancies. The two
standards may be left separate. One of the FERC Order 693 directives for CIP-001 states:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
The Standard Drafting Team will follow the NERC Standard Development Process in making revisions under this SAR, including a thorough review of
the requirements of both standards. The team will forward this comment to the standard drafting team for its consideration in developing the
standard(s).
MidAmerican Energy
Conflicting time frames exist from document updates. Reporting should be consolidated to one form and / or site to minimize
conflicts, confusion, and errors. 1) Reporting requirements for the outage of 50,000 or more customers in EOP-004-1 requires a
report to be made within one hour while the form OE-417 requires a report be made within six hours of the outage. The six hour
reference on the updated OE-417 form is the correct reference. 2) Reporting for either CIP-001 or EOP-004 should center on the
DOE Form OE-417. This would eliminate confusion and simplify reporting for system operators thereby directly enhancing reliability
during system events. This would also eliminate much of the duplicate material and attachments in EOP-004. 3) Although it is
beyond the scope of this SAR, the industry would benefit if there was a central location or link on the NERC website containing all
reporting forms, including FERC, NERC, DOE, and ESIAC. This would enable System Operators to more efficiently locate and report
events.
Response: The DSR SAR DT thanks you for your comment. The team notes that other commenters have suggested “one stop shopping” reporting for
disturbances and sabotage. The team concurs that timeframes for similar reports should be the same. The team will forward this comment to the
standard drafting team for its consideration in developing the standard(s).
Georgia System Operations Corp.
Entity reporting to NERC/Regions is needed by NERC and the Regions to accomplish their missions of overseeing the reliability of
the BES and enforcing compliance with Reliability Standards. An entity not reporting as quickly as possible does not harm the
integrity of the Interconnection. In fact, it increases the risk to the BES to be investigating details and filling out forms during a time
when attention should be on correcting or mitigating an incident.
Response: The DSR SAR DT thanks you for your comment. The team agrees that non-reporting, in the administrative sense, may not harm the
integrity of the Interconnection. The team suggests that the appropriate avenue for addressing this concern is through the development of Violation
Risk Factors and Violation Severity Levels for each requirement. These compliance elements will be developed during the standard drafting stage of
the development process.
Illinois Municipal Electric Agency
IMEA recommends the following considerations: Simplification of reportable events and the reporting process should be the
overriding objective. NERC's Security Guideline for the Electricity Sector: Threat and Incident Reporting (Version 2.0) should be
updated to support this standards development initiative. At some point in the process, it may help if examples are given of events
actually reported that did not need to be reported.
Response: The DSR SAR DT thanks you for your comment. The team notes that other commenters have suggested “one stop shopping” reporting for
disturbances and sabotage. The team agrees that NERC’s Security Guide should be in sync with the standards. The team will forward this comment to
the standard drafting team for its consideration in developing the standard(s). One of the FERC Order 693 directives for CIP-001 states:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
Events that were reported, but didn’t need to be, may be identified in “lessons learned”.
WECC
No
Luminant Power
None
Oncor Electric Delivery
No Additional Comments
NextEra Energy Resources, LLC
No comment.
Ameren
None
August 13, 2009
Consideration of Comments on Disturbance and Sabotage Reporting —
Project 2009-01
The Disturbance and Sabotage Reporting Standard Drafting Team thanks all commenters
who submitted comments on the proposed Concepts Paper for Disturbance and Sabotage
Reporting. The document was posted for a 30-day public comment period from March 17,
2010 through April 16, 2010. Stakeholders were asked to provide feedback on the
standards through a special Electronic Comment Form. There were 41 sets of comments,
including comments from more than 95 different people from approximately 50 companies
representing 8 of the 10 Industry Segments as shown in the table on the following pages.
The comments have been sorted and organized by question number in this report; the
comments are shown in the original format on the following project web page:
http://www.nerc.com/filez/standards/Project2009-1_Disturbance_Sabotage_Reporting.html
Summary Consideration:
Use of “NERC Guideline: Threat and Incident Reporting”
Most stakeholders agree that existing guidance should be used as the foundation for
disturbance reporting. Most commenters felt that the “NERC Guideline: Threat and Incident
Reporting” document contains a lot of detailed information which greatly assists in
determining reporting events and weeding out non-important events. The most common
desire was one, common form to be used for reporting and the OE-417 was considered to
be a good starting point. Most respondents thought the form could be streamlined. The
DSR SDT was urged to focus on applicable events and reporting timelines which are not
clear now and to report items that are clearly essential to the reliability of the BES. There
was some concern expressed about “over-reporting” out of fear of non-compliance rather
than out of concern for the reliability of the BES. There was also a clear desire to separate out
vandalism & copper theft from reporting requirements.
Hierarchy for Reporting Disturbances
Most stakeholders (about 2/3) agree with the concept of developing a reporting hierarchy
for disturbances. Stakeholders who disagreed believed that the RC should be one of many
to receive information on impact events (DOE, RRO, etc.). Such a hierarchy would lead to
reporting delays (leading to lack of situational awareness), be cumbersome and complicated,
and cloud responsibility for who is to report what to whom. Other negative comments
held that a hierarchy would distract the RC’s focus from its primary responsibility.
Those stakeholders who agreed commented that the RC should be the collection point for
reports and information and take the responsibility to forward as required. This is from the
concept that the RC has the “wider view” and can recognize patterns, and has the ability to
“escalate” the reporting process. This would also minimize duplication of reports and
information.
Single Form for All Agencies
Most stakeholders agreed with the concept of having one reporting form for all entities.
Several commenters suggested that there is no need for a standard on reporting as they
considered it administrative in nature. Most dissenters thought there should be a guideline,
rather than an enforceable standard. There is widespread agreement that the one-size-fits-all approach would be very difficult to get agreement on, given the different countries and
agencies involved. Many stakeholders pointed out that consistency and simplification were
drivers for one report form. Having multiple recipients, with different information
requirements, seems to support an electronic format that would guide information only to
those who need it. The concept of an electronic reporting tool will need to be further vetted
and developed.
Supplements to NERC Form
Most stakeholders agreed with the concept of entities being able to use information from
other sources such as the OE-417 form, to supplement the NERC report form. Some
thought that duplicate reports were acceptable, as long as the information was not
duplicated (if # of customers lost is required on form A, don’t ask on forms B & C). Several
stakeholders commented on the need for an electronic, one stop reporting tool. This would
avoid duplication while ensuring that the information reported goes only to intended
recipients. With an electronic, one stop reporting tool, reports can be updated/corrected
instantly, without repeating previously submitted information. Some stakeholders cautioned
that the OE-417 can change every three years and this should be taken into account when
developing an electronic reporting tool. Again, such a reporting tool would need to be
vetted and developed to meet reliability needs.
Impact Events
The majority of stakeholders agreed with the concept of “impact events.” Some
stakeholders felt that the introduction of impact events increased the risk that some items
will go unreported. However, most felt that impact events would dramatically increase the
number of reports being submitted, and it would be difficult to separate important
information from background noise. Several respondents felt that the SDT ignored the
FERC Directive, and did not define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event. Many respondents supplied
the SDT with their own definition of “Sabotage”. The DSR SDT believes that the concept of
impact events and the specificity of what needs to be reported in the standard will be an
equally efficient and effective means of addressing the FERC directive regarding sabotage.
Some stakeholders felt that impact events add another layer of uncertainty to the reporting.
Even with the switch from sabotage to impact events, several felt that “intent” was still key
to determining reportability.
Regional Differences
Several commenters provided information on regional reporting. The SDT will consider
whether these should be included in the continent-wide standard. These include:
1. NPCC maintains a document and reporting form (Document C-17 - Procedures
for Monitoring and Reporting Critical Operating Tool Failures) that outlines the
reporting requirements, responsibilities, and obligations of NPCC RCs in
response to unforeseen critical operating tool failures.
2. For other events that do not meet the OE-417 and EOP-004 reporting criteria,
ReliabilityFirst expects to receive notification of any events involving a
sustained outage of multiple BES facilities (buses, lines, generators, and/or
transformers, etc.) that are in close proximity (electrically) to one another
and occur in a short time frame (such as a few minutes).
3. WECC sets its loss of load criteria for disturbance reporting at 200 MW rather
than the 300 MW in the NERC reporting form.
4. SERC and RFC are developing additional requirements at this time. We
suggest that reporting be based on impact to reliability, not on ‘newsworthy’
events. We therefore do not agree with such regional efforts and would prefer
continent-wide reporting requirements.
5. Some entities identified some in-force Regional Standards and other regional
reporting requirements.
Project Scope
Some stakeholders suggested that the SDT has gone beyond its approved scope to “further
define sabotage and provide guidance as to the triggering events that would cause an entity
to report a sabotage event.” Further, there is no requirement to create a Reporting
Standard to define sabotage. The SDT contends that the development of impact events and
the reporting requirements for them will provide the clarity sought in the directive. Other
stakeholders suggested that the SDT should seek to retire sanctionable requirements that
require event reporting in favor of guidelines for reporting. Several commenters suggested
that the introduction of impact events actually expands the reporting requirements. It
should be noted that the list of impact events is expected to be explicit as to who is to
report what to whom and within certain timelines.
Electronic Tool
Several stakeholders provided input as to what they believed an electronic reporting tool
should contain:
1. If the decision is made to go to a single reporting form, it should be
developed to cover any foreseeable event.
2. The SDT should work toward a single form, located in a central location, and
submitted to one common entity (NERC).
3. Reports should be forwarded to the ES-ISAC, not NERC, as the infrastructure
is already in place for efficient sharing with Federal agencies, with the
regional entities and with neighboring asset owners. Reports should flow to
all affected entities in parallel, rather than series (timing issues).
Commenters also suggested that the SDT should consider the impacts of the reporting
requirements on the small and very small utilities.
If you feel that your comment has been overlooked, please let us know immediately. Our
goal is to give every comment serious consideration in this process! If you feel there has
been an error or omission, you can contact the Vice President and Director of Standards,
Herbert Schrayshuen, at 609-452-8060 or at Herb.Schrayshuen@nerc.net. In addition,
there is a NERC Reliability Standards Appeals Process. 1
1 The appeals process is in the Reliability Standards Development Procedures:
http://www.nerc.com/standards/newstandardsprocess.html.
September 15, 2010
Consideration of Comments on Concept Paper for Disturbance and Sabotage Reporting —
Project 2009-01
Index to Questions, Comments, and Responses
1. The details of reporting requirements and criteria are in the existing EOP-004 standard
and its attachments. The DSR SDT discussed the reliability needs for disturbance
reporting and will consider guidance found in the document “NERC Guideline: Threat
and Incident Reporting” in the development of requirements. Do you agree with using
the existing guidance as the foundation for disturbance reporting? Please explain your
response (yes or no) in the comment area.
2. The DSR SDT is considering developing a reporting hierarchy for disturbances that
requires entities to submit information to the Reliability Coordinator and then for the
Reliability Coordinator to submit the report. Do you agree with this hierarchy concept?
Please explain your response (yes or no) in the comment area.
3. The goal of the DSR SDT is to have one report form for all functional entities (US,
Canada, Mexico) to submit to NERC. Do you agree with this change? Please explain
your response (yes or no) in the comment area.
4. The goal of the DSR SDT is to eliminate the need to file duplicate reports. The
standards will specify information required by NERC for reliability. To the extent that
this information is also required for other reports (e.g. DOE OE-417), those reports will
be allowed to supplement the NERC report in lieu of duplicating the entries in the NERC
report. Do you agree with this concept? Please explain your response (yes or no) in
the comment area.
5. In its discussion concerning sabotage, the DSR SDT has determined that the spectrum
of all sabotage-type events is not well understood throughout the industry. In an effort
to provide clarity and guidance, the DSR SDT developed the concept of an impact
event. By developing impact events, it allows us to identify situations in the “gray
area” where sabotage is not clearly defined. Other types of events may need to be
reported for situational awareness and trend identification. Do you agree with this
concept? Please explain your response (yes or no) in the comment area.
6. If you are aware of any regional reporting requirements beyond the scope of CIP-001,
CIP-008 and EOP-004 please provide them here.
7. If you have any other comments on the Concepts Paper that you haven’t already
provided in response to the previous questions, please provide them here.
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Commenter | Organization

1. Group: John Bee | Exelon
   Additional Member | Additional Organization | Region | Segment Selection
   1. Dan Brotzman | ComEd | RFC | 1
   2. Dave Weaver | PECO | RFC | 1
   3. Ron Schloendorn | PECO | RFC | 1
   4. John Garavaglia | ComEd | RFC | 1
   5. Karl Perman | Exelon | NA - Not Applicable | NA
   6. Dave Belanger | Exelon Generation Co., LLC | RFC | 5
   7. Alison MacKellar | Exelon Generation Co., LLC | RFC | 5
   8. Tom Leeming | ComEd | RFC | 1
   9. Tom Hunt | PECO | RFC | 1

2. Group: Guy Zito | Northeast Power Coordinating Council
   Additional Member | Additional Organization | Region | Segment Selection
   1. Alan Adamson | New York State Reliability Council, LLC | NPCC | NA
   2. Michael Schiavone | National Grid | NPCC | 1
   3. Roger Champagne | Hydro-Quebec TransEnergie | NPCC | 2
   4. Kurtis Chong | Independent Electricity System Operator | NPCC | 2
   5. Sylvain Clermont | Hydro-Quebec TransEnergie | NPCC | 1
   6. Chris de Graffenried | Consolidated Edison Co. of New York, Inc. | NPCC | 1
   7. Gerry Dunbar | Northeast Power Coordinating Council | NPCC | 10
   8. Ben Eng | New York Power Authority | NPCC | 4
   9. Brian Evans-Mongeon | Utility Services | NPCC | 8
   10. Mike Garton | Dominion Resources Services, Inc. | NPCC | 5
   11. Brian L. Gooder | Ontario Power Generation Incorporated | NPCC | 5
   12. Peter Yost | Consolidated Edison Co. of New York, Inc. | NPCC | 3
   13. David Kiguel | Hydro One Networks Inc. | NPCC | 1
   14. Michael R. Lombardi | Northeast Utilities | NPCC | 1
   15. Randy MacDonald | New Brunswick System Operator | NPCC | 2
   16. Bruce Metruck | New York Power Authority | NPCC | 6
   17. Lee Pedowicz | Northeast Power Coordinating Council | NPCC | 10
   18. Robert Pellegrini | The United Illuminating Company | NPCC | 1
   19. Saurabh Saksena | National Grid | NPCC | 1
   20. Kathleen Goodman | ISO - New England | NPCC | 2
   21. Greg Campoli | New York ISO | NPCC | 2

3. Group: Wes Davis (SERC Staff) and Steve Corbin (Chair of SERC RCS) | SERC Reliability Coordinator Sub-committee (RCS)
   Additional Member | Additional Organization | Region | Segment Selection
   1. Steve Corbin | Southeastern RC | SERC | NA
   2. Joel Wise | TVA RC | SERC | NA
   3. Don Reichenbach | VACAR South RC | SERC | NA
   4. Don Shipley | ICTE RC | SERC | NA
   5. Robert Rhodes | SPP RC | SERC | NA
   6. Stan Williams | PJM RC | SERC |
   7. Tim Aliff | Midwest ISO RC | SERC | NA

4. Group: Mike Garton | Electric Market Policy
   Additional Member | Additional Organization | Region | Segment Selection
   1. Michael Gildea | Dominion Resources Services, Inc. | RFC | 3
   2. Louis Slade | Dominion Resources Services, Inc. | SERC | 6

5. Group: Carol Gerou | MRO's NERC Standards Review Subcommittee
   Additional Member | Additional Organization | Region | Segment Selection
   1. Chuck Lawrence | American Transmission Company | MRO | 1
   2. Tom Webb | WPS Corporation | MRO | 3, 4, 5, 6
   3. Terry Bilke | Midwest ISO Inc. | MRO | 2
   4. Jodi Jenson | Western Area Power Administration | MRO | 1, 6
   5. Ken Goldsmith | Alliant Energy | MRO | 4
   6. Dave Rudolph | Basin Electric Power Cooperative | MRO | 1, 3, 5, 6
   7. Eric Ruskamp | Lincoln Electric System | MRO | 1, 3, 5, 6
   8. Joseph Knight | Great River Energy | MRO | 1, 3, 5, 6
   9. Scott Nickels | Rochester Public Utilities | MRO | 4
   10. Terry Harbour | MidAmerican Energy Company | MRO | 1, 3, 5, 6

6. Group: Linda Perea | Western Electricity Coordinating Council
   Additional Member | Additional Organization | Region | Segment Selection
   1. Steve Rueckert | WECC | WECC | 10

7. Group: Kenneth D. Brown | Public Service Enterprise Group Companies
   Additional Member | Additional Organization | Region | Segment Selection
   1. Ron Wharton | PSE&G | RFC | 1, 3
   2. Dave Murray | PSEG Power Connecticut | NPCC | 5
   3. Jim Hebson | PSEG Energy Resource & Trade | ERCOT | 6
   4. Jerzy Sluarz | PSEG Fossil | RFC | 5
   5. Bruce Wertz | Odessa Ector Power Partners | ERCOT | 5
   6. Peter Dolan | PSEG Energy Resource & Trade | RFC | 6

8. Group: Laura Zotter | ERCOT ISO
   Additional Member | Additional Organization | Region | Segment Selection
   1. Steve Myers | ERCOT ISO | ERCOT | 2, 10
   2. Jimmy Hartmann | ERCOT ISO | ERCOT | 2, 10
   3. Christine Hasha | ERCOT ISO | ERCOT | 2, 10

9. Group: Ben Li | ISO RTO Council Standards Review Committee
   Additional Member | Additional Organization | Region | Segment Selection
   1. Al Dicaprio | PJM | RFC | 2
   2. Jame Castle | NYISO | NPCC | 2
   3. Lourdes Estrada-Salinero | CAISO | WECC | 2
   4. Matt Goldberg | ISO-NE | NPCC | 2
   5. Steve Myers | ERCOT | ERCOT | 2
   6. Bill Phillips | MISO | RFC | 2
   7. Mark Thompson | AESO | WECC | 2
   8. Charles Yeung | SPP | SPP | 2

10. Group: Denise Koehn | Bonneville Power Administration
   Additional Member | Additional Organization | Region | Segment Selection
   1. Tedd Snodgrass | BPA, Transmission Dispatch | WECC | 1
   2. Jim Burns | BPA, Transmission Technical Operations | WECC | 1
   3. Jeff Millennor | BPA, Security & Emergency Response | WECC | 1, 3, 5, 6

11. Group: Jason L. Marshall | Midwest ISO Standards Collaborators
   Additional Member | Additional Organization | Region | Segment Selection
   1. Bob Thomas | IMEA | SERC | 4
   2. Jim Cyrulewski | JDRJC Associates, LLC | RFC | 8
   3. Joe Knight | Great River Energy | MRO | 1, 3, 5, 6
   4. Randi Woodward | Minnesota Power | MRO | 1
   5. Kirit Shah | Ameren | SERC | 1

12. Group: Sam Ciccone | FirstEnergy
   Additional Member | Additional Organization | Region | Segment Selection
   1. Doug Hohlbaugh | FE | RFC | 1, 3, 4, 5, 6
   2. Dave Folk | FE | RFC | 1, 3, 4, 5, 6

13. Individual: Thomas Glock | Arizona Public Service Company
14. Individual: Sandra Shaffer | PacifiCorp
15. Individual: Brent Ingebrigtson | E.ON U.S. LLC
16. Individual: Steve Fisher | Lands Energy Consulting
17. Individual: David Kahly | Kootenai Electric Cooperative
18. Individual: Darryl Curtis | Oncor Electric Delivery Company LLC
19. Individual: Edward Bedder | Orange and Rockland Utilities, Inc.
20. Individual: Kasia Mihalchuk | Manitoba Hydro
21. Individual: Brian Bartos | Bandera Electric Cooperative, Inc.
22. Individual: John T. Walker | Portland General Electric
23. Individual: Gregory Miller | BGE
24. Individual: Dan Roethemeyer | Dynegy Inc.
25. Individual: Rick Terrill | Luminant
26. Individual: James Stanton | SPS Consulting Group Inc.
27. Individual: Andrew Gallo | Calpine Corp.
28. Individual: Steve Alexanderson | Central Lincoln
29. Individual: Brenda Frazer | Edison Mission Marketing & Trading
30. Individual: Martin Bauer | USBR
31. Individual: John Alberts | Wolverine Power Supply Cooperative, Inc.
32. Individual: Thad Ness | American Electric Power
33. Individual: James McCloskey | Central Hudson Gas & Electric
34. Individual: Deborah Schaneman | Platte River Power Authority
35. Individual: Howard Rulf | We Energies
36. Individual: Jianmei Chai | Consumers Energy Company
37. Individual: Amir Hammad | Constellation Power Source Generation
38. Individual: Greg Rowland | Duke Energy
39. Individual: Kirit Shah | Ameren
40. Individual: Dan Rochester | Independent Electricity System Operator
41. Individual: Roger Champagne | Hydro-Québec TransEnergie (HQT)
1. The details of reporting requirements and criteria are in the existing EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and will consider
guidance found in the document “NERC Guideline: Threat and Incident Reporting” in the
development of requirements. Do you agree with using the existing guidance as the foundation for
disturbance reporting? Please explain your response (yes or no) in the comment area.
Summary Consideration: Most stakeholders agree that existing guidance should be used as the foundation for disturbance
reporting. Most commenters felt that the “NERC Guideline: Threat and Incident Reporting” document contains a lot of detailed
information which greatly assists in determining reporting events and weeding out non-important events. The most common
desire expressed was to have one common form for all reporting, and the OE-417 was suggested as a good starting point.
Most respondents thought the form could be streamlined. The DSR SDT was urged to focus on applicable events and reporting
timelines which are not clear now and to report items that are clearly essential to the reliability of the BES. There was some
concern expressed about “over-reporting” out of fear of non-compliance rather than reporting based on the reliability of the BES.
There was also a clear desire to exclude vandalism & copper theft from reporting requirements.
Several specific suggestions were made to modify existing reporting requirements, and the drafting team will consider these
when developing the proposed requirements.
Organization
Yes or No
Question 1 Comment
ERCOT ISO
Possible
Yes
Parts of the Guideline are helpful, but the guideline goes beyond the scope of the requirements of the current
standards, which could pose potential audit concerns. ERCOT ISO strongly feels this approach for reporting
should be focused on physical events only and cyber event reporting should be contained within CIP-008
only. Continue to keep physical separate from cyber.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has not
determined at this time what bright line will be used for the yet to be drafted Standard(s). The DSR SDT will take into consideration your comment on
keeping cyber and physical events separate.
Arizona Public Service Company
No
Then Yes
APS supports standard revisions which streamline the reporting process for security incidents with a single
form, which aligns both with EIA reporting and NERC Standards requirements, particularly those identified in
the NERC Threat and Incident Reporting Guidelines. This would eliminate users issuing reports to multiple
locations/government entities without a standard form or format. The DOE 417 form which is currently utilized
for reporting purposes is out-dated and does not account for the types of incidents as identified in the NERC
Threat and Incident Reporting Guidelines. The guidelines state that an entity can report security incidents to
the ESISAC, through CIPIS (Critical Infrastructure Protection Information System), and/or RCIS (Reliability
Coordinator Information Center). CIPIS refers an entity to the NICC and to the WECC. Additionally, APS
proposes that the terms and timelines of reporting security incidents be clearly identified. Events are often
detected quickly or immediately. Determining whether or not the event was sabotage and/or a reportable
event, however, typically takes much longer. There is no time allowance for an entity to investigate the event
to determine what actually occurred. Currently, DOE 417 provides that acts of sabotage should be reported
within one hour of detection if the impact could affect the reliable operation of the bulk power system. This
may affect the accuracy of the information being provided by an entity on its initial reporting. Finally,
provisions should be incorporated to address the privacy of information being submitted, including handling
and storage.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has not
determined at this time what bright line will be used for the yet to be drafted Standard(s) which should streamline the reporting process (what events
and what timeline should be used).
SPS Consulting Group Inc.
No
At least not exclusively. The current standards and the guidance fail to consider that different registered
entities will have different scopes of awareness for when disturbances may take place. We want to avoid the
situation where a generator (for example) is cited for failure to report a disturbance of which they have no way of
knowing occurred.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT will take
into consideration what Registered Entities are to be included within the yet to be written standard(s) based on the SAR and the facilities each type of
Registered Entity is required to have.
Bonneville Power Administration
No
Then Yes
BPA likes the idea of consolidating information and eliminating duplication of reported information. In the
report, don’t include every detail possible found in the “Threat Guideline”. TOP’s are supposed to be
operating the electrical system, not doing investigative work for copper theft incidents (see comment on #5).
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has not
determined at this time what bright line will be used for the yet to be drafted Standard(s). We will consider your specific suggestion for not requiring
reporting of incidents such as copper theft, when we develop the proposed requirements.
Lands Energy Consulting
No
My firm provides compliance consulting services to a number of smaller (50-700 MW peak load) LSE/DP
registered entities. EOP-004 creates an obligation for LSEs to report "disturbances" that affect their systems.
A few of the smaller of these systems receive service from Bonneville-owned transmission lines that serve
only 4-6 substations. The NERC Form establishes loss of 50% of the LSE's retail customers as a reportable
disturbance. One of my clients receives service from BPA at 5 substations. A single industrial customer with
a substantially dedicated substation comprises 90% of the utility's MWH load. Were it not for this customer,
the utility would have been well below the registration requirement for a DP/LSE. The balance of the load,
about 15 MW of peak and 4000 retail customers, is served from 5 substations. Four of these substations
serving 3000 customers are served from a long Bonneville 115 kV BES transmission line that runs through a
heavily treed right of way. Every time this single line experiences a permanent outage (which will happen a
few times a year), the utility loses less than 10 MW of load, but 75% of its retail customers. Under the
disturbance reporting criteria, this outage would constitute a reportable disturbance for the utility. When the
NERC disturbance reporting criteria were adopted, I doubt that anyone conceived that they would apply to
cases like I just described. Reporting trivial events like I've just described constitutes a nuisance to the entity
making the report and NERC/WECC for having to process the report. The outage has no earthly effect on the
reliability of the BES and certainly doesn't warrant preparation of any kind of disturbance report.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT will take
into consideration what Registered Entities are to be included within the yet to be written standard(s) based on the NERC Standards Committee
approved SAR. The DSR SDT will review the Commission's concern that an adversary might determine that a small LSE is the appropriate target
when the adversary aims at a particular population or facility, as stated in FERC Order 693, paragraph 459. The intent of the proposed standard(s) is to
address reporting needed for after-the-fact analyses of events as well as reporting necessary for situational awareness.
SERC Reliability Coordinator
Sub-committee (RCS)
No
Routine minor incidents such as copper theft and gun shots to insulators should not be reported. These types
of minor events do not affect the reliability of the BPS. Existing reporting requirements are satisfactory. The
focus of reporting should be on reliability related incidents and not incidents related to vandalism as such.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). Reporting thresholds
will be determined during the next step of the Standards Development process. The DSR SDT agrees with your comments on vandalism but a balance
must be further explored to meet industry and regulatory requirements specifically under FERC Order 693.
Consumers Energy Company
No
The existing guidelines ignore the fact that there are currently three overlapping and inconsistent reporting
requirements for disturbances of various types: CIP-001, EOP-004, and DOE OE-417. The reporting should
be such that any single event type needs to be reported only once, and to only a single agency, for any
disturbance. First, CIP-001 events should be reported to the ES-ISAC under one specific requirement (or set
of requirements) and removed from OE-417 and EOP-004, such that all interested agencies obtain their
information from only that one source. Second, OE-417 events should be reportable ONLY to DOE, and,
again, other agencies should obtain their information from only that one source. If NERC wishes to make
such reporting mandatory and enforceable, the NERC requirements should indicate ONLY that such reporting
should be made in accordance with OE-417. Finally, EOP-004 (or similar requirements) should require
reporting to NERC ONLY in the case of events that don’t fit under CIP-001 or OE-417 requirements.
Alternatively, OE-417 should be submitted ONLY to NERC and they should disseminate the information.
EOP-004 has several issues and inconsistencies:
a. EOP-004 requires the entity that submits form DOE-417 to provide copies to NERC. The DOE-417
form intermixes NERC entity definitions (e.g. BA, LSE, TO) with generic terms such as “Electric Utilities” and
“Generating Entities”. Is it the Generator Owner or Generator Operator that is required to submit the
information? There should be one form or at least well defined definitions that apply to both forms.
b. EOP-004-1 R3.1 requires submittal within 24 hours, however Table 1-EOP-004-0 which purports to
summarize the standard appears to change this requirement to 1 hour for several disturbances. Additionally,
it incorrectly summarizes the reporting time for 50,000 customers, which is 6 hours in DOE-417 and
summarized in Table 1-EOP-004-0 as 1-hour. An attachment to a standard should not be allowed to
supersede the standard or create additional rules.
c. EOP-004-1 R3.1 requires submittal within 24 hours, however Table 1-EOP-004-0 which purports to
summarize the standard appears to change the standard. R3.1 clearly states that events are to be reported
within 24 hours of identification, however Table 1-EOP-004-0 states that the events are to be reported on the
basis of the start of the disturbance. An attachment to a standard should not be allowed to supersede the
standard or create additional rules.
d. EOP-004-1 R3.1 requires submittal within 24 hours, however Table 1-EOP-004-0 which purports to
summarize the standard appears to change the standard. R3.1 clearly states that events are to be reported
within 24 hours of identification, however Table 1-EOP-004-0 states that copies of DOE-417 are required to
be submitted “simultaneously”. It also states that schedules 1 and 2 are due within 24 hours of start of the
event instead of 48 hours per DOE-417 for schedule 2. An attachment to a standard should not be allowed
to supersede the standard or create additional rules.
e. The requirement of loss of customers should be scaled based on customers served. Loss of 50,000
customers to a utility that serves 100,000 customers is different than loss of 50,000 customers to a utility that
serves 2,000,000 customers.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT agrees
that present Reliability Standards can be complicated and lead to confusion when working on maintaining system reliability in the area of reporting per
CIP-001-1 and EOP-004-1. We will consider the disagreements you’ve identified in existing reporting requirements when we develop the proposed
requirements.
Central Lincoln
No
The guidance document makes no distinction between entities that operate 24/7 dispatch and those that
don’t. The 1 hour and even the 24 hour reporting requirements in some cases will be impossible for entities
without 24/7 dispatch to meet without changing business practices. These are the same entities that present
little or no risk to the BES.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT will take
into consideration what Registered Entities are to be included within the yet to be written standard(s) based on the SAR. The DSR SDT will establish
the “requirements necessary for users, owners, and operators of the Bulk-Power-System” as stated in FERC Order 693, paragraph 617 and the
difference in reporting of events on the BES, as stated in the Purpose statement of EOP-004-1. The intent of the proposed standard(s) is to address
reporting needed for after-the-fact analyses of events as well as reporting necessary for situational awareness.
MRO's NERC Standards Review
Subcommittee
No
Then Yes
We agree with using the present documentation but would like just one reporting form. We are concerned
that the guidelines and reporting periods specified within the DOE OE-417 report conflict with the NERC
Guidelines. For example, DOE OE-417 report requires “Suspected Physical or Cyber Impairment” to be
reported within 6 hours. The NERC guidelines indicate “Suspected Activities” are to be reported within 1 hour.
We recommend the SDT use the DOE OE-417 report as a guiding document, and then determine additional
reporting requirements using guidance from the NERC Guideline. FERC Order 693 appears to indicate
conflicts and confusion with NERC reporting requirements and DOE reporting requirements should be
eliminated.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT is
looking to streamline required reporting actions and remove any redundant reporting requirements if at all possible. The DOE Form OE-417 is
currently mandatory under Public Law 93-275 for entities within the jurisdiction of the U.S. Department of Energy. We will consider the disagreements
you’ve identified in existing reporting requirements when we develop the proposed requirements.
Luminant
No
Then Yes
While the guidance is generally ok in the “NERC Guideline: Threat and Incidence Reporting”, the reporting
timelines include 1 hour, 2 hours, 4 hours, 6 hours, 8 hours, 24 hours, and 48 hours. Please simplify and
reduce the variation in timelines. When it comes to Sabotage reporting, some time requirements start with
detection, some start with determination of sabotage and some events do not specify the trigger for the
reporting clock to start. Again, please provide clarity and consistency around the start of the timeline for
reporting. Generally, the reporting timing should start with the recognition or determination that a suspected
or known sabotage event occurred.
Response: The DSR SDT thanks you for your comment. The DSR SDT is looking to streamline required reporting actions and remove any redundant
reporting requirements if at all possible. The DSR SDT agrees that present Reliability Standards can be complicated and lead to confusion when
working on maintaining system reliability in the area of reporting per CIP-001-1 and EOP-004-1. We will consider your specific suggestion for less
variation in reporting timeframes, when we develop the proposed requirements.
We Energies
No
Then Yes
While the NERC Guideline includes readily discernible information (and we would like to see that format
carried forward into any future documentation), utilize OE-417 as the foundation document in order to
eliminate reporting redundancies. If supplemental references are necessary for the proposed resolution, list
the document as an official attachment to the standard. Minimize the need to search in multiple locations for
guideline information - some may not be aware supporting documentation exists without explicit reference
within the standard.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT is
looking to streamline required reporting actions and remove any redundant reporting requirements if at all possible. The DSR SDT agrees that present
Reliability Standards can be complicated and lead to confusion when working on maintaining system reliability in the area of reporting per CIP-001-1
and EOP-004-1. The DOE Form OE-417 is currently mandatory under Public Law 93-275 for entities within the jurisdiction of the U.S. Department of
Energy. We will consider your recommendation regarding listing supplemental references within the body of the standard when we draft the proposed
standard(s).
American Electric Power
Yes
Bandera Electric Cooperative,
Inc.
Yes
Calpine Corp.
Yes
Duke Energy
Yes
Edison Mission Marketing &
Trading
Yes
Exelon
Yes
Independent Electricity System
Operator
Yes
PacifiCorp
Yes
Platte River Power Authority
Yes
Central Hudson Gas & Electric
Yes
Question 1 Comment
Central Hudson agrees with using the “NERC Guideline: Threat and Incident Reporting” in the development of
requirements. Central Hudson has currently in place a NERC-DOE Threat and Incident Reporting Table
developed from this NERC Guideline that allows for a quick-reference to all threat and incident reporting
criteria (arranged by category) with a cross-reference to the specific reporting form (NERC Interconnection
Reliability Operating Limit and Preliminary Disturbance Report, DOE Form OE-417, or NERC ES-ISAC Threat
and Incident Report Form). Central Hudson recommends maintaining the option of utilizing only 1 form, the
DOE Form OE-417, for incidents that require reporting to the DOE and NERC to maintain the streamlined
approach to this reporting process.
Response: The DSR SDT thanks you for your comment. The DSR SDT is looking to have a single reporting report form (per question 3) and
streamline the reporting processes that may be developed within a yet to be written requirement(s).
E.ON U.S. LLC
Yes
E.ON U.S. believes that the guidelines provide greater clarity for reporting forced outages caused by
disturbances and sabotage but there remain issues that are in need of further clarification. For example, there
remains too much subjectivity on the reporting of forced outages when there is “identification of valuable
lessons learned”.
Response: The DSR SDT thanks you for your comment. The DSR SDT concurs that further clarification is required with the ambiguous statement
“identification of valuable lessons learned” contained in the guideline – use of this phrase does not meet the technical writing threshold required for
inclusion in a NERC Standard. The DSR SDT’s intent was to look at the posted NERC Guideline and ask the industry if DSR SDT should consider
existing guidelines for possible inclusion into the yet to be written requirement(s). Recommendation of changes to the “NERC Guideline: Threat and
Incident Reporting” should be submitted to NERC via the Critical Infrastructure Protection Committee.
Public Service Enterprise Group
Companies
Yes
EOP reportable disturbances are familiar concepts in the industry.
Response: The DSR SDT thanks you for your comment and support.
Orange and Rockland Utilities,
Inc.
Yes
However, the SDT needs to maintain clear demarcation for the criteria for reporting events, and only those
events that directly affect the reliability of the BES.
Response: The DSR SDT thanks you for your comment. The DSR SDT has been directed to review all disturbance type activities and submit to the
industry a well thought out set of requirements that clearly define disturbance events and what information is required to enhance an
entity’s situational awareness. Clear demarcation for the criteria for reporting will be determined in the near future based on the approved SAR and
industry feedback. The intent of the proposed standard(s) is to address reporting needed for after-the-fact analyses of events as well as reporting
necessary for situational awareness.
Wolverine Power Supply
Cooperative, Inc.
Yes
I agree with referencing existing guidelines - However: My concern is that, until all reportable incidents are
analyzed by the parties to which they are reported, their "impact" on the BES will not be quantified.
Therefore, the tendency to want to "report all events so that their impact can be determined" or "report all
events because the information can be utilized for informational purposes, regardless of impact on BES"
might lead to expanded reporting requirements, some of which may have questionable value from a reliability
standpoint.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if the DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has
been directed to review all disturbance type activities and submit to the industry a well thought out set of requirements that clearly define reportable
events and what information is required to enhance an entity’s situational awareness. Clear demarcation for the criteria for reporting will be
determined in the near future based on the approved SAR and industry feedback. The intent of the proposed standard(s) is to address reporting
needed for after-the-fact analyses of events as well as reporting necessary for situational awareness.
Hydro-Québec TransEnergie
(HQT)
Yes
In considering guidance found in the document “NERC Guideline: Threat and Incident Reporting”, the SDT
should maintain focus on only those items that are absolutely necessary to maintain the reliability of the Bulk
Electric System. In fact, the purpose of reporting per EOP-004 is that disturbances... need to be studied and
understood to minimize the likelihood of similar events in the future.
Northeast Power Coordinating
Council
Yes
In considering guidance found in the document “NERC Guideline: Threat and Incident Reporting”, the SDT
should maintain focus on only those items that are absolutely necessary to maintain the reliability of the Bulk
Electric System. In fact, the purpose of reporting per EOP-004 is that disturbances... need to be studied and
understood to minimize the likelihood of similar events in the future.
Response: The DSR SDT thanks you for your comment. The DSR SDT will establish the “requirements necessary for users, owners, and operators of
the Bulk-Power-System” as stated in FERC Order 693, paragraph 617 and the difference in reporting of events on the BES, as stated in the Purpose
statement of EOP-004-1. The intent of the proposed standard(s) is to address reporting needed for after-the-fact analyses of events as well as
reporting necessary for situational awareness.
Western Electricity Coordinating
Council
Yes
It is comprehensive; however, we must keep in mind that the OE-417 is required under Public Law 93-275
and needs to be attached if applicable in the US.
Response: The DSR SDT thanks you for your comment.
Oncor Electric Delivery Company
LLC
Yes
"NERC Guideline: Threat and Incident Reporting" document should be used for guidance as it identifies best
practices for reporting.
Response: The DSR SDT thanks you for your comment.
Manitoba Hydro
Yes
The “Threat and Incident Reporting” document contains a lot of detailed information which greatly assists in
determining reporting events and weaning out non important events. The document contains some examples
and expected reporting time lines. Attachment 1-EOP-004, though considerably smaller and condensed it
does contain some detail not mentioned in “Threat and Incident Reporting”. Integrating the “Threat and
Incident Reporting” into Attachment 1-EOP-004, though large in size, has lots of information and is easy to
follow would be a large improvement to existing protocol OR SEE QUESTION 3 COMMENTS. Incidences we
have experienced on our system, in past were difficult to delineate as reportable, who to report to and when.
An improvement to this Standard is welcome.
Response: The DSR SDT thanks you for your comment. The DSR SDT is looking to streamline and remove any redundancies within the NERC
Standard’s requirements.
Constellation Power Source
Generation
Yes
The existing guidance is an excellent base on which to build changes to EOP-004 and CIP-001. However, the
SDT must challenge each item in the different event categories and clarify or omit bullet points that are
seemingly vague. For example, under System Disturbances, a forced outage report is needed when “a
generation asset of 500 MW or above is on a forced outage for unknown reasons, or a forced outage of
generation of 2,000 MW occurs...” Simply removing the 500 MW criteria would make this criterion less vague.
There are other examples of this in the guideline.
Response: The DSR SDT thanks you for your comment. The DSR SDT is looking to streamline and remove any redundancies within the NERC
Standard’s requirements. It is the intent of the SDT to carefully review the different event categories and provide clarity where needed to remove
ambiguity.
ISO RTO Council Standards
Review Committee
Yes
The guidelines in EOP-004 and its attachments should be retained as the foundation for reporting
disturbances. One would note that such EOP Disturbances are relatively well defined reliability impacts. Thus
EOP-004 disturbances are based on HOW certain events impacted the BES. [Sabotage on the other hand
requires an implication of WHY an event occurred.] The original EOP-004 represents a common sense
approach to defining reliability events that may be useful to analyze on a regional basis. In the current
environment, Regions are not sanctionable entities but they still are valuable sources to collect, analyze and
trend the few disturbances that occur in each region. To make use of Regions, however, precludes the use of
sanctionable NERC standards. EOP-004 as written does not meet the NERC requirements for standards but
it does meet the Industry needs for a guideline for reporting events that deserve to be reviewed. The SDT
should propose deleting EOP-004 and use it as a Disturbance Reporting Guideline.
Response: The DSR SDT thanks you for your comment. Regions are required to comply with requirements in NERC Reliability Standards – however
Regions are not sanctioned the same way as users, owners and operators of the bulk power system – if a Region fails to comply with a NERC
Reliability Standard, it can be fined for failure to comply under the ERO’s Rules of Procedure.
USBR
Yes
The reporting outlined in the proposed plan does not include a clear indication of how NERC will use the
information they collect from the entities. Care needs to be taken in addressing the reporting requirements to
not create a more confusing or onerous reporting process.
Response: The DSR SDT thanks you for your comment. It is anticipated that NERC will analyze events to assess trends and identify lessons learned
for industry feedback and reliability improvement.
FirstEnergy
Yes
This guideline appears to be a good starting point for developing consistency in reporting. However, we
believe that after-the-fact event reporting is administrative in nature and seldom rises to the level of mandated
reliability standard requirements. It is not clear what reporting would be made through this effort and how it
differs from reporting made through the NERC Reliability Coordinator Information System (RCIS). With the
initiative for more results-based standards being the goal of NERC, true after the fact reporting-type
requirements should become administrative procedures and only be included in standards if they are truly
required for preserving an Adequate Level of Reliability. If there are aspects that rise to be retained in a
mandatory and enforceable reliability standard, we propose that those associated with sabotage be moved to
CIP-001 and that EOP-004 be focused on operational disturbances that warrant wide-area knowledge.
However, if the RCIS is the mechanism to convey real-time information and that is presently occurring outside
of reliability standards, it is unclear what the delta improvement this project aims to achieve.
Response: The DSR SDT thanks you for your comment. As stated in FERC Order 693, paragraph 611, “Complete and timely data is essential for
analyzing system disturbances” and in paragraph 617, “the Commission directs the ERO to develop a modification to EOP-004-1 through the
Reliability Standards development process that includes any requirements necessary for users, owners, and operators of the Bulk-Power-System to
provide data that will assist NERC in the investigation of a blackout or disturbance”. Some data is needed, therefore, for after-the-fact analyses. In
addition, some data is needed much more quickly for situational awareness. The DSR SDT will analyze and determine what constitutes a reportable
event and what information is required for situational awareness as opposed to after the fact analyses of events.
Portland General Electric
Yes
This process is in place and utilities are familiar with it. This is a good place to start.
Response: The DSR SDT thanks you for your comment and support.
Ameren
Yes
We agree that it makes sense to build upon existing documentation. However, we do not believe it is
necessary to require event reporting to be in an enforceable standard. Rather the drafting team should
consider developing a reporting guideline document and retiring the EOP-004 standard.
Response: The DSR SDT thanks you for your comment. As stated in FERC Order 693, paragraph 611, “Complete and timely data is essential for
analyzing system disturbances” and in paragraph 617, “the Commission directs the ERO to develop a modification to EOP-004-1 through the
Reliability Standards development process that includes any requirements necessary for users, owners, and operators of the Bulk-Power-System to
provide data that will assist NERC in the investigation of a blackout or disturbance”. Some data is needed, therefore, for after-the-fact analyses. In
addition, some data is needed much more quickly for situational awareness. As envisioned, the requirements developed under this project will
address both types of reporting requirements.
Midwest ISO Standards
Collaborators
Yes
We agree that it makes sense to build upon existing documentation. However, we do not believe it is
necessary to require event reporting to be in an enforceable standard. Rather the drafting team should
consider developing a reporting guideline document and retiring the EOP-004 standard. This is further
supported by the fact that there is a role in the existing standard for the Regional Entities even though these
requirements can’t be enforced against the Regional Entities because they are not a user, owner or operator
of the system.
Response: The DSR SDT thanks you for your comment. As stated in FERC Order 693, paragraph 611, “Complete and timely data is essential for
analyzing system disturbances” and in paragraph 617, “the Commission directs the ERO to develop a modification to EOP-004-1 through the
Reliability Standards development process that includes any requirements necessary for users, owners, and operators of the Bulk-Power-System to
provide data that will assist NERC in the investigation of a blackout or disturbance”. Some data is needed, therefore, for after-the-fact analyses. In
addition, some data is needed much more quickly for situational awareness. As envisioned, the requirements developed under this project will
address both types of reporting requirements.
Dynegy Inc.
Yes
We agree with using the guidance; however, please consider revising the NERC Guideline: Threat and
Incident Reporting document to (i) lengthen the reporting timelines related to attempted sabotage to allow for
additional time to deem the threat credible, (ii) expand the description of forced outage of generation greater
than 2000 MW to include whether it is at the BA or GO level and if GO level, whether it is for one site or the
combined GO's sites in a Region, and (iii) add a Responsible Party column to the Appendix A matrix.
Response: The DSR SDT thanks you for your comment. Recommendation of changes to the “NERC Guideline: Threat and Incident Reporting” should
be submitted to NERC via the Critical Infrastructure Protection Committee since that falls outside the scope of the SAR.
We will consider your specific suggestions for revisions to reporting requirements when we develop the proposed requirements.
BGE
Yes
We have no problem with NERC using the existing guidance as the foundation for disturbance reporting;
however, since this project proposes to investigate incorporation of the Cyber Incident reporting aspects of
CIP-008, we feel that if adopted, this concept should be added to the NERC Guideline document "Threat and
Incident Reporting".
Response: The DSR SDT thanks you for your comment. Recommendation of changes to the “NERC Guideline: Threat and Incident Reporting” should
be submitted to NERC via the Critical Infrastructure Protection Committee since that falls outside the scope of the SAR.
Electric Market Policy
Yes
Yes; however, in considering guidance found in the document “NERC Guideline: Threat and Incident
Reporting” the SDT should maintain focus on only those items that are absolutely necessary to maintain the
reliability of the Bulk Electric System. In fact, the purpose of reporting per EOP-004 is that disturbances...
need to be studied and understood to minimize the likelihood of similar events in the future.
Response: The DSR SDT thanks you for your comment. The DSR SDT will establish the “requirements necessary for users, owners, and operators of
the Bulk-Power-System” as stated in FERC Order 693, paragraph 617 and the difference in reporting of events on the BES, as stated in the Purpose
statement of EOP-004-1. As envisioned, the requirements developed under this project will address reporting requirements that are used for after-the-fact analyses as well as reporting requirements that are associated with situational awareness.
2. The DSR SDT is considering developing a reporting hierarchy for disturbances that requires entities
to submit information to the Reliability Coordinator and then for the Reliability Coordinator to submit
the report. Do you agree with this hierarchy concept? Please explain your response (yes or no) in
the comment area.
Summary Consideration: Most stakeholders (about 2/3) agree with the concept of developing a reporting hierarchy for
disturbances. Stakeholders who disagreed believed that the RC should be one of many to receive information on impact events
(DOE, RRO, etc.). Such a hierarchy would lead to reporting delays (leading to lack of situational awareness), be cumbersome
and complicated and cloud responsibility for who is to report what to whom. Other negative comments believed that a
hierarchy would distract the RC’s focus from its primary responsibility. Those stakeholders who agreed commented that the RC
should be the collection point for reports and information and take the responsibility to forward as required. This is from the
concept that the RC has the “wider view” and can recognize patterns, and has the ability to “escalate” the reporting process.
This would also minimize duplication of reports and information.
Organization
Yes or No
Question 2 Comment
BGE
No
As currently worded, BGE opposes the reporting hierarchy concept, since insufficient guidelines were
proposed to prevent translation errors between the responsible entity (RE) and the RC. In addition to creating
possible reporting errors, this also opens a risk that the RC could misrepresent the true intent of an RE’s
report contents if called upon to explain/justify a submitted report. Reporting delays are another concern with
this proposal because the RE would basically be relinquishing control of the reporting process to the RC, while
ultimately retaining the responsibility for ensuring the report gets submitted within the required timeframe.
However, BGE recognizes that avoiding duplication and conflicting reports as well as encouraging
communication are valuable. To make the reporting hierarchy concept acceptable to BGE, the DSR SDT
must develop proper controls to ensure the RE has the ability to control or approve the information submitted
and/or subsequently discussed with the respective authorities, and that it is done within the permissible
timeframe to satisfy compliance requirements.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely
reporting, clear accountability so that risk is not transferred, and a mechanism to ensure the Responsible Entity’s reported information remains as
submitted.
Consumers Energy
Company
No
It would be inefficient for RC’s to accumulate ALL disturbance data and submit it, and to bifurcate the reporting based on
type of disturbance above and beyond OE-417 data (which should go ONLY to DOE) would make a standard very involved
for an entity to comply with. We’re discussing after-event data here, not data needed for current operations - and there’s no
reason to make it any more complicated than necessary.
Response: The DSR SDT thanks you for your comment. In order for a reporting hierarchy concept to be adopted, it will result in real efficiency gains by
eliminating duplication of reports. It will not be pursued if the result is a complicated or burdensome process for responsible entities.
Exelon
No
Some of the DOE related reporting is driven by distribution events, i.e. outages greater than 50,000 customers, is it realistic
to expect the RC, whose focus is on the transmission system to perform distribution related reporting?
Response: The DSR SDT thanks you for your comment. The DOE Reporting Form OE 417 is currently mandatory by Public Law and only applies to US
entities and contains reporting thresholds that are not required by NERC. Our goal is to derive reporting thresholds that meet NERC’s needs for
information on bulk electric system disturbances and real-time events, not distribution level-only problems.
USBR
No
The existing reporting methods collect reports of disturbances and analyze them by committees of the respective
coordinating councils. The new process would introduce a duplicate layer and associated staffing. It would be better to
ensure communication between the existing committees of the respective coordinating councils and the RC rather than
creating a new layer of review tracking and analysis. While the layered reporting hierarchy discussed in the Disturbance
Reporting section of the paper will eventually help with overall event awareness, the additional delays the hierarchical
approach could result in a decrease in situational (timely) awareness. Having more comprehensive information as a result of
the potential enhancements each layer adds to the chain of reporting may not be more valuable than timely and well
disseminated information in an actual disturbance situation. We would suggest the SDT give careful consideration to this
proposed direction. It may be appropriate to consider that expedited reporting of operational impacts would outweigh the
benefit of administratively intensive reporting procedures. The events reported through the existing process have not yielded
material feedback other than statistical analysis. Statistical analysis is not as sensitive to timely reporting. Operational
impacts which may be the result of possible sabotage may be evident through assessment of widespread outage patterns or
following event analysis. Comprehensive event analysis can take anywhere from 15 days to 90 days depending on the
event.
Response: The DSR SDT thanks you for your comment. We agree that reporting timeliness must be weighed against the perceived benefits of a
reporting hierarchy. If the reporting hierarchy concept is adopted, it should include controls to ensure timely reporting, clear accountability so that risk
of a violation of the standard is not transferred, and a process to ensure the responsible entities’ reported information remains as submitted. Also it
must result in real efficiency gains and support the reliability of the bulk electric system.
ISO RTO Council
Standards Review
Committee
No
The idea of a reporting hierarchy provides an easy to follow pro forma approach. But disturbance reports should not always
follow a common reporting path. A disturbance on the transmission system for example need not be routed through an “if
applicable” Balancing Authority. To mandate that a BA be in the path is inappropriate. To leave the applicability open is to
create a subjective compliance problem for the impacted BA. Copper theft is another example that should not require
reporting up through the RC. It is a local issue and the Transmission Owner should be able to report this directly to the
appropriate parties. How would a DP, LSE or GO know if an event is an “impact event”? The posed impact events are a
series of conditions for sabotage but not for EOP-type disturbances. The aforementioned entities have no requirement to
monitor and analyze the BES, which then means every event would be an impact event for those entities (not an EOP
disturbance but an impact event). Thus every theft of copper is an impact event mandating a Disturbance Report even
though the SDT notes the RC only has to send it to the “local authorities”. This seems to be a misuse of the RC resources;
every train derailment is an impact event requiring a Disturbance report (is that a commercial train, regional rail line a local
trolley car); every teenage prank would also generate an impact event mandating a disturbance report. The SDT defined
impact events are not appropriate for use in defining disturbances. There is a big difference from creating a set of guidelines
to follow as opposed to creating sanctionable standards.
Response: The DSR SDT thanks you for your comment. Furthermore, impact events should not include copper theft or other conditions that pose no
threat to the reliability of the BES. A train derailment is only an impact event if it threatens some element of the bulk electric system such as a
transmission line corridor - the derailment in itself is not an impact event. See more on impact events under the responses to Question 3.
Bonneville Power
Administration
No
The RC is made aware of these type of incidents and goes right back to incorporating that in their awareness and to focusing
on system reliability. If the RC is the recipient for further distribution of information of this type they will be forever going back
for more information. Eliminate the middleman in whatever concept you propose, folks have plenty to do now. Let people
make good judgments with the direct field people on the seriousness of the breach with their security personnel contacting
the appropriate law enforcement agency. (Or are you looking to do a simple RE reports to the RC who marks various
category items on a secure website Yes/No category item indicator that can be rolled up in ES-ISAC map board?)
Response: The DSR SDT thanks you for your comment. The Reliability Coordinator’s suggested role in this is to allow them to incorporate the
relevant data from responsible entities in their footprint for further analysis.
Duke Energy
No
The RC should not be responsible for submitting the report to FERC, NERC or the RRO. The RC may not have the
necessary first hand information concerning the facts of the event. Situation awareness can be maintained by including the
RC in the distribution of any sabotage related reporting.
SERC Reliability
Coordinator Subcommittee (RCS)
No
The RC should not be responsible for submitting the report to FERC, NERC or the RRO. The RC may not have the
necessary first hand information concerning the facts of the event. Situation awareness can be maintained by including the
RC in the distribution of any sabotage related reporting.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely
reporting, clear accountability so that risk of a violation of the standard is not transferred, and a process to ensure the responsible entities’ reported
information remains as submitted. Also it must result in real efficiency gains and support the reliability of the bulk electric system.
ERCOT ISO
No
There are some events that are truly local and should be handled by local entities and reported to local authorities (i.e. theft).
If there is an impact or potential to have an impact to the BES or to the region, then hierarchical reporting would be
appropriate.
Response: The DSR SDT thanks you for your comment. We agree - a clearly defined impact event criteria would do just as you suggest - leave local
issues on the local level.
Northeast Power
Coordinating Council
No
This is not a standards issue, and NERC should not dictate the reporting structure. It should be left to the RCs and their
members.
Response: The DSR SDT thanks you for your comment. In defining a disturbance reporting hierarchy we sought to realize efficiencies. If the reporting
hierarchy concept is adopted, it must result in real efficiency gains and support the reliability of the bulk electric system. It will not be adopted if the
result is a complicated or burdensome process for responsible entities.
MRO's NERC
Standards Review
Subcommittee
No
We agree a coordinated reporting process is beneficial for the entity and the Reliability Coordinator (RC). However, a
hierarchy would likely lengthen the reporting timeframe, or reduce the allotted time for each entity to provide notification to
the RC in order to meet DOE or NERC timelines. Communication and coordination with the RC would likely provide more
accurate and complete data submissions within a timely process and create shared accountability for the report being
submitted.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely
reporting, clear accountability so that risk of a violation of the standard is not transferred, and some mechanism to ensure the responsible entities’
reported information remains as submitted.
September 15, 2010
Consideration of Comments on Concept Paper for Disturbance and Sabotage Reporting — Project 2009-01
Organization
Yes or No
Question 2 Comment
Midwest ISO Standards Collaborators
No
We do not agree with developing a hierarchy for reporting for all disturbances and impacting events. For instance, copper
theft is an example of an item that should be reported to the appropriate entities directly by the Transmission Owner. The
RC does not need to be made aware of every copper theft unless it has a direct impact on reliability (affects rating, protection
system, etc.) and the RC should not be burdened with expending resources for this reporting. A further example in which the
hierarchy is not needed would be the case in which only one entity is impacted. If a significant event occurs on one TOP’s
system, then the TOP should be able to handle the reporting of all entities under its purview. If more than one TOP is
involved, then it would be necessary to involve the RC in the reporting.
Response: The DSR SDT thanks you for your comment. The reporting hierarchy concept is meant to apply only to disturbance reporting. We agree
that copper theft and other situations that do not pose a direct threat to reliability shouldn’t be reported to NERC through this standard.
FirstEnergy
No
While we appreciate the team's effort to serialize the reporting process, with the electronic communication methods available
today, it seems that reporting can be accomplished simultaneously to multiple entities without shifting the burden of reporting
to others along the communications path. This is particularly true if the reporting format is standardized to a one-size-fits-all
report. Additionally, it would be a great burden to the Reliability Coordinator to review all events perceived by entities to be
malicious sabotage events.
Response: The DSR SDT thanks you for your comment. The reporting hierarchy concept would only apply to disturbance reporting, not impact events.
The Reliability Coordinator’s suggested role in this is to allow them to incorporate the relevant data from responsible entities in their footprint for further
analysis. We will consider your suggestion of simultaneous submissions as a means to effectively notify the necessary parties.
Edison Mission
Marketing & Trading
Yes
PacifiCorp
Yes
SPS Consulting Group
Inc.
Calpine Corp.
Yes
Yes
A Functional Entity such as a Generator Owner/Operator is not always aware that an event, such as a plant trip, is part of a
wider system disturbance that rises to the level of a reportable event under EOP-004. A reporting hierarchy that allows a
Generator to report the facts to its Transmission Operator and have that entity take a wider view to determine whether there
is a disturbance should facilitate the reporting of actual disturbances. The SDT needs to ensure that some thought goes into
the flow of information within the hierarchy and what triggers are needed to drive the reporting up the hierarchy.
Response: The DSR SDT thanks you for your comment. A reporting hierarchy process must include clear triggers for reporting and provide an
efficient, well-defined information flow.
We Energies
Yes
A hierarchical approach in conjunction with a single, electronic form would provide consistent reporting timelines, provide
clarity in the reporting process, and provide more accurate and meaningful data submissions while having shared
accountability. Confusion in the current method could be alleviated while providing more consistency in the reporting of an
"impact event".
Response: The DSR SDT thanks you for your comment.
Arizona Public Service
Company
Yes
All disturbance reporting should go through the RC.
Response: The DSR SDT thanks you for your comment.
Constellation Power
Source Generation
Yes
As stated in the concept paper, a hierarchy ensures proper communications, but it has the added benefit of reducing
redundancy on the Registered Entities, so long as responsibilities and accountability are clearly established.
Response: The DSR SDT thanks you for your comment.
Central Hudson Gas &
Electric
Yes
Central Hudson agrees with this reporting hierarchy for disturbances given the "wider-view" of the Reliability Coordinator as
opposed to an entity such as a Transmission Owner or Load-Serving Entity. While, based on past experience, the current
process works if reports are filed to the DOE, RRO, and RC simultaneously via email for example. However, the RC is in a
better position to identify multi-site incidents and escalate the reporting process if necessary.
Response: The DSR SDT thanks you for your comment.
Wolverine Power Supply
Cooperative, Inc.
Yes
From the perspective of a TOP, this seems to alleviate reporting burden and move it up line. I can understand the logic in
wanting the reporting to flow through the RC for awareness purposes, but I can understand the RC's reluctance to bear the
additional potential burden. Again, a focused effort to minimize the necessary reporting to "true impact events" should be
kept in mind, regardless of who has to report. Collecting reams of data and figuring out what impact it has later should not
be the goal.
Response: The DSR SDT thanks you for your comment. We agree that regardless of any reporting hierarchy, the goal is to report on disturbances and
events with meaningful impact on the bulk electric system. See Question 3 responses for more information on how we view impact events.
Electric Market Policy
Yes
Having the reporting flow through the Reliability Coordinator supports the reliability objective of assessing, monitoring, and
maintaining a wide-area view of the reliability of the Bulk Electric System.
Hydro-Québec
TransEnergie (HQT)
Yes
Having the reporting flow through the Reliability Coordinator supports the reliability objective of assessing, monitoring, and
maintaining a wide-area view of the reliability of the Bulk Electric System. The reporting hierarchy should be to submit the
information to the Reliability Coordinator, and to have the RC submit the report. This would eliminate the duplication of
information.
Orange and Rockland
Utilities, Inc.
Yes
Having the reporting flow through the Reliability Coordinator supports the reliability objective of assessing, monitoring, and
maintaining a wide-area view of the reliability of the Bulk Electric System. The reporting hierarchy should be to submit the
information to the Reliability Coordinator, and to have the RC submit the report. This would eliminate the duplication of
information.
Response: The DSR SDT thanks you for your comment.
Lands Energy
Consulting
Yes
I would give the RC the authority to establish impact thresholds for reporting. Consistent with my earlier comment, I would
set the materiality threshold for disturbance reporting purposes at LSEs (or a combination of LSEs in the case of BPA)
serving at least 90,000 customers.
Response: The DSR SDT thanks you for your comment. Reporting thresholds in the standard will meet NERC requirements: Reliability Coordinators
may have different reporting criteria to meet Regional requirements, but they will not appear in this yet to be written Standard.
Central Lincoln
Yes
In the west at least, this hierarchy should be extended to include BA’s as indicated in the Concepts Paper. See:
http://www.bpa.gov/corporate/business/reliability/Docs/2007/PNSC_RE_Data_Letter_2_070723.pdf
for the RC’s policy on which entities it chooses to communicate with.
Response: The DSR SDT thanks you for your comment. The hierarchy concept includes BAs as appropriate in the reporting structure.
Luminant
Yes
Luminant believes that one report should be filed with the Reliability Coordinator or one responsible entity, who then files the
report with all applicable entities.
Response: The DSR SDT thanks you for your comment.
Oncor Electric Delivery
Company LLC
Yes
Oncor agrees with this reporting hierarchy, in that dual reporting should be eliminated.
Response: The DSR SDT thanks you for your comment.
Portland General Electric
Yes
PGE is familiar with and works closely with WECC today so the hierarchical consideration makes sense.
Response: The DSR SDT thanks you for your comment.
Platte River Power
Authority
Yes
Situational awareness would be enhanced. All affected entities would be aware of the disturbance and relevant information.
Also, the flow of information between entities would be enhanced and a more comprehensive report could be developed.
Response: The DSR SDT thanks you for your comment.
Ameren
Yes
The hierarchy is appealing in the fact that the TOP/BA will be kept in the loop and receive critical information from the
Generators, Distribution, LSE, etc. But there will be an inherent delay in reporting due to the fact that at every hand-off of
information there will be questions for additional and/or clarified information, and there is always a possibility for the loss of
information due to the transfer from one entity to the next. Further, this reporting through a hierarchy could also take away
from the operators’ ability to respond to system events due to being tied to an information transfer ladder.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely reporting,
clear accountability so that risk of a violation of the standard is not transferred, and some process to ensure the responsible entities’ reported
information remains as submitted. It must also ensure that it does not place any extra burden on operators that could create an additional risk to
reliability.
E.ON U.S. LLC
Yes
The hierarchy will simplify reporting from the entity in that the RC is always notified and then the RC notifies other parties as
required (with the exception of OE-417, which still has to be filled out per law). E.ON U.S. recommends that the drafting team
pay particular attention to the report process to make sure that duplicate reports are not being required. Currently
information on forced outages is already communicated to the RC so formalizing a requirement to provide data to the RC
may represent duplication to reports already provided.
Response: The DSR SDT thanks you for your comment. Avoiding duplication is a key goal of the drafting team.
Public Service Enterprise
Group Companies
Yes
The PSEG Companies believe that all entities with a reportable disturbance should report to the RC. The RC is best
positioned to evaluate the impact of the event and forward the information to the appropriate entities. There should not be
any intermediate entities to relay information to the RC as that can introduce delay and has the potential to introduce
transcription errors. Sabotage events should be reported to the RC as well as to law enforcement. CIP-008 reporting is
highly specialized and should be retained in the set of cyber security standards, not merged with CIP-001 and EOP-004.
Response: The DSR SDT thanks you for your comment. Detection of cyber events may be specialized but report of them is not. Threats to reliability
must be reported no matter what the cause. The DSR SDT proposes using the thresholds found in CIP-008 - this standard would provide a one stop
form to submit the information. Note that the current CIP-008 has a reporting requirement to the ES-ISAC only.
Manitoba Hydro
Yes
The Reporting Concept states that the new hierarchy is, “Affected entity to TOP/ BA to RC. Then the RC will then submit to
NERC and DOE (if required)”. This will enhance the existing requirement EOP-004-1 R4 which states that the RC shall assist
the affected entity by providing representatives to assist in the investigation (this is also all reiterated in Attachment 1-EOP-004). In a disturbance, the local resources would be tied up in the rectification of the problem. Analyzing and reporting the
event (is it reportable, who to report to, what is the timeline) is distracting and time consuming. By leaving the final upper
level steps of reporting to NERC/DOE by the RC would be efficient.
Response: The DSR SDT thanks you for your comment.
Western Electricity
Coordinating Council
Yes
There should be an established time sequence that allows the RC to review the entities’ material prior to forwarding to NERC.
By channeling all reports through the RC situational awareness will be enhanced. Instead of "submit information", it should
be clarified that entities submit complete written reports to RC in electronic format.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely reporting,
clear accountability so that risk of a violation of the standard is not transferred, and a process to ensure the responsible entities’ reported information
remains as submitted.
American Electric Power
Yes
This approach may work as long as there is a uniform process across all of the Reliability Coordinators. AEP owns and
operates BES facilities under three separate RCs and having differing rules and processes would create confusion and
additional burdens. There are some concerns about the time lag of reporting the information and this might not work well in
all cases especially if the information and knowledge are at the local level. AEP recommends that the standard could have a
default hierarchy, but this should not prohibit any entity from reporting directly.
Response: The DSR SDT thanks you for your comment. Our goal is uniform reporting criteria to meet specified requirements. We will consider the
risks and benefits of allowing a default hierarchical reporting structure with the ability for responsible entities to report directly to NERC.
Bandera Electric
Cooperative, Inc.
Yes
This approach, while I suspect will not be universally agreed to, should provide some definitive guidance in reporting.
Response: The DSR SDT thanks you for your comment.
Dynegy Inc.
Yes
This seems to be a straightforward approach in that the RC is the best judge of threats to the overall system and could
eliminate multiple reports of a single event.
Response: The DSR SDT thanks you for your comment.
Independent Electricity
System Operator
Yes
We do not agree with the need of such a hierarchy setup solely for the purpose of making reports to the need-to-know
entities. All responsible entities (RC, BA, TOP, etc.) need to file a report. With the proposed set up noted under Q3, which we
support, these reports should go directly to NERC. The RC should not be held responsible for forwarding other entities’
reports to NERC, and in doing so subject itself to potential non-compliance.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely reporting,
clear accountability so that risk of a violation of the standard is not transferred, and a process to ensure the responsible entities’ reported information
remains as submitted.
3. The goal of the DSR SDT is to have one report form for all functional entities (US, Canada, Mexico) to
submit to NERC. Do you agree with this change? Please explain your response (yes or no) in the
comment area.
Summary Consideration: Most stakeholders agreed with the concept of having one reporting form for all entities.
Several commenters suggested that there is no need for a standard on reporting as they considered it administrative in nature.
Most thought it should be a guideline, rather than an enforceable standard.
There is widespread agreement that the one-size-fits-all approach would be very difficult to get agreement on, given the
different countries and agencies involved. Many stakeholders pointed out that consistency and simplification were drivers for
one report form.
Having multiple recipients, with different information requirements, seems to support an electronic format that would guide
information only to those who need it. The concept of an electronic reporting tool would need to be further vetted and
developed.
Organization
Yes or No
Question 3 Comment
Bandera Electric Cooperative, Inc.
No preference in this area.
ISO RTO Council Standards Review Committee
No
The SRC supports NERC’s initiative for Results Based Standards. The SRC understood RBS to mean the
results were reliability based quantities not administrative quantities. There is no need for a NERC Reliability
standard on reporting. The idea that all functional entities in each of the said countries will use one form
would be a good idea if and only if all the countries and all of their agencies were willing to accept that form.
The SRC does not believe that those agencies will be willing to cede what information they ask for to NERC;
nor that NERC will be able to create a single form that all such agencies will accept.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements. The set of results-based standards is
intended to provide a ‘defense-in-depth’ approach to protecting reliability of the bulk power system. While many reports are administrative and are
only used to assess compliance with specific requirements, the reporting addressed in this project is focused on providing data needed to support
after-the-fact analyses of events, and reporting information needed to maintain situational awareness. As such, the SDT believes that these reporting
requirements do need to be enforceable.
FirstEnergy
No
While one consistent form for reporting may simplify reporting requirements, it would be very difficult to get all
governmental agencies to agree to a one-size-fits all approach.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Public Service Enterprise Group
Companies
No
While simplification and consistency is a laudable goal, it should not be applied to different governmental
agencies (USA, Canada, Mexico) which may have different structures and processes. Moreover, results
based standards should not include administrative matters such as reporting forms.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements. The set of results-based standards is
intended to provide a ‘defense-in-depth’ approach to protecting reliability of the bulk power system. While many reports are administrative and are
only used to assess compliance with specific requirements, the reporting addressed in this project is focused on providing data needed to support
after-the-fact analyses of events, and reporting information needed to maintain situational awareness. As such, the SDT believes that these reporting
requirements do need to be enforceable.
American Electric Power
Yes
Constellation Power Source
Generation
Yes
Exelon
Yes
PacifiCorp
Yes
Platte River Power Authority
Yes
Calpine Corp.
Yes
A single approach is desirable, particularly for those entities that find themselves in multiple regions or
countries.
Response: The DSR SDT thanks you for your comment.
We Energies
Yes
Agree in conjunction with proposed concept that DOE OE-417 will be allowed to supplement the NERC report
in lieu of duplicating entries.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Consumers Energy Company
Yes
Agreed - to the extent that it’s consistent with the concept that any specific type of data is submitted to ONLY
one entity.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Arizona Public Service Company
Yes
APS supports the standardization of the form for consistency and format.
Response: The DSR SDT thanks you for your comment.
Bonneville Power Administration
Yes
As long as we don’t make one form that requires extraneous information for the sake of having agreement.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Western Electricity Coordinating
Council
Yes
Canadian and Mexican entities should be consulted on content of report form to assure their "buy in".
Response: The DSR SDT thanks you for your comment. It is DSR SDT’s intent to discuss the need for information with appropriate jurisdictional
agencies.
Central Hudson Gas & Electric
Yes
Central Hudson agrees with this goal if the intent is to develop and implement an electronic version that would
meet DOE requirements as well.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
E.ON U.S. LLC
Yes
E.ON U.S. supports the proposal.
Response: The DSR SDT thanks you for your comment.
MRO's NERC Standards Review
Subcommittee
Yes
However, we believe the primary goal should focus on “each entity” being able to submit one report for all
functional requirements. Entities in the US that are required to submit the DOE OE-417 form should not be
required to submit an additional form developed for other entities (Canada & Mexico). One approach to satisfy
this goal is for NERC to require all entities (US, Canada, & Mexico) to complete the DOE OE-417 form as
their report.
Response: The DSR SDT thanks you for your comment.
Wolverine Power Supply
Cooperative, Inc.
Yes
I can't see how anyone would disagree with this concept - However - I question how practical it will be to
implement, since various agencies would have to collaborate and coordinate to accomplish this task.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Lands Energy Consulting
Yes
I think that the impact approach makes sense and that EOP-004 and CIP-001 are logically connected. Many
entities of which I am aware link Sabotage Reporting Training to Disturbance Reporting obligation awareness
already.
Response: The DSR SDT thanks you for your comment.
Oncor Electric Delivery Company
LLC
Yes
Oncor agrees that by using the same type reporting format, there should be consistency in regard to each
functional entity's expectations.
Response: The DSR SDT thanks you for your comment.
BGE
Yes
One form makes sense to us; less is better in the sense that it makes filing reports easier by not creating
unnecessary complications.
Response: The DSR SDT thanks you for your comment.
Ameren
Yes
One report would be great for this standard. While this standard needs simplification and automation, we
strongly suggest developing a guideline for reporting rather than enforceable standards.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements. The set of results-based standards is
intended to provide a ‘defense-in-depth’ approach to protecting reliability of the bulk power system. While many reports are administrative and are
only used to assess compliance with specific requirements, the reporting addressed in this project is focused on providing data needed to support
after-the-fact analyses of events, and reporting information needed to maintain situational awareness. As such, the SDT believes that these reporting
requirements do need to be enforceable.
Portland General Electric
Yes
PGE supports the efforts of the Standards Drafting Team on the SAR for Project 2009-01 to consolidate the
disturbance and sabotage reporting processes as outlined in the concept paper.
Response: The DSR SDT thanks you for your comment.
Dynegy Inc.
Yes
Please keep it short and simple.
Response: The DSR SDT thanks you for your comment.
ERCOT ISO
Yes
Standardization ensures consistency and relevance of the information received.
Response: The DSR SDT thanks you for your comment.
USBR
Yes
The Bureau of Reclamation utilizes a form for tracking unexpected events. This form contains information
which the agency considers important for its own reliability improvement program. The form is also used to
meet NERC standard requirements for protection system operations analysis. This form contains most of
information required by DOE. The SDT should consider requiring the submission of specific information
rather than lock responses in one specific form. In this manner the agency would avoid duplicate forms,
one for NERC, the other for agency purposes.
Response: The DSR SDT thanks you for your comment.
Central Lincoln
Yes
The existing reporting is needlessly complex. We appreciate the SDT’s goal.
Response: The DSR SDT thanks you for your comment.
SPS Consulting Group Inc.
Yes
There should have probably been one report all along.
Response: The DSR SDT thanks you for your comment.
Duke Energy
Yes
There should only be one report for all functional entities to submit to NERC.
Response: The DSR SDT thanks you for your comment.
SERC Reliability Coordinator
Sub-committee (RCS)
Yes
There should only be one report for all functional entities.
Response: The DSR SDT thanks you for your comment.
Manitoba Hydro
Yes
This is a promising idea, though there would be different requirements for the three countries, this could easily
be rectified with “drop down menus”. This electronic form could contain a lot of information without distracting
clutter as you “tree” down the menu depending on the event that occurred. This could also contain electronic
references to information located in Attachment 1-EOP-004 and Threat and Incident Reporting.
Response: The DSR SDT thanks you for your comment. We will consider your specific suggestions when we develop the reporting requirements.
Hydro-Québec TransEnergie
(HQT)
Yes
We agree with the concept that there should be one report form for all functional entities (whether located in
the US, Canada, Mexico) for use in reporting to NERC. This would provide for a consistent reporting format
across the continent.
Response: The DSR SDT thanks you for your comment.
Northeast Power Coordinating
Council
Yes
We agree with the concept that there should be one report form for all functional entities (whether located in
the US, Canada, Mexico) for use in reporting to NERC. This would provide for a consistent reporting format
across the continent.
Response: The DSR SDT thanks you for your comment.
Orange and Rockland Utilities,
Inc.
Yes
We agree with the concept that there should be one report form for all functional entities (whether located in
the US, Canada, Mexico) for use in reporting to NERC. This would provide for a consistent reporting format
across the continent.
Response: The DSR SDT thanks you for your comment.
Midwest ISO Standards
Collaborators
Yes
We agree with the goal of having a single report form but believe there will be a significant challenge to get
varying governmental agencies to agree on single report format.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Edison Mission Marketing &
Trading
Yes
With the realization that having a common report form may be difficult to coordinate between different
agencies.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Independent Electricity System
Operator
Yes
Yes, this will simplify the reporting effort. NERC may forward the reports to the other need-to-know entities.
Response: The DSR SDT thanks you for your comment.
Electric Market Policy
Yes
Yes, we agree with the concept that there should be one report form for all functional entities (whether located
in the US, Canada, Mexico) for use in reporting to NERC.
Response: The DSR SDT thanks you for your comment.
4. The goal of the DSR SDT is to eliminate the need to file duplicate reports. The standards will specify
information required by NERC for reliability. To the extent that this information is also required for
other reports (e.g. DOE OE-417), those reports will be allowed to supplement the NERC report in lieu
of duplicating the entries in the NERC report. Do you agree with this concept? Please explain your
response (yes or no) in the comment area.
Summary Consideration: Most stakeholders agreed with the concept of entities being able to use information from other
sources such as the OE-417 form, to supplement the NERC report form. Some thought that duplicate reports were acceptable,
as long as the information was not duplicated (if # of customers lost is required on form A, don’t ask on forms B & C). Several
stakeholders commented on the need for an electronic, one stop reporting tool. This would avoid duplication while ensuring
that the information reported goes only to intended recipients. With an electronic, one stop reporting tool, reports can be
updated/corrected instantly, without repeating previously submitted information. Some stakeholders cautioned that the OE-417 can change every three years and this should be taken into account when developing an electronic reporting tool. Again,
such a reporting tool would need to be vetted and developed to meet reliability needs.
Organization
Yes or No
Question 4 Comment
ERCOT ISO
ERCOT ISO agrees with the concept of eliminating the need to file duplicate reports, but as stated in the
Concept Paper, the DOE form (OE-417) is required by law. Based on this, the elimination of EOP-004 (after
the fact reporting) is essential, since the OE-417 is mandatory and all-inclusive.
Response: The DSR SDT thanks you for your comment. We agree that the OE-417 compiles a baseline set of information for disturbances, however, it
does not function as an all-inclusive report of sabotage and cyber security incidents. The DSR SDT certainly seeks to gain efficiencies through the
modification of EOP-004 and CIP-001, which may include the elimination of one or both. Further, the OE-417 is only mandatory for US entities.
Midwest ISO Standards
Collaborators
No
It certainly makes sense to eliminate duplication in reporting and to allow supplemental information to be
submitted in other reports. However, it does not make sense to require reporting to other governmental
agencies through NERC enforceable NERC standards. Those governmental agencies already have legal
authority to compel reporting. Again, we support developing a guideline for reporting rather than enforceable
standards. The guideline could certainly explain the various reporting requirements and supplemental
reporting requirements mentioned in the question without causing the issues we have identified in our
comments.
Response: The DSR SDT thanks you for your comment. The DSR SDT does not envision a NERC standard mandating submission of reports to DOE,
which is mandatory under Public Law for US entities. If the DSR SDT is able to develop a one-stop-shopping electronic form, we plan to develop an
option to have the report submitted to NERC, DOE and FERC simultaneously. If an entity chooses to submit the report manually, they will then also be
responsible for following DOE regulations and other mandatory requirements.
Consumers Energy Company
No
NERC should either coordinate with DOE for a single reporting process or simply adopt the DOE’s standard.
Response: The DSR SDT thanks you for your comment. The DSR SDT does not envision a NERC standard mandating submission of reports to DOE,
which is mandatory under Public Law for US entities. If the DSR SDT is able to develop a one-stop-shopping electronic form, we plan to develop an
option to have the report submitted to NERC, DOE and FERC simultaneously. If an entity chooses to submit the report manually, they will then also be
responsible for following DOE regulations and other mandatory requirements. The DOE report does not collect all the information that NERC needs.
E.ON U.S. LLC
No
Reliability standards are federal law enforced by fines that can reach up to $1,000,000 per day of violation.
There is no reason to deliberately include ambiguity, i.e. “gray areas,” in requirements such that registered
entities are left unable to determine what it is they must do or refrain from doing to remain compliant.
“Sabotage” for the purposes of these standards must be defined.
Response: The DSR SDT thanks you for your comment. The intent of the DSR SDT is to develop requirements for reporting that will be clear and
unambiguous with respect to compliance issues. Sabotage will be included in the reporting for “impact events”, but may not be called ‘sabotage’ as
there are many different interpretations of “sabotage”.
ISO RTO Council Standards
Review Committee
No
The concept of eliminating duplication is laudable, but the idea of writing a standard to mandate reporting that
involves reporting to governmental areas does not make sense unless NERC will do all of the reporting for the
Industry. A governmental agency is as likely as not to change the forms they require which would then mean
two different reports (one for NERC and one for the given agency) or that the standard would have to be rewritten every time there is a change.
Response: The DSR SDT thanks you for your comment. The DSR SDT does not envision a NERC standard mandating submission of reports to DOE,
which is mandatory under Public Law for US entities. If the DSR SDT is able to develop a one-stop-shopping electronic form, we plan to develop an
option to have the report submitted to NERC, DOE and FERC simultaneously. If an entity chooses to submit the report manually, they will then also be
responsible for following DOE regulations and other mandatory requirements.
Ameren
No
The DOE OE-417 report should not supplement the NERC report due to the fact that the majority of
reportable events are defined in/come from the OE-417 report. The NERC reporting form should be based on
the OE-417 report and then include additional reporting requirements defined by NERC. However, it does not
make sense to require reporting to the governmental agencies through enforceable NERC standards. The
governmental agencies already have legal authority to compel reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT does not envision a NERC standard mandating submission of reports to DOE,
which is mandatory under Public Law for US entities. If the DSR SDT is able to develop a one-stop-shopping electronic form, we plan to develop an
option to have the report submitted to NERC, DOE and FERC simultaneously. If an entity chooses to submit the report manually, they will then also be
responsible for following DOE regulations and other mandatory requirements.
SERC Reliability Coordinator
Sub-committee (RCS)
No
The requirement should be a single report that satisfies the need for all US governmental agencies as well as
NERC and the RRO’s.
Response: The DSR SDT thanks you for your comment. The intent of the DSR SDT is to develop standards to address the reliability needs for NERC
and not governmental agency reporting criteria.
Western Electricity Coordinating
Council
No
This will work well for the USA entities to save us time in re-entering the same information. We believe that
FERC and NERC and the Regions should have one common reporting form for North America. The OE-417
is not required by law outside of the United States. Canadian and Mexican entities may feel that US DOE has
no jurisdiction in these countries, and therefore no right to required reporting as is stated on the OE-417.
Response: The DSR SDT thanks you for your comment. We agree that the OE-417 report is not required for Canadian or Mexican entities. The DSR
SDT does not envision a NERC standard mandating submission of reports to DOE. If the DSR SDT is able to develop a one-stop-shopping electronic
form, we plan to develop an option to have the report submitted (or not) to NERC, DOE and FERC simultaneously. If an entity chooses to submit the
report manually, they will then also be responsible for following DOE regulations and other mandatory requirements.
American Electric Power
Yes
Edison Mission Marketing &
Trading
Yes
Exelon
Yes
Orange and Rockland Utilities,
Inc.
Yes
PacifiCorp
Yes
Platte River Power Authority
Yes
Arizona Public Service Company
Yes
APS supports eliminating the need to file duplicate reports. This standardized form should generate and send
the DOE OE-417 report, totally eliminating duplicate work. Streamline the process.
Response: The DSR SDT thanks you for your comment.
Central Hudson Gas & Electric
Yes
Central Hudson agrees with this concept and, as stated in a previous response, recommends that the ability
of utilizing the DOE OE-417 to supplement the NERC report be maintained.
Response: The DSR SDT thanks you for your comment.
Calpine Corp.
Yes
Clarification, simplicity and the removal of duplicate reporting is beneficial.
Response: The DSR SDT thanks you for your comment.
Constellation Power Source
Generation
Yes
Constellation agrees with the concept of eliminating the need to file duplicate reports. If the single NERC
reporting form is both comprehensive and easy to use, then using a single report should not be an issue. It is
essential that all elements of DOE OE-417, and any similar documents, be incorporated into this single report.
Not incorporating all elements will result in gaps in reporting for all Registered Entities.
Response: The DSR SDT thanks you for your comment.
SPS Consulting Group Inc.
Yes
Duplication is inefficient and casts the whole reporting mechanism in a questionable light.
Response: The DSR SDT thanks you for your comment.
We Energies
Yes
However, also evaluate whether or not DOE OE-417 is sufficient in lieu of a NERC report. If additional
information is required, duplicate format of DOE-OE-417 with additional NERC information listed at the end of
the form.
Response: The DSR SDT thanks you for your comment.
Wolverine Power Supply
Cooperative, Inc.
Yes
I agree with the concept of minimizing duplication - See previous question 3 for concerns.
Response: The DSR SDT thanks you for your comment.
USBR
Yes
It should be clear what information is to be supplemented. The fewer times the information has to be handled
the more efficient the process becomes. If the information exists on a required form, that legal form should be
allowed. Also, if the form is already submitted, then reference to it should be sufficient rather than requiring
resubmission of the form. That would require handling the information again. As explained in the previous
answer, the SDT should recognize that responsible entities have already developed internal reporting
processes which utilize forms for consistent responses. Those forms may contain more information than is
needed by the new standard to be proposed. The entity should be allowed to submit the internal form or else
duplication would be created, which may reduce the effectiveness of an entity's reliability improvement
program.
Response: The DSR SDT thanks you for your comment. The DSR SDT envisions a one-stop-shopping form that allows reports to be saved, revised
and resubmitted at a later date without re-entry of data or information. However, as a caution the DSR SDT cannot guarantee the possibility to submit
custom forms.
Lands Energy Consulting
Yes
Less paperwork and fewer requirements to keep in mind during what may be once in a lifetime events are
always good.
Response: The DSR SDT thanks you for your comment.
Luminant
Yes
Luminant agrees with the concept of reducing reporting requirements, but asks the SDT to go even further. In
the concept paper, the SDT discussed that information would not be duplicated on the NERC report and the
DOE OE-417 report. The concept paper described a process where one report would simply supplement the
other, but two reports would still be filed when required. Can the NERC SDT work with the DOE to develop
one report to meet the needs of NERC and the DOE?
Response: The DSR SDT thanks you for your comment. We will consult with the DOE to see if one report will meet the reporting needs for NERC
and the DOE. NERC reliability needs will take precedence.
Bonneville Power Administration
Yes
Minimizing the number of reports is a good thing. The concept of actually sharing information should be
utilized as much as practical.
Response: The DSR SDT thanks you for your comment.
Oncor Electric Delivery Company
LLC
Yes
Oncor agrees that this effort should eliminate file duplication.
Response: The DSR SDT thanks you for your comment.
Bandera Electric Cooperative,
Inc.
Yes
One can only assume the number of reports required in this area will continue to increase in terms of scope
and to which agency wants this data. The SDT is encouraged to attempt to find a reporting format and scope
that does not needlessly duplicate or complicate overall reporting obligations.
Response: The DSR SDT thanks you for your comment. We will consult with the DOE and FERC to see if one report will meet the reporting needs
for NERC, FERC and the DOE. NERC reliability needs will take precedence.
Portland General Electric
Yes
PGE supports reducing the duplication of reporting.
Response: The DSR SDT thanks you for your comment.
Dynegy Inc.
Yes
Short and simple should be the goal.
Response: The DSR SDT thanks you for your comment.
Duke Energy
Yes
Since the OE-417 is a DOE required report, it must be submitted. Including the OE-417 as part of the NERC
electronic form will facilitate reporting to NERC.
Response: The DSR SDT thanks you for your comment. We will consult with the DOE to see if one report will meet the reporting needs for NERC
and the DOE. NERC reliability needs will take precedence.
Central Lincoln
Yes
The existing reporting is needlessly complex. We appreciate the SDT’s goal.
Response: The DSR SDT thanks you for your comment.
Public Service Enterprise Group
Companies
Yes
The PSEG Companies agree with the avoidance of duplicate reports. NERC report forms should not include
anything in the DOE form, and NERC Regional report forms should not include anything in the DOE or NERC
forms. Hence, a DOE report should not "supplement" a NERC form, but rather replace it unless the NERC
form calls for other information for the same reportable incident, and likewise for the DOE - NERC - Regional
form structure. DOE forms would be filed with DOE, NERC and the Regional Entity where the event
originated. NERC forms would be filed with NERC and the region where the event originated and the
Regional form filed only with the Region. In designing the NERC and Regional forms, the need to file multiple
reports should be minimized, and in no event should any of the three (DOE, NERC, Region) forms contain
duplicative information requests.
Response: The DSR SDT thanks you for your comment. We will consider your comment in the development of the reporting structure / forms.
Manitoba Hydro
Yes
This could be easily incorporated into the electronic form. You could be prompted for information required
immediately, and notified for information that could be entered later. This form could contain all the enterable
data that all agencies could require. If the form is live and on line, all entities could be notified (depending on
the entries) of an ongoing event immediately. Form could be web based similar to ARS program or even
integrated into the ARS program.
Response: The DSR SDT thanks you for your comment. We will consider your comment in the development of the reporting structure / forms.
FirstEnergy
Yes
We agree that the simplification and consistency of reporting will improve the reporting of this information. We
support the drafting team's efforts in this area and hope that all regulatory agencies will as well. However, as
we have mentioned in our other comments, the reporting requirements should not be in a reliability standard
unless they are proven to be necessary to maintain an Adequate Level of Reliability of the BES. Reporting of
these events should be required by NERC in arenas outside of the standards.
Response: The DSR SDT thanks you for your comment. The information provided in the reports is either used after the fact for analyses or used to
maintain situational awareness, and is needed for reliability.
MRO's NERC Standards Review
Subcommittee
Yes
We agree with the concept to eliminate duplicate reports. However, we are concerned with the reference of
the DOE OE-417 report being a “supplement” of the NERC report rather than “accepted” as the NERC report.
Response: The DSR SDT thanks you for your comment. Future NERC reliability reporting needs may not totally align with DOE report information.
Therefore, the OE-417 report would not necessarily substitute for the NERC report. The DOE Reporting Form OE-417 is currently mandatory by Public
Law for US entities.
Hydro-Québec TransEnergie
(HQT)
Yes
We agree with the objective of eliminating duplicate reporting. However, EOP-004 currently allows
substitution of DOE OE-417 in place of the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report. As suggested in the Concept Paper, entities meeting the criteria of OE-417 are still
obligated to file a report with DOE. Given that and the fact that CIP-001 requires no actual reporting, it is not
clear where duplication exists today. We agree with the recommendation to eliminate the need for filing
duplicate reports such as the DOE form OE-417. There is no benefit with regard to CIP-001 in filing
separate reports. Duplicate reports introduce the potential for incomplete information to be supplied to
responsible parties.
Removing jurisdictional agencies from the Standard, and having NERC provide either query or situational
awareness to those agencies being considered, might not be easy to achieve. There is an obligation under
law to require entities to report to the DOE on the OE-417 form as amended or modified. This might drive the
“omitted” agencies to have reporting laws enacted as well.
Northeast Power Coordinating
Council
Yes
We agree with the objective of eliminating duplicate reporting. However, EOP-004 currently allows
substitution of DOE OE-417 in place of the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report. As suggested in the Concept Paper, entities meeting the criteria of OE-417 are still
obligated to file a report with DOE. Given that and the fact that CIP-001 requires no actual reporting, it is not
clear where duplication exists today. We agree with the recommendation to eliminate the need for filing
duplicate reports such as the DOE form OE-417. There is no benefit with regard to CIP-001 in filing
separate reports. Duplicate reports introduce the potential for incomplete information to be supplied to
responsible parties.
Removing jurisdictional agencies from the Standard, and having NERC provide either query or situational
awareness to those agencies being considered, might not be easy to achieve. There is an obligation under
law to require entities to report to the DOE on the OE-417 form as amended or modified. This might drive the
“omitted” agencies to have reporting laws enacted as well.
Response: The DSR SDT thanks you for your comment. The DSR SDT has discussed the possibility of consolidating CIP-001 and EOP-004 to create a
single reporting standard. FERC directives require modifications to the standards which also may impose additional reporting requirements (see
paragraph 470 of Order 693).
We concur with your comments regarding the legal obligations to submit certain reports. The DSR SDT is attempting to consult with appropriate
governmental agencies to address this.
BGE
Yes
We agree with this approach, as long as the latest version of the DOE OE-417 form is fully incorporated in the
new single-reporting form, so that it maintains its credibility with the DOE.
Response: The DSR SDT thanks you for your comment. The intent is to maintain credibility with the DOE reporting requirements.
Independent Electricity System
Operator
Yes
We support this concept since it works well for those entities that are not required to file reports with the US
agencies, e.g. the DOE.
Response: The DSR SDT thanks you for your comment.
Electric Market Policy
Yes
Yes, we agree with the objective of eliminating duplicate reporting; however, EOP-004 currently allows
substitution of DOE OE-417 in place of the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report. As suggested in the Concept Paper, entities meeting the criteria of OE-417 are still
obligated to file a report with DOE. Given that and the fact that CIP-001 requires no actual reporting, it is not
clear where duplication exists today.
Response: The DSR SDT thanks you for your comment. The DSR SDT has discussed the possibility of consolidating CIP-001 and EOP-004 to create a
single reporting standard. FERC directives require modifications to the standards which also may impose additional reporting requirements (see
paragraph 470 of Order 693).
5. In its discussion concerning sabotage, the DSR SDT has determined that the spectrum of all
sabotage-type events is not well understood throughout the industry. In an effort to provide clarity
and guidance, the DSR SDT developed the concept of an impact event. By developing impact events,
it allows us to identify situations in the “gray area” where sabotage is not clearly defined. Other
types of events may need to be reported for situational awareness and trend identification. Do you
agree with this concept? Please explain your response (yes or no) in the comment area.
Summary Consideration: The majority of stakeholders agreed with the concept of impact events. Some stakeholders felt
that the introduction of impact events increased the risk that some items will go unreported. However, most felt that impact
events would dramatically increase the number of reports being submitted, and it would be difficult to separate important
information from background noise. Several respondents felt that the SDT ignored the FERC Directive, and did not define
sabotage and provide guidance as to the triggering events that would cause an entity to report a sabotage event. Many
respondents supplied the SDT with their own definition of “Sabotage”. The DSR SDT believes that the concept of impact events
and the specificity of what needs to be reported in the standard will be an equally efficient and effective means of addressing
the FERC directive regarding sabotage. Some stakeholders felt that impact events add another layer of uncertainty to the
reporting. Even with the switch from sabotage to impact events, several felt that “intent” was still key to determining
reportability.
Organization
Yes or No
Question 5 Comment
ERCOT ISO
ERCOT ISO recognizes the risks associated with “gray areas” not being clarified. While “gray areas” pose
compliance risk due to differing interpretations, a risk remains that some items will go unreported. A more
prescriptive approach raises an even greater risk of events not being reported. People will not report events
that are not specifically listed, and will not use judgment in determining the need for reporting.
Response: The DSR SDT thanks you for your comment. We agree that a more prescriptive approach could pose greater risks but we will attempt to
clarify and define an approach to assist the industry and stakeholders for reporting impact events.
Constellation Power Source
Generation
No
Although defining an impact event would bring clarity to defining sabotage events, adding another situation
would further complicate things. Furthermore, the examples of impact events used all fall under the Sabotage
category in the Threat and Incident Reporting Guideline. Constellation Power Generation suggests the SDT
further clarifies the items in the Sabotage category to ensure all grey area situations are included. Clarification
is also needed in how a Cyber Security Incident (CIP-008) would map into the categories of
Disturbance/Impact Events (CIP-001). To that point, Constellation Power Generation questions whether cyber
related incidents should fall under the spectrum of sabotage type events, or remain separate and be
incorporated in the CIP revisions. Having cyber related incidents separate from other sabotage events would
provide the clarity and guidance that the DSR SDT is striving to achieve.
Response: The DSR SDT thanks you for your comment. We are suggesting the term “Impact Event” be substituted to include all events that would
impact the reliability of the BES. Events now included in reporting requirements that do not impact the reliability of the BES would be excluded from
the reporting unless the DSR SDT clarifies why it should be included and under what specific instances or examples.
Duke Energy
No
As FERC ordered in Order No. 693, the drafting team should further define sabotage and provide guidance as
to the triggering events that would cause an entity to report a sabotage event. Suggested definition:
“Sabotage - the malicious destruction of, or damage to assets of the electric industry, with the intention of
disrupting or adversely affecting the reliability of the electric grid for the purposes of weakening the critical
infrastructure of our nation.”
Response: The DSR SDT thanks you for your comment. The DSR SDT struggles with terms that deal with determining “intent” which may not be
determined until after a lengthy investigation. We will continue to discuss for inclusion in a future draft of this project. The DSR SDT believes that the
concept of impact events and the specificity of what needs to be reported in the standard will be an equally efficient and effective means of addressing
the FERC directive regarding sabotage.
Kootenai Electric Cooperative
No
Impact events seems to add another layer of uncertainty to the reporting. Define a transmission line. Our
transmission lines have very little impact on the grid. It is possible for our lines to cause a local area outage
on our transmission provider - but neither is of national security interest or even regional interest. There is no
power flow going on across the lines other than local power delivery supply. It seems you run more risk of
losing the important reports in the snow of reporting - similar to what we have to avoid on our SCADA
systems for our operators to see the key information.
Response: The DSR SDT thanks you for your comment. The DSR SDT understands your concern and this was discussed a great deal. It is our belief
that criteria of the “impact events” to be reported will be properly defined and discriminated from local events that have no impact on the reliability of
the BES.
SERC Reliability Coordinator
Sub-committee (RCS)
No
Impact events that do not affect reliability should not be reported.
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees but a balance must be further explored to meet industry and regulatory
requirements specifically under FERC Order 693.
Luminant
No
Luminant would prefer to report disturbances and sabotage events. The reporting of impact events could lead
to unnecessary reporting. A definition of an “impact event” may be even more confusing than sabotage
events.
Response: The DSR SDT thanks you for your comment. The DSR SDT understands your concern and this was discussed a great deal. It is our belief
that criteria of the “impact events” to be reported will be properly defined and discriminated from local events that have no impact on the reliability of
the BES. We are suggesting the term “Impact Event” be substituted to include only events that would impact the reliability of the BES. Events now
included in reporting requirements that do not impact reliability of the BES would be excluded from the reporting unless the DSR SDT clarifies why it
should be included and under what specific instances or examples.
Orange and Rockland Utilities,
Inc.
No
Physical and cyber events must be investigated before a determination of sabotage or impact event can be
made. Impact events should define or clarify the circumstances that would or could affect reliability.
Reportable items should be based on impact to reliability, not on ‘newsworthy’ events or to gather information
for trending. It is the law enforcement industry’s responsibility to make a determination of “sabotage” or other.
This determination cannot definitively be made by industry (operating) personnel. If NERC's definition is
expanded for CIP-001 and/or EOP-004, responsibility and timing of reporting needs to be addressed so that
appropriate agencies conduct the investigation and assessment. Operating personnel need to remain focused
on the primary responsibility of mitigating the effects.
Response: The DSR SDT thanks you for your comment. The DSR SDT struggles with terms that deal with determining “intent” which may not be
determined until after a lengthy investigation. We will continue to discuss these ideas for inclusion in a future draft of this project. Timing of the
reporting process will be further clarified based upon your comments and those in the industry that have voiced similar concerns.
MRO's NERC Standards Review
Subcommittee
No
Rather than attempting to define a new term (impact event), we suggest that the concept of impact event be
replaced with further defining sabotage and providing guidance on trigger events (impact event) that would
cause an entity to report.
Response: The DSR SDT thanks you for your comment. We will continue to discuss the FERC “Clarification of sabotage” directive and seek further
guidance to meet this directive. The term sabotage has created conflict in its meaning among stakeholders as to when it's determined and by whom
and how long an investigation would take to make that call on the intent of the saboteur. The DSR SDT is reviewing what a reportable disturbance
actually is and sabotage may be a sub component of a reportable disturbance event.
Lands Energy Consulting
No
The level of complexity described will overwhelm the 20-200 employee utilities that have yet to see - and will
never see - the kind of sabotage event that scares the Department of Homeland Security.
Response: The DSR SDT thanks you for your comment. The DSR SDT does not intend for the reporting of impact events to overwhelm smaller
entities. If events do not affect the reliability of the BES, then it is our intent that they will be excluded from reporting requirements under our
proposal. We will attempt to clarify and define an approach to assist the industry and stakeholders for reporting impact events. FERC cautioned the
industry that acts of sabotage may be “tested” on smaller entities and ultimately on larger entities.
ISO RTO Council Standards
Review Committee
No
The nature of the fact that “gray areas” exists preclude the idea of using a standard to report; particularly a
standard for the vague topic of motivation such as sabotage events and the more defined disturbance events.
Response: The DSR SDT thanks you for your comment. We will attempt to clarify and define an approach to assist the industry and stakeholders for
reporting impact events.
Edison Mission Marketing &
Trading
No
There are too many special circumstances to try and capture. I feel this would be best delivered as a
guideline.
Response: The DSR SDT thanks you for your comment. We are suggesting the term “Impact Event” be substituted to include only events that would
impact the reliability of the BES. Events now included in reporting requirements that do not impact reliability of the BES would be excluded from the
reporting unless the DSR SDT clarifies why it should be included and under what specific instances or examples.
Exelon
No
We agree with the direction to identify impact events examples that would trigger reporting and not be limited
to sabotage reporting only. It is important to note that when an incident occurs, some level of investigation is
required before a determination can be made as to whether the event is sabotage or not. The focus should be on
reporting events when they occur and allow follow-up investigations to make the sabotage determination.
That being said, care must be taken in the development of any list of impact events so that it doesn’t become
or is misinterpreted to be a definitive list. Therefore if it is not on the list, it is not reportable.
Response: The DSR SDT thanks you for your comment. We concur and plan to allow reports to be submitted, edited and re-submitted in the one-stop-shopping reporting tool. We are suggesting the term “Impact Event” be substituted for sabotage and include only events that would impact the
reliability of the BES. Events now included in reporting requirements that do not impact reliability of the BES would be excluded from the reporting
unless the DSR SDT clarifies why it should be included and under what specific instances or examples.
Midwest ISO Standards
Collaborators
No
We agree with the idea of identifying impact events but do not support the requirement for these to be always
reported through the hierarchical structure identified in question 2. If an impact event only affects one entity,
that entity should have the reporting requirement.
Response: The DSR SDT thanks you for your comment. The DSR SDT will continue to explore the benefits and weaknesses of the hierarchy reporting
structure.
Hydro-Québec TransEnergie
(HQT)
No
We believe that physical and cyber events must be investigated before a determination of sabotage or impact
event can be made. The purpose of the NERC Standards is to maintain the reliability of the BES. Therefore,
impact events should define or clarify the circumstances that would or could affect reliability. Reportable
items should be based on impact to reliability, not on ‘newsworthy’ events or to gather information for
trending. It is the law enforcement industry’s responsibility to make a determination of “sabotage” or other.
This determination cannot definitively be made by industry personnel, there is no expertise or time to
investigate causes. It is the industry’s job to mitigate effects. Examples would help provide for better
guidance/direction. Industry examples would be welcomed to help reinforce developed internal processes for
compliance.
Northeast Power Coordinating
Council
No
We believe that physical and cyber events must be investigated before a determination of sabotage or impact
event can be made. The purpose of the NERC Standards is to maintain the reliability of the BES. Therefore,
impact events should define or clarify the circumstances that would or could affect reliability. Reportable
items should be based on impact to reliability, not on ‘newsworthy’ events or to gather information for
trending. It is the law enforcement industry’s responsibility to make a determination of “sabotage” or other.
This determination cannot definitively be made by industry personnel, there is no expertise or time to
investigate causes. It is the industry’s job to mitigate effects. Examples would help provide for better
guidance/direction. Industry examples would be welcomed to help reinforce developed internal processes for
compliance.
Response: The DSR SDT thanks you for your comment. The DSR SDT struggles with terms that deal with determining “intent” which may not be
determined until after a lengthy investigation. We will continue to discuss issues with sabotage for inclusion in a future draft of this project. Timing of
the reporting process will be further clarified based upon your comments and those in the industry that have voiced similar concerns.
American Electric Power
Yes
Calpine Corp.
Yes
PacifiCorp
Yes
Platte River Power Authority
Yes
Central Lincoln
Yes
An act of vandalism may have impact. An act of sabotage may not be impactful alone, but may be part of a
wider coordinated attack. Dictionary definitions speaking of “intent” are not helpful in this regard, since acts of
vandalism and sabotage are both generally committed intentionally. Saboteurs, though, work for a higher
cause. That cause may be political, social, environmental, etc. We ask that the SDT look beyond dictionary
definitions in developing a definition of sabotage.
Response: The DSR SDT thanks you for your comment. The DSR SDT struggles with terms that deal with determining “intent”. The term sabotage has
created conflict in its meaning among stakeholders as to when it's determined and by whom and how long an investigation would take to make that call
on the intent of the saboteur. We will strive to meet this challenge with the input on the right language from government agencies and industry
experience expertise.
Bonneville Power Administration
Yes
BPA agrees with providing an industry-wide definition and guideline. We do NOT agree with requiring reports
for every instance of every activity. If your definition is good, you’ll get what is needed and not much chaff.
Response: The DSR SDT thanks you for your comment.
Central Hudson Gas & Electric
Yes
Central Hudson agrees with this concept, particularly if the reporting hierarchy through the RC is implemented
in order to better identify trends.
Response: The DSR SDT thanks you for your comment. The DSR SDT will continue to explore the benefits and weaknesses of the hierarchy reporting
structure.
Wolverine Power Supply
Cooperative, Inc.
Yes
I agree with the concept of focusing on impact instead of the type of event (sabotage, accident, vandalism,
etc.). I hope that the reporting proposal that comes out of this project will clearly make a separation between
true impact events that must be reported per the standards (enforceable), vs. "other" information that may be
(electively - not enforceable) reported, per some set of guidelines.
Response: The DSR SDT thanks you for your comment. We agree reportable items should be based on impact to reliability and with other
commenters that expressed a desire to avoid reporting on ‘newsworthy’ events but to gather meaningful information for trending. We are suggesting
the term “Impact Event” be substituted for sabotage to include only events that would impact the reliability of the BES.
Bandera Electric Cooperative,
Inc.
Yes
In principle, I agree with this concept. Would like for the SDT to pursue this further and seek additional
comments at that time.
Response: The DSR SDT thanks you for your comment. We will seek further comments on the concept and will prepare the beginnings of the first
draft soon.
Oncor Electric Delivery Company
LLC
Yes
Oncor agrees that there are no broadly used guidance documents that detail how an event may be accurately
defined.
Response: The DSR SDT thanks you for your comment. We agree that further industry guidance of a clear and understandable standard should be
sought under the new Results Based approach. We will attempt to clarify and define an approach to assist the industry and stakeholders in reporting
impact events.
Portland General Electric
Yes
PGE supports the DSR SDT's efforts to bring clarity and guidance to the spectrum of sabotage-type events.
Response: The DSR SDT thanks you for your comment.
FirstEnergy
Yes
The concept paper makes good progress in this area and the drafting team is on the right track, and agree
that better clarity needs to be developed surrounding sabotage events. However, some of the examples
stated in the paper are too vague and do not address extenuating circumstances or reasons for the events.
One example cited in the paper is "Bolts removed from transmission line structures." This statement may
be too broad. For instance, if the bolts are removed from the tower and the organization is not experiencing a
labor dispute, it could be considered a sabotage event with wide area implications. However, if the
organization is in the middle of a labor dispute, this would be vandalism and would most likely not be of a
wide area concern. Also, the number and location of towers affected could be an important determination
related to the risk the event imposes on the Bulk Electric System.
Response: The DSR SDT thanks you for your comment. We concur with your comments that the number and location of the towers affected may have
a “local” vs “wide area” concern. However, under the “impact event” reporting that we are proposing, both scenarios above should be reported as
impact events as long as it affects the BES.
Public Service Enterprise Group
Companies
Yes
The PSEG Companies agree with the concept, but reserve judgment on the descriptions of the impacts.
There is clearly a need to better define what constitutes a sabotage incident versus common theft or
vandalism. Moreover, where it may be impossible to determine if any given incident (e.g., several loose bolts
on a transmission tower cross brace could be sabotage or could be human error in construction) falls within
sabotage, a registered entity should not be second guessed in an audit if the registered entity determines not
to report. Excessive unnecessary reporting can mask real incidents.
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees with clearly defining a reportable impact versus common theft. Concern
over reporting an incident and the audit process are within the discussions of the DSR SDT and will be fully explored to assist with the 1st Draft. The
ability to identify trends could be very important compared to isolated incidents that do not impact the BES. Every effort to explore this balance of
reporting will be taken into account.
SPS Consulting Group Inc.
Yes
The term sabotage was always too narrow a concept for the standards. At times, questionable activities are
not confirmed as sabotage events until well after the fact, forcing the registered entity to speculate on whether
or not to report an activity that may not be a confirmed sabotage event at the time, and hence encounter
another silly violation based on imprecise terminology.
Response: The DSR SDT thanks you for your comment. We are suggesting the term “Impact Event” be substituted to include all events that would
impact the reliability of the BES. Events now included in reporting requirements that do not impact reliability of the BES would be excluded from the
reporting unless the DSR SDT clarifies why it should be included and under what specific instances or examples. Tightening the reporting criteria of
impact events could possibly address the concern expressed by a “violation based on imprecise terminology.”
USBR
Yes
There should be a clear distinction between a cyber event and a cyber event that has a material impact on the
reliability of the bulk electric system. Not all CIP-008 events will carry such a distinction. That being said,
CIP-008 cannot be completely incorporated in this process. Denying access to a cyber asset is noteworthy under
CIP-008 but may not pose a threat to the reliability of the bulk electric system. Consider recognizing the impact
on the bulk electric system when modifying definitions of adding the bulk electric system description to the
definitions. This will help to clarify that disturbances, as discussed in this effort, are situations that produce an
abnormal condition on the electric power system, not necessarily on ancillary or supporting systems, such as
SCADA systems or the water-related systems at hydroelectric dams.
Response: The DSR SDT thanks you for your comment. We are suggesting in our discussion to consolidate the location of reporting into one
standard. The industry has demonstrated by comments that it favors streamlining the reporting process to achieve a “one stop shop” approach. We
will continue to explore the possibilities to achieve the best results for all stakeholders. A discussion of advantages /disadvantages will continue to
discover options and alternatives with input from all stakeholders.
Western Electricity Coordinating
Council
Yes
This will help eliminate regional differences in sabotage reporting. The definition should be broad enough so
it covers new types of sabotage that may evolve. Event analysis facilitates situational awareness and if it
requires further investigation regarding developing patterns and severity, it should be handled by law
enforcement if need be.
Response: The DSR SDT thanks you for your comment. The DSR SDT will continue to explore the “Impact Event” definition to allow for new types of
events. Event analysis is clearly a goal of reporting as is situational awareness and hopefully this project will enhance the understanding and clearly
define obligations to all stakeholders.
Manitoba Hydro
Yes
Though there are some specific events already included in this new definition, more could be added to
dissolve specific “gray areas” and as new ones come up. Again these examples could be added into the
electronic form and could contain a large data base which would be available depending on the event that
occurred.
Response: The DSR SDT thanks you for your comment.
BGE
Yes
We agree that "the spectrum of all sabotage-type events is not well understood throughout the industry";
however, we feel that the proposed concept of an "Impact Event" falls short of clarifying what constitutes such
events. We believe that "Impact Events" needs further clarification to eliminate "gray areas" and to provide
more reporting consistency between entities.
Response: The DSR SDT thanks you for your comment. The DSR SDT will continue to clarify the impact events concept and eliminate “gray areas”
while including language to give clarity to the reporting process.
Dynegy Inc.
Yes
We agree with the concept but please provide specific examples. Also, please consider whether there are
any penalties for misinterpreting an incident, who would determine if an event was a threat, and whether this
could result in over reporting non-threats.
Response: The DSR SDT thanks you for your comment. The DSR SDT may include specific examples of impact events and types of reportable events
in the 1st draft of the standard (or in supplemental guidance) to help illustrate reportable criteria.
Consumers Energy Company
Yes
We agree with the concept, however, based on the information provided, it may be too vague to be of value.
Terms such as “potential” and “significant” can be subjective and therefore provide little direction. We would
like to see something more specific. Also, inclusion of the destruction of BES assets may be too inclusive and
needs to be restricted to BES assets that will cause a specific level of impact on reliability.
Response: The DSR SDT thanks you for your comment. The DSR SDT struggles with terms that deal with determining “potential” and “significant”.
Specific examples of criteria are being explored and discussed. We will strive to meet this challenge with the input on the right language from
government agencies and industry experience expertise. Your suggestion of restricting to BES assets that will cause a specific level of impact on
reliability will be discussed with the DSR SDT.
Independent Electricity System
Operator
Yes
We agree with the general concept. However, we suggest that the classification of “events” to be compatible if
not identical to those which need to be reported in real time as required in CIP-001, for otherwise it will create
confusion and unnecessary, extra work. Also, this proposal appears to focus on the sabotage-type events
only but the SAR deals with both sabotage and other disturbances (e.g. emergency type of events) reporting.
A parallel type of “impact event” is needed for non-sabotage-type of events.
Response: The DSR SDT thanks you for your comment. The DSR SDT notes that impact events include both sabotage and non-sabotage types of
events and these events include CIP-001 events.
Electric Market Policy
Yes
We believe that physical and cyber events must be investigated before a determination of sabotage or impact
event can be made.
Response: The DSR SDT thanks you for your comment. We agree that sabotage requires investigation. The term “impact event” was developed to
allow immediate reporting of events based on impact to the BES rather than intent.
We Energies
Yes
We would prefer to refer to all sabotage, vandalism, cyber attacks, and other criminal behavior as impact
events. Focusing more on the event's impact on reliability and its ramifications on the systems seems to be
more useful than to try to determine the intent of the perpetrator.
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees with your assessment and will pursue the clarity and criteria examples
to achieve reporting.
6. If you are aware of any regional reporting requirements beyond the scope of CIP-001, CIP-008 and
EOP-004 please provide them here.
Summary Consideration: Several commenters provided information on regional reporting. The SDT will consider whether
these should be included in the continent-wide standard. These include:
1. NPCC maintains a document and reporting form (Document C-17 - Procedures for Monitoring and Reporting Critical
Operating Tool Failures) that outlines the reporting requirements, responsibilities, and obligations of NPCC Reliability
Coordinators in response to unforeseen critical operating tool failures.
2. For other events that do not meet the OE-417 and EOP-004 reporting criteria, ReliabilityFirst expects to receive notification
of any events involving a sustained outage of multiple BES facilities (buses, lines, generators, and/or transformers, etc.)
that are in close proximity (electrically) to one another and occur in a short time frame (such as a few minutes).
3. WECC sets its loss of load criteria for disturbance reporting at 200 MW rather than the 300 MW in the NERC reporting form.
4. SERC and RFC are developing additional requirements at this time.
5. We suggest that reporting be based on impact to reliability, not on ‘newsworthy’ events. We therefore do not agree with
such regional efforts and would prefer a continent wide reporting requirements.
6. MISO RC (MISO OP-023) and RFC (PRC-002-RFC-01).
Organization
Central Hudson Gas & Electric
Question 6 Comment
Although not beyond the scope of these standards, NPCC maintains a document and reporting form (Document C-17 - Procedures for Monitoring and Reporting Critical Operating Tool Failures) that outlines the reporting requirements,
responsibilities, and obligations of NPCC RCs in response to unforeseen critical operating tool failures.
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard.
Exelon
At the 2010 RFC Spring Workshop the following disturbance reporting Criteria was rolled out: All events that are required to
be reported by the OE-417 and EOP-004 criteria will use those published procedures. For other events that do not meet the
OE-417 and EOP-004 reporting criteria, ReliabilityFirst expects to receive notification of any events involving a sustained
outage of multiple BES facilities (buses, lines, generators, and/or transformers, etc.) that are in close proximity (electrically)
to one another and occur in a short time frame (such as a few minutes).
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard.
Lands Energy Consulting
I believe WECC sets its loss of load criteria for disturbance reporting at 200 MW rather than the 300 MW in the NERC
reporting form.
Response: The DSR SDT thanks you for your comment. The DSR SDT will consider regional criteria when developing reporting thresholds.
Edison Mission Marketing &
Trading
I don't know of any.
Orange and Rockland Utilities,
Inc.
NERC's SDT effort requires a clear, consistent, and comprehensive continent-wide approach, thus mitigating any need for
regional reporting requirements.
Response: The DSR SDT thanks you for your comment. The DSR SDT feels in many instances that region specific standards may be needed.
However, the SDT will provide a clear reporting standard that can be consistently followed continent-wide.
MRO's NERC Standards Review
Subcommittee
No Comment.
Duke Energy
None
Bandera Electric Cooperative,
Inc.
No.
Manitoba Hydro
No. CIP-001 contains references to NERC and the DOE. CIP-008 makes exclusions for facilities regulated by US Nuclear
Regulatory Commission and Canadian Nuclear Safety Commission. It also contains references to ES ISAC (Electricity
Sector Information Sharing and Analysis Center). EOP-004 contains reference to NERC and DOE. There is no reference to
Homeland Security, FBI, etc or to Canadian equivalent references in any of these Standards. When NERC is notified of an
event, it is likely other organizations will have to be notified. There should be some sort of consistency to cover all these
Standards and all notifiable parties at a NERC Standards level.
Response: The DSR SDT thanks you for your comment. The DSR SDT absolutely understands your provided comment and have had detailed
conversations surrounding “who” should be notified and “when”. Most importantly, a level of consistency should exist when reporting disturbances
and sabotage events negatively impacting the BES.
Oncor Electric Delivery Company
LLC
Oncor is not aware of any regional reporting requirements beyond the scope of CIP-001, CIP-008 and EOP-004.
Response: The DSR SDT thanks you for your comment.
Dynegy Inc.
Please consider MISO RTO-OP-023.
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard. Please provide a copy of the subject document.
Electric Market Policy
Hydro-Québec TransEnergie
(HQT)
SERC and RFC are developing additional requirements at this time. We suggest that reporting be based on impact to
reliability, not on ‘newsworthy’ events. We therefore do not agree with such regional efforts and would prefer a continent
wide reporting requirements.
Northeast Power Coordinating
Council
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard.
Public Service Enterprise Group
Companies
The PSEG Companies believe that RFC is developing a regional disturbance reporting requirement for events not meeting
the criteria of current DOE and NERC reports.
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard.
Western Electricity Coordinating
Council
There is a need to learn what reporting requirements are required by the Mexican and Canadian entities.
Response: The DSR SDT thanks you for your comment. The DSR SDT is comprised of international members and we are currently researching
requirements that Mexico and Canada may have.
SERC Reliability Coordinator
Sub-committee (RCS)
We are not aware of any regional reporting requirements beyond the requirements of CIP-001, CIP-008 and EOP-004.
However, the SERC RRO has shared a list of events of interest that it would like to be made aware of to maintain situation
awareness.
Response: The DSR SDT thanks you for your comment. The DSR SDT feels there will always be a need for the Regional Entities to be kept aware of
certain “hot topic” issues. However, it is the SDT’s intent to provide clear and concise reporting requirements for events impacting the BES.
BGE
We are not aware of any regional requirements beyond the scope of CIP-001, CIP-008 and EOP-004.
Response: The DSR SDT thanks you for your comment.
We Energies
What is meant by beyond the scope of the referenced standards? We Energies also has reporting obligations with the
MISO RC (MISO OP-023), RFC (PRC-002-RFC-01), and the Wisconsin and Michigan Public Service Commissions.
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard. Please provide a copy of the subject reporting requirements for the SDT to review.
7. If you have any other comments on the Concepts Paper that you haven’t already provided in
response to the previous questions, please provide them here.
Summary Consideration: Several stakeholders provided comments in this section. Some stakeholders suggested that the
SDT has gone beyond its approved scope to “further define sabotage and provide guidance as to the triggering events that
would cause an entity to report a sabotage event.” Further, there is no requirement to create a Reporting Standard to define
sabotage. The SDT contends that the development of impact events and the reporting requirements for them will provide the
clarity sought in the directive.
Other stakeholders suggested that the SDT should seek to retire sanctionable requirements that require event reporting in
favor of guidelines for reporting.
Several commenters suggested that the introduction of impact events actually expands the reporting requirements. It should
be noted that the list of impact events is expected to be explicit as to who is to report what to whom and within certain
timelines.
Several stakeholders provided input as to what they believed an electronic reporting tool should contain:
1. If the decision is made to go to a single reporting form, it should be developed to cover any foreseeable event.
2. The SDT should work toward a single form, located in a central location, and submitted to one common entity (NERC).
3. Reports should be forwarded to the ES-ISAC, not NERC, as the infrastructure is already in place for efficient sharing with
Federal agencies, with the regional entities and with neighboring asset owners. Reports should flow to all affected entities
in parallel, rather than series (timing issues).
Commenters also suggested that the SDT should consider the impacts of the reporting requirements on the small, and very
small utilities.
Organization
BGE
Question 7 Comment
1. If we move to a "one size fits all" single reporting form, it is important that the form be properly developed to cover any
foreseeable event, which appears to be the intent of the DSR SDT, as outlined on page 4 of the concept document. Such
an approach should also incorporate a single point of contact for reporting information, to avoid any confusion.
2. We would like clarification that any proposed CIP-008-related reporting requirement (including any linked reporting
requirement between CIP-008 and CIP-001) is only applicable in situations where the incident/event involves a registered
entity’s Critical Cyber Asset.
Response (Questions 3&6): The DSR SDT thanks you for your comment. The drafting team will explore clarification that any proposed CIP-008
related reporting requirement between CIP-008 and CIP-001 is only applicable where the incident/event involves a registered entity’s CCA. Note that
CIP-002 through CIP-009 are undergoing revision under project 2008-06 – Order 706 SDT. Note that the current CIP-008 has a reporting requirement
to the ES-ISAC only.
Electric Market Policy
a. NERC should focus efforts on developing specific event reporting criteria and not base the requirement on the definition
of the term ‘sabotage’ but on the reporting criteria itself.
b. The “opportunities for efficiency” discussed in the Concept Paper would be best achieved by focusing on those items
that are necessary to maintain the reliability of the Bulk Electric System. If there are elements that need to be reported
that do not support this objective, then that reporting should not be required in reliability standards.
Hydro-Québec TransEnergie
(HQT)
a. NERC should focus efforts on developing specific event reporting criteria and not base the requirement on the
definition of the term ‘sabotage’, but on the reporting criteria itself. See comments above.
b. The “opportunities for efficiency” discussed in the Concept Paper would be best achieved by focusing on those items
that are necessary to maintain the reliability of the Bulk Electric System. If there are elements that need to be
reported that do not support this objective, then that reporting should not be required in reliability standards. Consider
making NERC the distributor of reports to other agencies. We recognize that the key is to simplify reporting to a single
form, and to the extent possible, to one agency. “Front line” reliability personnel must have the “timely” knowledge to
know when a situation warrants local, area, regional, or national involvement. Finally, the SDT should keep in mind
the fact that Canadian stakeholders might have some difference in the way reports are made to Security Agencies.
Northeast Power Coordinating
Council
a. NERC should focus efforts on developing specific event reporting criteria and not base the requirement on the definition
of the term ‘sabotage’, but on the reporting criteria itself. See comments above.
b. The “opportunities for efficiency” discussed in the Concept Paper would be best achieved by focusing on those items
that are absolutely necessary to maintain the reliability of the Bulk Electric System. If there are elements that need to be
reported that do not support this objective, then that reporting should not be required in reliability standards. Consider
making NERC the distributor of reports to other agencies. We recognize that the key is to simplify reporting to a single
form, and to the extent possible, to one agency. “Front line” reliability personnel must have the “timely” knowledge to
know when a situation warrants local, area, regional, or national involvement.
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees to focus efforts to specific event reporting criteria. SDT believes that
by reporting material risks to the Bulk Electrical System using the impact event categorization it will be easier to get the relevant information for
mitigation, awareness, and tracking, not based on the requirement of defining “sabotage”. The SDT believes that it is the submitter’s responsibility
to submit OE-417 forms to the DOE, as stated by Public Law for US entities. The DSR SDT does recognize that it may not be possible to eliminate
reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
SPS Consulting Group Inc.
Again, please consider the unique scope of the entities to which these standards are to comply. Don't dump all the
requirements on all the applicable entities and perpetuate the current practice of forcing them to parse the requirements
into what is logical or illogical from their perspective. The drafting team should have the expertise to do this. Identify which
requirements apply to which applicable entity.
Response: The DSR SDT thanks you for your comment. The DSR SDT will take into consideration what registered entities and thresholds are to be
included in the revised standard(s) based on the SAR. The DSR SDT will establish the “requirements necessary for users, owners, and operators of
the Bulk-Power-System” as stated in FERC Order 693 and the difference in reporting of events on the BES, as stated in the Purpose statement of
EOP-004-1.
ERCOT ISO
All references to CIP-008 should be removed and we reassert that physical and cyber reporting should be separate. There
is documentation available from the CIPC that the drafting team considered CIP-001 related physical sabotage reporting
and specified cyber incident reporting requirements in CIP-008. ERCOT ISO requests the DSR SDT to continue to improve
its guidelines and to post those guidelines for all to use, but not to create sanctionable standards whose good intentions
could result in unintended adverse consequences for the Industry. ERCOT ISO also suggests that all reporting forms and
guidance should be located in a central, easily accessible location, eliminating confusion and simplifying reporting for system
operators thereby directly enhancing reliability during system events. The industry would benefit from a central location or
link on the NERC website containing all reporting forms.
Response: The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and ask the industry if the DSR SDT should
consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has not determined at this time what
bright line will be used for the yet to be drafted Standard(s). The DSR SDT will take into consideration your comment on keeping cyber and physical
events separate. We are suggesting in our discussion to consolidate the location of reporting into one standard. The industry has demonstrated
by its comments that it prefers that the reporting process be streamlined to achieve a “one stop shop” approach. We will continue to explore the
possibilities to achieve the best results for all stakeholders. A discussion of advantages /disadvantages will continue to discover options and
alternatives with input from all stakeholders.
Western Electricity Coordinating
Council
As stated previously, for "One stop shopping" we need "buy in" from the foreign nationals. The way to do this is to engage
their opinions and respect their jurisdictional agencies as well.
Response (Question 6): The DSR SDT thanks you for your comment. The DSR SDT does recognize that it may not be possible to eliminate reporting
to multiple jurisdictional agencies due to legislative or regulatory requirements. The SDT acknowledges that it is possible to consolidate various
reports that ask repetitive questions and through this process can work with foreign nationals to receive their “buy in” for a one report form for all
functional entities to submit to NERC.
MRO's NERC Standards Review
Subcommittee
Confusion often arises in the industry between the CIP standards and other reliability standards based on CIP-001 naming
convention. We would suggest the SDT retire CIP-001 and incorporate requirements within the EOP-004 standard or a
new EOP-xxx standard to avoid confusion rising from CIP and other NERC Reliability Standards. Additionally, we assume
the SDT has been created to specifically address FERC Order 693 directives to the ERO which appears to include the
following items:
1. Applicability - “possible revisions to CIP-001-1 that address our concerns regarding the need for wider application of the
Reliability Standard... the ERO should consider whether separate, less burdensome requirements for smaller entities may
be appropriate” (FERC, 2007, para. 460).
2. Definition of Sabotage - “we direct that the ERO further define the term and provide guidance on triggering events that
would cause an entity to report an event... we believe the term sabotage is commonly understood and that common
understanding should suffice in most instances... the ERO should consider FirstEnergy’s suggestions to differentiate
between cyber and physical sabotage and develop a threshold of materiality.” (FERC, 2007, para. 461-462)
3. Periodic Review and Testing - “directs the ERO to incorporate a periodic review or updating of the sabotage reporting
procedures and for the periodic testing of the sabotage reporting procedures.” (FERC, 2007, para. 466)
4. Redundant Reporting - “now direct the ERO to address our underlying concern regarding mandatory reporting of a
sabotage event... Regarding the potential for redundant reporting under CIP-001-1 and other government reporting
standards, and the need for greater coordination... We direct the ERO to explore ways to address these concerns including central coordination of sabotage reports and a uniform reporting format... with the appropriate governmental
agencies that have levied the reporting requirements.” (FERC, 2007, para. 468-469)
5. Specified Time - “the Commission directs the ERO to modify CIP-001-1 to require an applicable entity to contact
appropriate governmental authorities in the event of sabotage within a specified period of time... the ERO should consider
suggestions raised... to define the specified period for reporting an incident beginning from when an event is discovered or
suspected to be sabotage” (FERC, 2007, para. 470).
6. Summary of CIP-001-1 - “the Commission directs the ERO to develop the following modifications... (1) further define
sabotage and provide guidance as to the triggering events... (2) specify baseline requirements regarding... procedures for
recognizing sabotage events... (3) incorporate a periodic review... and for the periodic testing... (4) require an applicable
specified period of time. In addition... address our concerns regarding applicability to smaller entities... consolidation of the
sabotage reporting forms and the sabotage reporting channels with the appropriate governmental authorities to minimize
the impact of these reporting requirements on all entities.” (FERC, 2007, para. 471)
7. Analyze Performance - “at a minimum, generator operators and LSEs should analyze the performance of their
equipment and provide the data... The Commission directs the ERO to consider this concern in future revisions... that
includes any Requirements necessary for users, owners and operators... to provide data that will assist NERC” (FERC,
2007, para. 613, 617).
8. Reporting Time Frames - “The Commission directs the ERO to change its Rules of Procedures to assure that the
Commission also receives these reports within the same time frames as the DOE.” (FERC, 2007, para. 618)
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees with your comments to specifically address FERC Order 693
directives to the ERO and will determine a prudent course of action with respect to these standards and pursue the suggestion to retire CIP-001 and
incorporate requirements within the EOP-004 standard to avoid confusion rising from CIP and other NERC Reliability Standards.
Constellation Power Source
Generation
Constellation Power Generation would like clarification that any proposed CIP-008-related reporting requirement
(including any linked reporting requirement between CIP-008 and CIP-001) is only applicable in situations where the
incident/event involves a registered entity’s Critical Cyber Asset. In that vein, we want to emphasize the importance of the
DSR SDT working with the CIP SDT on the cyber related events. If the DSR SDT is going to be adding clarity to cyber
related events, then coordination with the CIP SDT is needed to ensure the same verbiage is being used. Furthermore,
having any duplication of requirements will cause a double jeopardy scenario which would go against the SAR for the
DSR SDT. As stated earlier, Constellation Power Generation also questions whether cyber related incidents should fall
under the spectrum of sabotage type events, or remain separate and be incorporated in the CIP revisions.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has
not determined at this time what bright line will be used for the yet to be drafted Standard(s). Note that CIP-002 through CIP-009 are undergoing
revision under project 2008-06 – Order 706 SDT.
We Energies
Give consideration to combining CIP-001 and EOP-004-1 through a common categorization. For example, “System Risk
Reporting” could encompass both actual and potential events and would minimize the need to cross reference both
standards, and provide one location for event and potential-event reporting. Much of the challenge in this project is in
achieving a common understanding of the words sabotage and terrorism. There are nuances of meaning in the words that
imply a relationship between the attacker and the victim, or a motive other than simple profit or mischief. This nuance of
meaning requires the victim of the damage to discern a relationship or motive which may not be discoverable in the
relatively brief time window during which the entity must report the event. In fact, they may never be known.
Consequently, We Energies recommends elimination of the words sabotage and terrorism from these standards. We also
recommend elimination of the word vandalism since it also implies an ability and duty to discern whether a particular act
(barbed wire thrown over transformer bushings) was done out of pure mischief (vandalism) or with intent to destroy
equipment for a political purpose (terrorism). And if the act was committed by a disgruntled employee, it becomes
sabotage. No wonder there is confusion and indecision. Instead, We Energies recommends using the simple words
“criminal damage”. One need not be a prosecuting attorney or FBI Special Agent to know what this means. Simply ask,
“Does it look like somebody damaged it (or hacked in) intentionally?” and, “Did we give consent?” and you’re done. With
elimination of sabotage, terrorism and vandalism, and all of their baggage, comes the ability to integrate both CIP 001 and
EOP 004. We now have criminal damage (or cyber attack) as just another event to be evaluated against certain predefined impact measures. No value judgments, no speculation. Another benefit of using these simple words and tests is
that operating personnel, whether in the field or at the console, will not require special awareness training in discerning
these nuances of meaning. They already have experience with the equipment or cyber systems and its normal
performance. Operating personnel can readily assess whether an impact event is due to equipment failure, weather or
animal contact vs. intentionally caused by a person. If it appears to be criminal damage, call the local police agency.
Report the event and the impact. Cooperate with the investigation. Share your knowledge of the normal condition of the
equipment or performance of the system. Share your experience with similar events. It will be important to highlight that
the theft of all the grounding pigtails in a substation is different from the act of simply snipping each of them to leave the
equipment electrically floating. The technical condition is the same, but this allows the police to make an inference with
respect to motive, suspect profile, sophistication, etc. That’s their job. They may ask us to speculate on the motive or
skills of the attacker. That's okay. But at least we don't have to know or guess at it for the purpose of determining whether
to report the event. No training required. With respect to notification to the FBI, We Energies recommends that the
standard merely state that the owner of the damaged asset ensure the local office of the FBI is notified. The standard
should permit documentation of either a direct phone call by the asset owner or obtaining an assurance from the local
police that they will do so. There should be no need to prove earlier establishment of a relationship with the FBI. There
should be no expectation that the entity have a signed letter from the FBI Special Agent in Charge acknowledging his
agency’s duty. This document means nothing. With respect to reporting within the industry, We Energies recommends
that the only events to be reported “up the chain” are those that we choose to characterize as “impact events”. That is, the
events that meet some measurable threshold with respect to BES impact. We should describe these efficiently to avoid
over-reporting of trivial events. It is apparent that we are already over-reporting since DHS HITRAC recently fed back to
the industry that copper thieves attacked a substation in San Bernardino, CA taking some of the grounding conductors.
The industry should have the option to report non-impact events that are unusual in some respect and which may have
some mutual industry benefit in terms of prevention, awareness or recovery. Attack attempts with no impact, or
observations of suspicious activity could fall into this optional category. These optional reports could be aggregated by the
entity for the purpose of detecting patterns or trends, or be reported ad hoc. The ES-ISAC should be the recipient of the
reports. It should be the single point of contact since it has the industry insight, engineering expertise and cross-sector
relationships to analyze and return valuable intelligence to the industry. With the ES-ISAC as the recipient of the reports,
efficient sharing with Federal agencies, with the regional entities and with neighboring asset owners could be automated
and rapid. There is much benefit to be gained from this project, primarily in the area of creating clarity and uniformity.
There is some risk that the reporting requirements will become onerous and prescriptive.
Response: The DSR SDT thanks you for your comment. The DSR SDT is proposing to consolidate disturbance and event reporting under a single
standard. The DSR SDT believes that reporting material risks to the Bulk Electrical System by using the impact event categorization, it will be easier
to get the relevant information for mitigation, awareness, and tracking, while removing the distracting element of motivation by the elimination of
the term “sabotage”. The intent is to allow potentially impacted parties to prepare for and possibly mitigate the reliability risk. The NERC Rules of
Procedure (section 800) provides an overview of the responsibilities of the ERO in regards to analysis and dissemination of information for
reliability. The SDT is proposing that the new standard specify who has access to reported information and who should be notified about impact
events, because agencies such as the DHS and FBI have other duties and responsibilities - an impact event that is related to copper theft may only
need to be reported to the local law enforcement authorities. The goal of the DSR SDT is to create clarity and uniformity by developing a single
reporting form for all functional entities without regard to nationality (US, Canada, Mexico) to submit to NERC with guidance. Ideally, entities would
complete a single form, which could then be distributed to jurisdictional agencies and functional entities as appropriate. The DSR SDT agrees with
your assessment that there should be no expectation that the entity have a signed letter from the FBI Special Agent.
Bandera Electric Cooperative,
Inc.
I commend the SDT for working on this effort and wish them success.
Response: The DSR SDT thanks you for your comment.
Public Service Enterprise Group
Companies
If reporting does become the responsibility of the Reliability Coordinators, the RCIS should be made available view-only to
registered entities with a notification when RC's have posted new entries. That will enhance the situational awareness of
registered entities.
The PSEG Companies disagree with inclusion of CIP-008 reporting requirements as part of the CIP-001 and EOP-004
initiative. CIP-008 reporting as part of the cyber security set of NERC standards is usually managed by specialized
corporate organizations separate from those involved with the other NERC standards, and with highly specialized cyber
skill sets. CIP-008 reporting requirements should remain where they are, and any perceived need for improvement
addressed in the ongoing CIP Version 4 development process.
Response: The DSR SDT thanks you for your comment. The RCIS is a real-time communication and reporting tool and is outside the scope of the
SDT. The goal of the DSR SDT is to develop a form to expedite report completion, sharing and storage. Ideally, entities would complete a single
form, which could then be distributed to jurisdictional agencies and functional entities as appropriate. Functional entities may include the RC, TOP,
and BA for situational awareness. The DSR SDT will take into consideration your comment with inclusion to CIP-008 reporting. However, the
drafting team will explore clarification that any proposed CIP-008-related reporting requirement between CIP-008 and CIP-001 is only applicable
where the incident/event involves a registered entity’s CCA. Note that CIP-002 through CIP-009 are undergoing revision under project 2008-06 –
Order 706 SDT.
Independent Electricity System
Operator
In the Background Section of the comment form, it is indicated that the SDT “...is NOT seeking input or guidance on the
definition of physical or cyber sabotage, what type of disturbances should be reported, who should do reporting, or to
whom or what organizations will be receiving the reports.” Yet there are proposed definitions, with examples, in the
concept paper. The SDT should make it absolutely clear that by supporting the general concept as described in the paper,
the commenting entities are not endorsing the proposed definitions, nor the examples as elements to be included in the
standard.
Response: The DSR SDT thanks you for your comment. The DSR SDT will continue to clarify the impact events concept and eliminate “gray areas”
while including language to give clarity to the reporting process. Standards developed under this project will be posted for comment on specific
content.
Luminant
Luminant disagrees with the direction of utilizing impact events, as this is an expansion in scope beyond the simplification
of sabotage and disturbance reporting.
Response: The DSR SDT thanks you for your comment. We are suggesting the term “Impact Event” be substituted to include only events that would
impact the reliability of the BES. The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database and FERC Order 693
Directives and determined this was a prudent course of action with respect to these standards to provide clear criteria for reporting.
Dynegy Inc.
N/A
Manitoba Hydro
No
Edison Mission Marketing &
Trading
No other comments.
SERC Reliability Coordinator
Sub-committee (RCS)
None.
USBR
The concept of "threat" evaluation criteria is somewhat vague and great care is needed to ensure it is clear enough that
most individuals would be able to analyze an event and end up at the same threat. Otherwise it would be almost
impossible to ensure compliance with a requirement which cannot accurately describe criteria to be used to ensure that
proper evaluation has occurred.
Response: The DSR SDT thanks you for your comment. We are suggesting the term “Impact Event” be substituted to include only events that
would impact the reliability of the BES as opposed to requiring a threat evaluation. The DSR SDT intends to develop criteria that will assist entities
in determining which events should be reported.
Wolverine Power Supply
Cooperative, Inc.
The concepts of removing duplication, consolidation, and focusing on "impact events" sound logical. I am concerned that
the focus may drift to expanded reporting, not reduced reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT discussed the reporting of “impact events” and will consider guidance found
in the document, “NERC Guideline: Threat and Incident Reporting” which will include clear criteria to eliminate erroneous or expanded reporting.
ISO RTO Council Standards
Review Committee
The FERC Order merely asked NERC to “further define sabotage and provide guidance as to the triggering events that
would cause an entity to report a sabotage event.” There is no requirement to create a Reporting Standard and no
mention of Disturbance events. There is a strong need to avoid heavy-handed use of NERC standards particularly for
such post event reporting guidelines. The SRC would urge the DSR SDT to continue to improve its guidelines and to post
those guidelines for all to use, but not to create sanctionable standards whose good intentions will inevitably result in
many unintended adverse consequences for the Industry. Rather, the SDT should seek to retire sanctionable
requirements that require event reporting in favor of guidelines for reporting.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if the DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT
has not determined at this time what bright line will be used for the yet to be drafted Standard(s). The DSR SDT will take into consideration your
comment on keeping cyber and physical events separate. We are suggesting in our discussion to consolidate the location of reporting into one
standard. The industry has demonstrated by its comments that the reporting process be streamlined to achieve a “one stop shop” approach. We
will continue to explore the possibilities to achieve the best results for all stakeholders. A discussion of advantages /disadvantages will continue to
discover options and alternatives with input from all stakeholders.
Lands Energy Consulting
The lack of common sense that leads to a 15 MW loss of load resulting from a 115 kV line outage being categorized as a
"reportable disturbance" really hurts the credibility of the entire NERC Compliance Program. The smaller utilities look at
application of EOP-004 in particular to their operation and conclude that either the EO/RRO is: a. stupid; or b. Out to
persecute the smaller utilities. In reality, EOP-004 was drafted for application to Southern California Edison, where loss of
50% of customers would be 2-3 million customers. Now that's really disturbing!
Response: The DSR SDT thanks you for your comment. The DSR SDT intends to develop criteria that will assist entities in determining which
events should be reported. Acts of sabotage may be “tested” on smaller entities before the saboteurs move on the larger entities.
Central Hudson Gas & Electric
The NERC Guideline: Threat and Incident Reporting Attachment A matrix is an extremely beneficial document that
organizes reporting criteria. However, it identifies communications systems failure sub-category under the Equipment
And/Or Systems Failure category as reportable with a reference to OE-417 - Schedule 1, Item 10. Item 10 on Schedule 1
addresses only failures due to attacks (not failures for other reasons).
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if the DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT
has not determined at this time what bright line will be used for the yet to be drafted Standard(s). Loss of communications would be considered an
impact event. The reason for the loss of communications is irrelevant.
Duke Energy
We don’t think CIP-001, EOP-004 and cyber incident reporting aspects of CIP-008 should all be combined into one
standard, because of the significant differences between sabotage and disturbances. We have suggested that the
drafting team further define sabotage, and we have included a suggested definition in our response to question #5 above.
Sabotage is very specific due to the intent (for the purpose of weakening the critical infrastructure), and the potential
impact to the BES. We believe that sabotage and cyber incident reporting should remain a part of the CIP Standards due
to the emphasis placed on the criticality and vulnerability of the assets needed to support reliable operation of the BES.
Cyber Security and Physical Security could be placed together in the same standard (remain in CIP) and other
disturbances (i.e., accidental, natural) in a separate standard. “One stop shopping” for reporting is still possible as long as
the OE-417 form is included as part of the NERC electronic form. And while we agree with the need for additional clarity
in sabotage and disturbance reporting, we believe that the Standards Drafting Team should carefully consider whether
there is a reliability-related need for each requirement. Some disturbance reporting requirements are triggered not just to
assist in real-time reliability but also to identify lessons-learned opportunities. If disturbance and sabotage reporting
continue to be reliability standards, we believe that all linkages to lessons-learned/improvements need to be stripped out.
We have other forums to identify lessons-learned opportunities and to follow-up on those opportunities.
Response: The DSR SDT thanks you for your comment. The DSR SDT is still evaluating inclusion of CIP-008 reporting requirements with CIP-001
and EOP-004 requirements. Note that the current CIP-008 has a reporting requirement to the ES-ISAC only. The DSR SDT developed the more
inclusive term “impact events” to eliminate using more confusing terms like sabotage (which is not likely to be determined until after a lengthy
investigation). These standards may be combined to have all reporting requirements in a single standard, not because the items to be reported are
necessarily related.
FirstEnergy
We fully agree that sabotage events need to be more clearly defined and reporting requirements need to be better
coordinated. But as we have stated in previous comments, the drafting team needs to determine if standard requirements
need to be developed for this type of reporting or if this is better left to administrative requirements outside the standards
arena. Also, while we appreciate the team's effort to simplify reporting requirements for entities, we are concerned with the
serial communication offered by the concept paper. As an example, the team proposes to have LSE report the incident to
the BA and/or TOP and then have the BA and/or TOP report it to the RC and the RC to report it to NERC and the NERC
report to the regulatory agencies. While this simplifies it for each individual organization, this method introduces many
opportunities for errors and miscommunications. Since this is after-the-fact reporting, it is difficult to defend this type of
communication path when one consistent report could be sent simultaneously to all agencies at the same time from the
originating location.
Response: The DSR SDT thanks you for your comment. The Reliability Coordinator’s suggested role in this is to allow them to incorporate the
relevant data from responsible entities in their footprint for further analysis. We will consider your suggestion of simultaneous submissions as a
means to effectively notify the necessary parties. The SDT believes that it is the submitter’s responsibility to submit OE-417 forms to the DOE. The
DSR SDT does recognize that it may not be possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory
requirements.
Ameren
While we are not opposed to the concept of identifying impact events, we are concerned that the drafting team may
actually be expanding reporting requirements. We do not support expansion of reporting requirements unless a clear
reliability or legal need is identified. Some of the impact events are almost never sabotage and do not warrant reporting
for reliability needs and should not be included. For example, copper theft should not require reporting, in general,
because it is almost never sabotage and rarely impacts reliability. If it does impact reliability because, for example, the
protection system is impacted and causes more significant potential contingencies, then reporting could be required. Why
is a train derailment near a transmission right of way significant? It would only be significant if an investigation identified
sabotage as the reason. Furthermore, what is considered near?
Midwest ISO Standards Collaborators
While we are not opposed to the concept of identifying impact events, we are concerned that the drafting team may
actually be expanding reporting requirements. We do not support expansion of reporting requirements unless a clear
reliability or legal need is identified. Some of the impact events are almost never sabotage and do not warrant reporting
for reliability needs and should not be included. For example, copper theft should not require reporting, in general,
because it is almost never sabotage and rarely impacts reliability. If it does impact reliability because, for example, the
protection system is impacted and causes more significant potential contingencies, then reporting could be required. Why
is a train derailment near a transmission right of way significant? It would only be significant if an investigation identified
sabotage as the reason. Furthermore, what is considered near?
Response: The DSR SDT thanks you for your comment. It is not the intent of the DSR SDT to expand reporting requirements but rather to attempt
to clarify and define an approach to assist the industry and stakeholders in reporting impact events. Furthermore, impact events should not include
copper theft or other conditions that pose no threat to the reliability of the BES. A train derailment is only an impact event if it threatens some
element of the power system such as a transmission line corridor - the derailment in itself is not an impact event.
Exelon
You should consider providing clear and concise instructions as to the expectation on submitting forms, i.e. the DOE 417.
There should be no guessing as to when and how reports should be submitted and who should receive them. Specific
details on reporting criteria should be included.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends to develop criteria for reporting impact events.
Consideration of Comments on Disturbance & Sabotage Reporting— Project 2009-01
Consideration of Comments on Disturbance and Sabotage Reporting —
Project 2009-01
The Disturbance and Sabotage Reporting Drafting Team thanks all commenters who submitted
comments on its preliminary draft of EOP-004-2 – Impact Event and Disturbance Assessment,
Analysis, and Reporting. This standard was posted for a 30-day informal comment period from
September 15, 2010 through October 15, 2010. Stakeholders were asked to provide feedback
on the standard through a special Electronic Comment Form. There were 60 sets of comments,
including comments from more than 175 different people from approximately 100 companies
representing 9 of the 10 Industry Segments as shown in the table on the following pages.
In this report, the comments have been sorted by question number so that it is easier to see
where there is consensus. The comments are posted in their original format on the following
project page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Based on stakeholder comments, and also on the results of the observations made by the
Quality Review team, the drafting team made the following significant changes to the standard
following the posting period that ended on October 15, 2011.
Scope: A common thread through most of the comments was that the DSR SDT went beyond
the reliability intent of the standard (reporting) and concentrated too much on the analysis of
the event. The DSR SDT agrees with this response, and revised the purpose as follows:
Original Purpose: Responsible Entities shall report impact events and their known causes to
support situational awareness and the reliability of the Bulk Electric System (BES).
Revised Purpose: To improve industry awareness and the reliability of the Bulk Electric
System by requiring the reporting of Impact Events and their causes, if known, by the
Responsible Entities.
Definitions:
Impact Event: The DSR SDT had proposed a working definition for “impact events” to
support EOP-004 - Attachment 1 as follows:
“An impact event is any event that has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure or
mis-operation, environmental conditions, or human action.”
Many stakeholders indicated that the definition should be added to the NERC Glossary and
the DSR SDT adopted this suggestion.
The types of Impact Events that are required to be reported are contained within EOP-004 –
Attachment 1. Only the events identified in EOP-004 – Attachment 1 are required to be
reported under this Standard.
Sabotage: FERC Order 693, paragraph 471 states in part: “. . . the Commission directs the
ERO to develop the following modifications to the Reliability Standard through the
Reliability Standards development process: (1) further define sabotage and provide
March 7, 2011
guidance as to the triggering events that would cause an entity to report a sabotage event.”
The DSR SDT made a conscious, deliberate decision to exclude a strict definition of sabotage
from this standard and sought stakeholder feedback on this issue. Some suggested
adopting the NRC definition of the term sabotage, and the DSR SDT did consider adopting
the NRC definition shown below but determined that the definition is too narrowly focused.
Any deliberate act directed against a plant or transport in which an activity licensed
pursuant to 10 CFR Part 73 of NRC's regulations is conducted or against a component of
such a plant or transport that could directly or indirectly endanger the public health and
safety by exposure to radiation.
Most respondents agreed that in order to be labeled as an act of sabotage, the intent of the
perpetrators must be known. The team felt that it was almost impossible to determine if an
act or event was that of sabotage or merely vandalism without the intervention of law
enforcement after the fact. This would result in further ambiguity with respect to reporting
events, and the timeline associated with the reporting requirements does not lend itself to
the in-depth analysis required to identify a disturbance (or potential disturbance) as
sabotage. The SDT felt that a likely consequence of having to meet this criterion, in the
time allotted, would be an under-reporting of events. Accordingly, all references to
sabotage have been deleted from the standard.
Instead, the SDT concentrated on providing clear guidance on the events that should trigger
a report. The SDT believes that this more than adequately meets the reliability intent of the
Commission as expressed in paragraph 471 of Order 693 in an equally efficient and effective
manner.
Situational Awareness versus Industry Awareness: Some commenters correctly pointed
out that “situational awareness” is a desirable by-product of an effective event reporting
system, and not the driver of that system. Accordingly, all references to “situational
awareness” have been deleted from the standard. The more generic “industry awareness”
has been substituted where appropriate.
Applicability:
The DSR SDT had protracted discussions on the applicability of this standard to the LSE. Per the
Functional Model, the LSE does not own assets and therefore should not be an applicable entity
(no equipment that could experience a “disturbance”). However, the Registry Criteria contains
language that could imply that the LSE does own assets, or is at least responsible for assets. In
addition, the DSR SDT modified Attachment 1 to include reporting of damage or destruction of
Critical Cyber Assets per CIP-002. The LSE, as well as the Interchange Authority and
Transmission Service Provider are applicable entities under CIP-002 and should be included for
Impact Events under EOP-004.
There were several comments that the asset owners (GO/TO) would be less likely than the
asset operators (GOP/TOP) to be aware of an impact event. The DSR SDT recognizes that this
may be true in some cases, but not all. In order to meet the reliability objectives of this
requirement, the applicability for GO/TO will remain as per Attachment 1.
Requirement R1:
Based on stakeholder comments, Requirement R1, which assigned the ERO the responsibility
for collecting and distributing impact event reports was deleted. There was strong support for a
central system for receiving and distributing impact event reports (a/k/a one stop shopping).
There was general agreement that NERC was the most likely, logical entity to perform that
function. However several respondents expressed their concern that the ERO could not be
compelled to do so by a requirement in a Reliability Standard (not a User, Owner or Operator of
the BES). In their own comments, NERC did not oppose the concept, but suggested that the
more appropriate place to assign this responsibility would be the NERC Rules of Procedure. The
DSR SDT concurs. The DSR SDT has removed the requirement from the standard and is
proposing to make revisions to the NERC Rules of Procedure as follows:
812. NERC will establish a system to collect impact event reports as established for this
section, from any Registered Entities, pertaining to data requirements identified in
Section 800 of this Procedure. Upon receipt of the submitted report, the system shall
then forward the report to the appropriate NERC departments, applicable regional
entities, other designated registered entities, and to appropriate governmental, law
enforcement, and regulatory agencies as necessary. These reports shall be forwarded
to the Federal Energy Regulatory Commission for impact events that occur in the United
States. The ERO shall solicit contact information from Registered Entities appropriate
governmental, law enforcement and regulatory agencies for distributing reports.
Requirement R2 (now R1 in the revised standard):
There were objections to the use of the term “Operating Plan” to describe the procedure to
identify and report the occurrence of a disturbance. The DSR SDT believes that the use of a
defined term is appropriate and has revised Requirement R1 to include Operating Plan,
Operating Process and Operating Procedure.
Many commenters felt that the requirements around updating the Operating Plan were too
prescriptive, and impossible to comply with during the time frame allowed. The DSR SDT
agrees, and Requirement R2, Parts 2.5 through 2.9 have been eliminated. They have been
replaced with Requirement R1, Part 1.4 to require updating the Impact Event Operating Plan
within 90 days of any change to content.
R1. Each Responsible Entity shall have an Impact Event Operating Plan that includes: [Violation
Risk: Factor Medium] [Time Horizon: Long-term Planning]:
1.1. An Operating Process for identifying Impact Events listed in Attachment 1.
1.2. An Operating Procedure for gathering information for Attachment 2 regarding
observed Impact Events listed in Attachment 1.
1.3. An Operating Process for communicating recognized Impact Events to the following:
1.3.1 Internal company personnel notification(s).
1.3.2. External organizations to notify to include but not limited to the Responsible
Entities’ Reliability Coordinator, NERC, Responsible Entities’ Regional Entity, Law
Enforcement, and Governmental or Provincial Agencies.
1.4. Provision(s) for updating the Impact Event Operating Plan within 90 days of any change
to its content.
Other requirements reference the Operating Plan as appropriate. The requirements of
EOP-004-2 fit precisely into the definition of Operating Plan:
Operating Plan: A document that identifies a group of activities that may be used to
achieve some goal. An Operating Plan may contain Operating Procedures and Operating
Processes. A company-specific system restoration plan that includes an Operating
Procedure for black-starting units, Operating Processes for communicating restoration
progress with other entities, etc., is an example of an Operating Plan.
Requirement R3 (now R2 in the revised standard):
Requirement R3 has been re-written to exclude the requirement to “assess the initial probable
cause”. The only remaining reference to “cause” is in the Impact Event Reporting Form
(Attachment 2). Here, there is no longer a requirement to assess the probable cause. The
probable cause only needs to be identified, and only if it is known at the time of the submittal
of the report.
R2. Each Responsible Entity shall implement its Impact Event Operating Plan
documented in Requirement R1 for Impact Events listed in Attachment 1 (Parts A
and B). [Violation Risk: Factor Medium] [Time Horizon: Real-time Operations and
Same-day Operations]
Requirement R4 (now R3 in the revised standard):
The DSR SDT did a full review based on comments that were received. R3 now is streamlined
to read:
R3. Each Responsible Entity shall conduct a test of its Operating Process for
communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3
at least annually, with no more than 15 months between such tests.
The testing of the Operating Process for communicating recognized Impact Events (as stated in
R1) is the main component of this requirement. Several commenters provided input that too
much “how” was previously within R3 and the DSR SDT should only provide the “what”. The
DSR SDT did not provide any prescriptive guidance on how to accomplish the required testing
within the rewrite. Testing of the entity’s procedure (R1) could be by an actual exercise of the
process (testing as stated in FERC Order 693 section 471), a formal review process or real time
implementation of the procedure. The DSR SDT reviewed Order 693 and section 465 directs
that processes are “verify that they achieve the desired result”. This is the basis of R3, above.
Requirement R5 (now R4 in the revised standard):
The DSR SDT did a full review based on comments that were received. The major issues that
were provided by commenters involved the inclusion of Requirement R5, Part 5.3 and Part 5.4.
5.3 If the Operating Plan is revised (with the exception of contact information revisions),
training shall be conducted within 30 days of the Operating Plan revisions.
5.4 For internal personnel added to the Operating Plan or those with revised
responsibilities under the Operating Plan, training shall be conducted prior to
assuming the responsibilities in the plan.
Upon detailed review the DSR SDT agrees with the majority of comments received regarding
Requirement R5, Parts 5.3 and 5.4 and has removed Parts 5.3 and 5.4 completely from the
Standard. Training is still the main theme of this requirement (now R4) as it pertains to the
personnel required to implement the Impact Event Operating Plan (R1).
R4 now is streamlined to read:
R4. Each Responsible Entity shall review its Impact Event Operating Plan with those
personnel who have responsibilities identified in that plan at least annually with no
more than 15 calendar months between review sessions.
Requirement R6 (now R5 in the revised standard):
The DSR SDT did a full review based on comments that were received. Many comments
received identified concerns on the reporting time lines within Attachment 1. Several
commenters wanted the ability to report impact events to their responsible parties via the DOE
Form OE-417. Upon discussions with the DOE and NERC, the DSR SDT has added the ability to
use the DOE Form OE-417 when the same or similar items are required to be reported to NERC
and the DOE. This will reduce the need to file multiple forms when the same or similar events
must be reported to the DOE and NERC. The reliability intent of reporting impact events within
prescribed guidelines, to provide industry awareness and to start any required analysis
processes can be met without duplicate reporting.
R5 now is streamlined to read:
R5. Each Responsible Entity shall report Impact Events in accordance with its Impact
Event Operating Plan pursuant to Requirement R1 and Attachment 1 using the form in
Attachment 2 or the DOE OE-417 reporting form.
Requirements R7 and R8:
The DSR SDT did a full review based on comments that were received. The DSR SDT has
determined that R7 and R8 are not required to be within a NERC Standard since Section 800 of
the Rules of Procedure already assigns this responsibility to NERC.
Attachment 1:
The DSR SDT did a full review based on comments that were received. The DSR SDT, the Events
Analysis Working Group (EAWG), NERC Staff (to include NERC Senior VP and Chief Reliability
Officer) had an open discussion involving this topic. The EAWG and the DSR SDT aligned
Attachment 1 with the Event Analysis Program category 1 analysis responsibilities. This will
assure that impact events in EOP-004-2 reporting requirements are the starting vehicle for any
required Event Analysis within the NERC Event Analysis Program. The DSR SDT reviewed the
“hierarchy” of reporting within Attachment 1. To reduce multiple entities reporting the same
impact event, the DSR SDT has stated that the entity that performs the action or is directly
affected by an action will report per EOP-004-2. As an example, during a system emergency,
the TOP or RC may request manual load shedding by a DP or TOP. The DP or TOP would have
the responsibility to report the action that it took if it meets or exceeds the bright-line criteria
established in Attachment 1. Upon reporting, the NERC Event Analysis Program would be made
aware of the impact event and start the Event Analysis Process which is outside the scope of
this Standard. Several bright-line criteria were removed from Attachment 1. These criteria (DC
converter station, 5 generator outages, and frequency trigger limits) were removed after
discussions with the EAWG and NERC staff, who concurred that these items should be removed
from a reporting standard and analysis process.
Several respondents expressed concern that the reporting requirements were redundant. The
general sentiment was that unclear responsibility to report a disturbance could trigger a flood
of event reports. Attachment 1 has been modified to assign clear responsibility for reporting,
for each category of Impact Event.
Some commenters indicated a concern that the list of events in Attachment 1 isn’t as
comprehensive as the existing standard since the existing standard includes bomb threats and
observations of suspicious activities. Others commented that the impact event list should
include deliberate acts against infrastructure. The DSR SDT believes that “observation of
suspicious activity” and “bomb threats” are addressed in Attachment 1 Part B – “Risk to BES
equipment from a non-environmental physical threat”. The SDT has added the phrase, “and
report of suspicious device near BES equipment” to note 3 of the “Attachment 1, Potential
Reliability – Part B” for additional clarity.
Attachment 2:
The proposed Impact Event Report (Attachment 2) generated comments regarding the
duplicative nature of the form when compared to the OE-417. The DSR SDT has added language
to the proposed form to clarify that NERC will accept a DOE OE-417 form in lieu of Attachment
2 if the responsible entity is required to submit an OE-417 form.
In collaboration with the NERC Event Analysis Working Group (EAWG) the DSR SDT modified
the attachment to eliminate confusion. This revised form will be Attachment 2 of the Standard
and collects the only information required to be reported for EOP-004-2. Further information
may be requested through the Events Analysis Process (NERC Rules of Procedure), but the
collection of this information is outside of the scope of EOP-004.
The DSR SDT has also clarified the form’s purpose with the following addition to the form:
“This form is to be used to report impact events to the ERO.”
Other Standard Issues:
The DSR SDT proposed that combining EOP-004 and CIP-001 would not introduce a reliability
gap between the existing standards and the proposed standard and the industry comments
received confirm this.
Several entities expressed their concern with the fact that Attachment 1 contained most of the
elements already called for in the OE-417. The DSR SDT agrees, and Attachment 1 part 1 has
been modified to even more closely mirror the Department of Energy’s OE-417 Emergency
Incident and Disturbance Report form. Additionally, the standard has been modified to allow
for the use of the OE-417.
There was some concern expressed that there could be confusion between the reporting
requirements in this standard, and those found in CIP-008. The DSR SDT agrees, and
Attachment 1 Part B, has been modified to provide the process for the reporting of a Cyber
Security Incident.
The DSR SDT also believes NERC’s additional concern about what data is applicable is addressed
by the revisions to Attachment 1, and the inclusion of the OE-417 as an acceptable interim
vehicle.
Implementation Plan:
The DSR SDT asked stakeholders to provide feedback on the proposed effective date which
provided entities at least a year following board approval of the standard. Most stakeholders
supported the one year minimum; however, based on the revisions made to the requirements,
the drafting team is now proposing that this time period be shortened to between six months
and nine months. The current CIP-001 plan is adequate for the new EOP-004 and training
should be met in the proposed timeline. Note that the Implementation Plan was developed for
the revised Requirements, which do not include an electronic “one-stop shopping” tool. The
tool for ‘one stop shopping’ will be addressed in the proposed revisions to the NERC Rules of
Procedure.
The industry commented on the need for e-mail addresses and fax numbers for back up
purposes. These details were added to the standard and the implementation plan.
The proposed ballot in December was incorrect and has been deleted from the future
development plan. The plan was updated with the correct project plan dates.
If you feel that your comment has been overlooked, please let us know immediately. Our goal is
to give every comment serious consideration in this process! If you feel there has been an error
or omission, you can contact the Vice President and Director of Standards, Herb Schrayshuen,
at 609-452-8060 or at herb.schrayshuen@nerc.net. In addition, there is a NERC Reliability
Standards Appeals Process. 1
1 The appeals process is in the Reliability Standards Development Procedures:
http://www.nerc.com/standards/newstandardsprocess.html.
Index to Questions, Comments, and Responses
1. Do you agree with the purpose statement of the proposed standard? Please explain in the comment box below.
2. Do you agree with the applicable entities in the Applicability Section as well as assignment of applicable entities noted in Attachment 1? Please explain in the comment box below.
3. Do you agree with the requirement R1 and measure M1? Please explain in the comment box below.
4. Do you agree with the requirement R2 and measure M2? Please explain in the comment box below.
5. Do you agree with the requirement R3 and measure M3? Please explain in the comment box below.
6. Do you agree with the requirement R4 and measure M4? Please explain in the comment box below.
7. Do you agree with the requirement R5 and measure M5? Please explain in the comment box below.
8. Do you agree with the requirement R6 and measure M6? Please explain in the comment box below.
9. Do you agree with the requirements for the ERO (R7-R8) or is this adequately covered in the Rules of Procedure (section 802)? Please explain in the comment box below.
10. Do you agree with the impact event list in Attachment 1? Please explain in the comment box below and provide suggestions for additions to the list of impact events.
11. Do you agree with the use of the Preliminary Impact Event Report (Attachment 2)?
12. The DSR SDT has replaced the terms “disturbance” and “sabotage” with the term “impact events”. Do you agree that the term “impact events” adequately replaces the terms “disturbance” and “sabotage” and addresses the FERC directive to “further define sabotage” in an equally efficient and effective manner? Please explain in the comment box below.
13. The DSR SDT has combined EOP-004 and CIP-001 into one standard (please review the mapping document that shows the translation of requirements from the already approved versions of CIP-001 and EOP-004 to the proposed EOP-004), EOP-004-3 and retiring CIP-001. Do you agree that there is no reliability gap between the existing standards and the proposed standard?
14. Do you agree with the proposed effective dates? Please explain in the comment box below.
15. Do you have any other comments that you have not identified above?
March 7, 2011
9
Consideration of Comments on Disturbance & Sabotage Reporting— Project 2009-01
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Group/Individual
Commenter
Organization
Registered Ballot Body Segment (1 2 3 4 5 6 7 8 9 10)
1.
Group
Guy Zito
Northeast Power Coordinating Council
X
Additional Member Additional Organization Region Segment Selection
1.
Alan Adamson
New York State Reliability Council, LLC
NPCC
10
2.
Gregory Campoli
New York Independent System Operator
NPCC
2
3.
Kurtis Chong
Independent Electricity System Operator
NPCC
2
March 1, 2011
4.
Sylvain Clermont
Hydro-Quebec TransEnergie
NPCC
1
5.
Chris de Graffenried
Consolidated Edison Co. of New York, Inc. NPCC
1
6.
Gerry Dunbar
Northeast Power Coordinating Council
NPCC
10
7.
Dean Ellis
Dynegy Generation
NPCC
5
8.
Brian Evans-Mongeon
Utility Services
NPCC
8
9.
Mike Garton
Dominion Resources Services, Inc.
NPCC
5
10.
Brian L. Gooder
Ontario Power Generation Incorporated
NPCC
5
11.
Kathleen Goodman
ISO - New England
NPCC
2
12.
Chantel Haswell
FPL Group, Inc.
NPCC
5
13.
David Kiguel
Hydro One Networks Inc.
NPCC
1
14.
Michael R. Lombardi
Northeast Utilities
NPCC
1
15.
Randy MacDonald
New Brunswick System Operator
NPCC
2
16.
Bruce Metruck
New York Power Authority
NPCC
6
17.
Lee Pedowicz
Northeast Power Coordinating Council
NPCC
10
18.
Robert Pellegrini
The United Illuminating Company
NPCC
1
19.
Si Truc Phan
Hydro-Quebec TransEnergie
NPCC
1
20.
Saurabh Saksena
National Grid
NPCC
1
21.
Michael Schiavone
National Grid
NPCC
1
22.
Peter Yost
Consolidated Edison Co. of New York, Inc. NPCC
3
Jim Case, SERC OC
2.
Group
Chair
SERC OC Standards Review Group
Additional Member Additional Organization
Region
X
X
Segment
Selection
1.
Mike Garton
Dominion Virginia Power
SERC
1, 3
2.
Jim Griffith
Southern
SERC
1, 3, 5
3.
Vicky Budreau
Santee Cooper
SERC
1, 3, 5, 9
4.
Gerry Beckerle
Ameren
SERC
1, 3
5.
Eugens Warnecke
Ameren
SERC
1, 3
6.
Scott McGough
Oglethorpe Power
SERC
5
7.
John Neagle
AEC I
SERC
1, 3, 5
8.
Joel Wise
TVA
SERC
1, 3, 5, 9
9.
Jennifer Weber
TVA
SERC
1, 3, 5, 9
10.
Robert Thomasson
BREC
SERC
1, 3, 5, 9
11.
Derek Bleyle
SCE&G
SERC
1, 3, 5
12.
Gene Delk
SCE&G
SERC
1, 3, 5
13.
Dave Plauck
Calpine
SERC
5
14.
Tom Hanzlik
SCE&G
SERC
1, 3, 5
15.
Randy Castello
Mississippi Power
SERC
1, 3, 5
16.
Doug White
NCEMC
SERC
1, 3, 5, 9
17.
Randy Haynes
Alcoa
SERC
1, 5
18.
Joel Rogers
SMEPA
SERC
1, 3, 5, 9
19.
Mike Bryson
PJM
SERC
2
20.
Rick Meyers
EEI
SERC
1, 5
21.
Tim Hattaway
PowerSouth
SERC
1, 3, 5, 9
22.
Barry Warner
EKPC
SERC
1, 3, 5, 9
23.
Jack Kerr
Dominion Virginia Power. P. SERC
1, 3
24.
Wes Davis
SERC Reliability Corp.
SERC
10
25.
John Troha
SERC Reliability Corp.
SERC
10
3.
Group
Brad Jones
Luminant Energy
X
Additional Member Additional Organization Region Segment Selection
1. Kevin Phillips
4.
Group
Luminant Energy
David Grubbs
ERCOT 6
City of Garland
Additional Member Additional Organization Region
X
Segment
Selection
1.
David Grubbs
ERCOT
1
2.
Fred Sherman
ERCOT
1
3.
Steve Zaragoza
ERCOT
1
4.
Billy Lee
ERCOT
1
5.
Heather Siemens
ERCOT
1
6.
Ronnie Hoeinghaus
ERCOT
1
7.
Matt Carter
ERCOT
1
5.
Group
Terry L. Blackwell
Additional Member Additional Organization
Santee Cooper
Region
X
X
X
X
Segment
Selection
1.
S. T. Abrams
Santee Cooper SERC
1
2.
Rene' Free
Santee Cooper SERC
1
3.
Vicky Budreau
Santee Cooper SERC
1
4.
Glenn Stephens
Santee Cooper SERC
1
Pacific Northwest Small Public Power Utility
6.
Group
Steve Alexanderson
Comment Group
X
X
Additional Member Additional Organization Region Segment Selection
1.
Russell Noble
Cowlitz County PUD No. 1
WECC
3, 4, 5
2.
Dave Proebstel
Clallam County PUD
WECC
3
3.
Ronald Sporseen
Blachly-Lane Electric Cooperative
WECC
3
4.
Ronald Sporseen
Central Electric Cooperative
WECC
3
5.
Ronald Sporseen
Clearwater Power Company
WECC
3
6.
Ronald Sporseen
Douglas Electric Cooperative
WECC
3
7.
Ronald Sporseen
Consumers Power
WECC
3
8.
Ronald Sporseen
Fall River Rural Electric Cooperative
WECC
3
9.
Ronald Sporseen
Northern Lights
WECC
3
10.
Ronald Sporseen
Lane Electric Cooperative
WECC
3
11.
Ronald Sporseen
Lincoln Electric Cooperative
WECC
3
12.
Ronald Sporseen
Raft River Rural Electric Cooperative
WECC
3
13.
Ronald Sporseen
Lost River Electric Cooperative
WECC
3
14.
Ronald Sporseen
Salmon River Electric Cooperative
WECC
3
15.
Ronald Sporseen
Umatilla Electric Cooperative
WECC
3
16.
Ronald Sporseen
Coos-Curry Electric Cooperative
WECC
3
17.
Ronald Sporseen
West Oregon Electric Cooperative
WECC
3
18.
Ronald Sporseen
Pacific Northwest Generating Cooperative
WECC
5
19.
Ronald Sporseen
Power Resources Cooperative
WECC
5
7.
Group
Mallory Huggins
NERC Staff
Additional Member Additional Organization
Region
Segment Selection
1. Earl Shockley
NERC
NA - Not Applicable NA
2. Dave Nevius
NERC
NA - Not Applicable NA
3. Gerry Adamski
NERC
NA - Not Applicable NA
4. Roman Carter
NERC
NA - Not Applicable NA
8.
Group
Carol Gerou
MRO's NERC Standards Review Subcommittee
X
Additional Member Additional Organization Region Segment Selection
1.
Mahmood Safi
Omaha Public Utility District
MRO
1, 3, 5, 6
2.
Chuck Lawrence
American Transmission Company
MRO
1
3.
Tom Webb
WPS Corporation
MRO
3, 4, 5, 6
4.
Jodi Jenson
Western Area Power Administration MRO
1, 6
5.
Ken Goldsmith
Alliant Energy
MRO
4
6.
Alice Murdock
Xcel Energy
MRO
1, 3, 5, 6
7.
Dave Rudolph
Basin Electric Power Cooperative
MRO
1, 3, 5, 6
8.
Eric Ruskamp
Lincoln Electric System
MRO
1, 3, 5, 6
9.
Joseph Knight
Great River Energy
MRO
1, 3, 5, 6
10.
Joe DePoorter
Madison Gas & Electric
MRO
3, 4, 5, 6
11.
Scott Nickels
Rochester Public Utilities
MRO
4
12.
Terry Harbour
MidAmerican Energy Company
MRO
1, 3, 5, 6
9.
Group
Sam Ciccone
FirstEnergy
X
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Dave Folk
FE
RFC
2. Doug Hohlbaugh
FE
RFC
3. Andy Hunter
FE
RFC
4. Kevin Querry
FE
RFC
5. Brian Orians
FE
RFC
6. John Martinez
FE
RFC
7. John Reed
FE
RFC
8. Marissa McLean
FE
RFC
9. Phil Bowers
FE
RFC
10.
Group
Mike Garton
Electric Market Policy
Additional Member Additional Organization
Region
X
X
X
X
X
X
X
X
Segment
Selection
1.
Michael Gildea
Dominion
NPCC
5
2.
Louis Slade
Dominion
SERC
6
3.
John Loftis
Dominion Virginia Power SERC
1
11.
Group
Denise Koehn
Additional
Additional
Member
Organization
Bonneville Power Administration
Region
Segment
Selection
1.
Jim Burns
BPA, Transmission, Technical Operations
WECC
1
2.
Russell Funk
BPA, Transmission, DCC Data System Hardware WECC
1
3.
John Wylder
BPA, Transmission, CC HW Dsgn/Stds Montr & Admin
WECC
1
12.
Group
Kenneth D. Brown
PSEG Companies
Additional Member Additional Organization
X
Region
X
X
X
Segment
Selection
1.
Ron Wharton
PSE&G System Ops
RFC
1, 3
2.
Jerzy Slusarz
PSEG Fossil
RFC
5, 6
3.
James Hebson
PSEG ER&T
ERCOT
5, 6
4.
Dominick Grasso
PSEG Power Connecticut NPCC
5, 6
13.
Group
Steve Rueckert
WECC
Additional Member Additional Organization Region
X
Segment
Selection
1.
Tom Schneider
WECC WECC
10
2.
John McGee
WECC WECC
10
14.
Group
Richard Kafka
Additional Member Additional Organization
Pepco Holdings, Inc - Affiliates
Region
X
X
X
X
Segment
Selection
1.
Vic Davis
Delmarva Power & Light Co
RFC
1
2.
Dave Thorne
Potomac Electric Power Company RFC
1
15.
Group
Howard Rulf
Additional Member Additional Organization
We Energies
Region
X
X
X
Segment
Selection
1.
Tom Eells
We Energies RFC
3, 4, 5
2.
Fred Hessen
We Energies RFC
3, 4, 5
3.
Brian Heimsch
We Energies RFC
3, 4, 5
16.
Group
Annette M. Bannon
Additional Member Additional Organization
PPL Supply
Region
X
Segment
Selection
1.
Mark Heimbach
PPL Martins Creek, LLC RFC
5
17.
Group
J T Wood
Additional Member Additional Organization
Southern Company - Transmission
Region
X
X
Segment
Selection
1.
Marc Butts
Southern Company Services SERC
1
2.
Andy Tillery
Southern Company Services SERC
1
3.
Jim Busbin
Southern Company Services SERC
1
4.
Phil Winston
Southern Company Services SERC
1
5.
Mike Sanders
Southern Company Services SERC
1
6.
Bob Canada
Southern Company Services SERC
1
7.
Boyd Nation
Southern Company Services SERC
1
8.
Phil Whitmer
Georgia Power Company
SERC
3
9.
Randy Mayfield
Alabama Power Company
SERC
3
10.
Randy Castello
Mississippi Power Company SERC
3
18.
Group
Jason L. Marshall
Midwest ISO Standards Collaborators
Additional Member Additional Organization
Region
X
Segment
Selection
1.
Jim Cyrulewski
JDRJC Associates, LLC RFC
8
2.
Kirit Shah
Ameren
SERC
1
3.
Robert A. Thomasson Sr. Big Rivers
SERC
1, 3
19.
Group
Ben Li
IRC Standards Review Committee
Additional Member Additional Organization Region
X
Segment
Selection
1.
Bill Phillips
MISO
MRO
2
2.
Matt Goldberg
ISO-NE NPCC
2
3.
Charles Yeung
SPP
SPP
2
4.
Mark Thompson
AESO
WECC
2
5.
James Castle
NYISO NPCC
2
6.
Steve Myers
ERCOT ERCOT
2
7.
Greg Van Pelt
CAISO WECC
2
8.
Patrick Brown
PJM
RFC
2
20.
Individual
Brian Pillittere
Tenaska
21.
Individual
Sandra Shaffer
PacifiCorp
X
X
X
X
X
22.
Individual
Jana Van Ness, Director Regulatory Compliance
Arizona Public Service Company
X
X
X
X
23.
Individual
Brent Ingebrigtson
E.ON U.S. LLC
X
X
X
X
24.
Individual
Brenda Lyn Truhe
PPL Electric Utilities
X
25.
Individual
Greg Froehling
Green Country Energy
X
26.
Individual
TransAlta Corporation
TransAlta Centralia Generation, LLC
X
27.
Individual
Doug Smeall
ATCO Electric Ltd.
28.
Individual
Dan Roethemeyer
Dynegy Inc.
29.
Individual
Kasia Mihalchuk
Manitoba Hydro
X
X
30.
Individual
Philip Savage
PacifiCorp
X
X
31.
Individual
Brian Reich
Idaho Power Company
X
X
32.
Individual
Chris Hajovsky
RRI Energy, Inc.
33.
Individual
Bill Keagle
BGE
X
34.
Individual
John Brockhan
CenterPoint Energy
X
35.
Individual
Joylyn Faust
Consumers Energy
X
X
X
36.
Individual
Doug White
North Carolina Electric Coops
X
X
X
37.
Individual
Lauri Jones
Pacific Gas and Electric Company
X
X
38.
Individual
Laurie Williams
PNM Resources
X
X
39.
Individual
Val Lehner
ATC
X
X
X
X
X
X
X
X
40.
Individual
Martin Bauer
US Bureau of Reclamation
41.
Individual
Wayne Pourciau
Georgia System Operations Corporation
42.
Individual
Rex Roehl
Indeck Energy Services
43.
Individual
Jonathan Appelbaum
United Illuminating
X
X
X
X
X
44.
Individual
Amir Y Hammad
Constellation Power Generation and Constellation Commodities Group
45.
Individual
Carol Bowman
City of Austin dba Austin Energy
X
46.
Individual
John Bee
Exelon
X
X
X
47.
Individual
Kirit Shah
Ameren
X
X
X
X
48.
Individual
Thad Ness
American Electric Power (AEP)
X
X
X
X
49.
Individual
Joe Knight
Great River Energy
X
X
X
X
50.
Individual
Greg Rowland
Duke Energy
X
X
X
X
51.
Individual
Nathan Lovett
Georgia Transmission Corporation
X
X
X
52.
Individual
Chris de Graffenried
Consolidated Edison Co. of NY, Inc.
53.
Individual
Kathleen Goodman
ISO New England Inc.
54.
Individual
Amanda Stevenson
E.ON Climate & Renewables
55.
Individual
Christine Hasha
ERCOT ISO
56.
Individual
Terry Harbour
MidAmerican Energy
X
57.
Individual
Michael Gammon
Kansas City Power & Light
X
X
X
58.
Individual
Ron Gunderson
Nebraska Public Power District
X
X
X
59.
Individual
Dan Rochester
Independent Electricity System Operator
60.
Individual
Catherine Koch
Puget Sound Energy
X
X
X
X
X
X
X
1. Do you agree with the purpose statement of the proposed standard? Please explain in the comment box below.
Summary Consideration: Stakeholders who responded to this question were fairly evenly divided on acceptance of the original
purpose statement with about half supporting the purpose and half suggesting revisions to the purpose. A common thread through
most of the comments was that the DSR SDT went beyond the intent of the standard (reporting) and concentrated too much on the
analysis of the event. Based on these comments, the SDT revised the purpose statement. The new purpose is:
To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of Impact Events and
their causes, if known, by the Responsible Entities.
Several commenters noted that the term “impact event” is not a formally defined term. The DSR SDT has used a working
definition for “impact events” to develop Attachment 1 as follows:
An impact event is any event that has either impacted or has the potential to impact the reliability of the Bulk Electric
System. Such events may be caused by equipment failure or mis-operation, environmental conditions, or human action.
Many stakeholders indicated that the definition should be added to the NERC Glossary and the DSR SDT adopted this suggestion.
The types of Impact Events that are required to be reported are contained within Attachment 1. Only these events are required to
be reported under this Standard.
Some commenters correctly pointed out that “situational awareness” was a desirable by-product of an effective event reporting
system, and not a driver of that system. Accordingly, all references to “situational awareness” have been deleted from the standard.
The more generic “industry awareness” has been substituted where appropriate.
Many commenters noted that the SDT did not define sabotage. FERC Order 693, paragraph 471 states in part: “. . . the Commission
directs the ERO to develop the following modifications to the Reliability Standard through the Reliability Standards development
process: (1) further define sabotage and provide guidance as to the triggering events that would cause an entity to report a sabotage
event.” The DSR SDT made a conscious, deliberate decision to exclude a strict definition of sabotage from this standard and sought
stakeholder feedback on this issue. Some suggested adopting the NRC definition of the term sabotage, and the DSR SDT did
consider adopting the NRC definition shown below but determined that the definition is too narrowly focused.
Any deliberate act directed against a plant or transport in which an activity licensed pursuant to 10 CFR Part 73 of NRC's
regulations is conducted or against a component of such a plant or transport that could directly or indirectly endanger the public
health and safety by exposure to radiation.
Most respondents agreed that in order to be labeled as an act of sabotage, the intent of the perpetrators must be known. The team
felt that it was almost impossible to determine if an act or event was that of sabotage or merely vandalism without the intervention
of law enforcement after the fact. This would result in further ambiguity with respect to reporting events, and the timeline
associated with the reporting requirements does not lend itself to the in-depth analysis required to identify a disturbance (or
potential disturbance) as sabotage. The SDT felt that a likely consequence of having to meet this criterion, in the time allotted,
would be an under-reporting of events. Accordingly, all references to sabotage have been deleted from the standard.
Organization
Yes or No
Question 1 Comment
Ameren
No
The purpose talks about reporting impact events and their known causes. We have no problem with this
generic intent, but the purpose says nothing about the very burdensome expectation of verbal updates to
NERC and Regional Entities (Attachment 1, top of first page), Preliminary Impact Event Reports (Attachment
1, top of first page, are these Attachment 2?), "Actual" Impact Event Reports (Attachment 1 - Part A) and
"Potential" Impact Event Reports (Attachment 1 - Part B). These multiple levels of reporting and events need
to be greatly reduced.
American Electric Power (AEP)
No
It is unclear what the relationship is between this project and the newly revamped NERC Event Analysis
Process. We support moving towards one process opposed to separate obligations that may be in conflict.
In addition, AEP supports the concept of a central clearinghouse such as the RCIS that is shared by the
industry. We support fewer punitive requirements and more prompting for using tools to make multiple
entities aware of reliability related issues shortly after the fact.
CenterPoint Energy
No
CenterPoint Energy does not agree with the purpose statement of the proposed standard. The directive from
the Commission in FERC Order 693 and restated in the Guideline and Technical Basis is “...the Commission
directs the ERO to develop the following modifications to the Reliability Standard through the Reliability
Standards development process: 1) further define sabotage and provide guidance as to the triggering events
that would cause an entity to report a sabotage event.” Instead the SDT has introduced another term, impact
event, to address concerns regarding different definitions. The term, impact event and its proposed concept is
too broad. Specifically the concept that an impact event “...has the potential to impact the reliability of the Bulk
Electric System” leaves too much room for an entity and a regulatory body to have a difference of opinion as
to whether an event should be reported. Required reporting should be limited to actual events. The reporting
to follow could become overwhelming for the Responsible Entities, the ERO, and other various organizations
and agencies. Furthermore, situational awareness is a term that is associated with aspects of real-time.
Given the analysis required before a report can be submitted, the report will not be real-time and will not
sustain a purpose of supporting situational awareness. (See also comments on Q10 regarding the “Time to
Submit Report”.) A purpose that is more aligned with consolidation of the EOP-004 and CIP-001 standards
would be as follows: Responsible Entities shall report disturbance events and acts of sabotage to support the
reliability of the BES through industry awareness.
Consolidated Edison Co. of NY,
Inc.
No
Comments: The purpose is not clear because it uses the term “impact events”. This term should be a defined
in the NERC glossary, and should not include words such as “potential”.
Duke Energy
No
The Purpose statement says that reporting under this standard supports situational awareness. However this
is in conflict with Section 5. Background, where the DSR SDT makes clear that this standard includes no real-time operating notifications, and that this proposed standard deals exclusively with after-the-fact reporting.
We also disagree with the stated concept of “impact event”. Including the phrase “or has the potential to
impact” in the concept makes it impossibly broad for practical application and compliance.
Electric Market Policy
No
The term “impact events” does not draw a clear boundary around those events that are affected by this
standard. Since this is not a defined term, nor is intended to be a defined term in the NERC glossary, this
standard lacks clarity and is likely to produce significant conflict as an applicable entity attempts to establish
procedures to assure compliance. It appears that situational awareness could not be improved with this
standard since it is only dealing with events after-the-fact, not within the time frame to allow corrective action
by the system operator. As conveyed in Dominion’s comments on NERC Reliability Standards Development
Plan 2011 - 2013, Dominion does not see this draft standard as needing to be in the queue while other
standards having more impact to bulk electric reliability remain incomplete or unfinished.
ERCOT ISO
No
ERCOT ISO believes that according to the timelines allotted in Attachment 1, it may not be possible for the
entity to identify the “known cause” of an event. The requirements list identification of “initial probable cause”.
This is more reasonable under the timelines noted in Attachment 1.
Exelon
No
The purpose states that Responsible Entities SHALL report impact events - this implies that ALL impact
events need to be reported regardless of magnitude, suggest rewording to say "... shall report applicable
impact events ..." to allow for evaluation of each impact for applicability in accordance with Attachment 1).
FirstEnergy
No
Since this standard is after-the-fact reporting, the phrase "situational awareness" may not be appropriate
since that phrase is attributed by a large part of the industry to real-time, minute-to-minute awareness of the
system. We suggest the following rewording of the purpose statement: "To ensure Applicable Entities report
impact events and their known causes to enhance and support the reliability of the Bulk Electric System
(BES)".
Indeck Energy Services
No
Suggestion: "Functional Entities identified in Section 4 shall support situational awareness of impact events
and their known causes."
Independent Electricity System
Operator
No
(1) Our understanding of the proposed revision as conveyed in the SAR was to provide clarity and reduce
redundancy on reporting the latest and even on-going events on the system that may be caused by system
changes and/or sabotage. The intent is to ensure the proper authorities are informed of such events so that
they may take appropriate and necessary actions to identify causes and/or mitigate or limit the extent of
interruptions. We also supported a suggestion in the SAR to assess the merit of merging CIP-001 and EOP-004 to remove redundancy, although we suggested that this should not be a presumption when revising the
standard(s). This posting appears to indicate that only EOP-004 will be revised at this time, and CIP-001 which
deals with sabotage reporting will remain in effect. With this assumption, the proposed standard appears to
contain a mixture of reporting two types of events of different time frame - the first type being those events
that need to be reported soon or immediately after they occur (e.g. impact events that appear to be the result
of a sabotage) with an aim to curb/contain these events by the appropriate authorities; the second type being
the events that can be reported sometime well after the fact, e.g. system disturbances due to weather or
switching or other known causes that are not of malicious nature. Combining the two types of requirement
does not appear to be clearly conveyed in the SAR. We therefore suggest the SDT review the main purpose
and content in the proposed EOP-004 to ensure consistency with the SAR, and in relation to the purpose and
requirements already contained in CIP-004. (2) With respect to disseminating reports and related information
after the fact, we wonder if a data collection process, such as RoP 1900, can serve the purpose without
having to create a standard or a requirement to achieve this. (3) Most of the requirements appear to be
administrative in nature and they stipulate the how but not the what, which in our view does not conform with
the Results-based standard concept and does not rise to the level of a reliability standard. (4) A number of
requirements proposed in the draft standard are quite vague and cannot be measured. Details of this
assessment is provided below.
IRC Standards Review
Committee
No
The proposed requirements in the standard are not focused on the core industry concern that current
requirements are unclear as to what types of events warrant entities to report. Per draft 2 of the SAR, “The
existing requirements need to be revised to be more specific - and there needs to be more clarity in what
sabotage looks like.” Instead this proposed standard includes requirements that are more focused on “how”
to report, rather than “what” to report.
The SAR states that: “The development may include other
improvements to the standards deemed appropriate by the drafting team, with consensus on the stakeholders
(emphasis added), consistent with establishing high quality, enforceable and technically sufficient bulk power
system reliability standards.” The SRC believes the scope of the SAR, and likewise the proposed standard, is
inappropriate to the fundamental reliability purpose of what events need to be reported.
The proposed
administrative requirements are difficult to interpret, implement and measure, and do not clarify what type of
sabotage information entities need to report. Although the use of procedures and an understanding by those
personnel accountable seem helpful for ensuring reports are made, the fundamental purpose of clarifying
what types of events should be reported and more importantly what types do not have to be reported, is
lacking in the standard. Also, one of the first issues identified in the SAR for consideration by the drafting
team seems to be ignored, “Consider whether separate, less burdensome requirements for smaller entities
may be appropriate.” The requirements for entities to develop Operating Plans and to have training for those
plans, further adds uncertainty and increases complexity of how entities, large and small, will have to comply
with this standard.
ISO New England Inc.
No
The proposed requirements in the standard are not focused on the core industry concern that current
requirements are unclear as to what types of events warrant entities to report. Per draft 2 of the SAR, “The
existing requirements need to be revised to be more specific - and there needs to be more clarity in what
sabotage looks like.” Instead this proposed standard includes requirements that are more focused on “how”
to report, rather than “what” to report. The draft 2 SAR has never been balloted for approval prior to standard
drafting. In fact, the SAR states, “The development may include other improvements to the standards deemed
appropriate by the drafting team, with consensus on the stakeholders (emphasis added), consistent with
establishing high quality, enforceable and technically sufficient bulk power system reliability standards.” The
scope of the SAR, and likewise the proposed standard, is inappropriate to the fundamental reliability purpose
of what events need to be reported. The proposed administrative requirements are difficult to interpret,
implement and measure, and do not clarify what type of sabotage information entities need to report.
Although the use of procedures and an understanding by those personnel accountable seems helpful for
ensuring reports are made, the fundamental purpose of clarifying what types of events should be reported
and more importantly what types do not have to be reported, is lacking in the standard. Also, one of the first
issues identified in the SAR for consideration by the drafting team seems to be ignored: “Consider whether
separate, less burdensome requirements for smaller entities may be appropriate.” The requirements for
entities to develop Operating Plans and to have training for those plans, further adds uncertainty and
increases complexity of how entities, large and small, will have to comply with this standard. The term “impact
events” does not draw a clear boundary around those events that are affected by this standard. Since this is
not a defined term, nor is intended to be a defined term in the NERC Glossary, this standard lacks clarity and
is likely to produce significant conflict as an applicable entity attempts to establish procedures to assure
compliance. It appears that situational awareness could not be improved with this standard since it is only
dealing with events after-the-fact, not within the time frame to allow corrective action by the system
operator. This draft standard should not have this high a priority while other standards having a greater impact
on Bulk Electric System reliability remain incomplete or unfinished. Regional reporting requirements should be
in Regional Standards, and not be included in a NERC Standard.
Manitoba Hydro
No
Though new purpose greatly clarifies the proposed EOP-004-2 and using “situational awareness” is the key to
this purpose, further clarification of specific items should be added to the purpose. “Responsible Entities shall
report SIGNIFICANT events to support interconnection situational awareness on events that impact the
integrity of the Bulk Electric System, such as islanding, generation, transmission and load losses, load
shedding, operation errors, IROL/SOL violations, sustained voltage excursions, equipment and protection
failures and on suspected or acts of sabotage.”
Nebraska Public Power District
No
The background states there is no real-time reporting requirement in this standard, but the purpose states a
purpose is for situational awareness. This implies real-time reporting. The purpose clearly identify the
standard is for after the fact reporting to permit analysis of events, trend data, and identify lessons learned.
North Carolina Electric Coops
No
The term “impact event” is not a defined term in the NERC glossary and does not draw a clear boundary or
give concise guidance to aid in event recognition.
Northeast Power Coordinating Council
No
The proposed requirements in the standard are not focused on the core industry concern that current
requirements are unclear as to what types of events warrant entities to report. Per draft 2 of the SAR, “The
existing requirements need to be revised to be more specific - and there needs to be more clarity in what
sabotage looks like.” Instead this proposed standard includes requirements that are more focused on “how”
to report, rather than “what” to report. The draft 2 SAR has never been balloted for approval prior to standard
drafting. In fact, the SAR states, “The development may include other improvements to the standards deemed
appropriate by the drafting team, with consensus on the stakeholders (emphasis added), consistent with
establishing high quality, enforceable and technically sufficient bulk power system reliability standards.” The
scope of the SAR, and likewise the proposed standard, is inappropriate to the fundamental reliability purpose
of what events need to be reported. The proposed administrative requirements are difficult to interpret,
implement and measure, and do not clarify what type of sabotage information entities need to report.
Although the use of procedures and an understanding by those personnel accountable seems helpful for
ensuring reports are made, the fundamental purpose of clarifying what types of events should be reported
and more importantly what types do not have to be reported, is lacking in the standard. Also, one of the first
issues identified in the SAR for consideration by the drafting team seems to be ignored: “Consider whether
separate, less burdensome requirements for smaller entities may be appropriate.” The requirements for
entities to develop Operating Plans and to have training for those plans, further adds uncertainty and
increases complexity of how entities, large and small, will have to comply with this standard. The term “impact
events” does not draw a clear boundary around those events that are affected by this standard. Since this is
not a defined term, nor is intended to be a defined term in the NERC Glossary, this standard lacks clarity and
is likely to produce significant conflict as an applicable entity attempts to establish procedures to assure
compliance. It appears that situational awareness could not be improved with this standard since it is only
dealing with events after-the-fact, not within the time frame to allow corrective action by the system
operator. This draft standard should not have this high a priority while other standards having a greater impact
on Bulk Electric System reliability remain incomplete or unfinished. Regional reporting requirements should be
in Regional Standards, and not be included in a NERC Standard.
Pacific Gas and Electric Company
No
PG&E recognizes this is an after the fact report, however, the purpose statement should reflect the fact that
this proposed standard is for after-the-fact reporting. If the future intent is for this report to replace current
reporting criteria the purpose statement should be expanded to reflect the true intent of the Standard.
PNM Resources
No
PNM believes the purpose statement should reflect the fact that this proposed standard is for after-the-fact
reporting. It is misleading and may have many thinking it is duplicative work.
PSEG Companies
No
The following sentence should be added. "This standard is not intended to be for real-time operations
reporting."
RRI Energy, Inc.
No
The purpose does not need to mention "and the reliability of the Bulk Electric System." This is the
Congressional mandate in FPA Section 215, and could be attached to every Standard, guide, notice and
direction issued by FERC, NERC and Regional Entities. In addition, the purpose references "Responsible
Entities." However, section 4 on "Applicability" references "Functional Entities." These terms should be
consistent. Therefore, the purpose statement of the proposed standard should be corrected to read,
"Functional Entities identified in Section 4 shall report impact events and their known causes to support
situational awareness." CONSIDERATION: Is the phrase "shall report impact events and their known causes"
really a purpose of the Proposed Standard, or is it instead merely a means to achieve the purpose of
situational awareness? If the latter, the purpose statement can be further shortened to read, "Functional
Entities identified in Section 4 shall support situational awareness of impact events and their known causes."
Santee Cooper
No
Since this standard is written to report events after-the-fact and not for a System Operator to perform
corrective action, we believe the words situational awareness should be removed from the purpose.
Situational Awareness is typically used for real-time operations. Also, any events that require reporting should
be clearly defined in Attachment 1 and leave no room for interpretation by an entity.
SERC OC Standards Review Group
No
The term “impact events” does not draw a clear boundary around those events that are affected by this
standard. Since this is not a defined term, nor is intended to be a defined term in the NERC glossary, this
standard lacks clarity and is likely to produce significant conflict as an applicable entity attempts to establish
procedures to assure compliance. It appears that situational awareness could not be improved with this
standard since it is only dealing with events after-the-fact, not within the time frame to allow corrective action
by the system operator.
United Illuminating
No
UI suggests adding the phrase: and the ERO shall provide quarterly reports; Responsible Entities shall report
impact events and their known causes, and the ERO shall provide quarterly reports, to support situational
awareness and the reliability of the Bulk Electric System (BES).
US Bureau of Reclamation
No
The purpose is more closely related to the concept that "Responsible Entities shall document and analyze
impact events and their known causes and disseminate the impact event documentation to support situational
awareness". Not all impact events are to be reported. The analysis of the impact events is what is needed to
achieve a lessons learned.
We Energies
No
Impact event needs to be clarified first, and DP references in Attachment 1 clarified. Distribution is not BES.
WECC
No
The purpose statement should reflect the fact that this proposed standard is for after-the-fact reporting. It is
misleading and may have many thinking it is duplicative work.
ATC
Yes
ATC agrees with the purpose statement. However, we do not agree with the implied definition of “impact
events” as represented in Attachment 1. (See specific comments about what is included in Attachment 1 for
the type of events that qualify as an “impact event”.)
Bonneville Power Administration
Yes
Known causes are difficult under 1 hour reporting requirements (Unusual events are even harder to narrow
down in 24 hours and may take weeks.) The System Operators and RC’s handle situational awareness and
reliability events, this is an extra wide view and learning for reporting only.
Dynegy Inc.
Yes
Statement is broad enough to cover both Standards.
Great River Energy
Yes
Thank you for the clarification of “known causes”, this will allow entities to report what they currently know
when submitting an impact report.
MRO's NERC Standards Review Subcommittee
Yes
Thank you for the clarification of “known causes”, this will allow entities to report what they currently know
when submitting an impact report.
Puget Sound Energy
Yes
However, further definition of "known causes" would be helpful as sometimes the root cause analysis doesn't
uncover the actual cause for some time after the timeframes outlined in Attachment 1.
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
BGE
Yes
City of Austin dba Austin Energy
Yes
City of Garland
Yes
Constellation Power Generation and Constellation Commodities Group
Yes
E.ON Climate & Renewables
Yes
Georgia System Operations Corporation
Yes
Green Country Energy
Yes
Idaho Power Company
Yes
Kansas City Power & Light
Yes
Luminant Energy
Yes
MidAmerican Energy
Yes
Midwest ISO Standards Collaborators
Yes
NERC Staff
Yes
Pacific Northwest Small Public Power Utility Comment Group
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
Tenaska
Yes
TransAlta Corporation
Yes
March 1, 2011
Consideration of Comments on Disturbance & Sabotage Reporting— Project 2009-01
2. Do you agree with the applicable entities in the Applicability Section as well as assignment of applicable entities noted in
Attachment 1? Please explain in the comment box below.
Summary Consideration: There was no consensus amongst stakeholders who responded to this question regarding the
acceptability of the proposed list of functional entities and the assignment of applicable entities in Attachment 1.
Several respondents replied with their concern that the reporting requirements were redundant. The general sentiment was that
unclear responsibility to report a disturbance could trigger a flood of event reports. Attachment 1 has been modified to assign clear
responsibility for reporting, for each category of Impact Event. There was some concern expressed that there could be confusion
between the reporting requirements in this standard, and those found in CIP-008. The DSR SDT agrees, and Attachment 1 Part B,
has been modified to provide the process for the reporting of a Cyber Security Incident.
The DSR SDT had protracted discussions on the applicability of this standard to the LSE. Per the Functional Model the LSE does not
own assets and therefore should not be an applicable entity (no equipment that could experience a “disturbance”). However, the
Registry Criteria contains language that could imply that the LSE does own assets, or is at least responsible for assets. In addition, the
DSR SDT modified Attachment 1 to include reporting of damage or destruction of Critical Cyber Assets per CIP-002. The LSE, as well
as the Interchange Authority and Transmission Service Provider are applicable entities under CIP-002 and should be included for
Impact Events under EOP-004.
There were several comments that the asset owners (GO/TO) would be less likely than the asset operators (GOP/TOP) to be aware
of an impact event. The DSR SDT recognizes that this may be true in some cases, but not all. In order to meet the reliability
objectives of this requirement, the applicability for GO/TO will remain as per Attachment 1.
Organization
Yes or No
Question 2 Comment
American Electric Power (AEP)
No
AEP does not agree with the addition of the Generator Owner to the standard. The Generator Owner does
not have visibility to the real time operational status of a unit. As a result, the Generator Owner lacks the
ability to recognize impact events and report them to the Regional Entity or NERC within the time frames
specified in the standard. Reporting requirements for impact events should be the responsibility of the
Generator Operator.
Arizona Public Service Company
No
AZPS recommends excluding 4.1.7 Distribution Providers, as Distribution Providers generally operate at
levels below 100kV.
ATC
No
The Functional Entities identified in Attachment 1 do not align with the current CIP Standard obligations (e.g.
Load Serving Entities are not included).
CenterPoint Energy
No
CenterPoint Energy does not agree with the addition of Transmission Owner and Distribution Provider to the
Applicability section. Transmission Owner and Distribution provider are not currently applicable entities for
either CIP-001 or EOP-004 and should not be included in the proposed combined standard. However,
CenterPoint Energy does agree that LSE should be removed from the Applicability section. CenterPoint
Energy appreciates the SDT’s efforts in assigning entities to each event in Attachment 1. This is an
improvement over the existing EOP-004 standard. It is clear, however, that with multiple entities responsible
for reporting each event, there is no need to expand the Applicability Section to include Transmission Owner
and Distribution Provider.
Consolidated Edison Co. of NY, Inc.
No
Comments: NERC’s role as the Standard enforcement organization for the power industry will be in conflict if
NERC is also identified as an applicable entity. What compliance organization will audit NERC’s
performance? This is presently not clear.
Constellation Power Generation and Constellation Commodities Group
No
Constellation Power Generation and Constellation Commodities Group disagrees with the inclusion of
Generator Owners. Since one of the goals in revising this standard is to streamline impact event reporting
obligations, Generator Operators are the appropriate entity to manage event reporting as the entity most
aware of events should they arise. At times, the information required to complete a report may warrant input
from entities connected to generation, but the operator remains the best entity to fulfill the reporting obligation.
E.ON Climate & Renewables
No
1. Voltage deviation events are too vague for GOP. How do voltage deviations apply to GOPs or
specifically renewables i.e., wind farms? 2. Define what an “entity” is. 3. Define what a “generating station” is.
4. Define what a “BES facility” is. 5. Define what a control center is. 6. Renewable energy/generators should
be taken into consideration when crafting the events.
E.ON U.S. LLC
No
The proposed standard does not list the Load Serving Entity as an Applicable Entity, but the possible events
that the standard addresses are within the scope of the LSE. Some functions of the LSE listed within the
Functional Model are addressed in the proposed standard. Existing CIP-001-1a and EOP-004-1 are both
applicable to the LSE.
Electric Market Policy
No
Having the ERO as an applicable entity is concerning as they are also the compliance enforcement authority.
The ERO is responsible for multiple requirements in this standard that shape the ultimate actual rules that the
other applicable entities would be required to meet. For example, establishing and maintaining a system for
receiving and distributing impact events, per R1, would be done solely by the ERO, outside of NERC’s open
process. Attachment 1 is troublesome. The time frames listed are not consistent for similar events. For
example, EEAs are either reported within one or 24 hours depending on the nuance. Having multiple entities
reporting the same event is troublesome, i.e., why does a RC have to report an EEA if the BA is going to
report it? This will lead to conflicting reports for the same event. Attachment 1 seems to be consolidating
time frames from other standards into one for reporting. However, we believe this subject is more complex
than this table reveals and the table needs more clarification. Several of the events require filing a written
formal report within one hour. For example, system separation certainly is going to require an “all hands on
deck” response to the actual event. We note that the paragraph above the table in attachment 1 indicates
that a verbal report would be allowed in certain circumstances, but this is the same issue with the formal
report in that the system operators are concerned with the event and not the reporting requirements. There is
already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
ERCOT ISO
No
ERCOT ISO recommends that the Electric Reliability Organization be removed from the standard. The
Electric Reliability Organization should not be responsible for reliability functions and therefore should be
excluded from reliability standards.
Exelon
No
Attachment 1, Part B, footnote 1. A GO is unlikely to know if a fuel supply problem would cause a reliability
concern because one GO may not know the demand for an entire region. Attachment 1, Part B, footnote 1.
What is the definition of an "emergency" related to problems with a fuel supply chain? What time threshold of
projected need would constitute a 1 hour report? Attachment 1, Part A - Voltage Deviations - A GOP may not
be able to make the determination of a +/- 10% voltage deviation for ≥ 15 minutes, this should be a TOP
RC function only. Attachment 1, Part A - Generation Loss of ≥ 2,000 MW for a GO/GOP does not provide
a time threshold. If the 2,000 MW is from a combination of units in a single location, what is the time
threshold for the combined unit loss? Attachment 1, Part A - Damage or destruction of BES equipment
o The event criteria is ambiguous and does not provide clear guidance; specifically, the note needs to provide more
explicit criteria related to parts (iii) and (iv) to remove the need for interpretation especially since this is a 1
hour reportable occurrence. In addition, determination of the aggregate impact of damage may not be
immediately understood - does the 1 hour report time clock start on initiation of event or following confirmation
of event?
o The initiating event needs to explicitly state that it is a physical and not cyber. Events related to
cyber sabotage are reported in accordance with CIP-008, "Cyber Security - Incident Reporting and Response
Planning," and therefore any type of event that is cyber initiated should be removed from this Standard.
o If the damage or destruction is related to a deliberate act, consideration should also be given to coordinating
such reporting with existing required notifications to the NRC and FBI as to not duplicate effort or add
unnecessary burden on the part of a nuclear GO/GOP during a potential security event.
Attachment 1, Part B - Loss of off-site power (grid supply) affecting a nuclear generating station - this event classification should be
removed from EOP-004. The impact of loss of off-site power on a nuclear generation unit is dependent on
the specific plant design and may not result in a loss of generation (i.e., unit trip); furthermore, if a loss of off-site
power were to result in a unit trip, an Emergency Notification System (ENS) would be required to the
Nuclear Regulatory Commission (NRC). The 1 hour notification in EOP-004 on a loss of off-site power (grid
supply) to a nuclear generating station should be commensurate with other federal required notifications.
Depending on the unit design, the notification to the NRC may be 1 hour, 8 hours or none at all.
Consideration should be given to coordinating such reporting with existing required notifications to the NRC
as to not duplicate effort or add unnecessary burden on the part of a nuclear GO/GOP during a potential
transient on the unit. Attachment 1, Part B - Forced intrusion at a BES facility - Consideration should also be
given to coordinating such reporting with existing required notifications to the NRC and FBI as to not duplicate
effort or add unnecessary burden on the part of a nuclear GO/GOP during a potential security event.
Attachment 1, Part B - Risk to BES equipment from a non-environmental physical threat - this event leaves
the interpretation of what constitutes a "risk" with the reporting entity. Need more specific criteria for this
event. Attachment 1, Part B - Detection of a cyber intrusion to critical cyber assets - Events related to cyber
sabotage are reported in accordance with CIP-008, "Cyber Security - Incident Reporting and Response
Planning," and therefore any type of event that is cyber initiated should be removed from this Standard.
FirstEnergy
No
We do not support the ERO as an applicable entity of a reliability standard because they are not a user,
owner or operator of the bulk electric system. Any expectation of the ERO should be defined in the Rules of
Procedure.
Georgia System Operations Corporation
No
This standard should not apply to distribution systems or Distribution Providers. It should apply only to the BES.
Georgia Transmission Corporation
No
These events generally are Operator Functions and should not apply to a TO.
1. Energy Emergency requiring system-wide voltage reduction
2. Loss of firm load greater than 15 min.
3. Transmission loss (multiple BES transmission elements)
4. Damage or destruction to BES equipment (thru operational error or equipment failure)
5. Loss of off-site power affecting a nuclear generating station
Indeck Energy Services
No
---ERO should not be included in this or any other standard! FERC can decide whether NERC is doing a
good job without having standards requirements to audit to. If NERC needs to be included in a standard, then
it should be a stand-alone one so that the RSAW for all of the other audits don't need to include those
requirements.
---"Loss of off-site power (grid supply)" is important at control centers and other large
generators. The SDT must use a well-defined standard such as potentially cause a Reportable Disturbance,
to differentiate significant events from others.
---"Footnote 1. Report if problems with the fuel supply chain
result in the projected need for emergency actions to manage reliability." is ambiguous. Everything in the
Standards program can "Affecting BES reliability". The SDT must use a well-defined standard such as
potentially cause a Reportable Disturbance, to differentiate significant events from others.
---"Footnote 2.
Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is
not reportable unless it effects the reliability of the BES)." is well intentioned but ambiguous. For example, if I
know the motivation is to blow up the plant, then by this footnote, I don't have to report. The SDT must use a
well-defined standard such as potentially cause a Reportable Disturbance, to differentiate significant events
from others.
---All terms should be used from or added to the Glossary.
Independent Electricity System Operator
No
We do not agree with the inclusion of TO and GO. They are not operating entities and do not need to collect
or provide information pertaining to impact events, which are the results and phenomena observed under
operating conditions in the operation horizon, and such information collection and provision are the
responsibility of the TOP and GOP.
IRC Standards Review Committee
No
Entities that have information about possible sabotage events should report these to NERC after the fact and
the standard should simply reflect that. While we agree with the list of functional entities identified in the
Applicability Section, we do not agree with their application in Attachment 1. As the functional entities are
identified in Attachment 1, there is likely going to be duplicate reporting. Why should both the RC and BA
submit a report for an EEA for example?
ISO New England Inc.
No
Having the ERO as an applicable entity raises the issue that they are also the compliance enforcement
authority. The ERO is responsible for multiple requirements in this standard that shape the ultimate actual
rules that the other applicable entities would be required to meet. For example, establishing and maintaining
a system for receiving and distributing impact events, per R1, would be done solely by the ERO, outside of
NERC’s open process. NERC has also offered the opinion that since NERC is not a “user, owner, or
operator” Standards are not enforceable against the ERO. In Attachment 1 the time frames listed are not
consistent for similar events. For example, EEAs are either reported within one or 24 hours depending on the
nuance. Having multiple entities reporting the same event is troublesome, i.e., why does a RC have to report
an EEA if the BA is going to report it? This will lead to unnecessary and possibly conflicting reports for the
same event. Attachment 1 seems to be consolidating time frames from other standards into one for reporting.
However, this subject is more complex than this table reveals, and the table needs more clarification. Entities
that have information about possible sabotage events should report these to NERC after the fact, and the
standard should simply reflect that. While we agree with the list of functional entities identified in the
Applicability Section, we do not agree with their application in Attachment 1. As the functional entities are
identified in Attachment 1, it is likely that there is going to be duplicate reporting. Several of the events
require filing a written formal report within one hour. For example, system separation is going to require an
“all hands on deck” response to the actual event. The paragraph above the table in Attachment 1 indicates
that a verbal report would be allowed in certain circumstances, but this is the same issue with the formal
report in that the system operators are concerned with the event and not the reporting requirements. There is
already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements through NERC that cross federal agency jurisdictions.
Luminant Energy
No
Inclusion of both GO and GOP will result in duplicate reporting as both are responsible for reporting resource-related events such as Generation Loss, Fuel Supply Emergencies and Loss of Off-site power (grid supply).
Recommend including only the GOP as it is critical that the GOP gather and communicate relevant
information to the Reliability Coordinator.
Manitoba Hydro
No
Since this Standard is to support situational awareness, more entities should be included such as Load
Serving Entities (which was removed from EOP-004-1).
MidAmerican Energy
No
While we agree with the list of functional entities identified in the Applicability Section, we do not agree with
their application in Attachment 1. As the functional entities are identified in Attachment 1, there is likely going
to be duplicate reporting. Why should both the RC and BA submit a report for an energy emergency requiring
public appeals?
Midwest ISO Standards Collaborators
No
While we agree with the list of functional entities identified in the Applicability Section, we do not agree with
their application in Attachment 1. As the functional entities are identified in Attachment 1, there is likely going
to be duplicate reporting. Why should both the RC and BA submit a report for an energy emergency requiring
public appeals?
North Carolina Electric Coops
No
There is a conflict between the ERO being listed as an applicable entity and the fact that the ERO is the
compliance enforcement authority. The ERO is responsible for multiple requirements in this standard that
other applicable entities would be required to meet. Attachment 1 has inconsistent time frames listed for
similar events. For example, EEA’s are either reported within one or 24 hours depending on the nuance.
Also, having more than one entity reporting an EEA can lead to conflicting information for the same event.
Attachment 1 has the RC and the BA both reporting the same EEA event. Attachment 1 consolidates time
frames from other standards for reporting purposes. There should either be a separate standard for
“reporting” that encompasses reporting requirements for all standards or leave the time frames and reporting
requirements in the original individual standards. Several of the events require filing a written formal report
within one hour. For large events like cascading outages or system separation, “all hands on deck” attention
will need to be given to the actual event. Although a verbal report would be allowed in certain circumstances,
attention to the actual event should take precedence over formal reporting requirements. There is already a
DOE requirement to report certain events and no need to develop redundant reporting requirements in the
NERC arena when this information is already available at the federal level at other agencies.
Northeast Power Coordinating Council
No
Having the ERO as an applicable entity raises the issue that they are also the compliance enforcement
authority. The ERO is responsible for multiple requirements in this standard that shape the ultimate actual
rules that the other applicable entities would be required to meet. For example, establishing and maintaining
a system for receiving and distributing impact events, per R1, would be done solely by the ERO, outside of
NERC’s open process.
NERC has also offered the opinion that since NERC is not a “user, owner, or
operator” Standards are not enforceable against the ERO. In Attachment 1 the time frames listed are not
consistent for similar events. For example, EEAs are either reported within one or 24 hours depending on the
nuance. Having multiple entities reporting the same event is troublesome, i.e., why does a RC have to report
an EEA if the BA is going to report it? This will lead to unnecessary and possibly conflicting reports for the
same event. Attachment 1 seems to be consolidating time frames from other standards into one for reporting.
However, this subject is more complex than this table reveals, and the table needs more clarification. Entities
that have information about possible sabotage events should report these to NERC after the fact, and the
standard should simply reflect that.
While we agree with the list of functional entities identified in the
Applicability Section, we do not agree with their application in Attachment 1. As the functional entities are
identified in Attachment 1, it is likely that there is going to be duplicate reporting. Several of the events
require filing a written formal report within one hour. For example, system separation is going to require an
“all hands on deck” response to the actual event. The paragraph above the table in Attachment 1 indicates
that a verbal report would be allowed in certain circumstances, but this is the same issue with the formal
report in that the system operators are concerned with the event and not the reporting requirements. There is
already a DOE requirement to report certain events.
We see no need to develop redundant reporting
requirements through NERC that cross federal agency jurisdictions.
Pacific Gas and Electric Company
No
PG&E recognizes the ERO is in R1, however, it does not see where the ERO’s applicability is applied in
Attachment 1.
Pacific Northwest Small Public Power Utility Comment Group
No
See #15
PNM Resources
No
PNM OTS does not see where the ERO’s applicability is applied in Attachment 1.
PPL Electric Utilities
No
While we agree with the applicable entities in the Applicability Section of the revised standard, we would like
the SDT to reconsider the applicable entities identified on Attachment 1, specifically regarding duplication of
reporting e.g. should TO and TOP report?
PPL Supply
No
While we agree with the list of functional entities identified in the Applicability Section, we do not agree with
assignment of applicable entities noted in Attachment 1. As the functional entities are identified in Attachment
1, there will likely be duplicate reporting for many impact events. By applying reporting responsibilities to both
the Gen Owner and Gen Operator, this will result in duplicate reporting for plants with multiple owners. It also
increases the burden on the Gen Operator who is required to report the event to NERC and to other Gen
Owners in a timely manner to allow other Gen Owners to meet the NERC reporting timeline. We suggest that
the reporting requirements associated with generators be applied to the Gen Operator only.
RRI Energy, Inc.
No
Agree with the "Applicability" section functional categories. Agree with the Attachment 1 lists of "Entity with
Reporting Responsibility," with the following exceptions: PART A "Damage or Destruction of BES Equipment" - This item has a footnote 1 listed, but nothing at the bottom of the page for a footnote. Assuming the footnote
reference is intended to reference the "Examples" at the bottom of the page, the following concerns exist: (i)
"critical asset" - Is this term intended to reference a "Critical Asset" identified pursuant to the CIP-002 risk-based assessment methodology? If so, it should be capitalized. If not, who determines what constitutes a
lower case "critical asset"? (ii) "Significantly affects the reliability margin of the system..." - If this is intended
to be enforceable, several words need significant clarification and definition, such as "Significantly," "reliability
margin," "system" (BES?), "potential," and "emergency action." The combined ambiguity of just two of those
phrases would most likely result in a court holding this statement as so vague as to be unenforceable. The
combined lack of clarity of all the highlighted words or phrases render this sentence meaningless. (iii)
"Damaged or destroyed due to a non-environmental external cause" - "Non-environmental external cause"
should be a defined term because, as is the case in item (ii) above, it is vague and subject to broad, random
or arbitrary interpretation. Part B provides examples of "non-environmental physical threat" for "Risk to BES
equipment." Those examples could be referenced here, or different examples included that are more
applicable to the Event. The items highlighted in items (ii) and (iii) above are very similar to the unintended
string of CIP-001 violations that Registered Entities experienced in 2007 and 2008 for failing to provide their
own definition of "sabotage" under a sabotage reporting standard that failed to provide any guidance to the
industry within the standard as to what constituted "sabotage." PART B "Detection of a cyber intrusion to
critical cyber assets" - Capitalize "Critical Cyber Asset."
Santee Cooper
No
Standards cannot be applicable to an ERO because they are the compliance enforcement authority, and the
ERO is not a user, owner, or operator of the BES. Since we are reporting events that may affect the BES,
why does a DP need to be included as an applicable entity for this standard? If the DOE form is going to
continue to be required by DOE, then NERC should accept this form. Entities do not have time to fill out
duplicate forms within the time limits allowed for an event. This is burdensome on an entity. If NERC is going
to require a separate reporting of events from DOE, then NERC should look at these events closely to
determine if any of the defined events should be eliminated or modified from the current DOE form. (For
example: Is shedding 100 MW of firm load really a threat to the BES?) Why does Attachment 1 have multiple
entities reporting the same event? An RC should not have to report an EEA if the BA is required to report it.
This will lead to conflicting reports for the same event. Attachment 1 is just a consolidation of the time frame
from other standards. It appears no review was done for consistency of time frames for similar events.
SERC OC Standards Review Group
No
We find it interesting that the ERO is listed as an applicable entity. The ERO can’t be an applicable entity
because they are the compliance enforcement authority. The ERO is responsible for multiple requirements in
this standard that shape the ultimate actual rules that the other applicable entities would be required to meet.
NERC seems to be attempting to evade FERC jurisdiction by having a standard that enables it to write new
rules that don’t pass through the normal standards development process with ultimate approval by
FERC. Attachment 1 is troublesome. The time frames listed are not consistent for similar events. For
example, EEAs are either reported within one or 24 hours depending on the nuance. Having multiple entities
reporting the same event is troublesome, i.e., why does an RC have to report an EEA if the BA is going to
report it? This will lead to conflicting reports for the same event. Attachment 1 seems to be consolidating
time frames from other standards into one for reporting. However, we believe this subject is more complex
than this table reveals and the table needs more clarification or it should be eliminated and leave the time
frames in the other standards. Several of the events require filing a written formal report within one hour. For
example, system separation certainly is going to require an “all hands on deck” response to the actual event.
We note that the paragraph above the table in attachment 1 indicates that a verbal report would be allowed in
certain circumstances, but this is the same issue with the formal report in that the system operators are
concerned with the event and not the reporting requirements. There is already a DOE requirement to report
certain events. We see no need to develop redundant reporting requirements in the NERC arena that cross
other federal agency jurisdictions.
Southern Company - Transmission
No
We find it interesting that the ERO is listed as an applicable entity. The ERO is responsible for multiple
requirements in this standard that shapes the ultimate actual rules that the other applicable entities would be
required to meet. Can the NERC/ERO be accountable for a feedback loop to the industry? Feedback is
preferable but would NERC/ERO self-report a violation to the requirement?
We Energies
No
The need for a DP to be included needs to be clarified. The Purpose points to BES. A DP does not have
BES equipment.
WECC
No
The ERO’s applicability is not applied in Attachment 1.
Great River Energy
Yes
We believe that it is important for the ERO to provide valuable Lessons learned to our electrical industry, thus
enhancing the reliability of the BES.
Kansas City Power & Light
Yes
Consideration should be given to the need for a preliminary impact event report to be filed by the Reliability
Coordinator and the Registered Entity. If two reports should be filed, should they both contain the same
information.
MRO's NERC Standards Review Subcommittee
Yes
The NSRS believes it is important for the ERO to provide valuable Lessons learned to our electrical industry,
thus enhancing the reliability of the BES.
TransAlta Corporation
Yes
Electrical Reliability Organization (ERO) does not appear to be a defined term in the NERC Glossary of
Terms on the NERC website. Last updated April 20, 2010.
US Bureau of Reclamation
Yes
The question is focused on a limited area of Attachment A. The other problematic areas of Attachment 1
will be addressed in subsequent comments.
Ameren
Yes
ATCO Electric Ltd.
Yes
BGE
Yes
Bonneville Power Administration
Yes
City of Austin dba Austin Energy
Yes
City of Garland
Yes
Duke Energy
Yes
Dynegy Inc.
Yes
Green Country Energy
Yes
Idaho Power Company
Yes
Nebraska Public Power District
Yes
NERC Staff
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
Puget Sound Energy
Yes
Tenaska
Yes
United Illuminating
Yes
3. Do you agree with the requirement R1 and measure M1? Please explain in the comment box below.
Summary Consideration: There was no consensus amongst stakeholders who responded to this question. There was strong
support for a central system for receiving and distributing impact event reports (a/k/a one stop shopping). There was general
agreement that NERC was the most likely, logical entity to perform that function. However, several respondents expressed their
concern that the ERO could not be compelled to do so by a requirement in a Reliability Standard (not a User, Owner or Operator of
the BES). In their own comments, NERC did not oppose the concept, but suggested that the more appropriate place to assign this
responsibility would be the NERC Rules of Procedure. The DSR SDT concurs. The DSR SDT has removed the requirement from the
standard and is proposing to make revisions to the NERC Rules of Procedure as follows:
812. NERC will establish a system to collect impact event reports as established for this section, from any Registered Entities,
pertaining to data requirements identified in Section 800 of this Procedure. Upon receipt of the submitted report, the
system shall then forward the report to the appropriate NERC departments, applicable regional entities, other designated
registered entities, and to appropriate governmental, law enforcement, regulatory agencies as necessary. These reports
shall be forwarded to the Federal Energy Regulatory Commission for impact events that occur in the United States. This can
include state, federal, and provincial organizations. The ERO shall solicit contact information from Registered Entities
appropriate governmental, law enforcement and regulatory agencies contact information for distributing reports.
The DSR SDT also believes NERC’s additional concern about what data is applicable is addressed by the revisions to Attachment 1,
and the inclusion of the OE-417 as an acceptable interim vehicle.
Organization
Yes or No
Question 3 Comment
WECC
R1 is appropriate for after-the-fact reporting. However, as proposed this standard eliminates all real-time
notifications, including the CIP-001-1 R3 notice to appropriate parties in the Interconnection. New
requirement R2.6 lists external parties to notify but it does not include the Reliability Coordinator. It is
important that the RC be notified of suspected sabotage. The RC’s wide-area interconnection view and
interaction with BAs may help recognize coordinated sabotage actions. Any “impact event” where sabotage is
suspected as the root cause should require additional and real-time notifications.
ATC
No
ATC does not agree with R1 for three reasons: 1. The ERO cannot be assigned obligations in NERC
Standards. The requirements for the ERO should be addressed by a revision to Section 801 of the Rules of
Procedure. 2. This is a fill-in-the-blank requirement. The requirement, positioned as R1, does not allow for the
obligations to be clearly defined. It refers to R6 which refers to R2 and Attachment 1. A clearer structure to
the Standard would be to simply state that the Functional Entities have to meet the reporting obligations
documented in Attachment 1 and delete the current R1.
BGE
No
R1. With the definition of "Impact Event", are we eliminating the term "Disturbance Reporting"? If we
eliminate disturbance reporting, SDT should remove the reference from the Summary of Concepts and from
the title, otherwise further definition on the distinction between the two terms is needed. R1. What is the
"system" described here? What type of system is anticipated - electronic, programmatic or can it be better
described by using “standard reporting form”? M1. Needs to seek evidence that the "system" was used for
receiving reports, as well as distributing them. M1. Examples are more appropriately used in guidance
documentation than in the standard. Rationale for R1 - Final statement regarding OE-417 needs to be
removed. The ERO will establish the requirement in their “system” if the standard remains as is. The
Requirement does not require the responsible entities to send OE-417 to DOE.
CenterPoint Energy
No
The ERO does not need to establish a “system for receiving reports” as the “system for receiving reports” is
inherent given the requirements for reporting.
The requirement also seems to add redundancy versus
eliminating redundancy in the distribution of reports to applicable government, provincial or law enforcement
agencies on matters already reported by Responsible Entities. If an event is suspected to be an intentional
criminal act, i.e. “sabotage”, the Responsible Entity would have contacted appropriate provincial or law
enforcement agencies. The ERO is not in a position to add meaningful value to these reports as any
information the ERO may provide is second hand. CenterPoint Energy recommends R1 and M1 be deleted.
City of Garland
No
Reason 1: Most of this is duplication of existing processes - More “Big Government” and/or “Overhead” is not
needed. There are already processes in place to notify “real time” 24 X 7 organizations that take action (RC,
BA, TOP, DOE, FBI, Local Law Enforcement, etc) in response to an “impact event”. It is stated in your
document on page five (5) “The proposed standard deals exclusively with after-the-fact reporting.” The
combining of CIP 001 & EOP 004 should not expand on existing implemented reporting requirements nor
should it result in NERC forming a 24 X 7 department to handle 1 hour (near real time) reporting
requirements. Reason 2: If this should go forward as drafted, NERC should not establish a “clearing house” for
reporting requirements for Registered Entities without also taking legal responsibility for distributing those
reports to required entities. It states in at least 2 places (Page 6 & Page 22) in the document that Responsible
Entities are ultimately responsible for ensuring that OE-417 is received at the DOE. Thus, a Registered Entity
could be penalized for violating this new standard if it did not file the reports with NERC or it could still be
penalized (both criminal & civil) if they filed the reports with NERC but NERC (for whatever reason) did not
follow through with ensuring the report was properly filed at the DOE.
Consolidated Edison Co. of NY, Inc.
No
See response to Question 2.
Duke Energy
No
The requirement again states the intent is to “enhance and support situational awareness”, which doesn’t
sync with “after-the-fact reporting”. We question why NERC needs to create this report and system for
distributing impact event reports to various organizations and agencies for after-the-fact reporting, when we
are still required to make real-time reports under other standards. For example, the Rationale specifically
recognizes that this standard won’t release us from the DOE’s OE-417 reporting requirement. We don’t see
that this provides value, unless NERC can find a way to eliminate redundancy in reporting.
Electric Market Policy
No
Having the ERO as an applicable entity is concerning as they are also the compliance enforcement authority.
The ERO is responsible for multiple requirements in this standard that shape the ultimate actual rules that the
other applicable entities would be required to meet. Establishing and maintaining a system for receiving and
distributing impact events, per R1, would be done solely by the ERO, outside of NERC’s open process. At
this stage it is not clear how the ERO will develop or effectively maintain a list of “applicable government,
provincial or law enforcement agencies” for distribution as defined in R1. The “rationale for R1” states that
OE-417 could be included as part of the electronic form, but responsible entities will ultimately be responsible
for ensuring that OE-417 reports are received at DOE. This requirement needs to be more definitive with
respect to OE-417. It seems like the better approach would be for the entities to complete OE-417 form and
this standard simply require a copy.
ERCOT ISO
No
Recommend that requirements for the Electric Reliability Organization be removed. However, if the
requirements are retained, ERCOT ISO recommends the following wording change to be consistent with
other standards. “R1. The ERO shall create, implement, and maintain a system for receiving and distributing
impact event reports, received pursuant to Requirement R6, to applicable government, provincial or law
enforcement agencies and Registered Entities to enhance and support situational awareness.”
Exelon
No
This requirement should include explicit communications to the NRC (if applicable) of any reports including a
nuclear generating unit as a jurisdictional agency to ensure notifications to other external agencies are
coordinated with the NRC.
Depending on the event, a nuclear generator operator (NRC licensee) has
specific regulatory requirements to notify the NRC for certain notifications to other governmental agencies in
accordance with 10 CFR 50.72(b)(2)(xi). In general, the DSR SDT should include discussions with the NRC
to ensure communications are coordinated or consider utilizing existing reporting requirements currently
required by the NRC for each nuclear generator operator for consistency.
FirstEnergy
No
FirstEnergy proposes that requirement R1 and Measure M1 be deleted. A requirement assignment to the ERO
is problematic and should not appear in a reliability standard. The team should keep in mind that all
requirements will require VSL assignments that form the basis of sanctions. FE does not believe it is
appropriate for the ERO to be exposed to a compliance violation investigation as the ERO is not a functional
entity as envisioned by the Functional Model. If this "after-the-fact" reporting is truly needed for reliability then
the standard must be written in a manner that does not obligate the ERO to reliability requirements. It would
be acceptable and appropriate for a requirement to reference the "ERO Process" desired by R1, however,
that process should be reflected in the Rules of Procedure and not a reliability standard.
Indeck Energy Services
No
This standard is an inappropriate place to define this requirement. NERC needs to be held accountable, but it
should be independent of the standard. What if NERC fails to do it by the effective date of the standard, all
Registered Entities will violate the standard until NERC is done. The effective date needs to be set based on
NERC completing the system defined in R1.
Independent Electricity System Operator
No
R1 does not directly convey the need for reporting. The requirement could be written to require the
responsible entities to report impact events to the ERO using a process to be described in the standard and
according to a set of reporting criteria. Whether or not there is a “system” makes little difference if it complies
with the requirement to provide the reports on time. In addition, an ERO established system which, without
being included in the standard and posted for public comment and eventually balloted, may not be acceptable
to the entities that are responsible for reporting to the ERO. Further, a reliability standard should not need to
bother with how the ERO disseminates this information to applicable government, provincial or law
enforcement agencies. This is the obligation of the ERO and if required, can be included in the Rules of
Procedure.
ISO New England Inc.
No
Having the ERO as an applicable entity raises a concern because they are also the Compliance Enforcement
Authority. The ERO is responsible for multiple requirements in this standard that shape the ultimate actual
rules that the other applicable entities would be required to meet. Establishing and maintaining a system for
receiving and distributing impact events, per R1, would be done solely by the ERO, outside of NERC’s open
process. At this stage it is not clear how the ERO will develop or effectively maintain a list of “applicable
government, provincial or law enforcement agencies” for distribution as defined in R1. The “rationale for R1”
states that OE-417 could be included as part of the electronic form, but responsible entities will ultimately be
responsible for ensuring that OE-417 reports are received at DOE. This requirement needs to be more
definitive with respect to OE-417. The better approach would be for the entities to complete OE-417 form and
this standard simply require a copy.
MidAmerican Energy
No
NERC Staff
No
NERC staff is concerned about this requirement’s applicability to the ERO. We feel that such a responsibility
needs mentioning in the Rules of Procedure, the Compliance Monitoring and Enforcement Program (CMEP),
or in a guideline document rather than in a standard requirement. Further, the requirement specifies “how” to
manage the event data, not “what” should be monitored.
North Carolina Electric Coops
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority.
Northeast Power Coordinating Council
No
Having the ERO as an applicable entity raises a concern because they are also the Compliance Enforcement
Authority. The ERO is responsible for multiple requirements in this standard that shape the ultimate actual
rules that the other applicable entities would be required to meet. Establishing and maintaining a system for
receiving and distributing impact events, per R1, would be done solely by the ERO, outside of NERC’s open
process. At this stage it is not clear how the ERO will develop or effectively maintain a list of “applicable
government, provincial or law enforcement agencies” for distribution as defined in R1. The “rationale for R1”
states that OE-417 could be included as part of the electronic form, but responsible entities will ultimately be
responsible for ensuring that OE-417 reports are received at DOE. This requirement needs to be more
definitive with respect to OE-417. The better approach would be for the entities to complete OE-417 form and
this standard simply require a copy.
Puget Sound Energy
No
The language of R1 and M1 does not support the DSR SDT’s goal of having a single form and system for
reporting. The standard should specify the form and system rather than deferring that decision to the ERO.
The language of R1 and M1 leaves the form and system to the ERO’s discretion, which could lead to multiple
forms and frequent revisions to them. This would lead to difficulties in tracking the reporting requirements. In
addition, it is impossible to comment intelligently regarding the overall impact of the proposed standard and its
requirements and measures without the reporting form and system being specified in the standard.
Santee Cooper
No
It cannot apply to the ERO.
SERC OC Standards Review Group
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority. The
governance in this situation appears incomplete.
US Bureau of Reclamation
No
This standard should describe the ERO process of event documentation, analysis, and dissemination.
Allowing the ERO to develop an event documentation, analysis, and dissemination process, which becomes a
requirement on the Entities, must be derived through the Standards Development Process. The requirement,
as it is currently worded, allows the ERO to develop standard requirements. If the intent is to only develop a
means of collecting, which does not impose a requirement, the wording should state so. Otherwise, if the
ERO wants to require that reports are posted to a specific location by the Entity, then it is a requirement and
must go through the Standards Development Process. Secondly, there is already a single reporting form
identified. It is not clear why the SDT could not accept that form as the reporting tool.
American Electric Power (AEP)
Yes
Overall we support the concepts; however, it is unclear if the ERO can be held accountable for compliance
with NERC Requirements. If this requirement is removed there needs to be some mechanism for the ERO to
establish a single clearinghouse.
City of Austin dba Austin Energy
Yes
Austin Energy would like to see OE-417 incorporated into the electronic form. This will reduce the callout of
EOP-004-2 and OE-417 forms in our checklists / documents and one form can be submitted to NERC and
DOE.
E.ON Climate & Renewables
Yes
A generic ERCO approved electronic (form that can be submitted on-line) reporting form will help to add more
clarity & consistency to the Impact event reporting process.
Georgia System Operations Corporation
Yes
Yes it would reduce duplication of effort and should ensure that the various entities and agencies all have
consistent information. It should be simpler and quicker to file than what is needed to meet the current
standard. However, the system should allow for partial reporting and hierarchical reporting. Entities up the
ladder in a reporting hierarchy may fill in additional info (usually from a wider scope of view) than what lower
level entities are aware of. It would be better for information to go up a hierarchy than for bits and pieces to go
to the ERO from many entities. Terminology may be different in each of the bits and pieces yet the same idea
may be intended. The ERO may mistake multiple reports as being different events when they are all related to
one event. The system should give an entity the ability to select the entities that should receive the impact
event report. If hierarchical reporting is not enabled by the system, then entities should be allowed to work out
a reporting hierarchy as a group and entities at lower levels should not be required to report over the NERC
system. Some higher level entity would enter the information on the NERC system as coordinated by the
entities within a group.
Idaho Power Company
Yes
The SDT must ensure that only a single form is required for compliance (such example OE-417)
IRC Standards Review Committee
Yes
Note that ERCOT does not sign on to this particular comment.
Kansas City Power & Light
Yes
Although we support situational awareness for the other registered entities, impact event reports should be
distributed anonymously to communicate the information while protecting the registered entity.
Manitoba Hydro
Yes
Yes, keeping R1 generic and pointing to “government”, “Provincial”, “law” encompasses all entities in all major
interconnections.
PacifiCorp
Yes
All efforts need to be made to include OE-417 reporting requirements to safeguard against duplicate reporting
and / or delinquent reporting. One report for all events is more preferable than multiple reports for one event.
RRI Energy, Inc.
Yes
While including the phrase "to enhance and support situational awareness" is a good use of the Results-Based Standards development tools and framework, the phrase is already included in the purpose statement.
As such, it is unnecessary in Requirement 1. If it were to be included in Requirement 1, then it would also
need to be included in each of the other Requirements 2 through 8. The "Purpose" statement captures this
aptly.
Southern Company - Transmission
Yes
We do have one concern in that we are hopeful that NERC will develop a system that will allow a one stop
shop of reporting.
Ameren
Yes
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
Bonneville Power Administration
Yes
Constellation Power Generation and Constellation Commodities Group
Yes
Dynegy Inc.
Yes
Great River Energy
Yes
Green Country Energy
Yes
Luminant Energy
Yes
Midwest ISO Standards Collaborators
Yes
MRO's NERC Standards Review Subcommittee
Yes
Nebraska Public Power District
Yes
Pacific Gas and Electric Company
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PNM Resources
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
Tenaska
Yes
TransAlta Corporation
Yes
United Illuminating
Yes
We Energies
Yes
4. Do you agree with the requirement R2 and measure M2? Please explain in the comment box below.
Summary Consideration:
Most stakeholders who responded to this question indicated disagreement with Requirement R2 and
M2 as originally proposed. There were objections to the use of the term “Operating Plan” to describe the procedure to identify and
report the occurrence of a disturbance. The DSR SDT concurs, and Operating plan has been replaced with the generic term
“procedure” where appropriate believe that the use of a defined term is appropriate and has revised Requirement 1 to include
Operating Plan, Operating Process and Operating Procedure.
R1. Each Responsible Entity shall have an Impact Event Operating Plan that includes [Violation Risk Factor: Medium] [Time Horizon:
Long-term Planning]:
1.1. An Operating Process for identifying Impact Events listed in Attachment 1.
1.2. An Operating Procedure for gathering information for Attachment 2 regarding observed Impact Events listed in
Attachment 1.
1.3. An Operating Process for communicating recognized Impact Events to the following:
1.3.1. Internal company personnel notification(s).
1.3.2. External organizations to notify to include but not limited to the Responsible Entities’ Reliability Coordinator,
NERC, Responsible Entities’ Regional Entity, Law Enforcement, and Governmental or Provincial Agencies.
1.4. Provision(s) for updating the Impact Event Operating Plan within 90 days of any change to its content.
Other requirements reference the Operating Plan as appropriate. The requirements of EOP-004 fit precisely into the definition of
Operating Plan:
Operating Plan: A document that identifies a group of activities that may be used to achieve some goal. An Operating Plan
may contain Operating Procedures and Operating Processes. A company-specific system restoration plan that includes an
Operating Procedure for black-starting units, Operating Processes for communicating restoration progress with other
entities, etc., is an example of an Operating Plan.
Note R2 has been moved to R1 due to elimination of original R1. Many commenters felt that the requirements around updating the
Operating Plan were too prescriptive, and impossible to comply with during the time frame allowed. The DSR SDT agrees, and
Requirement R2 Parts 2.5 through 2.9 have been eliminated. They have been replaced with Requirement R1, Part 1.4 to update the
Operating Plan within 90 days of any change to content.
Organization
Yes or No
Question 4 Comment
Bonneville Power Administration
As long as the 2.4 list is position based, not based on each individual that fills the position. (There is a
concern of listing all 2.4 monitoring/reporting personnel in the company that cover the impact event, since
there are different function groups and shift work. Documentation trails are difficult with personnel changes.)
Because the CIP is being added, it requires an Operating Plan (instead of procedure) with 30 day revision
timelines, so it increases the burden for electrical grid event reporting function. R2.9 language refers to R8
“annual” report; however R8 language is “quarterly” reporting of past year. It appears this standard is going to
be in an update status 4 times per year, plus any event modifications plus personnel changes. This could be
overly burdensome due to the expanding world of cyber security.
Ameren
No
While we agree with the intent to list certain minimum requirements for the Operating Plan, the draft list is too
lengthy and prescriptive. This merely creates opportunities for failure to comply rather than the real purpose of
reporting data that can be used to meaningfully increase the reliability of the BES by identifying trends of
events that may otherwise be ignored.
American Electric Power (AEP)
No
Component 2.2 “Method(s) of assessing cause(s) of impact events” is very vague. Furthermore, there are
concerns whether these methods can be accomplished within one hour as might be required per Attachment
1, in addition to operating the system. Component 2.6 - need to add the statement “as appropriate for type of
impact event” Components 2.7 through 2.9 - are good concepts to consider for future inclusion, but at this
point in time these appear to be overreaching objectives. We recommend the SDT take smaller increments
towards future progress at a measured and reasonable pace. Furthermore, if Component 2.9 is retained it
should only pertain to lessons learned on the reporting of impact events not all recommendations regarding
remediation of the impact events themselves. Furthermore, the 30 day window to update the Operating Plans
is aggressive considering the other priorities that may be present day to day.
ATC
No
The requirement should be rewritten to simply state that the Functional Entity has to meet the reporting
obligations documented in Attachment 1. How the Functional Entity meets the obligations documented in
Attachment 1 should be determined by the Functional Entity, not the requirement. The prescriptive nature of
this requirement does not support the performance-based Standards that the industry and NERC are striving
towards. In addition, requirement 2.9 creates an alternate method for NERC to develop Standards outside of
the ANSI process. This requirement dictates that Functional Entities are required to incorporate lessons
learned from NERC reports into their Plan, which is a requirement of this Standard.
BGE
No
R2.1 Creates the opportunity for differences in identifying impact events. BGE recommends additional clarity
in the statement. Are we to use Attachment 1 as a “bright line” or can we use our Operating Plan to identify
what an impact event is? R2.4 - 2.6 Does a standard need to specify both internal and external lists? 2.7 - is
“component” defined anywhere? Is it a component of the BES or a component of the Operating Plan or a
component of the three lists in 2.4 to 2.6? Rationale --- Parts 3.3 and 3.4?? Do you mean 2.3 and 2.4? Is the
Operating Plan under scrutiny (mandatory and compensable) for all items in the last paragraph of the
rationale?
CenterPoint Energy
No
CenterPoint Energy does not agree with R2 and M2 as they are focused on process and procedure.
Compliance with a reporting requirement should be based on a complete and accurate report submitted in a
timely manner. The process an entity uses to accomplish that task is of no consequence. CenterPoint Energy
recommends R2 and M2 be deleted. However, if the SDT feels it is necessary to include this process based
requirement, CenterPoint Energy believes the SDT, in requiring an overly prescriptive Operating Plan, has
expanded the requirement beyond the current CIP-001-1 and EOP-004-1 which only require “...procedures for
the recognition of and for making operating personnel aware...” (CIP-001-1) and “...shall promptly analyze...”
(EOP-004-1). Specifically, R2.2 is not found in the current Standards. “Methods for assessing cause(s) of
impact events” would vary greatly depending upon the type and severity of the event. Responsible Entities
would have a difficult time cataloging these various methods to any specific degree and if they are not specific
then CenterPoint Energy questions their value in a documented method. R2.3 is not found in the current
Standards and is an unnecessary requirement as the method of notification is irrelevant so long as the
notification is made. R2.7, R2.8, and R2.9 are also unnecessary expansions beyond what is currently in CIP-001-1 and EOP-004-1. CIP-001-1 requires the Responsible Entity review its procedures annually and
CenterPoint Energy believes this is sufficient. When taken in total, R2 requires seven (7) different processes,
provisions, and methods. CenterPoint Energy recommends R2.2, R2.3, R2.7, R2.8 and R2.9 be deleted and
believes this will not result in a reliability gap.
City of Garland
No
There are 4 “methods” and 2 “provision” required for this requirement - in other words, 6 “paperwork” items
that auditors will audit and likely penalize entities for. On page 1, the statement is made “...proposed standard
in accordance with Results-Based Criteria.” Having to have 4 methods and 2 provisions to end with a report
(all of which is paperwork) is not a “result based” standard. It is like being required to have a "plan to plan on
planning on composing and filing a report". Events need to be analyzed, communicated, and reported and
should be audited as such (results based) - not audited on whether they have a book filled with methods and
provisions.
Consolidated Edison Co. of NY, Inc.
No
Requirement R2
o Lead-in paragraph - Following the words “Attachment 1” add a period and the words “The
Operating Plans shall” and then delete “that” and make “includes” singular.
o R2.1, 2.2, 2.3, 2.7 - Replace the word “Method(s)” with the word “Procedure(s)”.
o 2.6 - After the word “notify” add a period, then insert the
words “For example, external organizations may include” and delete the words “to include but not limited to.”
o 2.8 - After the words “Operating Plan based on” add the word “applicable”.
Rationale R2
After the words “Every industry participant that owns or operates,” add the words “Bulk Electric System.” Then delete the
words “on the grid.”
Constellation Power Generation and Constellation Commodities Group
No
Constellation Power Generation and Constellation Commodities Group has several issues with this
requirement, but in general, this requirement is heavily prescriptive, administrative in nature, and is unclear
whether it will positively impact BES reliability. As examples of administrative requirements that have no
impact on reliability, please consider the following comments:
o Listing personnel in R2.4, - merely having a
list of personnel does not add to the sufficiency of an Operating Plan, but it does create a burdensome
obligation to maintain a list. As well, specifying “personnel” may limit plans from designating job titles or other
designations that may more appropriately and consistently carry reporting responsibility in the Operating Plan.
o R2.5 is unclear as to the intent of the requirement - what is threshold of notification? Is the list to be those
that have a role in the event response or a list of all within the facility who may receive news notification of the
event? Also, as explained above for 2.4, a list is not beneficial to reliability, but is administratively
burdensome.
o What is the reasoning for the 30 day timeframe in R2.7, R2.8 and R2.9? The timeframe is not
based on a specific necessity, and creates an unreasonable time frame for changing the Operating Plan, in
particular if lessons learned are either short turn adjustments or comprehensive programmatic changes that
warrant more time to properly institute. In addition, coupled with other requirements (R4, R5, R8), the
updating requirements of R2.7, R2.8 and R2.8 potentially create a continually updating Operating Plan which
could create enough confusion to reduce the effectiveness of the Operating Plan. The updating and time
frame requirements do not impact reliability, but again impose significant administrative burden and
compliance exposure.
o R2.9 is particularly problematic for its connection to R8. R8 requires NERC to create
quarterly reports with lessons learned and R2.9 requires the registered entities to amend their Operating
Plans? What if NERC doesn’t write an annual or quarterly report? Are the registered entities out of
compliance?
The “summary of concepts” for this latest revision, as written by the SDT, includes the following
items:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric
system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion
of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around who will receive the information and how it will be used
Many of the sub-requirements in R2 do not
address any of these items and do not serve to establish a high quality, enforceable and reliability focused
standard. Constellation Power Generation therefore recommends that R2 be amended to read as follows:
R2. Each Applicable Entity identified in Attachment 1 shall have an Operating Plan(s) for identifying, assessing
and reporting impact events listed in Attachment 1 that includes the following components:
2.1. Method(s) for identifying impact events listed in Attachment 1
2.2. Method(s) for assessing cause(s) of impact events listed in Attachment 1
2.3. Method(s) for making internal and external notifications should an impact event listed in
Attachment 1 occur.
2.4. Method(s) for updating the Operating Plan.
2.5 Method(s) for making operation personnel aware of changes to the Operating Plan.
Consumers Energy
No
R 2.7, R 2.8 and R 2.9 are creating a requirement to have procedures to update procedures. Having updated
procedures should be the requirement, no more.
Duke Energy
No
Sections 2.4 and 2.5 should allow identification of responsible positions/job titles rather than specific people.
Section 2.9 only allows 30 days for updates to our plan based upon lessons learned coming out of an annual
report. 60-90 days would be more appropriate. Also, Section 2.9 says it’s an annual report, while R8 only
requires quarterly reports.
Dynegy Inc.
No
For 2.7, 2.8, 2.9, 30 days is too stringent. Some changes may not warrant changes until a cumulative amount
of changes occur. Suggest making it no later than an annual review.
E.ON Climate & Renewables
No
Administrative burden to some of the components such as 2.5.
Electric Market Policy
No
This is an overly prescriptive requirement given the intent of this standard is after-the-fact reporting. The
requirement to create an Operating Plan lacks continuity with the ERO Event Analysis Process that is
currently slated to begin industry field testing on October 25, 2010. Suggest the SDT coordinate EOP-004-2
efforts with this process. R2.6 establishes an external organization list for Applicable Entity reporting, yet R1
suggests that external reporting will be accomplished via submittal of impact event reports. How will the two
requirements be coordinated?
What governmental agencies are appropriate and how will duplicative
reporting be addressed (for example, DOE, Nuclear Regulatory Commission)? Also, in the “rationale for R2”,
please explain the reference to Parts 3.3 and 3.4.
ERCOT ISO
No
ERCOT ISO recommends the use of “Registered Entity” in place of “Applicable Entity”. This would provide
consistency with other requirements and Attachment 1. Recommend the following changes to the
subrequirements. “2.6. List of external organizations to notify to include but not limited to NERC, Regional
Entity, relevant entities within the interconnection, Law Enforcement, and Governmental or Provincial
Agencies.” “2.7. Process for updating the Operating Plan within 30 days of any changes not of an
administrative nature. This includes updates to reflect any lessons learned as a result of an exercise or actual
event.” Remove requirement 2.8 and move content to requirement 2.7. “2.8. Process for updating the
Operating Plan within 30 days of publication the NERC annual report of lessons learned.” Add “2.9. Process to
ensure updates are communicated to personnel responsible for under the Operating Plan within 30 days of
the change being completed.”
Exelon
No
R.2.4 and 2.5 - should not be required to have a list of internal personnel. If an entity has an Operating Plan
that covers internal and external notifications that should be sufficient. R2.2.7, 2.8, 2.9 - R4 requires an annual
drill. Updating the plan if required following an annual drill should be sufficient. Why does an entity need to
develop a stand alone Operating Plan if there is an existing process to address identification, assessing and
reporting certain events? 30 day implementation for a component change or lesson learned does not seem
reasonable or commensurate with the potential impact to the BES and should not be a required element of
EOP-004. What is the communication protocol for lessons learned outside of the annual NERC report? What
process will be followed and who will review, evaluate, and disseminate lessons learned that warrant updating
the Operating Plan?
FirstEnergy
No
The term Operating Plan(s) is not the appropriate term for this standard. These should be called Reporting
Plan(s). Operating Plans are usually designed to be applied during the operating timeframe. Parts 2.2 and 2.6
- We suggest changes to these two subparts as well as a new 2.2.1 and 2.6.1 as follows: 2.2. Method(s) for
assessing the initial probable cause(s) of impact events (Add) 2.2.1. Method(s) for assessing the external
organizations to be notified. 2.6. List of external organizations to notify in accordance with Part 2.2.1. to
include but not limited to NERC, Regional Entity, and Governmental Agencies. (Add) 2.6.1. Method(s) for
notifying Law Enforcement as determined by Part 2.2.1. Parts 2.4 and 2.6: This should be a list of job titles for
ease of maintenance. An entity may choose to use someone in a job position that is a 24 by 7 operation with
several personnel that cover that position over the 24 by 7 period. Listing each person by name should not
be required as personnel change while the operating responsibility related to the job title can remain constant.
We suggest changing the wording to "2.4. List of the job titles of internal company personnel responsible for
making initial notification(s) in accordance with Parts 2.5. and 2.6. 2.5. List of the job titles of internal company
personnel to notify." Part 2.6 - We are under the impression that the phrase "include but not limited to" should
not be used according to the NEW SDT guidelines. We suggest changing this to say "List of external
organizations to notify that includes at a minimum, NERC, Regional Entity, and Governmental Agencies. (A
provincial agency is a governmental agency)." Part 2.7. is overly burdensome. FE suggests the team revise to
simply reflect annual updates that should consider component changes and updates from lessons learned.
This also permits parts 2.8 and 2.9 to be deleted. FE proposes the following text for Requirement R2.7
"Annual review, not to exceed 15 months between reviews, and update as needed of the Reporting Plan that
considers component changes and continuous improvement changes from lessons learned." Parts 2.8 and 2.9
- FE proposes to delete part 2.8 and 2.9. We do not see a need for these changes since the plan must be
updated annually and will cover lessons learned.
Great River Energy
No
A. As detailed in R2, the Operating Plan shall contain provisions for “identifying, assessing, and reporting
impact events”. R2.8, and R2.9 do not have a correlation to R2’s Operating Plan. Where, R2.7 states to
update the Operating Plan when there is a component change. We believe that the components of this
Operating Plan are only 1) identifying impact events, 2) assessing impact events, and 3) reporting impact
events. R2.8 and R2.9 are based on Lessons Learned (from internal and external sources) and do not fit in
the components of an entity’s Operating Plan. R2.7 requires the Operating Plan to be updated. As written,
every memo, simulations, blog, etc that contain the words “lessons learned” would be required to be in your
Operating Plan. It is solely up to an entity to implement a “Lesson Learned” and not the place for this SDT to
require an Operating Plan to contain Lessons Learned. Recommend that R2.8 and R2.9 be deleted for this
requirement. If R2.8 and R2.9 are not removed, R5.3 will be in a constant state of change. B. In R2.8 &
R2.9, It may be difficult to implement lessons learned within 30 days. We suggest that lessons learned
should be incorporated within 12 calendar months if lessons learned are not deleted from the R2.8 & R2.9.
Green Country Energy
No
Highly administrative version of what could accomplish the same thing. A requirement that the applicable
entity shall make appropriate notifications as required by attachment A and B events. I can see the need for
review and lessons learned but that needs to be done at a higher level since many entities may be involved in
an "event"
Idaho Power Company
No
The SDT needs to clarify Requirement 2.9 references an annual report issued pursuant to requirement R8,
however Requirement 8 references a quarterly report. These requirements should have the same time
frames.
Indeck Energy Services
No
R2 needs to state that the Operating Plan needs to only those Attachment 1 events applicable to the
Registered Entity. The Operating Plan should contain a list of these events so that the other Requirements
can reference the Operating Plan and not Attachment 1 for the list of events. For example a GO/GOP <2,000
MW would not need to address this type of event and it wouldn't be listed in its Operating Plan. It would be
unnecessarily cumbersome, to describe events which are not covered within the Operating Plan.
Independent Electricity System Operator
No
R2 is not needed. An entity does not need to have an “operating plan” to identify and report on impact events;
it needs only to report on the events listed in Attachment 1 in a form depicted in Attachment 2. How does the
entity do this, and whether or not an operating plan is in place, or whether its staff is trained to provide the
report should not need to be included in a reliability standard for so long as the responsible entity provides the
report in the required form on time. If the responsible entity fails to report the listed events in the depicted
format, it will be found non-compliant, and that’s it - no more and no less. If the “operating plan” really means
an established data collection and reporting procedure, then the requirement should be revised to more
clearly convey the intent.
IRC Standards Review Committee
No
The SRC suggests that this is not, in fact, an Operating Plan. At most, it may be a reporting plan or reporting
procedure. Most of these requirements are administrative and procedural in nature and, therefore, do not
belong as requirements in a Reliability Standard. Perhaps they could be characterized as a best practice and
have an associated set of Guidelines developed and posted on the subject. As proposed, the Operating Plan
is not required to ensure bulk power reliability. As stated in the purpose of this standard, it does not cover any
real-time operating notifications for the types of events covered by CIP-001, EOP-004.
The Operating Plan
requirements as proposed seem only to be suitable for real-time notifications. Since these incidents are
meant to be reportable after-the-fact, familiarity with the reporting requirements and time frames is sufficient.
Unlike the real-time operating notifications which have relatively short reporting time frames, there is sufficient
time for personnel to make appropriate communications within their organizations to make timely after the fact
reports under NERC Section 1600 authority. Would it be feasible for NERC to issue a standing requirement
for timely after-the-fact reports under NERC Section 1600 authority?
ISO New England Inc.
No
This is an overly prescriptive requirement given that the intent of this standard is after-the-fact reporting. The
requirement to create an Operating Plan is an unnecessary burden that offers no additional improvements to
the reliability of the Bulk Electric System, and this is not, in fact, an Operating Plan. At most, it may be a
reporting plan. Most of these requirements are administrative and procedural in nature and, therefore, do not
belong as requirements in a Reliability Standard. Perhaps they could be characterized as a best practice and
have an associated set of Guidelines developed and posted on the subject. As proposed, the Operating Plan
is not required to ensure Bulk Electric System reliability. As stated in the purpose of this standard, it does not
cover any real-time operating notifications for the types of events covered by CIP-001, EOP-004.
Since
these incidents are meant to be reportable after-the-fact, familiarity with the reporting requirements and time
frames is sufficient. Stating reporting requirements directly in the standard would produce a more uniform and
effective result across the industry, contributing towards a more reliable Bulk Electric System. R2.6 establishes
an external organization list for Applicable Entity reporting, yet R1 suggests that external reporting will be
accomplished via submittal of impact event reports. How will the two requirements be coordinated? What
governmental agencies are appropriate, and how will duplicative reporting be addressed (for example, DOE,
Nuclear Regulatory Commission)? Also, in the “rationale for R2”, please explain the reference to Parts 3.3
and 3.4.
Kansas City Power & Light
No
We agree with the rationale for R8 requiring NERC to analyze Impact Events that are reported through R6
and publish a report that includes lessons learned but disagree with R2.9 obligating an entity to update its
Operating Plan based on applicable lessons learned from the report. Whether lessons learned are applicable
to an entity is subjective. If an update based on lessons learned from an annual NERC report is required, the
requirement should clearly state the necessity of the update is determined by the entity and the entity’s
Reliability Coordinator or NERC can not make that determination then find the entity in violation of the
requirement. In addition, if an update based on lessons learned from a NERC report is required, NERC
should publish the year-end report (R8) on approximately the same day annually (i.e. January 31) and allow
an entity at least 60 days to analyze the report and incorporate any changes it deems necessary in its
Operating Plan. In addition, the language using quarterly and annual as a requirements between R2.9 and
R8 is confusing.
MidAmerican Energy
No
R2 and R5 coupled with R8 will drive quarterly updates (in addition to drills, etc) and training to the literally
hundreds to thousands of people per company for the proper internal operating personnel and management
will actually hurt the development of a culture of compliance by overwhelming personnel with constant plan
changes and training. The standards drafting team should remove all 30 day references or provide the
technical basis of why revising plans and training to “changes and lessons learned” quarterly all within 30
days is the right use of reliability resources to improve the grid. The addition of the 30 day constraints and new
vague criteria in Attachment one such as “damage to a BES element through and external cause” or
“transmission loss of multiple BES elements which could mean two or more” is the opposite of clear standards
writing or results based standards. We disagree with requiring an Operating Plan for identifying, assessing,
and reporting impact events.
This is an administrative requirement that has no clear reliability benefit.
Furthermore, it is questionable that event reporting even meets the basic definition of an Operating Plan. Per
the NERC glossary of terms, Operating Plans contain Operating Procedures or Operating Processes which
encompass taking action real-time on the BES not reporting on it. As detailed in R2, the Operating Plan shall
contain provisions for “identifying, assessing, and reporting impact events”. R2.8, and R2.9 do not have a
correlation to R2’s Operating Plan.
Where, R2.7 states to update the Operating Plan when there is a
component change, the components of this Operating Plan are only 1) identifying impact events, 2)
assessing impact events, and 3) reporting impact events. R2.8 and R2.9 are based on Lessons Learned
(from internal and external sources) and do not fit in the components of an entity’s Operating Plan. R2.7
requires the Operating Plan to be updated. As written, every memo, simulations, blog, etc that contain the
words “lessons learned” would be required to be in your Operating Plan. It is solely up to an entity to
implement a “Lesson Learned” and not the place for this SDT to require an Operating Plan to contain Lessons
Learned.
Recommend that R2.8 and R2.9 be deleted for this requirement.
If R2.8 and R2.9 are not
removed, R5.3 will be in a constant state of change. In R2.8 & R2.9, It may be difficult to implement lessons
learned within 30 days. The NSRS recommends to incorporate lessons learned within 12 calendar months if
lesson learned are not deleted from the R2.8 & R2.9.
Midwest ISO Standards Collaborators
No
We disagree with requiring an Operating Plan for identifying, assessing, and reporting impact events. This is
an administrative requirement that has no clear reliability benefit. Furthermore, it is questionable that event
reporting even meets the basic definition of an Operating Plan. Per the NERC glossary of terms, Operating
Plans contain Operating Procedures or Operating Processes which encompass taking action real-time on the
BES not reporting on it. What is an impact event? It appears that this undefined, ambiguous term was
substituted for sabotage which is also undefined and ambiguous. One of the SARs stated goals was to
“provide clarity on sabotage events”. This does not provide clarity.
MRO's NERC Standards Review Subcommittee
No
A. As detailed in R2, the Operating Plan shall contain provisions for “identifying, assessing, and reporting
impact events”. R2.8, and R2.9 do not have a correlation to R2’s Operating Plan. Where, R2.7 states to
update the Operating Plan when there is a component change. The NSRS believes the components of this
Operating Plan are only 1) identifying impact events, 2) assessing impact events, and 3) reporting impact
events. R2.8 and R2.9 are based on Lessons Learned (from internal and external sources) and do not fit in
the components of an entity’s Operating Plan. R2.7 requires the Operating Plan to be updated. As written,
every memo, simulations, blog, etc that contain the words “lessons learned” would be required to be in your
Operating Plan. It is solely up to an entity to implement a “Lesson Learned” and not the place for this SDT to
require an Operating Plan to contain Lessons Learned. Recommend that R2.8 and R2.9 be deleted for this
requirement. If R2.8 and R2.9 are not removed, R5.3 will be in a constant state of change. B. In R2.8 &
R2.9, it may be difficult to implement lessons learned within 30 days. The NSRS recommends to incorporate
lessons learned within 12 calendar months if lessons learned are not deleted from the R2.8 & R2.9.
North Carolina Electric Coops
No
This requirement dictates details of documentation of after-the-fact reporting of events which cannot impact
reliability of the BES and, as such, should not be a reliability standard. The cost and burden of becoming
auditably compliant with this requirement can be extreme for small entities.
Northeast Power Coordinating Council
No
This is an overly prescriptive requirement given that the intent of this standard is after-the-fact reporting. The
requirement to create an Operating Plan is an unnecessary burden that offers no additional improvements to
the reliability of the Bulk Electric System, and this is not, in fact, an Operating Plan. At most, it may be a
reporting plan. Most of these requirements are administrative and procedural in nature and, therefore, do not
belong as requirements in a Reliability Standard. Perhaps they could be characterized as a best practice and
have an associated set of Guidelines developed and posted on the subject. As proposed, the Operating Plan
is not required to ensure Bulk Electric System reliability. As stated in the purpose of this standard, it does not
cover any real-time operating notifications for the types of events covered by CIP-001, EOP-004. Since
these incidents are meant to be reportable after-the-fact, familiarity with the reporting requirements and time
frames is sufficient. Stating reporting requirements directly in the standard would produce a more uniform and
effective result across the industry, contributing towards a more reliable Bulk Electric System. R2.6 establishes
an external organization list for Applicable Entity reporting, yet R1 suggests that external reporting will be
accomplished via submittal of impact event reports. How will the two requirements be coordinated? What
governmental agencies are appropriate, and how will duplicative reporting be addressed (for example, DOE,
Nuclear Regulatory Commission)? Also, in the “rationale for R2”, please explain the reference to Parts 3.3
and 3.4.
Pacific Gas and Electric Company
No
PG&E would like clarification on whether the 30 days, is calendar days or business days.
Pacific Northwest Small Public Power Utility Comment Group
No
See #15
Pepco Holdings, Inc - Affiliates
No
For R 2.7, 2.8 and 2.9, 30 days may be too short a time for large entities with multiple subsidiaries to do the
necessary notice and coordination. PHI suggests 90 days.
PNM Resources
No
PNM would like clarification on whether the 30 days, is calendar days or business days.
PPL Electric Utilities
No
While we agree with documenting our process, we feel the use of the defined term Operating Plan is not
required and possibly a misuse of the term.
We would like to suggest using the term ‘procedure’.
Additionally, we would like the SDT to confirm/clarify whether Attachment 1 is a complete list of impact
events. Also, please confirm that the Proposed R2.1 language ‘Method(s) for identifying impact events’
means identifying impact event occurrence as opposed to identifying list of impact events. i.e. does R2.1
mean recognize impact event occurrence?
PPL Supply
No
While we agree with concept addressed in R2, we don't agree with use of the defined term Operating Plan.
Consider working the requirement as follows: "Each Applicable Entity identified in Attachment 1 shall have a
documented process or program that includes the following components:..." Also, please consider changing
2.1 to be "Method(s) for recognizing the occurrence of impact events." The current wording could be
interpreted to mean, "create a list of the impact events."
Puget Sound Energy
No
While the concept of an operating plan is reasonable, the requirements for update in sections 2.7, 2.8 and 2.9
will lead to an immense amount of work for the entities subject to the standard. In addition, constant revisions
to the operating plan makes it difficult to cement a habit through this procedure. The proposed update
schedule does not strike the appropriate balance between the need to respond to lessons learned and the
value of plan continuity.
RRI Energy, Inc.
No
1. R2 includes the phrase "for identifying, assessing and reporting," followed by R2.1 which states
"identifying," R2.2 which states "assessing" and both R2.3 and R2.6 state "notify" or "making internal and
external notifications" (i.e., reporting). The language is unnecessarily redundant. RECOMMENDATION:
Reword R2 phrase "for identifying, assessing and reporting," to simply state, "for addressing."
2. Rationale for R2 - The rationale section for R2 references in the third paragraph "Parts 3.3 and 3.4." Was this intended to
reference R2.3 and R2.4?
Santee Cooper
No
The words “operating plan” should be removed from the requirement. This standard deals exclusively with
after-the-fact reporting. This requirement is also overly prescriptive.
SERC OC Standards Review Group
No
This is an overly prescriptive requirement that dictates details of documentation and, as such, has no place in
a reliability standard. NERC needs to trust the RCs to do their jobs; this standard and this requirement in
particular seems to be attempting to codify the actions that an RC would take in response to an event. The
cost and burden of becoming auditably compliant with this requirement is extreme and unrealistic, especially
on small entities
Southern Company - Transmission
No
The Operating Plan has a different connotation for different operations folks. We suggest that we call it an
Impact Event Reporting Plan.
Tenaska
No
We have adequate compliance procedures already in place for the existing CIP-001-1 and EOP-004-1
Standards. The list of required “Operating Plan” components in the proposed R2 is too specific. Maintaining
the “Operating Plan” described in R2 would increase the burden on Registered Entities to comply with the
Standard and this type of "laundry list" Requirement would make it more difficult to prove compliance with
EOP-004-2 during an audit.
United Illuminating
No
R2.9 requires provisions to update the Operating Plan based on the annual ERO report developed in R8. The
ERO report does not appear to be providing lessons learned to be applied to the Operating Plan for impact
event reporting, but more focused on trends and threats to the BES. Also 30 days after the report is published
by NERC is not enough time for the entity to read, and assess the report, and then to administratively update
the Operating Plan. UI agrees that the Operating Plan should be reviewed annually and updated subsequent
to the review within 30 days.
US Bureau of Reclamation
No
R2 does not reconcile with Attachment A or the sub paragraphs. As an example, the requirement 2.6 states
"List of organizations to notify ...." All sub paragraphs use the term notify. Notify as used in Attachment A is
when a report cannot be provided in the time frame listed in Attachment A. Therefore there is no requirement
in this standard for the Operating Plan to have a provision for reporting. The subparagraph 2.8 indicates that
the Entity must update its plan based on the lessons learned published by NERC. It would be appropriate to
require a review and update of the plan based on the lessons learned.
We Energies
No
R2.3, R2.4: “Part” is not a defined term or used in the NERC Standard Process Manual. R2: Attachments are
not mentioned in the NERC Standard Process Manual. Is this a mandatory or informational part of the
standard? R2.6 (and possibly R2.5): There does not seem to be discretion in notifications. Are all people or
organizations on the notify lists always contacted for every impact event? Even Law Enforcement? R2.7:
What is a “component”? A Plan component? A BES component? R2.9: There is no annual NERC report
issued pursuant to R8. R8 requires quarterly reporting.
WECC
No
Need clarification on whether the 30 days is calendar days or business days. As noted in the comment to
question 3, any impact event where sabotage is suspected should be treated differently from those where
sabotage is not suspected.
Arizona Public Service Company
Yes
AZPS agrees with R2, however, the use of the term "Operating Plan" is confusing. A more accurate term
would be "Event Reporting Plan."
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Georgia System Operations Corporation
Yes
An entity-developed Operating Plan will allow the flexibility needed to address different entity relationships
around the country, e.g., generating companies, cooperatives, munis, large IOUs, small IOUs, RTOs/ISOs,
non-independent market area, and so on. However, all applicable entities should not be required to report
directly to NERC or the region. The system should allow for partial reporting and hierarchical reporting.
Entities within an area should be allowed to coordinate their plans to define reporting procedures within their
area. They could have an entity at some wide scope top level that reports to NERC and the region the
information collected from multiple narrow scope lower levels within their wide area. If every small lower level
entity directly reported to NERC and the Region, it could create situational confusion rather than situation
awareness.
Manitoba Hydro
Yes
R2 - 2.1 to 2.9 detail what is expected of an Operating Plan for Impact Events. The attachment 1 details the
event, the threshold parameters and time line. Though the threshold parameters in the attachment may be
questioned, this greatly clarifies the expectations of reporting events. Further events should be added to this
list: “Detection of suspected or actual or acts or threats of physical sabotage”
Luminant Energy
Yes
Nebraska Public Power District
Yes
NERC Staff
Yes
PacifiCorp
Yes
PacifiCorp
Yes
TransAlta Corporation
Yes
5. Do you agree with the requirement R3 and measure M3? Please explain in the comment box below.
Summary Consideration: There was no consensus amongst stakeholders who responded to this question. Requirement R3 has
been re-written to exclude the requirement to “assess the initial probable cause”. The only remaining reference to “cause” is in the
Impact Event Reporting Form (Attachment 2). Here, there is no longer a requirement to assess the probable cause. The probable
cause only needs to be identified, and only if it is known at the time of the submittal of the report.
Organization
Yes or No
Question 5 Comment
Ameren
No
There are too many missing details on how this will be accomplished. As stated before, this Draft requires
too much time be invested in verbal reports, "Preliminary" reports, "Final" reports and even "Confidential"
reports (Attachment 2). If the goal is to report ASAP details on events which could impact BES reliability, all
of these reports will need to be made at the worst possible time - when Operators are trying to collect data,
analyze what they find and correct major problems on the system. And if the reports are wrong or not issued
fast enough, the Operators will be keenly aware of potential fines and violations.
American Electric Power (AEP)
No
Not clear how this is different from R6 since it relies on the same timetable in Attachment 1.
ATC
No
ATC believes that this requirement should be deleted and that the SDT should coordinate its goal with the
EAWG. We believe that the lessons learned process and identification of root cause is better covered under
that process than through the NERC Mandatory Standards.
BGE
No
R3. Limits responsibility to Attachment 1 events only and mandates that an “initial probable cause” be
identified.
Are we at liberty to define “initial probable cause” and define time period for completion in the
Operating Plan? BGE believes this could cause wide difference between Operating Plans and the standard
should be more prescriptive by relating to a time-table for the life of an impact event, including expected
identification time, initial assessment time and analysis time leading to the reporting deadlines. BGE
recommends not including examples of evidence in a measure but include it in a Guideline. Including in a
measure will be translated as a requirement by an auditor.
CenterPoint Energy
No
CenterPoint Energy does not agree with R3 and M3 as written as the Company does not agree with the
requirement to have an Operating Plan (see comments to Q4 above). However, if R2 and M2 were to be
deleted, and R3 was revised to read; “Each Applicable Entity shall identify and assess initial probable cause
of events listed in Attachment 1.”, CenterPoint Energy could agree with this requirement.
City of Garland
No
Should be part of R2 or R6 - this is unnecessary duplication
Constellation Power Generation and Constellation Commodities Group
No
This requirement introduces double jeopardy for registered entities. If an entity does not include methods for
identifying impact events and for assessing cause per R2.1 and R2.2 in their Operating Plan, they will be out
of compliance with R2. Without the methods in R2 the registered entity is out of compliance with R3 as well
for failing to identify and assess. Constellation Power Generation therefore recommends that R3 be amended
to be incremental to R2 and read as follows: R3. Each Applicable Entity shall implement their Operating
Plan(s) to identify and assess cause of impact events listed in Attachment 1.
Electric Market Policy
No
We think “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to
build audit ready compliant procedures.
ERCOT ISO
No
ERCOT ISO recommends the use of “Registered Entity” in place of “Applicable Entity”. This would provide
consistency with other requirements and Attachment 1. The measure for this requirement notes the obligation
for “documentation”. This is not addressed in the requirement. The measure also notes “on its Facilities”. This
clarification of scope should be addressed in the requirement. R3. Each Registered Entity shall identify,
assess, and document initial probable cause of impact events on its Facilities listed in Attachment 1.
Exelon
No
Agree that Each Applicable Entity shall identify and assess initial probable cause of impact events; disagree
with aspects and time requirements in Attachment 1.
FirstEnergy
No
M3 - Power flow analysis would be used to assess the impact of the event on the BES, not to determine initial
probable cause. It is more likely that DME would provide the data for the initial probable cause evaluation. We
suggest rewording M3 as follows: "To the extent that an Applicable Entity has an impact event on its Facilities,
the Applicable Entity shall provide documentation of its assessment or analysis. Such evidence could include,
but is not limited to, operator logs, voice recordings, or disturbance monitoring equipment reports. (R3)"
Green Country Energy
No
Actually yes and no... An event may be caused, analyzed and corrected by one entity but most likely it will
involve more. Low Voltage or frequency may not be caused by a generator but the generator will see the
event and to have the generator assess the probable cause seems inappropriate. I can see reporting the
event and duration and making notifications.
Indeck Energy Services
No
R3 should reference the events covered by the Operating Plan, as listed in it, rather than in Attachment 1. If
the Plan is deficient, it is a violation of R2 and not every other Requirement that references the Plan.
Independent Electricity System Operator
No
We agree that the responsible entity needs to identify and assess initial probable cause of impact events but
not in accordance with any operating plan in R2. Each operating entity (RC, BA, TOP) has an inherent
responsibility to identify the cause of any system events to ensure it complies with a number of related
operational standards. R3, in fact, could be revised to require the Responsible Entity to include the probable
cause of impact events in its report, rather than asking it to “identify and assess” since this is not measurable.
Also, the ERO may be removed from the Applicability Section depending on the response to our comments
under Q9.
IRC Standards Review Committee
No
Although it is useful for entities to make an initial assessment of a probable cause of an event, this
requirement should stand alone and does not need to be tied to requirement R2, Operating Plan. Quite often,
it takes quite some time for an actual cause to be determined. The determination process may require a root
cause analysis of some complexity. Further, in the case of suspected or potential sabotage, the industry can
only say it doesn’t know, but it may be possible. It really is the law enforcement agencies who make the
determination of whether sabotage is involved and the info may not be made available until an investigation is
completed, if indeed it is ever made available.
ISO New England Inc.
No
We think “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to
build auditable compliance procedures. Although it is useful for entities to make an initial assessment of a
probable cause of an event, this requirement should stand alone and does not need to be tied to requirement
R2, Operating Plan. Quite often, it takes a considerable amount of time for an actual cause to be determined.
The determination process may require a complex root cause analysis. Further, in the case of suspected or
potential sabotage, the industry can only say it doesn’t know, but it may be possible. Law enforcement
agencies make the determination of whether sabotage is involved, and the information may not be made
available until an investigation is completed, if indeed it is ever made available.
Kansas City Power & Light
No
We believe R3 and M3 are unnecessary as a stand alone requirement and measure and propose combining
this requirement and measure with R6 and M6. Identifying and assessing the initial probable cause of an
impact event is the obvious starting point in the reporting process and ultimate completion of the required
report. Evidence to support the identification and assessment of the impact event and evidence to support
the completion and submittal of the report are really one in the same.
Manitoba Hydro
No
Though each local entity should identify and assess initial probable cause of impact events as per their
Operating Plan, the creation of this Operating Plan could be labor intensive and also guidelines for
consistency within an RC region should be created. So “NO” is entered simply because a large time line would
be needed to properly and efficiently implement R3 and R4.
MidAmerican Energy
No
Midwest ISO Standards Collaborators
No
While we agree that it makes sense to report on the cause of an event, we disagree with the need for an
Operating Plan as identified in R2.
North Carolina Electric Coops
No
The term “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to
build auditably compliant procedures and give guidance on what is proper to report.
Northeast Power Coordinating Council
No
“Impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to build
auditable compliance procedures. Although it is useful for entities to make an initial assessment of a probable
cause of an event, this requirement should stand alone and does not need to be tied to requirement R2,
Operating Plan. Quite often, it takes a considerable amount of time for an actual cause to be determined.
The determination process may require a complex root cause analysis. Further, in the case of suspected or
potential sabotage, the industry can only say it doesn’t know, but it may be possible. Law enforcement
agencies make the determination of whether sabotage is involved, and the information may not be made
available until an investigation is completed, if indeed it is ever made available.
Pacific Northwest Small Public Power Utility Comment Group
No
Comments: When applying R3 to row 11 of attachment 1, the comment group notes that applicable entities
are expected to assess probable cause of BES equipment damage, including that which may be the result of
criminal behavior. At best this would needlessly duplicate the efforts of law enforcement. A more likely result
is that entity involvement would interfere with law enforcement and ultimately hinder prosecution of those
responsible. Also See #15
PPL Electric Utilities
No
We believe the rationale for R3 is good and provides value. However, we feel the clarity was lost when the
rationale was translated to the standards language. Please consider revising language to refocus on
rationale of assess and report per Attachment 1 as opposed to identify. We suggest changing the word
“identify” to “recognize” and add the Rationale statement to the requirement as follows: “Each Applicable
Entity shall assess the causes of the reportable event and gather available information to complete the
report.”
PPL Supply
No
Please consider changing the word "identify" to "recognize" and adding the Rationale statement to the
requirement as follows: "Each Applicable Entity shall assess the causes of the reportable event and gather
available information to complete the report."
RRI Energy, Inc.
No
"Identify and assess" - Auditors are as much in need of clearly worded, unambiguous Reliability Standards
as are Registered Entities. This phrase leaves much too wide a range of interpretations, almost guaranteeing
regular and frequent disagreements during an audit between Registered Entity and Regional Entity auditor as
to what constitutes "identify and assess" sufficient to meet the intent of this Requirement. Compounding this
issue is the Rationale for R3 that states an Applicable Entity (which should probably read "applicable
Functional Entity") should "gather enough information to complete the report that is required to be filed."
While Rationale statements are not technically part of the standard, this emphasizes the current wording of
the requirement as subject to random and arbitrary interpretation by auditors and Registered Entities.
RECOMMENDATION: Change "identify and assess" to "document," so that the Requirement now reads
"Each Applicable Entity shall document initial probable cause of impact events..." including an option for
"cause not determined".
Santee Cooper
No
Does the initial probable cause have to be reported within the timing associated in Attachment 1? Entities
may not have enough information that soon to report the initial probable cause. This should be done with
events analysis.
SERC OC Standards Review Group
No
We think “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to
build auditably compliant procedures.
Tenaska
No
The probable cause of a reportable event is already required to be submitted on the OE-417 form. This
Requirement is redundant.
TransAlta Corporation
No
Clarity required: Does an entity have to report on the cause of every “applicable” impact event they witness
even though the event did not originate at their plant, system or region and did not adversely affect them?
Essentially this would require every entity that witnessed an “applicable” event to report on its cause. In most
cases they will not know the cause if they did not create the event. Measure M3 should reference Attachment
1 to indicate the ‘Time to Submit Report’.
We Energies
No
A DP may not have Facilities (a BES element). See NERC Glossary definition of Facility.
Bonneville Power Administration
Yes
Known causes are difficult under 1 hour reporting requirements. (Unusual events are even harder to narrow
down in 24 hours and may take weeks.)
Consolidated Edison Co. of NY, Inc.
Yes
We agree, however, the term “impact event” must be part of the NERC glossary.
Georgia System Operations Corporation
Yes
It directly supports the purpose of the standard.
Great River Energy
Yes
While we agree that it makes sense to report on the cause of an event, we disagree with the need for an
Operating Plan as identified in R2
MRO's NERC Standards Review Subcommittee
Yes
The NSRS thanks the SDT for stating “initial probable cause” as this is in direct correlation to the Purpose
which states “known causes”.
Puget Sound Energy
Yes
However, this requirement doesn't address the timing required for this analysis. This may be intentional and
appreciated because at times the analysis can take months when the events are complex in nature.
US Bureau of Reclamation
Yes
This is provided that the report submitted in Attachment A does not include the probable cause. It is highly
unlikely that a probable cause may be determined within the reporting timelines.
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Duke Energy
Yes
Dynegy Inc.
Yes
Idaho Power Company
Yes
Luminant Energy
Yes
NERC Staff
Yes
Pacific Gas and Electric Company
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PNM Resources
Yes
Southern Company - Transmission
Yes
United Illuminating
Yes
WECC
Yes
6. Do you agree with the requirement R4 and measure M4? Please explain in the comment box below.
Summary Consideration: Note R4 has been moved to R3 due to rearranging of requirements. The DSR SDT did a full review
based on comments that were received. R3 now is streamlined to read:
R3. Each Responsible Entity shall conduct a test of its Operating Process for communicating recognized Impact Events created
pursuant to Requirement R1, Part 1.3 at least annually, with no more than 15 months between such tests. The testing of the
procedure (as stated in R1) is the main component of this requirement. Several commenters provided input that too much “how”
was previously within R3 and the DSR DST should only provide the “what”. The DSR SDT did not provide any prescriptive guidance
on how to accomplish the required verification within the rewrite. Testing of the entity’s Operating Process (R1) could be by an
actual exercise of the process (testing as stated in FERC Order 693 section 471), a formal review process or real time implementation
of the process. The DSR SDT reviewed Order 693 and section 465 directs that processes “verify that they achieve the desired result”.
This is the basis of R3, above.
Organization
Yes or No
Question 6 Comment
Ameren
No
Establishing a program with trigger actions expected to require reporting several times a year, combined with
adequate initial, and on-going, training should preclude the need for mandatory drills as an added compliance
burden.
ATC
No
We do not believe that a drill that exercises a written reporting obligation will add additional reliability to the
BES.
BGE
No
M4. BGE recommends not including examples of evidence in a measure but include it in a Guideline.
Including in a measure will be translated as a requirement by an auditor. Rationale for R4: If multiple
exercises are performed are all of them subject to the sub-R2 requirements and to audit/audit findings?
Bonneville Power Administration
No
There was no drill required for CIP-001 (a drill was in CIP-008, but the purpose did not list combining CIP-008). A drill is not needed for reporting Electrical Grid events, designate it as excluded in the intent of the
requirement.
CenterPoint Energy
No
CenterPoint Energy does not agree with R4 and M4. See comments to Q4 above. In addition to the process
vs. results based issue stated above, CenterPoint Energy believes conducting a drill to verify recognition,
analysis, and reporting procedures is a waste of valuable resources and time.
City of Garland
No
Existing CIP 001 and EOP 004 are reporting standards - neither currently requires annual drills or exercises.
Combining these two (2) should not entail expanding the requirements to include drills or exercises. There are
existing drills / exercises that must be performed annually for compliance with CIP 008 & CIP 009 which
require the same basic identifying, assessing, developing lessons learned, responding, and reporting skill
sets. Requiring additional drills or exercises for this new combined standard will provide additional “business
overhead” that results in basically nothing that is not obtained by the CIP 008 / 009 drills as far as securing or
making the BES reliable. It does, however, result in additional audit risk at audit time.
Constellation Power Generation and Constellation Commodities Group
No
It is not clear how this requirement to conduct drills and exercises relates to the concepts spelled out by the SDT:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around of who will receive the information and how it will be used
R4 does not address any of the above items and should therefore be removed from this standard.
Consumers Energy
No
NERC should either standardize on a 12 month year or an annual year for reviews.
Dynegy Inc.
No
What is the basis for the drill being annual? This is too stringent. I suggest it be every 3 years.
Electric Market Policy
No
The need for a periodic drill has not been established and appears to be overly restrictive given the intent of
the standard is reporting of impact events. Suggest this requirement be eliminated.
ERCOT ISO
No
ERCOT ISO believes that a drill or exercise of its Operating Plan is unnecessary. The intent of the drill can be
addressed within the training requirements under R5.
Exelon
No
If drills remain as a component of the standard, an effort to consolidate updating an entity's plan with a
requirement to drill the plan should be made. Each entity/utility should be able to dictate/determine if they
need a drill for a particular event. Is this document implying a drill for every type of event?
FirstEnergy
No
FE suggests that this requirement be deleted. FE does not see a reliability need for conducting a drill on
reporting. This is overly burdensome and should not be included within this reliability standard. Training on
the plan and periodic reminder of reporting obligations should suffice.
Great River Energy
No
We disagree with the need to conduct a drill for reporting.
Green Country Energy
No
Another training requirement with what benefit? We must train on all of our NERC requirements now anyway
to ensure compliance and that's not a requirement, that's implied and I think that's enough.
Indeck Energy Services
No
In M4, it is suggested that data from a real event would be evidence. R4 should be satisfied if the Operating
Plan is used for a real event within 15 months of the last drill or event.
Independent Electricity System Operator
No
Along the line of our comments on R2 for an operating plan (whose need we do not agree with), a drill,
exercise, or Real-time implementation of the Operating Plan for reporting is also not necessary.
IRC Standards Review Committee
No
Similar to our comments on R2 for an Operating Plan, a drill, exercise, or Real-time implementation of its
Operating Plan for reporting is unnecessary. Such things are really training practices. There are already
existing standards requirements regarding training. There is no imminent threat to reliability that requires
these events to be reported in a short time frame as may be required for real-time operating notifications.
ISO New England Inc.
No
The need for a periodic drill has not been established, and appears to be overly restrictive given the intent of
the standard is the reporting of impact events. Suggest this requirement be eliminated. Similar to our
comments on R2 for an Operating Plan, a drill, exercise, or Real-time implementation of its Operating Plan for
reporting is unnecessary. Such things are training practices. There are already existing standards
requirements regarding training. There is no imminent threat to reliability that requires these events to be
reported in as short a time frame as may be required for real-time operating conditions notifications.
Kansas City Power & Light
No
We believe R4 and M4 are clearly unnecessary. Thoughtful preparation of an Operating Plan per R2 that
specifically addresses personnel responsibilities and appropriate evidence gathering combined with the
training requirement in R5 is sufficient.
Luminant Energy
No
We support the requirements outlined in R2 which create significant obligations to maintain and update the
required Operating Plan. However, we believe annual drilling for a reporting process seems unnecessary,
particularly given the response horizon of 24 hours for the majority of impact events. If drilling is required, the
standard should allow actual events to fulfill a drilling requirement as stated in the Rationale for R4 and within
the text of M4.
Manitoba Hydro
No
Drills and exercise for implementation of the Operating Plan are important and critical, but as in question 5, or
Requirement R3, careful and detailed creation of the Operating Plan are crucial to facilitate proper training,
drills and exercises. So “NO” is entered simply because a large time line would be needed to properly and
efficiently implement R4 and R3.
MidAmerican Energy
No
Midwest ISO Standards Collaborators
No
We disagree with the need to conduct a drill for reporting.
North Carolina Electric Coops
No
Requiring a drill for “reporting” is unnecessary and burdensome. Reporting is covered in processes and
procedures and during the normal training cycle. We recommend the elimination of this requirement.
Northeast Power Coordinating Council
No
The need for a periodic drill has not been established, and appears to be overly restrictive given the intent of
the standard is the reporting of impact events. Suggest this requirement be eliminated. Similar to our
comments on R2 for an Operating Plan, a drill, exercise, or Real-time implementation of its Operating Plan for
reporting is unnecessary. Such things are training practices. There are already existing standards
requirements regarding training. There is no imminent threat to reliability that requires these events to be
reported in as short a time frame as may be required for real-time operating conditions notifications.
Pacific Gas and Electric Company
No
PG&E believes the addition of a drill constitutes additional training and should be added to R5. PG&E is
concerned as to who the target audience for this annual training would affect.
Pacific Northwest Small Public Power Utility Comment Group
No
See #15
PNM Resources
No
PNM feels the addition of a drill or exercise constitutes additional training and believes R4 should be added to
R5. The WECC OTS also is interested as to what level does the annual training target, for instance, the field
personnel. Will they have to complete the exercise/drill?
RRI Energy, Inc.
No
Every employee in a Registered Entity might potentially have exposure to an impact event, and therefore
result in a list of thousands of employees subject to the EOP-004-2 Operating Plan. Does this mean, for
example, an applicable Functional Entity with 3,000 employees, each capable of potentially observing an
impact event, must include them in the drill, exercise, or Real-Time implementation? Such an expectation
would require a hypothetical email notice to be sent to 3,000 employees, advising them "This is a test - You
observe a suspicious vehicle driving around the fence of your power plant. Perform the next action you
should take." The result in this hypothetical might be 3,000 phone calls and emails to the responsible
employee in the applicable Functional Entity, each needing to be documented and retained for the audit
period. As stated above in question 5, auditors need guidance as much as Registered Entities. Otherwise, it is
observed that they will seek the most stringent approach they observe from the best of the best practices over
the first year of implementation and apply that expectation as the base-case, under which all other
approaches will be deemed violations.
Santee Cooper
No
There is no need to drill for administrative reporting! This requirement should be deleted.
SERC OC Standards Review Group
No
We think this requirement is unclear - we think it requires a drill for “reporting”, which seems absurd! We
recommend the elimination of this requirement.
Tenaska
No
This Requirement is too specific and places additional burdens on Registered Entities.
US Bureau of Reclamation
No
There is no rationale offered on why 15 months was selected. Without a defined basis the time period is
arbitrary. It would be appropriate to let the Entity determine and document the time interval. That would allow
the time frame to be sensitive to the complexity of the Operating Plan. Some entities are geographically
dispersed and a single Operating Plan may be difficult to test at one time or within 15 months. The allowance
for real time events or actual use is a good move and may make it easier to define a suitable time frame by the
Entity.
WECC
No
The addition of a drill or exercise constitutes additional training and believes R4 should be added to R5.
Clarification is needed as to what level does the annual training target, for instance, the field personnel. Will
they have to complete the exercise/drill?
American Electric Power (AEP)
Yes
Arizona Public Service Company
Yes
AZPS agrees with R4, however, the use of the term "Operating Plan" is confusing and leads one to believe an
Operating Drill is necessary for a "reporting plan drill." A more accurate term to use would be "Event
Reporting Plan."
Georgia System Operations Corporation
Yes
We agree with R4 with "... at least annually, with no more than 15 months ..." replaced with "... at least once
per calendar year, with no more than 15 months ..." as in R5.
MRO's NERC Standards Review Subcommittee
Yes
The NSRS agrees that to enhance reliability and situational awareness of the BES, the Operating Plan be
exercised once per calendar year.
United Illuminating
Yes
Suggest R4 be improved to state that a Registered Entity is only required to conduct a drill or execute real-time
implementation of the Operating Plan for one impact event listed in the attachment. In other words the
Registered Entity is not required to drill on reporting each type of impact event on an annual basis.
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Consolidated Edison Co. of NY, Inc.
Yes
Duke Energy
Yes
Idaho Power Company
Yes
NERC Staff
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
Puget Sound Energy
Yes
Southern Company - Transmission
Yes
TransAlta Corporation
Yes
We Energies
Yes
7. Do you agree with the requirement R5 and measure M5? Please explain in the comment box below.
Summary Consideration: Most stakeholders who responded to this question indicated disagreement with the originally
proposed Requirement R5 and Measure M5. (Note: R5 has been moved to R4 in the revised standard.) The DSR SDT did a full
review based on comments that were received. The major issues raised by commenters concerned R5.3 and R5.4 and their
contents. Upon detailed review the DSR SDT agrees with the majority of comments received on R5.3 and R5.4 and has removed
them completely from the Standard. Training is still the main theme of this requirement as it pertains to the personnel in the
procedure (R1). R4 is now streamlined to read:
R4. Each Responsible Entity shall review its Impact Event Operating Plan with those personnel who have responsibilities
identified in that plan at least annually with no more than 15 calendar months between review sessions
Organization
Yes or No
Question 7 Comment
Green Country Energy
Same as my comment for question 6
Arizona Public Service Company
No
AZPS believes the required training is too restrictive for minor changes/edits to the Event Reporting Plan.
ATC
No
ATC believes it is an inherent obligation of all Functional Entities to train their appropriate staff to meet all
applicable NERC Standards. Including a training requirement in some, but not all, Standards implies that the
other Standards do not necessitate training. Although this is an important Standard and one that should be
included in a Functional Entities’ training program, ATC does not believe that this Standard is more important
than the other NERC Standards and, therefore, requires a separate training provision.
ATCO Electric Ltd.
No
R5.3 requires an entity to conduct training within 30 days of a revision to the Operating Plan. For an entity
that covers a wide area, 30 days may not be sufficient to reach all employees.
BGE
No
Suggested revision to clarify R5: Each Applicable Entity shall provide training to all internal personnel
identified in its Operating Plan on the Operating Plan annually. Training is only on Reporting, pursuant to R2,
not on the Operating Plan? BGE does not believe the SDT needs to identify sub bullets on this requirement.
R5.1 is not logical --- what does it mean?
CenterPoint Energy
No
CenterPoint Energy believes that R5 and M5 are not necessary and should be deleted. CenterPoint Energy
supports an entity training its staff in any reporting responsibilities; however, such training should be the
responsibility of each entity and such requirements do not belong in a NERC standard. In addition,
CenterPoint Energy believes any necessary training requirements are covered in the PER Standards and
therefore the addition of this requirement adds redundancy to the Standards. If a majority of the industry
supports such a requirement, CenterPoint Energy cannot support R5 and M5 as written as we do not agree
with the requirement to develop and maintain an Operating Plan (see comments to Q4 above). CenterPoint
Energy offers the following alternate language: “Each Applicable Entity shall provide training concerning
reporting requirements contained in this Standard to internal personnel involved in the recognition or analysis
of events listed in Attachment 1.”
City of Garland
No
This expands beyond the original CIP 001 and EOP 004 - neither explicitly requires training - combining does
not mean expanding. In reality, what practical skill are you going to train on? People who perform the analysis
on an event are going to have job specific training external to this standard and those same folks will maintain
their skill set external to this standard. If it is going to be a results based criteria standard, then let the entities
be responsible. Training on methods to fill out and file paper work does not make the BES more reliable. The
vast majority of other standards do not have a training requirement section and yet, entities manage to be
compliant with those standards. Compared to all the other reliability standards and their requirements, are
penalties for training on filling out paper work really making the BES more secure and reliable?
Consolidated Edison Co. of NY, Inc.
No
Requirement 5 - Training should be targeted only at those responsible for implementing the Operating Plan
(OP), not all those mentioned in the OP. R5 - After the words “internal personnel” add the words “responsible
for implementing.” Then delete the words “identified in” and “for reporting pursuant to Requirement R2.” 5.4 -
Following the words “For internal personnel” add the words “responsible for implementing the Operation
Plan.” Between the words “revised responsibilities” add the word “implementation.” M5 - After the words
“between the people” add the words “responsible for implementing the Operating Plan”
Constellation Power Generation and Constellation Commodities Group
No
Constellation Power Generation questions how R5 relates to the SDT’s “summary of concepts”:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around of who will receive the information and how it will be used
However, Constellation Power Generation believes that
security awareness is an important aspect of personnel security and proposes an annual training similar to
what was in the previous standards. Constellation Power Generation therefore recommends two requirement
changes that would achieve security awareness without the burdensome administrative aspects. First, as
stated earlier, a sub requirement in R2 should be added which reads as follows: R2.5 Method(s) for making
operation personnel aware of changes to the Operating Plan. Second, this training requirement should be
rewritten as follows: Each Applicable Entity shall provide training to all operation personnel at least annually.
Consumers Energy
No
Again, either 12 month year or annual year, NERC needs to standardize on one or the other. Training should
apply only to those that must take action relevant to the reliability of the BES. A plan would likely include
notification of senior officers, however they don’t need to be included in drills and training if they have no
active role.
Duke Energy
No
Strike the word “all” in the requirement. All personnel don’t need to be trained - for example, the plan may
contain references to some personnel as potential sources of the information that will then be reported. Also,
Section 5.3 only allows 30 days for training, which may be impossible with rotating shift personnel and training
schedules. 60 days is more appropriate.
Dynegy Inc.
No
The annual training seems excessive especially if there have been no changes. You have included one
exception for contact information revisions; however, it should be expanded to include exceptions for
minor/non-substantial changes. Also, make training requirements (after initial training) be required for
substantive changes only.
E.ON Climate & Renewables
No
Redundant with R4.
Electric Market Policy
No
The need for a periodic training has not been established and appears to be overly restrictive given the intent
of the standard is reporting of impact events. Suggest this requirement be eliminated.
Exelon
No
Exelon doesn’t feel that the 30 day requirement is achievable and recommends an annual review. Training
for all participants in a plan should not be required. Many organizations have dozens if not hundreds of
procedures that a particular individual must use in the performance of various tasks and roles. Checking a
box which states someone read a procedure does not add any value, it is an administrative burden with no
contribution to reliability. It is Exelon’s opinion that training requirements should be covered in the PER
standards and that the audience to be trained should be identified.
R5.4 requires internal personnel that
have responsibilities related to the Operating Plan cannot assume the responsibilities unless they have
completed training. This requirement places an unnecessary burden on the registered entities to track and
maintain a data base of all personnel trained and should not be a requirement for job function. A current
procedure and/or operating plan that addresses each threshold for reporting should provide adequate
assurance that the notifications will be made per an individual's core job responsibilities.
FirstEnergy
No
Requirement R5 and Part 5.1 - The wording in Part 5.1 is too prescriptive and should not require training on
the specific actions of personnel. Also, R5 should not require training for personnel that may only receive the
report and are not required to do anything. Therefore we suggest rewording R5 and 5.1 as follows: "R5. Each
Applicable Entity identified in Attachment 1 shall have a Reporting Plan(s) for identifying, assessing and
reporting impact events listed in Attachment 1 that includes the following components: 5.1 The training
includes the personnel required to respond under the Reporting Plan." Part 5.3 - We suggest removing
subpart 5.3. This requirement is overly burdensome and not necessary. We believe that the requirements for
annual review and update of the plan as well as training sufficiently cover reviews of changes to the plan. Part
5.4 - The last phrase "training shall be conducted prior to assuming the responsibilities in the plan" should
account for emergency situations when the entity does not have time to train the replacement before they are
to assume a responsibility.
Great River Energy
No
We believe that this task should be incorporated into the Job Task Analysis for the System Operators and that
this requirement should be deleted as being redundant.
Idaho Power Company
No
The 30 day Requirement is limited with real time operations. Most entities with real time operations utilize a 5
or 6 week rotating schedule to comply with PER-002. The NERC Continuing Education Program allows up to
60 days to comply, this allows the operating shifts to accommodate training within the operating schedule. The
requirement 5.3 should allow 60 days to complete the training.
Indeck Energy Services
No
It is wholly unreasonable to re-train everyone for each change to the Operating Plan. Suggestion: Clarify that
upon changes to the Operating Plan, the Registered Entity may either require full training, or instead distribute
a summary of the change to affected personnel only.
Independent Electricity System Operator
No
Along the line of our comments on R2 for an Operating Plan (whose need we do not agree with), any training
on developing and providing the report is unnecessary. What matters is that the report is provided to the
needed organizations or entities on time and in the required format according to established procedure. How
this is accomplished goes outside of the purpose of reliability standard requirements.
IRC Standards Review Committee
No
We do not agree with the need for R5. We do not see the need for a standard requirement that stipulates
training the personnel on reporting events. What matters is that the reports are provided to the needed
organizations or entities on time and in the required format according to established procedure. Stipulating a
training requirement to achieve this reporting is micro-managing and overly prescriptive.
ISO New England Inc.
No
The need for a periodic drill has not been established, and appears to be overly restrictive given that the
intent of the standard is reporting of impact events. Suggest this requirement be eliminated. There are
training standards in place that cover these requirements. We agree the relevant personnel should be
“aware” of the reporting requirements. But there is not a need to have a training program with specific time
frames for reporting impact events. Awareness of these reporting requirements can be achieved through
whatever means are available for entities to employ to train on any of the NERC standards, and need not be
dictated by requirements.
Kansas City Power & Light
No
We agree with the need for the Operating plan and the provision of formal training to impacted personnel. We
believe that the personnel references are too open-ended to be productive and measurable. This leaves all
applicable entities open to subjectivity in assessment and may produce a large administrative burden to
demonstrate compliance with no associated benefit to improved reliability.
Luminant Energy
No
Operating Plan revisions communicated through procedure updates and employee acknowledgements of the
same are sufficient when coupled with a procedural training program that occurs according to a programmed
schedule.
Manitoba Hydro
No
The comments in Question 6 and 7 encompass the training aspect of this requirement.
MidAmerican Energy
No
R5.2. The NSRS agrees that to enhance reliability and situational awareness of the BES, the Operating
Plan be trained once per calendar year. R5.3 As detailed in R2, the Operating Plan shall contain provisions for
“identifying, assessing, and reporting impact events”. Where, R2.7 states to update the Operating
We disagree with the need to provide formal training. We could agree with the need to communicate to System
Operators and other pertinent personnel the criteria for reporting so that they know when system events need
to be reported.
Midwest ISO Standards Collaborators
No
We disagree with the need to provide formal training. We could agree with the need to communicate to
System Operators and other pertinent personnel the criteria for reporting so that they know when system
events need to be reported.
MRO's NERC Standards Review Subcommittee
No
R5.2. The NSRS agrees that to enhance reliability and situational awareness of the BES, the Operating Plan
be trained once per calendar year. R5.3 As detailed in R2, the Operating Plan shall contain provisions for
“identifying, assessing, and reporting impact events”. Where, R2.7 states to update the Operating Plan when
there is a component change. The NSRS believes the components of this Operating Plan are 1) identifying
impact events, 2) assessing impact events, and 3) reporting impact events. These components relate to
training when the Operating Plan is revised per, R5.3, only. As written, every memo, simulations, blog, etc
that contain the words “lessons learned” would be required to be in your Operating Plan and trained on every
time one was issued or heard about internally or externally. Recommend that the Operating Plan be revised
and training occurs when a change occurs to the entity’s Operating Plan, consisting of 1) identifying impact
events, 2) assessing impact events, and 3) reporting impact events, only.
North Carolina Electric Coops
No
Requiring training to report of after-the-fact events does not improve the reliability of the BES. We
recommend the elimination of this requirement.
Northeast Power Coordinating Council
No
The need for a periodic drill has not been established, and appears to be overly restrictive given that the
intent of the standard is reporting of impact events. Suggest this requirement be eliminated. There are
training standards in place that cover these requirements. The relevant personnel should be “aware” of the
reporting requirements. But there is not a need to have a training program with specific time frames for
reporting impact events. Awareness of these reporting requirements can be achieved through whatever
means are available for entities to employ to train on any of the NERC standards, and need not be dictated by
requirements.
Pacific Gas and Electric Company
No
PG&E believes 30 days is too restrictive due to real-time operations schedule requirements. The schedule is
six weeks and individuals may be on either long change or vacation and therefore unable to complete the
training within 30 days of the identification of the need. Suggest extending to 60 days to meet the training
criteria which follows the NERC Continuing Education revised submittal date for the Individual Learning
Activities (ILA).
Pacific Northwest Small Public Power Utility Comment Group
No
See #15
PacifiCorp
No
Training required within 30 days of a revision to the Operating Plan is not feasible with 5 or 6 week shift
rotations. A sixty day requirement would be more realistic.
Pepco Holdings, Inc - Affiliates
No
30 days may be too short a time for large entities with multiple subsidiaries to do the necessary notice and
coordination. PHI suggests 90 days.
PNM Resources
No
PNM believes 30 days is too restrictive due to real-time operations schedule requirements. Most work
schedules are either five or six weeks and individuals may be on either long change or vacation and therefore
unable to complete the training within 30 days of the identification of the need. Based on the NERC
Continuing Education revised submittal date for the Individual Learning Activities (ILA), PNM would
recommend 60 days. Creating an Impact Event Report is duplicative and redundant and the WECC OTS feels
this is not necessary.
PPL Electric Utilities
No
We agree with the need for training on one’s process. However, we suggest changes to R5.3. Consider
expanding the exception criteria to exempt non-substantive changes such as errata changes, minor editorial
changes, contact information changes, etc. We also suggest saying ‘...,training shall be conducted, or
notification of changes made, within 30 days of the procedure revisions.’
PPL Supply
No
We generally agree with R5 but recommend two changes to 5.3. Consider expanding the exception criteria to
exempt non-substantive changes such as errata changes, minor editorial changes, contact information
changes, etc. Also, consider changing "training shall be conducted" to "training or communication/notification
of changes shall be conducted."
Puget Sound Energy
No
The fact that proposed requirement R2 will require frequent updates to the operating plan means that the
training required under this plan will occur quite frequently as well, leading to operator confusion. Even the
comment allowing a review and “sign-off” will not completely mitigate this result.
RRI Energy, Inc.
No
1. This Requirement is structured to result in the same heavy-handed, zero-tolerance approach that has
made CIP-004 one of the top three violated Reliability Standards. The failure in CIP-004 is that, for example,
a seven-year background check or annual training program that is tardy by one day results in a violation.
There is no margin of error, proviso, or cure scenario. Likewise, the proposed R5 in EOP-004-2 makes it a
violation if someone takes their newly established training on the day after the end of 15 months. Systems
configurations are often based on quarterly monitoring for individuals needing to take training. In addition,
when dealing with potentially thousands of employees, it is inevitable that any one of hundreds of reasons
might result in an employee not being included in the tracking system, and rolling past the 15th month.
RECOMMENDATION: To avoid further burden to Regional Entity audit and enforcement personnel as has
been the case in CIP-004, develop a cure process that allows the Registered Entity to correct the training or
background check tardiness with prompt correction, fill out a notification report to submit to NERC, and
proceed with protecting the reliable operation of the BES, rather than tying up Registered Entity and Regional
Entity staffs with data requests, enforcement paperwork and administrative actions. 2. The proposed R5.3
requires the entire applicable staff to redo the entire training within 30 days of a change to the Operating Plan.
These Operating Plans will not be short documents, and formal training will not involve a 5 minute soundbite.
However, for such a significant procedure as the Operating Plan, frequent changes and revisions are going to
be very common, especially given the likelihood of frequent clarifications, Compliance Action Notices
("CANs"), and lessons learned issued by NERC and Regional Entities over this very detailed set of new
obligations. It is not unreasonable to expect a Registered Entity to make three or more revisions to their
Operating Plan in a year, which would require training for thousands of employees three times a year, for
what might amount to a single sentence revision. Furthermore, the obligation to retrain on the entire training
program is not limited in this requirement to only those individuals impacted by the revision. Where a change
or revision only impacts 3 possible employees, this standard would require a company with 1,500 employees
subject to the Operating Plan to retake the entire training. RECOMMENDATION: Clarify that upon changes to
the Operating Plan, the Registered Entity may either require full training, or instead distribute a summary of
the change(s) via email to affected personnel only.
Santee Cooper
No
The concept of requiring training on reporting of after-the-fact events does not support or enhance bulk
electric system reliability. We recommend the elimination of this requirement.
SERC OC Standards Review Group
No
While we support training on an annual basis for the operating plan, the concept of requiring training on
reporting of after-the-fact events does not support or enhance bulk electric system reliability. We recommend
the elimination of this requirement.
Southern Company - Transmission
No
We suggest that the time frame be changed to 60 or 90 days in 5.3. 5.4 needs to have a time frame
associated with it; we suggest that it be 60 or 90 days.
Tenaska
No
This Requirement is too specific and places additional burdens on Registered Entities.
TransAlta Corporation
No
Measure M5 states applicable entities shall provide training material presented... This measure is unclear as
to whether the meaning is for internal personnel or to be provided to external entities upon request? Please
clarify.
US Bureau of Reclamation
No
The measure is vague and redundant. The Entity is required to provide information to be used to "verify
content". The information may be used to demonstrate compliance but who will verify the content is adequate
and on what basis. Secondly, the measure requires training information be provided twice, once to
demonstrate who participated and then to show who was trained. This is all unnecessary and could be
remedied by simply stating that "evidence shall demonstrate that all individuals listed in the plan have
received training on their role in the plan"
We Energies
No
Please clarify who is to be trained. As written, R5 requires any internal personnel identified in the plan,
including CEO, Vice Presidents, etc., to be trained.
WECC
No
Thirty days is too restrictive due to real-time operations schedule requirements. Most work schedules are
either five or six weeks and individuals may be on either long change or vacation and therefore unable to
complete the training within 30 days of the identification of the need. Based on the NERC Continuing
Education revised submittal date for the Individual Learning Activities (ILA), the requirement should be
changed to require training to be conducted within 60 days.
Bonneville Power Administration
Yes
There was no training required for CIP-001 or in CIP-008. (The proposed EOP-008 purpose did not list
incorporating CIP-008). Training was not really needed for reporting Electrical Grid events.
ERCOT ISO
Yes
ERCOT ISO believes the content of training can include an exercise or drill.
United Illuminating
Yes
R5.3 coupled with the rationale provided is a sensible approach. It is important that the rationale is not
forgotten.
Ameren
Yes
American Electric Power (AEP)
Yes
City of Austin dba Austin Energy
Yes
Georgia System Operations Corporation
Yes
NERC Staff
Yes
PacifiCorp
Yes
8. Do you agree with the requirement R6 and measure M6? Please explain in the comment box below.
Summary Consideration:
There was no consensus amongst stakeholders who responded to this question regarding agreement
with the originally proposed Requirement R6 and Measure M6. (Note: R6 has been moved to R5 in the revised standard.) The DSR SDT
did a full review based on comments that were received. Many comments indicated concerns with the reporting timelines within
Attachment 1. (The DSR SDT has addressed those comments in response to Question 10.)
Several commenters wanted the ability to report impact events to their responsible parties via the DOE Form OE-417. Following
discussions with the DOE and NERC, the DSR SDT has added the ability to use the DOE Form OE-417 when the same or similar
items are required to be reported to NERC and the DOE. This will reduce the need to file multiple forms when like items must be
reported to the DOE and NERC for the same impact event. The underlying fact is that impact events are to be reported within
prescribed guidelines, thus providing industry awareness and starting any analysis process. R5 is now streamlined to read:
R5. Each Responsible Entity shall report Impact Events in accordance with the Impact Event Operating Plan pursuant to
Requirement R1 and Attachment 1 using the form in Attachment 2 or the DOE OE-417 reporting form.
Organization
Yes or No
Question 8 Comment
American Electric Power (AEP)
No
It is not clear how this is different from R3 since it relies on the same timetable in Attachment 1.
CenterPoint Energy
No
CenterPoint Energy does not agree with R6 and M6 as written as we do not agree with the requirement to
develop and maintain an Operating Plan (see comments to Q4 above). In addition CenterPoint Energy does
not agree with the timelines required in Attachment 1 (see comments on Q10). CenterPoint Energy offers the
following alternate language: “Each Applicable Entity shall report events outlined in Attachment 1 to
applicable entities including but not limited to; NERC, and appropriate law enforcement agencies."
City of Garland
No
1. The reporting requirements should not be expanded beyond CIP 001 and EOP 004-1. The goal for
combining the two should be to make the process more efficient - not add on extra requirements for
procedures on how to report, drills on reporting, training on reporting, etc. 2. The timelines requiring 1 hour
reporting to the ERO are not needed and provide little realtime benefit to the BES. Real time or near real time
reporting for “people on the ground” such as the RC, BA, TOP, FBI, Local Law Enforcement, DOE, etc. is
necessary. They are in a position to take action in response to an event. On page 5, it states “The proposed
standard deals exclusively with after-the-fact reporting.” 1 Hour reporting requirements to the ERO in addition
to existing reporting are not reasonable “after-the-fact” reporting requirements in the midst of an emergency.
Also, there is not a 24X7 ERO center to report events to - why build and staff one when they already exist at
the RC, BA, TOP, DOE, FBI, Local Law Enforcement, etc. - An ERO 24X7 center would be extra overhead
that would provide no additional benefit in the first hour or hours of an emergency.
Consolidated Edison Co. of NY, Inc.
No
R2 requires applicable entities to have an Operating Plan which are company specific procedures and
process required to be compliant with EOP-004. Therefore, R6 should be deleted since it is redundant with
R2.
Electric Market Policy
No
Entities are already required by other agencies (e.g., DOE, NRC) to report certain events. We see no need to
develop redundant reporting requirements in the NERC arena that cross other federal agency jurisdictions.
ERCOT ISO
No
ISO recommends the following changes to the language of the requirement. R6. Each Applicable Entity shall
report impact events in accordance with Attachment 1.
Exelon
No
The time durations in the attachment are too short, it would be impossible to collect all the data necessary to
report out on an impact event in the defined time to report. The SDT should evaluate each event for the most
appropriate entity responsible to ensure there is minimal confusion on who has the responsibility and
eliminate duplication of reporting when feasible.
FirstEnergy
No
M6 - NERC's system should be capable of making this evidence available for the entities and provide a
"return-receipt" of the reports that we send them. Also, M6 should be revised to state "Applicable Entities" as
opposed to "Registered Entities".
Great River Energy
No
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is
not reasonable as an entity may still be dealing with the event. This will be particularly difficult when support
personnel are not present such as during nights, holidays and weekends.
Indeck Energy Services
No
---This is the first mention of the time lines in Attachment 1. If they are part of the standard, then they
should be incorporated to the Operating Plan in R2 and then need not be mentioned again, only compliance
with the plan. ---In M6, the last part, "evidence to support the type of impact event experienced; the date and
time of the impact event ; as well as evidence of report submittal that includes date and time" is redundant.
All of that should be in the report to NERC. If not, then it's not important to keep.
Independent Electricity System Operator
No
We agree with having a requirement to report impact events in accordance with the timelines outlined in
Attachment 1, but not with the requirements indicated in R2.
IRC Standards Review Committee
No
There is not a need for an Operating Plan as proposed. This is not truly an Operating Plan. There are
already other standards which create the requirements for an Operating Plan. This is an administrative
reporting plan and any associated impact upon reliability is far beyond real-time operations.
ISO New England Inc.
No
Entities are already required by other agencies (e.g., DOE, NRC) to report certain events. We see no need to
develop redundant reporting requirements for NERC that cross other federal agency jurisdictions. There is no
need for an Operating Plan as proposed. This is not truly an Operating Plan. There are already other
standards which create the requirements for an Operating Plan. This is an administrative reporting plan and
any associated impact upon reliability is far beyond real-time operations which is implied by the label
“Operating Plan.”
Kansas City Power & Light
No
We believe R3 and M3 are unnecessary as a stand alone requirement and measure and propose combining
these requirements with R6 and M6. Identifying and assessing the initial probable cause of an impact event
is the obvious starting point in the reporting process and ultimate completion of the required report. Evidence
to support the identification and assessment of the impact event and evidence to support the completion and
submittal of the report are really one in the same.
MidAmerican Energy
No
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is
not reasonable as an entity may still be dealing with the event. This will be particularly difficult when support
personnel are not present such as during nights, holidays and weekends.
Midwest ISO Standards Collaborators
No
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is
not reasonable as an entity may still be dealing with the event. This will be particularly difficult when support
personnel are not present such as during nights, holidays and weekends.
North Carolina Electric Coops
No
There is already a DOE requirement to report certain events. NERC should not be developing redundant
reporting requirements when this information is already available at the federal level from other agencies.
Northeast Power Coordinating Council
No
Entities are already required by other agencies (e.g., DOE, NRC) to report certain events. We see no need to
develop redundant reporting requirements for NERC that cross other federal agency jurisdictions. There is no
need for an Operating Plan as proposed. This is not truly an Operating Plan. There are already other
standards which create the requirements for an Operating Plan. This is an administrative reporting plan and
any associated impact upon reliability is far beyond real-time operations which is implied by the label
“Operating Plan”.
Pacific Gas and Electric Company
No
PG&E believes that if the standard is intended to be an after the fact report, we question the one and/or
twenty-four hour reporting criteria and then the 30 day criteria?
Pacific Northwest Small Public Power Utility Comment Group
No
See #15
PNM Resources
No
PNM believes there seems to be redundancy in reporting based on the time frames in Attachment 1, i.e. OE-417
and other required reports. If this standard is intended to be an after the fact report, why is there
one/twenty-four hour reporting criteria?
PPL Electric Utilities
No
We understand the rationale for this standard and support the project to combine EOP-004 and CIP-001 as
well as the reporting requirement in CIP-008. We are concerned that it may be difficult to meet Attachment 1
Part B Potential Reliability Impact submittal times as the time to submit is 1 or 24 hour after occurrence. E.g.
Risk to BES equipment, the example given is a major event and easy to conclude. Consider forced intrusion,
risk to BES equipment (increased violence in remote area), or cyber intrusion - should Attachment 1 state
‘report within 24 hours after detection’?
PPL Supply
No
It may be difficult to meet Attachment 1 Part B Potential Reliability Impact submittal times as the time to
submit is 1 or 24 hours after occurrence. Consider changing the Time to Submit Report for Forced intrusion,
Risk to BES equipment, and Detection of a cyber intrusion to be "report within 24 hours after detection".
RRI Energy, Inc.
No
RECOMMENDATION: Clarify that the reporting of impact events shall be to those entities identified in the
Operation Plan section developed specifically in Section 2.6. Reference to Attachment 1 indicates reporting
to "external" parties is the intent for R6.
Santee Cooper
No
If the DOE form is going to continue to be required by DOE, then NERC should accept this form. Entities do
not have time to fill out duplicate forms within the time limits allowed for an event. This is burdensome on an
entity
SERC OC Standards Review Group
No
There is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
Southern Company - Transmission
No
The time to submit report column needs to be more flexible with time frames.
Tenaska
No
The reporting timelines are currently listed on the OE-417 form. This Requirement is redundant.
TransAlta Corporation
No
R6 should reference Attachment 2 to make it clear that this report form must be used. M6 seems to be
requesting evidence that the Confidential Impact Event Report was submitted. TransAlta suggests the
submission of the actual report is evidence the report was submitted. Records of this submission can be
provided on request. Web Reports Project 2009-01 has indicated online reporting is the direction they are
going. If the impact report becomes an online Web report the entity submitting the report has no way of
confirming the report ended up at the Compliance Enforcement Authority office after it is submitted. There
needs to be some method that demonstrates the report was submitted and received.
We Energies
No
The proposed definition of “impact event” needs to be clarified.
WECC
No
There seems to be redundancy in reporting based on the time frames in Attachment 1, i.e. OE-417 and other
required reports. If this standard is intended to be an after the fact report, why is there one/twenty-four hour
reporting criteria?
Arizona Public Service Company
Yes
AZPS believes that Operating Plan should be replaced with "Event Reporting Plan."
ATC
Yes
ATC does agree that applicable entities report on events identified in Attachment 1 (See our comments about
Attachment 1), but we do not agree that applicable entities should be required by this standard to have an
Operational Plan. Please see our comments to question 4.
BGE
Yes
Comments for clarification: R6. Use of Capital letters in Operating Plan makes it unnecessary to state "created
pursuant to Requirement 2
Bonneville Power Administration
Yes
The requirement needs to specify who (ERO) to report to. Attachment 1 doesn’t say to report to the ERO
either. Clarify or remove the difference between the report submitted and evidence of the type of impact
event required in the measurement.
Georgia System Operations Corporation
Yes
It directly supports the purpose of the standard.
Green Country Energy
Yes
Now this is an excellent example of all that is needed for this requirement!
Manitoba Hydro
Yes
Attachment 1 details the impact events and the thresholds of which they should be reported.
Puget Sound Energy
Yes
It is assumed that for the purposes of M6, NERC and the regions would already have access to these reports.
Ameren
Yes
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Constellation Power Generation and Constellation Commodities Group
Yes
Duke Energy
Yes
Dynegy Inc.
Yes
Idaho Power Company
Yes
Luminant Energy
Yes
MRO's NERC Standards Review Subcommittee
Yes
NERC Staff
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
United Illuminating
Yes
US Bureau of Reclamation
Yes
9. Do you agree with the requirements for the ERO (R7-R8) or is this adequately covered in the Rules of Procedure (section 802)?
Please explain in the comment box below.
Summary Consideration:
There was no consensus amongst the commenters who responded to this question. The DSR SDT did a
full review based on comments that were received. The DSR SDT has determined that R7 and R8 are not required to be within a
NERC Standard since Section 800 of the Rules of Procedure already assigns this responsibility to NERC. The DSR SDT, the Events
Analysis Working Group (EAWG), and NERC Staff (to include NERC Senior VP and Chief Reliability Officer) had an open discussion with
this item being a major topic. The DSR SDT and EAWG are working in coordination with each other to provide NERC Staff with
updated language for future inclusion into the Rules of Procedure. NERC Staff, the EAWG and the DSR SDT all supported this new
initiative.
Organization
Yes or No
Question 9 Comment
Ameren
No
NERC's current heavy case load should justify reviewing the impact review table only once every 2 years.
ATC
No
ATC feels the ERO obligations should be covered in the Rules of Procedure. We do not agree with the
requirements assigned to the ERO, but believe that they should be incorporated into the ERO’s Rules of
Procedure
BGE
No
R7. Make Impact Event Table all Capital Letters (it is a title).
R8. Is the term "reportable impact events" new or is impact event intended to be capitalized?
R8. Does a quarterly report of the year’s reportable impact events include 12 months of "reportable impact
events"? This is confusing.
R8. In the Rationale for R8 Impact Events appears with Capital letters - why now? Shouldn’t it appear with all
Capital letters throughout the document as it is a defined term?
R8. There are no previous requirements to report threats (R8.3) or lessons learned (R8.5) or trends (R8.2) to
an ERO. Is this information from reports to the ERO or from ERO research?
CenterPoint Energy
No
CenterPoint Energy does not believe this requirement is necessary; however, if the SDT insists on keeping
this requirement then CenterPoint Energy believes it should remain as written. Any change to Attachment 1
should go through the Reliability Standards Development Procedure.
Consolidated Edison Co. of NY, Inc.
No
See response to Question 2
Requirement 7
Delete the words “and propose revisions to”
Following the words (Attachment 1) add a period.
Following that period add the words “The ERO shall revise the table”
Requirement 8
RECOMMEND DELETION OF R8 - CONFIDENTIALITY CONCERNS WILL MAKE
ESTABLISHING A PUBLICATION REQUIREMENT EXTREMELY CHALLENGING.
Constellation Power Generation and Constellation Commodities Group
No
The impact event table (Attachment #1), as part of a standard, would have to be FERC approved every time it
is edited. That would cause it to go through NERC’s Standard Development Process, and would cause a
revision to the standard each time. This will also cause revisions to each and every registered entity’s
Operating Plan. Overall, this requirement causes a large administrative burden on all entities, and does not
improve reliability. As stated earlier, the “summary of concepts” for this latest revision, as written by the SDT,
includes the following items:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of
regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around who will receive the information and how it will be used
Requirement 7 and 8 do not address any of these items. Furthermore, for R8, it is requiring NERC to send out quarterly
reports, yet entities are supposed to amend their Operating Plans based on an annual NERC report. This
requirement is confusing and is not consistent with earlier requirements. Constellation Power Generation
believes that these two requirements should be removed.
Electric Market Policy
No
Having the ERO as an applicable entity is concerning as they are also the compliance enforcement authority.
ERCOT ISO
No
Recommend that the Electric Reliability Organization be removed. The Electric Reliability Organization should
not be responsible for reliability functions and therefore should be excluded from reliability standards.
FirstEnergy
No
FE disagrees with the ERO as an applicable entity within a reliability standard. See our responses to
Questions 2 and 3 above. We do not believe the desired ERO process is adequately covered in section 802.
Section 802 deals with assessments and not event reporting.
Georgia System Operations Corporation
No
It should not be necessary for the ERO to require itself to do these things. NERC's authority should be
sufficient to do these things as part of its mission. With quarterly trending and analysis of threats,
vulnerabilities, lessons learned, and recommended actions in R8, R7 (an annual review) should not be
necessary. The quarterly activity could include proposing revisions to Attachment 1 if warranted. An alternative
would be to perform annual trending and analysis of threats, vulnerabilities, lessons learned, recommended
actions, and proposed revisions to Attachment 1 if warranted. Also, the Reliability Standards Development
Procedure has been replaced with the Standard Processes Manual.
Indeck Energy Services
No
Reviewing Attachment 1 annually is unnecessary. Events don't change much and if they do, a SAR is
needed to consider the changes. NERC should not be included in any standard!
Independent Electricity System
Operator
No
We agree with the need to update the list as needed, but it does not have to be the ERO who takes on a
reliability standard to do so. It can simply be an annual project in the standards development work plan to
review Attachment 1 as part of a standard. The industry will then be provided an opportunity to weigh on the
changes. Also, we do not see the reliability results or benefits of R8. The ERO can issue the report quarterly
but who are audiences? What reliability purpose does it serve if no further actions are pursued upon receiving
the report? Can this be done as a standing item for the ERO at, say, the BoT meeting? Or, can this be a part
of the quarterly communication from the ERO to the industry? To make this a reliability standard is an overkill,
and does not conform with the results-based standard concept. From our perspective, both R7 and R8 can
be removed, and the ERO can be removed from the Applicability Section as well.
IRC Standards Review Committee
No
We do not support an annual time frame to update the events list. The list should be updated as needed
through the Reliability Standards Development Process. Any changes to a standard must be made through
the standards development process, and may not be done at the direction of the ERO without going through
the process.
ISO New England Inc.
No
Having the ERO as an applicable entity raises concern as it is also the compliance enforcement authority.
Requirement R7 is unnecessary as there are already requirements in place for three year reviews of all
Standards. R8 contains requirements to release information that should be protected, such as identification
of trends and threats against the Bulk Electric System. This may trigger more threats because it will be
published to unwanted persons in the private sector. We do not support an annual time frame to update the
events list. The list should be updated as needed through the Reliability Standards Development Process.
Any changes to a standard must be made through the standards development process, and may not be done
at the direction of the ERO without going through the process.
Kansas City Power & Light
No
We agree with the rationale for R8 requiring NERC to analyze Impact Events that are reported through R6
and publish a report that includes lessons learned but disagree with R2.9 obligating an entity to update its
Operating Plan based on applicable lessons learned from the report. Whether lessons learned are applicable
to an entity is subjective. If an update based on lessons learned from an annual NERC report is required, the
requirement should clearly state the necessity of the update is determined by the entity and the entity’s
Reliability Coordinator or NERC can not make that determination then find the entity in violation of the
requirement. In addition, if an update based on lessons learned from a NERC report is required, NERC
should publish the year-end report (R8) on approximately the same day annually (i.e. January 31) and allow
an entity at least 60 days to analyze the report and incorporate any changes it deems necessary in its
Operating Plan. Again, the language referencing annual and quarterly in these two requirements is
confusing.
Manitoba Hydro
No
Rules of Procedure appear to have a different focus than R7 and R8.
Briefing on Rules of Procedure 802
Assess, review and report on:
1.1 overall electric operation
1.2 uncertainties and risks
1.3 self assessment of supply and reliability
1.4 projects on customer demand
1.5 impact of evolving electric market practices
that could affect the present and future of the BES
Briefing on R7 and R8
R7 - ERO shall review and propose revisions to Attachment 1
R8 - ERO shall publish quarterly reports on trends, threats, vulnerabilities, lessons learned and
recommended actions.
Midwest ISO Standards Collaborators
No
We do not agree with the requirements and we do not believe it is adequately covered in section 802. First,
section 802 deals with assessments not event reporting. Secondly, since attachment 1 is part of a standard,
it should not be modified outside of the Reliability Standards Development process.
NERC Staff
No
NERC staff believes that requirements R7 and R8 are not needed because they are intrinsic expectations
from its Rules of Procedure. Furthermore, these elements are necessary for analysis in support of the
Reliability Metrics efforts NERC is leading under its Reliability Assessment and Performance Analysis
program.
North Carolina Electric Coops
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority.
Northeast Power Coordinating Council
No
Having the ERO as an applicable entity raises concern as it is also the compliance enforcement authority.
Requirement R7 is unnecessary as there are already requirements in place for three year reviews of all
Standards. R8 contains requirements to release information that should be protected, such as identification
of trends and threats against the Bulk Electric System. This may trigger more threats because it will be
published to unwanted persons in the private sector. We do not support an annual time frame to update the
events list. The list should be updated as needed through the Reliability Standards Development Process.
Any changes to a standard must be made through the standards development process, and may not be done
at the direction of the ERO without going through the process.
Puget Sound Energy
No
This is adequately covered by section 802 of the Rules of Procedure. There seems to be some conflict
between R2.9 and R8 regarding timeframes and the specific elements required.
Santee Cooper
No
Standards cannot be applicable to an ERO because they are the compliance enforcement authority, and the
ERO is not a user, owner, or operator of the BES.
SERC OC Standards Review Group
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority. The
governance in this situation appears incomplete.
United Illuminating
No
The rules of procedure adequately cover this.
US Bureau of Reclamation
No
Requirements 7 and 8 are covered in the Section 801.801. Objectives of the Reliability Assessment and
Performance Analysis Program. The objectives of the NERC reliability assessment and performance analysis
program are to: (1) conduct, and report the results of, an independent assessment of the overall reliability and
adequacy of the interconnected North American bulk power systems, both as existing and as planned; (2)
analyze off-normal events on the bulk power system; (3) identify the root causes of events that may be
precursors of potentially more serious events; (4) assess past reliability performance for lessons learned; (5)
disseminate findings and lessons learned to the electric industry to improve reliability performance; and (6)
develop reliability performance benchmarks. The final reliability assessment reports shall be approved by the
board for publication to the electric industry and the general public.
Bonneville Power Administration
Yes
R2.9 language refers to R8 “annual” report; however R8 language is “quarterly” reporting. It appears this
standard is going to be in an update status 4 times per year minimum, plus any event modifications plus
personnel changes. Overly burdensome.
City of Garland
Yes
R7 - Yes as long as any changes to attachment 1 follow the “Reliability Standards Development Procedure.”
R8 - Yes as long as R8.6 is strictly “recommended actions.” They should not become “required actions” as
this bypasses the standard development process.
Duke Energy
Yes
However, R8 only addresses quarterly reports, and R2 Section 2.9 states that there will be an annual report.
Green Country Energy
Yes
I realize this is another burden for the ERO but the information would be good to know what is going on
outside the plant.
Luminant Energy
Yes
Continually refining the Impact Event table to better define which events should be reported would be
extremely valuable. Section 802 does not adequately require such refinement, thus R7 and R8 are
appropriate inclusions to this standard.
MRO's NERC Standards Review Subcommittee
Yes
RRI Energy, Inc.
Should read “In accordance with Sections 401(2) and 405 of the Rules of Procedures, the ERO can be set as
an applicable entity in a requirement or standard”. As stated in the text box.
Yes
We support the concept that Reliability Standard requirements and obligations that are subject to violations
and penalties should all be contained in the four-corners of the Reliability Standard. If an obligation exists in
the Rules of Procedures that creates a stand-alone responsibility that is subject to violation and penalty, it
should be removed from the Rules of Procedure and inserted into the appropriate Reliability Standard.
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Dynegy Inc.
Yes
Great River Energy
Yes
Idaho Power Company
Yes
MidAmerican Energy
Yes
Pacific Gas and Electric Company
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PNM Resources
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
Southern Company - Transmission
Yes
TransAlta Corporation
Yes
We Energies
Yes
WECC
Yes
10. Do you agree with the impact event list in Attachment 1? Please explain in the comment box below and provide suggestions for
additions to the list of impact events.
Summary Consideration: Most commenters who responded to this question disagreed with some aspect of Attachment 1 –
most commenters provided specific suggestions for improvement. The DSR SDT did a full review based on comments that were
received. The DSR SDT, the Events Analysis Working Group (EAWG), NERC Staff (to include NERC Senior VP and Chief Reliability
Officer) had an open discussion with this item being a major topic. The EAWG and the DSR SDT aligned Attachment 1 with the Event
Analysis Program category 1 analysis responsibilities. This will assure that impact events in EOP-004-2 reporting requirements are
the starting vehicle for any required Event Analysis within the Event Analysis Program. The DSR SDT agrees that there are similar
items in the DOE Form OE 417 and EOP-004-2. DOE, NERC and the DSR SDT are in initial talks to try and reduce duplicate reporting
requirements. Until such time in the future that a new process is established between the DOE and NERC, the DSR SDT has revised
the standard to indicate that the use of either the DOE Form OE 417 or Attachment 2 is an acceptable reporting form for applicable
entities. The DSR SDT reviewed the “hierarchy” of reporting within Attachment 1. To reduce multiple entities reporting the same
impact event, the DSR SDT has stated that the entity that performs the action or is directly affected by an action will report per
EOP-004-2. As an example, during a system emergency, the TOP or RC may request manual load shedding by a DP or TOP. The DP or TOP
would have the responsibility to report the action that they took if they meet or exceed the bright-line criteria established in
Attachment 1. Upon reporting, NERC Event Analysis Program would be made aware of the impact event and start the EA Process
which is outside the scope of this Standard.
Several bright-line criteria were removed from Attachment 1. These criteria (DC converter station, 5 generator outages, and
frequency trigger limits) were removed after discussions with the EAWG and NERC staff, who concurred that these items should be
removed from a reporting standard and analysis process.
Organization
Yes or No
Question 10 Comment
WECC
For strictly after-the-fact reporting the list of Attachment 1 is appropriate. However, as noted in our earlier
comments, actual or suspected sabotage events can have a potentially significant impact on reliability and
should be treated differently, with additional real-time reporting requirements. It is important that such events
be identified and recognized for reliability purposes and that notices include the RC.
Ameren
No
We have numerous comments about the Attachments. (1) What are the requirements for "verbal" reporting
to NERC and Regional entities? (2) What are the requirements for a "Preliminary" Impact Event Report? (3)
The Voltage Deviations Event is unclear (a) Are these consecutive minutes? (b) Where is the voltage
measured? (generator terminals? Point of Interconnections? Anywhere?) (c) must each Entity report
separately? (d) What is the +/- 10% measured against (Generator Voltage Schedule?) (4) For Generation loss
events how is an "entity" defined? (a corporate parent? each registered entity? other?) (5) Are the "Examples"
in the Attachment 1 - Part A really Examples, or mandatory situations? (6) Can you define "Damage"? (7)
Can you define "external cause"? (8) Can you give examples of "non-environmental external causes"? (9)
The footnote 1 reference for "Damage or destruction of BES equipment" doesn't match up with the a. and b.
footnotes or the 1. footnote of Attachment A - Part B. (10) How is the Operator supposed to determine what
Event affects the reliability of the BES fast enough to decide whether or not to report? (11) is the Loss of off-site
power (grid supply) event to a nuclear plant already covered by NUC-001? (12) What are "critical cyber
assets" since CIP-002-4 will eliminate that term? (13) When is Attachment 2 supposed to be used? (14) What
is meant by the word "Confidential" in the title of the Attachment 2 report? How would the SDT propose a
GO/GOP handle the reporting for the following situation? A CTG unit is dispatched and the unit is started,
synchronized and put on the bus. Immediately the Operator receives a high gas alarm from the GSU. The
Operator quickly shuts the unit down and de-energizes the GSU. There are no relay targets and no obvious
reason for the problem. After several weeks of analysis it's determined there was an internal fault in the GSU
and it must be replaced. How would the SDT recommend all the reporting requirements in this situation be
addressed with the current draft?
American Electric Power (AEP)
No
Are the times listed for the initial probable reporting under R3 or the reporting under R6? Many of these items
do not constitute emergency conditions. We view many of these as too onerous and would divert operating
staff from monitoring and operating the BES. In addition, some terms (i.e. Frequency Trigger Limits) are not
currently defined terms. Furthermore, there are existing requirements that have obligations for entities to
provide this information to the RC. For example “Detection of a cyber intrusion to critical cyber assets” is
already covered under CIP-008. This creates duplicate (and potentially competing) requirements. AEP also
contends that some of the timelines are very aggressive and not consummate with perceived need for the
information. Transmission loss of multiple BES transmission elements (simultaneous or common-mode
event) within 24 hours after occurrence is overly aggressive and should provide more specific criteria.
Arizona Public Service Company
No
AZPS believes that the list in Attachment 1 would be complete, as long as the text box of examples is
included. The examples demonstrate what is necessary.
ATC
No
ATC has several areas of concern regarding Attachment 1.
1. The one hour requirement for reporting will take the Functional Entities’ focus off of addressing the
immediate reliability issues and instead force the FE to devote valuable resources to filling out forms which
will potentially reduce reliability.
2. Part A:
a. Provide a definition of “system wide” for the Energy Emergency requiring system-wide voltage reduction.
b. Add in the clarity that for Energy Emergency requiring firm load shed pertains to a single event, not
cumulative events.
c. Insert the word “continuous” for Voltage Deviations.
d. Take off the TOP for IROL violations. (We believe that an IROL violation should be reported by the RC and
not by the TOP based on the nature of the event. Requiring both the RC and TOP to report will only result in
multiple reports for a single event. The RC is in the best position to report on an IROL violation for its RC
area.)
e. Take off the TO, TOP and add the LSE for Loss of Firm Load. (As a transmission only company ATC does not
have contracts with end load users. Because of this the Loss of Firm Load should be the reporting obligations
of the entity closest to the end load users which is the BA, DP or LSE. Failure to modify this requirement will
cause confusion as to which entity has to report Loss of Firm Load.
f. Define a timeframe for Generation Loss
g. Multiple should be changed to “4 or more” for Transmission Loss. (ATC is concerned that this would require
reporting of events that have little or no industry wide benefits but would take up considerable Registered
Entity resources.)
h. Provide clarity to and tighten the definition of Damage or destruction of BES equipment. The way it is
written now would require over-reporting of all damaged or destroyed equipment due to a non-environmental
external cause (e.g. broken insulator).
3. Part B:
a. Take off the TO and TOP for Loss of off-site power. (The GOP has the responsibility to acquire off-site
power and we believe it is the GOP’s sole responsibility to report the Loss of off-site power. Failure to correct
this would result in multiple reporting for the same event.)
b. Take off RC for Risk to BES equipment. (The RC function does not own BES equipment and we believe it is
impossible for them to report on risk to BES equipment if they are not the owner or operator of that
equipment. This standard should be required of the entity that owns/operates BES equipment.
c. Provide guidance to the phrase “reasonably determine” in footnote.
d. Examples provided do not provide a clear obligation for an entity to follow. (Question: How close is the train
to the substation? (Inches away from the substation fence, ten feet away from the substation fence or 500 feet
away from the substation fence.) In addition, this standard is so open to interpretation that no entity can
demonstrate compliance with the action. We believe that the only solution is to delete this reporting
requirement.
Overall: Multiple Functional Entities impacted by the same event are required to report. No lead entity is
identified. This will result in multiple reports of the same event. ATC does not believe that this built-in
duplicity enhances reliability?
ATCO Electric Ltd.
No
Attachment 1: Part A - Transmission Loss: Only sustained outages should be reportable. Also the reporting
threshold needs to be quantified for impact events, for example: a) Size of DC converter Station > 200 MW. b)
Impact of loss of multiple BES transmission elements in terms of significant load (> 200 MW for > 15 min).
BGE
No
TOP determines "system-wide" voltage reductions; why place this responsibility on a TO or DP?
- Load Shedding is automatic load shedding; why 100MW? Does a DP need to provide a Report when directed by
the RC, BA or TOP to shed load or reduce voltage?
- Need to define a "BES Transmission Element".
- Table shows multiple entities in "Entity with Reporting Responsibility"; is it one or is it all entities report?
- In an audit who determines "reasonably determined likely motivation"
- No examples should be included in the standard!
- Is it justified to expect to have "motivation" knowledge within one hour of an event?
- Why are the Responsible Entities reporting Interruptible Demand tripped / lost?
Bonneville Power Administration
No
BPA suggests the following: Change loss of multiple BES to 3 or more. Loss of a double circuit configuration
due to lightning doesn’t need a report (it’s a studied contingency). Add qualifier to damage/destruction of
BES equipment, since a failed PCB or a system transformer normally doesn’t have a MAJOR impact to the
grid. Add qualifier to Loss of “ALL” off-site power affecting nuclear... The unplanned evacuation of control
center is a busy time for the backup control center, yet this standard requires 1 hour reporting. Suggest
changing to 24 hours.
CenterPoint Energy
No
CenterPoint Energy appreciates the efforts of the SDT in identifying the entity with reporting responsibility.
This is an improvement to the event table. CenterPoint Energy is concerned with multiple entities being listed
as having Reporting Responsibility. CenterPoint Energy recommends the SDT limit this to one entity having
responsibility for reporting each event. This would not preclude that entity from coordinating with other entities
to gather data necessary to complete the report. In addition, CenterPoint Energy believes there are several
events that should be removed from the list. “Transmission Loss” is covered by the TPL standards and does
not need to be identified or reported under EOP-004. The loss of a DC converter station or multiple BES
transmission elements may or may not disrupt the reliable operation of the BES, i.e. result in blackout,
cascading outages, or voltage collapse. Likewise “Damage or destruction of BES equipment” in and of itself
should not be the subject of reporting. If the damage or destruction results in true disruption to the reliable
operation of the BES, that impact would be reported under one of the other identified events. “Voltage
Deviations” is another unnecessary event. CenterPoint Energy believes a voltage event of the proposed
magnitude will, more than likely, result in other events identified in Attachment 1 such as; IROL Violation or
Generation Loss and would be reported under one of those triggers. Another concern is the threshold trigger
of +/- 10% for 15 minutes or more. CenterPoint Energy is unclear as to the starting point to determine the
deviation. In other words is the 10% deviation from nominal voltage, such as 138kV or 345kV, or the actual
voltage at the time of the event? Additionally, must the deviation occur over a “wide area” or is such a
deviation at one bus enough to trigger a report? Based upon these ambiguities and concerns CenterPoint
Energy recommends “Voltage Deviations” be deleted from Attachment 1. The examples that follow on page
14 should also be deleted.
City of Garland
No
This report should follow exactly the OE-417 to avoid redundant, possible conflicting, and overall confusion in
reporting. Note: The table has entries that are in conflict with the OE-417 and thus can cause confusion in
filing multiple reports potentially causing an entity to violate Federal Law due to the confusion. By submitting
the same information on different timelines, i.e. one hour reporting under OE-417 and 24 hours under this
Standard, the reports may be significantly different causing confusion from differing reports of the same
event. Although we prefer the events to match the OE-417 events exactly, if the SDT decides to include a
separate events table we make the following suggestions:
Energy Emergency requiring system-wide voltage reduction: should be reportable at 5% not 3% voltage
reduction. The standard should clearly state this was applicable for BES energy emergency conditions only,
not voltage reductions for other reasons.
On voltage deviations: it should be clear that this applies to widespread effects on the BES not a single
distribution feeder that has a low voltage.
For the Frequency deviation: Did not see a definition for the FTL (frequency trigger limit)
Generation loss: the reportable loss of generation should be significantly more than 500 MW. The
number of units at the location is irrelevant. Ten units at 50 MW each is no more critical than a single 500 MW
unit. Under this standard, if the plant with ten 50 MW units trips it is reportable but an 800 MW single unit is
not reportable. The trip of the 800 MW unit has much more effect on the system reliability.
Damage or destruction of BES equipment: Should be limited to specific equipment such as a 765 kV
autotransformer not a 138 kV lightning arrestor. This needs to be eliminated or significantly limited as to the
equipment type that is reportable.
Consolidated Edison Co. of NY, Inc.
No
It is absolutely essential that the work on EOP-004 and that on the NERC Event Analysis Process (EAP) be
fully coordinated. We find that there are a number of inconsistencies between these two documents. The EAP
and EOP-004 are not aligned. In order to operate and report effectively entities need consistent
requirements.
Attachment 1
Frequency Deviations - The term “Frequency Trigger Limit (FTL)” is not defined.
Only defined terms should be used, or the term should be defined. If the term is defined in another standard it
should be moved to the Glossary of Terms for wider use.
Loss of Firm load for 15 Minutes - The text under the rightmost column entitled, Time to Submit Report,
appears to be incomplete in our copy.
Transmission loss and Damage or destruction of BES equipment - At the end of the wording for both under the
column entitled “Threshold for Reporting” add the words “that significantly affects the integrity of
interconnected system operations.”
Examples - Capitalize “Critical Asset” as this is a defined term.
Constellation Power Generation and Constellation Commodities Group
No
Constellation Power Generation and Constellation Commodities Group questions why the generation loss line
item includes generating facilities of 5 or more generators with an aggregate of 500 MW or greater? The
number of units makes no difference for reporting, as is evident in the generation thresholds written before
this inclusion. The examples of damaged or destroyed BES equipment are confusing, and do not clarify the
reporting event. What if a GSU at a small plant (20 MW) were to fail? Is that reportable? Constellation Power
Generation believes that equipment failures that are not suspicious do not need to be reported. Finally,
Constellation Power Generation and Constellation Commodities Group believes that the “loss of offsite power
affecting a nuclear generation station” should be removed for the following reasons:
1) The purpose of this reliability standard is stated as being: “Responsible Entities shall report impact events
and their known causes to support situational awareness and the reliability of the Bulk Electric System (BES).”
While the “situational awareness” portion of the purpose could be interpreted as all-inclusive, the real element
deals with BES reliability. Off-site power sources to nuclear units have nothing to do with BES reliability. Why
should nuclear units be treated differently?
2) The issue of concern for a loss of offsite power at a nuclear station is continued power supply (other than
emergency diesels) to power equipment to cool the reactor core. A nuclear unit automatically shuts down
when off-site power supply is lost. Availability of off-site power is a reactor safety concern (i.e., NRC
regulatory concern and a one-hour report to the NRC) - not a reliability concern that FERC/NERC would have
jurisdiction over.
3) There is a nuclear-specific reliability standard (NUC-001) that contemplated off-site power availability.
That standard contained no reporting requirements outside of those that may be already established in
current procedures. Why try to impose one here?
4) A loss of offsite power will result in an emergency declaration at the nuclear facility. Notifications will be
made to federal (NRC), state, and local authorities. The control room crew is already overly-burdened with
notifications - any additional call to NERC/Regional Reliability orgs will add insult-to-injury for no beneficial
reason. If NERC is interested, they should obtain info from NRC.
5) If all else fails and the item is to remain on the table, it needs to be clarified as a “complete” loss of off-site
power lasting greater than X minutes (i.e., would we have to report a complete momentary loss that was
rectified in short order by an auto-reclose or quick operator action?).
Duke Energy
No
o General Comment - many timeframes in Attachment 1 are within one hour. This is inconsistent with the
stated aim of the standard, which is after-the-fact reporting, as opposed to real-time operating notifications
under RCIS and other standards (e.g. TOP). This standard should not be structured to require another layer
of real-time reporting.
o Voltage Deviation - Plus or minus 10% of what voltage?
o Frequency Deviation - this is Interconnection-wide. Do you really want a report from every RC and BA in the
Eastern Interconnection??
o Transmission Loss - “Multiple BES transmission elements” should be changed to “Three or more BES
transmission elements”. Also, the time to submit the report should be based upon 24 hours after the
occurrence is identified.
o Damage or destruction of BES equipment - need clarity on the “Examples”. Is the
intent to report an event that meets any one of the four “part a.” sub-bullets? i. - critical asset should be
capitalized. Disagree with the phrase “has the potential to result” in section iii. - it should just say “results”.
Section iv. is too wide open. It should instead say “Damaged or destroyed with malicious intent to disrupt or
adversely affect the reliability of the electric grid.”
o Unplanned Control Center evacuation - see our General Comment above. Clearly in this case the reporting
individuals are evacuating and cannot report in one hour. 24 hours should be more than adequate for
after-the-fact reporting.
o Fuel Supply Emergency, Loss of off-site power, and Loss of all monitoring or voice communication capability -
see our General Comment above. Time to report should be 24 hours after occurrence is identified.
o Forced intrusion, Risk to BES equipment, Detection of a cyber intrusion to critical cyber assets - time to
report should be 24 hours after occurrence is identified, and critical cyber assets should be capitalized.
Dynegy Inc.
No
A 2000 MW loss needs to be more clearly defined by either the BA, ISO, RC, etc. for the applicable
entity. Also, what is the distinction between the "damage or destruction of BES equipment" and the generation
loss of >= 2000 MWs if it is a Critical Asset which is currently drafted as those greater than 1500 MW in
current draft of CIP-002-4. This could lead to 2 events with different thresholds (i.e. 1500 MW and 2000
MWs). Possibly get rid of the 2000MW criteria and let the threshold level be the same as the Critical Asset
MW level. Or remove the Critical Asset threshold in the footnote to Attachment 1.
E.ON Climate & Renewables
No
1. Voltage deviation events are too vague for GOP. How does voltage deviations apply to GOP’s or
specifically renewables i.e., wind farms? 2. Define what an “entity” is. 3. Define what a “generating station” is.
4. Define what a “BES facility” is. 6. Define what a control center is.
Electric Market Policy
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable
entity to report the event. This is duplicative and would appear to overburden the reporting system. 2) Loss
of off-site power (grid supply) reporting for nuclear plants is duplicative of reporting done to satisfy NRC
requirements. Given the activity at a nuclear plant during this event, this additional reporting is not desired.
3) Cyber intrusion remains an event that would need to be reported multiple times (e.g., this standard,
OE-417, NRC requirements, etc.). 4) Since external reporting for other regulators (e.g., DOE, NRC, etc.) remains
an obligation of the Applicable Entity, suggest that Attachment 1 only contain impact events as defined in the
current version of EOP-004.
ERCOT ISO
No
ERCOT ISO requests the reporting timeframes be changed to reflect a 24 hour requirement for all events in
Attachment 1. During an impact event, operating personnel are generally involved in event resolution and not
available immediately to submit reports. ERCOT ISO requests that the “Detection of a cyber intrusion to a
critical cyber asset” be removed. There are established processes defined for incident response supporting
CIP-008. By including this element in Attachment 1, the Operating requirement R2 would also require
procedure documents for cyber security incident response. This would be redundant and would remove the
responsibility away from the subject matter experts for cyber security incident response.
Exelon
No
The listed Impact Events is lacking specific physical security related events. In general, all impact events
need to be as explicit as possible in threshold criteria to eliminate any interpretation on the part of a reporting
entity. Ambiguity in what constitutes an "impact event" and what the definition of "occurrence" is will
ultimately lead to confusion and differing interpretations.
FirstEnergy
No
1. The table in Att. 1 and the requirements should alleviate the potential for duplicate reporting. For example,
If the RC submits a report regarding a Voltage deviation in its footprint, the report should be submitted by the
RC on behalf of the RC, TOP, and GOP, and not require the TOP and GOP to submit duplicate reports.
2. Regarding the "Note" before the table - We agree that under certain conditions it is not possible to issue a
written report in a given time period. However, the ERO and RE should also be required to confirm receipt of
the verbal communication in writing to prove that the entity communicated the event as these verbal
notifications may be done by an entity using an unrecorded line.
3. Organizations with many registered entities should be permitted to submit one report to cover multiple
entities under one parent company name. We suggest this be made clear in the Tables, the reporting form, and
in the requirements.
4. Voltage Deviations Event - We suggest the team provide more clarity with regard to the types and locations
of voltage deviations that constitute an event.
5. Examples of BES Equipment in Part A of "Actual Reliability Impact" Table - Is the phrase "critical asset"
referring to the CIP defined term? If so, this should be capitalized.
6. Under the "Time to Submit Report" column of the table, we suggest that all of the phrases end in "after
identification of the occurrence".
7. Frequency Trigger Limit (FTL) for the Frequency Deviation event should be replaced with the
values the FTL represent. The FTL is part of the BAAL Standards which have not been approved by the
industry and are not in effect. It is possible that these terms are not used by those not participating in the field
trial of the BAAL standards.
Great River Energy
No
Comments: Please provide a phone number and provision within the Note of EOP-004 - Attachment 1: Impact
Events table for an entity to contact NERC if unable to contact NERC within the time described. Voltage
Deviations - recommend adding the word “(continuous)” after sustained in Threshold column. This could be
interpreted as an aggregate value over any length of time. Frequency deviations - recommend adding the
word “(continuous)” after 15 minutes’ in Threshold column. This could be interpreted as an aggregate value
over any length of time. CIP-008 R1.3 states the entity is to report Cyber Security Incidents to the ES_ISAC.
Does the EOP-004 Attachment 2 fulfill this requirement? We request clarification on the Transmission Loss
threshold events that constitute reporting. We also want clarification on what constitutes the loss of a DC
Converter station and is there a time duration that constitutes the need for reporting or does each trip need to
be reported? For example during a commutation spike the DC line could be lost for less than a minute. Does
this loss require a report to be submitted? Is the SDT stating that each time a company loses their DC line,
they are required to file a report even though it may not have an effect on the bulk system? What is the
threshold for this loss? The SDT needs to clarify that duplicative reporting is not required and that only one
entity needs to report. For instance, the first three categories regarding energy emergencies could be
interpreted to require the BA and RC to both report. The reporting responsibilities in this table should be
clarified based on who has primary reporting responsibility for the task per the NERC Functional Model and
require only one report. For instance, since balancing load, generation and interchange is the primary
function of a BA per the NERC Functional Model, only the BA should be required to provide this report. The
term Frequency Trigger Limit (FTL) is not currently defined in the NERC Glossary. The term FTL needs to be
introduced at the beginning of the standard and defined as a new term.
Indeck Energy Services
No
Loss of off-site power is important to more than just nuclear plants--but which ones? Control centers or other
large generators. But not small generators! Should there be a common element to Attachment 1, like the
potential to cause a Reportable Disturbance, or maybe there need to be multiple criteria like that.
Independent Electricity System Operator
No
We do not support the 1 hour reporting time frames for Emergency Energy, System Separation, unplanned
Control Center evacuation, Loss of off-site power, Loss of monitoring or voice communication. Energy
emergency is broadcast on the RCIS which also goes to the ERO so its explicit reporting is not necessary
(System Operations please verify). During other events listed above, the responsible entities will likely be
concentrating their effort in returning the system to a stable and reliable state. Reporting to anyone not having
direct actions to control, mitigate and contain the disturbances is secondary to restoring the system to a
reliable state. Since these are after the fact reports for awareness and/or analysis and not for real-time
responses, these can be reported at a later time, up to 24 hours after the initial occurrence without any
detriment to reliability, or at the very earliest: up to 1 hour after the system has returned to a reliable state, or
after the backup control centre is fully functional, or after backup power is restored to the nuclear power plant,
or after monitoring or voice communication is restored.
IRC Standards Review Committee
No
We do not agree with the requirement to report “detection of a cyber intrusion to critical cyber assets” as this
creates a double jeopardy situation between CIP-008 and EOP-004-2 R2.6. We suggest that physical incident
reporting be part of EOP-004 and cyber security reporting be part of CIP-008.
ISO New England Inc.
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable
entity to report the event. This is duplicative and would overburden the reporting system. 2) Loss of off-site
power (grid supply) reporting for nuclear plants is duplicative of reporting done to satisfy NRC requirements.
Given the activity at a nuclear plant during this event, this additional reporting is not desired. 3) Cyber
intrusion remains an event that would need to be reported multiple times (e.g., this standard, OE-417, NRC
requirements, etc.). 4) Since external reporting for other regulators (e.g., DOE, NRC, etc.) remains an
obligation of the Applicable Entity, suggest that Attachment 1 only contain impact events as defined in the
current version of EOP-004. What are the examples at the bottom of page 14 supposed to illustrate? Critical
Asset should have the appropriate capitalization as being a defined term. Is Critical Asset what is intended to
be used here? Should the “a” list be read as ANDs or ORs? Does “loss of all monitoring communications”
mean “loss of all BES monitoring communications”? Does “loss of all voice communications” mean “loss of
all BES voice communications?” Are the blue boxes footnotes or examples? Does “forced intrusion” mean
“physical intrusion” (which is different from “cyber intrusion”)? Regarding “Risk to BES Equipment,” request
clarification of “non-environmental”. Regarding the train derailment example, the mixture of BES equipment
and facility is confusing. Request clarification for when the clock starts ticking. Regarding “Detection of a cyber
intrusion to critical cyber assets”, there is concern that this creates a double jeopardy situation between
CIP-008 and EOP-004-2 R2.6. Suggest physical incident reporting be part of EOP-004 and cyber security
reporting be part of CIP-008.
Kansas City Power & Light
No
We agree with the event descriptions listed in Attachment 1 and the review and revision of the impact table by
the ERO is appropriately addressed in R7 but the time periods allowed to complete the new, longer
preliminary report are insufficient. The correlation of this with the timing of the reporting quarterly and annually
or pushing information for other entities' situational awareness does not allow the registered entity adequate
time to thoughtfully consider the event and proposed root cause.
Luminant Energy
No
The Impact Events Table might be easier to clarify if organized by Reporting Entity rather than Event Type as
events vary substantially based on the affected BES component. For example, a GO or GOP cannot
adequately determine if an event will significantly affect the reliability margin of the system or if an event
results in an IROL. Examples specific to Reporting Entities would assist in more appropriate report
submissions. Additionally, the footnote under examples of Damage or Destruction of BES Equipment, cites “A
critical asset”. This term must be clarified to indicate whether this refers to a Critical Asset as defined by
CIP-002-1. Finally, the Fuel Supply Emergency item requires additional definitions as neither a GO nor a GOP can
reasonably project if an individual fuel supply chain problem will result in the need for emergency actions by
the RC or BA.
MidAmerican Energy
No
New vague criteria in Attachment one such as “damage to a BES element through an external cause” or
“transmission loss of multiple BES elements which could mean two or more” is the opposite of clear standards
writing or results based standards.
Midwest ISO Standards Collaborators
No
Several categories require duplicate reporting. For instance, the first three categories regarding energy
emergencies could be interpreted to require the BA and RC to both report. The reporting responsibilities in
this table should be clarified based on who has primary reporting responsibility for the task per the NERC
Functional Model and require only one report. For instance, since balancing load, generation and interchange
is the primary function of a BA per the NERC Functional Model, only the BA should be required to provide this
report. As another option, perhaps the registered entity initiating the action should submit the report. If the
BA did not take action and the RC had to direct the BA to take action, one could argue that perhaps the RC
should submit the report then. However, if the BA takes action appropriately on their own, the BA should
submit it. If the TOP reduces voltage for a capacity and energy emergency per a directive of the BA, then the
BA should report the event.
MRO's NERC Standards Review Subcommittee
No
Please provide a phone number and provision within the Note of EOP-004 - Attachment 1: Impact Events
table for an entity to contact NERC if unable to contact NERC within the time described. Voltage Deviations -
recommend adding the word “(continuous)” after sustained in Threshold column. This could be interpreted as
an aggregate value over any length of time. Frequency deviations - recommend adding the word
“(continuous)” after 15 minutes’ in Threshold column. This could be interpreted as an aggregate value over
any length of time. CIP-008 R1.3 states the entity is to report Cyber Security Incidents to the ES_ISAC. Does
the EOP-004 Attachment 2 fulfill this requirement?
Nebraska Public Power District
No
Since the reporting under this standard is for after the fact reporting, the minimum time to report should be the
end of the next business day. The combination of the extremely short time periods to file a report and the
amount of detail required in attachment 2 will lead to a reduction in the reliability of the BES. System
Operators will be forced to take focus off their primary responsibility to respond to the event in order to
complete the report within the required timeframe (within an hour for some events). During non-business
hours the only personnel available to complete the reports will be those responsible for real-time operation of
the BES. Since the background indicates this standard is only for after the fact reporting, the minimum
required time to submit the report should be one business day to permit completion of the report without
distracting from the real-time operation of the BES. Real-time reporting requirements are covered in other
standards and should be to the Reliability Coordinator and from the Reliability Coordinator to NERC. For after
the fact reporting, there is absolutely no reliability benefit for requiring reporting to be completed on such a
short timeframe. This is especially true due to the amount of data required by Attachment 2.
NERC Staff
No
The SDT should clarify its use of the term “critical asset” in the Examples section under Part A of the table.
The term or versions of the term are used in different contexts in the NERC Reliability Standards. For
instance, in CIP-002-1, Requirement 1, the Critical Asset Identification Method is used to identify its critical
assets. In EOP-008-0, Requirement 1.3, the applicable entity is required to list its “critical facilities” in its
contingency plan for the loss of control center functionality. The team should confirm what it is referring to in
this proposed standard. To avoid confusion, the SDT may want to consider using a different term here or
better clarify its meaning. Further, there exists the potential to have disparate reporting criteria in this
proposed standard relative to the criteria being proposed by the Events Analysis Working Group as part of the
Events Analysis Process document dated October 1, 2010. In particular, the following areas should be
reconciled between the drafting team and the EAWG to ensure a consistent set of threshold criteria:
Voltage Deviations -- EOP-004-2: Greater than or equal to 15 minutes -- EAWG Process: Greater than or equal to 5 minutes
System Separation (Islanding) -- EOP-004-2: Greater than or equal to 100 MW -- EAWG Process: Greater than or equal to 1000 MWs
System Separation (Islanding) -- EOP-004-2: Does not address intentional islanding as in the case of Alberta, Florida, New Brunswick -- EAWG Process: Addresses intentional islanding as in the case of Alberta, Florida, New Brunswick
SPS/RAS -- EOP-004-2: Does not expressly address proper SPS/RAS operations or failure, degradation, or misoperation of SPS/RAS -- EAWG Process: Expressly addresses proper SPS/RAS operations or failure, degradation, or misoperation of SPS/RAS
Transmission Loss -- EOP-004-2: Identifies Multiple BES transmission elements -- EAWG Process: Provides specificity in Category 1a and 1b regarding transmission events
Damage or destruction of BES equipment -- EOP-004-2: Through operational error, equipment failure, or external cause but not linked to loss of load -- EAWG Process: Identifies in Category 2h equipment failures linked to loss of firm system demands
Forced intrusion -- EOP-004-2: Addressed -- EAWG Process: Not addressed
Risk to BES equipment -- EOP-004-2: Addressed -- EAWG Process: Not addressed
Detection of a cyber intrusion to critical cyber assets -- EOP-004-2: Addressed --
EAWG Process: Not addressed
North Carolina Electric Coops
No
This list is too similar and redundant to the DOE requirements and does not provide any additional clarity on
recognition of sabotage.
Northeast Power Coordinating Council
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable
entity to report the event. This is duplicative and would overburden the reporting system. 2) Loss of off-site
power (grid supply) reporting for nuclear plants is duplicative of reporting done to satisfy NRC requirements.
Given the activity at a nuclear plant during this event, this additional reporting is not desired. 3) Cyber
intrusion remains an event that would need to be reported multiple times (e.g., this standard, OE-417, NRC
requirements, etc.). 4) Since external reporting for other regulators (e.g., DOE, NRC, etc.) remains an
obligation of the Applicable Entity, suggest that Attachment 1 only contain impact events as defined in the
current version of EOP-004. What are the examples at the bottom of page 14 supposed to illustrate? Critical
Asset should have the appropriate capitalization as being a defined term. Is Critical Asset what is intended to
be used here? Should the “a” list be read as ANDs or ORs? Does “loss of all monitoring communications”
mean “loss of all BES monitoring communications”? Does “loss of all voice communications” mean “loss of
all BES voice communications?” Are the blue boxes footnotes or examples? Does “forced intrusion” mean
“physical intrusion” (which is different from “cyber intrusion”)? Regarding “Risk to BES Equipment,” request
clarification of “non-environmental”. Regarding the train derailment example, the mixture of BES equipment
and facility is confusing. Request clarification for when the clock starts ticking. Regarding “Detection of a cyber
intrusion to critical cyber assets”, there is concern that this creates a double jeopardy situation between
CIP-008 and EOP-004-2 R2.6. Suggest physical incident reporting be part of EOP-004 and cyber security
reporting be part of CIP-008.
Pacific Northwest Small Public Power Utility Comment Group
No
Footnote 1 is missing from Part A, although it is referenced in column 1 row 11. Is this the Examples? The
purpose of the Examples is unclear. Is it meant to limit the scope to those enumerated? This is not stated, but
if not it should be removed since it adds confusion. What is meant by non-environmental? All external causes
of damage or destruction come from the environment by definition. Please specify what is intended or remove
the word.
PacifiCorp
No
Energy Emergency requiring firm load shedding - An SPS/RAS could operate shedding firm load but no
Energy Emergency may exist. This requires clarification. Transmission Loss - Multiple BES transmission
elements. Loss of two transmission lines in the same corridor due to a wildfire could qualify for this reporting.
Once again clarification needed.
Pepco Holdings, Inc - Affiliates
No
Some items with one hour reporting (such as Unplanned Control Center evacuation) may be so disruptive to
operations that one hour is too short. 4 hours suggested.
PPL Electric Utilities
No
While we think providing an impact event list is beneficial, we would like to see Attachment 1 revised and/or
clarified. Refer to response to Question 2 considering duplicate reporting. Regarding impact event ‘Damage
or destruction of BES equipment’ and considering the first example in the ‘Examples’ section, does ‘example
a. i.’ mean if the BES equipment that is damaged is not identified as a critical asset per CIP-002 that no
reporting is required? Clarify the Part A and Part B, specifically: Attachment 1 Part A is labeled ‘Actual
Reliability Impact’. Does this title mean that for all events listed that the ‘threshold for reporting’ is only met if
the event occurs AND there is an actual reliability impact? As opposed to Part B where the threshold for
reporting is met when the event occurs and there is a potential for reliability impact? This could be broad for
event ‘risk to BES equipment’.
Providing as much clarity as possible on the ‘threshold for reporting’ is
beneficial to the industry and will help eliminate confusion with the existing CIP-001 standard regarding
‘potential sabotage’.
PPL Supply
No
Attachment 1 Part A is labeled "Actual Reliability Impact". Does this title mean that for all events listed the
"threshold for reporting" is only met if the event occurs AND there is an actual reliability impact? As opposed
to Part B where the threshold for reporting is met when the event occurs and there is a potential for reliability
impact? This could be broad for events like "Risk to BES equipment."
PSEG Companies
No
For many items, there are multiple entities listed with reporting obligations. For example, loss of off-site
power to a nuclear plant lists RC, BA, TOP, TO, GO and GOP. This appears to result in the potential for the
sending of 6 separate reports within the hour for the same event, which in wide area disturbances overload
the recipients. The drafting team should consider revising the lists where possible to a single, or absolute
minimum number, entity. Those items reportable OE-417 should be removed from Attachment 1. For
example, voltage reduction, loss of load for greater than 15 minutes. The trigger for voltage reduction should
be the time of issuance of the directive to reduce voltage in an emergency, not when "identified."
Puget Sound Energy
No
The proposed standard does not adequately ensure that the impact events subject to its requirements are
limited to those listed in Attachment 1. In order to ensure that this is true, the term “impact event” should be a
defined term and that definition should clearly limit impact events to those listed in Attachment 1.
Santee Cooper
No
The SDT should review the list of events closely to determine if the defined events actually impact the BES.
(For example: Is shedding 100 MW of firm load really a threat to the BES?)
SERC OC Standards Review Group
No
Will all reporting requirements be removed from other standards to avoid duplication? And will all future
standard revisions include revisions to this standard to incorporate associated reporting requirements? There
is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
Southern Company - Transmission
No
The time to submit report column needs to be more flexible with time frames. The Entity with Reporting
Responsibility column needs to be more descriptive in which there are multiple entities with hierarchy
reporting.
United Illuminating
No
UI agrees but the listing needs to be improved for clarity in certain instances. For example, EOP-004
Attachment 1 Part A - Example iii - uses the phrase “significantly affects the reliability margin of the system.”
Significantly is an immeasurable concept and does not provide guidance to the Entity. The phrase “reliability
margin” is not defined and is open to interpretation. Perhaps utilize “resource adequacy”, if that is all that is
intended, or use “adequate level of reliability”.
US Bureau of Reclamation
No
The Attachment is very vague and without modification creates a Pseudo definition of BES equipment in the
example provided. The example now indicates that something is BES equipment if it is "Damaged or
destroyed due to a non-environmental external cause". Perhaps the example should be reworded to "BES
equipment whose operation effects or causes:" and then adjust each of the line items to clarify what was
intended. Next, the Attachment A example redefines reportable levels for Risk to BES Equipment - From a
non-environmental physical threat as "Report copper theft from BES equipment only if it degrades the ability
of equipment to operate correctly". Who makes that determination? Not all events will be known within 24
hours. As example, Risk to BES Equipment - From a non-environmental physical threat may not be known
until more thorough examination or investigation takes place. Also the reportable level appears to be defined
by the Entity. While we agree with that, we will end up with the same criticism from FERC when the level is set to
"high" in FERC's mind. The reporting times are unrealistic for complicated events. Notification is reasonable
but not reporting. Many organizations have internal processes the reports must be vetted through before
they become public and subject to compliance scrutiny.
We Energies
No
I did not compare this standard to the OE-417 form. Please do not require operators to fill out a second form
during an emergency within one hour. Energy Emergency requiring Public appeal...: “Public” is not a defined
term. Energy Emergency requiring system-wide voltage...: DP does not control BES voltage. Energy
Emergency requiring firm load shed...: TOP does not have load it would shed for an Energy
Emergency. Frequency Deviations: Why is a BA reporting? This will be every BA in the Interconnection
reporting the same Frequency Deviation. Frequency Deviations: Frequency Trigger Limit is not a defined
term, and is not defined in this standard. Loss of Firm Load...: TO and TOP may coordinate or direct load
shed, but they do not serve firm load. Damage or destruction of BES... There is no footnote 1 on this page. I
assume it is the examples on the page. Are these “examples” of a larger set or are these all that is required?
Critical Asset is a defined term. Forced Intrusion: “facility” or Facility? An RC and BA do not have Facilities.
Georgia System Operations
Corporation
Yes
We support the concept of Impact Events and listing and describing them in a table. However, we have some
concerns. Reporting of impact events should not be applicable to a DP. The timelines outlined in Attachment 1
should be targets to try to meet but it should not be a compliance violation of the reporting requirement if it is
not met. Regarding the NOTE before the table, verbal reports and updates should be allowed for other than
certain adverse conditions like severe weather as well as adverse conditions. The first priority for all entities
should be addressing the effects of the impact event. It may not be possible to assess the damage or the
cause of an impact event in the allotted time. All entities should make their best effort to quickly report under
any circumstances what they know about the event even if it is not complete. They should be allowed to
report up through a hierarchy. The written report should not be issued until adequate information is available.
Change "Preliminary Impact Event Report" to "Confidential Impact Event Report." Capitalization throughout
this table is inconsistent. Sometimes an event is all capitalized. Sometimes not. It is not in synch with the
NERC Glossary. All terms that remain capitalized in the next draft (other than when used as a title or heading)
should be defined in the Glossary of Terms Used in NERC Reliability Standards. Examples of
inconsistencies: Unplanned Control Center evacuation, Loss of off-site power, Voltage Deviations.
-Energy Emergency requiring a public appeal or a system-wide voltage reduction: All The NERC Glossary defines
Energy Emergency as a condition when a LSE has exhausted all other options and can no longer provide its
customers’ expected energy requirements. The events should not be described as an Energy Emergency
requiring public appeal or system-wide voltage reductions. If public appeal and system-wide voltage
reductions are still an option then all options have not been exhausted, the LSE can still provide its customers'
energy requirements, and it is not an Energy Emergency. We suggest using "Energy Emergency Alert" rather
than "Energy Emergency."
-Energy Emergency requiring firm load shedding: load shedding via automatic
UFLS or UVLS would not necessarily be due to an Energy Emergency. Other events could cause frequency
or voltage to trigger a load shed. Most likely an entity would be seeing the Energy Emergency coming and
would be using manual load shedding.
-Forced intrusion and detection of cyber intrusion to critical cyber
assets: CIP-008 is not referenced for a forced intrusion. CIP-008 is referenced for a detection of cyber
intrusion impact event. Aren't there reportable events per CIP-008 that involve physical intrusion that are not
intrusions at a BES facility?
-Risk to BES equipment: The threshold states that it is for a non-environmental
threat but the examples given are environmental threats. Please clarify.
Manitoba Hydro
Yes
Though R7 indicated Attachment 1 will be reviewed and revised regularly the immediate addition of: “Detection
of suspected or actual or acts or threats of physical sabotage” should be added.
City of Austin dba Austin Energy
Yes
Green Country Energy
Yes
Idaho Power Company
Yes
Pacific Gas and Electric Company
Yes
PacifiCorp
Yes
PNM Resources
Yes
RRI Energy, Inc.
Yes
TransAlta Corporation
Yes
11. Do you agree with the use of the Preliminary Impact Event Report (Attachment 2)? Please explain in the comment box
below.
Summary Consideration: Most commenters who responded to this question disagreed with some aspect of the Preliminary
Impact Event Report. The proposed Preliminary Impact Event Report (Attachment 2) generated comments regarding the duplicative
nature of the form when compared to the OE-417. The DSR SDT has added language to the proposed form to clarify that NERC will
accept a DOE OE-417 form in lieu of Attachment 2 if the responsible entity is required to submit an OE-417 form.
In collaboration with the NERC Event Analysis Working Group (EAWG) the DSR SDT proposes to modify the attachment to eliminate
confusion. This revised form will be used as Attachment 2 of the Standard and is the only required information for EOP-004-2
reporting. Further information may be requested through Events Analysis Process (NERC Rules of Procedure), but this information is
outside of the scope of EOP-004.
The DSR SDT has also clarified what the form is to be used for with the following language added:
“This form is to be used to report impact events to the ERO.”
Organization
Yes or No
Question 11 Comment
City of Austin dba Austin Energy
Austin Energy would like to see OE-417 incorporated into the electronic form. This will reduce the callout of
EOP-004-2 and OE-417 forms in our checklists / documents and one form can be submitted to NERC and
DOE.
Independent Electricity System
Operator
TBD
Ameren
No
It is unclear when this should be used, or why.
ATC
No
No. NERC does not have the authority to absolve the Functional Entities of the reporting obligations for the
DOE Form OE-417. Therefore, there will be duplicate reporting requirements and the one hour timeframes
required in Attachment 1 will take valuable resources away from mitigating the event to filling out duplicative
paperwork. It is ATC’s position that the OE-417 report be used as the main reporting template until NERC and
the DOE can develop a single reporting template. Task #14 in the report should be modified to say, “Identify
any known protection system misoperation(s).” If this report is to be filed within 24 hrs, there will not be
enough time to assess all operations to determine any misoperation. As a case in point, it typically takes at
least 24 hrs to receive final lightning data; therefore, not all data is available to make a determination.
ATCO Electric Ltd.
No
Attachment 2 Item 4 implies that an entity is required to analyse and report on an impact event that occurred
outside its system. This is not practical as the entity will not have access to the necessary information.
BGE
No
There is considerable difference between this form and OE-417 necessitating that two forms be completed.
BGE believes that the purpose of combining the standards was to reduce the number of reporting entities and
number of reports to be generated by each entity. BGE believes this fails to accomplish this purpose.
City of Garland
No
The report filed should be the OE-417 ELECTRIC EMERGENCY INCIDENT AND DISTURBANCE REPORT
and should be filed only on OE-417 reportable incidents. If this report is implemented as drafted, companies
with multiple registration numbers and functions should only have to file one report for all functions and
registrations.
Consolidated Edison Co. of NY,
Inc.
No
It is not clear why the DOE form cannot be used. NERC should make every effort to minimize paper work for
entities responding to system events.
Constellation Power Generation
and Constellation Commodities
Group
No
It is unclear if an entity has to answer all the questions. In addition, “Preliminary” is not currently included in
the report title.
Electric Market Policy
No
There is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
ERCOT ISO
No
ERCOT ISO requests the use of a single report format to meet all requirements from NERC and DOE. There
is no value added in requiring different reporting to different agencies.
Exelon
No
Exelon agrees with the use of the report but feels that # 5 should consist of check boxes. #12, 13, and 14 will
take more time than allotted by the reporting requirements to acquire, cannot be accomplished in an
hour. Attachment 2 should have a provision for the reporting entity to enter (N/A) based on function (see
below)
Check box #8 A GO/GOP may not have the information to determine what the frequency was prior to
or immediately after an impact event. This information should be the responsibility of a TOP or RC.
Check box #9 A GO/GOP may not have the information to determine what transmission facilities tripped and locked out.
This information should be the responsibility of a TO, TOP or RC.
Check box #10 A GO/GOP may not have the
information to determine the number of affected customers or the demand lost (MW-Minutes). This
information should be the responsibility of a TO, TOP, or RC.
Great River Energy
No
NERC and the DOE need to coordinate and decide on which report they want to use and whichever report it
is needs to include all information required by both entities. The way this standard is currently written there is
the potential that two government entities may need to be reported to in a relatively short period of time. It is
not clear what benefit providing the Compliance Registration ID number provides. Many of the registered
entities employees that will likely have to submit the report, particularly given the one-hour reporting
requirement for some impact events, will not be aware of this registration ID. However, they will know for
what functions they are registered. We recommend removing the need to enter this compliance registration
ID or extending the time frame for reporting to allow back office personnel to complete the form. For item two,
please change “Time/Zone:” with “Time (include time zone)”. As written it is a little confusing.
Idaho Power Company
No
There should only be one report, utilized OE-417
Indeck Energy Services
No
The form needs to identify whether it is a preliminary or final report. An identifier should be created to tie the
final to the preliminary one. Some fields, 1, 2, 3, 5 & 6, are required for the preliminary report and should be
labeled as such. With the 1 hour reporting deadline for some events, the details may not be known. 12 & 13
should be required for the final report. 13 should designate whether the cause is preliminary or final. 7-11 &
14 are optional, and the form should state this, and based on some types of events. It's confusing to have
irrelevant blanks on the form.
IRC Standards Review
Committee
No
Attachment 2 is not referenced in the standard requirements. Is it a part of the standard that an entity must
use to file the impact event reports to a specific recipient? If so, this needs to be referenced in the
standard. We question the need for using a fixed format for reports that vary from “shedding firm load” to
“damaging equipment”. The nature of impact events varies from one event to another and hence a fixed
format or pre-determined form may not be able to provide the appropriate template that is suitable for use for
all events. We urge the SDT to reconsider the use of Attachment 2 for reporting events, with due
consideration to the actual intent of the standard (as pointed out in our comments under Q1).
ISO New England Inc.
No
There is already a DOE requirement to report certain events. There is no need to develop redundant
reporting requirements to NERC that cross other federal agency jurisdictions. The heading on page 16 refers
to EOP-002, but this is Standard EOP-004. If some questions do not require an answer all of the time, then
the form should state that or provide a NA checkbox. While Attachment 1 details some cyber thresholds,
Attachment 2 provides no means to report - which is acceptable if cyber incidents are handled by CIP-008 per
the comment provided for Question 10. The Event Report Template in Appendix A is different from the most
recent version, which is available at:
http://www.nerc.com/docs/eawg/Event_Analysis_Process_WORKINGDRAFT_100110-Clean.pdf
Kansas City Power & Light
No
For easier classification and analysis of events for both external reporting to the ERO and internal reporting
for the applicable entity, the form should include Event Type. The DSR SDT should code each event type
and include the codes as part of Attachment 1.
Manitoba Hydro
No
Though a “Confidential Impact Event Report” is much needed the Attachment 2 needs refinement. Provide an
explanation for each “task”. Isolate and simplify the “Who, When and What” section. Isolate the description of
event. Remove items 7 to 10. Modify Attachment 1, add columns to indicate time of event, quantity, restore
time, etc as required. The Attachment 1 can be attached to Attachment 2. This could simplify and speed the
reporting process.
MidAmerican Energy
No
Midwest ISO Standards
Collaborators
No
This form differs from the DOE reporting forms. We do not believe different reporting forms should be
required. The DOE form should be sufficient for NERC reporting. It is not clear what benefit providing the
Compliance Registration ID number provides. Many of the registered entities employees that will likely have
to submit the report, particularly given the one-hour reporting requirement for some impact events, will not be
aware of this registration ID. However, they will know for what functions they are registered. We recommend
removing the need to enter this compliance registration ID or extending the time frame for reporting to allow
back office personnel to complete the form. For item two, please change “Time/Zone:” with “Time (include
time zone)”. As written it is a little confusing.
MRO's NERC Standards Review
Subcommittee
No
Number 4 of the reporting form does not take into consideration of potential impact events. Recommend that
“Did the impact event originate in your system?” to “Did the impact event originate or affect your system?”.
This will provide clarity to entities.
Nebraska Public Power District
No
If the standard requires submission of the report within an hour (which is not appropriate), there must be an
abbreviated form that can be quickly filled out by checking boxes and not require substantial narrative. The
existing form has too much free form text that takes time to enter and with the short timeframe for reporting
will distract the entities responsible for real-time reliability of the BES from that task by forcing them to
complete after the fact reports. It is unrealistic to expect entities to staff personnel to complete the reporting
24 x 7 for unlikely events, so the task will fall to System Operators who should be focusing on operating the
BES at the time of these events instead of providing after the fact reporting to entities that do not have
responsibility for real-time operation of the BES. Real-time reporting to the RC and/or BA is covered under
other standards and is necessary for the RC to have situational awareness, but is not covered under this
standard. The registered entities may report to the proper law enforcement entities when the situation
warrants, but again this form is not the appropriate way to handle that reporting requirement.
NERC Staff
No
Item 15: A one-line diagram should be attached to assist in the understanding and evaluation of the
event. Two additional items are recommended:
-- Ongoing reliability impacts/system vulnerability - this would capture areas where one is not able to meet operating reserves or is in an overload condition, below voltage limits, etc. in real-time
-- Reliability impacts with next contingency - this would capture potential impacts as outlined above with the next contingency.
North Carolina Electric Coops
No
There is already a DOE requirement to report certain events. NERC should not be developing redundant
reporting requirements when this information is already available at the federal level from other agencies.
Northeast Power Coordinating
Council
No
There is already a DOE requirement to report certain events. There is no need to develop redundant
reporting requirements to NERC that cross other federal agency jurisdictions. The heading on page 16 refers
to EOP-002, but this is Standard EOP-004. If some questions do not require an answer all of the time, then
the form should state that or provide a NA checkbox. While Attachment 1 details some cyber thresholds,
Attachment 2 provides no means to report - which is acceptable if cyber incidents are handled by CIP-008 per
the comment provided for Question 10. The Event Report Template in Appendix A is different from the most
recent version, which is available at:
http://www.nerc.com/docs/eawg/Event_Analysis_Process_WORKINGDRAFT_100110-Clean.pdf
Pacific Gas and Electric
Company
No
PG&E believes the report is duplicative to the OE-417 reporting criteria.
Pacific Northwest Small Public
Power Utility Comment Group
No
We found no “Preliminary Impact Event Report” in the posted draft standard, so we assume the question is
regarding the “Confidential Impact Report” (Attachment 2). It is unclear what role the form plays, since no
requirement refers to it. If this is the form to report impact events per R6, then R6 should reference it. The
comment group cautions that the use of the word “confidential” should be carefully considered, since many
filled out forms that originally contained the word are now posted on the NERC website for all to see. If there
are limits to the extent and/or duration of the confidentiality this should be clearly stated in the form, or the
word should be avoided. Protection System misoperation reporting is already covered by PRC-004. Including
it here is redundant, and doubly jeopardizes an entity for the same event.
PacifiCorp
No
As previously mentioned all effort should be made to ensure duplicate reporting is not required. OE-417
requirements should be covered by this one form.
Pepco Holdings, Inc - Affiliates
No
The list of events misses many items considered as suspicious or potential sabotage, such as suspicious
observation of critical facilities.
PNM Resources
No
PNM believes the report is duplicative to the OE-417 reporting criteria.
PSEG Companies
No
The top of this form should have the following statement added: "This form is not required if OE-417 is
required to be filed."
Puget Sound Energy
No
Attachment 2 is not referenced in the requirements of the proposed standard. As a result, it is not clear when
its submission would be required.
Santee Cooper
No
If the DOE form is going to continue to be required by DOE, then NERC should accept this form. Entities do
not have time to fill out duplicate forms within the time limits allowed for an event. This is burdensome on an
entity.
SERC OC Standards Review
Group
No
There is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
TransAlta Corporation
No
We recommend the ‘time to Submit Report’ to start when the event is recognized versus when it occurred.
United Illuminating
No
The standard does not appear to require the use of Attachment 2. Placing the form within the Standard may
require the use of the Standards Development Process to modify the form. UI suggests the form is
maintained outside the Standard to allow it to be adjusted. UI would prefer NERC to establish an internet
based reporting tool to convey the initial reports.
US Bureau of Reclamation
No
There is already a reporting form for disturbances. The SDT should reconcile this standard with all the other
reporting that is being requested and not add more.
We Energies
No
The data required to assess an impact event thoroughly will often not be available or apparent. Immediate
reporting should fall to the RE with assistance/information from the affected entities. There do not seem to be
provisions for when it is impossible to take the time to fill out a form or when it is impossible to send a form. I
did not compare this standard to the OE-417 form. Please do not require operators to fill out a second form
during an emergency within one hour.
WECC
No
The report is duplicative to the OE-417 reporting criteria.
Bonneville Power Administration
Yes
Item 8: list Hz minimum on the second line prior to Hz max since that is the typical frequency excursion
order. The Operating Plan is going to have to include the Compliance Registration ID number, since Operating
Personnel don’t carry that information around and it is not readily available.
Duke Energy
Yes
However, Attachment 2 is titled “Impact Event Reporting Form”.
E.ON Climate & Renewables
Yes
Suggestions on the form: if an entity has not had time to fully determine the cause of an Impact Event such as
for “Question # 4: Did the impact event originate in your system, yes or no?”, perhaps more time is needed
than 24 hours to determine the cause.
FirstEnergy
Yes
Although we agree with the report, it should be clear that organizations with many registered entities can
submit one report to cover multiple entities under one parent company.
Georgia System Operations
Corporation
Yes
We support having one form for reporting however every applicable entity should not be required to fill it out
and send it to NERC. See previous comments about hierarchical reporting. The title of the report is
"Confidential Impact Event Report." Some suggested modifications: The form could have a blank added to
enter the event "description" as described in the first column of Attachment 1. The first seven lines contain
information that would most likely be filled out every time. The other lines except line 13 may or may not be
applicable every time. It is required (R3) for an entity to access the initial probable cause of all impact events
so line 13 will most likely be filled out every time. Please move the probable cause line up to line 7 or 8
(depending on if the event description line is added).
PPL Electric Utilities
Yes
Arizona Public Service Company
Yes
Dynegy Inc.
Yes
Green Country Energy
Yes
Luminant Energy
Yes
PacifiCorp
Yes
PPL Supply
Yes
Question 11 Comment
For ease, timeliness, and accuracy of reporting an application with an easy to use interface would be
preferred. If the reporting is done via an application, the ability to enter partial data, save and add additional
info prior to submission would be helpful. Additionally, an application with drop downs to select from for
impact event, NERC function, etc would be helpful. #1 - Is the ‘Compliance Registration ID number’ the same
as the NCR number? If this is required, include as separate entry. #2 - is this the date of occurrence or
detection?
RRI Energy, Inc.
Yes
Southern Company Transmission
Yes
12. The DSR SDT has replaced the terms “disturbance” and “sabotage” with the term “impact events”. Do you agree that the term
“impact events” adequately replaces the terms “disturbance” and “sabotage” and addresses the FERC directive to “further define
sabotage” in an equally efficient and effective manner? Please explain in the comment box below.
Summary Consideration: There was no consensus amongst commenters who responded to this question. Several commenters
expressed concern that the definition should be added to the glossary. The DSR SDT has proposed a definition for “Impact Events”
to support Attachment 1 as follows:
“An Impact Event is any event that has either impacted or has the potential to impact the reliability of the Bulk Electric
System. Such events may be caused by equipment failure or mis-operation, environmental conditions, or human action.”
The DSR SDT has proposed this definition for inclusion in the NERC Glossary for “Impact Event”. The types of Impact Events that are
required to be reported are contained within Attachment 1. Only these events are required to be reported under this Standard.
Several commenters expressed concern that the team did not define ‘Sabotage’ and FERC directed that the modifications to this
standard include a definition of sabotage. The DSR SDT considered the FERC directive to “further define sabotage” and decided to
eliminate the term sabotage from the standard. The team felt that it was almost impossible to determine if an act or event was that
of sabotage or merely vandalism without the intervention of law enforcement after the fact. This will result in further ambiguity
with respect to reporting events. The term “sabotage” is no longer included in the standard and therefore it is inappropriate to
attempt to define it. The Impact Events listed in Attachment 1 provide guidance for reporting both actual events as well as events
which may have an impact on the Bulk Electric System. The DSR SDT believes that this is an equally effective and efficient means of
addressing the FERC Directive.
Some commenters were concerned that some of the events that require reporting that were specifically listed in the previous
version of the standard are not included in the revised standard. Attachment 1, Part A is to be used for those actions that have
impacted the electric system and in particular the section “Damage or destruction to equipment” clearly defines that all equipment
that intentional or non intentional human error be reported. Attachment 1, Part B covers the similar items but the action has not
fully occurred but may cause a risk to the electric system and is required to be reported.
Organization
Yes or No
Question 12 Comment
Bonneville Power Administration
The definition of an impact event in EOP-004-2 seems clear, however the term "mis-operation" still may imply
intent in the action of an individual. The SDT should consider further defining that term.
Independent Electricity System
Operator
We do not have a view on what name is assigned to the reportable events for so long they are listed in
Attachment 1. However, the heading of the Table contains the words “Actual Reliability Impact”, which does
not accurately reflect the content inside the table and which may introduce confusion with the term “impact
event”. We suggest to change them to “Reportable Impact Events”. As we read the Summary of Concept and
Assumption, there appears to be a slightly different lists at the bottom of P. 21. With these events included,
the meaning of “impact event” would seem to be too broad. Rather than calling those events listed in
Attachment 1 “impact events”, why not simply call them “reportable events”?
CenterPoint Energy
No
CenterPoint Energy does not agree that the term “impact event” adequately replaces “disturbances” and
“sabotage”. CenterPoint Energy suggests that just as the SDT has come to consensus on a concept for
impact event, a definition could be derived for sabotage. “Potential”, as used in the SDT’s concept, is a vague
term and indicates an occurrence that hasn’t happened. Required reporting should be limited to actual events.
CenterPoint Energy offers the following definition of “sabotage”: “An actual or attempted act that intentionally
disrupts the reliable operation of the BES or results in damage to, destruction or misuse of BES facilities that
result in large scale customer outages (i.e. 300MW or more).”
City of Garland
No
1. In keeping with a Results Based Standard, the impact event should be a trigger for filing a report. At the
time of the event, one may not know if the event was caused by sabotage. Sabotage that does not affect the
BES should not be a reportable event.
2. To comply with the Commissioners request to define sabotage, Impact Event does not adequately replace
“sabotage”. If someone reports sabotage, people universally have a concept that someone(s) have taken
some type of action to purposely harm, disable, cripple, etc something. Impact Event does not convey that
same concept.
3. If Sabotage is left as a “trigger,” it should not include minor acts of vandalism but only acts that impact
reliability of the BES
Consolidated Edison Co. of NY,
Inc.
No
The definition is open for interpretation beyond events identified in Attachment 1. In addition, all Standards
are supposed to have Rationales. In the Draft Standard, the Rationales do not address the concept of
Potential, and how it relates to an actual system event. Additional work needs to be done addressing the
meaning of “potential”.
Duke Energy
No
We disagree with the stated concept of “impact event”. Including the phrase “or has the potential to
significantly impact” in the concept makes it impossibly broad for practical application and compliance. By not
attempting to define “sabotage”, the standard creates a broad reporting requirement. “Disturbance” is already
adequately defined. “Sabotage” should be defined as “the malicious destruction of, or damage to assets of
the electric industry, with the intention of disrupting or adversely affecting the reliability of the electric grid for
the purposes of weakening the critical infrastructure of our nation.”
Dynegy Inc.
No
The term is fine but FERC wants more specific examples. GO/GOP can't determine the effect on the BES.
E.ON Climate & Renewables
No
Acts of Sabotage is still not defined and if the registered entities are required to report acts of sabotage,
NERC still needs to define this further.
ERCOT ISO
No
Exelon
No
Need to better define sabotage and provide examples, the term “impact events” creates confusion as to what
constitutes an event. The definition of impact event is vague and needs to be quantified or qualified with a
term such as “significant”. Otherwise, almost any event could be deemed to be an impact event. Attachment
1 needs to clearly define that damage or destruction of BES equipment does not include cyber sabotage.
Events related to cyber sabotage are reported in accordance with CIP-008, "Cyber Security - Incident
Reporting and Response Planning," and therefore any type of event that is cyber initiated should be removed
from this Standard. In general, all impact events need to be as explicit as possible in threshold criteria to
eliminate any interpretation on the part of a reporting entity. Ambiguity in what constitutes an "impact event"
and what the definition of "occurrence" is will ultimately lead to confusion and differing interpretations.
FirstEnergy
No
For the most part we support this definition of impact events. However, we have the following suggestions: 1.
We believe that it warrants an official NERC glossary definition. 2. The term "potential" in the definition should
point to the specific events detailed in Attachment 1 Part B. 3. Since the standard does not cover
environmental events, the phrase "environmental conditions" in the definition is not an impact event in the
context of this standard.
Great River Energy
No
We believe the SAR scope regarding addressing sabotage has not been addressed at all. It appears that
impact event essentially replaces sabotage. This standard needs to make it clear that sabotage, in some
cases, cannot be identified until an investigation is performed by the appropriate policing agencies such as
the FBI. Intent plays an important role in determining sabotage and only these agencies are equipped to
make these assessments.
Green Country Energy
No
Yes and no ... Yes impact events is an adequate term however since it is restrained by the tables it may be
helpful to define the term and scope of the term to be more inclusive of sabotage events.
Indeck Energy Services
No
Impact Events is OK. It needs to be balloted as a definition for the Glossary like Protection System.
IRC Standards Review
Committee
No
This term and the FERC directive do not recognize limitations in what a registered entity can do to determine
whether an act of sabotage has been committed. This term should recognize law enforcement’s and other
specialized agencies’, including international agencies’, role in defining acts of sabotage and not hold the
registered entity wholly responsible to do so.
ISO New England Inc.
No
The use of the term “impact events” has simply replaced the terms “disturbance” and “sabotage”, and has not
further defined sabotage as directed by FERC. We do feel that “impact events” needs to be a defined term.
While we agree with the SDT’s new direction, the FERC directive has not been met. This term and the FERC
directive do not recognize limitations in what a registered entity can do to determine whether an act of
sabotage has been committed. This term should recognize law enforcement and other specialized agencies,
including international agencies roles in defining acts of sabotage, and not hold the registered entity wholly
responsible to do so.
Luminant Energy
No
The term “Impact Event” does not adequately replace the term “Sabotage” The Impact Events table seems to
provide the definition of the term “Impact Event”. This table does not include sufficient definition for actual
sabotage events. Additionally, it does not include any provision for suspected sabotage events. Assuming the
Damage or Destruction of BES Equipment event type is intended to cover actual sabotage, the Threshold for
Reporting column should include specific levels of materiality that are specific to Functional Entity. For
instance, a GO and GOP could have a MW level to define materiality as a GO or GOP cannot assess impact
to an IROL or system reliability margin due to equipment damage. A threshold value consistent with
“Generation Loss” in the proposed EOP-004 Attachment 1 would be appropriate.
Manitoba Hydro
No
The majority of the items listed in Attachment 1 are typically and historically operating events. Yes these are
all “impact events”. Sabotage, cyber and security are typically viewed as separate events. These events are
not part of “a typical day of BES operations”. These are outside event and though qualify as “impact events”
should still be treated separately.
Midwest ISO Standards
Collaborators
No
We believe the SAR scope regarding addressing sabotage has not been addressed at all. It appears that
impact event essentially replaces sabotage. This standard needs to make it clear that sabotage, in some
cases, cannot be identified until an investigation is performed by the appropriate policing agencies such as
the FBI. Intent plays an important role in determining sabotage and only these agencies are equipped to
make these assessments.
NERC Staff
No
NERC staff is concerned with the ambiguity of the term “impact event.” The definition of the term is not clear,
in part because it includes using the words “impact” and “event” (and thus violates the frowned-upon practice of
using a word to define the word itself). NERC staff recommends the SDT consider using the term “Event.” The
following definition (modified from the one used in the INPO Human Performance Fundamentals Desk
Reference, P. 11) would apply: Event: “An unwanted, undesirable change in the state of plants, systems or
components that leads to undesirable consequences to the safe and reliable operation of the Bulk Electric
System.” Supporting statement following the definition: “An event is often driven by deficiencies in barriers
and defenses, latent organizational weaknesses and conditions, errors in human performance and factors,
and equipment design or maintenance issues.” Further, if this is intended for use in this standard, it should be
presented as an addition to Glossary to avoid confusion with the use of the term event in other standards. Of
course, this would require an analysis of how the term “Event” as defined herein would affect the other
standards to which the term is used. In the end, this is the cleanest manner for the standards.
Northeast Power Coordinating
Council
No
The use of the term “impact events” has simply replaced the terms “disturbance” and “sabotage”, and has not
further defined sabotage as directed by FERC. We do feel that “impact events” needs to be a defined
term. While we agree with the SDT’s new direction, the FERC directive has not been met. This term and the
FERC directive do not recognize limitations in what a registered entity can do to determine whether an act of
sabotage has been committed. This term should recognize law enforcement and other specialized agencies,
including international agencies roles in defining acts of sabotage, and not hold the registered entity wholly
responsible to do so.
Pacific Gas and Electric
Company
No
PG&E believes Attachment 1 Part A or B do not clearly specify “sabotage” events, other than “forced entry”
and the proposed definition of “impact event” does not meet FERC’s directive to “further define sabotage” nor
does it take into consideration their request to address the applicability to smaller entities.
Pacific Northwest Small Public
Power Utility Comment Group
No
The comment group fails to see how changing the words meet the directive. Sabotage implies an organized
intentional attack that may or may not result in an electrical disturbance. The distinction between sabotage
and vandalism is important since sabotage on a small system may be the first wave of an attack on many
entities. The proposed standard asks us to treat insulator damage caused by a frustrated hunter (an act of
vandalism) the same as attack by an unfriendly foreign government (an act of sabotage). The comment group
does not agree that these should be treated equally.
Pepco Holdings, Inc - Affiliates
No
The list of events misses many items considered as suspicious or potential sabotage, such as suspicious
observation of critical facilities.
PNM Resources
No
PNM believes the proposed definition of “impact event” does not meet FERC’s directive to “further define
sabotage” nor does it take into consideration their request to address the applicability to smaller entities.
Attachment 1 Part A or B do not clearly specify “sabotage” events, other than “forced entry”.
Puget Sound Energy
No
With some of the tight timeframes for reporting, it is reasonable to focus on impact rather than motivation.
Requiring further analysis of the event in order to assess the possibility that the event was caused by
sabotage, however, may be necessary to address FERC’s concerns with respect to sabotage.
Santee Cooper
No
The term "impact events" needs to be more clearly defined.
US Bureau of Reclamation
No
The two are distinctly different. Disturbances are what happened, sabotage is why. We can easily tell what
happened. Determining why it happened (e.g. sabotage) takes time.
We Energies
No
Impact Event could replace disturbance and sabotage but not in its present form. The proposed definition of
impact event “An impact event is any event that has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure or mis-operation,
environmental conditions, or human action.” is too vague. The “potential to impact the reliability” is too broad
and open to interpretation. It needs to be specific so entities know what is and is not an impact event and so
an auditor clearly knows what it is. Define “impact event” as the items listed in Attachment 1. As you have
done, focusing on an event’s impact on reliability is more important than determining an individual’s intent
(sabotage vs. theft).
WECC
No
The proposed definition of “impact event” does not meet FERC’s directive to “further define sabotage” nor
does it take into consideration their request to address the applicability to smaller entities. Attachment 1 Part
A or B do not clearly specify “sabotage” events, other than “forced entry”. The purpose of CIP-001-1 and its
requirements is to address the specific issue of possible sabotage of BES facilities. This is entirely different
than a “disturbance” or an “event” on the BES. The proposed definition for “impact events” is essentially any
event that has either impacted the BES or has the potential to impact the BES, caused only by three specific
things; equipment failure or misoperation, environmental conditions, or human action. Several of these
“impact events” could be a result of sabotage. Actual or potential sabotage clearly poses a risk to the reliability
of the BES. It is important that the risks related to sabotage be reflected in either EOP or CIP
Ameren
Yes
However, the term Impact Event should be a new defined term. When the SDT determines this, it should use
the term consistently on both pages 5 and 21 of the SDT document.
ATC
Yes
Yes, if ATC’s recommended changes are made to Attachment 1 and the Standard.
BGE
Yes
The defined term “impact events” should be capitalized throughout the document to identify it as a defined
term. Additionally, BGE has noted in several comments that another term is used instead of “impact events”.
These terms should be eliminated and use “impact events” instead.
Electric Market Policy
Yes
The use of the term “impact events” has simply replaced the terms “disturbance” and “sabotage” and has not
further defined sabotage as directed by FERC. We do feel that impact events needs to be a defined term.
Georgia System Operations
Corporation
Yes
The new term is much more clear than those two terms. This will improve uncertainty and confusion regarding
whether or not something should be reported.
Kansas City Power & Light
Yes
Should the word disturbance be removed from the title of EOP004-2 to avoid confusion and simply be called
Impact Event and Assessment, Analysis and Reporting.
MRO's NERC Standards Review
Subcommittee
Yes
As an industry we have looked at sabotage as a sub component of a disturbance. Sabotage is hard to
measure since it is based on a perpetrator’s intent and thus very hard to determine.
Nebraska Public Power District
Yes
I agree there is a lot of interpretation and confusion as to what sabotage or a Cyber Incident is, so would
welcome better clarity. Whether “impact events” can more effectively clarify, is yet to be seen. “it will be
easier to get the relevant information for mitigation, awareness, and tracking, while removing the distracting
element of motivation.” “An impact event is any situation that has the potential to significantly impact the
reliability of the Bulk Electric System. Such events may originate from malicious intent, accidental behavior, or
natural occurrences.” I do know that Cyber Sabotage may take time or days to become aware so not sure
how that might expedite reporting and awareness.
PPL Electric Utilities
Yes
Refer to clarification requested in question 10 comments.
RRI Energy, Inc.
Yes
Agree. However, strongly encourage this to be made into a defined term in the Glossary of Terms.
SERC OC Standards Review
Group
Yes
We do feel that this needs to be a defined term
United Illuminating
Yes
The term impact event can substitute for sabotage and disturbance. The use of Forced Intrusion is a bright
line for reporting.
American Electric Power (AEP)
Yes
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Constellation Power Generation
and Constellation Commodities
Group
Yes
Idaho Power Company
Yes
MidAmerican Energy
Yes
North Carolina Electric Coops
Yes
PacifiCorp
Yes
PacifiCorp
Yes
PPL Supply
Yes
Southern Company Transmission
Yes
TransAlta Corporation
Yes
13. The DSR SDT has combined EOP-004 and CIP-001 into one standard (please review the mapping document
that shows the translation of requirements from the already approved versions of CIP-001 and EOP-004 to the
proposed EOP-004), EOP-004-3 and retiring CIP-001. Do you agree that there is no reliability gap between the
existing standards and the proposed standard? Please explain in the comment box below.
Summary Consideration:
While a majority of commenters who responded to this question support combining the two
standards, some commenters suggested that in combining the standards, the team left some gaps in coverage with respect to the
types of events that must be reported. The DSR SDT believes that combining EOP-004 and CIP-001 does not introduce a reliability
gap between the existing standards and the proposed standard, and the industry comments received confirm this. Some events that
were specifically identified in the original standard (such as a bomb threat) are covered more generically in the revised standard.
This modification encourages entities to focus on the ‘types’ of events that may be impactive rather than having a finite list that may
omit an event that couldn’t be anticipated when drafting the requirements.
The decision to eliminate the term sabotage from the standard and the retirement of CIP-001 should alleviate all concerns regarding
the term sabotage and its definition. The DSR SDT believes that “observation of suspicious activity” and “bomb threat” are considered
to be included in Part B – “Risk to BES equipment from a non-environmental physical threat”. We have added “and report of
suspicious device near BES equipment” to note 3 of the “Attachment 1, Potential Reliability – Part B”.
Organization
Yes or No
Question 13 Comment
WECC
A potential gap may exist. Attacks on BES facilities, via either vandalism or sabotage, are very different
events than impact events on the system. From a Compliance standpoint, a revised standard to address the
FERC directive on sabotage should be developed as an EOP standard (that is grouped with 693 Standards)
rather than as a CIP Standard (CIP-001-1).
Ameren
No
It appears that all requirements have been addressed from the existing standards. However, we believe there
is a reliability gap that continues from the existing standards because sabotage is not defined any better than
in the existing standards.
Bonneville Power Administration
No
BPA supports the concept behind the revisions to EOP-004-2. Creating a single reporting methodology will
improve the processes and lead to more consistency. BPA recommends that the Standards Drafting Team
(SDT) coordinate any revisions in the reporting requirements with those found in CIP-008-3 to ensure that
there are no conflicts. BPA asks the SDT to consider the impact of these changes on CIP-008-3 and work
with the CIP SDT to ensure that the wording of the two requirements is similar and clear. Based on
Attachment 1 part A of EOP-004-2, certain cyber security events, intrusions for example, would have to be
reported under both EOP-004-2 and CIP-008-3. That puts a burden on a Registered Entity to take additional
steps to coordinate reporting or face potential compliance risk for correctly reporting an event under one
standard and failing to report it under the other standard. The mapping document had errors: a. CIP-001 R1
to EOP-004 R2.9 (annual vs quarterly). b. EOP-004-1 R2 was translated to R2 & R3 of version 2. c. EOP-004-1
R3 was translated to R6 of version 2 (which doesn’t say to whom to report).
City of Garland
No
EOP-004-1 R2 did not get translated to EOP-004-2 R2 - table states it is mapped to R1
E.ON U.S. LLC
No
The Version History contained with EOP-004-2 indicates that CIP-001-1 and EOP-004-1 are “Merged”,
however, the actions do not reflect the retirement of CIP-001-1a and therefore, it is unclear if there will be
remaining redundancies or potential gaps with the new version EOP-004-2 and CIP-001-1a.
Electric Market Policy
No
Per the mapping document, some of the existing requirements are awaiting a new reporting procedure being
developed by NERC EAWG. For those requirements that were transferred over, the resulting standard
seems overly complex and lacks clarity.
Exelon
No
Reporting form doesn’t allow for investigations which result in no impact events found or identified.
Georgia Transmission
Corporation
No
The only two events that apply to a TO are the ones related to CIP: 1. Forced intrusion (report if motivation
cannot be determined, i.e. to steal copper) 2. Detection of a cyber intrusion to critical cyber assets (criteria of
CIP-008) Everything in this standard applies to a TOP and therefore E-004-2 and CIP-001 should not be
combined
Great River Energy
No
It appears that all requirements have been addressed from the existing standards. However, we believe there
is a reliability gap that continues from the existing standards because sabotage is not defined any better than
in the existing standards.
Indeck Energy Services
No
Bomb threat has totally been lost.
Independent Electricity System
Operator
No
We do not agree with the mapping. The proposed mapping attempts to merge the reporting in CIP-001-1
which has more of an on-going awareness nature to alert operating and government authorities of suspected
sabotage to prompt investigation with a possible aim to identify the cause and develop remedies to curb the
sabotage/events. The proposed EOP-004-2 appears to be more of a post-event reporting for need-to-know
purpose only. This is not consistent with the purpose of the SAR.
ISO New England Inc.
No
Per the mapping document, some of the existing requirements are awaiting a new reporting procedure being
developed by the NERC EAWG. For those requirements that were transferred over, the resulting standard
seems overly complex and lacks clarity. EOP-004-3 should be EOP-004-2.
Luminant Energy
No
CIP-001-1 R3.1 includes instructions associated with the DOE OE-417 form. EOP-004-2 R2.6 should include
the DOE as an example of an external organization requiring notification. Additionally, the Rationale for R1
discusses the possibility of one electronic form satisfying US entities with related disturbance reporting
requirements but does not include any information about the likelihood of this outcome. Please elaborate on
the process required to combine these reports.
Midwest ISO Standards
Collaborators
No
It appears that all requirements have been addressed from the existing standards. However, we believe there
is a reliability gap that continues from the existing standards because sabotage is not defined any better than
in the existing standards.
North Carolina Electric Coops
No
Northeast Power Coordinating
Council
No
Per the mapping document, some of the existing requirements are awaiting a new reporting procedure being
developed by the NERC EAWG. For those requirements that were transferred over, the resulting standard
seems overly complex and lacks clarity. EOP-004-3 should be EOP-004-2.
Pepco Holdings, Inc - Affiliates
No
The list of events misses many items considered as suspicious or potential sabotage, such as suspicious
observation of critical facilities.
Santee Cooper
No
It is very difficult to assess this question with the standard as currently written.
SERC OC Standards Review
Group
No
US Bureau of Reclamation
No
The two could be combined with no reliability gap based on the concept rather than the proposed standard.
As the standard is currently written, there is a reliability gap. Consider that after the fact reporting of a
sabotage event (other than criminal acts which may have been witnessed) usually takes some time to
investigate and analyze.
ATC
Yes
ATC agrees with this effort and does not currently see a reliability gap
BGE
Yes
None.
CenterPoint Energy
Yes
CenterPoint Energy agrees that there is no reliability gap between the existing standards and the proposed
standard. However, CenterPoint Energy believes that the SDT went too far in developing the proposed
EOP-004-2 and added additional unnecessary requirements. If the comments made above to Q1 - Q12 were to be
incorporated into the proposed Standard, CenterPoint Energy believes the product would be closer to a
results based Standard with no reliability gap.
City of Austin dba Austin Energy
Yes
If we can use OE 417 for NERC and DOE we do not perceive a reliability gap.
Georgia System Operations
Corporation
Yes
The new single standard will cover all necessary reporting requirements that are in the current two standards.
They are being combined into EOP-004-2 not EOP-004-3.
Green Country Energy
Yes
With the provision that definition and scope of "impact event" are developed and tables adjusted as needed to
address FERC’s concerns specifically. “(1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
MRO's NERC Standards Review
Subcommittee
Yes
Within the above question, the SDT is asking about EOP-004-2 not -3.
Nebraska Public Power District
Yes
Appears they only changed R1 for CIP-001 and moving R2-R4 directly over to EOP-004-2. R1 adds much
more detail on our part for a company operating plan but would definitely help some of the present confusion.
RRI Energy, Inc.
Yes
Assume reference to EOP-004-3 in the question 13 was meant to reference version 2 (EOP-004-2).
American Electric Power (AEP)
Yes
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
Consolidated Edison Co. of NY,
Inc.
Yes
Constellation Power Generation
and Constellation Commodities
Group
Yes
Duke Energy
Yes
Dynegy Inc.
Yes
ERCOT ISO
Yes
FirstEnergy
Yes
Idaho Power Company
Yes
Kansas City Power & Light
Yes
MidAmerican Energy
Yes
NERC Staff
Yes
Pacific Gas and Electric
Company
Yes
PacifiCorp
Yes
PacifiCorp
Yes
PNM Resources
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
Puget Sound Energy
Yes
Southern Company Transmission
Yes
TransAlta Corporation
Yes
United Illuminating
Yes
We Energies
Yes
14. Do you agree with the proposed effective dates? Please explain in the comment box below.
Summary Consideration:
While most stakeholders who responded to this question supported the 12 months originally proposed
for entities to become compliant, the drafting team has revised this to 6 months. The DSR SDT feels that six months and not more
than nine months is an adequate time frame. The current CIP-001 plan is adequate for the new EOP-004 and training should be met
in the proposed timeline.
The Implementation Plan was developed for the revised Requirements, which do not include an electronic “one-stop shopping” tool.
This topic is to be addressed in the proposed revisions to the NERC Rules of Procedure.
Organization
Yes or No
Question 14 Comment
Independent Electricity System
Operator
We do not agree with the proposed standard. We therefore are unable to agree on any implementation plan.
City of Garland
No
Do not agree with this proposed draft - instead of combining 2 standards to gain efficiency, this expands the
standard with unnecessary paperwork, drills, training, etc.
Constellation Power Generation
and Constellation Commodities
Group
No
Based on the drastic differences between the previous revisions to these standards, and this proposed
revision, 24 months would be a more reasonable timeframe for an effective date.
IRC Standards Review
Committee
No
If the training and Operation Plan requirements are adopted as proposed, this may not be sufficient time for
some entities to comply, particularly those with limited number of staff but perform functions that have multiple
event reporting requirements.
ISO New England Inc.
No
If the training and Operation Plan requirements are adopted as proposed, this may not allow sufficient time for
some entities to comply, particularly those with limited number of staff, but perform functions that have
multiple event reporting requirements.
Kansas City Power & Light
No
April 2011 is too soon for considerations applicable to the creation of an Operating Plan.
Manitoba Hydro
No
Though CIP-001-1a already contained provisions for sabotage response guidelines, the new EOP-004-2 R2
(2.1 to 2.9) will require reexamination of existing policies to remain compliant. Upon the approval of
Attachment 1, the existing disturbance guidelines will also have to be reexamined. With the addition of R3
(Identify and assess), R4 (Drills) and R5 (Training), will also require redevelopment of existing processes.
NERC Staff
No
In order to provide explicit dates, the language should be modified to state: “First calendar day of the first
calendar quarter one year after the date of the order providing applicable regulatory authority approval for all
requirements.”
Northeast Power Coordinating
Council
No
The effective dates in Canada need to be defined. The first bullet should be sufficient. If the training and
Operation Plan requirements are adopted as proposed, this may not allow sufficient time for some entities to
comply, particularly those with limited number of staff, but perform functions that have multiple event reporting
requirements.
Puget Sound Energy
No
There are no effective dates listed in the proposed standard. The proposed effective date should allow at
least one year for entities to implement the requirements of the standard. In addition, if requirement R1
remains, then the requirement to implement an operating plan should only be triggered by the ERO’s
finalization of the form and system for reporting impact events and should provide at least six months for the
implementation of the operating plan.
Santee Cooper
No
With the proposed training and drill requirements in the current written standard, one year is not enough time.
United Illuminating
No
UI believes the implementation should be staged. For R1 and R2: First calendar day of the first calendar
quarter one year after applicable regulatory authority approval for all. This provides sufficient time to draft a
procedure. Then time needs to be provided to provide training prior to implementation of R3 and R6. UI
believes two calendar quarters should be provided to complete training; therefore R3 and R6 is effective six
calendar quarters following regulatory approval. Implementation for R4 should state that the initial calendar
year begins on the date R2 is effective and entities have 12 months following that date to complete their first
drill. R5 requires training once per calendar year. Implementation for R5 should state that the initial calendar
year begins on the date R2 is effective and entities have 12 months following that date to complete their first
drill.
US Bureau of Reclamation
No
There is a 15 month training requirement. If the standard goes into effect in one year, most entities will not
have had an opportunity to develop their new Operating Plans and train their staff. The effective date should
recognize Operating Plans need to be revised and then training needs to be implemented. The most
aggressive schedule is 18 months. Two years would be more appropriate. The implementation date could
recognize the Operating Plan development as one phase and the training as the second.
ATC
Yes
Yes, if ATC’s recommended changes are made to the Standard. However, if the changes are not supported
then ATC recommends that the implementation time be changed to two years. Entities will need time to develop
both the plan called for in this standard and to train the personnel identified in the plan.
BGE
Yes
None.
Exelon
Yes
Agree with the proposed implementation date. A 12 month implementation will provide adequate time to
generate, implement and provide any necessary training by a registered entity.
Ameren
Yes
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
Bonneville Power Administration
Yes
Consolidated Edison Co. of NY,
Inc.
Yes
Duke Energy
Yes
Dynegy Inc.
Yes
E.ON Climate & Renewables
Yes
Electric Market Policy
Yes
ERCOT ISO
Yes
FirstEnergy
Yes
Georgia System Operations
Corporation
Yes
Great River Energy
Yes
Green Country Energy
Yes
Idaho Power Company
Yes
Indeck Energy Services
Yes
Luminant Energy
Yes
MidAmerican Energy
Yes
Midwest ISO Standards
Collaborators
Yes
MRO's NERC Standards Review
Subcommittee
Yes
North Carolina Electric Coops
Yes
Pacific Gas and Electric
Company
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PNM Resources
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
RRI Energy, Inc.
Yes
SERC OC Standards Review
Group
Yes
Southern Company Transmission
Yes
TransAlta Corporation
Yes
We Energies
Yes
WECC
Yes
15. Do you have any other comments that you have not identified above?
Summary Consideration:
The DSR SDT has met with the EAWG and has put in place a process to ensure the cooperation and
coordination between the DSR SDT and the EAWG. The impact event list is comprehensive and addresses the needs of the EAWG
and EOP-004.
There were concerns expressed that the impact event list should include deliberate acts against infrastructure. The impact list
includes “Risk to BES equipment from a non-environmental physical threat”; the DSR SDT feels that this is inclusive of deliberate acts
against infrastructure.
During discussions around the use and definition of the term sabotage, the DSR SDT considered the NRC definition and decided to
eliminate the use of the term sabotage from EOP-004 and replaced it with impact events. The DSR SDT has developed a definition
for “Impact Events” to support Attachment 1 as follows:
“An Impact Event is any event that has either impacted or has the potential to impact the reliability of the Bulk Electric
System. Such events may be caused by equipment failure or mis-operation, environmental conditions, or human action.”
The DSR SDT has proposed this definition for inclusion in the NERC Glossary for “Impact Event”. The types of Impact Events that are
required to be reported are contained within Attachment 1. Only these events are required to be reported under this Standard. The
DSR SDT considered the FERC directive to “further define sabotage” and decided to eliminate the term sabotage from the standard.
The team felt that it was almost impossible to determine if an act or event was that of sabotage or merely vandalism without the
intervention of law enforcement after the fact. This will result in further ambiguity with respect to reporting events. The term
“sabotage” is no longer included in the standard and therefore it is inappropriate to attempt to define it. The Impact Events listed in
Attachment 1 provide guidance for reporting both actual events as well as events which may have an impact on the Bulk Electric
System. The DSR SDT believes that this is an equally effective and efficient means of addressing the FERC Directive. Attachment 1,
Part A is to be used for those actions that have impacted the electric system and in particular the section “Damage or destruction to
equipment” clearly defines that all equipment that intentional or non intentional human error be reported. Attachment 1, Part B
covers the similar items but the action has not fully occurred but may cause a risk to the electric system and is required to be
reported.
The industry commented on the need for e-mail addresses and fax numbers for back up purposes. These details were added to the
standard and will also be covered in the implementation plan.
The proposed ballot in December was incorrect and has been deleted from the future development plan. The plan was updated
with the correct project plan dates.
Organization
Yes or No
Question 15 Comment
Indeck Energy Services
IRC Standards Review
Committee
Good start on a unified event reporting standard!
No
The standards should be changed to define what a “disturbance” is for reporting in EOP-004. Also, sabotage
reporting requirements in CIP-001 should be rescinded as EOP-004 already has such requirements.
PSEG Companies
Arizona Public Service Company
No
ATCO Electric Ltd.
No
Duke Energy
No
Electric Market Policy
No
FirstEnergy
No
Independent Electricity System
Operator
No
Luminant Energy
No
Manitoba Hydro
No
PacifiCorp
No
PPL Supply
No
RRI Energy, Inc.
No
United Illuminating
No
Ameren
Yes
We are concerned with the Future Development Plan. It shows an initial ballot period starting in December.
This standard has significant issues and will need another distinct comment period (and not the formal
comment period in parallel with balloting) prior to balloting.
American Electric Power (AEP)
Yes
The standard needs to be modified to allow the ability for one entity to report on behalf of other entities. For
example the loss of Generation over the threshold could be reported by the RC opposed to the GO
individually, if mutually agreed upon before the fact.
ATC
Yes
ATC believes that it is not evident in this draft that the SDT has worked collaboratively with the Events
Analysis working group to leverage their work. ATC believes that NERC must coordinate this project and the
EAWG efforts. The EAWG is proposing to modify NERC Rules of Procedure but the SDT is suggesting
requirement for the ERO be built within the standard. We believe that the Rules of Procedure is the proper
course to take for identifying NERC obligations, but what is clear is that NERC itself does not seem to have
an overall plan for event reporting and analysis. Lastly, ATC would like to see the SDT expand the mapping
document to include the work of the EAWG. The industry needs to be presented with a clear picture as to
how all these things will work together along with their reporting obligations. The definition of an “impact
event” needs to be revised. First, if these events are to include any equipment failure or mis-operation that
impacts the BES, the standard is requiring more than is intended based upon the reading of the requirements.
PRC-004 already covers the reporting of protection system mis-operations, and if reading this definition
verbatim, it would lead one to conclude that those same mis-operations reported under PRC-004 shall also be
reported under EOP-004. The definition should be revised to something like: “An impact event is a system
disturbance affecting the Bulk Electric System beyond loss of a single element under normal operating
conditions and does not include events normally reported under PRC-004. Such events may be caused by...”
BGE
Yes
One item that is properly addressed is the removal of Load Serving Entity from the Applicable Functional
Entities. There may be a need to provide some guidance to Functional Entities when there are separate
Transmission Owners and Transmission Operators or Generation Owners and Generation Operators. If they
are separate, there may be redundancy in reporting. From the documentation, it doesn’t seem like the SDT
are combining all reports into one form as we would like to see. In the rationale for R1 section, it talks of getting
both forms (NERC and OE-417) together in one document (however it sounds like the forms within the
document are still separate), available electronically, which only seems like a step forward. However, it does
not take away the confusing process for the operators of which part of the form would need to be filled, who
should be sent this form depending on what part is filled, if one part of the form is filled out do the other parts
need to be filled, etc. If the forms cannot be consolidated, BGE would rather the forms be separate to reduce
confusion. BGE believes all these reports should require one form with one set of recipients, period. This may
mean that NERC needs to get DOE to modify their OE-417 form.
Bonneville Power Administration
Yes
The document retention times in EOP-004-3 should be spelled out more clearly. The Compliance summary
does so (but needs some punctuation clarification regarding investigation), the SDT should consider making
that part of the requirements or clarifying the wording in the requirements.
CenterPoint Energy
Yes
CenterPoint Energy appreciates the efforts of the SDT in removing outdated and unnecessary language from
the existing EOP-004 standard. Additionally, CenterPoint Energy urges the SDT to also remove the proposed
“how to” prescriptive requirements. CenterPoint Energy believes the SDT team’s focus should be on drafting
a results-based standard for reporting actual system disturbances and acts of sabotage that disrupt the
reliable operation of the BES. The SDT should not delve into trying to identify a list of events that have a
potential reliability impact. As stated in response to Q10, CenterPoint Energy strongly believes that
cyber-related events should not be in the scope of this standard since they are already required to be identified and
reported to appropriate entities under CIP-008. Excluding cyber events from this standard further supports the
elimination of redundancies within the body of standards.
City of Garland
Yes
Do not agree with this proposed draft - instead of combining 2 standards to gain efficiency, this expands the
standard with unnecessary paperwork, drills, training, etc. For reports required under this standard, companies
with multiple registration numbers and functions should only have to file one report for all functions and
registrations.
Consolidated Edison Co. of NY,
Inc.
Yes
Overriding Comment and Concern: It is absolutely essential that the work on EOP-004 and that on the NERC
Event Analysis Process (EAP) be fully coordinated. We find that there are a number of inconsistencies
between these two documents. The EAP and EOP-004 are not aligned. In order to operate and report
effectively entities need consistent requirements.
Constellation Power Generation
and Constellation Commodities
Group
Yes
As stated earlier, the “summary of concepts” for this latest revision, as written by the SDT, includes the
following items:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around of who will receive the information and how it will be used.
Each and every requirement should be mapped to one of these 5 items; otherwise, it should not be included in this standard.
Summarizing all of the comments above, Constellation Power Generation proposes the following revision to
EOP-004-2:
1. Title: Impact Event and Disturbance Assessment, Analysis, and Reporting
2. Number: EOP-004-2
3. Purpose: Responsible Entities shall report impact events and their known causes to support
situational awareness and the reliability of the Bulk Electric System (BES).
4. Applicability
4.1. Functional Entities:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Transmission Operator
4.1.4. Generator Operator
4.1.5. Distribution Provider
4.1.6. Electric Reliability Organization.
Requirements and Measures
R1. The ERO shall establish, maintain and utilize a system for receiving and distributing impact event reports,
received pursuant to Requirement R6, to applicable government, provincial or law enforcement agencies and
Registered Entities to enhance and support situational awareness.
R2. Each Applicable Entity identified in Attachment 1 shall have an Operating Plan(s) for identifying, assessing
and reporting impact events listed in Attachment 1 that includes the following components:
2.1. Method(s) for identifying impact events listed in Attachment
2.2. Method(s) for assessing cause(s) of impact events listed in Attachment 1
2.3. Method(s) for making internal and external notifications should an impact event listed in Attachment 1 occur.
2.4. Method(s) for updating the Operating Plan.
2.5 Method(s) for making operation personnel aware of changes to the Operating Plan.
R3. Each Applicable Entity shall implement their Operating Plan(s) to identify and assess
cause of impact events listed in Attachment 1.
R4. Each Applicable Entity shall provide training to all operation personnel at least annually.
R5. Each Applicable Entity shall report impact events in accordance with its
Operating Plan created pursuant to Requirement 2 and the timelines outlined in Attachment 1.
Dynegy Inc.
Yes
This does not address the inability of a GO/GOP to determine effects on the BES. Surrounding BES
knowledge is limited for a GO/GOP.
E.ON Climate & Renewables
Yes
Refrain from having redundant reporting forms if at all possible. This can create confusion and lead to
unnecessary penalty amounts and violations for registered entities. “Potential” impacts of an event on the
BES need to be clearly defined in the standard.
E.ON U.S. LLC
Yes
The new standard should incorporate all other disturbance, sabotage, or “impact event” reporting standards,
such as CIP-008-3. At the very least it should reference those other standards that have within their scope
same/similar events in order to ensure complete reporting and full compliance. Suggesting that one standard
provides the single reporting procedure, when in actuality it does not, is counterproductive. The discussion of
“impact event” clearly indicates the SDT’s intent to include sabotage events in the proposed standard EOP-004-2.
ERCOT ISO
Yes
ERCOT ISO supports the comments provided by the SRC. However, if the standard is to be established,
ERCOT ISO has offered the comments contained herein as improvements to the requirements proposed. The
requirements listed do not take into consideration the hierarchical reporting necessary for events (i.e.: GO to
GOP to BA). The current structure will lead to redundant and conflicting reporting from multiple entities. This
will lead to confusion in the analysis of the event. Any system developed and used to report impact events
must include notification to the other relevant entities (i.e.: Reliability Coordinator, Balancing Authority,
Transmission Operator, and Generator Operator). The proposed standard should not rely on a centralized
system that does not follow the established hierarchy of dissemination of information.
Exelon
Yes
The standard is lacking guidance for DOE Form OE-417 reporting as outlined in the current version of EOP-004 and doesn’t contain any non-BES related reporting. What is the governing process for OE-417
reporting? Need clarification if one entity can respond on behalf of all entities in one company. Need a
provision for entities to provide one report for all entities. Radiological sabotage is a defined term within the
NRC glossary of terms. It would seem that a deliberate act directed towards a plant would also constitute an
"impact event." In general, the DSR SDT should include discussions with the NRC to ensure communications
are coordinated or consider utilizing existing reporting requirements currently required by the NRC for each
nuclear generator operator for consistency. The definition of sabotage as defined by NRC is as follows: Any
deliberate act directed against a plant or transport in which an activity licensed pursuant to 10 CFR Part 73 of
NRC's regulations is conducted or against a component of such a plant or transport that could directly or
indirectly endanger the public health and safety by exposure to radiation.
Georgia System Operations
Corporation
Yes
Light years better than the current CIP-001-1 and EOP-004-1! With some changes from this comment period,
we should have a clearer set of realistic requirements which could likely pass the ballot. Thanks go out to the
drafting team for bringing clarity to this topic. Capitalization throughout this document is inconsistent. It is not
in synch with the NERC Glossary. All terms that remain capitalized in the next draft (other than when used as
a title or heading) should be defined in the Glossary of Terms Used in NERC Reliability Standards. Examples
of not in synch with the Glossary: Registered Entity, Responsible Entity, Law Enforcement. These are not
defined in the Glossary. The requirements that apply to entities should not use the word "analysis."
"Assessment" should be used. Analysis is a different process (an ERO process) and is being addressed by
another group within NERC (Dave Nevius). This EOP-004 drafting team and the NERC analysis group should
closely coordinate such that there are no conflicts and the combined requirements/processes are realistic
(mainly regarding timelines).
Great River Energy
Yes
We are concerned with the Future Development Plan. It shows an initial ballot period starting in December.
This standard has significant issues and will need another distinct comment period (and not the formal
comment period in parallel with balloting) prior to balloting.
Please provide an e-mail address for the
submittal of the report to NERC (and any other parties above a Regional Entity) within this Standard and a fax
number as a backup to electronic submittal.
Green Country Energy
Yes
I think the drafting team has done a wonderful job of beginning the task of combining two related standards. I
ask them to keep in mind the small generators, and others who do not have the wide view capability, that
more than likely react to events that occur with no knowledge of why they occurred, and limited staff to address
administrative standard requirements. Many times the KISS approach is the best approach.
Idaho Power Company
Yes
Including training requirements in each standard creates confusion and compliance or failure to comply
potential. PER standards are in place for personnel training; these standards should be utilized for adding
requirements that require training for NERC Standards.
ISO New England Inc.
Yes
Request clarification on how RCIS is part of this Standard. The form should be filled out in two stages. First
stage would be the immediately available information. The second stage would be the additional information
such as one line diagrams. There is concern with burdening the reporting operator on filling out forms instead
of operating the Bulk Electric System. Most of the draft requirements are written as administrative in nature,
and this is not most effective. Changes need to be made to (or possibly elimination of) R1, R2, R3. The
standards should be changed to define what a “disturbance” is for reporting in EOP-004. Sabotage reporting
as per CIP-001 should be rescinded as EOP-004 already has such a requirement.
Kansas City Power & Light
Yes
The standard addressed a preliminary report; it should also address the requirements of a final report.
MidAmerican Energy
Yes
This entire standard needs to be revised to consider a results based standard.
Midwest ISO Standards
Collaborators
Yes
We are concerned with the Future Development Plan. It shows an initial ballot period starting in December.
This standard has significant issues and will need another distinct comment period (and not the formal
comment period in parallel with balloting) prior to balloting.
MRO's NERC Standards Review
Subcommittee
Yes
Please provide an e-mail address for the submittal of the report to NERC (and any other parties above a
Regional Entity) within this Standard and a fax number as a backup to electronic submittal. EOP-004
Attachment 2: Impact Event Reporting Form (note in the proposed standards it states EOP-002) seems to be
written for Actual Impact Events only. Perhaps another section could be added for “Potential” Impact Events.
NERC Staff
Yes
NERC staff commends the SDT on its work so far. Merging CIP-001 and EOP-004 is a significant
improvement and eliminates some current redundancies for reporting events. NERC staff believes
opportunities to improve the proposed standard still exist. In particular, the team should consider possible
redundancies with the Reliability Coordinator Working Group (RCWG) reporting guidelines, the Electricity
Sector - Information Sharing and Analysis Center (ES-ISAC) reporting requirements for sharing information
across sectors, and the Events Analysis Working Group (EAWG) efforts to develop event reporting
processes. Ideally, the SDT and the EAWG should work together to develop a single consistent set of
reporting criteria that can be utilized in both the EAWG event reporting process and in the requirements of the
EOP-004-2 Reliability Standard.
North Carolina Electric Coops
Yes
Keep in mind that redundancy in reporting requirements from the DOE does not improve or enhance bulk
electric system reliability but rather creates more work for the reporting entity.
Northeast Power Coordinating
Council
Yes
Request clarification on how RCIS is part of this Standard. The form should be filled out in two stages. First
stage would be the immediately available information. The second stage would be the additional information
such as one line diagrams. There is concern with burdening the reporting operator on filling out forms instead
of operating the Bulk Electric System. Most of the draft requirements are written as administrative in nature,
and this is not most effective. Changes need to be made to (or possibly elimination of) R1, R2, R3. The
standards should be changed to define what a “disturbance” is for reporting in EOP-004. Sabotage reporting
as per CIP-001 should be rescinded as EOP-004 already has such a requirement.
Pacific Gas and Electric
Company
Yes
PG&E believes as the training requirements continue to expand, having one training standard that captures
all the training required within the NERC standards will allow for better clarity for the training departments in
providing and meeting all NERC Standard compliance issues.
Pacific Northwest Small Public
Power Utility Comment Group
Yes
The proposed standard has a huge impact on small DPs. DPs that presently do not maintain 24/7 dispatch
centers will need to begin doing so to meet the reporting deadlines such as 1 hour after an occurrence is
identified (possibly identified by a third party) or 24 hours after an occurrence (regardless of when it was
discovered by the DP). The planning, assessing, drilling, training, and reporting requirements (R2-R6), as well
as documentation (M2-M6) by small entities will cause utility rates to rise, will reduce local level of service,
and will not represent a corresponding increase to the reliability of the BES. The SDT concept of clear criteria
for reporting has not been met, since R2 effectively directs the applicable entities to develop their own criteria.
The decision of which types of events will be reported to which external organizations has been left up to the
applicable entity. The comment group notes that there is no coordination of effort required between the
applicable entities and the RCs or TOs that issue reliability directives. Energy Emergencies requiring voltage
reduction or load shedding are likely to be communicated to applicable entities via directives. The likely result
of this lack of coordination is that entities will plan, drill, and train for an event, but when the directive comes it
will not be the one planned, drilled, and trained for. Coordination between those sending and receiving
directives would ensure the probable events and directed responses are the ones planned, drilled, and
trained for.
PacifiCorp
Yes
This is yet another standard with training requirements not covered under any PER standards. Having different
training requirements spread throughout the standards makes it increasingly difficult to ensure all training
requirements are met. Developing a "Training Standard" that lists ALL required training would streamline the
process and aid greatly in compliance monitoring.
Pepco Holdings, Inc - Affiliates
Yes
The EAWG is developing processes that will be enforced through the Rules of Procedure. It may be
inappropriate to reference the EAWG process in the Mapping Document.
PNM Resources
Yes
PNM believes that having one training standard that captures all the training required within the NERC
standards will allow for better clarity for the training departments in providing and meeting all NERC Standard
compliance issues. This will become even more of an issue as training requirements continue to expand.
PPL Electric Utilities
Yes
Combining EOP-004, CIP-001 and CIP-008’s reporting requirements reduces redundancy and will add clarity
to the compliance activities.
Puget Sound Energy
Yes
The DSR SDT’s concepts for implementing a new structure for reporting are appropriate. Proper
implementation of those concepts is likely to result in a very much improved standard. However, the
proposed standard falls well short of implementing the concepts and is not much of an improvement on the
current standard.
Santee Cooper
Yes
We don’t believe that entities should be subjected to duplicate reporting to existing DOE requirements. How
does redundancy in reporting requirements improve or enhance bulk electric system reliability?
SERC OC Standards Review Group
Yes
We find it disturbing that NERC is headed down a path of codifying requirements that are redundant to
existing DOE requirements. How does redundancy in reporting requirements improve or enhance bulk
electric system reliability? Disclaimer: “The comments expressed herein represent a consensus of the views
of the above named members of the SERC OC Standards Review group only and should not be construed as
the position of SERC Reliability Corporation, its board or its officers.”
Southern Company Transmission
Yes
The only concern that we have with the proposed standard is that it feels like it is creating dual, not quite
redundant, reporting requirements for cyber intrusions in concert with CIP-008. Hopefully, there will not have
to be a redundant reporting requirement if we continue to merge efforts with the CIP Drafting Team. Since we
will no longer use the word SABOTAGE in the new EOP-004, we are hoping the industry and the CIP Drafting
Team will give us the criteria they wish for us to use in order to report CIP-008 incidents. We will then
achieve a “ONE STOP SHOP” reporting standard.
Tenaska
Yes
Since the proposed EOP-004-2 Standard does not eliminate the OE-417 reporting requirement, it does not
streamline the existing CIP-001-1 and EOP-004-1 reporting requirements for GO/GOP’s. The "laundry list" of
components required in the Operating Plan described in R2 is too specific and would make it more difficult to
prove compliance during an audit. We prefer that the existing CIP-001-1 and EOP-004-1 Standards remain
unchanged.
TransAlta Corporation
Yes
A Confidential Impact Event Report form is included in attachment 2 but nowhere in the standard does it say
to use this form. This form appears to be similar to the “Preliminary Disturbance Report” form used in EOP-004-1. Clarity is required.
US Bureau of Reclamation
Yes
The SDT should consider that in reality it would be more streamlined to require immediate notification of an
event for situational awareness, and then give adequate time for analysis of the cause. Reports that have an
arbitrary rush will be diseased with low quality information and not much value in the long run to the BES. The
Attachment A should be constructed around notification of situational awareness. The reporting timeline
should be constructed around the different levels of severity. The more severe the event, usually the more
complicated the event is to analyze. Simple events usually do not have a significant impact.
We Energies
Yes
Please be careful to capitalize defined terms. If the intent is to not use the defined term, use another
word. "Forced intrusion" (cutting a fence, breaking in a door) may not be discovered for quite some time after it
occurs. Should it be reported as soon as discovered? Even if there was no impact event (disturbance)?
"Destruction of a Bulk Electric System Component" seems pretty specific. However, if a transformer kicks off
line due to criminal damage, yet is considered repairable, is the event reportable?
WECC
Yes
Having one training standard that captures all the training required within the NERC standards will allow for
better clarity for the training departments in providing and meeting all NERC Standard compliance issues.
This will become even more of an issue as training requirements continue to expand. CIP-001-1 has
surprisingly been one of the most violated standards during the initial period. However, most entities have
now developed and demonstrated a decent compliance process. Unless a revised standard to address the
FERC directive on sabotage is developed (as suggested in 13 above) this proposed standard appears to
eliminate sabotage reporting as a reliability standard to the potential detriment of BES reliability.
Consideration of Comments on Disturbance & Sabotage Reporting – 2009-01
Consideration of Comments on Disturbance & Sabotage Reporting —
Project 2009-01
The Disturbance & Sabotage Reporting Drafting Team (DSR SDT) thanks all commenters
who submitted comments on the Second Posting of EOP-004-2, Impact Event Reporting
(Project 2009-01).
This standard was posted for a 30-day public comment period from March 9, 2011 through
April 8, 2011. The stakeholders were asked to provide feedback on the standard through a
special Electronic Comment Form. There were 60 sets of comments, including comments
from 188 different people from approximately 132 companies representing 10 of the 10
Industry Segments as shown in the table on the following pages.
In this report, comments have been organized by question to make it easier to see where
there is consensus. Comments may be reviewed in their original format on the project
page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
If you feel that your comment has been overlooked, please let us know immediately. Our
goal is to give every comment serious consideration in this process! If you feel there has
been an error or omission, you can contact the Vice President and Director of Standards,
Herb Schrayshuen, at 404-446-2560 or at herb.schrayshuen@nerc.net. In addition, there is
a NERC Reliability Standards Appeals Process. 1
1 The appeals process is in the Standard Processes Manual:.
Summary Consideration: The DSR SDT received many comments regarding the proposed
definition of “Impact Event,” the requirements, and event reporting in Attachment 1. The
main stakeholder concerns were addressed as follows:
• Many stakeholders disagreed with the need for the definition of “Impact Event” and
felt that the definition was ambiguous and created confusion. The DSR SDT agrees
and has deleted the proposed definition from the standard. The list of events in
Attachment 1 is all-inclusive and no further attempts to define “Impact Event” are
necessary.
• Many stakeholders raised concerns with the 1 hour reporting requirement for certain
types of events. The commenters believed that the restoration of service or the
return to a stable bulk power system state may be jeopardized by having to report
certain events within one hour. The DSR SDT agreed and revised the reporting time
to 24 hours for most events, with the exception of damage or destruction of BES
equipment, forced intrusion or cyber related incidents.
• Many stakeholders suggested that the reporting of events after the fact only justified
a VRF of “lower” for each requirement. With the revised standard, there are now
three requirements. Requirement 1 specifies that the responsible entity have an
Operating Plan for identifying and reporting events listed in Attachment 1. This is
procedural in nature and justifies a “lower” VRF, as this requirement deals with the
means to report events after the fact. The current approved VRFs for EOP-004-1 are
all “lower” with the exception of Requirement R2 which is a requirement to analyze
events. This standard relates only to reporting events. Analysis of reported events
is addressed through the NERC Events Analysis Program. Proposed changes to the
Electric Reliability Organization Events Analysis Process Field Trial documents that
clarify the role of the Events Analysis program in analyzing reported events will be
posted for stakeholder comment separately.
• The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the
Operating Plan once per year (R3). Requirement R2 specifies that an entity is
responsible for reporting events to the appropriate entities in accordance with the
Operating Plan based on Attachment 1. Requirement R3 makes sure that an entity
can communicate information about events. Some of these events are dealing with
potential sabotage events, and part of the reason to communicate these types of
events is to make other entities aware to help prevent further sabotage events from
occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs
for each of the requirements is “medium.” The VRFs for EOP-004-2 are consistent
with the existing approved VRFs for both EOP-004 and CIP-001.
• Several commenters wanted more clarity regarding which entities report and to
whom they report. Many stakeholders were confused regarding law enforcement
notifications and questioned whether certain types of events (IROL, Public Appeal,
etc.) needed to be reported to law enforcement. The background section of the
standard provides guidance with respect to reporting events to law enforcement. For
clarity, the DSR SDT has added the following sentence to the first paragraph under
the heading “Law Enforcement Reporting”: “These are the types of events that
should be reported to law enforcement.” The entire paragraph is:
o “The reliability objective of EOP-004-2 is to prevent outages which could lead
to Cascading by effectively reporting events. Certain outages, such as those
due to vandalism and terrorism, may not be reasonably preventable. These
are the types of events that should be reported to law enforcement. Entities
rely upon law enforcement agencies to respond to and investigate those
events which have the potential to impact a wider area of the BES. The
inclusion of reporting to law enforcement enables and supports reliability
principles such as protection of bulk power systems from malicious physical or
cyber attack. The Standard is intended to reduce the risk of Cascading
events. The importance of BES awareness of the threat around them is
essential to the effective operation and planning to mitigate the potential risk
to the BES.”
• Some commenters also questioned whether or not the existing applicability would
result in multiple reports being submitted by different entities for the same event.
NERC staff has indicated that this is acceptable and that having multiple types of
entities report the same event may provide different types of information about the
event.
Commenters also had concerns about the applicability of the standard to Load Serving
Entities who may not own physical assets as well as to the ERO and Regional Entity. The
DSR SDT agrees that the Distribution Provider owns the assets per the Functional Model;
however the LSE is an applicable entity under CIP-002. Events relating to the CIP-002 assets
are to be reported by the LSE. These are envisioned to be cyber assets. The DSR SDT also
includes the ERO or the RE as applicable entities based on the applicability of CIP-002.
Some commenters identified issues with the footnotes in Attachment 1. These were revised
as suggested. There were a few instances where the word “sabotage” remained in the
standard or the flowchart. The DSR SDT has removed all instances of “sabotage” and
replaced them with “event,” and revised the flowchart to remove references to sabotage.
Several commenters were concerned that the DSR SDT and the NERC Events Analysis
Working Group (EAWG) may not be in alignment. The DSR SDT is working in close
coordination with the EAWG and will continue to develop the standard and will make the
EAWG aware of the DSR SDT’s efforts.
The issue of the FERC directives relating to this project was broached by several
commenters. The DSR SDT envisions EOP-004-2 to be a continent-wide reporting standard.
Any follow up investigation or analysis falls under the purview of the NERC Events Analysis
Program under the NERC Rules of Procedure. This process is being revised by the EAWG.
Discussions with FERC staff indicate that the current efforts of the DSR SDT and the EAWG
are sufficient to address the intent of the directive.
After the drafting team completed its consideration of stakeholder comments, the standards
and implementation plan were submitted for quality review. Based on feedback from the
quality review, the drafting team has made two significant revisions to the standard. The
first revision is to add a requirement for implementation of the Operating Plan listed in
Requirement R1. There was only a requirement to report events, but no requirement
specifically calling for updates to the Operating Plan or the annual review. This was
accomplished by having two requirements. The first is Requirement R2 which specifies that
an entity must implement the Operating Plan per Requirement R1, Parts 1.1, 1.2, 1.4 and
1.5:
R2. Each Responsible Entity shall implement the parts of its Operating Plan that
meet Requirement R1, Parts 1.1 and 1.2 for an actual event and Parts 1.4 and 1.5 as
specified.
The second Requirement is R3 which addresses Part 1.3:
R3. Each Responsible Entity shall report events in accordance with its Operating Plan
developed to address the events listed in Attachment 1.
The second revision based on the quality review pertains to Requirement R4. The quality
review suggested revising the requirement to more closely match the language in the
Rationale box that the drafting team developed. This would provide better guidance for
responsible entities as well as provide more clear direction to auditors. The revised
requirement is:
R4. Each Responsible Entity shall verify (through actual implementation for an
event, or through a drill or exercise) the communication process in its Operating
Plan, created pursuant to Requirement 1, Part 1.3, at least annually (once per
calendar year), with no more than 15 calendar months between verification or actual
implementation.
Index to Questions, Comments, and Responses
1. Do you agree with the revised Purpose Statement of EOP-004-2, Impact Event Reporting? If not,
please explain why not and if possible, provide an alternative that would be acceptable to you.
2. Do you agree with the proposed definition of Impact Event? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
3. Do you agree that the DSR SDT has provided an equally efficient and effective solution to the
FERC Order 693 directive to “further define sabotage”? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
4. Do you agree with the proposed applicability of EOP-004-2 shown in Section 4 and Attachment 1
of the standard? If not, please explain why not and if possible, provide an alternative that would
be acceptable to you.
5. Stakeholders suggested removing original Requirements 1, 7 and 8 from the standard and
addressing the reliability concepts in the NERC Rules of Procedure. Do you agree with the
removal of original requirements 1, 7 and 8 (which were assigned to the ERO) and the proposed
language for the Rules of Procedure (Paragraph 812)? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
6. Do you agree with the proposed revisions to Requirement 2 (now R1) including the use of
defined terms Operating Plan, Operating Process and Operating Procedure? If not, please explain
why not and if possible, provide an alternative that would be acceptable to you.
7. Do you agree with the proposed revisions to Requirement 3 (now R2)? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
8. Do you agree with the proposed revisions to Requirement 4 (now R3)? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
9. Do you agree with the proposed revisions to Requirement 5 (now R4)? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
10. Do you agree with the proposed revisions to Requirement 6 (now R5) and the use of either
Attachment 2 or the DOE-OE-417 form for reporting? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
11. Do you agree with the proposed revisions to Attachment 1? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
12. Do you agree with the proposed measures for Requirements 1-5? If not, please explain why not
and if possible, provide an alternative that would be acceptable to you.
13. Do you agree with the proposed Violation Risk Factors for Requirements 1-5? If not, please
explain why not and if possible, provide an alternative that would be acceptable to you.
14. Do you agree with the proposed Violation Severity Levels for Requirements 1-5? If not, please
explain why not and if possible, provide an alternative that would be acceptable to you.
15. Do you agree with the proposed Time Horizons for Requirements 1-5? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
16. Do you agree with the proposed Implementation Plan for EOP-004-2? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
17. If you have any other comments you have not already provided in response to the questions
above, please provide them here.
Consideration of Comments on Disturbance & Sabotage Reporting – 2009-01
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Group/Individual
Commenter
Organization
Registered Ballot Body Segment
1
1.
Group
David Revill
Additional Member
Additional Organization
Georgia Transmission Corporation &
Oglethorpe Power Corporation
Georgia Transmission Corporation SERC
1
2. Greg Davis
Georgia Transmission Corporation SERC
1
3. Jason Snodgrass
Georgia Transmission Corporation SERC
1
4. Scott McGough
Oglethorpe Power Corporation
5
Group
Additional Member
Guy Zito
3
X
4
X
5
6
7
8
9
10
X
Region Segment Selection
1. John Miller
2.
2
SERC
Northeast Power Coordinating Council
Additional Organization
X
Region Segment Selection
1. Alan Adamson
New York State Reliability Council, LLC
NPCC
10
2. Gregory Campoli
New York Independent System Operator
NPCC
2
3. Kurtis Chong
Independent Electricity System Operator
NPCC
2
4. Sylvain Clermont
Hydro-Quebec TransEnergie
NPCC
1
5. Chris de Graffenried Consolidated Edison Co. of New York, Inc. NPCC
1
6. Gerry Dunbar
Northeast Power Coordinating Council
NPCC
10
7. Si Truc Phan
Hydro-Quebec TransEnergie
NPCC
1
8. Mike Garton
Dominion Resources Services, Inc.
NPCC
5
9. Brian L. Gooder
Ontario Power Generation Incorporated
NPCC
5
10. Kathleen Goodman
ISO - New England
NPCC
2
11. David Kiguel
Hydro One Networks Inc.
NPCC
1
12. Michael R. Lombardi Northeast Utilities
NPCC
1
13. Randy MacDonald
New Brunswick Power Transmission
NPCC
1
14. Bruce Metruck
New York Power Authority
NPCC
6
15. Chantel Haswell
FPL Group, Inc.
NPCC
5
16. Lee Pedowicz
Northeast Power Coordinating Council
NPCC
10
17. Robert Pellegrini
The United Illuminating Company
NPCC
1
18. Saurabh Saksena
National Grid
NPCC
1
19. Michael Schiavone
National Grid
NPCC
1
20. Wayne Sipperly
New York Power Authority
NPCC
5
21. Donald Weaver
New Brunswick System Operator
NPCC
1
22. Ben Wu
Orange and Rockland Utilities
NPCC
1
23. Peter Yost
Consolidated Edison Co. of New York, Inc. NPCC
3
3.
Group
Denise Koehn
Additional Member
1. Jim Burns
4.
Bonneville Power Administration
Additional Organization
2
3
X
4
X
5
6
X
X
X
X
7
8
9
10
Region Segment Selection
BPA, Transmission, Technical Operations WECC 1
Group
Additional Member
Carol Gerou
Midwest Reliability Organization
Additional Organization
X
X
Region Segment Selection
1. Mahmood Safi
Omaha Public Utility District
MRO
1, 3, 5, 6
2. Chuck Lawrence
American Transmission Company
MRO
1
3. Tom Webb
Wisconsin Public Service Corporation MRO
3, 4, 5, 6
4. Jodi Jenson
Western Area Power Administration
MRO
1, 6
5. Ken Goldsmith
Alliant Energy
MRO
4
6. Alice Ireland
Xcel Energy
MRO
1, 3, 5, 6
7. Dave Rudolph
Basin Electric Power Cooperative
MRO
1, 3, 5, 6
8. Eric Ruskamp
Lincoln Electric System
MRO
1, 3, 5, 6
9. Joseph Knight
Great River Energy
MRO
1, 3, 5, 6
10. Joe DePoorter
Madison Gas & Electric
MRO
3, 4, 5, 6
11. Scott Nickels
Rochester Public Utilities
MRO
4
12. Terry Harbour
MidAmerican Energy Company
MRO
1, 3, 5, 6
13. Richard Burt
Minnkota Power Cooperative, Inc.
MRO
1, 3, 5, 6
5.
Group
Steve Rueckert
2
3
Western Electricity Coordinating Council
4
5
6
7
8
9
10
X
Additional Member Additional Organization Region Segment Selection
1. Don Pape
WECC
WECC 10
2. Phil O'Donnell
WECC
WECC 10
6.
Group
Annette Bannon
PPL Supply
Additional Member Additional Organization
1.
7.
Mark Heimbach
Group
Additional Member
Region
X
X
5, 6
Pacific Northwest Small Public Power Utility
Comment Group
Additional Organization
X
Segment
Selection
PPL Martins Creek, LLC RFC
Steve Alexanderson
X
X
X
Region Segment Selection
1. Dave Proebstel
Clallam County PUD No.1
WECC 3
2. Russell A. Noble
Cowlitz County PUD No. 1
WECC 3, 4, 5
3. Ronald Sporseen
Blachly-Lane Electric Cooperative
WECC 3
4. Ronald Sporseen
Central Electric Cooperative
WECC 3
5. Ronald Sporseen
Clearwater Power Company
WECC 3
6. Ronald Sporseen
Douglas Electric Cooperative
WECC 3
7. Ronald Sporseen
Fall River Rural Electric Cooperative
WECC 3
8. Ronald Sporseen
Northern Lights
WECC 3
9. Ronald Sporseen
Lane Electric Cooperative
WECC 3
10. Ronald Sporseen
Lincoln Electric Cooperative
WECC 3
11. Ronald Sporseen
Raft River Rural Electric Cooperative
WECC 3
12. Ronald Sporseen
Lost River Electric Cooperative
WECC 3
13. Ronald Sporseen
Salmon River Electric Cooperative
WECC 3
14. Ronald Sporseen
Umatilla Electric Cooperative
WECC 3
15. Ronald Sporseen
Coos-Curry Electric Cooperative
WECC 3
16. Ronald Sporseen
West Oregon Electric Cooperative
WECC 3
17. Ronald Sporseen
Pacific Northwest Generating Cooperative WECC 3, 4, 8
18. Ronald Sporseen
Power Resources Cooperative
WECC 5
19. Ronald Sporseen
Consumers Power
WECC 1, 3
20. Steven J. Grega
Public Utility District #1 of Lewis County
Group
8.
Patricia Hervochon
2
3
4
5
6
7
8
9
10
WECC 5
PSEG Companies
X
X
Additional Member Additional Organization Region Segment Selection
1. Jeffrey Mueller
PSE&G
3
2. Kenneth Brown
PSE&G
1
3. Peter Dolan
PSEG ER&T
6
4. Eric Schmidt
PSEG ER&T
6
5. Clint Bogan
PSEG Fossil
5
6. Dominic Grasso
PSEG Fossil
5
7. Kenneth Petroff
PSEG Nuclear
5
8. Patricia Hervochon PSEG NERC Compliance
Group
9.
NA
Louis Slade
Dominion
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Lou Roeder
Electric Transmission
SERC
1, 3
2. Mike Garton
Electric Market Policy
NPCC
5, 6
3. Connie Lowe
Electric Market Policy
RFC
5, 6
4. Jack Kerr
Electric Transmission
SERC
3, 1
5. Len Sandberg
Electric Transmission
SERC
10.
Group
David Thorne
3, 1
Pepco Holdings Inc and Affiliates
X
Additional Member Additional Organization Region
1.
Mark Godfrey
11.
Group
RFC
SPP Standards Review Group
Additional Organization
SPP
1, 4
2. George Allan
Sunflower Electric Power Corporation
SPP
1
3. Michelle Corley
CLECO
SPP
1, 3, 5, 6
4. Robert Cox
Lea County Electric Cooperative
SPP
1, 3
5. Kevin Emery
Carthage Water and Electric
SPP
3
6. Denney Fales
Kansas City Power & Light
SPP
1, 3, 5, 6
7. Louis Guidry
CLECO
SPP
1, 3, 5, 6
8. Jonathan Hayes
SPP
SPP
2
9. Philip Huff
Arkansas Electric Cooperative Corporation
SPP
3, 4, 5, 6
10. Gregory McAuley
Oklahoma Gas & Electric
SPP
1, 3, 5
11. Terri Pyle
Oklahoma Municipal Power Authority
SPP
4
12. Sean Simpson
Board of Public Utilities, City of McPherson, KS SPP
1, 3, 5
13. Tay Sing
Oklahoma Municipal Power Authority
SPP
4
14. Chad Wasinger
Sunflower Electric Power Corporation
SPP
1
15. Mark Wurm
Board of Public Utilities, City of McPherson, KS SPP
1, 3, 5
16. Ron Gunderson
Nebraska Public Power District
MRO
1, 3, 5
17. Bruce Schutte
Nebraska Public Power District
MRO
1, 3, 5
18. Jeff Elting
Nebraska Public Power District
MRO
1, 3, 5
Additional Member
Marie Knox
Additional Organization
5
6
7
8
9
10
X
X
X
X
Region Segment Selection
City Utilities of Springfield, MO
Group
4
1, 3
1. John Allen
12.
3
Segment
Selection
Robert Rhodes
Additional Member
2
Midwest ISO Standards Collaborators
X
Region Segment Selection
1. Bob Thomas
Illinois Municipal Electric Agency RFC
4
2. Jim Cyrulewski
JDRJC Associates, LLC
RFC
8
3. Terry Harbour
MidAmerican
MRO
1
4. Joe O'Brien
NIPSCO
RFC
6
5. Robert Thomasson Big Rivers Electric Corp.
13.
Group
SERC
Sam Ciccone
2
3
4
5
6
7
8
9
10
1, 3
FirstEnergy
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Doug Hohlbaugh
FE
RFC
1, 3, 4, 5, 6
2. Bill Duge
FE
RFC
5
3. John Reed
FE
RFC
1
4. Jim Eckels
FE
RFC
1
5. Kevin Querry
FE
RFC
5
6. Ken Dresner
FE
RFC
5
14.
Group
Gerald Beckerle
SERC OC Standards Review Group
X
Additional Member Additional Organization Region Segment Selection
1. David Trego
Fayetteville PWC
SERC
1, 3, 4, 9
2. Melinda Montgomery Entergy
SERC
1, 3
3. Andy Burch
EEI
SERC
1, 5
4. Eugene Warnecke
Ameren
SERC
1, 3
5. Chuck Feagans
TVA
SERC
1, 3, 5, 9
6. Larry Rodriquez
Entegra Power
SERC
5, 6
7. Gary Hutson
SMEPA
SERC
1, 3, 5, 9
8. Jennifer Weber
TVA
SERC
1, 3, 5, 9
9. Doug White
NCEMC
SERC
1, 3, 5, 9
10. Shaun Anders
CWLP
SERC
1, 3, 5, 9
11. Jake Miller
Dynegy
SERC
5, 6
12. Reggie Wallace
Fayette PWC
SERC
1, 3, 4, 9
13. Dan Roethemeyer
Dynegy
SERC
5, 6
14. Alvis Lanton
SIPC
SERC
1, 3, 5, 9
15. Marc Butts
Southern
SERC
1, 3, 5
16. Robert Thomasson
BREC
SERC
1, 3, 5, 9
SERC
2
17. Srinivas kappagantula PJM
18. Barry Hardy
OMU
SERC
1, 3, 5, 9
19. Rene' Free
Santee Cooper
SERC
1, 3, 5, 9
20. Greg Matejka
CWLP
SERC
1, 3, 5, 9
SERC Reliability Corp.
SERC
10
21. John Troha
15.
Individual
Srinivas Kappagantula
PJM Interconnection LLC
16.
Individual
Cindy Martin
Southern Company
17.
Individual
Cynthia Oder
SRP
X
18.
Individual
Howard Rulf
We Energies
X
19.
Individual
Brent Ingebrigtson
LG&E and KU Energy LLC
X
20.
Individual
Silvia Parada Mitchell
Compliance & Responsibility Organization
21.
Individual
John Bee
Exelon
22.
Individual
Jennifer Wright
SDG&E
23.
Individual
Alan Gale
City of Tallahassee (TAL)
24.
Individual
Mace Hunter
Lakeland Electric
25.
Individual
Nathaniel Larson
New Harquahala Generating Co.
26.
Individual
Brian Pillittere
Tenaska
27.
Individual
Michael Johnson
APX Power Markets
2
3
4
5
6
7
8
9
10
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
28.
Individual
Jonathan Appelbaum
United Illuminating Co
29.
Individual
Kevin Koloini
American Municipal Power
30.
Individual
Daniel Duff
Liberty Electric Power LLC
X
31.
Individual
Philip Huff
Arkansas Electric Cooperative Corporation
X
32.
Individual
Joe Petaski
Manitoba Hydro
X
33.
Individual
Mike Albosta
Sweeny Cogeneration LP
34.
Individual
Thad Ness
American Electric Power
35.
Individual
Andres Lopez
USACE
36.
Individual
Nathaniel Larson
New Harquahala Generating Co.
37.
Individual
Eric Salsbury
Consumers Energy
38.
Individual
Michael Falvo
Independent Electricity System Operator
39.
Individual
Kirit Shah
Ameren
40.
Individual
Kathleen Goodman
ISO New England, Inc
41.
Individual
Deborah Schaneman
Platte River Power Authority
42.
Individual
Phil Porter
Calpine Corp
43.
Individual
Bill Keagle
BGE
2
X
3
X
4
X
5
X
6
7
8
9
10
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
44.
Individual
Kenneth A Goldsmith
Alliant Energy
45.
Individual
John Brockhan
CenterPoint Energy
46.
Individual
Martin Kaufman
ExxonMobil Research and Engineering
47.
Individual
Brenda Truhe
PPL Electric Utilities
48.
Individual
Tim Soles
Occidental Power Marketing
49.
Individual
Eric Ruskamp
Lincoln Electric System
X
50.
Individual
Linda Jacobson
Farmington Electric Utility System
X
51.
Individual
Andrew Z Pusztai
American Transmission Company
X
52.
Individual
Michelle D'Antuono
Ingleside Cogeneration LP
53.
Individual
Greg Rowland
Duke Energy
54.
Individual
Amir Hammad
Constellation Power Generation
55.
Individual
Scott Barfield-McGinnis
Georgia System Operations Corporation
56.
Individual
Max Emrick
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma Power
57.
Individual
Rex Roehl
Indeck Energy Services
58.
Individual
Patricia Robertson
BC Hydro
2
3
4
5
6
7
8
9
10
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
59.
Individual
Tony Kroskey
Brazos Electric Power Cooperative
60.
Individual
Jim Eckelkamp
Progress Energy
2
3
X
4
5
6
7
8
9
10
X
X
1. Do you agree with the revised Purpose Statement of EOP-004-2, Impact Event Reporting? If not, please explain
why not and if possible, provide an alternative that would be acceptable to you.
Summary Consideration: The majority of stakeholders agree with the purpose statement. Some commenters had concerns
with the use of the words "if known” and “industry awareness" and statements on requiring information from an analysis in the
report which may not be known at the time of the report. Comments on this being an “after the fact” report and not real-time
reporting have been addressed by a significant revision to the change in reporting times reflected in Attachment 1.
A number of commenters offered suggestions on the use of terms "situational awareness" versus "industry awareness.” The
DSR SDT used “industry awareness” to address concerns about real-time reporting (which this standard does not cover) and to
avoid confusion with the NERC Situational Awareness organization.
The purpose statement was slightly revised to remove the defined term “Impact Event” and replace with the phrase “events
with the potential to impact reliability”. No other revisions were made.
“To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of events with
the potential to impact reliability and their causes, if known, by the Responsible Entities.”
Organization
Exelon
Yes or No
No
Question 1 Comment
Although Exelon agrees that the proposed revision to the purpose statement of EOP-004-2 is better than the
original draft; the DSR SDT should consider aligning the definition with the existing OE-417 terms. "Impact
Events" are not clearly defined as reportable criteria in the DOE forms and may create confusion. Suggest
rewording the purpose statement to simply "Incident Reporting" to align with existing terminology in OE-417
and removing the addition of a new term.
A Purpose Statement is defined as “The reliability outcome achieved through compliance with the
requirements of the standard.” Propose that the purpose should be, “To require a review, assessment and
report of events that could have an adverse material impact on the Bulk Electric System.”
Response: The DSR DT thanks you for your comment.
Form OE-417 report is a DOE report that is not specifically related to BES reliability and is not
applicable outside of the United States. The standard only requires reporting of events. Analysis occurs through the NERC Events Analysis Program.
SDG&E
No
SDG&E does not agree with the revised Purpose Statement because it does not reflect the standard’s
purpose of identifying reporting requirements for impact events. SDG&E recommends the following revised
Purpose Statement:
“To identify the reporting requirements for events considered to have an impact on the reliability of the Bulk
Electric System and to allow an awareness of these Impact Events to be understood by the industry in
recognizing potential enhancements that may be made to the reliability of the BES.”
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the existing purpose statement addresses most of your suggested
rewording. The last phrase “recognizing potential enhancements that may be made to the reliability of the BES” is not in the scope of the standard or this
project.
Dominion
No
It is not evident how Impact Event reporting will “improve industry awareness“ as suggested in the Purpose
Statement. The transfer of Requirement R8 (ERO quarterly report) to the Rules of Procedure (paragraph
812) invalidates that claim within the context of this standard. Suggest removing this phrase from the Purpose
Statement.
Response: The DSR DT thanks you for your comment. The ERO will issue reports for industry awareness purposes under the Rules of Procedure. If entities
do not report events to the ERO, then these reports will not be issued.
SPP Standards Review Group
No
We would suggest changing the purpose to read “To improve industry awareness and effectiveness in
addressing risk to the BES by requiring the reporting of Impact Events and their causes, if known, by the
Responsible Entities.”
Response: The DSR DT thanks you for your comment. The DSR SDT contends that the phrase “addressing risk to the BES” applies to the analysis of events
which is not covered under the standard.
United Illuminating Co
No
UI agrees with the idea but believes the statement can be improved to remove ambiguities. For example:
“if known” can be modifying the word causes, or the word Impact events. To improve industry awareness and
the reliability of the Bulk Electric System by requiring the reporting of identified Impact Events and if known
their causes, if known, by the Responsible Entities.
Response: The DSR SDT thanks you for your comment. The words “if known” are intended to modify the word ‘causes.’ The DSR SDT has revised the existing
wording (from the clean version of the standard) to:
To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of events with the potential to impact reliability
and their causes, if known, by the Responsible Entities.
Arkansas Electric Cooperative
Corporation
No
The purpose statement reads "To improve industry awareness of the BES.” We suggest the purpose should
state "To improve industry awareness and effectiveness in addressing risks to the BES.” We feel the
remaining purpose statement is unnecessary.
Response: The DSR SDT thanks you for your comment. The DSR SDT contends that the phrase “addressing risk to the BES” applies to the analysis of events
which is not covered under the standard.
Manitoba Hydro
No
Situational Awareness was replaced by the generic “Industry awareness.” Justification for this was that
Situational Awareness was a byproduct of a successful event reporting system and not a driver.
Using Industry awareness clouds the clarity of the purpose. If personnel are properly trained and conscious of
their responsibilities, then they are in fact situationally aware, and will therefore drive the reporting process on
the detection of an Impact Event. Industry awareness falsely labels this Standard as unique to the electrical
industry when clearly many outside and international agencies will be notified and involved. Situational
Awareness seems much more appropriate and encompassing. Other than that the Purpose is a large
improvement from the original.
Response: The DSR SDT thanks you for your comment. The DSR SDT changed “situational awareness” to “industry awareness” to address concerns about real-time reporting (which this standard does not cover) and to avoid confusion with the NERC Situational Awareness organization.
Ameren
No
The original Purpose wording was clear, concise and understandable.
Response: The DSR SDT thanks you for your comment. The original purpose statement was in the form of a requirement and not a purpose statement.
ISO New England, Inc
No
The purpose states To improve industry awareness and the reliability of the Bulk Electric System by
requiring the reporting of Impact Events and their causes, if known, by the Responsible Entities. Awareness
by who in the industry?
Response: The DSR SDT thanks you for your comment. The requirements of this standard require that events be reported after-the-fact. The NERC Events
Analysis Program will take certain events reported under this standard and analyze them to provide information to the entire body of users, owners and operators
of the BES.
Calpine Corp
No
The purpose has moved significantly from the originally approved SAR. The purpose should focus on
reporting requirements for reporting electrical disturbances to the Bulk Electric System that exceed specific
thresholds. Sabotage/vandalism/theft are a subset of the reportable events that could have or do cause a
Bulk Electric System Electrical Disturbance. The Standards content should focus on setting requirements to
report specific types of electrical disturbance events and providing guidance for performing that reporting.
Alternative language: Purpose: To establish reporting requirements for events that either cause, or have the
potential to cause, significant disturbances on the Bulk Electric System.
Response: The DSR SDT thanks you for your comment. The purpose covers the EOP-004 and CIP-001 standards which include disturbance and sabotage. The
use of the word ‘events’ and the definition of the specific events to be reported (see Attachment 1) is a result of combining these two standards as well as the
drafting team’s efforts to address FERC Order 693 Directives. The proposed purpose statement does not adequately address these items.
BGE
No
BGE believes that using the term Impact Events as currently defined is too vague. An alternative statement
would be requiring the reporting of events listed in Attachment 1 and their causes, if known and making the
definition change as noted in question 2.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated the defined term “Impact Events” and uses the generic term “events” in
the purpose statement.
To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of events with the potential to impact reliability
and their causes, if known, by the Responsible Entities.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
"To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of
Impact Events and their causes, if known by the Responsible Entities.” The revised purpose statement
includes the phrase, if known. This seems like a huge loophole. They should change it to when discovered
or when notified.
Response: The DSR SDT thanks you for your comment. The intent of “if known” was to make sure that events were reported regardless of whether the cause
was known. It is important for entities to report events and to return the BES to a reliable operating state. Investigation of causes can occur at a later time.
Indeck Energy Services
No
The reporting of events does not improve the reliability of the BES. If someone takes action based on the
reporting, there might be an improvement. Because many of these events are not preventable, such as
sabotage or weather, reporting them won't improve reliability. The original Purpose was satisfactory.
Response: The DSR SDT thanks you for your comment. The requirements of this standard require that events be reported after-the-fact. The NERC Events
Analysis Program will take certain events reported under this standard and analyze them to provide information that will lead to improvements in BES reliability.
Brazos Electric Power
Cooperative
No
Instead of Impact Event could simply call it Event Information Reporting.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
Yes
We find it unnecessary to state that the purpose of a Reliability Standard is to "improve the reliability of the
Bulk Electric System."
Response: The DSR DT thanks you for your comment. The DSR SDT disagrees. This is an integral part of the purpose of reporting events.
Midwest Reliability Organization
Yes
The addition of “industry awareness” adds to the scope of this Standard. Whereby an entity is required to
inform the RC and others of actual and potential Impact Events.
Response: The DSR DT thanks you for your comment. The DSR SDT has streamlined Attachment 1 to ensure that the proper reporting is accomplished.
American Municipal Power
Yes
The purpose is acceptable. I think it could be improved and simplified. There were not any questions on the
title. Consider changing the title to Reportable Events. There were not any questions on the category. I
suggest changing the category from Emergency Operations to Communications. Reporting events can trigger
and be more than just Emergency Operations. I feel the reporting function performed by entities should be
under the Communications category. Title: Reportable Events Purpose: To improve reliability by
communicating timely information about an event or events.
Response: The DSR SDT thanks you for your comment. The DSR SDT revised the existing title of the standard to conform to the intended purpose of reporting
events. The team discussed making this a COM standard during the initial DT discussions but decided to retain the existing EOP-004 standard category and
number. This is not a real-time reporting standard but requires after the fact reporting.
Ingleside Cogeneration LP
Yes
The addition of the modifier if known to reporting the cause of an Impact Event is appropriate. It often proves
counter-productive to speculate as initial conjectures of the cause of an event are easy to come up with, but
difficult to back out of later.
Response: The DSR SDT thanks you for your comment.
Duke Energy
Yes
However, as we have noted previously, the DSR SDT statement that the proposed changes do not include
any real-time operating notifications is inconsistent with requiring notification within one hour for thirteen of the
twenty listed Events in Attachment 1 Impact Event Table. Also, in the Background discussion, under Law
Enforcement, the DSR SDT states that the objective of EOP-004-2 is to prevent outages which could lead to
Cascading by effectively reporting Impact Events. As we have previously commented, we are still required to
make real-time reports under other standards. Requiring duplicate real-time reporting under EOP-004-2 is a
waste of resources which could otherwise be used to improve reliability.
Response: The DSR SDT thanks you for your comment. We have made significant revisions to Attachment 1 and the reporting time requirements to address
the real-time reporting concern.
Constellation Power Generation
Yes
While CPG generally agrees with the purpose statement, we believe that the term Impact Events should be
removed. Please see CPGs response to Question 2 discussing the term Impact Events.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Please see responses to comments on question 2.
Georgia System Operations
Corporation
Yes
We agree with the purpose. However, we do not agree that the purpose will be achieved as this standard is
currently drafted or that the standard is ready for balloting.
Response: The DSR SDT thanks you for your comment. We have made significant revisions to the body of the standard and Attachment 1.
Northeast Power Coordinating
Council
Yes
Bonneville Power Administration
Yes
Western Electricity Coordinating
Council
Yes
PPL Supply
Yes
Pacific Northwest Small Public
Power Utility Comment Group
Yes
PSEG Companies
Yes
Pepco Holdings Inc and Affiliates
Yes
Midwest ISO Standards
Collaborators
Yes
FirstEnergy
Yes
SERC OC Standards Review
Group
Yes
PJM Interconnection LLC
Yes
Southern Company
Yes
SRP
Yes
We Energies
Yes
City of Tallahassee (TAL)
Yes
Lakeland Electric
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Liberty Electric Power LLC
Yes
Sweeny Cogeneration LP
Yes
American Electric Power
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System
Operator
Yes
Platte River Power Authority
Yes
Alliant Energy
Yes
CenterPoint Energy
Yes
ExxonMobil Research and
Engineering
Yes
PPL Electric Utilities
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
American Transmission
Company
Yes
BC Hydro
Yes
2. Do you agree with the proposed definition of Impact Event? If not, please explain why not and if possible,
provide an alternative that would be acceptable to you.
Summary Consideration: The majority of the commenters do not agree with the definition and thought the definition was
overly broad, too subjective and confusing. Many commenters questioned whether there was a need for a definition of Impact
Event at all. The DSR SDT discussed the comments and suggestions and decided to incorporate commenters’ suggestion to
delete the definition and rely on the Attachment 1 to stand on its own.
The DSR SDT has deleted the Impact Event definition.
Organization
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
Yes or No
No
Question 2 Comment
We do not think that Impact Event should be defined using a recursive definition, i.e. that the word "impact"
should be used in the definition of the term "Impact Event." Instead, we suggest using an enumerative
definition in that the tables included in Attachment 1 are themselves used to define "Impact Event." If this
definition is not acceptable, we suggest replacing the word "impact" in the definition with the word reduce,
reduced, or potential to reduce the reliability of the BES.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events for the given thresholds listed in Attachment 1.
Northeast Power Coordinating Council
No
Is there a need for this definition? By itself the term is not specific on the types of events that are regarded as
having an impact. The detailed listing of events that fall into a reportable event category, hence the basis for
the Impact Event, is provided in Attachment A. The events that are to be reported can be called anything.
Defining the term Impact Event does not serve the purpose of replacing the details in Attachment A, and such
a term is not used anywhere else in the NERC Reliability Standards. For a complete definition of Impact
Event, all the elements in Attachment A must be a part of it.
Suggest consider not defining the term Impact Event, but rather use words to stipulate the need to have a
plan, to implement the plan and to report to the appropriate entities those events listed in Attachment A.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events for the given thresholds listed in Attachment 1.
Bonneville Power Administration
Yes
Agree, but note that this will add many more situations to reporting and it will require more staff time to
accomplish this.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events for the given thresholds listed in Attachment 1.
Midwest Reliability Organization
No
The proposed definition is not supported by any of the established bright line criteria that are contained
within attachment 1. This Results Based Standard should close any loop-holes that could be read into any
section, especially the definition. According to rules of writing a definition, a definition should not contain part
of the word that is being defined. Recommend the definition be enhanced to read: Impact Event: Any
Contingency which has either affected or has the potential to affect the Stability of the BES as outlined per
attachment 1. Within this enhanced recommendation, presently defined NERC terms are used (Contingency
and Stability), thus supporting what is currently used within our industry. There is also a quantifiable aspect of
as outlined per attachment 1 that clearly defines Impact Events.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the definition is embodied in Attachment 1 criteria and needs no further
clarification. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Western Electricity Coordinating Council
No
We question the need for a defined term. It appears that an Impact Event is any event identified in Attachment
1. The use of the defined term combined with the language of Requirement 2 to implement the Impact Event
Operating Plan for Impact Events listed in Attachment 1 may be confusing. Is an Impact Event any event
described by the proposed definition or is an Impact Event any event listed in Attachment 1?
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees the definition could be confusing. We have deleted the proposed defined term
“Impact Events” and will use the generic term “event.” Reporting is only required for those events for the given thresholds listed in Attachment 1.
Dominion
Yes
Dominion agrees with the proposed definition of Impact Events, but notes the use of the phrase has the
potential to impact is somewhat subjective. The concern being a Responsible Entity makes a judgment on an
event's potential impact that is viewed differently after-the-fact by an auditor.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events for the given thresholds listed in Attachment 1.
Pepco Holdings Inc and Affiliates
No
The two sentence definition will not be adequate to serve well over the course of time. People will have to
read and understand the standard without benefit of the detailed information, explanations and interpretations
available during the standards development process. Without additional explanation as provided in the
background and the guideline and technical basis sections, to support the definition, the standard will be
subject to confusion and interpretations. Consider adding a lot of the information and explanation that is in
those sections to the standard. Any event could be an impact event. However, only a subset is reportable.
What is really being addressed are reportable events. More specifically after the fact reporting of unplanned
events.
Response: Thank you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting is only
required for those events for the given thresholds listed in Attachment 1.
Midwest ISO Standards Collaborators
No
The definition of Impact Event is overly broad because of the use of potential to impact and the Such as list.
Consider routine switching has the potential to result in a mis-operation. This means all routine switching is
an impact event. The Such as list should be struck and potential language should be struck.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
FirstEnergy
No
Although we agree with the definition of Impact Event, we believe that it should be clear that this term is
specific to the events listed in Attachment 1 of the standard. Therefore, we suggest adding the phrase (as
detailed in Attachment 1 of EOP-004-2) in the definition.
Response: Thank you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting is only
required for those events and for the given thresholds listed in Attachment 1.
SERC OC Standards Review Group
No
We believe the definition is too broad even considering Attachment 1, footnote1, which, for example, uses the
term significantly and other ambiguous terms. Consideration should be given to limiting the definition to
unplanned events.
Response: Thank you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
PJM Interconnection LLC
No
The term "Impact Event" has been too broadly defined. According to the current definition, any event
(including routine operations) can have the potential to impact the reliability of the Bulk Electric System and
hence can be an Impact Event. The definition should only include unplanned events. Attachment 1 lists the
events that are reportable. It seems that the definition of Impact Event refers to the events in Attachment 1 as
opposed to defining Impact Event. As such, it is best that the SDT not define Impact Event but use words to
the effect that requires an entity to have a plan and implement it for reporting unplanned events outlined in
Attachment 1. If Impact Event were to be defined, we suggest the following definition would be a better
option:"An Impact Event is any unplanned event listed in Attachment I that has either adversely impacted or
has the potential to adversely impact the reliability of the Bulk Electric System."
Response: Thank you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
SRP
No
Suggest that definition include reference to the fact that this is non-desired occurrence, as the word 'impact'
has neither a positive nor negative implication. This is not a well formed definition as it contains circular
references to 'impacted' and 'event' within the definition.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
We Energies
No
From an on-line dictionary, an event is something that happens. Combined with the phrase has the potential
to impact and the definition of Impact Event would include every routine operation performed by any entity.
Taking a generator on or off line, switching a transmission line in or out, traffic driving past a substation, all
have the potential to impact the BES. The Impact Event definition is overly broad and needs to be
significantly narrowed.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Compliance & Responsibility Organization
No
NextEra Energy Inc. (NextEra) appreciates the drafting team providing valuable ideas and a framework on
how to improve and consolidate CIP-001 and EOP-004. However, NextEra also believes that the currently
drafted EOP-004-2 needs to be revised and enhanced to more clearly explain the Responsible Entities’
duties, the definition of sabotage and address FERC directives and concerns.
For example, NextEra is not in favor using the term “Impact Event” which seems to add considerable
confusion of what is or is not sabotage. In Order No. 693, FERC stated its interest in NERC revising CIP-001
to better define sabotage and requiring notification to the certain appropriate federal authorities, such as the
Department of Homeland Security. FERC Order 693 at PP 461, 462, 467, 468, 471.
NextEra has provided an approach that accomplishes FERC’s objectives and remains within the framework of
the drafting team, but also focuses the process of determining and reporting only those sabotage acts that
could impact other BES systems. Today, there are too many events that are being reported as sabotage to all
parties in the Interconnection, when in reality these acts have no material effect or potential impact to other
BES systems other than the one that experienced it.
For example, while the drafting team notes the issue of copper theft is a localized act, there are other
localized acts of sabotage that are committed by an individual, and these acts pose little, if any, impact or
threat to other BES systems other than the one experiencing the sabotage event. Reporting sabotage that
has no need to be sent to everyone does not necessarily add to the security or reliability of the BES. Related,
there is a need to clarify some of the current industry confusion on who should (and has the capabilities to) be
reporting to a broader audience of entities.
Hence, NextEra's approach provides a clear definition of sabotage, as well as the process for determining and
reporting sabotage. NextEra further believes that some of the requirements can be consolidated and more
clearly stated, and NextEra has attempted to do that in the approach presented below.
Lastly, NextEra comments on Attachment 1 are submitted in response to question 17.
NextEra Approach
Delete definition of Impact Event and its use in the requirements and in Attachment 1
Delete 13, 14, 15 and 19 in Attachment 1
Delete and replace R1 through R5 with the following:
New Definition
Attempted or Actual Sabotage: an intentional act that attempts to or does destroy or damage BES equipment or a Critical Cyber
Asset for the purpose of disrupting the operations of BES equipment, Critical Cyber Asset or the BES, and
has a potential to materially threaten or impact the reliability of one or more BES systems (i.e., is one act in a
larger conspiracy to threaten the reliability of the Interconnection or other BES systems).
R1. Each Responsible Entity shall document and implement a procedure (either individually or jointly with
other Responsible Entities) to accomplish the reporting requirements, including the time frames, assigned to
the Responsible Entity as set forth in Attachment 1 items 1 through 12, 16, 17 and 18 for reporting from the
Responsible Entity to its Regional Entity and NERC, using the form in Attachment 2 or the DOE OE-417
reporting form.
R2. Each Responsible Entity shall document and implement a procedure (either individually or jointly with
other Responsible Entities) to report to its internal personnel with a need to know and its Reliability
Coordinator an act of Attempted or Actual Sabotage, using the form in Attachment 2 or the DOE OE-417
reporting form, within one hour after a determination has been made that an act of Attempted or Actual
Sabotage has occurred. To make a determination that an act of Attempted or Actual Sabotage has occurred,
the Responsible Entity shall document and implement a procedure that requires it, as soon as practicable
after discovering an act appearing to be Attempted or Actual Sabotage, to engage local law enforcement
or the Federal Bureau of Investigation or Royal Canadian Mounted Police, as deemed appropriate, to assist
the Registered Entity make such a determination. Upon receiving a report of Attempted or Actual Sabotage
from a Responsible Entity, the Reliability Coordinator shall within one hour forward the report to other
impacted Reliability Coordinators, Responsible Entities, Regional Entities, NERC, Department of Homeland
Security, and the Federal Bureau of Investigation or the Royal Canadian Mounted Police.
R3. Each Responsible Entity shall review (and conduct a test for sabotage only) of its documented procedure
required in R1 and R2 with no more than 15 calendar months between tests for sabotage reporting. If, based
on the review or test, the Responsible Entity determines there is a need to update its documented procedure,
it shall update the procedures within 90 calendar days of the review or test.
Response: Thank you for your comments and suggestions. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term
“event.” Other revisions were made to the standard based on comments received on specific requirements. The DSR SDT believes that these revisions clarify
the requirements and has provided additional details in response to comments from questions Q3, Q6, Q7, Q8, Q11, Q12, Q13, Q14 and Q17. Please see the
revised standard.
In regards to sabotage, the DSR SDT believes that the reporting of events supports the reliability of the BES. Sabotage usually is determined after the event is
investigated and sabotage may be one aspect of a single event. The intent is to report events (per Thresholds of Reporting in Attachment 1) that have an impact
on BES reliability.
The background section of the standard provides guidance with respect to reporting events to law enforcement. For clarity, the DSR SDT has
added the following sentence to the first paragraph under the heading “Law Enforcement Reporting”: “These are the types of events that
should be reported to law enforcement.” The entire paragraph is:
“The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages,
such as those due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to
law enforcement. Entities rely upon law enforcement agencies to respond to and investigate those events which have the potential to impact
a wider area of the BES. The inclusion of reporting to law enforcement enables and supports reliability principles such as protection of bulk
power systems from malicious physical or cyber attack. The Standard is intended to reduce the risk of Cascading events. The importance of
BES awareness of the threat around them is essential to the effective operation and planning to mitigate the potential risk to the BES.”
Exelon
No
The definition of impact events should be reworded to align with OE-417 and to explicitly reference that only
events identified in EOP-004 – Attachment 1 are to be reported. Suggest the following: "An incident that has
either impacted or has the potential to impact the reliability of the Bulk Electric System. Such events may be
caused by equipment failure or mis-operation, environmental conditions, or human action as defined in EOP-004 Attachment 1."
Propose the definition be changed to include material impact and read as follows; Any
event which has either caused or has the potential to cause an adverse material impact to the reliability of the
Bulk Electric System. Such events may be caused by equipment failure or mis-operation, environmental
conditions, or human action.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events and for the given thresholds listed in Attachment 1.
City of Tallahassee (TAL)
No
While I agree with the overall concept, I am concerned with “or has the potential to impact.” While the
standard makes reference to Attachment 1 Parts A and B, the inclusion of the attachment is not in the
definition. This leaves ambiguity in the definition that could enable second guessing by auditors.
Proposed: “An impact event is any event that has either impacted or has the potential to impact (above the
thresholds described in EOP-004-2 Attachment 1) the reliability of the Bulk Electric System. Such events may
be caused by equipment failure or mis-operation, environmental conditions, or human action.”
Response: Thank you for your comments. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
American Electric Power
No
The definition is too broad and vague. The text in the comment form has the following sentence Only the
events identified in EOP-004 Attachment 1 are required to be reported under this Standard. The definition
should contain that caveat or something similar.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
USACE
No
1) You cannot use the terms impact and event to define impact event.
2) The phrase “has the potential to impact” makes the definition too vague. Every action taken to modify the
system or its components has the potential to impact the Bulk Electric System.
3) Recommend to change the definition to “Any occurrence which has adversely affected the reliability of the
Bulk Electric System. Such events may be caused by equipment failure or mis-operation, environmental
conditions, or human action.”
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Consumers Energy
No
The definition of Impact Event seems very vague and nebulous. This definition should be modified to be clear
and concise, such that entities clearly understand what is included within the definition.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Ameren
No
The documentation from the SDT included the reliability objective for EOP-004-2 which should be included in
the definition of Impact Event. Our suggested alternate definition for Impact Event:
"An Impact Event is any event that has either caused, or has the likely potential to cause, an outage which
could lead to Cascading. Such events will be identified as being caused by, to the best of the reporting entity's
information: (1) equipment failure or equipment mis-operation, (2) environmental conditions, and/or (3) human
actions."
This alternate wording includes the reliability objective and clarifies the three known, or likely, causes of the
Impact Event.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
ISO New England, Inc
No
We question the need for this definition since by itself the term is not specific on the types of events that are
regarded as having an impact. The detailed listing of events that fall into a reportable event category, hence
the basis for the Impact Event, is provided in Attachment A. For that matter, these events that are to be
reported can be called anything, or just simply be titled “Event to be Reported” without having to define them.
Defining the term Impact Event does not serve the purpose of replacing the details in Attachment A, and such
a term is not used anywhere else in the NERC reliability standards. In fact, for the term Impact Event to be
fully defined, all the elements in Attachment A must become a part of it.
We therefore suggest the SDT to consider not defining the term Impact Event, but rather use words to
stipulate the need to have a plan, to implement the plan and to report to the appropriate entities those events
listed in Attachment A. If the SDT still wishes to retain a definition despite our reservations noted above, we
strongly suggest an improvement. The proposed definition of Impact Event is overly broad because of the
use of “potential to impact” and the “Such as” list. Consider that routine switching has the potential to result in
a mis-operation. In that regard most routine switching could be interpreted as an impact event. The “Such as”
list should be struck and “potential” language should be struck.
An alternative definition to consider:
An Impact Event is any deliberate action designed to reduce BES reliability; unintended accident that could
result in an Adverse Reliability Impact; or an unusual natural event that causes or could cause an Adverse
Reliability Impact.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Calpine Corp
No
Adding a definition for Impact Event is unnecessary and does not provide useful clarification of the actual
reporting requirement for events that either impact the Bulk Electric System or have the potential to impact the
Bulk Electric System. The all-encompassing nature of the proposed definition seems to conflict with the finite
listing of events that actually require reporting. Although FERC specifically requested additional clarification of
the term sabotage to clarify reporting requirements, the Drafting Team is correct in noting that sabotage
implies intent and that the intent of human acts is not always easily determined. The fact that intent is not
always determinable within the reporting timeframe can be dealt with more simply by requiring (in attachment
1) that human intrusions that have not been identified within the reporting timeframe as theft or vandalism
should be reported as potential sabotage pending further clarification. This approach negates the need for an
additional definition that may cause confusion regarding which events are reportable and eliminates the
potential for under-reporting based on the assumption that the cause might be theft or vandalism.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
BGE
No
Change the definition of “Impact Event”, to add the following phrase to the definition “Any event (listed in
Attachment 1) which has either….” Also, the phrase “…or has the potential to impact the reliability…” is too
vague and broad. Such broad statement is unhelpful in clarifying entities’ compliance obligation and
potentially creates conflicted reporting between entities. A clear statement of how the reliability is affected
should be used, i.e., results in contingency emergency situation or IROL.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Alliant Energy
No
The proposed definition is not supported by any of the established bright line criteria that are contained within
attachment 1. This Results Based Standard should close any loop-holes that could be read into any section,
especially the definition. We recommend the definition be enhanced to read: Impact Event: Any Contingency
which has either affected or has the potential to affect the Stability of the BES as outlined per attachment 1.
Within this enhanced recommendation, presently defined NERC terms are used (Contingency and Stability),
thus supporting what is currently used within our industry. There is also a quantifiable aspect of as outlined per
attachment 1 that clearly defines Impact Events.
If the above definition is not adopted, we believe it should be rephrased to narrow the scope to those events
that result from malicious intent or human negligence/error.
We are concerned that by using phrases like unintentional or intentional human action in combination with
damage or destruction basically means everything except copper theft becomes a reportable impact event
(including planned actions we must perform to comply with CIP-007 R7).
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
CenterPoint Energy
No
CenterPoint Energy suggests that the phrase “…or has the potential to impact…” be deleted as it makes the
definition vague and broad. Similar issues encountered in trying to define sabotage may resurface, such as
varying definitions or interpretations of “potential.” If this standard is to support after-the-fact reporting, the
focus should be on actual events, not potential situations or events. Effective and efficient prevention would
come from analysis of actual events. Resources and reporting could become overwhelmed upon having to
consider “potential.” All references to “potential” should be removed from the standard, guidance, and
attachments.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
ExxonMobil Research and Engineering
No
The use of the word potential is ominous.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Occidental Power Marketing
No
The SDT includes in the definition the "potential to impact the reliability of the BES." This seems vague,
although Attachment 1 clarifies what actually has to be reported. An LSE may have limited or no knowledge
of "potential to impact." The SDT may want to refine the definition, e.g., "to the extent the entities' knowledge
could reasonably reveal the impact."
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Lincoln Electric System
No
As currently drafted, the proposed definition of Impact Event appears vague and provides entities minimal
clarity in terms of distinguishing events of significance. Recommend the drafting team reference Attachment 1:
Impact Events Tables within the definition to direct industry towards more specific criteria.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
American Transmission Company
No
ATC does not agree with the proposed definition and further disagrees whether a definition is needed at all.
Proposed Definition: The definition, read outside of the proposed standard, does not provide Registered
Entities with a clear meaning of the purpose of the definition. It is ATC's opinion that the SDT is using the
term Impact Event as an introduction phrase to Attachment 1. ATC would be more comfortable if the
definition was dropped and the team would re-write the requirement to specifically point to Attachment 1. It is
our opinion that this type of structure would achieve the goal of the team to get Registered Entities to report
on events identified in Attachment 1. The other option is for the team to write into the definition that the events
being discussed are limited to those identified in Attachment 1. Also the language currently being used in the
definition includes potential and such as. These terms should be struck from the definition.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Ingleside Cogeneration LP
No
The SDT includes in the definition the potential to impact the reliability of the BES. This seems vague,
although ultimately the events which meet the threshold of a reportable Impact Event are governed by the
tables under Attachment 1. We believe that there should be close, if not perfect, synchronization between the
ERO's Event Analysis Process and Attachment 1 since they share the same ultimate goal as EOP-004-2 to
improve industry awareness and BES reliability.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Duke Energy
No
The phrase “…or has the potential to impact…” makes this an impossibly broad definition, and demonstrating
compliance will not be straightforward.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Constellation Power Generation
No
The currently proposed definition is vague and can be easily misinterpreted. Coining a term to define the
events that the DSR SDT hopes to capture in EOP-004-2 is a difficult task, one that may not be necessary.
Replacing the term Impact Events with events in Attachment 1, would eliminate the need to define such a
term.
In addition, the phrase or has the potential to impact the reliability is too vague and broad. Such broad
statement is unhelpful in clarifying entities' compliance obligation and potentially creates conflicted reporting
between entities. The language in the reporting requirements should be limited to real impact events, while
information sharing on near miss or deficiency incidents should be handled as good industry practices and not
subject to onerous compliance obligations.
The drafting team should also give careful consideration to the existing reporting and information sharing
currently in place in the industry. When an event occurs, partners in the electric sector are notified as part of
existing requirements outside of NERC compliance.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Georgia System Operations
Corporation
No
It is not clear for the purposes of complying with this standard what it means to impact reliability. Impact in
what way. To what degree. Do not define this term. An alternative would be to define it as those events listed
in Appendix 1.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Indeck Energy Services
No
It's not a definition. It needs some quantification, such as, a Reportable Disturbance (NERC glossary), a
reportable event under DOE OE-417, sabotage or bomb threat. Defining it as having or potentially having an
impact is no definition. What is an impact? It needs to be quantified or auditors will have license to define it
any way that they want. It shouldn't be a NERC Glossary definition if its only use is in EOP-004. Within EOP-004, it can be defined as anything in Attachment 1.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Progress Energy
No
Progress Energy appreciates the Standard Drafting Team's work on this project. Any potential impact is too
vague and impossible to measure. Progress is unsure of how the ERO or Regional Entity measure impact.
Potential is very subjective.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Brazos Electric Power
Cooperative
No
Southern Company
Yes
There is concern that the proposed definition for Impact Event does not allow for prudent judgment and
preliminary situational assessment by the entity to declare a Potential Impact Event (especially threats) as
non-credible. The thresholds for reporting established in Attachment 1 – Part A provide a somewhat definitive
bright line with regard to those events identified in Part A, but for some of the events in Part B there should be
allowance for an assessment by the entity to reasonably determine whether the event poses a credible threat
to the reliability of the BES. This is attempted in the footnote to the Forced Intrusion event in Attachment 1 –
Part B, but we think this allowance for entity assessment and prudent judgment needs to apply more
pervasively, perhaps by including the term credible in the definition of Impact Event or at least by adding the
term credible wherever the term physical threat is used.
Response: Thank you for your comments. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.” The word
“credible” could lead to many interpretations as well. Reporting is only required for those events and for the given thresholds listed in Attachment 1.
American Municipal Power
Yes
The definition of Impact Event is acceptable and an improvement. I feel it could be improved and simplified
further. Consider changing Impact Event to a “reportable event.”
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events and for the given thresholds listed in Attachment 1.
Liberty Electric Power LLC
Yes
I am interpreting the phrase "has the potential" to exclude events which had the potential, but did not impact
the BES. An example would be a generation trip - if the trip had happened during a system emergency it
could have affected the BES, but since it happened under normal conditions there is no reporting
responsibility. Some assurance on this interpretation would be appreciated.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events and for the given thresholds listed in Attachment 1.
Manitoba Hydro
Yes
“Disturbance” has a unique and traditional meaning in the electrical industry, basically meaning “a notable
electrical event causing an imbalance of load and generation.” Attempting to include the many scenarios
that can affect reliability blurred the current vision of “Disturbance” and the addition of “unusual occurrences”
just added to the confusion. It never seemed appropriate to submit an unusual occurrence on a “Disturbance
Report.” “Impact Event” is very encompassing and then detailed specifically in Attachment 1.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Independent Electricity System
Operator
Yes
We do not have any issue with the wording of the definition, but question the need for this definition since by
itself the term is not specific on the types of events that are regarded as having an “impact.” The detailed
listing of events that fall into a reportable event category, hence the basis for the Impact Event, is provided in
Attachment A. For that matter, these events that are to be reported can be called anything. Defining the term
Impact Event does not serve the purpose of replacing the details in Attachment A, and such a term is not
used anywhere else in the NERC reliability standards. In fact, for the term Impact Event to be fully defined, all
the elements in Attachment A must become a part of it.
We therefore suggest the SDT to consider not defining the term Impact Event, but rather use words to
stipulate the need to have a plan, to implement the plan and to report to the appropriate entities those events
listed in Attachment A.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
PPL Electric Utilities
Yes
PPL EU agrees with the definition. We would like to point out that our interpretation of the definition excludes
maintenance work. Our interpretation also concludes that maintenance work that does not go as planned or
goes awry and impacts the reliability of the BES would be an impact event and reported as required per
Attachment 1.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
SDG&E
Yes
PPL Supply
Yes
PSEG Companies
Yes
SPP Standards Review Group
Yes
Lakeland Electric
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
Arkansas Electric Cooperative
Corporation
Yes
Sweeny Cogeneration LP
Yes
New Harquahala Generating Co.
Yes
Platte River Power Authority
Yes
Farmington Electric Utility System
Yes
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
BC Hydro
Yes
Response: Thank you for your response. Most commenters who responded to this question disagreed with the proposed definition and some suggested that the
definition is not needed. In response, the drafting team has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
3. Do you agree that the DSR SDT has provided an equally efficient and effective solution to the FERC Order 693
directive to “further define sabotage”? If not, please explain why not and if possible, provide an alternative
that would be acceptable to you.
Summary Consideration: Most stakeholders agreed that the drafting team addressed the directive to further define
sabotage. Commenters generally agreed that the DSR SDT approach in the currently proposed solution effectively addresses
FERC Order 693 directive. The approach clarifies the triggering event for an entity to take action and, by deleting all references
to "sabotage," in effect removes the very term that had no clear definition.
Organization
Yes or No
Question 3 Comment
Pepco Holdings Inc and Affiliates
No
See #2. Without the explanation contained in background information, over time those that have not been
involved with this standard development will struggle with how to interpret the code words of
non-environmental and intentional human action.
Response: The DSR DT thanks you for your comment. This is a Results-based standard and the format includes all of the information, with the exception of the
Rationale boxes, through the ballot and filing of the standard. The background section of the proposed standard will be retained with the standard for future
reference.
Midwest ISO Standards
Collaborators
No
In general, we agree that the standard drafting team has provided an equally efficient and effective
alternative, but we wonder if the SDT has not in essence already defined sabotage in their description for why
they can't define sabotage. It seems that sabotage involves willful intent to destroy equipment. In general,
intent would have to be determined by an investigation of law enforcement. This could be part of the
definition. There might be some obvious acts that could be included without investigation such as detonation
of a bomb. Is it possible for the SDT to use the DOE definition for sabotage? We encourage the SDT to
provide a definition for sabotage.
Response: The DSR DT thanks you for your comment. The DSR SDT believes that the reporting of events supports the reliability of the BES. Sabotage usually
is determined after the event is investigated and that sabotage may be one aspect of a single event. The intent is to report (per Thresholds of Reporting in
Attachment 1) events that have an impact on BES reliability. The background section of the standard provides guidance with respect to reporting events to law
enforcement. For clarity, the DSR SDT has added the following sentence to the first paragraph under the heading “Law Enforcement Reporting”: “These are the
types of events that should be reported to law enforcement.” The entire paragraph is:
“The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages, such as those
due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to law enforcement. Entities rely
upon law enforcement agencies to respond to and investigate those events which have the potential to impact a wider area of the BES. The inclusion of reporting
to law enforcement enables and supports reliability principles such as protection of bulk power systems from malicious physical or cyber attack. The Standard is
intended to reduce the risk of Cascading events. The importance of BES awareness of the threat around them is essential to the effective operation and planning
to mitigate the potential risk to the BES.”
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Response: The DSR DT thanks you for your comment. Please see the DSR DT response above for question number 2.
Sweeny Cogeneration LP
No
The threshold for reporting what could be sabotage still leaves the door open for second guessing after-the-fact. For example, if graffiti is sprayed on a BES asset, the entity is to assume that the event is not to be
reported. However, intent to harm the BES may be discovered at a later point with ramifications to the entity
who did not report it.
A solution may be to strengthen footnote 3 to both reporting tables, which makes an allowance to report if you
cannot reasonably determine likely motivation of sabotage. If acceptable methods to provide justifiable
evidence that reporting was NOT required, then this loophole may be corrected.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the reporting of events supports the reliability of the BES. Sabotage usually
is determined after the event is investigated and that Sabotage may be one aspect of a single event. The intent is to report events (per Thresholds of Reporting
in Attachment 1) that have an impact on BES reliability. Attachment 1 has been updated per comments received.
USACE
No
The DSR SDT should have defined sabotage since it helps the SDT working on CIP standards further define
its action. Sabotage can be defined as the deliberate act of destruction, disruption, or damage of assets to
impact the reliability of the BES.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the reporting of events supports the reliability of the BES. Sabotage usually
is determined after the event is investigated and that Sabotage may be one aspect of a single event. The intent is to report events (in Attachment 1) that have
an impact on BES reliability. Attachment 1 has been updated per comments received.
Consumers Energy
No
EOP-004 does not appear to address a reliability need. Reporting after-the-fact information such as that
described in Impact Events does not do anything to improve Bulk Electric System reliability. Therefore, we
recommend that CIP-001 be updated to address sabotage events, and that NERC otherwise rely on the
statutory reporting to the DOE that is represented by OE-417 for any after-the-fact information. The
remainder of our comments reflects detailed comments on the posted draft, presuming that our objection
represented above will be disregarded.
Response: The DSR SDT thanks you for your comment. Providing event reporting information will start the event analysis process done by the current NERC
Event Analysis Program. EOP-004-2 is the reporting vehicle to the ERO that will support the analysis phase of any event.
Ameren
No
The SDT did not further define sabotage as directed by FERC, but instead created a new term that does not
address the order. The Term Impact Event has no clarity or quantitative qualities by which an entity can
determine what should be reported. The use of the phrase "has the potential to impact reliability" has such a
vague scope, an auditor can interpret to mean any "off-normal" condition, which makes this standard
impossible to comply with. The SDT should use the DOE definition of sabotage as follows:
Sabotage - Defined by Department of Energy (DOE) as:
An actual or suspected physical or Cyber attack that could impact electric power system adequacy or
reliability
Vandalism that targets components of any security system on the Bulk Electric System
Actual or suspected Cyber or communications attacks that could impact electric power system
adequacy or vulnerability, including ancillary systems which support networks (e.g. batteries)
Any other event which needs to be reported by the Balancing Authority (Transmission Operations) to
the Department of Energy. Sabotage can be the work of a single saboteur, a disgruntled employee or a
group of individuals.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the reporting of events supports the reliability of the BES. Sabotage usually
is determined after the event is investigated and that Sabotage may be one aspect of a single event. The intent is to report events (per Thresholds of Reporting
in Attachment 1) that have an impact on BES reliability. Attachment 1 has been updated per comments received. EOP-004-2 sets the minimum reporting
requirements for events.
Calpine Corp
No
The additional definition for “Impact Event” is unnecessary and does not provide useful clarification regarding
actual reporting requirements. Sabotage, whatever the exact definition used, implies intent to damage or
disrupt. The committee correctly notes that determination of actual intent is not always readily available.
However, adding a general expansive definition encompasses all events that might disrupt the Bulk Electric
System does not add clarity to the types of events that require reporting - which are listed in detail in
Attachment 1. The issue can be more simply addressed by replacing the item “Human Intrusion” on
Attachment 1, as follows:
Event: Sabotage (note 3) Entity with Reporting Responsibility: All affected Responsible Entities listed
in the Applicability Section of this Standard.
Threshold for Reporting: Forced Intrusions at a BES facility that have not been determined within the
reporting period to be theft or vandalism that does not affect the operability of BES equipment.
Note 3 For purposes of reporting under Attachment 1, reportable sabotage includes all forced intrusions at
BES facilities that have potential to cause, or cause, any of the disturbance events listed in Attachment 1 and
have not been determined to be theft or vandalism that did not result in any event listed in Attachment 1.
Responsible Entities are not required to report incidents of theft or vandalism that do not result in disturbance
events. This approach also eliminates the need to reference copper theft as a particular type of theft that does
not require reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term
“event.” Attachment 1 has been updated per comments received. The DSR SDT believes that the reporting of events supports the reliability of the BES.
Sabotage usually is determined after the event is investigated and that Sabotage may be one aspect of a single event. The intent is to report events (per
Thresholds of Reporting in Attachment 1) that have an impact on BES reliability. Footnotes have been updated per comments received.
CenterPoint Energy
No
CenterPoint Energy would agree if the definition for Impact Event was changed as suggested in the response
to Question 2.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term
“event.” Attachment 1 has been updated per comments received. The DSR SDT believes that the reporting of events supports the reliability of the BES.
Duke Energy
No
Sabotage is still identified on the flowchart. Timeframes for reporting on Attachment 1 should be made
consistent with DOE OE-417 reporting. Also on Attachment 1, the Threshold for Reporting on a Forced
Intrusion Event should be Affecting BES reliability instead of At a BES facility.
Response: The DSR SDT thanks you for your comment. The DSR SDT has updated the flowchart. The DOE Form OE-417 is reviewed biennially by the DOE
and can be updated or changed without NERC’s involvement. The DSR SDT has taken into consideration the possible use of Form OE-417 to report events to
NERC and agrees that this will fulfill EOP-004-2’s reporting requirements. The DSR SDT has removed sabotage from the flowchart and has replaced it with:
“Criminal act under federal jurisdiction.”
Indeck Energy Services
No
The SDT hasn't defined sabotage. Attachment 1 does not do justice to the concept of sabotage. Sabotage
should be defined as any intentional damage to BES facilities that causes a Reportable Disturbance,
reportable event under DOE OE-417 or involves a bomb or bomb threat.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the reporting of events supports the reliability of the BES. The intent is to
report events (per Thresholds of Reporting in Attachment 1) that have an impact on BES reliability. Sabotage usually is determined after the event is investigated
and that Sabotage may be one aspect of a single event. The DOE Form OE-417 is reviewed biennially by the DOE and can be updated or changed without
NERC’s involvement. The DSR SDT has taken into consideration the possible use of Form OE-417 to report events to NERC and agrees that this will fulfill EOP-004-2’s reporting requirements.
Exelon
Yes
Exelon agrees with the DSR SDT in that the currently proposed solution effectively addresses the intent of
FERC Order 693 directive to both clarify the triggering event for an entity to take action and by deleting all
references to "sabotage" in effect removes the very term that had no clear definition.
Response: Thank you for your comment.
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
Yes
We agree with the approach taken by the SDT.
Northeast Power Coordinating
Council
Yes
It is more important to report suspicious events than to determine if an event is caused by sabotage before it
gets reported.
Midwest Reliability Organization
Yes
Sabotage is usually associated with a malicious attack. Entities have always lacked the clinical expertise to
determine if an event was malicious or not. The Impact Event bright line criteria clearly states what the
minimum reporting requirements are.
Manitoba Hydro
Yes
“Impact event”, The DSR SDT reasoning for this. “A sabotage event can only be typically determined by law
enforcement after the fact” is very creative and concise!
Response: The DSR SDT thanks you for your comment.
Independent Electricity System
Operator
Yes
We agree since it is more important to report suspicious events than to determine if an event is caused by
sabotage before it gets reported.
Response: The DSR SDT thanks you for your comment.
ISO New England, Inc
Yes
We agree since it is more important to report suspicious events than to determine if an event is caused by
sabotage before it gets reported.
Ingleside Cogeneration LP
Yes
Sabotage cannot be confirmed until after the fact, so we support this initiative.
Bonneville Power Administration
Yes
Western Electricity Coordinating
Council
Yes
PPL Supply
Yes
PSEG Companies
Yes
Dominion
Yes
SPP Standards Review Group
Yes
FirstEnergy
Yes
SERC OC Standards Review
Group
Yes
PJM Interconnection LLC
Yes
Southern Company
Yes
SRP
Yes
We Energies
Yes
SDG&E
Yes
City of Tallahassee (TAL)
Yes
Lakeland Electric
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
American Municipal Power
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
American Electric Power
Yes
New Harquahala Generating Co.
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
ExxonMobil Research and
Engineering
Yes
Question 3 Comment
Well done.
No comments.
PPL Electric Utilities
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility
System
Yes
American Transmission
Company
Yes
Constellation Power Generation
Yes
Georgia System Operations
Corporation
Yes
City of Tacoma, Department of
Public Utilities, Light Division,
dba Tacoma Power
Yes
Brazos Electric Power
Cooperative
Yes
Question 3 Comment
None.
Response: The DSR SDT thanks you for your response. Several commenters proposed revisions to the definition, and after deliberation the SDT has deleted the
proposed defined term “Impact Events” and will use the generic term “event”. Attachment 1 has been updated per comments received. The DSR SDT believes
that the reporting of events supports the reliability of the BES.
4. Do you agree with the proposed applicability of EOP-004-2 shown in Section 4 and Attachment 1 of the
standard? If not, please explain why not and if possible, provide an alternative that would be acceptable to
you.
Summary Consideration: The SDT believes that it has properly identified registered entities that may potentially have events
and the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in
Attachment 1 if the registered entity was affected by the event. If an event occurs, only affected Registered Entities listed in
Attachment 1 are required to submit a report on the event. The SDT believes that the industry will gain valuable information
from having different perspectives of a single event. Differing viewpoints on the same event will provide for better clarity to all
parties on the actual impact to the bulk electric system. The SDT would like to point out that reporting of events is from the
time of identification not the time of the event. In response to the comments received, the SDT has made numerous
enhancements to Attachment 1. These revisions include:
• Added new column “Submit Attachment 2 or DOE OE-417 Report to:” which references Part 1.3 and provides the time required to submit the report.
• Combined Parts A and B into one table and reorganized it so that the events are listed in order of reporting times (either one hour or 24 hours).
• Removed references to “Impact Event” and replaced with the specific language for the event type in the “Entity with Reporting Responsibility”. For example, replaced “Impact Event” with “automatic load shedding”.
The ERO and the RE were added as applicable entities to reflect CIP-002 applicability to this standard.
Organization
Yes or No
Question 4 Comment
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
No
We do not believe that GO, TO, TSP, DP, or LSE should be included in the applicability of this standard. It is
our opinion that the reporting requirements lie primarily with the applicable operator and should be limited as
such. We recommend modifications as discussed in our response to question 6 to clearly define what types
of events each Responsible Entity needs to prepare for. Currently, it seems that multiple entities are being
required to report the same event for some events where only one entity should have a reporting
responsibility. However, NERC should not decide which one entity should report a given event.
The entities should have the flexibility to create a process which allows for coordination and communication at
a local level and to work out with neighboring entities who might ultimately report events to the applicable
organizations.
Response: Thank you for your comments. The SDT disagrees that the operators are the only entities with obligations to report; owners and users may have
very credible and valuable information relating to events. Such information may be extremely beneficial in developing lessons learned and analyzing events.
Your suggestion to allow for local coordination and communication is a practical suggestion and the standard allows for it.
Northeast Power Coordinating
Council
No
Disagree with the following inclusion/exclusion of several entities:
a. The applicable entities listed in Section 4 capture all the entities that are assigned a reporting responsibility
in Attachment 1 of the standard. While some events in Attachment 1 have specific entities identified as
responsible for reporting, certain events refer to the entities listed in specific standards (e.g. CIP-002) as the
responsible entities for reporting. The latter results in IA, TSP and LSE (none of which being specifically
identified as having a reporting responsibility) being included in the Applicability Section. NERC should be
included in the Applicability Section as it is an applicable entity identified in CIP-002-3.
b. If the above approach was not strictly followed, then suggest the SDT review the need to include IA, TSP
and LSE since they generally do not own any Critical Assets and hence will likely not own any Critical Cyber
Assets.
Response: The DSR SDT thanks you for your comment. The SDT believes it needs to follow the requirements of the standards as they currently apply. Since
these entities are applicable to the underlying standards identified in Attachment 1, then they will be subject to reporting. If those standards are modified to
remove the applicability to these functional registrations, then the appropriate SDT can modify the applicability of this standard. The SDT has reviewed the CIP-002-3 standard and has included the ERO and the RE in this standard.
Pacific Northwest Small Public
Power Utility Comment Group
No
We believe that facilities used in the local distribution of electric energy should be excluded from these
requirements due to the language of 16 U.S.C. § 824o(a)(1) and 16 U.S.C. § 824o(i)(1).
Response: The DSR SDT thanks you for your comment. The SDT constructed Attachment 1 based upon the existing requirements in the various reliability
standards and established reporting obligations. The information about events and the analysis of those events will be useful to all owners, operators, and users
of the bulk power system. The SDT has clarified the reporting requirement such that only those affected by the event are required to submit a report.
PSEG Companies
No
The PSEG Companies believe the defining language, roles and responsibilities outlined in Attachment 1 are
unclear and inconsistent. For example fuel supply emergency reporting footnote 2 “Report if problems with
the fuel supply chain result in the projected need for emergency actions to manage reliability” attempts to
clarify the condition for reporting but does not. Whose “emergency actions” are being referred to in the
footnote? It is not clear if those actions would be related to the specific station or the overall Bulk Electric
System (BES). Can this be interpreted to imply a gas supply issue to one generating station as the result of
pipeline maintenance, or local pressure issues would also require reporting? The PSEG Companies believe
the definition of a fuel supply emergency needs to be more specific and less open to broad interpretation.
In addition, the “Time to Submit Report” section of attachment 1 has a significant number of changes from the
previous version. Accelerating the twenty four (24) hour to one (1) hour requirement for submitting the reports
for several of the events takes resources away from managing the actual event. For the above comments
failure to submit a report within 1 hour is a high or severe VSL for a fuel supply emergency. This approach
seems inconsistent with ensuring the operation and reliability of the BES. One (1) hour reporting, in most
cases, is not adequate time to compile the needed information, prepare report, ensure the accuracy, submit,
and simultaneously manage the actual event. We recommend 24 hour reporting for: Damage or destruction to
BES, Fuel Supply Emergency, Forced Intrusion, and Risk to BES equipment sections of Attachment 1.
Response: The DSR SDT thanks you for your comment. The SDT appreciates the observation on Fuel Supply Emergency and has adjusted Attachment 1 to
address it. Reporting under the standard requires that the Registered Entity provide what information it has at the time of the report. The report may not
provide the entire record or identification of the event. If the Registered Entity desires to submit an updated report, it may choose to do so; but there is no
obligation to do so.
The DSR SDT has significantly revised Attachment 1. We have removed the timing column and replaced it with more specific information regarding which form to
submit and to whom the report is to be submitted. All events are now to be reported within 24 hours with the exception of Destruction of BES equipment,
Damage or destruction of Critical Assets and Damage or destruction of Critical Cyber Asset events, Forced Intrusion, Risk to BES equipment and Detection of a
reportable Cyber Security Incident. These events are to be reported within 1 hour. Notification of law enforcement (per Requirement R1, Part 1.3.2) is only
required for these events. The background section of the standard provides guidance with respect to reporting events to law enforcement. For clarity, the DSR
SDT has added the following sentence to the first paragraph under the heading “Law Enforcement Reporting”: “These are the types of events that should be
reported to law enforcement.” The entire paragraph is:
“The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages,
such as those due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to law enforcement.
Entities rely upon law enforcement agencies to respond to and investigate those events which have the potential to impact a wider area of the BES. The inclusion
of reporting to law enforcement enables and supports reliability principles such as protection of bulk power systems from malicious physical or cyber attack. The
Standard is intended to reduce the risk of Cascading events. The importance of BES awareness of the threat around them is essential to the effective operation
and planning to mitigate the potential risk to the BES.”
Dominion
No
1) Several of the events require filing a written Impact Event report within one hour. System Separation, for
example, is going to require an “all hands on deck” response to the actual event. We note that the paragraph
above Attachment 1, Part A indicates that a verbal report would be allowed in certain circumstances, but this
is the same issue with the formal report in that the system operators are concerned with managing the event
and not the reporting requirements. Another example would be the Loss of Off-site power to a nuclear
generating plant. Suggest reconsideration of one hour reporting requirement for events requiring extensive
operator actions to mitigate;
2) Several events seem to have the “Threshold for Reporting” contained in footnotes rather than in the table.
(For example, Damage or destruction of BES equipment - Footnote 1, Fuel supply emergency - Footnote 2,
etc.) Suggest moving the actual threshold into the table;
3) If one hour reporting remains as indicated in Attachment 1; align/rename events similar to that of the
‘criteria for filing’ events listed in DOE OE-417 for consistency.
Response: Thank you for your comment. Reporting under the standard requires that the Registered Entity provide what information it has at the time of the
report. The report may not provide the entire record or identification of the event. If the Registered Entity desires to submit an updated report, it may choose to
do so; but there is no obligation to do so. Based upon comments received, the SDT has updated the time reporting requirements in Attachment 1. Most events
are to be reported within 24 hours. The DSR SDT has retained a one-hour reporting requirement for those events the DSR SDT believes are the types of event
that would be typically reported to law enforcement and are of a more urgent nature.
SPP Standards Review Group
No
While the SDT has recognized the issue of applicability to GO/TO in its background information with the
Unofficial Comment Form, we still do not feel comfortable with the GO/TO being listed as a responsible entity
when in fact it may be days before they become aware of an event worthy of reporting. If the GOP/TOP
makes the report, are the GO/TO still responsible for filing a report? If the GOP/TOP do not file the report,
would the GO/TO then be non-compliant? This issue appears to put additional risk on the GO/TO over which
they have no control. We need some mechanism to eliminate unnecessary risk while at the same time
ensuring that we have coverage for the BES. Perhaps this could be done through delegation agreements
between the entities involved or through allowances within the standard itself. For example, could the phrase
“appropriate parties in the Interconnection” as currently contained in CIP-001-1, R2 be incorporated into the
standard to basically replace GO/TO?
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. If an event occurs, only affected Registered Entities listed in Attachment 1 are required to submit a report on the event. Having reports
from different entities for the same event may provide a more complete understanding of the event.
FirstEnergy
No
1. Attachment 1, Part A - Energy Emergency requiring Public appeal for load reduction - In the current draft
Standard, the applicability has been revised from an RC and BA to "initiating entity.” We can’t see where
the GO/GOP would ever make this determination. Needs to be clarified.
2. Attachment 1, Part A - Energy Emergency requiring system-wide voltage reduction - In the current draft
Standard, the applicability has been revised from an RC, TO, TOP, and DP to "initiating entity.” We can’t
see where the GO/GOP would ever make this determination. Needs to be clarified.
3. Attachment 1, Part A - Voltage Deviations on BES facilities - A GOP may not be able to make the
determination of a +/- 10% voltage deviation for ≥ 15 continuous minutes, this should be a TOP RC
function only.
4. Attachment 1, Part A - Loss of offsite power (LOOP) classification should not apply to nuclear generators.
The impact of a LOOP is dependent on the design of the specific nuclear unit and may not necessarily
result in a unit trip. If a LOOP did result in a unit trip, the NRC requires notification by the nuclear
GO/GOP via the Emergency Notification System (ENS), and time allowed for that notification (1 hour, 4
hours, 8 hour, or none at all) is, as mentioned above, dependent on the design of the plant. We believe it
would be beneficial if consideration were given to coordinating reporting requirements for nuclear units
with existing required notifications to the NRC to avoid duplication of effort.
5. Attachment 1 should align NERC Standard NUC-001 concerning the importance of ensuring nuclear
plant safe operation and shutdown. If a transmission entity experiences an event that causes a loss of
off-site power as defined in the nuclear generator’s Nuclear Plant Interface Requirements, then the
responsible transmission entity should report the event within 24 hours after occurrence. Also, for clarity
"grid supply" should be replaced with "source" to ensure that notification occurs on a loss of one or
multiple sources to a nuclear power plant.
6. Attachment 1, Part A - Damage or destruction of BES equipment. See Nuclear comments on question
17 below.
7. Attachment 1, Part B - Forced intrusion at a BES facility. See Nuclear comments on question 17 below.
8. Attachment 1, Part B - Risk to BES equipment from a non-environmental physical threat. What
constitutes a "risk" to the reporting entity is still somewhat ambiguous, and although the DSR SDT has
provided some examples, without more specific criteria for this event the affected entity will have difficulty
in determining within 1 hour if a report is necessary. Also, see Nuclear comments on question 17 below.
Response: The DSR SDT thanks you for your comment. As a general note, the Applicability section of the standard includes each entity that will be responsible
for reporting an event. Attachment 1 has a column “Entity with Reporting Responsibility” to indicate the appropriate entity that is required to report under this
standard. For items 1-3 above, the GO or GOP will not be the likely deficient or initiating entity. This will most likely be the BA, TOP or the RC. For item 4, the
LOOP event is to be reported by the TO and TOP, not the nuclear plant. For item 5, the TO and TOP are to report within 24 hours. The DSR discussed using
“source”, however this indicates a single source whereas “supply” encompasses all sources. For items 6, 7 and 8, please see response to Question 17 comments.
SERC OC Standards Review
Group
No
We agree that all of the entities listed should be responsible for reporting an event, provided they own BES
assets, but guidance should be given for which entity in Attachment 1 actually files the report to avoid
duplication for a single event.
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. If an event occurs, only affected Registered Entities listed in Attachment 1 are required to submit a report on the event. Having reports
from the different entities may provide valuable information on understanding the event.
PJM Interconnection LLC
Yes
1. We agree that the entities listed should be responsible for ensuring events are reported, provided they own
BES assets, but more guidance should be provided on which entity in Attachment 1 should actually file the
report to avoid multiple entities reporting a single event. Current Attachment 1 results in significant duplicate
reporting.
2. Although the applicable entities listed in Section 4 capture all entities that are assigned a reporting
responsibility in Attachment 1, some events in Attachment 1 refer to entities applicable under a different
standard (e.g. CIP-002) as the responsible entities for reporting. This results in IA, TSP, and LSE (none of
which, generally own Critical Assets and hence not likely own CCAs) as being responsible for reporting an
event. We urge the SDT review the need to include IA, TSP, and LSE in applicable entities. Also, why is
NERC an applicable entity in CIP-002-3 but not in this standard?
Response: Thank you for your comments. 1. The “Entity with Reporting Responsibility” column of Attachment 1 indicates who is responsible for submitting
reports for each event type. It is expected that multiple reports will be received for the same event. Each entity experiencing the event may see something
different. This reporting will allow for a more robust analysis process after the fact. 2. The IA, TSP and LSE are included as applicable entities for EOP-004 only
because they are applicable under CIP-002. The only events that these entities are required to report are related to cyber assets. The ERO and the RE were
added as applicable entities for consistency with CIP-002.
SRP
No
The threshold for Reporting is broad, vague and repetitive. "Three or more BES Transmission Elements" is
vague and could be interpreted as 3 breakers in a large system.
Response: The DSR SDT thanks you for your comment. Based upon comments received, the SDT has modified Attachment 1 accordingly.
We Energies
No
Attachment 1: From the NERC Glossary, an Energy Emergency: A condition when a Load-Serving Entity has
exhausted all other options and can no longer provide its customers’ expected energy requirements. The first
four events listed can only apply to an LSE.
Loss of Firm Load for >15 Minutes: By the NERC Glossary definitions of DP and LSE, the LSE would seem
to be more appropriate than the DP.
With the proposed one-hour reporting requirement, the industry would be undertaking significant regulatory
risk with respect to timely reporting. The requirement to report the crime-based events in the field within one
hour, as shown in Attachment 1 Part A or Part B will be difficult. We could even discover a theft in progress
with the suspect trapped inside the substation fence and the police attempting to make a safe arrest. We
need more reporting time, especially when they have not even resulted in an outage.
The industry is keenly interested in understanding the benefit of taking on the risk. What analysis, insight,
warnings or recommendations would the ES-ISAC provide to the reporting entity, the industry or to law
enforcement agencies in the hours after such an incident is reported? Note too that DOE requires reporting
of a physical attack within one hour only when it “causes a major interruption or major negative impact on
critical infrastructure facilities or to operations.” In lesser cases, the entity gets up to six hours if it “impacts
electric power system reliability.” DOE has said that it is not interested in copper theft unless it causes one of
these events. If the SDT is working to ensure consistency of reporting requirements, please consider DOE
requirements too. Meeting the reporting deadline will mean that available resources in the control center will
be devoted to ensuring the report is filed on time instead of making the site safe and arranging for prompt
repair. It may even mean that law enforcement won’t be contacted until the forms are filed with the ES-ISAC.
The exception contained in footnote #1 of Attachment 1 with respect to copper theft is not an exception at all.
The majority of copper theft from substations is, in fact, such grounding connectors which may or may not
render the protective relaying inoperative. You could end up receiving reports from all over the USA, Canada
and Mexico, mostly on Monday mornings as weekend copper thefts are discovered. Attachment 1 Part A
table also contains redundancies. One of the cells reads, “Damage or Destruction of Critical Asset.” One
cannot destroy something without damaging it first. Consequently, it is sufficient to simply say, “Damage to a
Critical Asset.” Apply to all cells with the same phrase.
Response: Thank you for your comments. Only Registered Entities affected by the event have to submit a report. Entities that were not affected by the event
are under no obligation to submit a report. Registered Entities are to report what information they have at the submission timeline. The SDT recognizes that a
final report may not be possible at the submission time. The reporting requirements are consistent with the current reporting requirements of the various
authorities. The one hour reporting times are listed as “one hour within recognition of an event”. This should be sufficient to allow the reporting entity time to
submit the report after the event has been recognized. Based upon comments received from many stakeholders, the SDT has modified Attachment 1. The
background section of the standard provides guidance with respect to reporting events to law enforcement. For clarity, the DSR SDT has added the following
sentence to the first paragraph under the heading “Law Enforcement Reporting”: “These are the types of events that should be reported to law enforcement.”
The entire paragraph is:
“The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages,
such as those due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to law enforcement.
Entities rely upon law enforcement agencies to respond to and investigate those events which have the potential to impact a wider area of the BES. The inclusion
of reporting to law enforcement enables and supports reliability principles such as protection of bulk power systems from malicious physical or cyber attack. The
Standard is intended to reduce the risk of Cascading events. The importance of BES awareness of the threat around them is essential to the effective operation
and planning to mitigate the potential risk to the BES.”
Exelon
No
Remove LSE. As has been determined in previous filings, FERC has ruled that asset owning DP’s must be
registered as LSE’s. The standard as proposed is applicable to DP’s. This addresses any concern with a
“reliability gap” for reporting events that could have an adverse material impact to the BES. See FERC Docket
RC-07-4-003, -6-003, -7-003 paragraphs 24 and 25. “The Commission approves … revisions to the Registry
Criteria to have registered distribution providers also register as the LSE for all load directly connected to their
distribution facilities… The registration of the distribution provider as the LSE for all load directly connected to
its distribution facilities is for the purpose of compliance with the Reliability Standards. As NERC explains,
distribution providers have both the infrastructure and access to information to enable them to comply with the
Reliability Standards that apply to LSEs… The Commission finds that, based on these facts, NERC acted
reasonably in determining that the distribution provider is the most appropriate entity to register as the LSE for
the load directly connected to its distribution facilities.”
Attachment 1, Part A – Energy Emergency requiring Public appeal for load reduction – In the current draft
Standard, the applicability has been revised from an RC and BA to "initiating entity.” As a GO/GOP, I cannot
see any event where a GO/GOP would be the responsible "initiating entity" or have the ability to determine an
"Energy Emergency.” Suggest revising back to specific entities that would be likely responsible for this action
(e.g., RC, BA, TOP). Attachment 1, Part A – Energy Emergency requiring system-wide voltage reduction – In
the current draft Standard, the applicability has been revised from an RC, TO, TOP, and DP to "initiating
entity.” As a GO/GOP, I cannot see any event where a GO/GOP would be the responsible "initiating entity" or
have the ability to determine an "Energy Emergency" related to system-wide voltage reduction. Suggest
revising back to specific entities that would be likely responsible for this action. Attachment 1, Part A –
Voltage Deviations on BES facilities - A GOP may not be able to make the determination of a +/- 10% voltage
deviation for ≥ 15 continuous minutes, this should be a TOP RC function only. Attachment 1,
Part A – Loss of off-site power (grid supply) affecting a nuclear generating station – this event applicability
should be removed in its entirety for a Nuclear Plant Generator Operator. The impact of loss of off-site power
on a nuclear generation unit is dependent on the specific plant design, if it is a partial loss of off-site power
(per the plant specific NPIRs) and may not result in a loss of generation (i.e., unit trip). If a loss of off-site
power were to result in a unit trip, an Emergency Notification System (ENS) would be required to the Nuclear
Regulatory Commission (NRC). Depending on the unit design, the notification to the NRC may be 1 hour, 8
hours or none at all. Consideration should be given to coordinating such reporting with existing required
notifications to the NRC as to not duplicate effort or add unnecessary burden on the part of a Nuclear Plant
Generator Operator during a potential transient on the unit. In addition, if the loss of off-site power were to
result in a unit trip, if the impact to the BES were ≥2,000 MW, then required notifications would be made in
accordance with the threshold for reporting for Attachment 1, Part A – Generation Loss. However, to align
with the importance of ensuring nuclear plant safe operation and shutdown as implemented in NERC
Standard NUC-001, if a transmission entity experiences an event that causes an unplanned loss of off-site
power (source) as defined in the applicable Nuclear Plant Interface Requirements, then the responsible
transmission entity should report the event within 24 hours after occurrence. In addition, replace the words
"grid supply" to "source" to ensure that notification occurs on an unplanned loss of one or multiple sources to
a nuclear power plant. Suggest rewording as follows (including replacing the words "grid supply" to "source"
and adding in the word "unplanned" to eliminate unnecessary reporting of planned maintenance activities in
the table below):
Event: Unplanned loss of off-site power to a Nuclear generating plant (source) as defined in the applicable Nuclear Plant Interface Requirements (NPIRs)
Entity with Reporting Responsibility: Each transmission entity responsible for providing services related to NPIRs (e.g., RC, BA, TO, TOP, TO, GO, GOP) that experiences the event causing an unplanned loss of off-site power (source)
Threshold for Reporting: Unplanned loss of off-site power (source) to a Nuclear Power Plant as defined in the applicable NPIRs.
Time to Submit Report: Within 24 hours after occurrence
Response: Thank you for your comments. The SDT constructed Attachment 1 based upon the existing requirements in the various reliability standards and
established reporting obligations. The LSE is an applicable entity under CIP-002 and CIP-008. The types of events that you list are not applicable to a GO/GOP.
The Applicability section of the standard lists each entity that is applicable for some portion of the standard. The information in Attachment 1 specifies which
entity must report for which type of event. The loss of off-site power is only applicable to the TO and TOP and not the nuclear plant operator.
SDG&E
No
SDG&E recommends that “Load Serving Entity,” “Transmission Service Provider,” and “Interchange Authority”
be removed from the proposed applicability shown in Section 4. These entities do not own assets that could
have an impact on the Bulk Electric System. Additionally, none of these entities is listed as an “Entity with
Reporting Responsibility” in Attachment 1. Finally, “Transmission Service Provider” is covered by either
“Transmission Owner” or “Balancing Authority,” which are entities also listed in the proposed Applicability
section, and “Load Service Entity” and “Interchange Authority” are covered by “Balancing Authority.”
Response: Thank you for your comments. The SDT constructed Attachment 1 based upon the existing requirements in the various reliability standards and
established reporting obligations. The LSE, TSP and IC are applicable entities under CIP-002 and CIP-008.
United Illuminating Co
No
Will an entity be required to develop an Operating Process for every Impact Event in Attachment 1, or only
those events that apply to its Registration? For example, does a DP require evidence of an Operating
Process/Procedure for Voltage Deviations on a BES Facility? Some items in Attachment 1 state “Each RC,
BA, TOP, DP that experiences the Impact Event” (such as Loss of Firm Load). DP’s may have arranged with
TOP and RC to communicate the event to TOP who then will file the NERC report and OE-417. The
requirements in the Standard would allow for this as long as the Operating Plan documents it. Attachment 1
though can be interpreted that this arrangement would not be allowed and each entity shall file its own and
separate report. UI suggests that Attachment 1 be modified to allow for an Entity's Operating Plan to rely on
another Entity making the final communication to NERC. “Each RC, BA, TOP, DP that experiences the Impact
Event, either individually or combined on a single filing”
Response: The DSR SDT thanks you for your comment. The SDT believes that it is not necessary to develop a separate Operating Process for each event,
unless the company requires it. The SDT feels that any Registered Entity affected by an event needs to submit a report. The SDT believes that the Registered
Entity can utilize any resource it has available to complete the reporting obligations and does not believe that Attachment 1 inhibits any options from being used.
Based upon comments received, the SDT has decided to remove the definition of Impact Event from the standard and leave as identified through Attachment 1.
American Municipal Power
No
No, I do not agree. The DP and LSE functions should be removed.
Response: The DSR SDT thanks you for your comment. The SDT constructed Attachment based upon the existing requirements in the various reliability
standards and established reporting obligations. This information will be useful to all owners, operators, and users of the bulk power system. The DP and LSE
are applicable entities under CIP-002 and CIP-008.
Sweeny Cogeneration LP
No
In Attachment 1, Generator Operators who experience a ± 10% sustained voltage deviation for ≥ 15
continuous must issue a report. For externally driven events, the GOP will have little if any knowledge of the
cause or remedies taken to address it. We believe the language presently in EOP-004-1 is satisfactory that
any “action taken by a Generator Operator” that results in a voltage deviation has to be reported by the GOP.
Response: Thank you for your comment. Reporting of events is an obligation of affected Registered Entities. Registered Entities who do not experience an
event do not have any reporting obligations.
Independent Electricity System
Operator
No
We disagree with the following inclusion/exclusion of several entities:
a. We assess that the applicable entities listed in Section 4 capture all the entities that are assigned a
reporting responsibility in Attachment 1 of the standard. While some events in Attachment 1 have specific
entities identified as responsible for reporting, certain events refer to the entities listed in specific standards
(e.g. CIP-002) as the responsible entities for reporting. The latter results in IA, TSP and LSE (none of which
being specifically identified as having a reporting responsibility) being included in the Applicability Section. If
our reasoning is correct, we question why NERC was dropped from the Applicability Section as it is an
applicable entity identified in CIP-002-3.
b. If the above approach was not strictly followed, then we’d suggest the SDT review the need to include IA,
TSP and LSE since they generally do not own any Critical Assets and hence will likely not own any Critical
Cyber Assets.
Response: The DSR SDT thanks you for your comment. The SDT believes it needs to follow the requirements of the standards as they currently apply. Since
these entities are applicable to the underlying standards identified in Attachment 1, they will be subject to reporting. If those standards are modified to remove
the applicability to these functional registrations, then the appropriate SDT can modify the applicability of this standard. The SDT has reviewed the CIP-002-3
standard and has added the ERO and the RE as applicable entities. If an IA, TSP or LSE does not own Critical Assets nor Critical Cyber Assets, then they will
have nothing to report under this standard.
Ameren
No
The 1 hour reporting requirement, as referenced in Attachment 1 is inappropriate. In the event an "Impact
Event" were to be discovered the Responsible Entity should focus on public and personnel safety. The
reporting requirement should read "Within 1 hour or as soon as conditions are deemed to be safe." This
statement would be applicable to "Damage or destruction of Critical Asset". The SDT should not put
personnel in the position of choosing to either comply with NERC or address public or co-worker safety. The
Time to Submit Report states "within 1 hour after occurrence is identified". This gives an auditor a wide area
to question. If personnel report the occurrence 1 hour after identified, but 24 hours after it occurred, we are
subject to the personal beliefs of the auditor that the event was not identified 24 hours ago, and reported 24
hours late. This will also be difficult to measure as the operator will have to document in the plant log the time
the event was identified, while possibly dealing with Emergency Conditions. In the Note above the Actual
Reliability Impact Table, the SDT identifies that under certain conditions, NERC / RRO staff may not be
available for continuous 24 hour reporting. The SDT should consider the same stipulations apply to operating
personnel and they should not be held to a higher standard than NERC / RRO.
Response: Thank you for your comment. The reporting timelines for most events have been changed from 1 hour to 24 hours. The events that retain the one
hour requirement are those that are more closely related to sabotage type events. The DSR SDT chose the wording “upon identification of an event” to allow for
cases where an event may not be recognized for some time due to an asset being in a remote location for example. It is expected that an auditor will follow what
is written in the standard rather than their personal preference. In the note above Attachment 1, it does not state that the ERO may not be available. This note is
related to R3.3 of EOP-004-1 and provides for delayed reporting by an entity during storms or other such instances.
ISO New England, Inc
No
We disagree with the following inclusion/exclusion of several entities:
a. We acknowledge that the applicable entities listed in Section 4 capture all the entities that are assigned a
reporting responsibility in Attachment 1 of the standard. While some events in Attachment 1 have specific
entities identified as responsible for reporting, certain events refer to the entities listed in specific standards
(e.g. CIP-002) as the responsible entities for reporting. The latter results in IA, TSP and LSE (none of which
being specifically identified as having a reporting responsibility) being included in the Applicability Section. If
our reasoning is correct, we question why NERC was dropped from the Applicability Section as it is an
applicable entity identified in CIP-002-3.
b. If the above approach was not strictly followed, then we’d suggest the SDT review the need to include IA,
TSP and LSE since they generally do not own any Critical Assets and hence will likely not own any Critical
Cyber Assets.
c. There is still significant duplicate reporting included. For instance, why do both the RC and TOP to report
voltage deviations? As written, a voltage deviation on the BES would require both to report. The same would
hold true for IROLs. Perhaps IROLs should only be reported by the RC to be consistent with the recently
FERC approved Interconnection Reliability Operating Limit standards.
Response: The DSR SDT thanks you for your comment. (a) The SDT believes it needs to follow the requirements of the standards as they currently apply.
Since these entities are applicable to the underlying standards identified in Attachment 1, then they will be subject to reporting. If those standards are modified
to remove the applicability to these functional registrations, then the appropriate SDT can modify the applicability of this standard. The SDT has reviewed the
CIP-002-3 standard and has added the ERO and the RE as applicable entities. (b) The IA, TSP and LSE are included in the Applicability only as it relates to CIP-002 events listed in the table. (c) The DSR SDT has removed the RC from “Voltage Deviations” and the TOP from the IROL to address the comment.
Calpine Corp
No
Expanding the current applicability of CIP-001-1 and EOP-004-1 to the GO function is unnecessary and will
result in numerous duplicate reports, self-certifications, spot checks, and audits reviews, with no benefit to the
reliability of the Bulk Electric System. The GOP is the appropriate applicable entity for generation facilities.
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. If an event occurs, only affected Registered Entities listed in Attachment 1 are required to submit a report on the event. Having reports
from the different entities may provide valuable information on understanding the event. The SDT would like to point out that reporting of events is from the
time of identification not the time of the event.
Occidental Power Marketing
No
Load Serving Entities that do not own or operate BES assets (or assets that support the BES) should not be
included in the Applicability. The SDT includes LSEs based on CIP-002; however, if the LSE does not have
any BES assets (or assets that support the BES), CIP-002 should also not be applicable because the LSE
could not have any Critical Assets or Critical Cyber Assets. It is understood that the SDT is trying to comply
with FERC Order 693, Sections 460 and 461; however, Section 461 also states: "Further, when addressing
such applicability issues, the ERO should consider whether separate, less burdensome requirements for
smaller entities may be appropriate to address these concerns." A qualifier in the Applicability of EOP-004-2
that would include only LSEs that own, operate or control BES assets (or assets that support the BES) would
seem appropriate and acceptable to FERC.
Response: The DSR SDT thanks you for your comment. The SDT believes it needs to follow the requirements of the standards as they currently apply. Since
these entities are applicable to the underlying standards identified in Attachment 1, then they will be subject to reporting. The LSE is an applicable entity under
CIP-002 and CIP-008. If those standards are modified to remove the applicability to these functional registrations, then the appropriate SDT can modify the
applicability of this standard.
American Transmission
Company
No
First, under Part A, the reporting requirement for three or more BES Transmission Elements will create
confusion. The NERC definition for an Element is: “Any electrical device with terminals that may be
connected to other electrical devices such as a generator, transformer, circuit breaker, bus section, or
transmission line. An element may be comprised of one or more components.” This could be interpreted to
be three potential transformers on a bus section; therefore, any bus section would require a report. It is
suggested that this be reworded to indicate three or more BES transmission lines, bus sections, or
transformers.
Second, under Part A, the reporting requirement for “Damage or destruction of BES equipment” is too broad
and needs to be modified. For example, an output contact on a relay could be damaged unintentionally
during routine testing resulting in a reportable event. It is suggested that the list of BES equipment and full
intent of this be further defined in the footnote. The intent needs to be clarified, such as “events that have an
immediate and significant impact to the stability or reliability of the BES.”
Third, under Part A, the reporting requirement for “Damage or destruction of a Critical Cyber Asset” is too
broad and needs to be modified. For example, an output contact on a relay could be damaged unintentionally
during routine testing resulting in a reportable event.
Response: Thank you for your comments. (1) The event “Transmission Loss” has been modified to remove the word Element. This now refers to Facilities. 2.
If damage to a contact on a relay poses a reliability threat, then it should be reported. There is a footnote for this type of event that helps clarify what is
expected to be reported. It states:
1 BES equipment that: i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency
actions); iii) Damaged or destroyed due to intentional or unintentional human action which removes the BES equipment from service. Do not report copper theft
from BES equipment unless it degrades the ability of equipment to operate correctly (e.g., removal of grounding straps rendering protective relaying inoperative).
3. This relates only to Critical Cyber Assets identified under CIP-002. If a relay contact is identified under CIP-002 as a Critical Cyber Asset, then its damage or
destruction should be reported.
Ingleside Cogeneration LP
No
Owners and operators of facilities whose total removal from the BES would not meet any reportable threshold
under Attachment 1 should not have to create and maintain Operating documents. The same would be true
of any LSE, TSP, or IA that does not oversee any Critical Cyber Assets as identified under CIP-002. A
statement to that effect could be made in Section 4 of EOP-004-2.
Response: Thank you for your comments. Requirements under Standards can only be enforced against Registered Entities, not whether or not they own or
operate certain types of assets. The SDT believes it needs to follow the requirements of the standards as they currently apply. Since these entities are applicable
to the underlying standards identified in Attachment 1, then they will be subject to reporting. If those standards are modified to remove the applicability to these
functional registrations, then the appropriate SDT can modify the applicability of this standard.
Duke Energy
No
Section 4 is fine, but on Attachment 1, Entity with Reporting Responsibility should just identify “Initiating entity”
for every Event, as was done with the first three Events. That way you avoid errors in leaving an entity off, or
including an entity incorrectly (as was done with the GOP on Voltage Deviations).
Response: Thank you for your comment. The SDT considered your comment in the development of Attachment 1 and decided against including the Initiating Entity
designation as it was not appropriate in those cases. Based upon comments received, the SDT has modified Attachment 1 accordingly.
Constellation Power Generation
No
As stated in comments to earlier versions of EOP-004-2, CPG disagrees with the inclusion of Generator
Owners. Since one of the goals in revising this standard is to streamline impact event reporting obligations,
Generator Operators are the appropriate entity to manage event reporting as the entity most aware of events
should they arise. At times, the information required to complete a report may warrant input from entities
connected to generation, but the generator operator remains the best entity to fulfill the reporting obligation.
Response: Thank you for your comment. The SDT has chosen not to distinguish between Registered Entities as far as reporting. Instead the SDT has included
Registered Entities which are involved or potentially involved in the types of events. Registered Entities need to recognize that only entities that are affected by
the event have the reporting obligation.
Georgia System Operations
Corporation
No
We do not agree that this standard assigns clear responsibility for reporting. It seems that multiple entities are
being required to report the same event for some events. Only one entity should report. See comments later
regarding Attachment 1. NERC should not decide which ONE entity should report. The entities should be
allowed to decide this (and include it in the Impact Event Operating Plan) and to let NERC or the region know
who will report (or give them a copy of the plan).
Response: Thank you for your comment. The SDT has chosen not to distinguish between Registered Entities as far as reporting. Instead the SDT has included
Registered Entities which are involved or potentially involved in the types of events. Registered Entities need to recognize that only entities that are affected by
the event have the reporting obligation.
Indeck Energy Services
No
Voltage Deviations should not be reportable by GOP. That's why we have TOP's.
Damage or destruction of BES equipment should be reportable only if it causes or could cause a Reportable
Disturbance, reportable DOE OE-417 event or sabotage (as defined above). Otherwise, an auditor could
require reporting of a relay failure caused by human error even though the relay was in test mode and no BES
impact was experienced. This category could be dropped in favor of the next one, damage to Critical Asset.
Fuel Supply Emergency needs a definition. For natural gas, various conditions could be referred to as
emergencies, but unless they actually affect generation, they should not need to be reported. Fuel Supply
Emergencies that cause a Reportable Disturbance or reportable DOE OE-417 event should be reported.
It is unclear why Forced Intrusion should be reportable under EOP-004. If it causes a problem, it will be
reportable as another category and is one more unpreventable event. Forced Intrusion isn't, in many cases,
as the exceptions try to define, an impact event at all, but could be a cause, which would be reported as the
cause of an impact event.
Risk to BES Equipment is not well defined. It should be expanded to Risk to BES Equipment from a non-environmental physical threat within a reasonable distance of the Equipment. A train derailment on the line
past the plant would likely be known, whereas one that was 1/2 mile or more away with flammable materials
might not be known about unless a public warning was made.
Response: The DSR SDT thanks you for your comment. Voltage Deviation reporting no longer applies to the GOP. There is a footnote on Damage or
Destruction to BES equipment that addresses your comment. It states:
1 BES equipment that: i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency actions); iii)
Damaged or destroyed due to intentional or unintentional human action which removes the BES equipment from service. Do not report copper theft from BES equipment unless
it degrades the ability of equipment to operate correctly (e.g., removal of grounding straps rendering protective relaying inoperative).
Fuel Supply Emergency has been removed from Attachment 1. Forced Intrusion is an event that could be related to sabotage. Identification and reporting of such
events may help identify trends. The footnote associated with Risk to BES Equipment addresses your comment:
Examples include a train derailment adjacent to BES equipment that either could have damaged the equipment directly or has the potential to damage the equipment (e.g. flammable
or toxic cargo that could pose fire hazard or could cause evacuation of a BES facility control center) and report of suspicious device near BES equipment.
Brazos Electric Power
Cooperative
No
Inclusion of LSE and DP is questionable.
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. The LSE and DP are applicable entities under CIP-002 and CIP-008. If an event occurs, only affected Registered Entities listed in
Attachment 1 are required to submit a report on the event. Having reports from the different entities may provide valuable information on understanding the
event. The SDT would like to point out that reporting of events is from the time of identification not the time of the event.
Manitoba Hydro
Yes
All registered entities are included. This means all field and office personnel involved will create a 360 degree
view of the BES, and fulfill “Situational awareness of the industry.” In Attachment 1, the “Entity with Reporting
Responsibility” entities vary. It might be clearer to leave all impact levels “Entity with Reporting Responsibility”
as the RC, BA and TOP, as these are likely the only parties that will report as required. All other entities must
report to the RC, BA and TOP.
Response: Thank you for your comment. The SDT had previously considered a hierarchal approach to report; however, this concept was rejected by the
industry.
American Electric Power
Yes
AEP agrees, but it further supports the notion that this standard should not apply to the IA, TSP, and LSE
functions.
Response: The DSR SDT thanks you for your comment. The SDT constructed Attachment based upon the existing requirements in the various reliability
standards and established reporting obligations. The LSE, TSP and IC are applicable entities under CIP-002 and CIP-008. The information about an event will be
useful to all owners, operators, and users of the bulk power system.
Southern Company
Yes
This will cause the duplication of reporting for some events.
Reference EOP-004 Attachment 1: Impact Events Table; Event - Loss of Firm Load for ≥ 15 minutes (page 15
of standard)
This requires the RC, BA, TOP, and DP to report. So if a storm front goes through our system and takes out
400MW of load in Alabama and Georgia the PCC would have to report as the RC, BA, and TOP. Alabama
Power and Georgia Power would also have to report as DPs. The way it is now the PCC reports for any of
these events.
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. If an event occurs, only affected Registered Entities listed in Attachment 1 are required to submit a report on the event. Having reports
from the different entities for the same event may provide a more complete understanding of the event.
Pepco Holdings Inc and Affiliates
Yes
More guidance is needed for which entity in Attachment 1 actually files the report to avoid duplicate filing.
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. If an event occurs, only affected Registered Entities listed in Attachment 1 are required to submit a report on the event. Having reports
from different entities for the same event may provide a more complete understanding of the event.
Midwest ISO Standards
Collaborators
Yes
Bonneville Power Administration
Yes
Midwest Reliability Organization
Yes
Western Electricity Coordinating
Council
Yes
PPL Supply
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
No comments.
ExxonMobil Research and
Engineering
Yes
PPL Electric Utilities
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
Progress Energy
Yes
Response: The DSR SDT thanks you for your comment. Several commenters provided suggestions that led to modifications of Attachment 1.
5. Stakeholders suggested removing original Requirements 1, 7 and 8 from the standard and addressing the
reliability concepts in the NERC Rules of Procedure. Do you agree with the removal of original requirements 1,
7 and 8 (which were assigned to the ERO) and the proposed language for the Rules of Procedure (Paragraph
812)? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
Summary Consideration: Most commenters agreed with the removal of R1, R7 and R8. The SDT has provided suggested
language to NERC for inclusion into the Rules of Procedure.
Organization
Yes or No
Question 5 Comment
Midwest ISO Standards
Collaborators
No
We see no issue with imposing requirements on NERC. However, we are not opposed to making these
changes in the Rules of Procedure either.
Response: Thank you for your comments. We are pursuing changes to the Rules of Procedure.
SERC OC Standards Review
Group
No
We agree that the ERO should not have requirements applicable to them, but disagree with changing or
revising the Rules of Procedure (ROP) giving this reporting responsibility solely to NERC. This responsibility
may be performed by NERC but other learning organizations should also be considered for performing this
responsibility. In addition, the proposed wording of the revision to the ROP appears to place the responsibility
of notifying the appropriate law enforcement with NERC rather than with the local responsible entity.
Response: Thank you for your comments. The responsibility for notifying law enforcement remains with the entity and has been clarified in Attachment 1.
PJM Interconnection LLC
No
We agree that the standard should not have requirements applicable to the ERO, but disagree with revising
the NERC Rules of Procedure (RoP) to include suggested Section 812. The reporting responsibility should
not be solely given to NERC. Other learning organizations must also be considered for performing this
responsibility. Additionally, the proposed wording of Section 812 appears to imply that NERC will notify the
appropriate law enforcement agencies as opposed to the local responsible entity.
Response: Thank you for your comments. The responsibility for notifying law enforcement remains with the entity and has been clarified in Attachment 1.
SDG&E
No
SDG&E agrees with removing original Requirements 1, 7, 8 from the standard. In addition, SDG&E
recommends that the standard reference Section 812 of the Rules of Procedure.
Response: Thank you for your comments.
Duke Energy
No
Proposed language for Section 812 is very confusing. Is the NERC “system” really going to perform all
notifications: “applicable regional entities, other designated registered entities, and to appropriate
governmental, law enforcement, and regulatory agencies as necessary?” Is it intended that the NERC
“system” will relieve registered entities of the obligation to make these other reports? Is there an
implementation plan to achieve that objective? It appears that this current version of EOP-004-2 has the
potential for significantly creating redundant reporting. Will the NERC reports be protected from FOIA
disclosure? How will FERC Order 630 be followed (CEII disclosure)?
Response: Thank you for your comments. The SDT expects any system would facilitate the reporting to organizations specified in the submitted report. Until
such time that the system can be established, the Registered Entity will be obligated to make the notifications as specified in its Operating Plan(s). The SDT has
proposed an amendment to the NERC Rules of Procedure to assist in the development of a single reporting process for all three obligations.
ExxonMobil Research and
Engineering
No
Brazos Electric Power
Cooperative
No
Ingleside Cogeneration LP
Yes
Abstain from commenting on this question.
Ingleside Cogeneration agrees that the NERC Rules of Procedure are the appropriate location for ERO
assigned activities. However, we would like to get a solid commitment from NERC that the Events Analysis
Process and the Reliability Assessment and Performance Analysis Group (RAPA) data analysis requirements
for Protection System Misoperations is coordinated through a single process. Their unique data needs are
understandable, but should not require the downstream entity to evaluate what is required by each subcommittee - and which reporting template to use.
Response: Thank you for your comments. Your comment addresses a concern that is beyond the scope of this project and cannot be addressed here. The SDT
has communicated with the NERC Events Analysis Working Group and DOE in efforts to develop a single reporting process. The SDT will continue to work with
those organizations to complete this task.
Northeast Power Coordinating
Council
Yes
Agree with the proposed removal, but have not assessed the proposed language for RoP para. 812 because
unable to access it (not on the RoP page).
Response: Thank you for your comments.
Bonneville Power Administration
Yes
Ensure distribution of trends.
Response: Thank you for your comments.
Midwest Reliability Organization
Yes
The ERO is not a user, owner or operator of the BES and the best place to contain their responsibilities, is in
the Rules of Procedure.
Response: Thank you for your comments.
Pepco Holdings Inc and Affiliates
Yes
Agree that NERC should not have requirements applicable to them.
Response: Thank you for your comments.
American Municipal Power
Yes
A software solution may provide an easy expansion for reporting EOP-004, CIP-001, and additional
standards.
Response: Thank you for your comments.
Manitoba Hydro
Yes
Agree with R1, a central system for receiving and distributing reports. There is limited time and resources for
control operators to follow up and ensure ALL required entities have received all information required in a
timely manner. Agree with R7 and R8.
Response: Thank you for your comments.
Sweeny Cogeneration LP
Yes
We agree that these requirements appropriately belong in the NERC Rules of Procedure. However, we are
concerned with the multiple reporting requirements being driven by EOP-004-2, CIP-008-3, the ERO Events
Analysis Team, the Reliability Assessment and Performance Analysis Group (RAPA). It is imperative that
these efforts be consolidated into a single procedure using a single reporting template.
Response: Thank you for your comments. The DSR SDT agrees with the concept of the single reporting template and is working with other agencies to see if the
single form would be achievable.
Western Electricity Coordinating
Council
Yes
PPL Supply
Yes
Pacific Northwest Small Public
Power Utility Comment Group
Yes
PSEG Companies
Yes
Dominion
Yes
SPP Standards Review Group
Yes
FirstEnergy
Yes
Southern Company
Yes
SRP
Yes
We Energies
Yes
Compliance & Responsibility
Organization
Yes
Exelon
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
American Electric Power
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System
Operator
Yes
ISO New England, Inc
Yes
Platte River Power Authority
Yes
Calpine Corp
Yes
BGE
Yes
Alliant Energy
Yes
CenterPoint Energy
Yes
PPL Electric Utilities
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
American Transmission
Company
Yes
No comments.
Constellation Power Generation
Yes
Georgia System Operations
Corporation
Yes
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
Indeck Energy Services
Yes
Progress Energy
Yes
None.
6. Do you agree with the proposed revisions to Requirement 2 (now R1) including the use of defined terms
Operating Plan, Operating Process and Operating Procedure? If not, please explain why not and if possible,
provide an alternative that would be acceptable to you.
Summary Consideration: Stakeholders were fairly evenly divided on this question. Overall, there appears to be a
misconception on what is and isn’t included in the Operating Plan(s). The SDT believes that current Sabotage Reporting
substantially meets the requirements outlined in the standard, albeit there may be some needed alterations to accommodate
the new standard. The updated subrequirement is a result of a FERC directive in Order No. 693. The DSR SDT removed
references to Operating Process and Operating Procedure and revised the Requirement to:
R1. Each Responsible Entity shall have an Operating Plan that includes: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for identifying events listed in Attachment 1.
1.2. A process for gathering information for Attachment 2 regarding events listed in Attachment 1.
1.3. A process for communicating events listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator and the following as appropriate:
• Internal company personnel
• The Responsible Entity’s Regional Entity
• Law enforcement
• Governmental or provincial agencies
1.4. Provision(s) for updating the Operating Plan within 90 calendar days of any change in assets, personnel, other circumstances that may no longer align with the Operating Plan; or incorporating lessons learned pursuant to R3.
1.5. A Process for ensuring the responsible entity reviews the Operating Plan at least annually (once each calendar year) with no more than 15 months between reviews.
Organization
Yes or No
Question 6 Comment
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
No
The terms "Operating Procedure, Operating Plan, and Operating Process," while included in the NERC
glossary, are not consistently used throughout the body of NERC standards as they are used in R1 of EOP-004-2.
As such, we do not see a reliability benefit in using the defined terms over the more commonly used
terms of simply "plans, processes, and procedures.” In part 1.1 of R1, we think that the requirement should
clearly indicate that a particular Responsible Entity's Impact Event Plan should only be required to include
those particular Impact Events for which the Responsible Entity has the reporting obligation. Therefore, we
suggest the following modification to R1:
"1.1 An Operating Process for identifying Impact Events listed in Attachment 1 for those Impact Events where
the Responsible Entity is identified as having the reporting responsibility."
Additionally, in part 1.3 of R1, we believe the language to be vague and will introduce the need for further
clarification either through an interpretation or the CAN process in part because the verb tenses of the sub-sub-requirements do not agree and it appears to require notification to all listed parties for every Impact Event
instead of only those that make sense for a particular event.
As such, we suggest adding a column to the tables in Attachment 1 that identifies precisely which
organizations should be notified in the case of a particular Impact Event and modifying part 1.3.2 to read:
"1.3.2 External organizations to notify as specified in Attachment 1."
Currently, as written, the standard could be interpreted to require notification to law enforcement for an IROL
violation, for instance. Furthermore, we are concerned that as written, the standard may require that the same
event must be reported by multiple responsible entities. Our current process uses notification between
Responsible Entities (i.e. from a TO to a TOP and then from the TOP to NERC) to allow for a centralized and
coordinated notification to law enforcement, NERC, etc. We are concerned that the requirement as written
does not appear to allow this flexibility and may require both the TO and TOP to report the same event in
order to prove compliance with the Standard.
Response: Thank you for your comments. The SDT believes that in order for a term to become consistent with the body of the reliability standards, each SDT
will have to incorporate the terms as the opportunity to revise each standard arises. The SDT envisions that each Registered Entity will develop Operating Plan(s)
appropriate to meet its obligations as outlined in the standard. Part 1.3 has been revised to indicate that each report must be sent to the ERO and the Registered
Entity’s Reliability Coordinator and the remaining entities as appropriate. Law Enforcement would certainly not be interested in an IROL violation, but they would
be interested in Forced Intrusion.
Bonneville Power Administration
No
Not sure that a 90-day update is needed to be sent to CEF.
Response: Thank you for your comments. That is not required in the standard. The SDT believes that it is unnecessary to forward any update to any
organization outside of the Registered Entity. Updates should be used to inform internal personnel of any Operating Plan changes.
Consideration of Comments on Disturbance & Sabotage Reporting – 2009-01
Organization
Yes or No
Question 6 Comment
Pacific Northwest Small Public Power Utility Comment Group
No
1.4 makes no sense. The operating plan update and the change to its content occur simultaneously. Perhaps
the SDT meant to say “Provision(s) for updating the Impact Event Operating Plan within 90 days of
identification of a needed change to its content.” This would be consistent with the “lessons learned” language
of the prior version.
Response: Thank you for your comment. The DSR SDT added additional detail to Part 1.4 to address the broader term “content.”
PSEG Companies
No
The PSEG Companies believe that sections 1.3 and 1.3.2 will require notification of law enforcement
agencies for all Impact Events defined in Attachment 1. This is appropriate for some events if there has been
destruction to BES equipment, for example, but not in certain operational events. It should not be necessary
to notify law enforcement that a non-sabotage event like an IROL violation, generation loss or voltage
deviation has occurred.
Response: Thank you for your comments. The DSR SDT feels that the Registered Entity will establish Operating Plan(s) appropriate for its needs including the
specification of how and when law enforcement agencies are contacted. Part 1.3 has been revised to indicate that each report must be sent to the ERO and the
Registered Entity’s Reliability Coordinator and the remaining entities as appropriate. Law Enforcement would certainly not be interested in an IROL violation, but
they would be interested in Forced Intrusion. Attachment 1 language has been updated to say “The parties identified…” which should be included in the entity’s
Operating Plan(s).
Dominion
No
The requirement for Responsible Entities to establish an Impact Event Operating Plan, Operating Process,
and Operating Procedure seems overly cumbersome and prescriptive. The use of these NERC-defined terms
creates additional compliance burden for little, if any, improvement to reliability. Suggest simplification by
requiring the Responsible Entities to have a procedure to report Impact Events, to the appropriate parties,
pursuant to EOP-004.
In addition, we request clarification of R1.4. It seems circular to us in that it requires the plan to be updated
within 90 days of when it changes. Is the intent that any necessary changes identified in the annual review
required by R4 be incorporated in a revision to the plan within 90 days of the review? If so, R1.4 belongs
under R4. If not, we do not understand the requirement.
What starts the 90 day count down?
Response: Thank you for your comment. The language in Requirement R1, Part 1.4 was inserted in response to a directive in FERC Order 693. The SDT feels
that the directive requires Registered Entities to update their Operating Plan(s) within 90 days of the time the entity identified the need for the change, such as a
new telephone number, personnel staff name/title, or addition/deletion of person or organization. The DSR SDT has made changes to better clarify “content.”
Pepco Holdings Inc and Affiliates
No
An Operating Plan, Operating Process or Operating Procedure implies something different than an after the
fact reporting activity.
Response: Thank you for your comment. An Operating Plan is more than an after the fact reporting activity. The Operating Plan(s) incorporates the tasks or
steps involved in the identification of events, establishing which internal personnel are to be involved in the communications and/or reporting, and establishing the
list of outside organizations to be contacted when an event happens.
SPP Standards Review Group
No
We would suggest rewording Part 1.3.2 to read “External organizations to notify may include but are not
limited to the Responsible Entity’s Reliability Coordinator, NERC, Responsible Entity’s Regional Entity, Law
Enforcement and Governmental or Provincial Agencies.”
We would also suggest the following for Part 1.4: “Provision(s) for updating the Impact Event Operating Plan
within 90 days of any known changes to its content.”
Would also suggest adding “as requested” at the end of M1.
Response: Thank you for your comments. (1) Requirement R1, Part 1.3 has been updated to “as appropriate” to address the parties to communicate event to.
(2) The SDT agrees with your suggestions and has made similar word changes. (3) Agreed.
Midwest ISO Standards
Collaborators
No
We do not believe that the use of the Operating Process, Operating Procedure, and Operating Plan for a
reporting requirement is consistent with their definitions and certainly not with the intent of the definitions. For
instance, an Operating Process is intended to meet an operating goal. What operating goal does this
requirement meet?
An Operating Procedure includes tasks that must be completed by “specific operating positions.” This
reporting requirement could be met by back office personnel. We also believe that parts 1.3 and 1.3.2 under
Requirement 1 will require notification of law enforcement agencies for all Impact Events defined in
Attachment 1. While some should require notification to law enforcement such as when firm load is shed,
others certainly would not. For instance, law enforcement does not need to know that an IROL violation,
generation loss or voltage deviation occurred.
Response: Thank you for your comments. The Glossary Definition of Operating Plan is:
A document that identifies a group of activities that may be used to achieve some goal. An Operating Plan may contain Operating Procedures and
Operating Processes. A company-specific system restoration plan that includes an Operating Procedure for black-starting units, Operating Processes for
communicating restoration progress with other entities, etc., is an example of an Operating Plan.
The definition uses “goal” rather than “operating goal”. The goal of the Operating Plan is to ensure that entities know how to identify the events listed in
Attachment 1 and report them to the appropriate parties. The SDT disagrees with your views on Operating Process, Operating Procedure, and Operating Plan.
The SDT appropriately describes the task at hand. The SDT feels that the Operating Plan can identify when law enforcement agencies need to be notified without
specification from the SDT. The Background section of the standard contains a heading for “Law Enforcement” and provides clarification regarding the types of
events that should be reported to law enforcement.
FirstEnergy
No
1. We believe that the use of stringent definitions for an entity’s process requires too much of the “how”
instead of the “what.” As long as the entity has a process, procedure (or whatever they want to call it) that
includes the necessary information detailed in sub-parts 1.1 through 1.4 then that should suffice.
2. In sub-part 1.3, we suggest adding the phrase “as applicable” to clarify that not every event will require a
notification to, for example, law enforcement.
3. In sub-part 1.4, we suggest adding clarification that the 90-day framework is only required for substantive
changes and that all other minor editorial changes can be updated within a year.
Response: Thank you for your comments. (1) The SDT agrees with your suggestion that the entity can best determine what is included in its Operating Plan.
The SDT does not envision instructing an entity on what or how of the Operating Plan(s). (2) The SDT feels that the Operating Plan can identify when law
enforcement agencies need to be notified without specification from the SDT. (3) The update requirement comes from a FERC directive in Order No. 693. The
SDT has validated the intent of the directive and has included that intent in the requirement. The SDT feels that the directive requires Registered Entities to
update their Operating Plan(s) within 90 days of the time the entity identified the need for the change, such as a new telephone number, personnel staff
name/title, or addition/deletion of person or organization. The DSR SDT has made changes to better clarify “content.”
SERC OC Standards Review
Group
No
This is a reporting requirement and should not be confused with Operating Plans that have specific operating
actions and goals. Each entity should prepare its own event reporting guideline that addresses impact events,
identification, information gathering, and communication without specifying a specific format such as
Operating Plans, Operating Process and Operating Procedures.
Response: Thank you for your comment. The SDT agrees with your viewpoint and believes that your statement is consistent with the intent of the requirement.
PJM Interconnection LLC
No
1. This is an “after-the-fact” reporting requirement and should not be confused with Operating Plans that have
specific operating actions and goals. Each entity should prepare its own impact event operating guideline that
addresses impact events, identification of impact events, information gathering, and communication without
specifying a specific format such as Operating Plans, Operating Process, and Operating Procedures. In fact,
all three documents mentioned can all be a single document.
2. 1.3.2 requires notification of law enforcement agencies for all events listed in Attachment 1. This is
essentially not true. For example, firm load is shed requires notification to law enforcement but an IROL
violation, generation loss, or voltage deviation do not.
Response: Thank you for your comment. (1) The SDT disagrees with your viewpoint that this requirement specifies after-the-fact reporting. The reporting
requirement is later in the standard. The SDT agrees with your viewpoint on the operating guideline you provide and believes that your statement is consistent
with the intent of the requirement. (2) The SDT believes that the Registered Entity’s Operating Plan(s) can establish when and how law enforcement agencies
are notified.
We Energies
No
R1.2: By its NERC Glossary definition, an Operating Procedure is too prescriptive for data collection. An
Operating Procedure requires specific steps to be taken by specific people in a specific order. We would
have to predict every event that could happen to have every step in proper order to collect the data. It will be
impossible to comply with this requirement.
R1.3: Change “Impact Event” to “Impact Event listed in Attachment 1.”
Response: Thank you for your comment. The SDT has changed R1 to simply “Operating Plan.” The term “Impact Event” has been removed from the standard
and R1 and its Parts refer to Attachment 1 as appropriate.
Compliance & Responsibility
Organization
No
See comments to 2. Also, although NextEra agrees that a documented procedure is appropriate, NextEra
does not favor the current approach of pre-defined layers of processes and documentation that seem to
overly complicate, and, possibly contradict, already established internal methods by which a company
implements policies, procedures and processes. Thus, NextEra’s options suggest using a more generic
approach that allows entities more flexibility to establish documents and processes, and demonstrate
compliance. Such a generic approach was used in NextEra’s proposed options set forth in response to
number 2.
Response: Thank you for your comments. The SDT believes that most entities already have plans to mostly satisfy the requirements of EOP-004. These would
be the procedures that are required under existing CIP-001, R1 and R2.
Exelon
No
R.1 Does an entity need to develop a standalone Operating Plan if there is an existing process to address
identification, assessing and reporting certain events?
Suggest rewording to state "Each Responsible Entity shall have an Impact Event Operating Plan or equivalent
implementing process that includes:"
Disagree these new terms are required. Commonly accepted descriptions of programs, processes and
procedures exist in registrar entities that would suffice. For example, R1 could use “Impact Event evaluation
and reporting process” as a generic term to describe what is required. This would allow an entity to utilize any
existing protocols or management guidelines and naming conventions in effect in their organization.
Response: Thank you for your comments. The SDT believes that most entities already have plans to mostly satisfy the requirements of EOP-004.
These would be the procedures that are required under existing CIP-001, R1 and R2. The Registered Entity will need to examine its current processes to ensure
that all aspects of the new requirements are addressed. Thank you for the suggested re-wording. The SDT revised “Impact Event Operating Plan” to just
“Operating Plan”, thus allowing the entity to implement the requirements as needed.
Tenaska
No
We already have adequate procedures in place to address sabotage and other significant events, pursuant to
the existing CIP-001-1 and EOP-004-1 Standards. The requirement to develop a new Impact Event
Operating Plan would increase the administrative burden on Registered Entities to comply with the proposed
Standard, without providing a foreseeable improvement in system reliability.
The “laundry list” of required Impact Event Operating Plan components is too specific and would make it more
difficult to prove compliance with EOP-004-2 during an audit.
A revised version of the proposed R5 is the only Requirement that is necessary to achieve the stated purpose
of Project 2009-01.
Response: Thank you for your comments. The SDT believes that most entities already have plans to mostly satisfy the requirements of EOP-004.
These would be the procedures that are required under existing CIP-001, R1 and R2 and these should mostly meet the intent of EOP-004. The Registered Entity
will need to examine its current processes to ensure that all aspects of the new requirements are addressed. The Parts of R1 are not prescriptive and only provide
the minimum information that is required to be in the Operating Plan. The SDT has removed R2 and revised R5 (now R2) to eliminate any duplication.
United Illuminating Co
No
Does R1.1 require an Operating Process for each Impact Event in attachment 1 or an Operating Process that
in general applies to all Impact Events?
Response: Thank you for your question. The SDT feels that the Registered Entity can have an Operating Plan that in general applies to all events.
American Municipal Power
No
No, remove R1. R1 is not an acceptable requirement nor should this be an operation. Focusing on a plan
and procedure is overly prescriptive and costly. The only requirement should be to have an entity submit a
report. Let the entity decide how they want to implement the reporting.
Response: Thank you for your comment. The SDT agrees that the Registered Entity can decide on how to implement the reporting; however, this
requirement mandates that the Registered Entity document its process.
Arkansas Electric Cooperative
Corporation
No
We appreciate the effort the team has taken in improving the requirements since the last posting. For 1.3, it
appears to suggest the communication must always include communicating to internal personnel and ALL
external organizations. We suggest removing the reference to 1.3.1 and 1.3.2 and move 1.3.1 and 1.3.2 to
1.4 and 1.5 respectively. For 1.3.2, modify to state "Internal company personnel notification(s) deemed
necessary by the Responsible Entity.” For 1.4, we feel the term "content" is too broad as used here. For
example, if the FBI changes the contact info for the JTTF, the Responsible Entity may not find out until an
incident or annual exercise. Or if the contact person for the state agency changes position without notifying
us, it would require us to then change the plan within 90 days. We suggest an annual review of the plan is
sufficient for the objective of this requirement.
Response: Thank you for your comments. The SDT has added language “as appropriate” to allow the entity to make its own determination who to contact. The
term “content” has been removed and replaced with more detail. The requirement for updates requires changes within 90 days. The SDT believes that the
timeline for updating can only be based upon the notification to the Registered Entity. The SDT believes that 90 days from the date the Registered Entity is
notified or made aware of the change is a suitable time period to update the document.
Manitoba Hydro
No
Plan, Process and Procedure are all too interchangeable with each other and have no value being used in
“one paragraph” as they do not differentiate from one or other.
The terms “identify”, “gather” and “communicate” better describe “Process, plan or procedure” so simplify
to:
1.4. Identification of Impact Events as listed in Attachment 1.
1.5. Gathering information for inclusion into Attachment 2 regarding observed Impact Events listed in Attachment 1.
1.6. Communicate recognized Impact Events to the following:
Response: Thank you for your comments. The SDT has revised R1 to only include an Operating Plan. Part 1.2 has been revised to “A process for gathering
information…”
American Electric Power
No
Even best developed plans, processes and procedures do not always lend themselves to address the issues
at hand. There needs to be flexibility to allow entities to first address the reliability concern and second report
correspondingly. Currently, this requirement is overly prescriptive and places unnecessary emphasis on the
means to an end and not the outcome. The outcome for this requirement is to report Impact Events.
Response: Thank you for your comments. While the SDT appreciates your views, it disagrees with your assessment. The outcome of this requirement is not to
report events; the outcome is to ensure that the Registered Entity has Operating Plan(s) for the identification of events, establishing which internal personnel are
involved, identification of outside agencies to be notified, and having a provision for updating the plan(s). Reporting of events is a requirement later in the
standard.
Consumers Energy
No
Requirement R1, “Have a plan…” with all of the listed criteria, seems to present a serious compliance risk to
applicable entities without a direct reliability benefit, as long as entities still identify and report relevant
events. Ad-hoc procedures, as discussed within the R1 “Rationale” have been acknowledged within the
rationale to be working effectively, and should remain sufficient without having a documented and by
inference, signed, approved, dated document with revision history (as is being demanded today by
compliance auditors wherever a “documented plan” is specified within the requirements).
Response: Thank you for your comments. While the SDT appreciates your views, it disagrees with your assessment. The SDT believes that most entities already
have plans to mostly satisfy the requirements of EOP-004. These would be the procedures that are required under existing CIP-001, R1 and R2. The measure
calls for a current, dated, in force Operating Plan to be provided.
ISO New England, Inc
No
We do not believe that the use of the Operating Process, Operating Procedure, and Operating Plan for a
reporting requirement is consistent with their definitions nor with the intent of the definitions. For instance, an
Operating Process is intended to meet an operating goal. What operating goal does this requirement meet?
An Operating Procedure includes tasks that must be completed by “specific operating positions.” This
reporting requirement could be met by back office personnel. We suggest that R1.3.2 delete the list of
entities to notify. The terms used to identify who to notify are not defined terms and can lead to subjective
interpretations. As written, the requirement does not aid the Applicable entity or the Compliance enforcers in
clearly including or excluding who to notify.
We also believe that parts 1.3 and 1.3.2 under Requirement 1 will require notification of law enforcement
agencies for all Impact Events defined in Attachment 1. While some should require notification to law
enforcement such as when there has been destruction to BES equipment, others certainly would not. For
instance, law enforcement does not need to know that an IROL violation, generation loss or voltage deviation
occurred.
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is not
reasonable as an entity may still be dealing with the event. This will be particularly difficult when support personnel
are not present such as during nights, holidays and weekends.
We further suggest that an explicit statement that “reliable operations must ALWAYS take precedence to
reporting times” be included in the standard.
Response: Thank you for your comments. While the SDT appreciates your views, it disagrees with your assessment.
(P1) The outcome of this requirement is not to report events; the outcome is to ensure that the Registered Entity has Operating Plan(s) for the identification of
events, establishing which internal personnel are involved, identification of outside agencies to be notified, and having a provision for updating the plan(s). The
SDT feels that current Sabotage Reporting guides already provide much of the information needed in the new R1.
(P2) We have revised Requirement R1, Part 1.3 to “A process for communicating events listed in Attachment 1 to the Electric Reliability Organization, the
Responsible Entity’s Reliability Coordinator and the following as appropriate:” This should address your concern regarding law enforcement notification.
(P3) We have revised most reporting times to 24 hours. Events of a “sabotage” type nature remain at one hour.
(P4) While the DSR SDT sees the point you are trying to make, we do not believe that reporting the events in Attachment 1, under the times listed, is
burdensome. At the least, this can be accomplished by back office personnel who are not involved in restoration or other reliability efforts.
Calpine Corp
No
In the “Rationale for R1”, the draft states:
“Every industry participant that owns or operates elements or devices on the grid has formal or informal
process, procedure, or steps it takes to gather information regarding what happened and why it happened
when Impact Events occur. This requirement has the Registered Entity establish documentation on how that
procedure, process, or plan is organized.”
Absent substantial evidence that the proposed requirement addresses an actual systemic problem with the
“formal or informal process, procedure, or steps it takes” for internal and external evaluation and notification of
items listed in Attachment 1, there is no obvious need for this additional paperwork burden, which in most
cases will result in a written procedure that documents another existing written procedure or procedures, that
will be maintained for the sole purpose of demonstrating compliance with the requirement. Failure to properly
report events is currently sanctionable under CIP-001-1 and EOP-004-1 and will continue to be sanctionable
under proposed EOP-004-2. Adding a requirement to implement an “Impact Event Operating Plan”,
“Operating Procedure”, and “Operating Process” is unnecessary.
However, if the requirement is maintained, the related Measure M1 should state in plain language exactly
what elements are required for compliance. Statements such as “The Impact Event Operating Plan may
include, but not be limited to, the following?” beg the question regarding what other elements are required to
demonstrate compliance. As written, M1 requires that entities provide an “Impact Event Operating Plan”, but
does specify the required elements of the plan.
In the absence of much more detailed instruction on exactly what elements must be included in the various
documents, the proposed requirement will create confusion with both compliance and enforcement of the
requirement. An example of each of the various required documents would be helpful. Any difficulty in
developing such an example would be instructive of the probable compliance issues that would ensue from
the necessarily varying approaches taken by disparate entities attempting to meet the requirement.
Response: The DSR SDT thanks you for your comment. Requirement R1 comes from existing CIP-001, R1. The SDT believes it has addressed these concerns
by removing the terms “Operating Procedure” and “Operating Process” and has generically referred to them in the elements of the Operating Plan outlined in
Parts 1.1-1.5 of the requirement.
BGE
No
This seems overly restrictive in its use. Requirement is now telling entities how to resolve situations, not
giving them a requirement to resolve the situation.
Response: Thank you for your comments. The requirement is written so that an entity has an Operating Plan that contains certain items. The SDT does not
specify in the standard how the entity meets these obligations nor does it specify the form nor format of these items.
ExxonMobil Research and
Engineering
No
The requirement to notify State Law Enforcement deviates from existing government security requirements
that Petrochemical Facilities (Cogenerators) are required to follow. Per the Maritime Transportation Security
Act of 2002 (MTSA) and the Chemical Facility Anti-Terrorism Standard (CFATS), Petrochemical Facilities are
required to report the security incidents identified in EOP-004 Revision 2 to the National Response Center
which is staffed by the United States Coast Guard. The National Response Center coordinates incident
reporting to both the Department of Homeland Security and Federal Bureau of Investigation. Requiring
Petrochemical Facilities to report security incidences to State Law Enforcement agencies duplicates their
reporting of incidences to the appropriate law enforcement agencies. EOP-004 Revision 2 should be
modified to synergize with existing federal security regulations so that those facilities that are required to
comply with the MTSA and CFATS are, by default, compliant with EOP-004 Revision 2 when they comply
with these existing federal security regulations.
It is unclear, from the documentation provided in this revision of EOP-004, which entities a Responsible Entity
is required to notify when certain types of Impact Events occur. Previously, CIP-001 included a similarly
vague instruction that required notifications to the 'appropriate parties in the interconnection' and the
FBI/RCMP. The Standard Drafting Team should identify which NERC Functional Entities should be notified
when each of the Impact Events identified in Attachment 1 occurs.
Current revisions of CIP-001 Revision 1 or EOP-004 Revision 1 do not include corresponding requirements to
update procedures within a certain time frame. It's difficult to foresee a situation where an Entity would initiate
a change to its response plan without being required to update the formal response plan documentation per
their management of change process. Additionally, failure to update the procedure would result in the entity
deviating from the procedure any time an impact event occurred, which would automatically force a violation
of EOP-004-2 R2 for failure to properly implement their Operating Process. Furthermore, the only changes
occurring between review cycles should be revisions to the contact information for third parties. It is beyond
an entity's power to require third parties to notify the entity when the third party changes their contact
information, and, as such, this requirement burdens registered facilities with responsibility for compliance for
items that are beyond their realm of control.
Response: Thank you for your comments. (P1) The SDT believes that the requirement does not mandate contact to State Law Enforcement agencies; but
merely to include them if appropriate. While we have tried to coordinate with the US DOE, Federal security regulations are outside the scope of this project. (P2)
We have revised Requirement R1, Part 1.3 to “A process for communicating events listed in Attachment 1 to the Electric Reliability Organization, the Responsible
Entity’s Reliability Coordinator and the following as appropriate:” Each type of event should be assessed by the entity to determine whether or not law
enforcement needs to be notified.
(P3) The subrequirement for updating comes from a FERC directive in Order No. 693. If the Registered Entity’s Operating Plan(s) have a provision for updating,
then the entity only needs to verify that the updating does not exceed 90 days from the date of being aware.
Farmington Electric Utility System
No
Consider rewording 1.4; the wording implies a change to content already occurred, so it would be updated
concurrently? Consider updating the plan within 90 days of discovery of content requiring a change?
Response: Thank you for your comment. The SDT agrees with your suggestion and has revised Requirement R1, Part 1.4 to: Provision(s) for updating the
Operating Plan within 90 calendar days of any change in assets, personnel, other circumstances that may no longer align with the Operating Plan; or
incorporating lessons learned pursuant to R3.
Constellation Power Generation
No
Per NERC’s glossary of terms, an Operating Plan can include Operating Process documents and Operating
Procedures. An Operating Process identifies general tasks while an Operating Procedure identifies specific
tasks.
CPG is unclear as to why R1.1 and R1.3 require the use of an Operating Process while R1.2 requires an
Operating Procedure.
CPG believes that R1.2 should be changed to require the use of an Operating Process instead of Operating
Procedure. R1.2 is merely requiring an entity to fill out the necessary forms should an event occur, so
requiring a clear and concise step by step procedure for filling out a form only adds a compliance burden to
an entity instead of improving the reliability of the BES.
CPG does agree with the DSR SDT that an entity should have a process in place mandating that the proper
paperwork be completed in a timely manner should an event occur.
Response: Thank you for your comments. The SDT has modified Requirement R1, Part 1.1 and Part 1.3 to a “process” as part of the elements of the
referenced “Operating Plan” in R1. The SDT has also changed “Operating Procedure” to a “process” in R1.2. This sub-requirement provides for establishing the
list of internal personnel to be notified in the case of an event, not the reporting of the event.
Georgia System Operations
Corporation
No
-R1.3.2: “Law Enforcement”, “Governmental Agencies”, and “Provincial Agencies” are not proper
nouns/names and are not defined in the NERC Glossary. They should not be capitalized.
-R1.4: Keeping documents current and in force should be a matter of an entit
Response: Thank you for your comments. The SDT agrees with your suggestions on capitalization and has made the corrections. The update provision comes
from a FERC directive in Order No. 693.
Indeck Energy Services
No
The terms are not important and many plans or procedures already exist and restructuring them to match the
terms is wasteful. R1 is too prescriptive.
R1 should state that a written document should show how the entity will comply with EOP-004.
R1.2 is superfluous and should be deleted. The data must be gathered and the process will vary with the
event. Trying to define the multitude of possibilities for the collection process is not productive and leaves
open the possibility of missing something for an auditor to nit pick.
R1.3 should just be a written communications plan/process/procedure for external notifications.
R1.4 is redundant because it can't be changed within 90 days until the content has already been changed.
R1.4 should be deleted. The Violation Risk Factor should be Low, if any, because this is historical reporting,
with little or no reliability consequence.
Response: The SDT disagrees with your viewpoints associated with R1 because the requirement only specifies the elements required, not how to implement
them. The SDT believes that many Registered Entities will be able to use their current Sabotage Reporting processes, with some slight modification to address
the new sub-requirements. Requirement R1, Part 1.2: The requirement is written so that it is not prescriptive and allows the entity to identify the steps it will
take to gather information for filing the report. The DSR SDT does not envision this as being a tome that contains specific data gathering protocol for each event
type. Requirement R1, Part 1.3: Has been revised to: “1.3. A process for communicating recognized impact events listed in EOP-004 - Attachment 1 that
includes to the Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator and , but is not limited to the following as appropriate :” For
Requirement R1, Part 1.4, the update provision comes from a FERC directive in Order No. 693. In addition, the SDT believes that the update is required within 90
days from the date of being notified of the change or update. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Midwest Reliability Organization
Yes
This is a NERC defined term and will assist entities in maintaining compliance with this (proposed) Standard.
Response: Thank you for your comment.
Western Electricity Coordinating
Council
Yes
Are "Law Enforcement" considered a "Governmental Agency" (they are listed separately and both required)? If
not, are there any qualifiers on whether Law Enforcement or Governmental Agency refers to municipal, county,
state or federal or any combination?
Since the term "Provincial" is associated with "Governmental" it tends to indicate State level. As it is written
now an auditor would require documentation of “some” Law Enforcement (other than company security) and
an additional communication to at least “some” Agency which could be considered Governmental. Municipal
or higher.
Contact with City police or Sheriff and either city or county government rep would satisfy.
Additional clarity would help from a compliance enforcement perspective.
Response: Thank you for your comments. The SDT expects that Registered Entities will identify the proper outside organizations needed for their organization.
The SDT feels that law enforcement agencies include federal, state, provincial, or local law agencies and these are not the same as governmental or regulatory
agencies. Please refer to the Background section of the standard for further clarification on law enforcement notifications.
Alliant Energy
Yes
This is a NERC defined term and will assist entities in maintaining compliance with this (proposed) Standard.
We believe the reference to Attachment 2 in R1.2 should be revised to the DOE Form and utilize only one
reporting form, if at all possible.
Response: Thank you for your comments. The DSR SDT continues to work with the DOE to develop a single reporting form that is acceptable to both.
Occidental Power Marketing
Yes
However, only LSEs with BES assets (or assets that support the BES) should be included in the Applicability
section of the standard.
Response: Thank you for your comment. LSE applicability is related to their applicability under CIP-002 and CIP-008.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
However, there needs to be some clarity on which government agencies (if not the FBI) are responsible for
reporting these types of events.
Response: Thank you for your comments. Each Registered Entity should be aware of any reporting obligations it may have to various government agencies
(federal, state/provincial, local). To the extent they exist, the notification needs to be included in the entity’s Operating Plan(s).
Northeast Power Coordinating
Council
Yes
PPL Supply
Yes
Southern Company
Yes
SRP
Yes
SDG&E
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
Liberty Electric Power LLC
Yes
APX Power Markets
Yes
Sweeny Cogeneration LP
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System
Operator
Yes
Platte River Power Authority
Yes
CenterPoint Energy
Yes
PPL Electric Utilities
Yes
Lincoln Electric System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
Progress Energy
Yes
7. Do you agree with the proposed revisions to Requirement 3 (now R2)? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: The slight majority of commenters agreed with the language of Requirement R2. A significant
minority opinion exists where commenters suggest revisiting R2 and R5 to eliminate potential redundancy and confusion.
Similar comments were received pertaining to Requirement 5 (question 10 below). The DSR SDT has revised Attachment 1 to
indicate that entities must submit Attachment 2 or the DOE OE-417 form. This information was contained in Requirement R5.
The intent of the two requirements is to have entities make appropriate notifications and report impact events contained in
Attachment 1. By eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the requirements while
eliminating potential confusion and redundancy. The revised requirements are shown below:
R2. Each Responsible Entity shall implement its Impact Event Operating Plan documented in Requirement R1 for Impact
Events listed in Attachment 1 (Parts A and B). [Violation Risk Factor: Medium] [Time Horizon: Real-time Operations and Same-day Operations]
Old R5, New R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address
the events listed in Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].
Organization
Yes or No
Question 7 Comment
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
No
We are concerned with having a separate requirement to implement the Plan.
Is this requirement necessary on its own? Should R1 instead require a Responsible Entity to "document and
implement" an Impact Event Operating Plan? More specifically, if an Entity does not have an Impact Event,
are they in violation of this requirement?
If merging this requirement with R1 is not acceptable we suggest moving the language from the measure to
the requirement as such: "To the extent that a Responsible Entity has an Impact Event on its Facilities, Each
Responsible Entity shall implement…"
Additionally, R1 uses the phrase "recognized Impact Event" whereas R2 simply uses the term "Impact
Event." The phrase "recognized Impact Event" should be used consistently in R2 as well.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted requirement 2 and revised requirements 1 and 5 to address your concern.
The DSR SDT believes that the requirement should remain separate to eliminate the possibility of double jeopardy. Old R5, New R2. Each Responsible
Entity shall report impact events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation
Risk Factor: Medium] [Time Horizon: Operations Assessment].
Bonneville Power Administration
No
Minimize the number of requirements. Not sure what the new R2 intends that is different than having a valid
plan (signed?). Why can't R1 have develop and implement? R5 is the reporting. Implement should be with
R1 or R5 depending on the interpretation.
Response: The DSR SDT thanks you for your comment.
The DSR SDT has deleted requirement 2 and revised requirements 1 and 5 to address your concern. The DSR SDT believes that the requirement should remain
separate to eliminate the possibility of double jeopardy. Old R5, New R2. Each Responsible Entity shall report impact events in accordance with its
Operating Plan developed to address the events listed in Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations
Assessment].
PSEG Companies
No
Fuel supply emergency, as discussed in response to question 4 above, is not a defined condition. This event
should be removed.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Fuel Supply Emergency from Attachment 1. This item was removed in
coordination with the NERC Events Analysis Working Group and the proposed Events Analysis Program.
SERC OC Standards Review
Group
No
We agree with the concept, but disagree with the use of the term “Operating Plan” as a defined term in line
with our comments in question 6 above.
Response: The DSR SDT thanks you for your comment. Please see response to comments in Question 6. The DSR SDT has revised R1 to eliminate the use of
Operating Process and Operating Procedure and has used more generic terms.
PJM Interconnection LLC
No
We agree with the concept but disagree with the use of the term “Operating Plan” as a defined term in line
with our comments in Question 6 above.
Response: The DSR SDT thanks you for your comment. Please see response to comments in Question 6
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Response: The DSR SDT thanks you for your comment. Please see response to question 2.
Exelon
No
Agree that each Responsible Entity shall implement the [Impact] Events listed in Attachment 1 (Parts A and
B); however, disagree with certain events, reporting responsibilities, threshold for reporting and time to submit
reports as currently outlined in Attachment 1 (Parts A and B).
Also suggest that R.2 be reworded to state for applicable [Impact] Events listed in Attachment 1 (Parts A and
B). This requirement should only be applied to those events applicable to the registered entity. R2 is
redundant to R1. No entity could claim to have met R1 if their plan / process was not operational and
approved in the manner consistent with any other approved program, process, guideline etc. within their
company.
Response: The DSR SDT thanks you for your comment.
The DSR SDT has significantly revised Attachment 1. We have removed the timing column and replaced it with more specific information regarding which form to
submit and to whom to submit the report. All events are now to be reported within 24 hours with the exception of Destruction of BES equipment, Damage or
destruction of Critical Assets and Damage or destruction of Critical Cyber Asset events, Forced Intrusion, Risk to BES equipment and Detection of a reportable
Cyber Security Incident. These events are to be reported within 1 hour. Notification of law enforcement per Part 1.3.2 is also required for these events only.
The DSR SDT has also eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. The DSR SDT believes that the requirement should remain
separate to eliminate the possibility of double jeopardy. Old R5, New R2. Each Responsible Entity shall report impact events in accordance with its
Operating Plan developed to address the events listed in Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations
Assessment].
Tenaska
No
The proposed Impact Event Operating Plan should not be required.
Response: The DSR SDT thanks you for your comment.
The DSR SDT has revised R1 to only include development of an Operating Plan that includes the Parts of R1. This Operating Plan is required so that the entity’s
personnel will know what to do in the event of an event, how to report the event and to whom the report should be sent.
American Municipal Power
No
No, remove R2. R2 is not an acceptable requirement nor should this be an operation. Focusing on a plan is
overly prescriptive and costly. The only requirement should be to have an entity submit a report. Let the
entity decide how they want to implement the reporting.
Response: The DSR SDT thanks you for your comment.
The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. Old R5, New R2. Each Responsible Entity shall report
impact events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk Factor: Medium]
[Time Horizon: Operations Assessment].
American Electric Power
No
Requirement 5 and Requirement 2 are redundant. We recommend Requirement 2 be replaced with the
language in Requirement 5. “Each Responsible Entity shall report Impact Events in accordance with the
Impact Event Operating Plan pursuant to Requirement R1 and Attachment 1 using the form in Attachment 2
or the DOE OE-417.”
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. The
old Requirement R5 has been revised as the new Requirement R2, which reads: Each Responsible Entity shall report impact events in
accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk Factor: Medium] [Time Horizon:
Operations Assessment].
ISO New England, Inc
No
Fuel Supply Emergency is not a defined condition. We suggest that the SDT poll the ballot body regarding
the reporting of Fuel Supply Emergencies. Fuel Supply is an economic consideration and the concept of Fuel
Supply Emergency is subjective. A resource that uses coal or oil may vary its supplies based on economic
considerations (the price of the fuel). For a conservative BA a fuel-on-demand supply line can be viewed as a
fuel supply emergency whereas the resource owner sees the matter as good business. Moreover, the
release of such reports to the public can have unintended consequences. Fuel disruptions caused by contract
negotiations when reported to the public can result in non-union transportation employees being physically
harmed by fuel supply organizers thus resulting in the loss of non-contract fuel. Further, this information may
aggravate the situation by causing the cost of fuel to be inflated by suppliers when demand is great.
If this event is not deleted, then we would suggest that the definition be constrained to “declared” fuel supply
emergencies. Suggest the deletion of category: Risk to BES equipment. Because of the broad definition of
BES, the risk to BES equipment is overly broad and can be applied to any risk to any “part of” any BES asset.
The footnote helps identify what the SDT was intending, however, the words themselves can result in overly
broad findings by compliance enforcement people.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Fuel Supply Emergency from Attachment 1. This item was removed in
coordination with the NERC Events Analysis Working Group and the proposed Events Analysis Program.
Calpine Corp
No
Requirement R2 is unnecessary for the same reasons listed above in answer to question 6 regarding
Requirement R1. A new Reliability Standard requirement is not needed to verify that internal notifications are
made within Registered Entities or to ensure that Registered Entities notify local law enforcement of
suspicious activity, sabotage, theft, or vandalism. Such notifications are made by any company, and this
requirement does not clearly enhance the reliability of the Bulk Electric System. Requirement R5 provides
sanction in the event that events listed in Attachment 1 are not made appropriately. However, if the
requirement is maintained, the related Measure M2 should state in plain language exactly what elements are
required for compliance. In the absence of much more detailed instruction on exactly what elements must be
included in the various documents, the proposed requirement will create confusion with both compliance and
enforcement of the requirement. A detailed example of example documentation would be helpful. Any
difficulty in developing such an example would be instructive of the probable compliance issues that would
ensue from the necessarily varying approaches that would be taken by disparate entities attempting to meet
the requirement.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. Old
R5, New R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed
in Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].
CenterPoint Energy
No
CenterPoint Energy recommends deleting the current R2 as it is an inherent part of the current R5. For an
entity to “report Impact Events in accordance with the Impact Event Operating Plan pursuant to R1” (see R5),
the entity must “implement its Impact Operating Plan documented in Requirement 1…” (see R2). Including
both requirements is unnecessary and duplicative. Likewise, M2 should be deleted.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. Old
R5, New R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed
in Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].
ExxonMobil Research and
Engineering
No
The notification requirement and documentation in Attachment 1 do not clearly identify which entities need to
be notified for each type of event detailed in Attachment 1. While it makes sense to notify the Reliability
Coordinator, NERC, Regional Entity, Law Enforcement and other Governmental Agencies for sabotage type
events, it does not seem proper to notify Law Enforcement agencies of a system disturbance that is
unrelated to improper human intervention. Furthermore, it is our belief that a time frame of 1 hour is a short
window for making a verbal notification to third parties, and an impossibly short window for requiring the
submittal of a completed form regardless of the simplicity. When a Petrochemical Facility experiences an
impact event, the initial focus should emphasize safe control of the chemical process. For those cases where
registered entities are required to submit a form within 1 hour, the Standard Drafting Team should alter the
requirement to allow for verbal notification during the first few hours following the initiation of an Impact Event
(i.e. allow the facility time to appropriately respond to and gain control of the situation prior to making a
notification which may take several hours) and provide separate notifications windows for those parties that
will need to respond to an Impact Event immediately and those entities that need to be informed that one
occurred for the purposes of investigating the cause of and response to an Impact Event. For example, a
GOP should immediately notify a TOP when it experiences a forced outage of generation capacity as soon as
possible, but there is no immediate benefit to notify NERC when site personnel are responding to the event in
order to gain control of the situation and determine the extent of the problem. The existing standard’s
requirement to file an initial report to entities, such as NERC, within 24 hours seems reasonable provided that
proper real time notifications are made and the Standard Drafting Team reinstates EOP-004 Revision 1's
Requirement 3.3, which allows for the extension of the 24 hour window during adverse conditions, into the
requirement section of EOP-004 [the current revision locates this extension in Attachment 1, which, according
to input received from Regional Entities, means that the extension would not be enforceable].
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. Old
R5, New R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed
in Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].
The DSR SDT has significantly revised Attachment 1. We have removed the timing column and replaced it with more specific information regarding which form to
submit and to whom to submit the report. All events are now to be reported within 24 hours with the exception of Destruction of BES equipment, Damage or
destruction of Critical Assets and Damage or destruction of Critical Cyber Asset events in Part A and Forced Intrusion, Risk to BES equipment and Detection of a
reportable Cyber Security Incident in Part B. These events are to be reported within 1 hour. Notification of law enforcement per Part 1.3.2 is also required for
these events only.
American Transmission
Company
No
ATC does not agree with the proposed language in Requirement 3. ATC is concerned that, in order to
demonstrate compliance, an entity will have to show that each step in the plan was followed which will likely
leave entities facing the choice of choosing between different compliance violations. If the plan is not
followed, but the report is made within the time given, then an entity is in violation of their plan. If the plan is
followed, but the report does not get filed within the time allotted, then they face a possible violation of the
time to report. ATC believes that the team should enforce the position that the report being filed in the time
allotted is key, not that they necessarily follow and document that their plan was followed. Depending on the
situation, the internal reporting will vary; however, based on the purpose of the Standard, the key is to get a
report to NERC.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. Old
R5, New R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed
in Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].
Georgia System Operations
Corporation
No
-We suggest moving the language from the measure to the requirement as such: "To the extent that a
Responsible Entity has an Impact Event on its Facilities, each Responsible Entity shall
implement…" Additionally, R1 uses the phrase "recognized Impact Event"
Response: The DSR SDT thanks you for your comment.
Requirement 2 has been deleted along with its associated Measure M2. R1 no longer references “recognized” events.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
There are generally several events during the year. If the process is well documented, a drill or exercise is
excessive. It should be sufficient to say “provide training.”
Response: The DSR SDT thanks you for your comment.
This appears to be related to R3 in question 8. If an event occurs during the year, additional testing is not required.
Indeck Energy Services
No
R2 is direct and to the point. The Violation Risk Factor should be Low, if any, because this is historical
reporting, with little or no reliability consequence.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Midwest Reliability Organization
Yes
This clearly states that an entity’s Operating Plan is to be used for reporting of Impact Events.
Response: The DSR SDT thanks you for your comment.
Dominion
Yes
Dominion agrees subject to the comments provided in Question #6. In addition, Requirement R2 appears
duplicative of Requirement R5. Suggest R2 be clarified relative to the intent.
Response: The DSR SDT thanks you for your comment. Please see responses to comments in Question 6. R2 was deleted and R5 was revised. Old R5, New
R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed in
Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]. The DSR SDT has revised R1 to eliminate the use of
Operating Process and Operating Procedure and has used more generic terms.
Manitoba Hydro
Yes
Removing “assess the initial probable cause” from the statement removes the ambiguity in the same way as
replacing sabotage with impact level. Let the staff trained in this field determine probable cause after the fact.
Response: The DSR SDT thanks you for your comment.
Occidental Power Marketing
Yes
However, only LSEs with BES assets (or assets that directly support the BES) should be included in the
Applicability section of the standard.
Response: The DSR SDT thanks you for your comment. Attachment 1 specifies which types of events are required to be reported by each entity.
Constellation Power Generation
Yes
Although CPG agrees with the wording of Requirement 2, CPG has several comments and suggested
changes regarding the Attachments, to which this requirement points. Please see those comments below.
Response: The DSR SDT thanks you for your comment. Please see responses below.
Northeast Power Coordinating
Council
Yes
Western Electricity Coordinating
Council
Yes
Pacific Northwest Small Public
Power Utility Comment Group
Yes
Pepco Holdings Inc and Affiliates
Yes
SPP Standards Review Group
Yes
Midwest ISO Standards
Collaborators
Yes
FirstEnergy
Yes
Southern Company
Yes
SRP
Yes
We Energies
Yes
SDG&E
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
Sweeny Cogeneration LP
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System
Operator
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
PPL Electric Utilities
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
No comments.
Brazos Electric Power
Cooperative
Yes
Progress Energy
Yes
Response: The DSR SDT thanks you for your comment. Based on stakeholder comments, Requirement R2 was deleted and R5 was revised. Old R5, New R2.
Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed in Attachment
1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].
8. Do you agree with the proposed revisions to Requirement 4 (now R3)? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: There were several issues that commenters raised regarding removing the requirement. Below is a
summary:
1) Review annual component – CAN0010 states: Regardless of the registered entity’s documented definition of annual, it will
not supersede any requirement stated in the standard. The DSR SDT is defining “annual” within this Standard (and only for
this Standard).
2) Remove R3-requirement – Several stakeholders believed the testing to be onerous. The language of the requirement
was revised to indicate that only the communications portion of the Operating Plan is required to be tested. Each Responsible
Entity shall conduct a test of the communication process in its Operating Plan, created pursuant to Requirement 1, Part 1.3, at
least annually (once per calendar year), with no more than 15 calendar months between tests.
3) Unclear if actual events would qualify for a test in the requirement – The language in the measure was revised to add
“Implementation of the communication process as documented in its Operating Plan for an actual event may be used as
evidence to meet this requirement.”
4) VRF is too high on R3 – With the revised standard, there are now three requirements. Requirement R1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in
nature and justifies a “lower” VRF. This requirement is administrative in nature and deals with the means to report events after
the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement
to analyze events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of
Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement
R2 specifies that an entity is responsible for reporting events in accordance with the Operating Plan based on Attachment 1.
Requirement R3 is insurance to make sure that an entity can communicate information about events. Requirement R2 specifies
that the responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential
sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the
requirements is “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Organization
Yes or No
Question 8 Comment
Georgia Transmission Corporation & Oglethorpe Power Corporation
No
With the current CAN on the definition of annual, we do not believe that the additional qualification that the
test shall be conducted "with no more than 15 calendar months between tests" is necessary. If instead the
team believes that, in order to support the reliability of the BES, tests should be performed at least every 15
months, then the requirement should be to perform a test at least every 15 calendar months and remove the
annual component.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. Per the CAN, “Regardless of the registered entity’s documented definition of annual, it will not supersede any
requirement stated in the standard.” The team believes the requirement is specifying what the team believes to be appropriate.
Northeast Power Coordinating Council
No
The annual testing requirement is too frequent for a reporting, and not an operational process. The testing
interval should be extended to five years.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. We feel that five years is too long of an interval between tests as contact information contained in the plan
may change more often. A one year test is more likely to catch problems with the Operating Plan. If an entity has an event, then they do not need to test the
plan during the annual cycle.
Bonneville Power Administration
No
Too burdensome to go through EACH and ALL individual Impacts and report each one on a drill basis with
outside entities. One or two scenarios may be OK.
Response: The DSR SDT thanks you for your comment. It is not intended to perform a test for each type of event listed in Attachment 1. The entity is free to
choose any single event to test its operating plan. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The test under R3 Operating Plan is to test the
communication aspect of your Operating Plan.
Dominion
No
The need to conduct a test of its Operating Process has not been established and is overly restrictive given
that the purpose of the standard is to report Impact Events.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. The SDT thinks it is critical to test the Operating Plan to verify that employees know the appropriate actions
to take and that there are no issues with the reporting procedures. Not testing the Operating Plan could result in employees being unprepared to communicate
and report for an actual event.
SPP Standards Review Group
No
The SDT included a formal review process in the discussion of R4 in the Background Information in the
Unofficial Comment Form as one of three options for demonstrating compliance with the testing requirements
of R4, yet M3 only contains two of those options – a mock Impact Event exercise and a real-time
implementation of its Operating Process. The third option, a formal review process, is missing from M3 and
needs to be added. We would suggest the following for M3: “In the absence of an actual Impact Event, the
Responsible Entity shall provide evidence that it conducted a mock Impact Event and followed its Operating
Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 or
conducted a formal review of its Operating Process. The time period between tests, actual Impact Events or
formal reviews shall be no more than 15 calendar months. Evidence may include, but is not limited to,
operator logs, voice recordings or documentation.”
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. The standard now has only three requirements. The requirement to test the communications process is
important so that any issues or errors in the Operating Plan can be identified. The team feels that a formal review will not be able to identify any of these errors
unless the communications process is tested.
Midwest ISO Standards Collaborators
No
We appreciate the drafting team recognizes that actual implementation of the plan for a real event should
qualify as a “test”. However, we are concerned that review of this requirement in isolation of the background
material and information provided by the drafting team may cause a compliance auditor to believe that a test
cannot be met by actual implementation. Furthermore, we do not believe testing a reporting procedure is
necessary. Periodic reminders to personnel responsible for implementing the procedure make sense but
testing it does not add to reliability. If they don’t report an event, it will become obvious with all the tools
(SAFNR project) the regulators have to observe system operations.
Response: The DSR SDT thanks you for your comment. We have added the following to the measure: “Implementation of the communication process as
documented in its Operating Plan for an actual event may be used as evidence to meet this requirement.”
FirstEnergy
No
We believe that a separate requirement for testing the reporting process is unnecessary. The FERC directive
that required periodic testing was directed at sabotage events per CIP-001. Since the proposed standard
moves the responsibility for classifying an event as sabotage from the entity to the applicable law
enforcement authority, the need for a periodic drill is no longer necessary. We believe that Requirement R4
should suffice in ensuring that the individuals involved in the process are aware of their responsibilities.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The standard now has only three requirements. The
requirement to test the communications process is important so that any issues or errors in the Operating Plan can be identified.
SERC OC Standards Review Group
No
Annual testing of an “after-the-fact” reporting procedure does not add to the reliability of the BES!
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The standard now has only three requirements. The
requirement to test the communications process is important so that any issues or errors in the Operating Plan can be identified. This will allow for reporting to
the appropriate entities in the case of an actual event.
PJM Interconnection LLC
No
1. This is an “after-the-fact” reporting requirement (administrative in nature). Annual testing of such a
requirement does not add to the reliability of the BES.
2. R3 attempts to define “Annual” for the Registered Entity to test its Operating Process. We believe R3
should follow the NERC definition of Annual as defined in the NERC Compliance Application Notice (CAN) –
CAN-0010 – Definition of Annual as opposed to creating a new definition of Annual – or – refer to an entity’s
defined use of the term annual.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The standard now has only three requirements. The
requirement to test the communications process is important so that any issues or errors in the Operating Plan can be identified. This will allow for reporting to
the appropriate entities in the case of an actual event.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. Per the CAN, “Regardless of the registered entity’s documented definition of annual, it will not supersede any
requirement stated in the standard.” The team believes the requirement is specifying what the team believes to be appropriate.
We Energies
No
A test of the Operating Process for communication would be placing telephone calls. This requirement would
have virtually every entity in North America calling NERC, Regional Entities, FERC/Provincial Agency, Public
Service Commission, FBI/RCMP, local Police, etc. annually. Every entity will probably be asking for a
confirmation letter from each telephone call for proof of compliance. This is an unnecessary requirement.
Delete it.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. The standard now has only three requirements. The requirement to test the communications process is
important so that any issues or errors in the Operating Plan can be identified. This will allow for reporting to the appropriate entities in the case of an actual
event.
Compliance & Responsibility Organization
No
See comments set forth in number 2.
Also, while NextEra understands the need to have a testing requirement for sabotage (Order 693 at P 446), it
does not find it necessary to have a testing requirement for the other events. At this time in the process,
additional requirements for the sake of having a requirement are likely to detract from reliability. Thus,
NextEra requests that the testing requirement be limited to sabotage related events.
Response: The DSR SDT thanks you for your comment. Please see responses to Question 2 above. Each entity may choose an event type for which to perform
the communications process test. It need not be performed for each and every event type listed in Attachment 1. The test must include all aspects of the
communications process, including NERC and the RE. The measure for R3 was revised to make it explicit that evidence for compliance for R3 includes an actual
event.
M3. The Responsible Entity shall provide evidence that it conducted a test of the communication process as documented in its Operating Plan impact events
created pursuant to Requirement R1, Part 1.3. Implementation of the communication process as documented in its Operating Plan for an actual impact event
may be used as evidence to meet this requirement. The time period between an actual impact event or test shall be no more than 15 months. Evidence may
include, but is not limited to, operator logs, voice recordings, or dated documentation of a test. (R3)
Exelon
No
- Each entity should be able to determine if they need a drill for a particular event. Is this document implying
that the annual drill covers all applicable [Impact] Events?
- A provision should be added to be able to take credit for an existing drill/exercise that could incorporate the
required communications to meet the intent of R.3 to alleviate the burden on conducting a standalone annual
drill. The DSR SDT needs to provide more guidance on the objectives and format of the drill expected (e.g.,
table top, simulator, mock drill).
- A provision should be added to R.3 to allow for an actual event to be used as credit for the annual
requirement. It would seem that the intent is as such based on the wording in M.3; however, it needs to be
explicit in the Requirement.
- Must a test include communicating to NERC or the Region?
Response: The DSR SDT thanks you for your comment. Each entity may choose an event type for which to perform the communications process test. It need
not be performed for each and every event type listed in Attachment 1. The test must include all aspects of the communications process, including NERC and the
RE. The measure for R3 was revised to make it explicit that evidence for compliance for R3 includes an actual event.
M3. The Responsible Entity shall provide evidence that it conducted a test of the communication process as documented in its Operating Plan impact events
created pursuant to Requirement R1, Part 1.3. Implementation of the communication process as documented in its Operating Plan for an actual impact event
may be used as evidence to meet this requirement. The time period between an actual impact event or test shall be no more than 15 months. Evidence may
include, but is not limited to, operator logs, voice recordings, or dated documentation of a test. (R3)
City of Tallahassee (TAL)
No
Comments: The verbiage “at least annually, with no more than 15 months between such tests” is an attempt
to define annually. If you want every 15 months say “at least every 15 months.” Otherwise just say annual
and let the entities decide what that is, as is being done with other “annual” requirements.
Additionally, while the Measure (M3) implies that an actual event would suffice it is not stated in the
requirement, and the entire plan should be tested, not just a component. Proposed: Each Responsible Entity
shall conduct a test of its Impact Event Operating Plan at least annually. A test of the Impact Event Operating
Plan can range from a paper drill, to the response to an actual event.
Response: The DSR SDT thanks you for your comment. The language now reads: “annually (once per calendar year), with no more than 15 calendar months
between tests”. This comports with the intent and with the recent CAN from NERC on the use of “Annual”. The intent of the requirement is to verify that an
entity’s personnel can communicate with other entities when a real event occurs. It is expected that such a test will include all aspects of the communications
process. The measure was revised to clarify that an actual event can be used in lieu of a test. R3 reads:
“Each Responsible Entity shall conduct a test of the communication process as documented in its Operating Plan, created pursuant to Requirement 1, Part 1.3,
impact events at least annually, (once per calendar year), with no more than 15 calendar months between tests.”
Tenaska
No
The proposed Impact Event Operating Plan should not be required, therefore any tests of the Operating
Process should not be required.
Response: The DSR SDT thanks you for your comment. Stakeholder consensus indicates that the majority of stakeholders agree with the Operating Plan
requirement.
American Municipal Power
No
No, remove R3. R3 is not an acceptable requirement nor should this be an operation. Focusing on a test is
overly prescriptive and costly. The only requirement should be to have an entity submit a report. Let the
entity decide how they want to implement the reporting.
Response: The DSR SDT thanks you for your comment. The intent of the requirement is to verify that an entity’s personnel can communicate with other entities
when a real event occurs. It is expected that such a test will include all aspects of the communications process. The measure was revised to clarify that an
actual event can be used in lieu of a test. This should not be a costly nor burdensome requirement.
Liberty Electric Power LLC
No
It is not the proper role of the standards to dictate how an entity conducts training. Large utilities with backup
control rooms and enough personnel can conduct routine drills without disturbing operations, but this is not
always the case for small entities. Further, classroom training where emergency responses are discussed can
be a better tool at times for assuring compliance with operating procedures. I would suggest R3 read "Each
entity shall assure that personnel are aware of the requirements of EOP-004 and capable of responding as
required.”
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees and has removed the training Requirement, R4.
Sweeny Cogeneration LP
No
We do not see a reliability benefit in the planning and execution of tests or drills to ensure that regulatory
reporting is performed in a timely fashion. It is sufficient that penalties can be assessed against entities that
do not properly respond in accordance with EOP-004-2, leaving it to us to determine how to avoid them.
Response: The DSR SDT thanks you for your comment. The intent of the requirement is to verify that an entity’s personnel can communicate with other entities
when a real event occurs. It is expected that such a test will include all aspects of the communications process. The measure was revised to clarify that an
actual event can be used in lieu of a test.
American Electric Power
No
It is unclear if actual events would qualify for a test in the requirement; however, the associated measure and
rationale appear to support this. We suggest the requirement be restated to allow for actual events to count
for this requirement.
Response: The DSR SDT thanks you for your comment. The intent of the requirement is to verify that an entity’s personnel can communicate with other entities
when a real event occurs. It is expected that such a test will include all aspects of the communications process. The measure was revised to clarify that an
actual event can be used in lieu of a test.
New Harquahala Generating Co.
No
M3. In the absence of an actual Impact Event, the Responsible Entity shall provide evidence that it conducted
a mock Impact Event and followed its Operating Process for communicating recognized Impact Events
created pursuant to Requirement R1, Part 1.3. The time period between actual and or mock Impact Events
shall be no more than 15 months. Evidence may include, but is not limited to, operator logs, voice recordings,
or documentation. (R3). The measure for R3 needs to make it clear that “exercise/drill/actual employment”
can be a classroom exercise, utilizing scenarios for discussion. It should not be necessary to fully test the
plan by making actual phone calls, notifications etc.
Response: The DSR SDT thanks you for your comment. The intent of the requirement is to verify that an entity’s personnel can communicate with other entities
when a real event occurs. It is expected that such a test will include all aspects of the communications process including making actual phone calls, etc. The
measure was revised to clarify that an actual event can be used in lieu of a test. The purpose of the requirement is to ensure that the communications process
works.
ISO New England, Inc
No
We appreciate and agree with the drafting team recognizes that actual implementation of the plan for a real
event should qualify as a “test.” However, we are concerned that review of this requirement in isolation and
without the benefit of the background material and information provided by the drafting team may cause a
compliance auditor to believe that a test cannot be met by actual implementation. Furthermore, we do not
believe testing a reporting procedure is necessary. Periodic reminders to personnel responsible for
implementing the procedure make sense but testing it does not add to reliability. If they don’t report an event,
it will become obvious to compliance auditors. Recommend using language similar to CIP-009. “Each
Responsible Entity shall conduct an exercise of its operating process for communicating recognized Impact
Events created pursuant to Requirement R1, Part 1.3 at least annually, with no more than 15 calendar
months between exercises.” An exercise can range from a paper drill, to a full operational exercise, to
reporting of actual incident. Also, we question the need to conduct a test annually. Since this is only a
reporting Standard and, as such, has no direct impact on reliability, we suggest modifying the testing
requirement to once every three years.
CIP-009-3
R.2 Exercises —The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s)
can range from a paper drill, to a full operational exercise, to recovery from an actual incident.
M2. The Responsible Entity shall make available its records documenting required exercises as specified in
Requirement R2.
Response: The DSR SDT thanks you for your comment. The intent of the requirement is to verify that an entity’s personnel can communicate with other
entities when a real event occurs. It is expected that such a test will include all aspects of the communications process. The measure was revised to clarify that
an actual event can be used in lieu of a test.
Calpine Corp
No
Absent substantial evidence that the proposed requirement addresses an actual systemic problem with actual
submittal of reports of electrical disturbances, Requirement R4 should be removed. Failure to properly report
events is currently sanctionable under CIP-001-1 and EOP-004-1 and will continue to be sanctionable under
proposed EOP-004-2. Entities are capable of implementing procedures appropriate to ensure compliance
with the actual reporting requirements without the addition of this “test.”
Alternately, if this requirement for annual tests is retained, it should be supplemented with a detailed example
of an acceptable test and acceptable documentation of the test to avoid future compliance and enforcement
issues. Stating “evidence may include, but is not limited to...” provides broad and unnecessary opportunity for
future compliance and enforcement issues. Any difficulty the committee might encounter in developing such a
detailed example would be instructive of the probable compliance and issues that would ensue from
implementation of the requirement.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The requirement is written so that it is not prescriptive
and allows the entity flexibility in how it tests its communications process.
BGE
No
Requirement 3 (formerly R4) should be removed altogether because it is covered by the new R4. The topic of
Disturbance Reporting is covered several times each year during operator training classes and the operators
are tested on the material. Actual issued Disturbance Reports throughout the year are also covered during
training class.
Response: The DSR SDT thanks you for your comment. R4 was a training requirement which has been revised and incorporated into Requirement R1, Part 1.5.
This now calls for an annual review of the Operating Plan rather than training. The intent of the review is to ensure that the plan is up to date.
Georgia System Operations Corporation
No
-With the current CAN on the definition of annual, we do not believe that the additional qualification that the
test shall be conducted "with no more than 15 calendar months between tests" is necessary. Although we
understand the additional qualification
Response: The DSR SDT thanks you for your comment. The CAN language defers to the standard drafting team for any qualifications on “annual.” The DSR
SDT prefers the existing language.
Indeck Energy Services
No
For smaller entities, for which few of the Attachment 1 events apply (e.g., a 75 MW wind farm), a drill is overkill.
Reviewing the procedure during training should be sufficient. The solution is to require a drill for any entity for
which any of the Attachment 1 events would cause a Reportable Disturbance or reportable DOE OE-417
event and training review for any other entities. The Violation Risk Factor should be Low, if any, because this
is historical reporting, with little or no reliability consequence.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. Any drill or exercise that meets the intent of the
requirement is acceptable.
VRF: With the revised standard, there are now three requirements. Requirement R1 specifies that the responsible entity have an Operating Plan for identifying
and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF. This requirement is administrative in nature and deals with
the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement
to analyze events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of Procedure and the Events
Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the specifics in Attachment 1 (R2) and to test the
communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is responsible for reporting events in accordance with
the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can communicate information about events. Requirement
R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential sabotage events. Part
of the reason to report these types of events is to make other entities aware to help prevent further sabotage events from occurring. Existing CIP-001-1a deals
with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for
both EOP-004 and CIP-001.
ExxonMobil Research and Engineering
No
The annual (15 month) time window for conducting annual performance tests appears to be reasonable.
However, the required scope of the test is vague. The Standard Drafting Team should modify the testing
requirement to include boundary criteria such as whether notifications to third parties and law enforcement
are required or if the test is limited to internal notifications and response processes. Furthermore, the current
measure associated with this requirement, EOP-004 Revision 2 Measure 3, implies that, if an Impact Event
occurs, the registered entity can count the activation of its Impact Event Operating Plan as a test and extend
the test window 15 months from the date of activation. The Standard Drafting Team should revise the
requirement to clarify that the test window resets when a site initiates its Impact Event Operating Plan in
response to a real Impact Event as requirement criteria should not be included in a measure.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. It is expected that such a test will include all aspects of the communications process. The measure was
revised to clarify that an actual event can be used in lieu of a test.
Occidental Power Marketing
No
We understand that this requirement is meant to comply with FERC Order 693, Section 466; however, there
needs to be more specificity concerning what sort of "test" would be accepted for auditing purposes. Also,
only LSEs with BES assets should be included in the Applicability section of the standard.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. The requirement is written so that it is not prescriptive and allows the entity flexibility in how it tests its
communications process.
Lincoln Electric System
No
As currently drafted, requirement R3 states one must “conduct a test” whereas the associated Measure
requests evidence that one “conducted a mock Impact Event.” The Rationale box lends to further confusion
by referencing a “drill or exercise” as a process to verify one’s Operating Process. To avoid potential
confusion between R3 and M3, as well as to maintain consistency with the Rationale box, recommend the
drafting team replace the word “test” with “drill or exercise” within R3 and the associated Measure.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. It is not a common practice to include explanatory text in
a requirement. The Results-based standards format allows the Rationale boxes to serve this role. The Rationale box includes language that indicates that an
actual implementation of the plan counts as a test.
Farmington Electric Utility System
No
The measure for R3 indicates an actual Impact Event would count as a test, consider aligning the requirement
with the measure to clarify an Impact Event could be considered a test.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. It is not a common practice to include explanatory text in
a requirement. The Results-based standards format allows the Rationale boxes to serve this role. The Rationale box includes language that indicates that an
actual implementation of the plan counts as a test.
Ingleside Cogeneration LP
No
Since the reporting of event data to regulatory agencies does not support a front-line operations capability to
mitigate or restore a BES impairment, regular simulations are not needed. Those notification items which test
coordination between operating entities can be addressed in emergency operations exercises.
Response: The DSR SDT thanks you for your comment. We concur with your comment. The DSR SDT intends for each Responsible Entity to verify that its
Operating Process for communicating recognized events is correct so that the entity can respond appropriately in the case of an actual event.
Constellation Power Generation
No
As CPG stated in comments to earlier versions of EOP-004-2, this requirement adds a substantial compliance
burden with little to no reliability improvement to the BES. Numerous entities in the NERC footprint have
created fleet wide compliance programs for their facilities, instead of overseeing multiple stand alone
compliance programs. This was done not just for the ease of administration, but it also greatly improves the
reliability of the BES by ensuring consistency across multiple facilities. By requiring each responsible entity to
test the Operating Process, those under a fleet wide compliance program will end up testing the same
Operating Process numerous times. This would be inefficient, ineffective and unnecessarily costly. If the
testing requirement remains, then the Responsible Entity should be able to take credit for testing of the
Operating Process regardless of which entity in the fleet tested it. Alternatively, the drafting team should
consider removing Requirement 3 (formerly R4) because in practice it is covered by the new R4. As
discussed below R4 needs refinement, but the topic of Disturbance Reporting is covered during annual
training.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. If the intent of this requirement is fulfilled by another
exercise or drill conducted by the responsible entity, then that will meet the requirement.
Duke Energy
Yes
We understand that the objective of this requirement is to test the Operating Process for communicating
Impact Events; and that such test could be an actual exercise, a formal review, or a real-time implementation.
But given that R1.4 requires updating the Operating Plan within 90 days of any changes, we believe the VRF
for R3 should be LOW instead of MEDIUM.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement R1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can
communicate information about events. Requirement R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Progress Energy
Yes
Do all individuals who are assigned roles and responsibilities in the Impact Event Operating Plan have to be
involved with the test each time? Since there are multiple different types of Impact Events, it seems likely
that only a subset of those Impact Events would be tested during an annual test, and therefore only a subset
of individuals with responsibilities in the Impact Event Operating Plan would participate. For example, one
test may exercise the Operating Process for properly reporting damage to a power plant that is a Critical
Asset, and personnel from the Distribution Provider would not be involved in that test. Would such a scenario
meet the requirement for the annual test? If so, it seems that some aspects of the Plan may never actually
be required to be tested. This is ok, since R4 requires an annual review with personnel with responsibilities
in the Impact Event Operating Plan. It must be made clear what is required in the annual test.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The requirement is written so that it is not prescriptive
and allows the entity flexibility in how it tests its communications process.
Manitoba Hydro
Yes
This requirement appears to be written so as to leave how each entity tests this procedure is up to them and
not how. The testing of this procedure could vary vastly from entity to entity, meaning there is no set protocol
on this procedure. As long as this requirement remains open, it is fair.
Response: The DSR SDT thanks you for your comment.
United Illuminating Co
Yes
FERC did state in Order 693 that the reporting procedure requires testing. UI is concerned that the scope of
the requirement is unspecified. Does the exercise require only one type of Impact Event to be exercised per
period, or is an entity required to simulate each Impact Event and notification
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. If your communications process differs by event type,
then all communications should be tested.
Southern Company
Yes
This will cause all of the entities listed in R1.3.2 to receive test communications from all of the applicable
entities annually.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The standard now has only three requirements. The
requirement to test the communications process is important so that any issues or errors in the Operating Plan can be identified. This will allow for reporting to
the appropriate entities in the case of an actual event.
SRP
Yes
SDG&E
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Arkansas Electric Cooperative
Corporation
Yes
Platte River Power Authority
Yes
Alliant Energy
Yes
CenterPoint Energy
Yes
USACE
Yes
Independent Electricity System
Operator
Yes
PPL Electric Utilities
Yes
American Transmission
Company
Yes
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
Brazos Electric Power
Cooperative
Yes
Midwest Reliability Organization
Yes
Western Electricity Coordinating
Council
Yes
Pacific Northwest Small Public
Power Utility Comment Group
Yes
PSEG Companies
Yes
Pepco Holdings Inc and Affiliates
Yes
9. Do you agree with the proposed revisions to Requirement 5 (now R4)? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: A significant number of commenters indicated that there was confusion surrounding the use of the
term “review” in Requirements R3 and R4. Similar comments suggested that the measure for Requirement R4 has a training
connotation, which is inconsistent with the language in the requirement, which uses the term “review.” The DSR SDT has
eliminated Requirement R4 and added a part to Requirement 1, Part 1.5, to require a process for ensuring that the event
Operating Plan is reviewed at least annually, with no more than 15 calendar months between review sessions. Eliminating R4
and adding Part 1.5 maintains the intent while eliminating potential confusion and redundancy.
Other commenters suggested revisions to the use of the term annual. The DSR SDT reviewed the NERC definition of Annual as
defined in the NERC Compliance Application Notice (CAN) CAN-0010, which provides drafting teams latitude to define the term
within a requirement as they intend it to be used.
Organization
Yes or No
Question 9 Comment
Georgia Transmission
Corporation & Oglethorpe
Power Corporation
No
We do not believe that the requirement should specify that the plan must be reviewed with those personnel
who have responsibilities identified in that plan as there is no requirement in R1 that the plan must identify
any specific personnel responsibilities. Additionally, we seek clarification on whether review in this instance
means train as indicated in the measure.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated requirement R4 and added a Part under Requirement R1, to require a
process for ensuring that the event Operating Plan is reviewed at least annually, with no more than 15 calendar months between review sessions. By adding
this Part to Requirement R1, the SDT has eliminated confusion and redundancy around the use of the term “review” and the training connotation in the
Measure.
Dominion
No
The need to periodically review its Impact Event Operating Plan has not been established and is overly
restrictive (annually) given that the purpose of the standard is to report Impact Events. Suggest removing this
requirement
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated requirement R4 and added a Part under Requirement R1, to require a
process for ensuring that the event Operating Plan is reviewed at least annually, with no more than 15 calendar months between review sessions. The DSR SDT’s
intent is to ensure that there is no gap in the review of the Operating Plan even though the plan has provision(s) for updating the event Operating Plan within
90 days of any change to its content. By adding this Part to Requirement R1, the SDT has eliminated confusion and redundancy around the use of the term
“review” and the training connotation in the Measure.
SPP Standards Review Group
No
There is confusion surrounding the use of the term review in R3 and R4. In R3 and the suggested revision to
M3 in Question 8, review is an analysis of the plan by a specific group tasked to determine if the plan requires
updating or modifying to remain viable. Review in R4 has training connotations for all personnel who have
responsibilities identified in the plan. Although we understand the use of review in R4 is new to this version of
EOP-004-2, we believe it may be more appropriate to use training rather than review in R4. And further, we
feel the training should be focused on those specific portions of the plan that apply to specific job functions.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated Requirement R4 and added a Part under Requirement R1, to require a
process for ensuring that the event Operating Plan is reviewed at least annually, with no more than 15 calendar months between review sessions. By adding
this Part to Requirement R1, the SDT has eliminated confusion and redundancy around the use of the term “review” and the training connotation in the
Measure.
FirstEnergy
No
We believe that Requirement 4 does not warrant a Medium risk factor. For example, a simple review of the
process does not have the same impact on the Bulk Electric System as the implementation of the Operating
Plan per R2. Therefore, we believe R4 is at best a Low risk to the BES.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated Requirement R4 and has re-evaluated the Violation Risk Factors for each
requirement. With the revised standard, there are now three requirements. Requirement R1 specifies that the responsible entity have an Operating Plan for
identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF. This requirement is administrative in nature and
deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a
requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of Procedure and the
Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the specifics in Attachment 1 (R2) and to test the
communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is responsible for reporting events in accordance with
the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can communicate information about events. Requirement 2
specifies that the responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential sabotage events. Part of
the reason to report these types of events is to make other entities aware to help prevent further sabotage events from occurring. Existing CIP-001-1a deals with
sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for both
EOP-004 and CIP-001.
We Energies
No
Include that this is for internal personnel as stated in the associated measure.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated Requirement R4 and the associated Measure.
Compliance & Responsibility
Organization
No
See comments set forth in number 2
Response: Thank you for your comments and suggestions. Please see responses to question 2.
Exelon
No
Need more guidance on what personnel are expected to participate in the annual review.
Training for all participants in a plan should not be required. Many organizations have dozens if not hundreds
of procedures that a particular individual must use in the performance of various tasks and roles. Checking a
box that states someone read a procedure does not add any value. This is an administrative burden with no
contribution to reliability. If the intention is that internal personnel who have responsibilities related to the
Operating Plan cannot assume the responsibilities unless they have completed training. This requirement
places an unnecessary burden on the registered entities to track and maintain a database of all personnel
trained and should not be a requirement for job function. A current procedure and/or operating plan that
addresses each threshold for reporting should provide adequate assurance that the notifications will be made
per an individual's core job responsibilities.
Response: Thank you for your comments. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The requirement is written so that it is not prescriptive
and allows the entity flexibility in how it tests its communications process.
City of Tallahassee (TAL)
No
The verbiage at least annually, with no more than 15 months between review sessions is an attempt to define
annually. If you want every 15 months say at least every 15 months. Otherwise just say annual and let the
entities decide what that is, as is being done with other annual requirements.
Response: Thank you for your comment. The DSR SDT took into consideration the CAN on the definition of “Annual” and wrote the requirement to meet the
intent of the team.
Tenaska
No
The proposed Impact Event Operating Plan should not be required.
Response: The DSR SDT thanks you for your comment. The DSR SDT considers the proposed event Operating Plan a document that identifies the activities
to achieve the purpose to improve industry awareness and the reliability of the Bulk Electric System.
The DSR SDT has revised R1 to only include
development of an Operating Plan that includes the sub-requirements of R1.
American Municipal Power
No
No, remove R4. R4 is not an acceptable requirement nor should this be an operation. Focusing on a plan
and personnel tracking is overly prescriptive. The only requirement should be to have an entity submit a
report. Let the entity decide how they want to implement the reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT has taken into consideration your comment, eliminated Requirement R4, and added
Requirement R1, Part 1.5. The SDT agrees that the Registered Entity can decide on how to implement the reporting; however, this requirement mandates
that the Registered Entity document its process.
Liberty Electric Power LLC
No
Again, the entity should determine the need for review of any procedure. Changing circumstances may dictate
a shorter cycle, but no changes could dictate a longer review. I will note that spill prevention plans are
required to be reviewed every five years, so I question the need for an 18-month review of the EOP plan.
Response: The DSR SDT thanks you for your comment. The review provisions are designed to ensure that contact information for internal and external
organizations are correct and up to date.
Arkansas Electric Cooperative
Corporation
No
We appreciate the effort the team has taken in improving the requirements since the last posting. We request
the team clarify if this also includes personnel observing and reporting the requirements or only those
specifically listed in the plan. The measure seems to indicate it only includes those listed in the plan, but this
is not clear in the requirement. If it includes those personnel involved in observing and notifying management,
then this might include a significant portion of the organization. In either case, we feel the requirement should
be modified as "review applicable portions of its Impact Event Operating Plan...."
Response: The DSR SDT thanks you for your comment. The training provisions of the standard have been removed. The DSR SDT intent is to ensure that
the Registered Entity has Operating Plan(s) for the identification of events, establishing which internal personnel are involved, identification of outside agencies
to be notified, and having a provision for updating the plan(s). The SDT feels that current Sabotage Reporting guidelines already provide much of the
information needed in the new R1.
Calpine Corp
No
Failure to properly report events is currently sanctionable under CIP-001-1 and EOP-004-1 and will continue
to be sanctionable under proposed EOP-004-2. Entities are capable of implementing procedures appropriate
to ensure compliance with the actual reporting requirements without the addition of a formal requirement to
annually review their internal procedures with personnel. In the unlikely event that an entity cannot attain this
level of operating competence without implementation of a new requirement, such Entities would be subject to
enforcement under Requirement R5. Absent substantial evidence of systemic problems by Entities in
contacting local law enforcement properly or failures to complete event reports to appropriate agencies when
provided with clear guidance on the events to be reported, this requirement is unnecessary.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R2 and revised Requirements R1 and R5 to address your
concern. Requirement R5 (now R2) reads:
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
ExxonMobil Research and
Engineering
No
It's unclear whether R4 is a training requirement to train all individuals who may be required to implement its
Impact Event Operating Plan on an annual basis or a requirement for an Entity to review the Impact Event
Operating Plan with at least one person from each position that has a role in the Impact Event Operating Plan
in order to complete a quality review of the Impact Event Operating Plan. The SDT should clarify the intent of
the requirement. If the intent is that both of the aforementioned interpretations are expected to occur, the SDT
should break R4 into two requirements so that an entity is not in violation of Requirement R4 when the entity
fails to comply with one of the two imbedded requirements (e.g. if the quality review is not performed but all
individuals were trained).
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R4 and added a new Part 1.5 under R1 to address your
concern. Part 1.5 calls for an annual review of the plan.
Constellation Power
Generation
No
The purpose of this requirement as currently worded is unclear. It seems to insinuate that a formal review of
the Operating Plan takes place annually, and that any and all personnel identified in the plant are part of the
review. If that is correct, then CPG believes this requirement is echoing Requirement 3. These two
requirements can be incorporated into one. Furthermore, the Measure for R4 is too prescriptive, going so far
as to specifically describe how this formal review should take place. It even states that the Responsible Entity
needs to present documentation showing that the personnel in the plan were trained, yet there is no
requirement for training. CPG would like the DSR SDT to revisit the purpose and intent of this requirement,
alone and in concert with R3. If they are indeed similar, then consolidate them into one requirement.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R4 and added a new Part 1.5 under R1 to address your
concern. Part 1.5 calls for an annual review of the plan.
Georgia System Operations
Corporation
No
With the current CAN on the definition of annual, we do not believe that the additional qualification that the
test shall be conducted "with no more than 15 calendar months between reviews" is necessary. Remove "with
no more than 15 calendar months between reviews."
Response: The DSR SDT thanks you for your comment. The SDT has revised the term annual to align with the definition in the NERC Compliance Application
Notice (CAN) CAN-0010.
SERC OC Standards Review
Group
Yes
We agree with the concept, but disagree with the use of the term Operating Plan as a defined term in line with
our comments in question 6 above.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the use of a defined term “Operating Plan” to describe the procedure to
identify and report the occurrence of a disturbance is appropriate and has revised Requirement R1 to remove the terms Operating Process and Operating
Procedure to eliminate confusion.
PJM Interconnection LLC
Yes
1. We agree with the concept but disagree with the use of the term Operating Plan as a defined term in line
with our comments to Question 6 above.
2. R4 attempts to define Annual for the Registered Entity to review its Impact Operating Plan. We believe R4
should follow the NERC definition of Annual as defined in the NERC Compliance Application Notice (CAN)
CAN-0010 Definition of Annual as opposed to creating a new definition of Annual or refer to an entity's
defined use of the term annual.
Response: The DSR SDT thanks you for your comment. Please see responses to question 6 above. The DSR SDT reviewed the NERC definition of Annual as
defined in the NERC Compliance Application Notice (CAN) CAN-0010. The NERC CAN provides drafting teams latitude to define annual within a Requirement as
they believe is appropriate in the context of a particular standard.
United Illuminating Co
Yes
As written it is a training burden. Certain persons will have only one step in one operating procedure to
perform. There is no necessity to review the entire Operating Plan with them. For example, Field Personnel
need to know that if they see something not right to report it immediately. In this instance there is no benefit
to review the Operating Procedure/Process for firm load shedding with them.
Response: The DSR SDT thanks you for your comment. The training requirement has been removed. The DSR SDT intends for each Responsible Entity to
verify that its Operating Process for communicating recognized events is correct so that the entity can respond appropriately in the case of an actual event.
The DSR SDT has removed R4 to eliminate potential confusion and redundancy around the training connotation.
Manitoba Hydro
Yes
Removing the extreme details within 30 days of revision and train before given responsibility and giving
leeway to when this training is necessary, will allow training to be integrated into other existing training
schedules. Inclusion of 5.3 and 5.4 would require unique set of time lines and additional resources to monitor
and implement.
Response: The DSR SDT thanks you for your comment. The training provisions of the standard have been removed.
Occidental Power Marketing
Yes
However, only LSEs with BES assets (or assets that directly support the BES) should be included in the
Applicability section of the standard.
Response: The DSR SDT thanks you for your comment. Attachment 1 specifies which types of events are required to be reported by each entity. LSE is
included here due to CIP-002-3 applicability.
Farmington Electric Utility
System
Yes
A review of the Impact Event Operating Plan can be interpreted as an informal examination of the plan. The
measure for R4 indicates evidence of a review, parties conducting the review AND when internal training
occurred. It should be clarified in R4 training is expected as part of the review for personnel with
responsibilities. This is an improvement from the previous 5.3 and 5.4, however, the team should consider
adding back, and review/training shall be conducted prior to assuming the responsibility in the plan.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R4 and added a new Part 1.5 under R1 to address your
concern. Part 1.5 calls for an annual review of the plan.
Ingleside Cogeneration LP
Yes
Yearly refresher training on the reporting process is appropriate. Ingleside Cogeneration also agrees that a
review with those individuals with assigned responsibilities under the Operating Plan is a better way to frame
the requirement.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R4 and added a new Part 1.5 under R1 to address your
concern. Part 1.5 calls for an annual review of the plan.
Indeck Energy Services
R4 is redundant with R3 and should be deleted. The Violation Risk Factor should be Low, if any, because
this is historical reporting, with little or no reliability consequence.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R4 and revised R3. With the revised standard, there are now
three requirements. Requirement R1 specifies that the responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1.
This is procedural in nature and justifies a “lower” VRF. This requirement is administrative in nature and deals with the means to report events after the fact.
The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement to analyze events. This standard relates
only to reporting events. The analysis portion is addressed through the NERC Rules of Procedure and the Events Analysis Program. The two remaining
requirements in EOP-004-2 are to report events based on the specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan
once per year (R3). Requirement R2 specifies that an entity is responsible for reporting events in accordance with the Operating Plan based on Attachment 1.
Requirement R3 is insurance to make sure that an entity can communicate information about events. Requirement R2 specifies that the responsible entity
must report an event to the appropriate entities. Some of these events are dealing with potential sabotage events. Part of the reason to report these types of
events is to make other entities aware to help prevent further sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the
approved VRFs for each of the requirements is “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Northeast Power Coordinating Council
Yes
Bonneville Power Administration
Yes
Midwest Reliability Organization
Yes
Western Electricity Coordinating Council
Yes
Pacific Northwest Small Public Power Utility Comment Group
Yes
PSEG Companies
Yes
Pepco Holdings Inc and Affiliates
Yes
Midwest ISO Standards Collaborators
Yes
Southern Company
Yes
SRP
Yes
SDG&E
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Sweeny Cogeneration LP
Yes
American Electric Power
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System Operator
Yes
ISO New England, Inc
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
CenterPoint Energy
Yes
PPL Electric Utilities
Yes
Lincoln Electric System
Yes
American Transmission Company
Yes
Duke Energy
Yes
City of Tacoma, Department of Public Utilities, Light Division, dba Tacoma Power
Yes
Question 9 Comment
No comments.
Brazos Electric Power Cooperative
Yes
Progress Energy
Yes
10. Do you agree with the proposed revisions to Requirement 6 (now R5) and the use of either Attachment 2 or
the DOE-OE-417 form for reporting? If not, please explain why not and if possible, provide an alternative that
would be acceptable to you.
Summary Consideration: The slight majority of commenters suggested revisiting R2 and R5 to eliminate potential
redundancy and confusion. The intent of the two requirements is to have entities utilize the DOE Form OE-417 to
report events listed on Attachment 1. If the entity completes DOE Form OE-417 to report an event, it does not
have to transcribe the same information onto Attachment 2 but may be required to submit the form to the DOE and
NERC. By eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the requirements.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the
events listed in Attachment 1.
Organization
Yes or No
Question 10 Comment
Northeast Power Coordinating Council
No
R5 stipulates the use of Attachment 2 or the DOE-417, which is the vehicle for reporting only. This is the how
part, not the what. The vehicle for reporting can easily be included in R2 where an entity is required to
implement (execute) the Operating Plan upon detection of an Impact Event. Suggest combining R2 with
R5.
Response: The DSR SDT thanks you for your comment. The DSR SDT has also eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential
redundancy.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
Dominion
No
Dominion does not agree because the Requirement is too restrictive giving the Responsible Entity the choice
on reporting forms as either Attachment 2 or DOE OE-417. The use of Attachment 2 or DOE OE-417 may be
appropriate when reporting to NERC, however, Requirement R 1.3.2 requires the Responsible Entity's Impact
Event Operating Plan to address notifications to non-NERC entities such as Law Enforcement or
Governmental Agencies. It is likely that these organizations have specific reporting requirements or forms
that will not line up with the options prescribed in Requirement R5. Suggest revising Requirement R5 to not require
the use of these two forms as the only options. If these 2 forms are used, suggest aligning the Event names in
Attachment 1 to be similar to the criteria for filing event names in the DOE OE-417 to allow for consistency.
Also suggest aligning the time to submit for similar event names in each form.
Response: The DSR SDT thanks you for your comment. The DSR SDT has revised Attachment 1 to indicate that entities must submit Attachment 2 or the DOE
OE-417 form. This information was contained in Requirement 5. The intent of the two requirements is to have entities make appropriate notifications and report
events contained in Attachment 1. By eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the requirements while eliminating
potential confusion and redundancy.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
The DSR SDT has enhanced Attachment 1 and clarified the intent of each event, threshold and reporting time limits. The DSR SDT removed the column, Time to
Submit Report and replaced it with Submit Attachment 2 or DOE OE-417 Report.
SPP Standards Review Group
No
We feel there is redundancy between R2 and R5. To eliminate this redundancy, we propose to take the
phrase "using the form in Attachment 2 or the DOE OE-417 reporting form" and add it at the end of R2.
Then what is left of R5 could be deleted. The new R2 would read "Each Responsible Entity shall implement its
Impact Event Operating Plan documented in Requirement R1 for Impact Events listed in Attachment 1 (Parts
A and B) using the form in Attachment 2 or the DOE OE-417 reporting form."
Response: The DSR SDT has revised Attachment 1 to indicate that entities must submit Attachment 2 or the DOE OE-417 form. This information was contained
in Requirement 5. The intent of the two requirements is to have entities make appropriate notifications and report events contained in Attachment 1. By
eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the requirements while eliminating potential confusion and redundancy.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
Midwest ISO Standards Collaborators
No
Requirement 2 and Requirement 5 appear to be very similar. Requirement 2 requires implementation of the
Operating Plan, Operating Process and/or Operating Procedure in Requirement 1. The Operating Procedure
requires gathering and reporting of information for the form in Attachment 2. What does Requirement 5 add
that is not already covered in Requirement 2 except the ability to use the DOE OE-417 reporting form which
Response: The DSR SDT thanks you for your comment. The intent of the two requirements is to have entities utilize the DOE Form OE-417 to report events
listed on Attachment 1. If the entity completes DOE Form OE-417 to report an event, they do not have to transcribe onto attachment 2 but may be required to
submit it to the U.S. Department of Energy (DOE) and NERC. By eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the
requirements.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
FirstEnergy
No
We believe that Requirement 5 does not warrant a Medium risk factor. Not using a particular form is strictly
administrative in nature and the VRF should be Low.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement R1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can
communicate information about events. Requirement R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
PJM Interconnection LLC
No
R5 seems redundant as R2 already requires an entity to report any Impact Events by executing/implementing
its Impact Event Operating Plan. R5 merely stipulates the use of Attachment 2 or DOE-417, which an entity
automatically would use for reporting purposes while implementing its Impact Event Operating Plan.
Response: The DSR SDT thanks you for your comment. The intent of the two requirements is to have entities utilize the DOE Form OE-417 to report events
listed on Attachment 1. If the entity completes DOE Form OE-417 to report an event, they do not have to transcribe onto attachment 2 but may be required to
submit it to the U.S. Department of Energy (DOE) and NERC. By eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the
requirements.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
Exelon
No
Agree that each Responsible Entity should be able to use either Attachment 2 or the DOE OE-417 form for
reporting; however, a GO/GOP will not have the ability to respond to Attachment 2 Task numbers 8, 9, 10, 11,
and 12. Suggest that the DSR SDT either evaluate a shortened form version, provide a note or provision for
"N/A" based on registration, or revise form to be submitted by the most knowledgeable functional entity (e.g.,
TOP or RC). Need clear guidance as to which form is to be used for which Impact Event, we feel that one and
only one form should be used to eliminate confusion. Attachment 2 has an asterisk on #s 7, 8, 9, 10 and 11
there is no reference corresponding to it.
Response: The DSR SDT thanks you for your comment. The DSR SDT has updated Attachment 2 per comments received.
Tenaska
No
R5 should be changed to Each Responsible Entity shall report Impact Events listed in Attachment 1 using the
form in Attachment 2 or the DOE OE-417 reporting form. This revised version of the proposed R5 is the only
Requirement that is necessary to achieve the stated purpose of Project 2009-01. The proposed R1 through
R4 should be deleted and R5 should be changed to R1.
Response: The DSR SDT thanks you for your comment. The SDT agrees the reporting is a fundamental aspect, but the operation plans are an integral piece of the
BES. The DSR SDT believes that the revisions created will provide clarity for the requirements. Please see the revised standard.
American Municipal Power
No
R5 is not an acceptable requirement, but it can be improved. Each Responsible Entity shall report "Impact
Events" to _____________ (address specified in attachment 1, website, entity, email address, or fax, etc.)
Focusing on a plan and procedure is overly prescriptive. The only requirement should be to have an entity
submit a report. Let the entity decide how they want to implement the reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential
redundancy. The SDT agrees that the Registered Entity can decide on how to implement the reporting; however, this requirement mandates that the
Registered Entity document its process.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
Arkansas Electric Cooperative Corporation
No
We appreciate the effort the team has taken in improving the requirements since the last posting. For R5, we
suggest including the reporting form as part of the plan in R1. Otherwise, a violation of R5 would also indicate
a violation of R2.
Response: The DSR SDT thanks you for your comment. The DSR SDT has also eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential
redundancy.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
American Electric Power
No
This should be one-step covered by the implementation in requirement 2. We like the ability to use one form
(i.e. NERC Attachment 2 or the DOE-417); however, we would prefer to have this information only be
reported once.
Response: The DSR SDT thanks you for your comment. EOP-004-2 allows entities to utilize the DOE Form OE-417 to report events listed on Attachment 1. If
the entity completes DOE Form OE-417 to report an event, they do not have to transcribe onto attachment 2 but may be required to submit it to the U.S.
Department of Energy (DOE) and NERC.
Consumers Energy
No
We understand that DOE is migrating to an on-line reporting facility rather than the email-submitted OE-417.
If they do so, Form OE-417 will not be available for providing to NERC, and the reporting specified by EOP-004 will be duplicative of that for DOE. We recommend that NERC, RFC and the DOE work cooperatively to
enable a single reporting system in which on-line reports are made available to all appropriate parties.
Response: The DSR SDT thanks you for your comment. The SDT agrees with the concept of the single reporting template and is working with other agencies to
see if the single form would be achievable.
Independent Electricity System Operator
No
R5 stipulates the use of Attachment 2 or the DOE-417, which is the vehicle for reporting only. This is the how
part, not the what. The vehicle for reporting can easily be included in R2 where an entity is required to
implement (execute) the Operating Plan upon detection of an Impact Event. We suggest the SDT combine R2
with R5.
Response: The DSR SDT thanks you for your comment. The DSR SDT has also eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential
redundancy.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
Ameren
No
The "Responsible Entity" should be limited to those functions with the most oversight such as the BA, RC, or
TOP. Otherwise there will be multiple DOE OE-417 reports sent by multiple entities.
Response: Thank you for your comments. The DSR SDT has reviewed and updated the entities that need to report an event. Some have been reduced to a
single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the ERO and others
with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received.
ISO New England, Inc
No
R5 stipulates the use of Attachment 2 or the DOE-417, which is the vehicle for reporting only. This is the how
part, not the what. The vehicle for reporting can easily be included in R2 where an entity is required to
implement (execute) the Operating Plan upon detection of an Impact Event. We suggest the SDT combine R2
with R5.
Response: The DSR SDT thanks you for your comment. The DSR SDT has also eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential
redundancy.
Calpine Corp
No
The use of DOE OE-417 is acceptable, but the language of Requirement R5 should be modified. The
disturbance event form must be filled out correctly, irrespective of the requirements of an Entity's Impact
Event Operating Plan. Reference to that Plan does not add clarity to the requirement to report events. The
requirement should delete the reference to the "Impact Event Operating Plan" and simply state: Each
Responsible Entity shall report events listed in Attachment 1 using the provided form, or where also required
to complete the current version of DOE OE-417, that form. Although one of the primary stated purposes of
the original SAR was to simplify the reporting process by creating a single form, the fact that some entities are
already required to report substantially identical information to DOE argues for retention of the use of the DOE
form.
Response: The DSR SDT thanks you for your comment. DSR SDT has deleted requirement 2 and revised requirements R1 and R5 (now R2) to address your
concern. The entire Attachment 1 has been updated to reflect the comments that were received.
BGE
No
Language needs to be more specific on when to use Attachment 2 or DOE-OE-417.
Response: The DSR SDT thanks you for your comment. Attachment 2 should be the normal reporting vehicle unless the entity is required to submit an OE-417
to the DOE. This keeps the entity from having to file two distinctly different reports for the same event.
Alliant Energy
No
We believe Attachment 2 should be deleted, and NERC should work with the DOE to have one form for all
events, if possible. It makes the reporting procedure much simpler, only having to use one form.
Response: The DSR SDT thanks you for your comment. EOP-004-2 allows entities to utilize the DOE Form OE-417 to report events listed on Attachment 1. If the
entity completes DOE Form OE-417 to report an event, they do not have to transcribe onto attachment 2 but may be required to submit it to the U.S. Department
of Energy (DOE) and NERC. The DSR SDT is currently working with the DOE to make revisions to Form OE-417 that would achieve the objective of your
comment. We will continue to pursue this.
ExxonMobil Research and Engineering
No
The notification requirement and documentation in Attachment 1 do not clearly identify which entities need to
be notified for each type of event detailed in Attachment 1. While it makes sense to notify the Reliability
Coordinator, NERC, Regional Entity, Law Enforcement and other Governmental Agencies for sabotage type
events, it does not seem proper to notify Law Enforcement agencies of a system disturbance that is unrelated
to improper human intervention. Furthermore, it is our belief that a time frame of 1 hour is a short window for
making a verbal notification to third parties, and an impossibly short window for requiring the submittal of a
completed form regardless of the simplicity. When a Petrochemical Facility experiences an impact event, the
initial focus should emphasize safe control of the chemical process. For those cases where registered
entities are required to submit a form within 1 hour, the Standard Drafting Team should alter the requirement
to allow for verbal notification during the first few hours following the initiation of an Impact Event (i.e. allow
the facility time to appropriately respond to and gain control of the situation prior to making a notification which
may take several hours) and provide separate notifications windows for those parties that will need to respond
to an Impact Event immediately and those entities that need to be informed that one occurred for the
purposes of investigating the cause of and response to an Impact Event. For example, a GOP should
immediately notify a TOP when it experiences a forced outage of generation capacity as soon as possible, but
there is no immediate benefit to notify NERC when site personnel are responding to the event in order to gain
control of the situation and determine the extent of the problem. The existing standards requirement to file an
initial report to entities, such as NERC, within 24 hours seems reasonable provided that proper real time
notifications are made and the Standard Drafting Team reinstates EOP-004 Revision 1's Requirement 3.3,
which allows for the extension of the 24 hour window during adverse conditions, into the requirement section
of EOP-004 [the current revision locates this extension in Attachment 1, which, according to input received
from Regional Entities, means that the extension would not be enforceable].
Response: The DSR SDT thanks you for your comment. The SDT envisions that each Registered Entity will develop Operating Plan(s) appropriate to meet its
obligations as outlined in the standard. The SDT doesn’t feel it necessary to prescribe to the Registered Entity any particular interpretation on how to achieve
compliance, including who the information should be reported to. The entire Attachment 1 has been updated to reflect the comments that were received.
American Transmission Company
No
Attachment 2, Task #14 in the report should be modified to read, Identify any known protection system
misoperation(s). If this report is filed quickly, there is not enough time to assess all operations to determine
any misoperation. As a case in point, it typically takes at least 24 hrs. to receive final lightning data; therefore,
not all data is available to make a proper determination of a misoperation
Response: The DSR SDT thanks you for your comment. The entire Attachment 1 has been updated to reflect your comment.
Constellation Power Generation
No
The requirements for filling out the DOE-OE-417 form are not necessarily the same as the requirements
prescribed in Attachment 1. CPG suggests that the drafting team create a new requirement, spelling out when
an entity is required to complete the DOE-OE-417 form.
Response: The DSR SDT thanks you for your comment. Any entity that is obligated to submit Form OE-417 may submit that completed form to NERC in lieu of
Attachment 2.
Georgia System Operations Corporation
No
R5: This standard should not require all Responsible Entities to report the same event. Entities should be
allowed to report in a hierarchical manner. They should be allowed to coordinate impact event plans and
include in their plans the entity that has the responsibility for reporting various events. Flexibility should be
allowed to provide different reporting entities depending on the type of event. In R5, does each Responsible
Entity shall report Impact Events in accordance with the Impact Event Operating Plan? Allow this hierarchical
reporting and flexibility? An entity should be allowed to report to another operating entity by whatever
reporting form or mechanism works and then the other entity reports to NERC using the required NERC or
DOE form. Add "To the extent that a Responsible Entity had an Impact Event," at the beginning of R5 and
M5.
Response: The DSR SDT thanks you for your comment. Each entity is required to report their portion of the event, however they can coordinate. The DSR SDT
has reviewed and updated the entities that need to report an event. Some have been reduced to a single entity where others have multiple entities. These
multiple entities will have different views of the event, and will be able to provide the ERO and others with different views of what has happened. The DSR SDT
understands that there may be multiple reports (for certain events) that are required by different government agencies. NERC will continue to streamline the
reporting process as we move into the future. The DSR SDT has also eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential redundancy.
Indeck Energy Services
No
The Violation Risk Factor should be Low, if any, because this is historical reporting, with little or no reliability
consequence.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement R1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can
communicate information about events. Requirement R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Bonneville Power Administration
Yes
Reporting form OK. Note that the Frequency Maximum/Minimum Section should be clarified. A Gen Loss
doesn't usually experience a high (maximum) frequency, just the low immediately following the event.
Response: The DSR SDT thanks you for your comment.
Midwest Reliability Organization
Yes
This will reduce any double reporting to the ERO and FERC.
PPL Supply
Yes
Reporting consistency and timelines may need to be reviewed for example: Fuel Supply Emergency - OE-417 requires reporting within 6 hours / Attachment 1 Part B requires reporting within 1 hour.
Response: The DSR SDT thanks you for your comment. The DSR SDT has significantly revised Attachment 1 and deleted Fuel Supply Emergency from
Attachment 1. This item was removed in coordination with the NERC Events Analysis Working Group and the proposed Events Analysis Program. All events are
now to be reported within 24 hours with the exception of Destruction of BES equipment, Damage or destruction of Critical Assets and Damage or destruction of
Critical Cyber Asset events in Part A and Forced Intrusion, Risk to BES equipment and Detection of a reportable Cyber Security Incident in Part B.
SERC OC Standards Review Group
Yes
We agree with the concept, but disagree with the use of the term Operating Plan as a defined term in line with
our comments in question 6 above.
Response: The DSR SDT thanks you for your comment. The SDT agrees with your viewpoint and believes that your statement is consistent with the intent of the
requirement. (refer to question 6)
United Illuminating Co
Yes
Put it’s before Impact Event Operating Plan.
Response: The DSR SDT thanks you for your comment. Please see the revised standard.
Manitoba Hydro
Yes
The DOE-OE-417 appears more intuitive and descriptive (and on line ability), but having the either or option is
fine. DOE-OE-417 Form is mentioned several times in this Standard, but no link to this document.
Response: The DSR SDT thanks you for your comment. Please see the revised standard.
CenterPoint Energy
Yes
CenterPoint Energy agrees with the idea of streamlining the reporting process through the use of existing
report forms. However, as noted in the response to Question 11, the Company has concerns about the DOE
OE-417 Form, specifically the timeframes in which to submit reports. CenterPoint Energy will be making the
same recommendation to extend reporting timeframes during the DOE OE-417 report revision process when
the current form expires on 12/31/11. Any future changes to the DOE Form could also impact reporting for
this requirement.
Response: The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes in Attachment 1 have been updated to reflect the
comments that the DSR SDT received. The DOE Form OE-417 is under review by the U.S. Department of Energy (DOE) and can be updated or changed without
NERC’s involvement. The DSR SDT has taken into consideration the use of OE-417 to report events to NERC and agrees that this will fulfill EOP-004-2’s reporting
requirements.
PPL Electric Utilities
Yes
We would like to suggest the language be changed such that submission via a NERC system would be
acceptable in addition to the use of the Attachment 2 Form or the DOE OE-417 form. The standard would
then accommodate the proposed revision to NERC Rules of Procedure 812. NERC will establish a system to
collect impact events reports??
Response: The DSR SDT thanks you for your comment. The SDT expects any system would facilitate the reporting to organizations specified in the submitted
report. Until such time that the system can be established, the Registered Entity will be obligated to make the notifications as specified in its Operating Plan(s).
The DSR SDT is currently working with the U.S. Department of Energy (DOE) to make revisions to Form OE-417 that would achieve the objective of your
comment, and will continue to pursue this.
Ingleside Cogeneration LP
Yes
Although our preference would be to have a single form, Ingleside Cogeneration realizes that is not likely in
the near term. We would like to see that remain as a goal of the project team or the ERO.
Response: The DSR SDT thanks you for your comment. The DSR SDT is currently working with the DOE to make revisions to Form OE-417 that would
achieve the objective of your comment, and will continue to pursue this.
Duke Energy
Yes
There is so much overlap between Attachment 2 and the DOE OE-417 that we believe the DOE OE-417
should be revised to include the additional items that must be reported to NERC, so that there is only one
form to submit to NERC and DOE.
Response: The DSR SDT thanks you for your comment. The DSR SDT is currently working with the DOE to make revisions to Form OE-417 that would achieve
the objective of your comment, and will continue to pursue this.
Western Electricity Coordinating Council
Yes
Pacific Northwest Small Public Power Utility Comment Group
Yes
PSEG Companies
Yes
Pepco Holdings Inc and Affiliates
Yes
Southern Company
Yes
SRP
Yes
We Energies
Yes
Compliance & Responsibility
Organization
Yes
SDG&E
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Liberty Electric Power LLC
Yes
Sweeny Cogeneration LP
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Platte River Power Authority
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
Brazos Electric Power
Cooperative
Yes
11. Do you agree with the proposed revisions to Attachment 1? If not, please explain why not and if possible,
provide an alternative that would be acceptable to you.
Summary Consideration: Most commenters expressed concerns with the reporting times listed in Attachment 1. Upon
review of comments received concerning Attachment 1, the DSR SDT did a thorough review and updated the entire document,
along with all Footnotes. The DSR SDT removed the column, Time to Submit Report and replaced it with Submit Attachment 2
or DOE OE-417 Report. There were many noted comments that a one hour reporting time frame does not coincide with an
after the fact reporting Standard. The DSR SDT reviewed each time frame to report and has extended most of the time frames
to 24 hours. There are a few events that have a one hour reporting requirement that was not changed because these are
events that would generally be reported to law enforcement authorities and prompt reporting is in the interest of BES reliability.
Duplicate reporting of events was minimized where possible. There are several events that will require reporting by multiple
entities to achieve a complete enough picture to facilitate industry awareness.
Organization
Yes or No
Question 11 Comment
Georgia Transmission Corporation & Oglethorpe Power Corporation
No
As stated above in response to question 6, we believe that a column should be added to the tables to
explicitly indicate what external organizations should receive the communications of a particular Impact Event
type. Additionally we have concerns with the following table items: Threshold for reporting Transmission Loss:
As stated, this will require the reporting of almost all transmission outages. This is particularly true taking into
consideration the current work of the drafting team to define the Bulk Electric System. The loss of a single
115kV network line could meet the threshold for reporting as the definition of Element includes both the line
itself and the circuit breakers. Instead, we recommend the following threshold "Three or more BES
Transmission lines." This threshold has consistency with CIP-002-4 and draft PRC-002-2. This threshold
also needs additional clarification as to the timeframe involved. Is the intent the reporting of the loss of 3 or
more BES Transmission Elements anytime within a 24 hour period or must they be lost simultaneously?
Also, we recommend that these three losses be the result of a related event to require reporting. Entity with
Reporting Responsibility for Loss of Off-site power to a nuclear generating plant (grid supply): The reporting
responsibility should clarify that this is only entities included in the Nuclear Plant Interface Requirements.
Response: The DSR DT thanks you for your comment. Upon review the DSR SDT has included a column to indicate the minimum parties who are required to
receive the entity’s notification. The Threshold for Reporting has been updated to reflect comments that have been received.
Northeast Power Coordinating Council
No
As indicated under Question 4, we question the need to include IA, TSP and LSE in the responsible entities
for reporting.
Response: The DSR DT thanks you for your comment. The DSR SDT has established that CIP-002 and CIP-008 are applicable to an IA, TSP, and LSE.
These entities will report a Cyber Security Incident per Attachment 2 (or OE-417) as the vehicle to inform the ERO, their Regional Entity and their Reliability
Coordinator.
Bonneville Power Administration
No
Generally OK, but there are too many events to report. The loss of 3 BES elements for a large geographic
entity for a (5 county?) windstorm that has little impact to the system is not needed. 3 elements within the
same minute could be acceptable and 6? elements still out within an hour ... or something to that effect could
work.
Response: The DSR DT thanks you for your comment. Upon review the DSR SDT has included a column to indicate the minimum parties who are
required to receive the entity’s notification. The Threshold for Reporting has been updated to reflect comments that have been received.
Midwest Reliability Organization
No
1) Section 9 of the Impact Reporting Form states: "List transmission facilities (lines, transformers, busses,
etc.) tripped and locked out.” But Part A of Attachment 1 states: "Three or more BES Transmission
Elements.” a. Should section 9 state: "List transmission facilities (lines, transformers, busses, etc.) tripped or
locked out"? b. Should section 9 state: "List transmission elements (lines, transformers, busses, etc.) tripped
or locked out"? This will align the reporting criteria with the actual reporting form. 2) Section 13 of the Impact
Reporting Form states: "Identify the initial probable cause or known root cause of the actual or potential
Impact Event if know at the time of submittal of Part I of this report:.” Recommend that "of Part I" be removed
since there is no Part 2. 3) Every Threshold in attachment 1 gives a clear measurable bright line, except:
"Transmission Loss". As presently written "Three or more BES Transmission Elements" could imply that a
Report will be required to be submitted if a BES transmission substation is removed from service to perform
maintenance. Or there could be three separate elements within a large substation that are out of service (and
don't affect each other) that will require a Report. Upon review of the TPL standards, there are normally
planned items that our industry plans for. It is recommended that the Threshold for Reporting of Transmission
Loss be enhanced to read: "Two or more BES Transmission Elements that exceed TPL Category D operating
criteria or its successor". This threshold now is based on an actively enforced NERC Standard, and each RC
and TOP are aware of what this bright line is.
Response: The DSR DT thanks you for your comment. Upon review the DSR SDT has included a column to indicate the minimum parties who are
required to receive the entity’s notification. The Threshold for Reporting has been updated to reflect comments that have been received. Attachment 2 has been
updated to reflect the changes noted in your comments and changes per the received comments.
PPL Supply
No
Recommendation: Add a column in Attachment 1 to acknowledge the events that require an OE-417 Report
and list the number under Schedule 1 that required Form OE-417 Report. This would add accuracy and
consistency among reporting entities.
Response: The DSR DT thanks you for your comment. The DOE Form OE-417 is under review by the DOE and can be updated or changed without
NERC’s involvement. The DSR SDT has taken into consideration the use of OE-417 to report events to NERC and agrees that this will fulfill EOP-004-2’s reporting
requirements.
Pacific Northwest Small Public
Power Utility Comment Group
No
The comment group is composed of smaller entities that do not all maintain 24/7 administrative support. While
many of the 1 hour reporting thresholds do not affect us, some do. Others may come into play as standards
are revised, such as the CIPs. We ask the SDT to consider the identification or verification that starts the
clock on these may come at inopportune times for meeting a one hour deadline for these entities. Restoration
may be delayed in an attempt to meet these time limits. Safety should always be the number one priority, and
restoration and continuity of service second. We see reporting of these events much further down the list. We
note that FERC order 693, paragraph 471 does not dictate a specific reporting time period and therefore we
suggest timing requirements that promote situational awareness but allow smaller entities needed flexibility.
FERC order 693, paragraph 470 directed the ERO to consider "APPA's concerns regarding events at
unstaffed or remote facilities, and triggering events occurring outside staffed hours at small entities." Our
comment group does not believe the SDT has adequately responded to APPA's concerns but rather took the
1 hour Homeland security requirement referenced in paragraph 470 verbatim. While a report within an hour
might be ideal, it is not always practicable. We suggest: 1) as soon as possible after service has been
restored to critical services within the service territory, or 2) By the COB the first business day after
discovery. Our comment group realizes the difficulty in wording standards/requirements that lump small
entities in with larger ones and we believe our suggestion achieves some balance. Expecting smaller entities
to achieve timing requirements that can only be normally met under ideal conditions at large entities is not
feasible or fair.
Response: The DSR DT thanks you for your comment. Upon review the DSR SDT has included a column to indicate the minimum parties who are
required to receive the entity’s notification. The Threshold for Reporting has been updated to reflect comments that have been received. EOP-004-2 requires an
entity to “push” information to certain parties for industry awareness. Since this Standard is an after the fact reporting Standard, reporting times for a majority of
event types have been extended to allow the impacted entity to recover from the event and then report. The
starting time to report is upon an entity’s recognition of the event, per the Submit Report column of Attachment 1.
PSEG Companies
No
For the reasons cited in response to question 4 above the language roles and responsibilities remain
inconsistent and unclear. The Time to Report changes are unreasonable and there is significant duplicate
reporting required.
Response: The DSR DT thanks you for your comment. Upon review the DSR SDT has included a column to indicate the minimum parties who are
required to receive the entity’s notification. The Threshold for Reporting has been updated to reflect comments that have been received. EOP-004-2 requires an
entity to “push” information to certain parties for industry awareness. Since this Standard is an after the fact reporting Standard, reporting times for a majority of
event types have been extended to allow the impacted entity to recover from the event and then report.
Dominion
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable
entity to report the event. This is duplicative and would appear to overburden the reporting system. 2) Loss
of off-site power (grid supply) reporting for nuclear plants is duplicative of reporting done to satisfy NRC
requirements. Given the activity at a nuclear plant during this event, this additional reporting is not desired.
3) Cyber intrusion remains an event that would need to be reported multiple times (e.g., this standard, OE-417, NRC requirements, etc.). 4) Since external reporting for other regulators (e.g., DOE, NRC, etc.) remains
an obligation of the Applicable Entity, suggest that Attachment 1 only contain impact events as defined in the
current version of EOP-004.
Response: The DSR DT thanks you for your comment.
The DSR SDT has reviewed and updated the functional entities that need to report an event.
Some have been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to
provide the ERO and others with a different view of what has happened. The DSR SDT understands that there may be multiple reports (for certain events) that
are required by different governing agencies. NERC will continue to streamline the reporting process in the future.
Pepco Holdings Inc and Affiliates
No
The entity responsible for reporting is not clear. Is the initiating entity the same as requesting entity or
implementing entity? In the paper it indicates the DT intent is for the entity that performs the action or is
directly affected will report. It seems that the proposal would result in a significant amount of duplicate
reporting.
Response: The DSR DT thanks you for your comment. The DSR SDT believes it is clear that the reporting entity is the entity that experiences an event or
initiates the event (per Threshold for Reporting in Attachment 1). The DSR SDT will ensure that the supporting guideline clearly states this. The DSR SDT has
reviewed and updated the entities that need to report an event. Some have been reduced to a single entity where others have multiple entities. These multiple
entities will have different views of the event, and will be able to provide the ERO and others with a different view to what has happened.
SPP Standards Review Group
No
Threshold for Reporting – Some of the thresholds used to trigger event reporting seem arbitrary. For example,
why were three BES Transmission Elements selected for the transmission loss trigger? What's significant
with three? There may be situations where one element can impact reliability more than other situations
where three or more lines may be lost. The defining line should be impact to reliability, not a simple count of
elements. Also, timing of the loss of these elements is important. If the three elements are lost over a 3-day
span, does this trigger an event report? We would think not and would like to see that clarification in the
standard. Public appeals – Some entities may utilize load reduction (Demand Response, interruptible loads,
etc) in the normal course of daily operation in lieu of committing additional generation resources. Because this
is not an Energy Emergency as defined in the NERC Glossary, would such an event trigger the filing of an
Impact Event report under EOP-004-2? We would like clarification on this issue. Multiple entity reporting
responsibility – Several of the triggering events in Attachment 1 list multiple entity reporting responsibility. The
SDT needs to clarify precisely who has the actual reporting responsibility for those events. For example, if a
DP loses ≥ 300 MW (or ≥ 200 MW depending on size) of load who files the report? Is it the DP, TOP, BA or
RC? Attachment 1 would lead us to believe all four are required to file reports. This redundancy is
unnecessary and creates unneeded paperwork. Surely this redundancy is not the intent of the SDT. Reporting
timeframe – The timeframes for reporting these after-the-fact reports need to be thoroughly reviewed and, we
believe, realigned. Which is more important to the reliability of the BES, operating and controlling the BES
following an Impact Event or filing a report describing that event? Most operating desks are staffed by a single
operator at nights and on weekends. Their focus should be on operating the system, not filing a report with
NERC or DOE within one hour. There appears to be inconsistency in the reporting times among the triggering
events. There doesn't appear to be any logic regarding how the times were selected. Shouldn't impact to the
reliability of the BES be that basis? Why is a BA with 50 MW of load who makes a public appeal to customers
for load reduction required to report within 1 hour while an IROL violation doesn't need to be reported for 24
hours? Clearly the IROL violation has a greater impact on the reliability of the BES. Therefore, shouldn't
these types of reports be filed sooner than those events with less impact on BES reliability? Risk to BES
equipment – The Threshold for Reporting this event indicates that only those events associated with a non-environmental physical threat should be reported. The train derailment example in the footnote then
conversely describes just such an environmental threat with flammable or toxic cargo. Which should it be?
Additionally, how does one determine the applicability of a potential threat? Is this time dependent, is it threat
dependent, how do we factor all this in?
Response: The DSR DT thanks you for your comment. The DSR SDT believes it is clear that the reporting entity is the entity that experiences an event or
initiates the event (per Threshold for Reporting in Attachment 1). The DSR SDT will ensure that the supporting guideline clearly states this. The DSR SDT has
reviewed and updated the entities that need to report an event. Some have been reduced to a single entity where others have multiple entities. These multiple
entities will have different views of the event, and will be able to provide the ERO and others with a different view to what has happened. The entire Attachment
1 has been updated to reflect the comments that were received.
FirstEnergy
No
Nuclear facilities should be explicitly excluded from the events which have CIP standards as the threshold for
reporting since they are exempt from the CIP standards.
Response: The DSR DT thanks you for your comment. The DSR SDT understands that nuclear facilities are exempt from CIP Standards but the Loss of
Off Site Power to a nuclear generating plant is a Transmission Owner’s and Transmission Operator’s responsibility and needs to be reported to the ERO and their
Regional Entity for the follow up as described by the Event Analysis Program.
SERC OC Standards Review
Group
No
While we agree with the changes made, we do not believe the goal of eliminating duplicate reporting has
been accomplished. In addition, the threshold for transmission loss does not adequately translate to previous
"loss of major system components" which had a threshold of "significantly affects the integrity of
interconnected system operations".
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received.
PJM Interconnection LLC
No
There is still a significant amount of duplicate reporting involved in Attachment 1, which needs to be cleared.
See comments to Question 4.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received.
We Energies
No
It appears that the footnotes only apply one place in the table. Place the footnote in the table where it
applies. Voltage Deviations on BES Facilities: 10% compared to what? Rated? Forced Intrusion: "At a BES
facility" facility or Facility?
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. The
Footnotes have been reviewed and updated per comments received.
LG&E and KU Energy LLC
No
In Attachment 1, the existing EOP-004-1 Attachment 1, point 6 includes an "Or" for the entities (RC, TOP,
GOP) for a, b and c. The way the SDT has pulled this apart, they have included the GOP as having an
impact on the Voltage Deviations on BES Facilities. The TOP monitors the transmission system and directs
GOPs when they need to change in order to protect the system reliability. This is not something the GOP is
responsible for monitoring. The GOP is required to be at the TOP assigned voltage schedule and that
actually falls under VAR-002 already. Please remove the GOP from the line of "Voltage Deviations on BES
Equipment." The way EOP-004-1 Attachment 1 point 6 is currently written, the GOP is an "or" and does fall
into parts b or c, where part 6b is similar to the proposed line "Damage or destruction of BES equipment"
identified in the proposed EOP-004-2 Attachment 1. However, currently the GO/GOP reports "Loss of Major
System Components" on EOP-004-1 within 24 hours of determining damage to the equipment. The
proposed "One hour" is too tight of a window as the GO/GOP often do not know the extent of damage that
soon. Typically the OEM is called upon to come and do a thorough inspection and assess the extent of
damage, or if there even is any damage; once the "loss of major system components" is determined, then
the 24 hour clock begins today.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received.
Compliance & Responsibility
Organization
No
See comments set forth in number 2
Exelon
No
Attachment 1, Part A – Energy Emergency requiring Public appeal for load reduction – In the current draft
Standard, the applicability has been revised from an RC and BA to "initiating entity." As a GO/GOP, I cannot
see any event where a GO/GOP would be the responsible "initiating entity" or have the ability to determine an
"Energy Emergency." Suggest revising back to specific entities that would be likely responsible for this action
(e.g., RC, BA, TOP). Attachment 1, Part A – Energy Emergency requiring system-wide voltage reduction – In
the current draft Standard, the applicability has been revised from an RC, TO, TOP, and DP to "initiating
entity." As a GO/GOP, I cannot see any event where a GO/GOP would be the responsible "initiating entity" or
have the ability to determine an "Energy Emergency" related to system-wide voltage reduction. Suggest
revising back to specific entities that would be likely responsible for this action. Attachment 1, Part A – Voltage
Deviations on BES facilities - A GOP may not be able to make the determination of a +/- 10% voltage
deviation for ≥ 15 continuous minutes, this should be a TOP RC function only. Attachment 1, Part A –
Generation Loss of ≥ 2,000 MW for a GOP does not provide a time threshold. If the 2,000 MW is from a
combination of units in a single location, what is the time threshold for the combined unit loss? Suggest that a
time threshold be added for clarity. Attachment 1, Part A – Loss of off-site power (grid supply) affecting a
nuclear generating station – this event applicability should be removed in its entirety for a Nuclear Plant
Generator Operator. The impact of loss of off-site power on a nuclear generation unit is dependent on the
specific plant design, if it is a partial loss of off-site power (per the plant specific NPIRs) and may not result in
a loss of generation (i.e., unit trip). If a loss of off-site power were to result in a unit trip, an Emergency
Notification System (ENS) would be required to the Nuclear Regulatory Commission (NRC). Depending on
the unit design, the notification to the NRC may be 1 hour, 8 hours or none at all. Consideration should be
given to coordinating such reporting with existing required notifications to the NRC as to not duplicate effort or
add unnecessary burden on the part of a Nuclear Plant Generator Operator during a potential transient on the
unit. In addition, if the loss of off-site power were to result in a unit trip, if the impact to the BES were ≥2,000
MW, then required notifications would be made in accordance with the threshold for reporting for Attachment
1, Part A – Generation Loss. However, to align with the importance of ensuring nuclear plant safe operation
and shutdown as implemented in NERC Standard NUC-001, if a transmission entity experiences an event
that causes an unplanned loss of off-site power (source) as defined in the applicable Nuclear Plant Interface
Requirements, then the responsible transmission entity should report the event within 24 hours after
occurrence. In addition, replace the words "grid supply" to "source" to ensure that notification occurs on an
unplanned loss of one or multiple sources to a nuclear power plant. Suggest rewording as follows (including
replacing the words "grid supply" to "source" and adding in the word "unplanned" to eliminate unnecessary
reporting of planned maintenance activities in the table below):
Event: Unplanned loss of off-site power to a Nuclear generating plant (source) as defined in the applicable Nuclear Plant Interface Requirements (NPIRs)
Entity with Reporting Responsibility: Each transmission entity responsible for providing services related to NPIRs (e.g., RC, BA, TO, TOP, TO, GO, GOP) that experiences the event causing an unplanned loss of off-site power (source)
Threshold for Reporting: Unplanned loss of off-site power (source) to a Nuclear Power Plant as defined in the applicable NPIRs.
Time to Submit Report: Within 24 hours after occurrence
Attachment 1, Part A – Damage or destruction of BES equipment – The event criteria is still ambiguous and does not provide
clear guidance; specifically, the determination of the aggregate impact of damage may not be immediately
understood – it does not seem reasonable to expect that the 1 hour report time clock starts on identification of
an occurrence. Suggest that the 1 hour report time clock begins following confirmation of event.
- The initiating event needs to explicitly state that it is a physical and not cyber.
- If the damage or destruction is
related to a deliberate act, consideration should also be given to coordinating such reporting with existing
required notifications to the NRC and FBI as to not duplicate effort or add unnecessary burden on the part of
a nuclear GO/GOP during a potential security event (see additional comments in response to item 17 below).
Attachment 1, Part A – Damage or destruction of Critical Cyber Asset – The events that are associated with
Critical Cyber Assets should be removed from this Standard. Critical Cyber Asset related events are better
addressed in the reporting of Cyber Security Incidents which is already included in Attachment 1, Part B and
the CIP standards currently require details about Critical Cyber Assets to be protected with access to that
information restricted to only specifically authorized personnel. Attachment 1, Part A – Damage or destruction
of Critical Asset – The events that are associated with Critical Assets should be removed from this Standard.
Critical Assets are typically whole control centers, substations or generation plants and the damage or
destruction of individual pieces of equipment at one of these locations will usually not have much impact to
the BES. Any important impacts located at these sites are already addressed in the other existing [Impact]
Event types or would be addressed in the Cyber Security Incident event which is already included in
Attachment 1, Part B. The CIP standards also currently require that details about Critical Assets and Critical
Cyber Assets must be protected with access to that information restricted to only specifically authorized
personnel. The identification of Critical Asset is also only an interim step used to identify the Critical Cyber
Assets that need to have cyber security protections and the NERC Project 2008-06 CSO706 Standards
Drafting Team is currently expecting to eliminate the requirement to identify Critical Assets in the draft
revisions they are currently working on. Attachment 1, Part B – Forced intrusion at a BES facility –
Consideration should also be given to coordinating such reporting with existing required notifications to the
NRC and FBI as to not duplicate effort or add unnecessary burden on the part of a nuclear GO/GOP during a
potential security event (see additional comments in response to item 17 below). Attachment 1, Part B – Risk
to BES equipment from a non-environmental physical threat – this event leaves the interpretation of what
constitutes a "risk" with the reporting entity. Although the DSR SDT has provided some examples, there
needs to be more specific criteria for this event as this threshold still remains ambiguous and will lead to
difficulty in determining within 1 hour if a report is necessary. Consideration should also be given to
coordinating such reporting with existing required notifications to the NRC and FBI as to not duplicate effort or
add unnecessary burden on the part of a nuclear GO/GOP during a potential security event (see additional
comments in response to item 17 below). Attachment 1, Part B – Detection of a reportable Cyber Security
Incident – Although the DSR SDT agreed that there may be confusion between reporting requirements in this
draft and the current CIP-008, "Cyber Security – Incident Reporting and Response Planning", Part B now
requires a 1 hour report after occurrence. The DSR SDT should verify the timing and reporting required for
these Cyber Security Incident events is coordinated with the NERC Project 2008-06 CSO706 Standards
Drafting Team.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received. The DSR
SDT has worked closely with NERC Staff, the Event Analysis Working Group, Project 2008-06 and the U.S. Department of Energy to ensure that EOP-004-2
captures what FERC has directed and will improve the reliability of the BES.
SDG&E
No
For "Detection of a reportable Cyber Security Incident," Attachment 1 identifies the threshold for reporting as:
"that meets the criteria in CIP-008 (or its successor)"; however, CIP-008 has no specified criteria, so this is
an unusable threshold. Additionally, SDG&E recommends that the timing of any follow-up and/or final reports
required by the standard be listed in the Attachment 1 table.
Response: The DSR DT thanks you for your comment. CIP-008 states that an entity will report a Cyber Security Incident to the ES-ISAC. EOP-004-2,
Attachment 2 is the vehicle to report a Cyber Security Incident. It is also required to be sent to their RC which will give them the industry awareness of a single
event or is it a multiple event within their area.
City of Tallahassee (TAL)
No
One hour should be expanded. While I realize the importance of getting information to
NERC/ESISAC/whoever, most of the 1-hour requirements are tied to events that may not be resolved within
one hour. This will result in stopping restoration efforts or monitoring to submit paperwork. Calling in
additional assistance, while certainly a possibility, may not be feasible to accomplish in sufficient time to meet
the one-hour deadline. If any of these events were to truly have a detrimental effect on the BES, the effects
would have already been felt. Recommend all 1-hour reports be extended to 4-hours. This should also be
placed on the list to modify Form OE-417 report time lines.
Consideration of Comments on Disturbance & Sabotage Reporting – 2009-01
Organization
Yes or No
Question 11 Comment
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received. The DOE
Form OE-417 is not governed by NERC but the DSR SDT is proposing to allow an entity to use it to report an event in lieu of Attachment 2.
Lakeland Electric
No
Event – Transmission loss. Threshold for Reporting – Revise to "Loss of three or more BES Transmission
elements within a 15 minute period". This change would capture a sequence of transmission element losses
and remove the question of timing that will arise if other transmission elements trip, cascade, due to loss of the
first element. There may also be a need for a footnote to clarify that a transmission element that is removed
from service by a transmission operator to prevent uncontrolled cascading would be classified as a loss
(something for the SDT to consider). Event – Energy Emergency requiring Public appeal for load
reduction. Threshold for Reporting – Add a footnote: Repeated public appeals for the same initiating Impact
Event shall be reported as one Public Appeal Event. The initiation and release to the media of the Public
appeal(s) should be the reportable event. Question: would an internal request to large industrial customers for
voluntary load reductions be reportable under this Event?
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received. Demand
responsive load is not covered within this proposed Standard unless it fulfills a Threshold of Reporting within Attachment 1. Footnotes have been updated to
reflect comments received.
Arkansas Electric Cooperative
Corporation
No
We appreciate the effort the team has taken in improving the requirements since the last posting. Event
Forced Intrusion: The timeframe is very small given the possibly minimal risk to the BES. It often takes much
longer than 1 hour after verification of intrusion to determine the intrusion was only for copper theft. We
suggest a 24 hour time frame or tie the timeframe to the "verification of forced intrusion."
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
Manitoba Hydro
No
Reporting for CCA's should be limited to damage associated with a detected cyber security incident.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Damage
or destruction of Critical Cyber Assets is per CIP-002 and may not fall into the category of Cyber Security Response as outlined by an entity.
Sweeny Cogeneration LP
No
In Attachment 1, Part A, Generator Operators who experience a ± 10% sustained voltage deviation for ≥ 15
continuous must issue a report. For externally driven events, the GOP will have little if any knowledge of the
cause or remedies taken to address it. We believe the language presently in EOP-004-1 is satisfactory that
any "action taken by a Generator Operator" that results in a voltage deviation has to be reported by the GOP.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
American Electric Power
No
The time to submit a report for the inclusion of the damage or destruction of BES equipment, critical asset, or
critical cyber asset is too aggressive. The critical cyber asset reporting is redundant with CIP-008.
Furthermore, reporting equipment failures within an hour for Critical Assets is going to overwhelm operators
that need to focus on the restoration efforts. Self-evident equipment failures at a Critical Asset (such as a
tube leak at a generator which is a Critical Asset) should not be required to be reported. Maybe the wording
should be stated as an "abnormal occurrence" rather than "equipment failure." It would be helpful if there
was a defining or a footnote that defines the nature and/or duration for loss of some equipment. For example,
is a transmission loss for sustain or momentary outages?
Response: The DSR DT thanks you for your comment. The Implementation Plan for this project now includes a provision to retire the requirement in CIP-008 for reporting (Requirement 1, Part 1.3). The entire Attachment 1 has been updated to reflect the comments that were received.
USACE
No
The "Potential Reliability Impact" table should be taken out. Referred to previous comment on our position on
potential impacts.
Response: The DSR DT thanks you for your comment. The DSR SDT believes that potential events are required to be reported to provide industry
awareness.
Consumers Energy
No
1. In reference to the Impact Event addressing "Loss of Firm load for greater than or equal to 15 minutes",
this is likely to occur for most entities most frequently during storm events, where the loss of load builds slowly
over time. In these cases, exceeding the threshold may not be apparent until a considerable time has lapsed,
making the submittal time frame impossible to meet. Even more, it may be very difficult to determine if/when
300 MW load (for the larger utilities) has been lost during storm events, as the precise load represented by
distribution system outages may not be determinable, since this load is necessarily dynamic. Suggest that
the threshold be modified to "Within 1 hour after detection of exceeding 15-minute threshold". Additionally,
these criteria are specifically storm related wide spread distribution system outages. These events do not
pose a risk to the BES.
2. Many of the Impact Events listed are likely to occur, if they occur, at widely-distributed system facilities, making reporting "Within 1 hour after occurrence is identified" possibly
impractical, particularly in order to provide any meaningful information. Please give consideration to clearly
permitting some degree of investigation by the entity prior to triggering the "time to submit".
3. Referring to the
"Transmission Loss" Impact Event, please provide more specificity. Is this intended to address:
- anytime that three or more BES Transmission Elements are out of service,
- only when three or more BES Transmission Elements are concurrently out-of-service due to unscheduled events,
- only when three or more BES Transmission Elements are simultaneously automatically forced out-of-service, or
- only when three or more BES Transmission Elements are forced from service in some proximity to each other?
It is not unusual, for a large transmission system, that this many elements may be concurrently forced out-of-service
at widely-separated locations for independent reasons.
4. Referring to the "Fuel Supply Emergency" Impact
Event, OE-417 requires 6-hour reporting, where the Impact Event Table requires 1-hour reporting. The
reporting period for EOP-004-2 should be consistent with OE-417.
5. For that matter, the SDT should carefully
compare the Impact Event Table with OE-417. Where similar Impact Events are listed, consistent
terminology should be used, and identical reporting periods specified. Where the Impact Event Table
contains additional events, they should be clarified as being distinct from OE-417 to assist entities in
implementation. Further, since OE-417 must be reviewed and updated every three years, EOP-004 should
defer to the reporting time constraints within OE-417 wherever listed in order to assure that conflicting
reporting requirements are not imposed.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed ‘Loss of Firm Load’ as a reporting event, and believe the reporting
requirement currently approved in EOP-004-1 should remain in EOP-004-2. The DSR SDT has removed the ‘Fuel Supply Emergencies’ event after considering
comments the DSR SDT received on this event. The DOE Form OE-417 is reviewed biennially by the DOE and can be updated or changed without NERC’s
involvement. The DSR SDT has taken into consideration the use of Form OE-417 to report events to NERC and agrees that this will fulfill EOP-004-2’s reporting
requirements. The entire Attachment 1 has been updated to reflect the comments that were received.
Independent Electricity System
Operator
No
As indicated under Q4, we question the need to include IA, TSP and LSE in the responsible entities for
reporting.
Response: The DSR DT thanks you for your comment. The DSR SDT has established that CIP-002-4 and CIP-008-3 are applicable to an IA, TSP, and LSE.
These entities will report a Cyber Security Incident per Attachment 2 (or OE-417) as the vehicle to inform the ERO, their Regional Entity and their Reliability
Coordinator.
Ameren
No
See response to question 4.
Response: The DSR DT thanks you for your comment. Please see question 4 response.
ISO New England, Inc
No
As indicated under Q4, we question the need to include IA, TSP and LSE in the responsible entities for
reporting. There is still significant duplicate reporting included. For instance, why do both the RC and TOP to
report voltage deviations? As written, a voltage deviation on the BES would require both to report. The same
would hold true for IROLs. Perhaps IROLs should only be reported by the RC to be consistent with the
recently FERC approved Interconnection Reliability Operating Limit standards. Also, the CIP reporting
requirements duplicate what is already contained in the CIP Standards, specifically CIP-008. Also, we are
required to intentionally destroy Critical Cyber Assets when they are retired, why would we be required to
report this?
Response: The DSR DT thanks you for your comment. The DSR SDT has established that CIP-002-3 and CIP-008-3 are applicable to an IA, TSP, and LSE.
These entities will report a Cyber Security Incident per Attachment 2 (or OE-417) as the vehicle to inform the ERO, their Regional Entity and their Reliability
Coordinator. If a Critical Cyber Asset (CCA) was to be retired, the entity would declassify it as a CCA and therefore it would not be required to be reported. The
Implementation Plan for this project now includes a provision to retire the requirement in CIP-008 for reporting (Requirement 1, Part 1.3)
Calpine Corp
No
1. Additional clarity on the nature of reportable "Fuel Emergencies" is needed. Does loss of interruptible gas
transportation require reporting?
2. Additional clarity on the threshold for "damage or destruction of BES
equipment" is needed. Footnote 1 on page 16 states, in part "Significantly affects the reliability margin of the
system (e.g. has the potential to result the need for emergency actions". For generating facilities, does this
system (e.g. has the potential to result the need for emergency actions?. For generating facilities, does this
statement refer specifically to the parallel requirement to report any loss of generation >= 2,000 in the Eastern
or Western Connection or >= 1,000 in the ERCOT or Quebec Interconnection? If not, exactly what level of
damage at a generating plant requires reporting? Use of imprecise terms such as "significantly" sets the
stage for future compliance and enforcement confusion.
3. Additional clarity is required for "Detection of
reportable Cyber Security Incident." Is this item intended to apply only to Critical Cyber Assets, or is it an
extension of the requirement to all applicable entities irrespective of their Critical Asset status? If it applies
only to Critical Cyber Assets, does this reporting requirement create redundant reporting (as reporting is
already required under CIP-008-4)? CIP-008-4 requires reporting only of events affecting Critical Cyber
Assets. If a more expansive application is intended, what equipment or systems are to be included in the
reporting requirement?
Response: The DSR DT thanks you for your comment. The event of Fuel Supply Emergencies has been removed per comments the DSR SDT received.
The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes in Attachment 1 have been updated to reflect the comments
that the DSR SDT received. Damage to BES equipment’s footnote has been enhanced to mean that the BES piece of equipment is required to be removed from
service. CIP-008 states that an entity will report a Cyber Security Incident to the ES-ISAC. EOP-004-2, Attachment 2 is the vehicle to report a Cyber Security
Incident.
BGE
No
For the following Events (Damage or destruction of BES equipment, Damage or destruction of Critical Asset,
and Damage or destruction of a Critical Cyber Asset), submitting a report within 1 hour after occurrence is
identified is too short of a time frame. Generally, the initial time period is spent in recovering from the
situation and restoring either electric service or restoring computer services to assure proper operations. To
distract from the restoration to normal activities to focus on a report would be detrimental to reliability.
Notification of an event may perhaps be made by phone call within 1 hour but completing a report should be
required no less than 6 or 12 hours. Determining a cause (especially external or intentional) could take longer
than 1 hour to determine and complete a report. It is important to consider the imposition created by a
compliance obligation and weigh it against the other demands before the operator at that time. A compliance
obligation should avoid becoming a distraction from reliability related work. Under impact event type
scenarios, in the first hour of the event, the primary concern should be coping with/resolving the event.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes
in Attachment 1 have been updated to reflect the comments that the DSR SDT received. Damage to BES equipment’s footnote has been enhanced to mean that
the BES piece of equipment is required to be removed from service.
Alliant Energy
No
The item relating to Loss of Firm Load for > 15 minutes should be revised to 500 MW and 300 MW. For many
companies, a storm moving across their system could cause more than 300 MW of firm load to be lost, but
there is no impact on the BES, so why does the detailed reporting need to be done? The items relating to
"damage or destruction" need to be revised to not be so wide. As currently written, a plan by a company to
raze a facility could be considered a violation and must be reported. We believe it needs to be tightened to
malicious intent or human negligence/error.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed Loss of Firm load and believe the reporting requirement presented
approved in EOP-004-1 is substantial and should remain within EOP-004-2. If a Critical Cyber Asset (CCA) was to be retired, the entity would declassify it as a
CCA and therefore it would not be required to be reported.
CenterPoint Energy
No
(1) CenterPoint Energy believes that the "Entity with Reporting Responsibility" for the first three events in
Part A should be clarified. There could still be confusion regarding the "initiating entity" for events where one
entity directs another to take action. From the text on page 5 of the Unofficial Comment Form, it appears that
the SDT intended for the "initiating entity" to be the entity that takes action. To make this clear in Attachment
1, CenterPoint Energy recommends replacing "initiating entity" with "Each (insert applicable entities) that
(insert action)". For example, for "Energy Emergency requiring a Public appeal" the Entity with Reporting
Responsibility should be "Each…that issues a public appeal for load reduction".
(2) Part A: The threshold for
reporting "System Separation" should not be fixed at greater than or equal to 100 MW for all entities, but
rather should be scaled to previous year's demand as in "Loss of Firm load for greater than or equal to 15
minutes", so that for entities with demand greater than or equal to 3000 MW, the island would be greater than
or equal to 300MW.
(3) Part A: The one hour reporting requirements are unreasonable and burdensome. The
Background text indicates that "proposed changes do not include any real-time operating notifications…"
CenterPoint Energy believes all one hour reporting requirements could potentially divert resources away from
responding to the event. In many instances the event may still be developing within one hour. Likewise, the
24 hour reporting requirements are also burdensome. CenterPoint Energy recommends changing all
reporting requirements to 48 hours. CenterPoint Energy acknowledges that the DOE OE-417 report requires
certain one hour and 6 hour reporting. Those requirements should also be extended, and CenterPoint Energy
will be making the same recommendation during the DOE OE-417 report revision process when the current
form expires on 12/31/11.
(4) Part B: CenterPoint Energy is very concerned with the "events" listed under
Attachment 1 – Potential Reliability Impact – Part B and believes Part B should be deleted. These arbitrary
"events" with "potential reliability impact" and reporting times place unnecessary burden on entities to report
"situations" that would rarely impact the reliability of the BES. Entities should be aware of developing
situations; however, this standard should not require reporting of such occurrences.
(5) Part B: Of particular
concern is the overly broad "Risk to BES equipment" and the example provided in the footnote. CenterPoint
Energy believes the SDT has already identified the events with the greatest risk to impact the BES in Part A.
Also including "potential reliability impact" situations in Part B inappropriately dilutes attention away from the
truly important events. The industry, NERC and FERC should not lose sight of the forest for the trees.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes
in Attachment 1 have been updated to reflect the comments that the DSR SDT received. The DOE Form OE-417 is under review by the DOE and can be updated
or changed without NERC’s involvement. The DSR SDT has taken into consideration the use of OE-417 to report events to NERC and agrees that this will fulfill
EOP-004-2’s reporting requirements.
ExxonMobil Research and
Engineering
No
The notification requirement and documentation in Attachment 1 do not clearly identify which entities need to
be notified for each type of event detailed in Attachment 1. While it makes sense to notify the Reliability
Coordinator, NERC, Regional Entity, Law Enforcement and other Governmental Agencies for sabotage type
events, it does not seem proper to notify Law Enforcement agencies of a system disturbance that is
unrelated to improper human intervention. Furthermore, it is our belief that a time frame of 1 hour is a short
window for making a verbal notification to third parties, and an impossibly short window for requiring the
submittal of a completed form regardless of the simplicity. When a Petrochemical Facility experiences an
impact event, the initial focus should emphasize safe control of the chemical process. For those cases where
registered entities are required to submit a form within 1 hour, the Standard Drafting Team should alter the
requirement to allow for verbal notification during the first few hours following the initiation of an Impact Event
(i.e. allow the facility time to appropriately respond to and gain control of the situation prior to making a
notification which may take several hours) and provide separate notifications windows for those parties that
will need to respond to an Impact Event immediately and those entities that need to be informed that one
occurred for the purposes of investigating the cause of and response to an Impact Event. For example, a
GOP should immediately notify a TOP when it experiences a forced outage of generation capacity as soon as
possible, but there is no immediate benefit to notify NERC when site personnel are responding to the event in
order to gain control of the situation and determine the extent of the problem. The existing standard's
requirement to file an initial report to entities, such as NERC, within 24 hours seems reasonable provided that
proper real time notifications are made and the Standard Drafting Team reinstates EOP-004 Revision 1's
Requirement 3.3, which allows for the extension of the 24 hour window during adverse conditions, into the
requirement section of EOP-004 [the current revision locates this extension in Attachment 1, which, according
to input received from Regional Entities, means that the extension would not be enforceable].
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes
in Attachment 1 have been updated to reflect the comments that the DSR SDT received.
PPL Electric Utilities
No
We very much appreciate the work performed by SDT and consideration of all the comments received. While
we agree with the majority of the Attachment 1 changes, we suggest the SDT add further clarification to
Attachment 1, Part A, Event 'Transmission Loss'. Does this mean permanent loss? Do two lines and a pole
constitute a loss of three elements? E.g. Consider the loss of a 230 kV line with two tapped transformers.
This does not have a significant effect on the BES, yet would it be reportable? We would prefer Attachment
1, Part A, "Threshold Reporting" be clarified. E.g. 'Three or more "unrelated" pieces of equipment for a
single event'.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes
in Attachment 1 have been updated to reflect the comments that the DSR SDT received.
Lincoln Electric System
No
While LES supports the bright line criteria listed in Attachment 1 for reporting Impact Events, we have
concerns regarding the reporting threshold for "Transmission loss". For Transmission loss of three or more
Transmission Elements, LES supports the MRO NSRS' suggested wording of "Two or more BES
Transmission Elements that exceed TPL Category D operating criteria or its successor."
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
American Transmission
Company
No
Energy Emergency requiring Public Appeal
ATC believes that the phrase "initiating entity" is unclear and
could be interpreted in multiple ways. 1) the entity has the authority to call for public appeals, 2) the entity has
the authority to declare an Energy Emergency, or 3) the entity determines and identifies the need for the
Energy Emergency.
Typically the BA's call for public appeals, so does every BA that calls for the public appeal
have to make a filing? The RC declares the need for an Energy Emergency, so are they the initiating entity? A
TOP could also identify the need for public appeals and notify the RC about the request. In this case, is the
TOP the initiating entity? Given the above examples, ATC believes that the SDT needs to clarify who is
required to make the filing.
Voltage Deviations on BES Facilities
ATC believes that this should be clarified
because one may assume that a loss of a single bus in which voltage goes to zero for more than 15 minutes
is reportable. It is ATC's understanding that what the SDT means is a voltage dip, not an outage to a BES
facility. However, given the brief description, ATC is not 100% sure whether there is a clear understanding of
the standard's intent.
Energy Emergency resulting in automatic firm load shedding
Please provide additional clarity.
ATC believes that the SDT should not use the term "Impact Event" when identifying the entity with
reporting responsibility. The term "Impact Event" is identified in the standard and points to Attachment 1 but
now is being used outside of that context and requires entities to interpret what qualifies as an Impact
Event.
The above observation also applies to those other events that use the term "Impact Event" to describe
Reporting Responsibility.
Footnote 1: ATC would like the phrase "as determined by the equipment owner"
added to the footnote. This simple phrase will allow entities to be sure that they are responsible for
determining if the damage significantly affects the reliability margin of the system. Without this phrase,
entities could be subject to non-compliance actions based on differences of opinions to the extent of the
damage on the system. The other option the SDT has is to provide additional clarity on what qualifies as a
significant affect.
Time to Submit Report:
ATC strongly disagrees with the 1 hour time to submit a report
because it does not fit with the purpose of this standard. The purpose of this standard is to increase
awareness, however, requiring a one-hour reporting window following the event provides little to no benefit.
ATC believes that these events should have a 24 hour reporting window which allows for a reasonable
amount of time to gather information and report the issue. If the SDT disagrees with this observation, ATC
believes a complete explanation should be provided on why knowledge of an event within an hour is
significantly better than having the knowledge of the event in a 24 hour time period. ATC strongly believes
that NERC will gain as much or more knowledge of the event by giving entities time to understand the event
and report.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
Duke Energy
No
• Attachment 1 contains three reportable events (Damage or destruction of Critical Asset, Damage or
destruction of a Critical Cyber Asset, and Detection of a reportable Cyber Security Incident) that overlap with
CIP-008-3 Cyber Security Incident Reporting and Response Planning and could result in redundant or
conflicting content between the two standards. We propose either of the following options:
1. Remove the requirement for reporting these events from EOP-004-2 and add the timing and reporting requirements into
CIP-008-3, R1.3. "Process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing
and Analysis Center (ES-ISAC). The Responsible Entity must ensure that all reportable Cyber Security
Incidents are reported to the ES-ISAC either directly or through an intermediary."
OR
2. Replace the reporting requirement in CIP-008-3, R1.3. with a reference to report as required in EOP-004-2.
• Also, as noted in our
comment to Question #4 above, the Attachment 1 Section "Entity with Reporting Responsibility" should just
identify "Initiating entity" for every Event, as was done with the first three Events. That way you avoid errors
in leaving an entity off, or including an entity incorrectly (as was done with the GOP on Voltage Deviations).
We note that LSE is listed in the standard as an Applicable entity, and should be included in Attachment 1.
Our suggestion would handle this oversight. We also note that CIP-001 does not include Distribution Provider
in the list of applicable entities, but EOP-004-2 does include the DP.
• We reiterate our comment to Question
#1 above that the DSR SDT statement that the proposed changes do not include any real-time operating
notifications is inconsistent with requiring notification within one hour for thirteen of the twenty listed Events in
Attachment 1.
• The last six events refer to the entity that experiences the potential Impact Event. We believe
that the word "potential" should be struck, as this creates an impossibly broad reporting requirement.
• Footnote 1 should be revised to strike the phrase "has the potential to" from the parenthetical, as this creates
an impossibly broad reporting requirement.
• The Impact Event "Risk to BES equipment" should be revised to
"Risk to BES equipment that results in the need for emergency actions". The accompanying footnote 4
should be revised to read as follows: Examples could include a train derailment adjacent to BES equipment
(e.g. flammable or toxic cargo that would cause the evacuation of a BES facility control center), or a report of
a suspicious device near BES equipment.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. CIP-008
states that an entity will report a Cyber Security Incident to the ES-ISAC. EOP-004-2, Attachment 2 is the vehicle to report a Cyber Security Incident. The DSR
SDT has reviewed and updated the entities that need to report an event. Some have been reduced to a single entity where others have multiple entities. These
multiple entities will have different views of the event, and will be able to provide the ERO and others with a different view of what has happened. The DSR SDT
understands that there may be multiple reports (for certain events) that are required by different government agencies. NERC will continue to streamline the
reporting process as we move into the future.
Constellation Power Generation
No
CPG has the following concerns regarding Attachment 1:
• Real-Time - On page 5 of the proposed standard,
the team noted that "the proposed changes do not include any real-time operating notifications." However,
several events in Attachment 1 require that documentation be completed and submitted to the ERO within 1
hour. For generation sites that are unmanned, or only have 1 to 2 operators on site at all times, a 1 hour
requirement is not only onerous but is essentially "real time."
• Response within 1 hour - It is important to
consider the imposition created by a compliance obligation and weigh it against the other demands before the
operator at that time. A compliance obligation should avoid becoming a distraction from reliability related
work. Under impact event type scenarios, in the first hour of the event, the primary concern should be coping
with/resolving the event. Other notification requirements exists based on required agency response relative to
the concern at hand (e.g. public evacuations, fire assistance, etc.) Notification within an hour under EOP-004
does not appear to represent a relevant benefit to resolving the situation and the potential cost would be
borne by reliability and recovery efforts. Anything performed within the first hour of the event must be to
benefit the public or benefit the restoration of power.?Damage or destruction of BES equipment ? the
reporting requirement of 1 hour is extremely onerous. A good example is the failure of a major piece of
equipment at a remote combustion turbine generation site. Combustion turbine generation sites are not
usually manned with many people. If a failure of a major piece of equipment were to occur, the few people on
site need to complete communications to affected entities, communications to their management, as well as
emergency switching and ensuring that no other pieces of equipment are affected or harmed. There is little time to complete a form in 1 hour. This should be changed to 48 hours. The form is also inadequate for this type of event.
o Using the example above of a failure of a major piece of equipment, CPG is not sure if it's reportable per Attachment 1, which further proves that Attachment 1 is not clear. Per the footnote regarding damage to BES equipment, the failure would not be reportable, as it does not affect IROL, given the information at the plant it does not significantly affect the reliability margin of the system, and was not damaged or destroyed due to intentional or unintentional human action. However, it would be reportable per the table as the table states "equipment failure" and "external cause." Clarification is needed.
- Damage or destruction of Critical Asset – This item should be removed or significantly refined. For generation assets, a critical asset is essentially the entire plant, so in many cases the information reported at this level would not be useful if the valuable details reside at the equipment level. If it is not removed, then see the notes above on the 1 hour requirement for the completion of the form.
- Fuel supply emergency – 1 hour for reporting the document is unreasonable. See the earlier notes.
- Risk to BES equipment – "From a non-environmental physical threat" This item is too vague and subjective. A catch all category to capture a broad list of potential risks is problematic for entities to manage in their compliance programs and to audit. This should be removed.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
Georgia System Operations
Corporation
No
Energy Emergency requiring public appeal for load reduction:
- The NERC Glossary defines "Energy Emergency" as a "condition when a Load-Serving Entity has exhausted all other options and can no longer provide its customers' expected energy requirements." Per EOP-002, an Energy Emergency Alert may be initiated by the RC upon RC sole discretion, upon BA request, or upon LSE request.
- Question: Is it intended that the LSE reports the event if the LSE requests an alert, the BA reports the event if the BA requests an alert, and the RC reports it if it is a RC sole discretion decision? What if an alert is not initiated? Is it an Energy Emergency? Is it an impact event? Who must initiate the public appeal? Since it must be reported within a certain time after the issuance of the public appeal, is it not an impact event until after the initiation of the public appeal (which should be after the initiation of the alert)? Shouldn't the reporting of the impact event be done by the initiator of the public appeal? The event should probably be the public appeal and not the Energy Emergency.
- "Public" should not be capitalized.
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or explained.
Energy Emergency requiring system-wide voltage reduction: See Energy Emergency requiring public appeal for load reduction above regarding requesting Energy Emergency Alerts. If this event is to be reported within a certain time after "the event", at what time is the event marked? Or is it within a certain time after the initiation of the voltage reduction and, if so, shouldn't the reporting of the impact event be done by the initiator of the voltage reduction? The event should probably be the system-wide voltage reduction and not the Energy Emergency. The reliability objective
of this standard is not achieved by NERC knowing of this within 1 hour and NERC does not need to know this within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or explained.
Energy Emergency requiring manual firm load shedding:
- See Energy Emergency requiring public appeal for load reduction above regarding requesting Energy Emergency Alerts. If this event is to be reported within a certain time after "the event", at what time is the event marked? Or is it a certain time after the initiation of the shedding of load, if so, shouldn't the reporting of the impact event be done by the initiator of the shedding of the load? If the RC directs a BA to shed load, then the BA directs a DP to do it, then the DP sheds the load, who is the initiator of the load shedding? The event should probably be the firm load shedding and not the Energy Emergency.
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or explained.
Energy Emergency resulting in automatic firm load shedding:
Whenever load is automatically shed both the DP and the TOP "experience" the event. So does the BA and the LSE. This event includes "or" between "DP" and "TOP." Is that intentional? Other events in the table do not include either an "and" or an "or." The entities are separated only by commas. NERC should not require multiple entities to report the same event. See comment for R5 above. If a DP "experiences" an automatic load shedding doesn't the TOP also experience it? Both should not report the same event.
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or explained.
Voltage deviations on BES Facilities:
- Should GOs/GOPs be required instead to report to BAs when this condition exists with the BA then reporting to NERC? The idea of a deviation "on BES Facilities" is not clear. On any one Facility? On all Facilities in an area? How wide of an area?
- "Voltage Deviation" is not proper noun/name and is not defined in the NERC Glossary. It should not be capitalized.
IROL violation: Multiple entities should not report the same event. Please define "IROL Violation" or use lowercase. It is assumed that "IROL Violation" means operation "outside the IROL for a time greater than IROL TV."
Loss of firm load for ≥ 15 minutes:
- Multiple entities should not report the same event. The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or explained. "Firm Demand" is defined but not "Firm load."
System separation (islanding):
- Multiple entities should not report the same event. A DP separating from the transmission system should not be a reportable event for a DP in and of itself. If it leads to a sufficient loss of load, it is reportable as above.
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or explained. The words "separation" and "islanding" should not be capitalized.
Generation loss:
- Should GOs/GOPs be required instead to report to BAs when their generation is lost with the BA then reporting to NERC when the total is ≥ 2,000 MW? A "loss" of generation should be clarified. Is the discovery of damaged equipment in an offline plant which makes the plant unavailable for an extended period of time a "loss" of generation?
- It should be clarified if this event means the concurrent loss of the generation or losing the generation non-concurrently
but they are concurrently unavailable. What is the time window for losing the generation? Lost within seconds of each other? Minutes? Hours?
Loss of off-site power to a nuclear generating plant (grid supply):
- Multiple entities should not report the same event.
- "Off" should be lowercase.
Transmission loss:
- RCs should not be required to report the loss of transmission elements to NERC. A "loss" of a BES Transmission Element should be clarified. It should be clarified if this event means the concurrent loss of elements or the non-concurrent loss of the elements but they are concurrently unavailable. What is the time window for losing the elements? When elements are lost, it will be difficult to differentiate if they are BES Transmission Elements or not. Alarms don't immediately identify this. It could lead to gross over-reporting if no distinction is made by a TOP and the TOP reports all losses of 3 elements. It may still be over-reporting (from a reasonableness/practicality basis) even if the differentiation could be easily made and only BES Transmission Elements are reported. Threshold for reporting Transmission Loss: As stated, this will require the reporting of almost all transmission outages. This is particularly true taking into consideration the current work of the drafting team to define the Bulk Electric System. The loss of a single 115kV network line could meet the threshold for reporting as the definition of Element includes both the line itself and the circuit breakers. Instead, we recommend the following threshold "Three or more BES Transmission lines." This threshold has consistency with CIP-002-4 and draft PRC-002-2. This threshold also needs additional clarification as to the timeframe involved. Is the intent the reporting of the loss of 3 or more BES Transmission Elements anytime within a 24 hour period or must they be lost simultaneously? Also, we recommend that the three losses be the result of a related event to require reporting.
Damage or destruction of BES equipment that i. affects an IROL; ii. significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency actions); or iii. damaged or destroyed due to intentional or unintentional human action (Do not report copper theft from BES equipment unless it degrades the ability of equipment to operate correctly, e.g., removal of grounding straps rendering protective relaying inoperative.):
- What is "BES equipment"? Would an operator know which equipment is BES equipment and which is not or which BES equipment affects an IROL (if we had one) or which does not? It is a judgment call as to whether the effect was significant or not or if it has the potential or not. Multiple entities should not report the same event.
Unplanned control center evacuation:
- "Control Center" should be lowercase.
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or explained.
Fuel supply emergency:
Multiple entities should not report the same event. Should GOs/GOPs be required instead to report to BAs when they have a fuel supply emergency with the BA then reporting to NERC if the situation is projected to require emergency action at the BA level?
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or explained.
Loss of all monitoring or voice communication capability (affecting a BES control center for ≥ 30 minutes):
- Does this event mean that ALL capability at both the primary and backup control centers or just one?
Forced intrusion at a BES facility (report if you cannot reasonably determine likely motivation, i.e., intrusion to steal copper or spray graffiti is not reportable unless it affects (affects – not effects) the reliability
of the BES):
- What is a "BES facility"? It is not clear for the purposes of complying with this standard what it means to affect the reliability of the BES. Deferred for ECMS review and additional comments.
Risk to BES equipment (examples include a train derailment adjacent to BES equipment that either could have damaged the equipment directly or has the potential to damage the equipment, e.g., flammable or toxic cargo that could pose fire hazard or could cause evacuation of a BES facility control center, and report of suspicious device near BES equipment.):
- In the footnote, delete "could have" from "…either could have damaged…" Something that could cause evacuation of a control center does not pose a risk to damaging BES equipment. The threshold is "from a non-environmental physical threat" but the example (toxic cargo) IS an environmental threat.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. The DSR
SDT reviewed the term ‘Energy Emergency’ and has removed it from Attachment 1.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
The one hour reporting timeline is unrealistic for this event. In general it looks like other events requiring the 1
hour reporting timeline are for events that are "initiated" by the system operator. (i.e., load shedding, public load
reduction, EEP?). Loss of BES equipment is in general 24 hour reporting timeline. It should be, "as soon as
possible but within 24 hours."
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
Indeck Energy Services
No
Comments were included in previous comments.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
BC Hydro
For the change from 24hr to 1hr reporting for events, 1 hour goes extremely quickly in these types of events
and it will be difficult to report anything meaningful. As the RC is kept informed during the event why is the
report required within 1hr?
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. EOP-004-2 is an after the fact reporting Standard. The entity experiencing an event is required to inform their RC per other NERC Standards.
Brazos Electric Power
Cooperative
No
Question applicability to DP.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received.
Progress Energy
No
Progress Energy appreciates the effort of the Standard Drafting Team, but we do have some issues with the content of Attachment 1. The loss of three Transmission Elements can occur with a single transmission line outage. Progress is concerned that the possible frequency of this type of reporting could be an extreme burden. Under the column "Entity with Reporting Responsibility," why do all related entities have to report the same event? (i.e. do the RC and the TOP in the RC footprint both have to report an event, or is it either/or? The word "Each" implies separate reports. What is the Reliability-based need for both an RC and the BA/TOP/GO within the footprint to file the same report for the same event?) For vertically integrated companies it should be clear that only one report is required per Impact Event that will cover the reporting requirements for all registered entities within that company.
The "damage or destruction of BES equipment" footnote contains the language "Significantly affects the reliability margin…." The word significantly should not be used in a Standard because it is subjective. Reliability margin is also undefined. System Operators must be trained on how to comply with the Standard, and thus objective criteria must be developed for reporting. "1 hour after occurrence" places a burden on System Operators for reporting when response to and information gathering dealing with the Impact Event may still be occurring. There is a note that states that the timing guidelines may not be met "under certain conditions…" but then requires a call to both its Regional Entity and notification to NERC. The focus should be on the event response and this type of reporting should occur "within an hour or as soon as practical." It is unclear what the voltage deviations of +10% based on (i.e. is that +-10% of nominal voltage? This may require new alarm set-points to be placed in service in Energy Management Systems in order for entities to be able to prove in an audit that they reported all occurrences of voltage exceeding the 10% limit for 15 minutes or more. It has been stated by Regional Entity audit and enforcement personnel that attestations cannot be used to "prove the positive.")
The word "potential" should be removed from Attachment 1 and from the definition of Impact Event. An event is either an Impact Event or not. If an entity has to evacuate its control center facility temporarily for a small fire, or any other such minor occurrence, then it activates its EOP-008 compliant backup control center, and there is no impact to reliability, then why does there need to be a report generated?
The "Forced Intrusion" category is problematic. The footnote 3 states: "Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless it effects (sic) the reliability of the BES)." "Reasonably determine likely motivation" makes this subjective. If someone breaks into a BES substation fence to steal copper, is interrupted and leaves, then entity personnel determine someone tried to break into the substation, but cannot determine why, then this table requires a report to be filed within an hour. It is unclear what the purpose of such a report would be. Progress agrees that multiple reports in a short time across multiple entities may indicate a larger issue.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes
have been updated per comments received.
Liberty Electric Power LLC
Yes
A qualified yes here - please clarify footnote 1 to the table. Are the listed qualifications "and" or "or"
statements -IOW, if destruction of BES equipment through human error does not have the potential to result
in the need for emergency actions, is it still reportable? If a 18-240 KV step-up transformer suffers minor
damage because a conservator tank was valved out, is this reportable under this definition?
Response: The DSR DT thanks you for your comment. Footnotes have been updated to reflect comments received. This proposed Standard is targeted at
BES level Thresholds for Reporting as outlined in Attachment 1.
Ingleside Cogeneration LP
Yes
We believe that there should be close, if not perfect, synchronization between the ERO's Event Analysis
Process and Attachment 1 since they share the same ultimate goal as EOP-004-2 to improve industry
awareness and BES reliability.
Response: The DSR DT thanks you for your comment. EOP-004-2 is an after the fact reporting Standard and the reports submitted by entities complying
with the standard may be used by the NERC Event Analysis Program to review reported events. The Event Analysis Program may change their categories of
events at anytime, but revisions to an approved standard must follow the standards development process embodied in the NERC Standard Processes Manual.
Despite the differences in process, the DSR SDT is working closely with the Event Analysis Working Group to ensure alignment between the standard and the
program to the maximum extent possible.
Occidental Power Marketing
Yes
There does not appear to be any reportable events for LSEs that do not own, operate, or control BES assets
(or assets that directly support the BES) in Attachment 1. This would support removing such entities from the
Applicability.
Response: The DSR DT thanks you for your comment. The DSR SDT understands that every LSE may not own or operate BES assets. If the LSE does
not own or operate BES assets, then EOP-004-2 would not be applicable to that LSE. Since CIP-002 and CIP-008 are applicable to LSEs they will be required to
be applicable under EOP-004-2 for cyber incidents.
Farmington Electric Utility System
Yes
Platte River Power Authority
Yes
New Harquahala Generating Co.
Yes
Western Electricity Coordinating Council
Yes
Midwest ISO Standards
Collaborators
Yes
Southern Company
Yes
SRP
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
American Municipal Power
Yes
12. Do you agree with the proposed measures for Requirements 1-5? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: The majority of commenters agree with the proposed measures. Since two requirements were
removed, the DSR SDT did a complete review of the Requirements and associated Measure and assured that Measurements did
not add to any Requirement. The Measures have been rewritten to reflect strict accuracy to each Requirement and provide a
minimum measure required for an entity to be compliant.
Organization
Yes or No
Question 12 Comment
Georgia Transmission Corporation & Oglethorpe Power Corporation
No
Several of the measures appear to introduce items that are not required by the standard. For instance, R3
requires that a test of the communications process be performed, however Measure 3 indicates that a mock
impact event be performed. Measure 4 indicates that personnel be listed in the plan and be trained on the
plan, however there is no requirement to include people in the plan or to train them.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Northeast Power Coordinating
Council
No
Concerns with M5:
a. As suggested in the response to Question 10 above, R5 should be combined with R2;
b. If R5 to remain as is, then M5 goes beyond the requirement in R5 in that it asks for evidence to support the type of Impact Event experienced. Attachment 2 already requires the reporting entity to provide all the details pertaining to the Impact Event. It is not clear what kind of additional evidence is needed to "support the type of Impact Event experienced". Also, the date and time of the Impact Event is provided in the reporting form. Why the need to provide additional evidence on the date and time of the Impact Event?
Response: The DSR SDT thanks you for your comment. Requirement 2 has been deleted as requested by the industry. Requirement R5 (now R2) was revised
along with the measure:
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].
M2. Responsible Entities shall provide a record of the type of event experienced; a dated copy of the Attachment 2 form or OE-417 report; and dated and time-stamped transmittal records to show that the event was reported.
Pacific Northwest Small Public
Power Utility Comment Group
No
It is unclear when reporting to the Compliance Enforcement Authority is required. Does the registered entity
report initially, and then anytime a change to the plan is made, or a drill is performed? Or is the information
only provided following a request of the Compliance Enforcement Authority, and if so what is the acceptable
time limit to respond?
Response: The DSR SDT thanks you for your comment. The Measure is designed to inform applicable entities of the minimum acceptable evidence needed to
prove compliance with a requirement. The reference to Compliance Enforcement Authority has been removed since it does not assist an entity in the minimum
level of evidence needed per the requirement.
Dominion
No
1) M1 is open ended. Suggest adding "on request" to the end of the sentence as written; 2) M4 requires
evidence of "when internal personnel were trained"; however, Requirement R4 does not require training.
Response: The DSR SDT thanks you for your comment. The Measure is designed to inform applicable entities of the minimum acceptable evidence needed to
prove compliance with a requirement. The reference to Compliance Enforcement Authority has been removed since it does not assist an entity in the minimum
level of evidence needed per the requirement.
SPP Standards Review Group
No
The measures are written as if they are adding requirements to the standards. Using wording such as "shall provide" gives this implication. We would suggest wording such as "examples of acceptable evidence to demonstrate compliance may be…"
See Question 6 for comments regarding M1.
See Question 8 for comments regarding M3.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Midwest ISO Standards
Collaborators
No
We disagree with Measurement 4. It implies that the review must be conducted in person. Why could other
means such as a web training or a reminder memo not satisfy the requirement? Because Requirement 1 does
not require submittal of the Operating Plan, Operating Process and/or the Operating Procedure,
Measurement 1 should only require submittal to the Compliance Enforcement Authority upon its request.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. Requirement 4 has been deleted.
FirstEnergy
No
Measure M4 includes the phrase "when internal personnel were trained on the responsibilities in the plan"
implies the Requirement R4 requires training. R4 is only requiring the review of a document of the necessary
personnel and that the rest of the measure covers the needed evidence for R4. This phrase in the measure should be removed. We suggest the following for M4:
M4. Responsible Entities shall provide the materials presented to verify content and the association between the people listed in the plan and those who participated in the review, documentation showing who was present.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. Requirement 4 has been deleted.
SERC OC Standards Review
Group
No
The measures should be revised to match the general nature of the comments we have made on each
requirement.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
PJM Interconnection LLC
No
1. We disagree with M4 as it seems to indicate that all training needs to be in person and precludes any form
of Computer Based Training (CBT). 2. As indicated in 10, R5 is redundant as R2 already required an entity to
report any Impact Events by executing/implementing its Impact Event Operating plan. If R5 is to remain as is,
then M5 goes beyond the requirement by requiring the entity to produce evidence of compliance for the type
of Impact Event experienced. It is not clear as to what additional evidence is needed to "support the type of
Impact Event experienced".
The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the requirement.
We Energies
No
M1 contains a redundancy: It currently reads, "Each Responsible Entity shall provide the current in force Impact Event Operating Plan to the Compliance Enforcement Authority." ("In force" is the same as "current".)
M2: Change "Impact Event" to "Impact Event listed in Attachment 1".
M3: This is an additional requirement. R3 does not require a mock Impact Event. R3 requires a test of the communicating Operating Process. As stated above, R3 and M3 should be deleted.
M4: This is written assuming classroom training. R4 does not require formal training much less classroom training. R4 requires that those (internal) personnel who have responsibilities in the plan review the Impact Event Operating Plan.
M5: When we report, how do we show to an auditor that we reported "using the plan"? Delete the reference to "the plan".
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Exelon
No
- M1 - Suggest rewording to state "Each Responsible Entity shall provide the current revision of the Impact Event Operating Plan or equivalent implementing process"
- M3 – Need to provide more guidance on evidence of compliance to meet R3. The DSR SDT needs to provide more guidance on the objectives and format of the drill expected (e.g., table top, simulator, mock drill) and what evidence will be required to illustrate compliance.
- M5 - Suggest that the DSR SDT provide a note or provision to allow for the DOE OE-417 reporting form be submitted by the most knowledgeable functional entity (e.g., the TOP or RC) experiencing the event.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
City of Tallahassee (TAL)
No
M3 & M4 should be modified if comments above (#8 and #9) are incorporated.
M4 - Providing the "materials presented" is beyond the scope of compliance. This constitutes a review of the training program which is beyond the scope of the standard. Review of attendance sheets should be sufficient. The personnel will be listed in the Plan/Process/Procedure. Modify M4: Responsible Entities shall provide evidence of those who participated in the review, showing who was present and when internal personnel were trained on their responsibilities in the plan.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Tenaska
No
The proposed R1 through R4 should be deleted and a revised version of R5 should become R1. The
proposed measures for the new R1 should be revised accordingly.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
American Municipal Power
No
M1-M4 should be eliminated and M5 should be revised to incorporate a simplified R5. M5 - Date and time of
submitted report
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Liberty Electric Power LLC
No
Due to disagreement with R3 and R4.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Arkansas Electric Cooperative
Corporation
No
We applaud the drafting team's effort in crafting more meaningful measures. However, we have concerns with
the measures reading like requirements in stating Responsible Entities "shall" do something. We suggest
crafting the measures to provide acceptable, but not all exclusive, forms of evidence by stating something
similar to "Acceptable forms of evidence may include…"
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
New Harquahala Generating Co.
No
See R3 comments
Response: The DSR SDT thanks you for your comment. Please see R3 responses.
Consumers Energy
No
We understand that DOE is migrating to an on-line reporting facility rather than the email-submitted OE-417.
If they do so, Form OE-417 will not be available for providing to NERC, and the reporting specified by EOP-004 will be duplicative of that for DOE. We recommend that NERC, RFC and the DOE work cooperatively to
enable a single reporting system in which on-line reports are made available to all appropriate parties.
Response: The DSR SDT thanks you for your comment. The DSR SDT has been working with the U.S. Department of Energy (DOE) to streamline the reporting
process. The DOE Form OE-417 will be accepted at NERC if you are reporting an event to the DOE.
Independent Electricity System
Operator
No
We do not have any issues with Measures M1, M2 and M4, but have a concern with M3 and a couple of
concerns with M5:
M3: This Measure contains a requirement for the Responsible Entities to conduct a mock
Impact Event. We disagree to have this included in the Measure. R3 requires the Responsible Entity to
conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to
Requirement R1, Part 1.3. The Measure should adhere to this condition only. We suggest to change the
wording to: The Responsible Entity shall provide evidence that it conducted a test of its Operating Process
for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3. The time period
between actual and or mock Impact Events shall be no more than 15 months. Evidence may include, but is
not limited to, operator logs, voice recordings, documentation or a report on an actual Impact Event.
M5: a. As
suggested above, R5 should be combined with R2; b. If R5 is to remain as is, then M5 goes beyond the
requirement in R5 in that it asks for evidence to support the type of Impact Event experienced. Attachment 2
already requires the reporting entity to provide all the details pertaining to the Impact Event. It is not clear
what kind of additional evidence is needed to “support the type of Impact Event experienced”. Also, the date
and time of the Impact Event is provided in the reporting form. Why do we need to provide additional evidence
on the date and time of the Impact Event?
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. Requirement R5 (now R2) was revised along with the measure:
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk
Factor: Medium] [Time Horizon: Operations Assessment].
M2. Responsible Entities shall provide a record of the type of event experienced; a dated copy of the Attachment 2 form or OE-417 report; and dated and timestamped transmittal records to show that the event was reported.
ISO New England, Inc
No
We do not have any issues with Measures M1, M2 and M4, but have a comment on M3 and a couple of
concerns with M5:
M3: This Measure contains a requirement for the Responsible Entities to conduct a mock
Impact Event. We disagree to have this included in the Measure. R3 requires the Responsible Entity to
conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to
Requirement R1, Part 1.3. The Measure should adhere to this condition only. We suggest to change the
wording to: The Responsible Entity shall provide evidence that it conducted a test of its Operating Process
for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3. The time period
between actual and or mock Impact Events shall be no more than 15 months. Evidence may include, but is
not limited to, operator logs, voice recordings, documentation or a report on an actual Impact Event.
M5: a. As
suggested above, R5 should be combined with R2; b. If R5 is to remain as is, then M5 goes beyond the
requirement in R5 in that it asks for evidence to support the type of Impact Event experienced. Attachment 2
already requires the reporting entity to provide all the details pertaining to the Impact Event. It is not clear
what kind of additional evidence is needed to “support the type of Impact Event experienced”. Also, the date
and time of the Impact Event is provided in the reporting form. Why do we need to provide additional evidence
on the date and time of the Impact Event? c. We disagree with Measurement 4. It implies that the review must
be conducted in person. Why couldn’t other means such as web training or a reminder memo not satisfy the
requirement?
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. Requirement R5 (now R2) was revised along with the measure:
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk
Factor: Medium] [Time Horizon: Operations Assessment].
M2. Responsible Entities shall provide a record of the type of event experienced; a dated copy of the Attachment 2 form or OE-417 report; and dated and timestamped transmittal records to show that the event was reported.
Calpine Corp
No
Requirements R1, R2, R3, and R4 are unnecessary, as discussed above. The measure for Requirement R5
should focus on the need to report accurately and promptly, not on a Responsible Entity’s “Operating Plan”.
If the Requirements are retained, the measures should state in much greater detail what actions and
documentation are required for compliance.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. Requirement R5 (now R2) was revised along with the measure:
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk
Factor: Medium] [Time Horizon: Operations Assessment].
M2. Responsible Entities shall provide a record of the type of event experienced; a dated copy of the Attachment 2 form or OE-417 report; and dated and timestamped transmittal records to show that the event was reported.
CenterPoint Energy
No
M1: CenterPoint Energy recommends that the phrase “current in force” be updated to “current” or “currently
effective”. Additionally, CenterPoint Energy suggests clarifying M1 by adding “within 30 days upon request”,
which would be consistent with language found in measures in other standards. The revised measure would
read, “Each Responsible Entity shall provide the currently effective Impact Event Operating Plan to the
Compliance Enforcement Authority within 30 days upon request.” M2: If R2 is deleted (as recommended in
response to Question 7), then M2 should be deleted.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. R2 was deleted along with the measure M2.
ExxonMobil Research and
Engineering
No
Measure M3 introduces a pseudo-requirement by implying you are able to reset the testing clock if you
implement our Impact Event Operating Plan in response to an Impact Event. This should be covered in
Requirement R3. Measure M4 should refer to positions and evidence that people occupying those positions
participated in the annual review of the Impact Event Operating Plan. Given the number of individuals
involved in operations and the cycle of promotions and reassignments, it’s unreasonable to expect an entity
to identify specific individuals in their Impact Event Operating Plan. As the one hour time window is not long
enough for entities to report all types of events when responding to the impact the Impact Event had on its
facility, Measure M5 should be modified to include voice recordings and log book entries to capture verbal
information reported to required parties.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Constellation Power Generation
No
See CPG’s earlier comments regarding the Requirements and Measures.
Response: The DSR SDT thanks you for your comment. See response to comments on Requirements and Measures.
Georgia System Operations
Corporation
No
There are a lot of inconsistencies between the requirements and the measures. The measures add
requirements that are not stated in the requirements. The measures need to be made consistent with the
requirements and to not add to them. Also see comments on requirements earlier for language to move from
the measures into the requirements. M2: Remove "on its Facilities." The word "its" leads to a lot of confusion
regarding who reports what. Attachment 1 should make clear "what" needs to be reported. The entities'
operating plan should make it clear as to who should report each "what." Furthermore, not all Impact Events
are "on Facilities." M3: Replace "that it conducted a mock Impact Event" with "that it conducted a test of its
Operating Process." Delete "The time period between actual and or mock Impact Events shall be no more
than 15 months." M4: The measure says that documentation showing when personnel were trained is
required. R4 does not require training. The requirement and the measure should be made clear and
consistent.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
M3 - The testing of the Plan by drill or mock impact event is unnecessary and burdensome.
Response: The DSR SDT thanks you for your comment. The Measure M3 has been revised as follows:
M3. The Responsible Entity shall provide evidence that it conducted a test of the communication process in its Operating Plan for events created pursuant to
Requirement R1, Part 1.3. Implementation of the communication process as documented in its Operating Plan for an actual event may be used as evidence to
meet this requirement. The time period between an actual event or test shall be no more than 15 months. Evidence may include, but is not limited to, operator logs,
voice recordings, or dated documentation of a test. (R3)
The intent of R3 is to ensure that the communications process of the Operating Plan works when needed. The annual test is not burdensome and an actual event
will take the place of the test.
Farmington Electric Utility System
No
See comments in requirements for R3 and R4
Response: The DSR SDT thanks you for your comment. See response to comments on R3 and R4.
Indeck Energy Services
No
M1 is OK. M2 should be about implementation, not about any particular events--M5 is about events.
Implementation would include distribution and training. M3 should be modified to reflect a training review by
entities that cannot cause a Reportable Disturbance or reportable DOE OE-417 event and for the others
documentation of an actual event (which is not included in the present M3) or a drill or mock event. M4 is OK.
M5 should only include the reports submitted and the date of submission. Further evidence of the event is
redundant.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Brazos Electric Power
Cooperative
No
M2 and M5 appear to duplicate each other.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. R2/M2 have been deleted and R5/M5 is now R2/M2.
Progress Energy
No
M3 states that “In the absence of an actual Impact Event, the Responsible Entity shall provide evidence that
it conducted a mock Impact Event…” Does this mean that, if an entity experiences an Impact Event that is
reportable, then the entity does not have to perform its annual test? If so, this should be made clear in the
Requirement.
Response: The DSR SDT thanks you for your comment. That is the intent of the requirement. The Rationale box has been revised to express this intent. The
measure now reads:
The Responsible Entity shall provide evidence that it conducted a test of the communication process in its Operating Plan for events created pursuant
to Requirement R1, Part 1.3. Implementation of the communication process as documented in its Operating Plan for an actual event may be used as
evidence to meet this requirement. The time period between an actual event or test shall be no more than 15 months. Evidence may include, but is
not limited to, operator logs, voice recordings, or dated documentation of a test. (R3)
Occidental Power Marketing
Yes
In general, the measures are okay. However, as mentioned above for R3, there needs to be more specificity
as to what is acceptable as a "mock Impact Event" for auditing purposes--especially for small entities such as
LSEs that do not own, operate, or control BES assets.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
SDG&E
Yes
Lakeland Electric
Yes
New Harquahala Generating Co.
Yes
Bonneville Power Administration
Yes
Midwest Reliability Organization
Yes
PSEG Companies
Yes
Pepco Holdings Inc and Affiliates
Yes
Southern Company
Yes
SRP
Yes
APX Power Markets
Yes
Manitoba Hydro
Yes
Sweeny Cogeneration LP
Yes
American Electric Power
Yes
USACE
Yes
Ameren
Yes
BGE
No position or comments.
Platte River Power Authority
Yes
Alliant Energy
Yes
PPL Electric Utilities
Yes
Lincoln Electric System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
13. Do you agree with the proposed Violation Risk Factors for Requirements 1-5? If not, please explain why not
and if possible, provide an alternative that would be acceptable to you.
Summary Consideration: Many stakeholders suggested that the reporting of events after the fact only justified a VRF of
Lower for each requirement. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in
nature and justifies a “lower” VRF. This requirement is administrative in nature and deals with the means to report events after
the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement
to analyze events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of
Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement
2 specifies that an entity is responsible for reporting events in accordance with the Operating Plan based on Attachment 1.
Requirement 3 is insurance to make sure that an entity can communicate information about events. Requirement 2 specifies
that the responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential
sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the
requirements is “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Organization
Yes or No
Question 13 Comment
Northeast Power Coordinating Council
No
If R5 is to remain as is, then the VRF should be a Lower, not a Medium. R5 stipulates the form to be used. It
is a vehicle to convey the needed information, and as such it is an administrative requirement. Failure to use
the form provided in Attachment 2 or the DOE form does not lead to unreliability.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Bonneville Power Administration
No
R2, R3 and R4 should be lower VRFs than R5 and R1.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
PSEG Companies
No
If Requirements 1-5 remain intact the Violation Risk Factor should be reduced to a Lower not a Medium since
this is an administrative requirement and does not impact the reliability of the BES.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Dominion
No
All the VRFs are "Medium." Since the requirements deal with after-the-fact reporting and the administration of
reporting plans, procedures, and processes; all VRFs should be "Lower."
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Pepco Holdings Inc and Affiliates
No
This standard involves after the fact reporting of events. Other standards deal with the real time notifications.
How do the risk factors between the two line up? A VRF of Low would seem appropriate, since a violation
would not affect the reliability of the BES.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
SPP Standards Review Group
No
These are reporting requirements and therefore do not deserve the “medium” VRF. We suggest making the
VRFs for all requirements for EOP-004-2 “low.”
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Midwest ISO Standards
Collaborators
No
All violation risk factors should be Lower. All requirements are administrative in nature. While they are
necessary because a certain amount of regulatory reporting will always be required, a violation will not in any
direct or indirect way lead to a reliability problem on the Bulk Electric System.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
FirstEnergy
No
1. We believe that Requirement 5 does not warrant a “Medium” risk factor. Not using a particular form is
strictly administrative in nature and the VRF should be “Low.”
2. We believe that Requirement 4 does not warrant a “Medium” risk factor. For example, a simple review of
the process does not have the same impact on the Bulk Electric System as the implementation of the
Operating Plan per R2. Therefore, we believe R4 is at best a “Low” risk to the BES.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
SERC OC Standards Review
Group
No
How can an after-the-fact report require a VRF greater than low?
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
PJM Interconnection LLC
No
All VRFs should be lower as Requirements 1-5 are all administrative in nature. A violation of any of these
requirements does not directly or indirectly affect the reliability of the BES.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
We Energies
No
All VRFs should be Lower. They are all administrative and will not affect BES Reliability.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
LG&E and KU Energy LLC
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Response: The DSR SDT thanks you for your comment. See response to comments on Question 2.
Exelon
No
R.4 should be a low risk factor, this is an administrative requirement with no contribution to reliability.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
City of Tallahassee (TAL)
No
R1 is administrative in nature (must have a document) and should be Lower.
Response: The DSR SDT thanks you for your comment. The DSR SDT concurs and has assigned a “lower” VRF for Requirement R1.
United Illuminating Co
No
R3 should be Low. It is a test of the communication Plan which is use of telephone and email.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
American Municipal Power
No
No, this is not acceptable. Eliminate R1-R4. Change R5 to Lower.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Liberty Electric Power LLC
No
See Q 12.
Response: The DSR SDT thanks you for your comment. Please see response to Question 12.
Manitoba Hydro
No
Reduce the Long Term Planning items to Lower VRF. The planning items will not have the same impact on
the reliability of the system as real time operations.
Response: The DSR SDT thanks you for your comment. Each Requirement is in the Operations Assessment or Operations Planning time horizon. With the
revised standard, there are now three requirements. Requirement R1 specifies that the responsible entity have an Operating Plan for identifying and reporting
events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF. This requirement is administrative in nature and deals with the means to
report events after the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement to analyze
events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of Procedure and the Events Analysis Program.
The two remaining requirements in EOP-004-2 are to report events based on the specifics in Attachment 1 (R2) and to test the communications protocol of the
Operating Plan once per year (R3). Requirement R2 specifies that an entity is responsible for reporting events in accordance with the Operating Plan based on
Attachment 1. Requirement R3 is insurance to make sure that an entity can communicate information about events. Requirement R2 specifies that the
responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential sabotage events. Part of the reason to report
these types of events is to make other entities aware to help prevent further sabotage events from occurring. Existing CIP-001-1a deals with sabotage events
and the approved VRFs for each of the requirements is “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Independent Electricity System
Operator
No
If R5 were to remain as is, then the VRF should be a Lower, not a Medium since R5 stipulates the form to be
used. It is a vehicle to convey the needed information, and as such it is an administrative requirement. Failure
to use the form provided in Attachment 2 or the DOE form does not give rise to unreliability.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
ISO New England, Inc
No
If R5 is to remain as is, then the VRF should be a Lower, not a Medium since R5 stipulates the form to be
used. It is a vehicle to convey the needed information, and as such it is an administrative requirement. Failure
to use the form provided in Attachment 2 or the DOE form has no impact on reliability.
All violation risk factors should be Lower. All requirements are administrative in nature. While they are
necessary because a certain amount of regulatory reporting will always be required, a violation will not in any
direct or indirect way affect reliability.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Calpine Corp
No
Requirements R1, R2, R3, and R4 are unnecessary, as discussed above. If retained, the violation risk factors
should be low for those Requirements, as they all simply support the requirement to actually report correctly
stated in Requirement R5.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
ExxonMobil Research and
Engineering
No
VRFs, VSLs, and THs ideally should be based on the impact event type; alternatively a low VRF seems more
appropriate for the requirements of this standard.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Georgia System Operations
Corporation
No
Failing to report to NERC any of many of the listed events does not present a reliability risk. The exception to
this would be those threat events where the ES-ISAC needs to be notified. The object of the standard is to
prevent or reduce the risk of Cascading. Reporting system situations to appropriate operating entities who
can take some mitigating action (e.g., a LSE reporting to its BA or a BA reporting to its RC) and reporting
threats to law enforcement officials could prevent or reduce the risk of Cascading but reporting to NERC
(except for events where the ES-ISAC needs to know) is unlikely to do that. Reporting of most of the listed
events to NERC does not meet the objective of this standard and should be removed from this standard.
Such events should be reported to NERC through some other (than a Reliability Standard) requirement for
reporting to NERC so that NERC can accomplish its mission of analyzing events. Analyzing events may lead
to an understanding that could reduce the future risk of Cascading but analyzing events cannot be performed
in time to reduce any impending risks.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Indeck Energy Services
No
If there are any, they should all be Low because this is reporting of historical events. There is no direct effect
on BES reliability. Some effect could occur if someone reacts to the reports, but many are concerning
unpreventable events.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
Progress Energy
No
BGE
Yes
Platte River Power Authority
Yes
Alliant Energy
Yes
Midwest Reliability Organization
Yes
Southern Company
Yes
SRP
Yes
No comments.
SDG&E
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Arkansas Electric Cooperative
Corporation
Yes
Sweeny Cogeneration LP
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
14. Do you agree with the proposed Violation Severity Levels for Requirements 1-5? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
Summary Consideration: Most commenters agreed with the VSLs. The DSR SDT has deleted R4 and R2, and R5 has become
R2. The VSLs have been aligned with the revised requirements. The ‘Severe’ rating for excessively long reporting times has
been retained as the DSR SDT believes that fairly reflects the definition of ‘Severe’ i.e., The performance or product measured
does not substantively meet the intent of the requirement.
Organization
Yes or No
Question 14 Comment
Northeast Power Coordinating
Council
No
No major issues with the proposed VSLs. However, because of the preceding comments, want to see the
next revision of the draft.
Response: The DSR SDT thanks you for your comment.
Bonneville Power
Administration
No
For R5 VSL's: suggest moving the 1-2 hours down one level to Moderate and move the >2 hours down to
High with a range of 2-8 hours. Leave the "Failed to Submit" in the Severe category.
Response: The DSR SDT thanks you for your comment. The DSR SDT has increased most reporting timeframes to 24 hours. Those that still require 1 hour
reporting have been adjusted to better align with the 24 hour VSLs. Namely, taking twice as long to report is a ‘Medium’ VSL. The ‘Severe’ rating for excessively
long reporting times has been retained as the DSR SDT believes that fairly reflects the definition of ‘Severe’ i.e., The performance or product measured does not
substantively meet the intent of the requirement.
Western Electricity Coordinating
Council
Regarding the proposed VSLs for R3, since communication testing involves multiple parties it would be
more appropriate to base severity level on the number of applicable parties which were not tested rather
than how long after 15 months it took to do the test. The standard already builds in a 3 month leeway. In
reality the way it is written almost guarantees a lower severity level.
Response: The DSR SDT thanks you for your comment. VSLs reflect the degree to which the requirements are met. The DSR SDT envisions that
communication testing will include all parties referenced in the entity’s operating plan. Failure to test any part of that communication process is a failure of that
Part of the requirement.
Pepco Holdings Inc and
Affiliates
No
This standard involves after the fact reporting of events. Other standards deal with the real time
notifications. How do the severity level between the two line up? See above VRF comments.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the VSLs appropriately align with the NERC Guidelines.
SPP Standards Review Group
No
Requirement 4: We would suggest the following:
Low - The Responsible Entity reviewed its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 15
calendar months but less than 18 calendar months since the last review.
Moderate - The Responsible Entity reviewed its Impact Event Operating Plan with those personnel who have responsibilities identified in that
plan in more than 18 calendar months but less than 21 calendar months since the last review.
High - The Responsible Entity reviewed its Impact Event Operating Plan with those personnel who have
responsibilities identified in that plan in more than 21 calendar months but less than 24 calendar months
since the last review.
Severe - The Responsible Entity failed to review its Impact Event Operating Plan with
those personnel who have responsibilities identified in that plan within 24 calendar months since the last
review.
Requirement 5: With our suggested deletion of Requirement 5, we further suggest deleting the
VSLs associated with Requirement 5.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R4 and R2, and R5 has become R2.
SERC OC Standards Review
Group
No
The VSLs should reflect the comments on the requirements above.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R4 and R2, and R5 has become R2. The VSLs have been aligned with the
revised requirements.
PJM Interconnection LLC
No
VSLs should reflect the comments on the VRFs above.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the VSLs appropriately align with the NERC Guidelines.
We Energies
No
Change the VRFs as indicated above and the Time Horizons as indicated below.
Response: The DSR SDT thanks you for your comment. Please see responses to those comments.
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Response: The DSR SDT thanks you for your comment. Please see responses to Question 2.
Exelon
No
Suggest rewording the 1 hour reporting for High and Severe to state "communicate or submit" a report
within - depending on the severity of the event, an actual report may not be feasible. Similar to an NRC
event report, a provision should be made for verbal notifications in lieu of an actual submitted report. An
entity should not be penalized for failing to submit a written report within 1 hour if the communications were
completed within the 1 hour time period meeting the intent of the Standard.
Response: The DSR SDT thanks you for your comment. Attachment 1 allows you to provide a verbal report under the conditions you contemplate.
SDG&E
No
This Reliability Standard provides a list of reporting requirements that are applicable to registered entities,
thus it is a paperwork exercise; therefore, SDG&E recommends that none of the requirements should
exceed a “Moderate” Violation Severity Level. Failure on the part of an applicable Registered Entity to
provide an event report will have no immediate impact on the Bulk Electric System.
Response: The DSR SDT thanks you for your comment. VSLs describe how fully an entity meets the requirements and are not a measure of severity or impact.
These items are captured in the VRFs.
American Municipal Power
No, this is not acceptable. Eliminate R1-R4 and change R5.
Severe: n/a
High VSL: n/a
Medium VSL: No report for a reportable event
Low VSL: Late report for a reportable event
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R4 and R2, and R5 has become R2. The VSLs have been aligned with the
revised requirements.
Liberty Electric Power LLC
No
See Q 12.
Response: The DSR SDT thanks you for your comment. Please see responses to Question 12.
Consumers Energy
No
1. In reference to the Impact Event addressing “Loss of Firm load for greater than or equal to 15 minutes”,
this is likely to occur for most entities most frequently during storm events, where the loss of load builds
slowly over time. In these cases, exceeding the threshold may not be apparent until a considerable time
has lapsed, making the submittal time frame impossible to meet. Even more, it may be very difficult to
determine if/when 300 MW load (for the larger utilities) has been lost during storm events, as the precise
load represented by distribution system outages may not be determinable, since this load is necessarily
dynamic. Suggest that the threshold be modified to “Within 1 hour after detection of exceeding 15-minute
threshold”. Additionally, these criteria are specifically storm related wide spread distribution system
outages. These events do not pose a risk to the BES.
2. Many of the Impact Events listed are likely to
occur, if they occur, at widely-distributed system facilities, making reporting “Within 1 hour after occurrence
is identified” possibly impractical, particularly in order to provide any meaningful information. Please give
consideration to clearly permitting some degree of investigation by the entity prior to triggering the “time to
submit”.
3. Referring to the “Fuel Supply Emergency” Impact Event, OE-417 requires 6-hour reporting,
where the Impact Event Table requires 1-hour reporting. The reporting period for EOP-004-2 should be
consistent with OE-417.
Response: The DSR SDT thanks you for your comment. The DSR SDT has increased almost all reporting timeframes to 24 hours. Also, the fuel supply
emergency has been removed from Attachment 1. Reporting period was chosen to meet NERC needs, you may have more restrictive periods for OE-417, but
that is outside the jurisdiction of the DSR SDT.
Calpine Corp
No
Requirements R1, R2, R3, and R4 are unnecessary, as discussed above. If retained, the violation risk
factors should be low for those requirements, as they all simply support the requirement to actually report
correctly stated in Requirement R5.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R4 and R2, and R5 has become R2. The VSLs have been aligned with the
revised requirements.
CenterPoint Energy
No
CenterPoint Energy believes that the Severe VSL for R5 (Reporting) in the current draft incorrectly equates
2X reporting with failure to submit a report. CenterPoint Energy believes the VSLs for R5 should all reflect
a factor increase in time. For example, the lower VSL should be 1.5X the reporting time frame. The
Moderate VSL should be 2x the reporting time frame. The High VSL should be 3x the reporting time frame.
The Severe VSL should be failure to report.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R4 and R2, and R5 has become R2. The VSLs have been aligned with the
revised requirements. The ‘Severe’ rating for excessively long reporting times has been retained as the DSR SDT believes that fairly reflects the definition of
‘Severe’ i.e., The performance or product measured does not substantively meet the intent of the requirement.
ExxonMobil Research and
Engineering
No
VRFs, VSLs, and THs ideally should be based on the impact event type; alternatively a low VRF seems
more appropriate for the requirements of this standard.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the VSLs and time horizons appropriately align with the requirements and
NERC Guidelines. With the revised standard, there are now three requirements. Requirement R1 specifies that the responsible entity have an Operating Plan
for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF. This requirement is administrative in
nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2
which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of
Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the specifics in Attachment 1 (R2)
and to test the communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is responsible for reporting events
in accordance with the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can communicate information about
events. Requirement R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential
sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further sabotage events from occurring.
Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for EOP-004-2 comport with the
existing approved VRFs for both EOP-004 and CIP-001.
Indeck Energy Services
No
There should be only Lower VSL's. This is reporting of historical events and there is no direct effect on
BES reliability. How does missing 3 parts of R1 compare to tripping a 4,000 MW generating station
because vegetation was not properly managed? Just because there are 4 levels, doesn't mean that all
Standards need to use them all. If you step back, and think about causes of cascading outages, reporting
events 1 hour or 24 hours later has no significance. There is no direct preventative causation either.
Response: The DSR SDT thanks you for your comment. VSLs describe how fully an entity meets the requirements and are not a measure of severity or impact
to the BES. These items are captured in the VRFs.
Progress Energy
No
Progress disagrees with the High and Severe VSLs listed for R5. If an entity experiences an Impact Event
and fails to submit a report within an hour as required, it may be that there are multiple mitigating
circumstances. It is not reasonable to require reporting within an hour since identifying a reportable event
often takes longer than this time period.
Response: The DSR SDT thanks you for your comment. The DSR SDT has increased almost all reporting timeframes to 24 hours. Also, VSLs describe how fully
an entity meets the requirements and are not a measure of severity or impact to the BES. These items are captured in the VRFs.
Georgia System Operations
Corporation
Independent Electricity System
Operator
No
None.
We do not have any major issues with the proposed VSLs. However, in view of our comments on some of
the Questions, above, we reserve our comments upon seeing a revised draft.
Response: The DSR SDT thanks you for your comment.
ISO New England, Inc
We do not have any major issues with the proposed VSLs. However, in view of our comments on some of
the Questions, above, we reserve our comments upon seeing a revised draft.
Response: The DSR SDT thanks you for your comment.
Midwest Reliability Organization
Yes
Midwest ISO Standards
Collaborators
Yes
Southern Company
Yes
SRP
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating
Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
Arkansas Electric Cooperative
Corporation
Yes
Manitoba Hydro
Yes
Sweeny Cogeneration LP
Yes
American Electric Power
Yes
New Harquahala Generating
Co.
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility
System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
City of Tacoma, Department of
Public Utilities, Light Division,
dba Tacoma Power
Yes
No comments.
15. Do you agree with the proposed Time Horizons for Requirements 1-5? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: Many stakeholders suggested that the Time Horizons for this standard should be
Operations Assessment or Operations Planning rather than Long Term Planning. The DSR SDT agrees. The DSR
SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Assessment, which is defined as ‘follow-up
evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 has been changed
to Operations Planning.
Organization
Yes or No
Question 15 Comment
Northeast Power Coordinating
Council
No
For the purpose of developing and updating an Impact Event Operating Plan, there should not be any
requirements that fall into the Long-term planning horizon. As the name implies, the plan is used in the
operating time frame. Consistent with other plans such as system restoration plans which need to be updated
and tested annually, most of the Time Horizons in that standard (EOP-005-2) are either Operations Planning
or Real-time Operations. Suggest the Time Horizon for R1, R3 and R4 be changed to Operations Planning.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Assessment,
which is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 has been changed to
Operations Planning.
Bonneville Power Administration
No
Depends on the answer to #7. If implementation means a signed and valid Plan, then it should be with Long
Term. If reporting the events, then it should be Real-Time/Same Day Operations.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted the separate requirement to ‘implement the plan’. The reporting obligation is
now R2 with a time horizon of Operations Assessment, which is defined as ‘follow-up evaluations and reporting of real time operations’.
SPP Standards Review Group
No
Based on our previous comments in response to Question 11, we feel that the Time Horizon for R2 should be
lengthened. Assigning it a Real-time Operations and Same-day Operations timeframe has too much of an
impact on real-time operations. Pushing it back will allow support personnel to do the after-the-fact reporting
and keep this burden off of the operators.
Response: The DSR SDT thanks you for your comment. The reporting obligation is now R2 with a time horizon of Operations Planning, which is defined as
‘follow-up evaluations and reporting of real time operations’.
Midwest ISO Standards
Collaborators
No
R2 and R5 should be Operations Assessment since it deals with after the fact reporting. R3 should include
Operations Assessment since an actual event could be used as the test.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning
SERC OC Standards Review
Group
No
R2 and R5 should be in the Operations Assessment time horizon.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning
PJM Interconnection LLC
No
R2 and R5 should be in Operations Assessment Time Horizon as they deal with “after-the-fact” reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning
We Energies
No
R2 and R5 should be Operations Assessment.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning
Consumers Energy
No
1. In reference to the Impact Event addressing “Loss of Firm load for greater than or equal to 15 minutes”,
this is likely to occur for most entities most frequently during storm events, where the loss of load builds slowly
over time. In these cases, exceeding the threshold may not be apparent until a considerable time has lapsed,
making the submittal time frame impossible to meet. Even more, it may be very difficult to determine if/when
300 MW load (for the larger utilities) has been lost during storm events, as the precise load represented by
distribution system outages may not be determinable, since this load is necessarily dynamic. Suggest that the
threshold be modified to “Within 1 hour after detection of exceeding 15-minute threshold”. Additionally, these
criteria are specifically storm related wide spread distribution system outages. These events do not pose a
risk to the BES.
2. Many of the Impact Events listed are likely to occur, if they occur, at widely-distributed
system facilities, making reporting “Within 1 hour after occurrence is identified” possibly impractical,
particularly in order to provide any meaningful information. Please give consideration to clearly permitting
some degree of investigation by the entity prior to triggering the “time to submit”.
3. Referring to the “Fuel
Supply Emergency” Impact Event, OE-417 requires 6-hour reporting, where the Impact Event Table requires
1-hour reporting. The reporting period for EOP-004-2 should be consistent with OE-417.
Response: The DSR SDT thanks you for your comment. The DSR SDT has increased almost all reporting timeframes to 24 hours. Also, the fuel supply emergency
has been removed from Attachment 1. Reporting period was chosen to meet NERC needs, you may have more restrictive periods for OE-417, but that is outside
the jurisdiction of the DSR SDT.
Independent Electricity System
Operator
No
For the purpose of developing and updating an Impact Event Operating Plan, there should not be any
requirements that fall into the Long-term planning horizon. As the name implies, the plan is used in the
operating time frame. And consistent with other plans such as system restoration plan which needs to be
updated and tested annually, most of the Time Horizons in that standard (EOP-005-2) are either Operations
Planning or Real-time Operations. We suggest the Time Horizon for R1, R3 and R4 be changed to Operations
Planning.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning
ISO New England, Inc
No
For the purpose of developing and updating an Impact Event Operating Plan, there should not be any
requirements that fall into the Long-term planning horizon. As the name implies, the plan is used in the
operating time frame. And consistent with other plans such as system restoration plan which needs to be
updated and tested annually, most of the Time Horizons in that standard (EOP-005-2) are either Operations
Planning or Real-time Operations. We suggest the Time Horizon for R1, R3 and R4 be changed to Operations
Planning. The Time Horizon for R2 and R5 should be changed to Operations Assessment since they both
deal with after the fact reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning
ExxonMobil Research and
Engineering
No
VRFs, VSLs, and THs ideally should be based on the impact event type; alternatively a low VRF seems more
appropriate for the requirements of this standard.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement R1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can
communicate information about events. Requirement R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
The DSR SDT believe the VSLs and revised time horizons appropriately align.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
Why shorten the normal process?
Response: The DSR SDT thanks you for your comment. The DSR SDT has revised most of the reporting timelines to 24 hours.
Indeck Energy Services
No
These requirements have no time horizon. They're about history and not about the future.
Response: The DSR SDT thanks you for your comment. All NERC standards must have a time horizon associated with each requirement. Time horizons are used
as a factor in determining size of a sanction.
American Municipal Power
No
USACE
No
Pepco Holdings Inc and Affiliates
Yes
However, do they line up with the corresponding real time reporting procedures as mentioned above, #13 and
#14?
Response: The DSR SDT thanks you for your comment. Please see responses to comments #13 and #14. Since the time for reporting impact events is no more
than 24 hours, the time horizon has been revised to Operations Planning.
Midwest Reliability Organization
Yes
PPL Supply
Yes
Dominion
Yes
FirstEnergy
Yes
Southern Company
Yes
SRP
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
Manitoba Hydro
Yes
Sweeny Cogeneration LP
Yes
New Harquahala Generating Co.
Yes
Platte River Power Authority
Yes
BGE
No position or comments.
Alliant Energy
Yes
CenterPoint Energy
Yes
PPL Electric Utilities
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
Georgia System Operations
Corporation
Yes
None.
16. Do you agree with the proposed Implementation Plan for EOP-004-2? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: The majority of commenters agreed with the Implementation Plan. The DSR SDT believe the
revisions made as part of this comment period have made the standard easier to implement. This latest revision more closely
aligns with existing EOP-004 requirements, which entities are already compliant with. Consequently the effective date remains
as first calendar day of the third calendar quarter following the regulatory approval/BOT adoption as applicable.
Organization
Yes or No
Question 16 Comment
Pepco Holdings Inc and Affiliates
No
The proposed time line is too short. It is easy to revise procedures. However developing training and
integrating the training into the schedule takes time. Shorter time frame takes away adequate time to
integrate into the training plan and disrupts operator schedules. Since notifications already exist and after the
fact reporting does not impact BES reliability, why the need to expedite? There are many other training
activities that must be coordinated with this.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
FirstEnergy
No
We believe the previous proposal for a 12 month implementation was more appropriate and suggest the team
revert back to that timeframe.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Southern Company
No
The implementation time should be 12 months after approval regardless of the elapsed time taken to get the
standard approved.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Exelon
No
The DSR SDT reduced the implementation from one year to between six and nine months based on the
revised standard requirements. Exelon disagrees with the proposed shortened implementation timeframe.
The current revision to EOP-004 still requires an entity to generate, implement and provide any necessary
training for the "Impact Event Operating Plan" by a registered entity. Commenters previously supported a one
year minimum; but the requirements for implementation have not changed measurably - six to nine months is
not adequate to implement as written.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
SDG&E
No
SDG&E recommends a 9 month minimum timeframe for implementation.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
United Illuminating Co
No
The SDT should be specific that on the effective date an Entity will have the Operating documented and
approved. The SDT should be specific that the first simulation is required to occur 15 months following the
effective date. The SDT should be specific that the first annual review shall occur within 15 months after the
effective date.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
American Electric Power
No
With the scope of applicable functions expanding, more time will be required to develop broader processes
and training. This will need to be extended for 18 months to get the process implemented and everyone
trained.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
CenterPoint Energy
No
CenterPoint Energy prefers the previously accepted timeline of 1 year.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Georgia System Operations
Corporation
No
There is nothing about the revisions that were made to the requirements that shortens the time needed by the
industry to get prepared for this revision. The removal of requirements for NERC does not shorten the
requirements for the industry. Eighteen months (or 12 months minimum) should be allotted to prepare for this
revision.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Brazos Electric Power
Cooperative
No
A one year implementation is needed to develop and implement formal documents to meet requirements.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
The implementation Plan was to move up the timeline and we do not see why this needs to be pushed
forward on a shortened timeline. It should remain at the one year implementation schedule especially if
annual exercises are not removed from the standard requirements as this takes some time to prepare.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
ExxonMobil Research and
Engineering
Recommend 4th calendar quarter instead of 3rd.
Re s p o n s e : The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already complaint with.
Consumers Energy
No
Dominion
Yes
Dominion agrees with the Implementation Plan; however, notes that the title for EOP-004-2 is inconsistent
with the actual proposed standard.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the revisions made as part of this comment period have made the standard easier to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Farmington Electric Utility System
Yes
Nine months would be preferred
Response: The DSR SDT thanks you for your comment. The majority of stakeholders agree with the proposed implementation plan and it will remain unchanged.
Northeast Power Coordinating Council
Yes
Bonneville Power Administration
Yes
Midwest Reliability Organization
Yes
PPL Supply
Yes
SPP Standards Review Group
Yes
Midwest ISO Standards Collaborators
Yes
SERC OC Standards Review Group
Yes
PJM Interconnection LLC
Yes
SRP
Yes
We Energies
Yes
Compliance & Responsibility Organization
Yes
City of Tallahassee (TAL)
Yes
Lakeland Electric
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
American Municipal Power
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
Manitoba Hydro
Yes
Sweeny Cogeneration LP
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System
Operator
Yes
ISO New England, Inc
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
PPL Electric Utilities
Yes
No comments.
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
Indeck Energy Services
Yes
17. If you have any other comments you have not already provided in response to the questions above, please
provide them here.
Summary Consideration: The majority of comments received relate to Attachment 1 and the Flowchart in the
background section. The DSR SDT has made conforming revisions to each based on the comments received. The
Flowchart was updated to remove references to sabotage and replaced with “Criminal act invoking federal
jurisdiction”. In response to the comments received, the SDT has made numerous enhancements to Attachment 1.
These revisions include:
• Added new column “Submit Attachment 2 or DOE OE-417 Report to:” which references Part 1.3 and provides the time required to submit the report.
• Combined Parts A and B into one table and reorganized it so that the events are listed in order of reporting times (either one hour or 24 hours)
• Removed references to “Impact Event” and replaced with the specific language for the event type in the “Entity with Reporting Responsibility”. For example, replaced “Impact Event” with “automatic load shedding”.
The ERO and the RE were added as applicable entities to reflect CIP-002 applicability to this standard.
Organization
Yes or No
Question 17 Comment
Georgia Transmission Corporation & Oglethorpe Power Corporation
In the discussion and related flowchart described as "A Reporting Process Solution - EOP-004," the
discussion suggests that Industry should notify the state law enforcement agency and then allow the state
agency to coordinate with local law enforcement. It has been our experience that we receive very good
response from local law enforcement and they have existing processes to notify state or federal agencies as
necessary. It appears the recommendation is to bypass the local law enforcement, but it is not clear that
representatives from state or local law enforcement were included in this discussion (see proposal discussed
with "FBI, FERC Staff, NERC Standards Project Coordinator and SDT Chair"). It would be helpful to see
some additional clarification to understand why the state agency was chosen over local or federal agencies.
Finally, we would like to express our gratitude to the DSR SDT for their hard work in making improvements to
the NERC standards for event reporting.
Response: The DSR DT thanks you for your comment.
The Flowchart has been updated. The DSR SDT has reviewed all comments and believes it is the
responsibility of the Reporting Entity to contact the appropriate law enforcement officials.
Bonneville Power Administration
Work needed on Part A Damage or Destruction of BES equipment. The Note 1 is OK, but the Threshold
doesn't match well. If a PCB is damaged by lightning or an earthquake, Note 1 (human action) doesn't
require Reporting (proper interpretation), but the Threshold still requires "equipment damage."
Response: The DSR DT thanks you for your comment. Attachment 1 has been updated concerning Destruction of BES equipment and the associated footnote has been revised.
Midwest Reliability Organization
On the Impact Reporting Form, number 7,8,9,10, and 11 have an asterisk (*) but nothing describes what the
asterisk means. Recommend a foot note be added to state: * If applicable to the reported Impact Event.
Response: The DSR DT thanks you for your comment. Attachment 1, Part B has been updated to reflect these noted changes.
Western Electricity Coordinating Council
Actual Reliability Impact Table comments: Note that per the NERC glossary "Energy Emergency" only is
defined for an LSE. Energy Emergency is the precursor term in the first three lines. Thus logically an LSE is
the only entity which would be initiating the event and responsible for reporting for first three items. We don't
believe that is the intent. We suggest you consider just eliminating “Energy Emergency” and going with:
• Public appeal for load reduction
• system-wide voltage reduction
• manual firm load shedding
For Loss of Off site power at Nuc Station is reporting really expected of each of the entities listed? (lots of reports) We
suggest you consider just the Nuclear GOP and perhaps the associated TOP. Perhaps you could use the CIP
approach as in the next two rows and say Applicable GOP and Transmission Entities under NUC-001-2
Potential Reliability Impact Table Comments: For Fuel Supply Emergency, Forced Intrusion, Risk to BES
Equipment, Cyber Security Incident where owner/operator are both listed (GO/GOP or TO/TOP) could
consider perhaps reporting to be assigned to only one rather than both.
Response: The DSR DT thanks you for your comment. The DSR SDT has removed the use of “Energy Emergency” and has updated Loss of offsite power
to a nuclear generating plant within Attachment 1.
Fuel Supply emergency has been removed from Attachment 1 per comments received. The entire
Attachment 1 has been updated per comments received.
Pacific Northwest Small Public
Power Utility Comment Group
All five requirements refer to Attachment 1 Part A either directly, or indirectly by referring to R1 plans.
Attachment 1 Part A, though, only provides the thresholds required for reporting (R5). No thresholds are
provided for planning (R1) or the requirements referencing the plan (R2-R4). Strictly interpreted, an entity
would be required to plan for any amount of firm load loss exceeding 15 minutes (for example), implement the
plan for any amount and then report only those events that exceeded the applicable 200 or 300 MW level. An
entity that had a peak load of less than 200 MW would still need to meet R1-R4 regarding load loss. We
believe the SDT intended to use common thresholds for all the requirements. Suggest relabeling the
Attachment 1 Part A column header from “Threshold for Reporting” to “Threshold.” We also fail to see how
an entity’s size in MWh affects the threshold for reporting firm load loss.
Response: The DSR DT thanks you for your comment. The DSR SDT has revised each Requirement and Attachment 1. There are other events within
Attachment 1 that a responsible entity will be required to report.
Dominion
The following comments are provided on the Reporting Hierarchy for Impact Events EOP-004-2: 1) A
reference to sabotage still exists in a “decision block”; 2) The “entry block” only specifies “actual Impact
Events” and does not address “potential”; 3) Hierarchy is misspelled in the title.
Attachment 2: Impact Event Reporting Form; in questions 7, 8, 9, 10, 11 what is the purpose of the *(asterisk) behind each Task that is
named?
Response: The DSR DT thanks you for your comment. The Flowchart has been updated based on comments received. Attachment 2 has been updated to reflect comments received.
Pepco Holdings Inc and Affiliates
IRO-000-1, Sec D1.5 and TOP-007, Sec D1.1 there are “after the fact” reporting requirements for IROL
violations. Since IROL violations are included in this standard, should those standards be modified? Should
the standard include a specific statement that this standard deals only with after the fact and other standards
deal with real time reporting? Since this standard deals with after the fact reporting, consideration should be
given to extending the time to report as defined in Attachment 1. One hour does not seem to be reasonable.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed TOP-007 and notes that the 72 hour issue is not defined within a
Requirement. This issue has been forwarded to the “NERC Issues Data base.” Attachment 1 has been updated to reflect this event to 24 hours per comments
received.
SPP Standards Review Group
In Attachment 2 just before the table, the statement is made that “NERC will accept the DOE OE-417 form in
lieu of this form if the entity is required to submit an OE-417 report.” But the last sentence in the Guideline
and Technical Basis white paper, it is stated that “For example, if the NERC Report duplicates information
from the DOE form, the DOE report may be included or attached to the NERC report, in lieu of entering that
information on the NERC report.” These are in conflict with each other. Which is correct? We prefer the
former over the latter. In Attachment 2 in Tasks 7-11 an asterisk appears in those tasks. To what does this
asterisk refer?
Response: The DSR DT thanks you for your comment. The DSR SDT’s White Paper was the initial road map for the SDT to follow. The DSR SDT has
proposed allowing entities to use the DOE Form OE-417 to report events listed within Attachment 1.
Midwest ISO Standards
Collaborators
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is not
reasonable as an entity may still be dealing with the event. This will be particularly difficult when support
personnel are not present such as during nights, holidays, and weekends.
Response: The DSR DT thanks you for your comment. Attachment 1 has been updated per comments received.
FirstEnergy
FE offers the following additional comments and suggestions:
1. In the Background section of EOP-004-2, on page 6 under Stakeholders in the Reporting Process, we
suggest adding “Regional Entity” and “Nuclear Regulatory Commission”.
2. The DSR SDT makes reference to comments that Exelon provided that suggested adopting the NRC
definition of "sabotage." We feel the comment made by Exelon in their previous submittal was to ensure that
the DSR SDT included the Nuclear Regulatory Commission (NRC) as a key Stakeholder in the Reporting
Process and FE agrees with this suggestion. Nuclear generator operators already have specific regulatory
requirements to notify the NRC for certain notifications to other governmental agencies in accordance with 10
CFR 50.72(b)(s)(xi). We ask that the DSR SDT contact the NRC about this project to ensure that existing
communication and reporting that a licensee is required to perform in response to a radiological sabotage
event (as defined by the NRC) or any incident that has impacted or has the potential to impact the BES does
not create either duplicate reporting, conflicting reporting thresholds or confusion on the part of the nuclear
generator operator. We believe this is a similar situation as what was recently resolved between NERC and
the NRC concerning the applicability of CIPs 002 – 009 for nuclear plants. Each nuclear generating site
licensee must have an NRC approved Security Plan that outlines applicable notifications to the FBI.
Depending on the severity of the security event, the nuclear licensee may initiate the Emergency Plan (E-Plan).
We ask that the proposed "Reporting Hierarchy for Impact Event EOP-004-2," flow chart be
coordinated with the NRC to ensure it does not conflict with existing expected NRC requirements and protocol
associated with site specific Emergency and Security Plans.
Response: The DSR DT thanks you for your comment. 1. We have added these as requested. 2. The NRC was added to the list on page 6 as requested.
The events in Attachment 1 that are applicable to nuclear plants are: Generation loss (>1,000 MW WECC, >2,000 MW Elsewhere); Destruction of BES
Equipment; Damage or destruction of Critical Asset per CIP-002; Damage or destruction of a Critical Cyber Asset per CIP-002; Forced Intrusion; Risk to BES
Equipment; and Detection of a Reportable Cyber Security incident. Two of these events are addressed in the situation that you mention above (CIP-002). The
other events should be reported to both the NRC and ERO if they occur. These are considered to be sabotage type events.
SERC OC Standards Review
Group
In Attachment 1, the reporting timeline should be no less than the end of the next business day for after-the-fact
reporting of events. If reporting in a time frame less than this is required for reliability, the groups or
organizations receiving the reports should be included in the functional model. The emphasis should be on
giving the operators the time to respond to events and not to reporting requirements. “The comments
expressed herein represent a consensus of the views of the above named members of the SERC OC
Standards Review group only and should not be construed as the position of SERC Reliability Corporation, its
board or its officers.”
Response: The DSR DT thanks you for your comment. Attachment 1 has been updated to reflect comments received. Many of the reporting time frames have been revised to 24 hours.
PJM Interconnection LLC
In the Compliance Enforcement Authority Section on Page 11, the second bullet says “If the Responsible
Entity works for the Regional Entity, then the Regional Entity will establish an agreement with the ERO or
another entity approved by the ERO and FERC (i.e. another Regional Entity) to be responsible for compliance
enforcement”. We are not sure what this exactly implies or means. Additional clarification is required.
Response: The DSR DT thanks you for your comment. The statement that PJM is referring to applies to Regional Entities that also have a functional model obligation.
Southern Company
Need guidance for incorporating disturbance reporting that is in CIP-008.
Response: The DSR DT thanks you for your comment. EOP-004-2 is the reporting vehicle for CIP-008. CIP-008-4, Requirement 1, Part 1.3 will be retired
upon approval of EOP-004-2.
We Energies
Attachment 2: What do the asterisks refer to? I didn’t see a comment or description related to them.
#7 & #10: What is “tripped”? Automatic or manual or both.
#13: This report has no Part 1.
Flowchart: By the flowchart, the only time an OE-417 is filed is when I do not need to contact Law Enforcement. The Reporting
Hierarchy flow chart should be modified. In the lower right corner it indicates that if sabotage is not confirmed,
the state law enforcement agency investigates. Law enforcement agencies will not investigate an incident
that is not a crime. Note too that state law enforcement agencies do not even investigate these kinds of
events unless and until requested by local law enforcement. The local law enforcement agency always has
initial jurisdiction until surrendered or seized by a superior agency’s authority. Evidence Retention is
incomplete. From the NERC Standards Process Manual: “Evidence Retention: Identification, for each
requirement in the standard, of the entity that is responsible for retaining evidence to demonstrate
compliance, and the duration for retention of that evidence.”
Response: The DSR DT thanks you for your comment. Attachment 1 and Attachment 2 have been updated per comments received. The Flowchart has been updated per your comment.
Compliance & Responsibility Organization
Nuclear power plants (a need for a revised approach)
With respect to sabotage, damage or destruction of BES
equipment, damage or destruction of a Critical Asset, damage or destruction of a Critical Cyber Asset, forced
intrusion, etc., nuclear plants already have a responsibility to report the events to the FBI and the Nuclear
Regulatory Commission (NRC). Performing another report to NERC, with potentially different requirements,
within 60 minutes of an event does not seem necessary or practical. It would also be difficult, during an
event, to report to external organizations, including but not limited to the Responsible Entities’ Reliability
Coordinator, NERC, Responsible Entities’ Regional Entity, Law Enforcement, and Governmental or
Provincial Agencies when operations personnel are pre-occupied with an abnormal or emergency situation.
Further, nuclear plants already have an obligation to report the loss of off site power to NRC. Similarly, now
that cyber assets will be regulated by the NRC, these reporting requirements should not be applicable to a
nuclear power plant. Thus, there is a need to exempt nuclear power plants from these requirements or
provide more flexibility to such plants, given its pre-existing NRC reporting requirements.
Attachment 1.
There is no explanation for why a report must be submitted within one hour of an event. As stated with respect to
nuclear, an entity should not be prioritizing between stabilizing the system and reporting. One approach that
would help balance conflicting priorities is to start the time frame after “all is clear.” Another approach could
involve the use of target times, with an allowance for exceptions during emergencies or situations in which it
is impracticable. Another alternative is to have two times: an earlier “target reporting time” and second later
“mandatory reporting time.” Further, the current wording suggests that a generator owner or generator
operator will be able to determine the impact or potential impact on the BES. This is not realistic, given that
impacts to the BES are generally only understood at a transmission operator or reliability coordinator level.
Thus, the concept of relying on generators to determine impacts on the BES needs to be eliminated. Also, as
written, for a generator, Attachment 1 appears to require a report when a lightning arrestor fails at a Critical
Asset. NextEra cannot see any justification for reporting such an event, and this is another reason why
Attachment 1 needs more review and revision prior to the next draft of EOP-004-2. This is one reason why
NextEra has suggested a materiality test for reporting in a definition of Attempted or Actual Sabotage.
Response: The DSR DT thanks you for your comment. Attachment 1 has been updated per comments received. Any NRC requirements or comments fall outside the scope of this project.
Exelon
The DSR SDT makes reference to comments that were previously provided that suggested adopting the NRC
definition of "sabotage." Respectfully, this commenter believes the DSR SDT did not understand the intent of
the original comment. The comment made by Exelon in the October 15, 2009 submittal was to ensure that
the DSR SDT made an effort to include the Nuclear Regulatory Commission (NRC) as a key Stakeholder in
the Reporting Process and to consider utilizing existing reporting requirements currently required by the NRC
for each nuclear generator operator. Depending on the event, a nuclear generator operator (NRC licensee)
also has specific regulatory requirements to notify the NRC for certain notifications to other governmental
agencies in accordance with 10 CFR 50.72, "Immediate notification requirements for operating nuclear power
reactors," paragraph (b)(2)(xi). The one hour notification requirement for an intrusion event would also meet an
emergency event classification at a nuclear power plant. If an operations crew is responsible for the one hour
notification and if separate notifications must be completed within the Emergency Plan event response, then
an evaluation in accordance with 10 CFR 50.54, "Conditions of licensees," paragraph (q), would need to be
performed to ensure that this notification requirement would not impact the ability to implement the
Emergency Plan. At a minimum the DSR SDT should communicate this project to the NRC to ensure that
existing communication and reporting that a licensee is required to perform in response to a radiological
sabotage event (as defined by the NRC) or any incident that has impacted or has the potential to impact the
BES does not create either duplicate reporting, conflicting reporting thresholds or confusion on the part of the
nuclear generator operator. Note that existing reporting/communication requirements are already established
with the FBI, DHS, NORAD, FAA, State Police, LLEA and the NRC depending on the event. There are
existing nuclear plant specific memorandums of understanding between the NRC and the FBI and each
nuclear generating site licensee must have a NRC approved Security Plan that outlines applicable
notifications to the FBI. Depending on the severity of the security event, the nuclear licensee may initiate the
Emergency Plan. The proposed "Reporting Hierarchy for Impact Event EOP-004-2," needs to be
communicated and coordinated with the NRC to ensure that the flow chart does not conflict with existing
expected NRC requirements and protocol associated with site specific Emergency and Security Plans.
Propose allowing for verbal reporting via telephone, for 1 hr. reporting with a follow up using the forms. With
the revised standard EOP-004-2 it eliminates the #8; loss of electric service >= 50K, however, that
requirement is still required for the DOE-OE-417 form. The question is do we still have to send it to NERC /
Region if NERC/ Region does not specifically still have that as a requirement? Also, with that requirement, on
the current EOP-004-1 it says that schedule 1 has to be filled out within 1 hour? This does not coincide with
DOE-OE-417 form. The bottom line, it looks like there is inconsistency as to what is reportable per EOP-004-2
and DOE-OE-417 form, some of the items are redundant, some are not, but better guidance is needed as to
which form to use when. The SDT should have a webinar with the industry to create an understanding as
to who is responsible to report what and at what time.
Response: The DSR DT thanks you for your comment. The NRC issues fall outside the scope of this project.
City of Tallahassee (TAL)
Attachment 2 (Impact Event Reporting Form) items 8, 9, 10, and 11 have an asterisk but no identification as
to what the asterisks refer to.
Response: The DSR DT thanks you for your comment. The asterisk was addressed at the bottom of the second page of the form. Attachment 2 has been updated to align with the types of events that are to be reported.
APX Power Markets
The reporting of Impact Events needs to be clearly spelled out and if moving some of that to State Agencies it
needs to be consistent in all States at the same time and which State it should be reported to. We have a 24-hour
Desk in one state that handles facilities in many other States. If there is an Impact Event that needs to
be reported, where is that report sent to. The State the facility resides in or the State where our 24-hour Desk
resides in.
Response: The DSR DT thanks you for your comment. Attachment 1 has been updated per comments received and a new column has been added to reflect
who the impacted entity is required to report to.
Arkansas Electric Cooperative
Corporation
We appreciate the added context through the use of extended background information, rationale statements,
and corresponding guideline and hope this context will remain in line with the Standards through the ballot
and approval process. We have a few suggestions and questions related to this context. Our comments for
this question relate to the contextual information. First of all, in the diagram on page 8, we suggest the
appropriate question to ask is "Is event associated with potential criminal activity?" rather than "Report to Law
Enforcement?" Also, it would be helpful to make clear the communication flow associated with the State
Agency is the responsibility of the State Agency and not the Responsible Entity. This could be shown with a
different colored background that calls this process out separately. In the rationale box for R3, it states "The
DSR SDT intends…" We propose this should read similar to "The objective of this requirement is…" Overall,
we suggest the SDT review the guidance document to make sure any changes made to the requirements are
consistent with the guidance.
Response: The DSR DT thanks you for your comment. The flowchart has been updated per comments received. The Rationale box will be removed upon this
Standard being Filed for approval.
American Electric Power
We still do not agree that LSE, TSP and IA should be included in the applicability of this standard. Having
processes to report to local or federal law enforcement agencies is “legislating the obvious”. The focus on
this standard should only be on Impact Event reporting to reliability entities.
Response: The DSR DT thanks you for your comment. Attachment 1 has been reviewed and updated. The LSE, TSP, and IA are required under the CIP
Standards and Attachment 1 is based on reporting per the CIP requirements.
Consumers Energy
1. We appreciate the aggregation of redundant standards on this subject, but have some concerns about the
content of the aggregated standard as listed below and in reference to previous questions on this comment
form.
2. It is not clear whether an event that meets OE-417 reporting criteria but is not defined within EOP-004-2
is an Impact Event; for example, “loss of 50,000 or more customers for 1 hour or more” is required to
be reported to DOE as a OE-417 type 11 event but it is not clear whether EOP-004-2 requires that such
events be also reported to NERC. The “Reporting Hierarchy” flow chart seems to suggest that any OE-417
must still be filed with NERC/RE. If the flow chart is not consistent with the intent of the Requirements, it must
be clarified.
3. NERC implies active involvement of law enforcement. This assumes that law enforcement has
the resources to be involved in an Impact Event investigation and fulfill the standard reporting requirements.
This is an unrealistic expectation as we have experienced first-hand, a lack of response by law enforcement
agencies as their resources shrink due to economic issues. Additionally, NERC is asking that we place
credence in law enforcement, on our behalf, to make a definitive decision about the reporting of events. Refer
to page 6 of EOP-004-2 under “Law Enforcement Reporting”: “…Entities rely upon law enforcement
agencies to respond and investigate those Impact Events which have the potential of wider area affect…” In
many cases, the internal security function must work with system operations personnel to thoroughly
understand the system and the effects of certain events. It is unrealistic to think law enforcement would be in
a position to make BES decisions within the timeframe given without having system operations experience. It
is our experience that external agencies do not understand the integration / inter-connectivity, resiliency, or
implications of our energy infrastructure.
4. Within Michigan, a “Michigan Fusion Center: Michigan Intelligence
Operations Center (MIOC)” has been established. Today, we share information such as substation issues
and identity theft (not internal issues) to the MIOC. The MIOC is trending incidents on critical infrastructure
assets and sectors around the state. The private sector is encouraged to report to the Fusion Center. If
NERC is collecting this type of information for future studies and trending / analysis, they should coordinate
with each state’s Fusion Center.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the Requirements per the comments received. Attachment 1
has been updated and the team has an additional column to reflect where a report should be sent. EOP-004-2 does not define what “law enforcement” is and
that will be left up to each entity.
Ameren
The following is a list of our greatest concerns. (1) We are concerned about the lack of definitions and use of
critical non-capitalized terms. As an example, there is a reportable Impact Event if there is a +/- 10% Voltage
Deviation for 15 minutes or more on BES Facilities. As a first example, why is the term Voltage Deviation
capitalized when it is not in the NERC Glossary and not proposed to be added? Where is the deviation
measured - at any BES metering device? What is the deviation to be reported - the nominal voltage? the
high-side of the Voltage Schedule? the low-side of the Voltage Schedule? the generator terminals? when a
unit is starting up? All of these are possible interpretations, but < 1% of them would ever result in a
Cascading outage - which is the reliability objective of this Standard. A second example is a Generation loss.
The threshold for reporting is 2,000 MW, or more, for the Eastern or Western Interconnection. Is this
simultaneous loss of capacity over the entire Interconnection? Or, cumulative loss within 1 hour? Or,
cumulative loss within 24 hours? How many individual GOPs have responsibility for > 2,000 MW? It seems
this would more effectively apply only to an RC and/or BA. The likelihood that one GOP would lose that much
generation at once is probably remote. A third example would be the damage or destruction of BES
equipment event. The term "equipment" was left lower case with a footnote explanation that includes “…due
to intentional or unintentional human action….” This is likely to require the determination of intent by the
human involved, which will almost certainly be impossible to determine within the 1 hour reporting time. Also,
what is the definition of the terms "damage" and "destruction"? Once again, if the reliability intent is to ONLY
report Events that have a likely chance of leading to Cascading, this will greatly reduce the potentially
enormous reporting burden that could result without this type of clarification. (2) Without a very thorough
understanding of the definitions of the terms requiring reporting, the 1 hour reporting constraint on most
events will likely require that we frequently overreport events to minimize any chance of non-compliance. A
webinar explaining expected reporting requirements would be very useful and valuable. It is also unclear why so
many Impact Events require such a short reporting time period. There will almost certainly be many times at
2:00 AM on a weekend when experts and the appropriate personnel will be available to quickly analyze an
event and decide, within 1 hour, if a report is necessary. (3) Have all the new Impact Event reporting
requirements been checked against reporting requirements from other Standards? For example, the Voltage
Deviation Event would appear to potentially overlap/conflict with instructions from a TOP for VAR-002
compliance. Since VAR-002-2 is now in draft, has the SDT worked with that Team to determine if the
requirements dovetail?
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the Requirements within EOP-004-2 and both Attachments 1 and 2 per
comments received. Many of the reporting time frames have been extended to 24 hours per comments received. Voltage deviation is no longer capitalized. All
event types are not intended to be new defined terms for the NERC Glossary and have been revised to lower case words. The reporting of voltage deviations is no
longer applicable to the GOP which obviates the need to coordinate with the VAR-002 standard drafting team.
ISO New England, Inc
Under the “Law Enforcement Reporting” it is stated “The Standard is intended to reduce the risk of
Cascading involving Impact Events. The importance of BES awareness of the threat around them is essential
to the effective operation and planning to mitigate the potential risk to the BES.” We question whether a
reporting standard can “reduce the risk of cascading” and wonder if the reference to the threat “around
them” refers to law enforcement? We would expect that the appropriate operating personnel are the only
entities that would be able to mitigate the potential risk to the BES.
As it currently stands there is a potential
duplication between the reporting requirements under EOP-004-2 (i.e. Attachment 2 Form) and the ERO
Event Analysis Process that is undergoing field test (i.e. Event Report Form). This will result in entities
(potentially multiple) reporting same event under two separate processes using two very similar forms. Is this
the intent or will information requirements be coordinated further prior to adoption in order to meet the
declared objective that the impact event reporting under EOP-004 be “the starting vehicle for any required
Event Analysis within the NERC Event Analysis Program”?
Response: The DSR DT thanks you for your comment. The Background section was provided to assist entities in understanding the DSR SDT’s process for
updating CIP-001 and EOP-004, only.
Calpine Corp
Focusing on reporting of actual disturbance events as listed in Attachment 1 based on potential or actual
impact to the Bulk Electric System will provide maximum benefit to system reliability without adding needless
levels of new documentation generated to demonstrate compliance. Absent significant evidence of systemic
problems in the industry with past reporting attributable to causes other than a lack of clear guidance on the
types of events that require reporting, the proposed Standard should focus on the single issue of correct
reporting, without attempting to micromanage how Entities internally manage such reporting.
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the requirements and Attachments 1 and 2 per comments received.
BGE
Please provide a Mapping Document which shows where the four CIP-001 requirements map to in the new
EOP-004-2, and note if any of the CIP-001 requirements have been eliminated. A Mapping Document was
provided during the first Comment Period, but not during the second Comment Period. A Mapping Document
will be very helpful to companies in aligning standard owners in reviewing this proposal and in transitioning
compliance programs when the revised standard is approved.
Response: The DSR DT thanks you for your comment. The DSR SDT has a current Mapping Document and it will be updated to reflect the changes that the
DSR SDT has made to EOP-004-2. This Mapping document will be posted with the standard when it is posted for comment and ballot.
CenterPoint Energy
CenterPoint Energy believes the flowchart found on page 8 identifying the reporting hierarchy for EOP-004 is
helpful. CenterPoint Energy believes the DOE reporting items should also be included on the right side of the
chart. Some of the issues with CIP-001 were a result of law enforcement’s preference and procedures for
notification. Law enforcement’s preferences and procedures should be considered for this draft. (Reference:
http://www.fbi.gov/contact-us/when)
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the flowchart and a current Mapping Document and it will be updated to
reflect the changes that the DSR SDT has made to EOP-004-2. The background section of the standard provides guidance with respect to
reporting events to law enforcement. For clarity, the DSR SDT has added the following sentence to the first paragraph under the heading
“Law Enforcement Reporting”: “These are the types of events that should be reported to law enforcement.” The entire paragraph is:
“The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages,
such as those due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to
law enforcement. Entities rely upon law enforcement agencies to respond to and investigate those events which have the potential to impact
a wider area of the BES. The inclusion of reporting to law enforcement enables and supports reliability principles such as protection of bulk
power systems from malicious physical or cyber attack. The Standard is intended to reduce the risk of Cascading events. The importance of
BES awareness of the threat around them is essential to the effective operation and planning to mitigate the potential risk to the BES.”
PPL Electric Utilities
We thank the SDT for addressing so many Industry concerns with the 2010 draft of EOP-004-2. We feel the
current draft version of EOP-004-2 is a significant improvement over current EOP-004-1 and CIP-001-1
standard and the previous draft. Thank you for your time.
Response: Thank you for your comment.
Occidental Power Marketing
Occidental Power Marketing appreciates the extensive work accomplished by the SDT and their
responsiveness to comments. Also, the presentation of this draft with its extensive explanation of the SDT's
considerations during development of the draft were very helpful in preparing our comments.
Response: Thank you for your comment.
Constellation Power Generation
CPG has the following comments regarding Attachment 2:
• Generally, this attachment is inadequate for all events. The real-life experience with the recent SW cold
snap demonstrated that the questions inadequately capture what may be of greatest concern in the situation.
• Question 4 – this question is vague. It should be removed.
• Question 7 – the role of generation in an event may not always be related to a trip. As experienced with
the recent SW cold snap, this question may inadequately capture information relevant to the situation at
hand. The drafting team should reassess how best to gather information relevant to the event and useful for
evaluation.
• Question 8 – generation is not required to monitor frequency during events, so this would not be answered.
This question also assumes that frequency had been impacted, which is not always the case (i.e., the plant
could not come online).
• The asterisk on some questions in Attachment 2 is not defined.
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the requirements and Attachments 1 and 2 per comments received.
Attachment 2 has been streamlined to match the types of events that are to be reported. The purpose of this standard is to have events reported. Once
reported, the events are included in the NERC Events Analysis Program for possible further investigation. The asterisk has been removed from Attachment 2.
Georgia System Operations
Corporation
Attachment 2: Impact Event Reporting Form
- Instructions for filling out this form are needed.
- Line 7, Generation tripped off-line: What is the asterisk for after this task and after the many others
following? This should only be reported by a BA. Does generation “tripped off-line” mean the same as
generation “lost”?
- Line 9, List of transmission facilities (lines, transformers, buses, etc.) tripped and locked-out: Does this
mean the same as BES Transmission Elements lost?
- Line 10: The column headings in white text on lighter blue
background at the top do not seem to apply from this line on.
- Line 11, Restoration Time: Restoration of what? Initial/Final clock time? Transmission? What about
transmission? Generation/Demand?
- Line 13, Identify the initial probable cause or known root cause of the actual or potential Impact Event if
known at time of submittal of Part I of this report: “At the time of submittal of Part I of this report”??
Where is Part II? Did you mean Part A? Is Part B to be submitted at a different time?
Background
- Page 5, last sentence which is continued on page 6: This standard does not recognize the various
“versions” of companies in the industry. The standard is made applicable to a long list of registered entity
types. In many cases, many of these entities are wrapped into one company. A company may be responsible
for “everything” in a geographic area. It may be almost every registered entity type with no other registered
entities within its geographic area. There should be no conflicts or need for coordination with others for
this company. Everything would be coordinated internally within that one company before being reported to
NERC and no one else would be reporting to NERC.
However, sometimes one company is only a LSE. When an LSE-only is having a LSE impact event, the LSE
should report to some higher operating entity like its BA and should not report to NERC. Reporting should
be done in a hierarchical manner within appropriate operating entities and then reported to NERC at the RC
(or BA) level or as agreed among entities in any coordinated impact event reporting plans. The RC, BA, TOP,
and LSE should not all be held accountable for reporting the same event.
This standard does not deal exclusively with after-the-fact reporting. Some events deal with the condition of
the system (risk of possible future events) or condition of an entity’s ability to operate (supplying fuel,
covering load, etc.) or with a threat to the BES.
- Page 6, Summary of Concepts: A single form may have been an objective but it is obviously not a concept
being implemented by the standard. There are two forms.
- Page 6, Law Enforcement Reporting: The object of the standard may be to prevent or reduce the risk of
Cascading. Reporting system situations to appropriate operating entities who can take some mitigating action
(e.g., a LSE reporting to its BA or a BA reporting to its RC) and reporting threats to law enforcement
officials could prevent or reduce the risk of Cascading but reporting to NERC is unlikely to do that.
Reporting of most of the listed events to NERC does not meet the objective of this standard and should be
removed from this standard. Such events should be reported to NERC through some other (than a Reliability
Standard) requirement for reporting to NERC so that NERC can accomplish its mission of analyzing events.
Analyzing events may lead to an understanding that could reduce the future risk of Cascading but not any
impending risks.
- Page 6, Stakeholders: What is “Homeland Security – State”? We know what the Department of Homeland
Security and the State Department are but this term is not clear.
- Page 6, “State Regulators”, “Local Law Enforcement”, and “State Law Enforcement”: These are not proper
nouns/names and are not defined in the NERC Glossary. They should not be capitalized.
- Pages 7 & 8, Law enforcement: Is each entity required to determine procedures for reporting to law
enforcement and work it out with the state law enforcement agency? Do the state law enforcement agencies
know this? Or is there a pre-determined procedure that is already worked out with the state law enforcement
agency that entities are to follow?
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the requirements and Attachments 1 and 2 per comments received.
Attachment 2 has been streamlined to match the types of events that are to be reported. The purpose of this standard is to have events reported. Once
reported, the events are included in the NERC Events Analysis Program for possible further investigation. The background section of the standard
provides guidance with respect to reporting events to law enforcement. For clarity, the DSR SDT has added the following sentence to the
first paragraph under the heading “Law Enforcement Reporting”: “These are the types of events that should be reported to law
enforcement.” The entire paragraph is:
“The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages,
such as those due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to
law enforcement. Entities rely upon law enforcement agencies to respond to and investigate those events which have the potential to impact
a wider area of the BES. The inclusion of reporting to law enforcement enables and supports reliability principles such as protection of bulk
power systems from malicious physical or cyber attack. The Standard is intended to reduce the risk of Cascading events. The importance of
BES awareness of the threat around them is essential to the effective operation and planning to mitigate the potential risk to the BES.”
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
We like the option to use the OE_417 as the reporting form for these events.
Response: The DSR DT thanks you for your comment. EOP-004-2 allows entities to utilize the DOE Form OE-417 to report events.
Indeck Energy Services
This revision seriously missed the mark.
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the requirements and Attachments 1 and 2 per comments received.
Progress Energy
Progress thanks the Standard Drafting Team for their efforts on this project. The BES definition is still being
revised under “Project 2010-17: Proposed Definition of Bulk Electric System.” “BES equipment” is
mentioned several times in this Standard. A better definition of BES is important to the effectiveness of this
Standard and integral to entities’ ability to comply with the Standard requirements. In Attachment 2, on the
Impact Event Reporting form, item 10 is “Demand Tripped” and the categories include “FIRM” and
“INTERRUPTIBLE.” It is unclear why interruptible load is included on the reporting form.
Response: The DSR DT thanks you for your comment. The definition of BES will apply to this standard after it is approved by stakeholders, the NERC BOT and
FERC. The DSR SDT has updated the requirements, Attachments 1 and 2 per comments received. Attachment 2 has been streamlined to match the types of
events that are to be reported. The purpose of this standard is to have events reported. Once reported, the events are included in the NERC Events Analysis
Program for possible further investigation. Firm and Interruptible load have been removed from the list of reportable events in Attachment 1.
Consideration of Comments
Disturbance and Sabotage Reporting (Project 2009-01)
The Disturbance and Sabotage Reporting Drafting Team thanks all commenters who submitted
comments on the second formal posting for Project 2009-01—Disturbance and Sabotage Reporting.
The standard was posted for a 45-day public comment period from October 28, 2011 through
December 12, 2011 and included an initial ballot during the last 10 days of the comment period.
Stakeholders were asked to provide feedback on the standard and associated documents through a
special electronic comment form. There were 76 sets of comments, including comments from
approximately 171 different people from approximately 140 companies representing nine of the ten
Industry Segments as shown in the table on the following pages.
All comments submitted may be reviewed in their original format on the standard’s project page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
If you feel that your comment has been overlooked, please let us know immediately. Our goal is to give
every comment serious consideration in this process! If you feel there has been an error or omission,
you can contact the Vice President of Standards and Training, Herb Schrayshuen, at 404-446-2560 or at
herb.schrayshuen@nerc.net. In addition, there is a NERC Reliability Standards Appeals Process.1
Summary Consideration
EOP-004-2 was posted for a 45-day formal comment period and initial ballot from October 28-December 12, 2011. The DSR SDT received comments from stakeholders to improve the readability
and clarity of the requirements of the standard. The revisions that were made to the standard are
summarized in the following paragraphs.
Purpose Statement
The DSR SDT revised the purpose statement to remove ambiguous language “with the potential to
impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of events by
Responsible Entities.”
1 The appeals process is in the Standard Processes Manual:
http://www.nerc.com/files/Appendix_3A_Standard_Processes_Manual_Rev%201_20110825.pdf
Operating Plan
Based on stakeholder comments, Requirement R1 was revised for clarity. Part 1.1 was revised to
replace the word “identifying” with “recognizing” and Part 1.2 was eliminated. This also aligns the
language of the standard with FERC Order 693, Paragraph 471.
“(2) specify baseline requirements regarding what issues should be addressed in the procedures
for recognizing {emphasis added} sabotage events and making personnel aware of such
events;”
Requirement R1, Part 1.3 (now Part 1.2) was revised by eliminating the phrase “as appropriate” and
adding language indicating that the Responsible Entity is to define its process for reporting and with
whom to report events. Part 1.2 now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to the
Electric Reliability Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator; law
enforcement governmental or provincial agencies.”
The SDT envisions that most entities will only need to slightly modify their existing CIP-001 Sabotage
Reporting procedures to comply with the Operating Plan requirement in this proposed standard. As
many of the features of both sabotage reporting procedures and the Operating Plan are substantially
similar, the SDT feels that some information in the sabotage reporting procedures may need to be
updated and verified.
Operating Plan Review and Communications Testing
Requirement R1, Part 1.4 was removed and Requirement R1, Part 1.5 was separated out as new
Requirement 4. Requirement R4 was revised and is now R3. FERC Order 693, Paragraph 466 includes
provisions for periodic review and update of the Operating Plan:
“466. The Commission affirms the NOPR directive and directs the ERO to incorporate a periodic
review or updating of the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Requirement R3 requires an annual test of the communication portion of Requirement R1 while
Requirement R4 requires an annual review of the Operating Plan:
“R3. Each Responsible Entity shall conduct an annual test, not including notification to the
Electric Reliability Organization, of the communications process in Part 1.2.”
“R4. Each Responsible Entity shall conduct an annual review of the event reporting Operating
Plan in Requirement R1.”
The DSR SDT envisions that the annual test will include verification that communication information
contained in the Operating Plan is correct. As an example, the annual update of the Operating Plan
could include calling “others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to
verify that their contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated. Note that there is no requirement to test the reporting of events to the Electric
Reliability Organization and the Responsible Entity’s Reliability Coordinator.
Operating Plan Implementation
Most stakeholders indicated that Requirements R2 and R3 were redundant and having both in the
standard was not necessary. Requirement R2 called for implementation of Parts 1.1, 1.2, 1.4 and 1.5.
Requirement R3 called for reporting events in accordance with the Operating Plan. The DSR SDT
deleted Requirement R2 based on stakeholder comments and revised R3 (now R2) to:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for applicable
events listed in EOP-004 Attachment 1, and in accordance with the timeframe specified in EOP-004 Attachment 1.”
Reporting Timelines
The DSR SDT received many comments regarding the various entries of Attachment 1. Many
commenters questioned the reliability benefit of reporting events to the ERO within 1 hour. Most of
the events with a one hour reporting requirement were revised to 24 hours based on stakeholder
comments; those types of events are currently required to be reported within 24 hours in the existing
mandatory and enforceable standards. The only remaining type of event that is to be reported within
one hour is “A reportable Cyber Security Incident” as it is required by CIP-008 and FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact appropriate
government authorities and industry participants in the event of a cyber security incident as
soon as possible, but in any event, within one hour of the event…”
The table was reformatted to separate one hour reporting and 24 hour reporting. The last column of
the table was also deleted and the information contained in the table was transferred to the sentence
above each table. These sentences are:
“One Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the parties identified
pursuant to Requirement R1, Part 1.2 within one hour of recognition of the event.”
“Twenty-four Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the parties
identified pursuant to Requirement R1, Part 1.2 within twenty-four hours of recognition of the
event.”
Note that the reporting timeline of 24 hours starts when the situation has been determined as a threat,
not when it may have first occurred.
Cyber-Related Events
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical Cyber Assets were
removed from Attachment 1. Stakeholders pointed out these events are adequately addressed through
the CIP-008 and “Damage or Destruction of a Facility” reporting thresholds. CIP-008 addresses Cyber
Security Incidents which are defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security Perimeter or
Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered
unavailable, would affect the reliability or operability of the Bulk Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a separate event
for “Damage or Destruction of a Critical Asset” is unnecessary.
Damage or Destruction
The event for “Destruction of BES equipment” has been revised to “Damage or destruction of a
Facility”. The threshold for reporting information was expanded for clarity:
“Damage or destruction of a Facility that: affects an IROL
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from intentional human action.”
Facility Definition
The DSR SDT used the defined term “Facility” to add clarity for this event as well as other events in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line,
a generator, a shunt compensator, transformer, etc.)”
The DSR SDT did not intend the use of the term Facility to mean a substation or any other facility (not a
defined term) that one might consider in everyday discussions regarding the grid. This is intended to
mean ONLY a Facility as defined above.
Physical Threats
Several stakeholders expressed concerns relating to the “Forced Intrusion” event. Their concerns
related to ambiguous language in the footnote. The DSR SDT discussed this event as well as the event
“Risk to BES equipment”. These two event types had overlap in the perceived reporting requirements.
The DSR SDT removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “Any physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen because the
Responsible Entity is in the best position to exercise this judgment and determine whether or not an
event poses a threat to its Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance:
“Examples include a train derailment adjacent to a Facility that either could have damaged a
Facility directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also, report any suspicious
device or activity at a Facility. Do not report copper theft unless it impacts the operability of a
Facility.”
Use of DOE OE-417
The DSR SDT received many comments requesting consistency with DOE OE-417 thresholds and
timelines. These items, as well as the Events Analysis Working Group’s (EAWG) requirements, were
considered in creating Attachment 1, but differences remain for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs; accommodation
of other reporting obligations was considered as an opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may trigger further
information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use the OE-417 form rather than
Attachment 2 to report under EOP-004. The SDT was informed by the DOE of its new online process
coming later this year. In this process, entities may be able to record email addresses associated with
their Operating Plan so that when the report is submitted to DOE, it will automatically be forwarded to
the posted email addresses, thereby eliminating some administrative burden to forward the report to
multiple organizations and agencies.
Miscellaneous
Other minor edits were made to Attachment 1. Several words were capitalized but not defined terms.
The DSR SDT did not intend for these terms to be capitalized (defined terms) and these words were
reverted to lower case. The event type “Loss of monitoring or all voice communication capability” was
divided into two separate events as “Loss of monitoring capability” and “Loss of all voice
communication capability”.
Attachment 2 was updated to reflect the revisions to Attachment 1. The reference to “actual or
potential events” was removed. Also, the event types “other” and “fuel supply emergency” were
removed.
It was noted that ‘Transmission Facilities’ is not a defined term in the NERC Glossary. Transmission and
Facilities are separately defined terms. The combination of these two definitions is what the DSR SDT
has based the applicability of “Transmission Facilities” on in Attachment 1.
Index to Questions, Comments, and Responses
1. The DSR SDT has revised EOP-004-2 to remove the training requirement R4 based on stakeholder
comments from the second formal posting. Do you agree with this revision? If not, please explain in the
comment area below.
2. The DSR SDT includes two requirements regarding implementation of the Operating Plan specified
in Requirement R1. The previous version of the standard had a requirement to implement the
Operating plan as well as a requirement to report events. The two requirements R2 and R3 were
written to delineate implementation of the Parts of R1. Do you agree with these revisions? If not,
please explain in the comment area below.
R2. Each Responsible Entity shall implement the parts of its Operating Plan that meet Requirement
R1, Parts 1.1 and 1.2 for an actual event and Parts 1.4 and 1.5 as specified.
R3. Each Responsible Entity shall report events in accordance with its Operating Plan developed to
address the events listed in Attachment 1.
3. The DSR SDT revised reporting times for many events listed in Attachment 1 from one hour to 24
hours. Do you agree with these revisions? If not, please explain in the comment area below.
4. Do you have any other comment, not expressed in the questions above, for the DSR SDT?
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Group/Individual
Commenter
Organization
Registered Ballot Body Segment
1
1.
Group
Gerald Beckerle
SERC OC Standards Review Group
Additional Member | Additional Organization | Region | Segment Selection
1. Charlie Cook | TVA
2. Jake Miller | Dynegy | SERC | 5
3. Joel Wise | TVA | SERC | 1, 3, 5, 6
4. Tim Hattaway | PowerSouth | SERC | 1, 5
5. Robert Thomasson | BREC | SERC | 1
6. Shaun Anders | CWLP | SERC | 1, 3
7. Jim Case | Entergy | SERC | 1, 3, 6
8. Tim Lyons | OMU | SERC | 3, 5
9. Len Sandberg | Dominion Virginia Power | SERC | 1, 3, 5, 6
LGE-KU
3
10. Brad Young
5, 6, 1, 3
SERC
11. Larry Akens
TVA
SERC
1, 3, 5, 6
12. Mike Hirst
Cogentrix
SERC
5
13. Wayne Van Liere
LGE-KU
SERC
3
14. Scott Brame
NCEMC
SERC
1, 3, 4, 5
15. Steve Corbin
SERC Reliability Corp.
SERC
10
16. John Johnson
SERC Reliability Corp.
SERC
10
17. John Troha
SERC Reliability Corp.
SERC
10
2.
Guy Zito
Group
Additional Member
Northeast Power Coordinating Council
Additional Organization
Region Segment Selection
1.
Alan Adamson
New York State Reliability Council, LLC
NPCC 10
2.
Greg Campoli
New York Independent System Operator
NPCC 2
3.
Sylvain Clermont
Hydro-Quebec TransEnergie
NPCC 1
4.
Chris de Graffenried Consolidated Edison Co. of New York, Inc. NPCC 1
5.
Gerry Dunbar
Northeast Power Coordinating Council
NPCC 10
6.
Ben Wu
Orange and Rockland Utilities
NPCC 1
7.
Peter Yost
Consolidated Edison co. of New York, Inc. NPCC 3
8.
Kathleen Goodman ISO - New England
NPCC 2
9.
Chantel Haswell
FPL Group, Inc.
NPCC 5
Hydro One Networks Inc.
NPCC 1
10. David Kiguel
2
11. Michael R. Lombardi Northeast Utilities
NPCC 1
12. Randy Macdonald
New Brunswick Power Transmission
NPCC 9
13. Bruce Metruck
New York Power Authority
NPCC 6
14. Lee Pedowicz
Northeast Power Coordinating Council
NPCC 10
15. Robert Pellegrini
The United Illuminating Company
NPCC 1
16. Si-Truc Phan
Hydro-Quebec TransEnergie
NPCC 1
17. David Ramkalawan Ontario Power Generation, Inc.
NPCC 5
18. Saurabh Saksena
National Grid
NPCC 1
19. Michael Schiavone
National Grid
NPCC 1
20. Wayne Sipperly
New York Power Authority
NPCC 5
21. Tina Teng
Independent Electricity System Operator
NPCC 2
22. Donald Weaver
New Brunswick System Operator
NPCC 2
3.
Group
Steve Alexanderson
Additional Member
Pacific Northwest Small Public Power Utility
Comment Group
Additional Organization
Russell A. Noble
Cowlitz County PUD No. 1
WECC 3, 4, 5
2.
Ronald Sporseen
Blachly-Lane Electric Cooperative
WECC 3
3.
Ronald Sporseen
Central Electric Cooperative
WECC 3
4.
Ronald Sporseen
Consumers Power
WECC 1, 3
5.
Ronald Sporseen
Clearwater Power Company
WECC 3
6.
Ronald Sporseen
Douglas Electric Cooperative
WECC 3
7.
Ronald Sporseen
Fall River Rural Electric Cooperative
WECC 3
8.
Ronald Sporseen
Northern Lights
WECC 3
9.
Ronald Sporseen
Lane Electric Cooperative
WECC 3
10. Ronald Sporseen
Lincoln Electric Cooperative
WECC 3
11. Ronald Sporseen
Raft River Rural Electric Cooperative
WECC 3
12. Ronald Sporseen
Lost River Electric Cooperative
WECC 3
13. Ronald Sporseen
Salmon River Electric Cooperative
WECC 3
14. Ronald Sporseen
Umatilla Electric Cooperative
WECC 3
15. Ronald Sporseen
Coos-Curry Electric Cooperative
WECC 3
16. Ronald Sporseen
West Oregon Electric Cooperative
WECC 3
17. Ronald Sporseen
Pacific Northwest Generating Cooperative WECC 3, 4, 8
18. Ronald Sporseen
Power Resources Cooperative
4.
Emily Pennel
Additional Member
Additional Organization
Region Segment Selection
SPP
1, 4
2. Clem Cassmeyer
Western Farmer's Electric Cooperative
SPP
1, 3, 5
3. Michelle Corley
Cleco Power
SPP
1, 3, 5
4. Kevin Emery
Carthage Water and Electric Plant
SPP
NA
5. Jonathan Hayes
Southwest Power Pool
SPP
2
6. Philip Huff
Arkansas Electric Cooperative Corporation SPP
3, 4, 5, 6
7. Ashley Stringer
Oklahoma Municipal Power Authority
4
Patricia Robertson
5
Southwest Power Pool Regional Entity
City Utilities of Springfield
Group
X
4
WECC 5
1. John Allen
5.
3
Region Segment Selection
1.
Group
2
SPP
BC Hydro
Additional Member Additional Organization Region Segment Selection
1. Patricia Robertson
BC Hydro
WECC 1
2. Rama Vinnakota
BC Hydro
WECC 2
3. Pat Harrington
BC Hydro
WECC 3
4. Clement Ma
BC Hydro
WECC 5
5. Daniel O'Hearn
BC Hydro
WECC 6
6.
Group
Mary Jo Cooper
ZGlobal on behalf of City of Ukiah, Alameda
Municipal Power, Salmen River Electric, City
of Lodi
X
X
Additional Member Additional Organization Region Segment Selection
1. Elizabeth Kirkley
City of Lodi
WECC 3
2. Colin Murphey
City of Ukiah
WECC 3
3. Douglas Draeger
Alameda Municipal Power
WECC 3
4. Ken Dizes
Salmen River Electric Coop WECC 3
7.
Group
WILL SMITH
MRO NSRF
Additional Member Additional Organization Region Segment Selection
1.
MAHMOOD SAFI
MRO
1, 3, 5, 6
2.
CHUCK LAWRENCE ATC
OPPD
MRO
1
3.
TOM WEBB
WPS
MRO
3, 4, 5, 6
4.
JODI JENSON
WAPA
MRO
1, 6
5.
KEN GOLDSMITH
ALTW
MRO
4
6.
ALICE IRELAND
NSP (XCEL)
MRO
1, 3, 5, 6
7.
DAVE RUDOLPH
BEPC
MRO
1, 3, 5, 6
8.
ERIC RUSKAMP
LES
MRO
1, 3, 5, 6
9.
JOE DEPOORTER
MGE
MRO
3, 4, 5, 6
10. SCOTT NICKELS
RPU
MRO
4
11. TERRY HARBOUR
MEC
MRO
1, 3, 5, 6
12. MARIE KNOX
MISO
MRO
2
13. LEE KITTELSON
OTP
MRO
1, 3, 4, 5
14. SCOTT BOS
MPW
MRO
1, 3, 5, 6
15. TONY EDDLEMAN
NPPD
MRO
1, 3, 5
16. MIKE BRYTOWSKI
GRE
MRO
1, 3, 5, 6
17. RICHARD BURT
MPC
MRO
1, 3, 5, 6
8.
Group
Steve Rueckert
No Additional members listed.
Western Electricity Coordinating Council
9.
Imperial Irrigation District
Group
Jesus Sammy Alcaraz
Additional Member Additional Organization Region Segment Selection
1. Tino Zaragoza
IID
WECC 1
2. Jesus Sammy Alcaraz IID
WECC 3
3. Diana Torres
IID
WECC 4
4. Marcela Caballero
IID
WECC 5
5. Cathy Bretz
IID
WECC 6
10.
Group
Additional Member
ACES Power Marketing Standards
Collaborators
Jean Nitz
Additional Organization
Region Segment Selection
1. Chris Bradley
Big Rivers Electric Corporation
SERC
1
2. Erin Woods
East Kentucky Power Cooperative
SERC
1, 3, 5
3. Susan Sosbe
Wabash Valley Power Association
RFC
3
4. Scott Brame
North Carolina Electric Membership Corporation RFC
5. Shari Heino
Brazos Electric Power Cooperative, Inc.
ERCOT 1
6. Lindsay Shepard
Western Farmers Electric Cooperative
SPP
11.
Group
Frank Gaffney
X
5, 1, 3, 4
1, 5
Florida Municipal Power Agency
Additional Member Additional Organization Region Segment Selection
1. Timothy Beyrle
City of New Smyrna Beach FRCC
4
2. Greg Woessner
KissimmeeUtility Authority FRCC
3
3. Jim Howard
Lakeland Electric
FRCC
3
4. Lynne Mila
City of Clewiston
FRCC
3
5. Joe Stonecipher
Beaches Energy Services FRCC
1
6. Cairo Vanegas
Fort Pierce Utility Authority FRCC
4
7. Randy Hahn
Ocala Utility Services
3
12.
Group
Terry L. Blackwell
FRCC
Santee Cooper
Additional Member Additional Organization Region Segment Selection
1. S. T. Abrams
Santee Cooper
SERC
1
2. Wayne Ahl
Santee Cooper
SERC
1
3. Rene Free
Santee Cooper
SERC
1
13.
Group
Sacramento Municipal Utility District
(SMUD)
Joe Tarantino
Additional Member Additional Organization Region Segment Selection
1. Kevin Smith
14.
Group
BANC
WECC 1
Robert Rhodes
Additional Member
SPP Standards Review Group
Additional Organization
Region Segment Selection
1. John Allen
City Utilities of Springfield
SPP
1, 4
2. Clem Cassmeyer
Western Farmer's Electric Cooperative
SPP
1, 3, 5
3. Michelle Corley
Cleco Power
SPP
1, 3, 5
4. Kevin Emery
Carthage Water and Electric Plant
SPP
NA
5. Jonathan Hayes
Southwest Power Pool
SPP
2
6. Philip Huff
Arkansas Electric Cooperative Corporation SPP
3, 4, 5, 6
7. Ashley Stringer
Oklahoma Municipal Power Authority
4
15.
Group
Connie Lowe
X
SPP
Dominion
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Louis Slade
RFC
3, 6
2. Michael Crowley
SERC
1, 3
3. Mike Garton
NPCC 5, 6
4. Michael Gildea
MRO
16.
Group
Sam Ciccone
5, 6
FirstEnergy
X
Additional Member Additional Organization Region Segment Selection
1. Doug Hohlbaugh
FE
RFC
1, 3, 4, 5, 6
2. Larry Raczkowski
FE
RFC
1, 3, 4, 5, 6
3. Jim Eckels
FE
RFC
1
4. John Reed
FE
RFC
1
5. Ken Dresner
FE
RFC
5
6. Bill Duge
FE
RFC
5
7. Kevin Querry
FE
RFC
5
17.
Group
PPL Electric Utilities and PPL Supply
Organizations
Annette M. Bannon
Additional Member Additional Organization Region Segment Selection
1. Brenda Truhe
PPL Electric Utilities
RFC
1
2. Annette Bannon
PPL Generation
RFC
5
3. Annette Bannon
PPL Generation
WECC 5
4. Mark Heimbach
PPL EnergyPlus
MRO
5. Mark Heimbach
PPL EnergyPlus
NPCC 6
6. Mark Heimbach
PPL EnergyPlus
RFC
6
7. Mark Heimbach
PPL EnergyPlus
SERC
6
8. Mark Heimbach
PPL EnergyPlus
SPP
6
9. Mark Heimbach
PPL EnergyPlus
WECC 6
18.
Group
Tom McElhinney
6
Electric Compliance
Additional Member Additional Organization Region Segment Selection
1. Ted Hobson
FRCC
1
2. John Babik
FRCC
5
3. Garry Baker
19.
Group
3
Michael Gammon
Kansas City Power & Light
X
Additional Member Additional Organization Region Segment Selection
1. Scott Harris
KCP&L
SPP
1, 3, 5, 6
2. Monica Strain
KCP&L
SPP
1, 3, 5, 6
3. Brett Holland
KCP&L
SPP
1, 3, 5, 6
4. Jennifer Flandermeyer KCP&L
SPP
1, 3, 5, 6
20.
Individual
Stewart Rake
Luminant Power
21.
Individual
PacifiCorp
Individual
Sandra Shaffer
Janet Smith, Regulatory
Affairs Supervisor
23.
Individual
Jim Eckelkamp
24.
Individual
25.
Individual
22.
Progress Energy
Silvia Parada Mitchell
Compliance & Responsibility Office
Antonio Grayson
Southern Company
Arizona Public Service Company
Individual
John Brockhan
CenterPoint Energy
X
Individual
28. Individual
Brenton Lopez
Bo Jones
Salt River Project
Westar Energy
29.
Individual
Michael Johnson
APX Power Markets (NCR-11034)
30.
Individual
David Proebstel
Clallam County PUD No.1
31.
Individual
Michael Moltane
ITC
32.
Individual
Tracy Richardson
Springfield Utility Board
33.
Individual
Kasia Mihalchuk
Manitoba Hydro
34.
Individual
Individual
Kevin Conway
Intellibind
Chris Higgins / Jim
Burns / Ted Snodgrass /
Jeff Millennor / Russell
Funk
Bonneville Power Administration
36.
Individual
Chris de Graffenried
37.
Individual
38.
39.
26.
27.
Consolidated Edison Co. of NY, Inc.
X
X
X
X
David Burke
Orange and Rockland Utilities, Inc.
X
X
Individual
Alice Ireland
Xcel Energy
X
X
X
X
Individual
Greg Rowland
Rodney Luck
Duke Energy
Los Angeles Department of Water and
Power
Individual
42. Individual
Daniel Duff
Lisa Rosintoski
Liberty Electric Power
Colorado Springs Utilities
43.
Independent Electricity System Operator
Individual
Michael Falvo
John Bee on Behalf of
Exelon
Individual
John D. Martinsen
Exelon
Public Utility District No. 1 of Snohomish
County
46.
Individual
RoLynda Shumpert
South Carolina Electric and Gas
47.
Individual
Kathleen Goodman
ISO New England
41.
44.
45.
Individual
10
X
X
Individual
9
X
X
40.
8
X
X
35.
48.
Individual
2
3
5
6
Texas Reliability Entity
Individual
50. Individual
Andrew Z. Pusztai
Anthony Jablonski
American Transmission Company, LLC
ReliabilityFirst
X
51.
Individual
Don Schmit
Nebraska Public Power District
52.
Individual
Dennis Sismaet
Seattle City Light
X
X
X
X
8
9
10
53.
Individual
John Seelke
PSEG
X
54.
Individual
Barry Lawson
NRECA
55.
Individual
Terry Harbour
MidAmerican Energy
56.
Individual
Thad Ness
57.
Individual
58.
American Electric Power
X
X
X
X
Guy Andrews
Georgia System Operations Corporation
X
X
X
X
Individual
Ed Davis
Individual
Margaret McNaul
Entergy Services
Thompson Coburn LLP on behalf of Miss.
Delta Energy Agency
60.
Individual
Bob Thomas
Illinois Municipal Electric Agency
61.
Individual
Kirit Shah
Ameren
X
X
62.
Individual
Linda Jacobson-Quinn
FEUS
63.
Individual
Tom Foreman
Lower Colorado River Authority
X
X
64.
Individual
Richard Salgo
NV Energy
65.
Individual
Nathan Mitchell
American Public Power Association
66.
Individual
Angela Summer
Southwestern Power Administration
67.
Individual
Michelle R D'Antuono
Ingleside Cogeneration LP
68.
Individual
Tim Soles
Occidental Power Services, Inc. (OPSI)
69.
Individual
Michael Lombardi
Northeast Utilities
X
X
X
70.
Individual
Andrew Gallo
City of Austin dba Austin Energy
X
X
71.
Individual
James Sauceda
Energy Northwest - Columbia
72.
Individual
Scott Berry
Indiana Municipal Power Agency
59.
7
X
Curtis Crews
49.
4
Individual
Maggy Powell
Constellation Energy on behalf of Baltimore
Gas & Electric, Constellation Power
Generation, Constellation Energy
Commodities Group, Constellation Control
and Dispatch, Constellation NewEnergy and
Constellation Energy Nuclear Group.
74.
Individual
Michael Brytowski
Great River Energy
75.
Individual
Christine Hasha
Electric Reliability Council of Texas, Inc.
76.
Individual
Darryl Curtis
Oncor Electric Delivery Company LLC
73.
1. The DSR SDT has revised EOP-004-2 to remove the training requirement R4 based on stakeholder comments from the second
formal posting. Do you agree with this revision? If not, please explain in the comment area below.
Summary Consideration: As a result of the industry comments, the SDT has further modified the standard as follows:
- Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by eliminating the phrase “as appropriate” and
indicating that the Responsible Entity is to define its process for reporting and with whom events are communicated.
- Combined relevant parts of Requirement R1, Parts 1.4, 1.5 and Requirement R4 into Requirement 1, Part 1.3.
- Deleted the requirement for drills or exercises
- Clarified that only Registered Entities conduct annual tests of the communication process outlined in Requirement 1, Part 1.2
- Changed the review of the Operating Plan to 'annually'
The DSR SDT envisions the testing under Requirement R1, Part 1.3 will include verification that contact information contained in the
Operating Plan is correct. As an example, the annual review of the Operating Plan could include calling “others as defined in the
Responsible Entity’s Operating Plan” (see Part 1.2) to verify their contact information is up to date. If any discrepancies are noted,
the Operating Plan would be updated.
Despite some industry opposition, both the periodic review of the Operating Plan and the testing requirements were maintained to
meet the intent of FERC Order 693, Paragraph 466:
“The Commission affirms the NOPR directive and directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting procedures.”
Organization
Yes or No
Question 1 Comment
Beaches Energy Services, City of Green Cove Springs
Negative
First, I wish to thank the SDT for their hard work and making significant
progress in significant improvements in the standard. I commend the
direction that the SDT is taking. There are; however, a few unresolved issues
that cause me to not support the standard at this time. 1. An issue of
possible differences in interpretation between entities and compliance
monitoring and enforcement is the phrase in 1.3 that states “the following
as appropriate”. Who has the authority to deem what is appropriate? The
requirements should be clear that the Responsible Entity is the decision
maker of who is appropriate, otherwise there is opportunity for conflict
between entities and compliance. Requirement R1, Part 1.3 (now Part 1.2)
was revised to add clarifying language by eliminating the phrase “as
appropriate” and indicating that the Responsible Entity is to define its
process for reporting and with whom to communicate events to as stated in
the entity’s Operating Plan.
In addition, 1.4 is onerous and burdensome regarding the need to revise the
plan within 90 days of “any” change, especially considering the ambiguity of
“other circumstances”. “Other circumstances” is open to interpretation and
a potential source of conflict.
Requirement R1, Part 1.4 was removed from the standard.
Response: Thank you for your comment. Please see response above.
New Brunswick Power Transmission
Corporation
Negative
It is NBPT’s opinion that because this is a standard associated with reporting
events after an occurrence, it is overly burdensome to require drills and
exercises for verification purposes as described in R4.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise. This has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
Response: Thank you for your comment. Please see response above.
United Illuminating Co.
Negative
R4 is not clear what is expected. There is a difference between testing a
process that consists of identifying an event then selecting communication contacts
versus needing to test contacts for each event in Attachment 1 and drill each
event and document each event drill.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
In R2 the phrase "as specified" should be replaced or completed, as
specified by what.
The DSR SDT has deleted Requirement R2 based on stakeholder comments
and revised R3 (now R2) to read: “Each Responsible Entity shall implement
its event reporting Operating Plan for applicable events listed in EOP-004
Attachment 1, and in accordance with the timeframe specified in EOP-004
Attachment 1.”
Response: Thank you for your comment. Please see response above.
City of Farmington
Negative
R4 requires verification through a drill or exercise the communication
process created as part of R1.3. Clarification of what a drill or exercise
should be considered. In order to show compliance to R4 would the entity
have to send a pseudo event report to Internal Personnel, the Regional
Entity, NERC ES-ISAC, Law Enforcement, and Governmental or provincial
agencies listed in R1.3 to verify the communications plan? It would not be a
burden on the entity so much, however, I’m not sure the external parties
want to be the recipient of approximately 2000 pseudo event reports
annually.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
Response: Thank you for your comment. Please see response above.
Hydro One Networks, Inc.
Negative
Referring to Requirement R4, the communication process can be verified
without having to go through a drill or exercise. Any specific testing or
verification of the process is the responsibility of the Responsible Entity.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
Despite some industry opposition, both periodic review of the Operating Plan
and the test requirements were maintained to meet the intent of FERC Order
693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
Response: Thank you for your comment. Please see response above.
Ameren Services
Negative
The current language in the parenthesis of R4 suggests that the training
requirement was actually not removed, in that "a drill or exercise"
constitutes training. As documented in the last sentence of the Summary of
Key Concepts section, "The proposed standard deals exclusively with after-the-fact reporting." We feel that training, even if it is called drills or exercises
is not necessary for an after-the-fact report.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
Despite some industry opposition, both periodic review of the Operating Plan
and the test requirements were maintained to meet the intent of FERC Order
693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
Response: Thank you for your comment. Please see response above.
Liberty Electric Power LLC
Negative
Voting no due to training not being an option to fill the "drill" requirement.
The reason for R4 seems to be to assure personnel will respond to an event
in accordance with the entity procedure. Entities meet their obligations for
other regulatory requirements with training, and should be permitted to do
so for R4.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated. This language does not
preclude the verification of contact information taking place during a
training event.
Response: Thank you for your comment. Please see response above.
ACES Power Marketing, Hoosier
Energy Rural Electric Cooperative,
Inc., Sunflower Electric Power
Corporation, Great River Energy
Negative
We appreciate the efforts of the SDT in considering the comments of
stakeholders from prior comment periods. We believe this draft is greatly
improved over the previous version and we agree with the elimination of
the term "sabotage" which is a difficult term to define. The determination of
an act of sabotage should be left to the proper law enforcement authorities.
However, we also realize that the proper authorities would be hard pressed
to make these determinations without reporting from industry when there
are threats to BES equipment or facilities. We understand and agree there
should be verification of the information required for such reporting
(contact information, process flow charts, etc). But we still believe
improvements can be made to the draft standard. The use of the words “or
through a drill or exercise” in Requirement R4 still implies that training is
required if no actual event has occurred. When you conduct a fire “drill” you
are training your employees on evacuation routes and who they need to
report to. Not only are you verifying your process but you are training your
employees as well. It is imperative that the information in the Event
Reporting process is correct but we don't agree that performing a drill on
the process is necessary. We recommend modifying the requirement to
focus on verifying the information needed for appropriate communications
on an event. And we agree this should take place at least annually.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
This language does not preclude the verification of contact information
taking place during a training event.
Response: Thank you for your comment. Please see response above.
Florida Municipal Power Agency
No
First, we wish to thank the SDT for their hard work and making significant
progress in significant improvements in the standard. We commend the
direction that the SDT is taking. There are; however, a few unresolved issues
that cause us to not support the standard at this time. An issue of possible
differences in interpretation between entities and compliance monitoring
and enforcement is the phrase in 1.3 that states “the following as
appropriate”. Who has the authority to deem what is appropriate? The
requirements should be clear that the Responsible Entity is the decision
maker of who is appropriate, otherwise there is opportunity for conflict
between entities and compliance.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying
language by eliminating the phrase “as appropriate” and indicating that the
Responsible Entity is to define its process for reporting and with whom to
communicate events to as stated in the entity’s Operating Plan. Part 1.2 now
reads: “A process for communicating each of the applicable events listed in
EOP-004 Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric Reliability Organization and other
organizations needed for the event type; i.e. the Regional Entity; company
personnel; the Responsible Entity’s Reliability Coordinator; law enforcement
governmental or provincial agencies.”
In addition, 1.4 is onerous and burdensome regarding the need to revise the
plan within 90 days of “any” change, especially considering the ambiguity of
“other circumstances”. “Other circumstances” is open to interpretation and
a potential source of conflict.
Requirement R1, Part 1.4 was removed from the standard.
Response: Thank you for your comment. Please see response above.
Illinois Municipal Electric Agency
No
IMEA agrees with the removal of the training requirement, but also believes
verification is not a necessary requirement for this standard; therefore, R4 is
not necessary and should be removed.
Requirement R4 related to an annual test of the communication portion of
Requirement 1. This has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
Response: Thank you for your comment. Please see response above.
Indiana Municipal Power Agency
No
IMPA does not believe that R4 is necessary. In addition, if a drill or exercise
is used to verify the communication process, some of the parties listed in
R1.3 may not want to participate in the drill or exercise every 15 months,
such as law enforcement and governmental agencies. IMPA would propose
contacting these agencies every 15 months to verify their contact
information only and updating their information in the plan as needed,
without performing a drill or exercise.
This has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
ISO New England
No
Please see further comments; we do not believe R4 is a necessary
requirement in the standard and suggest it be deleted.
Requirement R4 related to an annual test of the communication portion of
Requirement 1. This has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
Northeast Power Coordinating
Council
No
Requirement R4 is unnecessary. Whether or not the process, plan,
procedure, etc. is “verified” is of no consequence. EOP standards are
intended to have entities prepare for likely events (restoration/evacuation),
and to provide tools for similar unforeseen events (ice storms, tornadoes,
earthquakes, etc.). They should not force a script when results are what
matters.
Requirement R4 related to an annual test of the communication portion of
Requirement 1. This has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
Southern Company
No
Southern agrees with removing the training requirement of R4 from the
previous version of the standard. However, Southern suggests that drills
and exercises are also training and R4 in this revised standard should be
removed in its entirety.
The “drill or exercise” language has been deleted. Requirement R4 related to
an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
Ameren
No
The current language in the parenthesis of R4 suggests that the training
requirement was actually not removed, in that "a drill or exercise"
constitutes training. As documented in the last sentence of the Summary of
Key Concepts section, "The proposed standard deals exclusively with after-the-fact reporting." We feel that training, even if it is called drills or
exercises is not necessary for an after-the-fact report.
The “drill or exercise” language has been deleted. Requirement R4 related to
an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
Liberty Electric Power
No
Training should be left in the standard as an option, along with an actual
event, drill or exercise, to demonstrate that operating personnel have
knowledge of the procedure.
The “drill or exercise” language has been deleted. Requirement R4 related
to an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
This language does not preclude the verification of contact information
taking place during a training event.
Response: Thank you for your comment. Please see response above.
SERC OC Standards Review Group
No
We agree with removing the training requirement of R4; however we
believe that drills and exercises are also training and R4 should be removed
in its entirety because drills and exercises on an after the fact process do not
enhance reliability.
The “drill or exercise” language has been removed. Requirement R4 related
to an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
ACES Power Marketing Standards
Collaborators/Great River Energy
No
We understand and agree there should be verification of the information
required for such reporting (contact information, process flow charts, etc).
But we still believe improvements can be made to the draft standard, in
particular to requirement R4. The use of the words “or through a drill or
exercise” still implies that training is required if no actual event has
occurred. When you conduct a fire “drill” you are training your employees
on evacuation routes and who they need to report to. Not only are you
verifying your process but you are training your employees as well. It is
imperative that the information in the Event Reporting process is correct but
we don't agree that performing a drill on the process is necessary. We
recommend modifying the requirement to focus on verifying the
information needed for appropriate communications on an event. And we
agree this should take place at least annually.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
This language does not preclude the verification of contact information
taking place during a training event.
Response: Thank you for your comment. Please see response above.
Ingleside Cogeneration LP
Yes
Yes. Ingleside Cogeneration LP agrees that training on an incident
reporting operations plan should be at the option of the entity. However,
we recommend that a statement be included in the “Guideline and
Technical Basis” section that encourages drills and exercises be coincident
with those conducted for Emergency Operations. Since front-line operators
must send out the initial alert that a reportable condition exists, such
exercises may help determine how to manage their reporting obligations
during the early stages of the troubleshooting process. This is especially true
where a notification must be made within an hour of discovery - a very short
time period.
The “drill or exercise” language has been removed. Requirement R4 related
to an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
This language does not preclude the verification of contact information
taking place during a training event.
Response: Thank you for your comment. Please see response above.
American Public Power Association
Yes
APPA agrees that removal of the training requirement was an appropriate
revision to limit the burden on small registered entities. However, APPA
requests clarification from the SDT on the current draft of R4. If no event
occurs during the calendar year, a drill or exercise of the Operating Plan
communication process is required. APPA believes that if this drill or
exercise is required, then it should be a table top verification of the internal
communication process such as verification of phone numbers and stepping
through a Registered Entity specific scenario. This should not be a full drill
with requirements to contact outside entities such as law enforcement,
NERC, the RC or other entities playing out a drill scenario. This full drill
would be a major burden for small entities.
The “drill or exercise” language has been removed. Requirement R4 related
to an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
Response: Thank you for your comment. Please see response above.
FirstEnergy
Yes
FirstEnergy supports this removal and thanks the drafting team.
Response: Thank you for your comment. Please see response above.
Compliance & Responsibility Office
Yes
See comments in response to Question 4.
Response: Thank you for your comment. See response to Question 4.
NV Energy
Yes
Thank you for responding to the stakeholder comments on this issue.
Yes
Yes, we support removal of the training requirement.
Response: Thank you for your comment.
Constellation Energy on behalf of
Baltimore Gas & Electric,
Constellation Power Generation,
Constellation Energy Commodities
Group, Constellation Control and
Dispatch, Constellation NewEnergy
and Constellation Energy Nuclear
Group.
Response: Thank you for your comment.
Pacific Northwest Small Public Power
Utility Comment Group
Yes
Southwest Power Pool Regional
Entity
Yes
BC Hydro
Yes
ZGlobal on behalf of City of Ukiah,
Alameda Municipal Power, Salmen
River Electric, City of Lodi
Yes
MRO NSRF
Yes
Western Electricity Coordinating
Council
Yes
Imperial Irrigation District
Yes
Santee Cooper
Yes
Sacramento Municipal Utility District
(SMUD)
Yes
SPP Standards Review Group
Yes
Dominion
Yes
PPL Electric Utilities and PPL Supply
Organizations
Yes
Electric Compliance
Yes
Kansas City Power & Light
Yes
Luminant Power
Yes
PacifiCorp
Yes
Arizona Public Service Company
Yes
CenterPoint Energy
Yes
Salt River Project
Yes
Westar Energy
Yes
APX Power Markets (NCR-11034)
Yes
Clallam County PUD No.1
Yes
ITC
Yes
Springfield Utility Board
Yes
Manitoba Hydro
Yes
Intellibind
Yes
Bonneville Power Administration
Yes
Consolidated Edison Co. of NY, Inc.
Yes
Orange and Rockland Utilities, Inc.
Yes
Xcel Energy
Yes
Duke Energy
Yes
Colorado Springs Utilities
Yes
Independent Electricity System
Operator
Yes
Exelon
Yes
Public Utility District No. 1 of
Snohomish County
Yes
South Carolina Electric and Gas
Yes
American Transmission Company,
LLC
Yes
Nebraska Public Power District
Yes
Seattle City Light
Yes
PSEG
Yes
MidAmerican Energy
Yes
American Electric Power
Yes
Georgia System Operations
Corporation
Yes
FEUS
Yes
Lower Colorado River Authority
Yes
Southwestern Power Administration
Yes
Occidental Power Services, Inc.
(OPSI)
Yes
Northeast Utilities
Yes
City of Austin dba Austin Energy
Yes
Energy Northwest - Columbia
Yes
Electric Reliability Council of Texas,
Inc.
Yes
Oncor Electric Delivery Company LLC
Yes
Progress Energy
Los Angeles Department of Water
and Power
Texas Reliability Entity
ReliabilityFirst
NRECA
Entergy Services
Thompson Coburn LLP on behalf of
Miss. Delta Energy Agency
2. The DSR SDT includes two requirements regarding implementation of the Operating Plan specified in Requirement R1. The
previous version of the standard had a requirement to implement the Operating Plan as well as a requirement to report events.
The two requirements R2 and R3 were written to delineate implementation of the Parts of R1. Do you agree with these
revisions? If not, please explain in the comment area below.
R2. Each Responsible Entity shall implement the parts of its Operating Plan that meet Requirement R1, Parts 1.1 and 1.2 for an
actual event and Parts 1.4 and 1.5 as specified.
R3. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in
Attachment 1.
Summary Consideration: Most stakeholders believed that Requirements R2 and R3 were redundant and having both in the standard
was not necessary. Requirement R2 called for implementation of Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting
events in accordance with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder comments and revised R3
(now R2) to:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for applicable events listed in EOP-004 Attachment 1,
and in accordance with the timeframe specified in EOP-004 Attachment 1.”
Organization
Yes or No
Question 2 Comment
Ameren Services
Negative
(2) The new wording while well intentioned, effectively does not add clarity and
leads to confusion. From our perspective, R1, which requires an Operating Plan,
which is defined by the NERC glossary as: "A document that identifies a group of
activities that may be used to achieve some goal. An Operating Plan may contain
Operating Procedures and Operating Processes. A company-specific system
restoration plan that includes an Operating Procedure for black-starting units,
Operating Processes for communicating restoration progress with other entities,
etc., is an example of an Operating Plan."
The DSR SDT thanks you for your comment. The SDT has made changes to the
requirements highlighted in your comments.
FERC Order 693, Paragraph 466 includes provisions for periodic review and update of
the Operating Plan: “466. The Commission affirms the NOPR directive and directs the
ERO to incorporate a periodic review or updating of the sabotage reporting procedures
and for the periodic testing of the sabotage reporting procedures.”
(3) Is not a proper location for an after-the-fact reporting standard? In fact it could
be argued that after-the-fact reports in and of themselves do not affect the reliability
of the bulk electric system.
The DSR SDT does not agree with this comment. Reporting of an event will give the
Electric Reliability Organization and your Reliability Coordinator the situational
awareness of what has occurred on your part of the BES. Plus as described in your
Operating Plan, you would have communicated the event as you saw fit. By
broadcasting that an event has occurred you will increase the awareness of your
company (as described in your Operating Plan) and increase the awareness of the
Electric Reliability Organization and your Reliability Coordinator.
(4) But considering the proposed standard as written with the Operating Plan in
requirement R1, and implementation of the Operating Plan in requirement R2
(except the actual reporting which is in R3) and then R3 which requires implementing
the reporting section R1.3, it is not clear how these requirements can be kept
separate in either implementation nor by the CEA.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation
of Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in
accordance with the Operating Plan. The DSR SDT deleted Requirement R2 based on
stakeholder comments and revised R3 (now R2). The test and review requirement is
included in the Standard to meet the intent of FERC Order 693, paragraph 466: “The
Commission affirms the NOPR directive and directs the ERO to incorporate a periodic
review or updating of the sabotage reporting procedures and for the periodic testing
of the sabotage reporting procedures.”
(5) The second sentence in the second paragraph of “Rationale for R1” states: “The
main issue is to make sure an entity can a) identify when an event has occurred and
b) be able to gather enough information to complete the report.” This is crucial for a
Standard like this that is intended to mandate actions for events that are frequently
totally unexpected and beyond normal planning criteria. This language needs to be
added to Attachment 1 by the DSR SDT as explained in the rest of our comments.
The DSR SDT has updated the Rationale for Part 1.2 (previous Part 1.3) to read as:
“Part 1.2 could include a process flowchart, identification of internal and external
personnel or entities to be notified, or a list of personnel by name and their
associated contact information.” Whereas Part 1.2 now states:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.”
Response: Thank you for your comment. Please see response above.
Old Dominion Electric Coop.
Negative
I disagree with two things in the presently drafted standard. First, I do not feel a
separate requirement to implement the plan is necessary (R2),
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
and I do not think that verification of the communications process should require a
minimum of a drill or exercise. This is verified now under the current standard CIP-001
through verified contact with the appropriate authorities and this should be enough
to verify that the communications for the plan is in place.
The “drill or exercise” language has been removed. Requirement R4 related to an
annual test of the communication portion of Requirement 1. This has been revised
to:
R3. Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2. The
DSR SDT envisions that the testing under Requirement R3 will include verification of
contact information contained in the Operating Plan is correct. As an example, the
annual review of the Operating Plan could include calling “others as defined in the
Responsible Entity’s Operating Plan” (see part 1.2) to verify that their contact
information is up to date. If any discrepancies are noted, the Operating Plan would
be updated.
Response: Thank you for your comment. Please see response above.
ACES Power Marketing,
Hoosier Energy Rural Electric
Cooperative, Inc., Sunflower
Electric Power Corporation,
Great River Energy/ ACES
Power Marketing Standards
Collaborators/ Great River
Energy
Negative
Requirement R2 requires Responsible Entities to implement the various sub-requirements in R1. We believe it is unnecessary to state that an entity must
implement their Operating Plan in a separate requirement. Having a separate
requirement seems redundant. If the processes in the Operating Plan are not
implemented, the entity is non-compliant with the standard.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
There doesn’t need to be an extra requirement saying entities need to implement
their Operating Plan.
The test and review requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
Response: Thank you for your comment. Please see response above.
Hydro One Networks, Inc.
Negative
Requirement R2 seems to not be necessary. Who would have a plan and not
implement it? This may also introduce double jeopardy issues should some entity not
have a plan as required in R1. They would be unable to implement something they
did not have so automatically non-compliant with R1 and R2. o Requirements R2 and
R3 seem to be redundant. Isn't implementing the Operating Plan the same as
reporting events in accordance with its Operating Plan?
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
The standard mentions collecting information for Attachment 2, but the standard
does not state what to do with Attachment 2. Is it merely a record for demonstrating
compliance with R3?
The DSR SDT has updated Requirement R2 to read: “Each Responsible Entity must
report and communicate events according to its Operating Plan based on the
information in Attachment 1.”
The DSR SDT has also added the following statement to Attachment 1 for 1 hour
reporting time frame and 24 hour reporting time frame, respectfully:
“One Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the parties
identified pursuant to Requirement R1, Part 1.2 within one hour of recognition of the
event”
And
“Twenty-four Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the
parties identified pursuant to Requirement R1, Part 1.2 within twenty-four hour of
recognition of the event.”
Response: Thank you for your comment. Please see response above.
Beaches Energy Services, City
of Green Cove Springs
Negative
Requirements R2 and R3 are to implement the Operating Plan. Hence, R3 should be a
bullet under R2 and not a separate requirement. In addition, for R2, the phrase
“actual event” is ambiguous and should mean: “actual event that meets the criteria
of Attachment 1” I suggest the following wording to R2 (which will result in
eliminating R3) “Each Responsible Entity shall implement its Operating Plan: o For
actual events meeting the threshold criteria of Attachment 1, in accordance with
Requirement R1 parts 1.1, 1.2 and 1.3
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
o For review and updating of the Operating Plan, in accordance with Requirement R1
parts 1.4 and 1.5” Note that I believe that if the SDT decides to not combine R2 and
R3, then we disagree with the distinction between the two requirements.
Requirements R2 and R3 have been combined. Requirement 1, Part 1.4 was removed.
The division of implementing R1 through R2 and R3 as presented is “implementing”
vs. “reporting”. We believe that the correct division should rather be
“implementation” of the plan (which includes reporting) vs. revisions to the plan.
The DSR SDT has updated Requirement R2 to read as: “R2. Each Responsible Entity
shall implement the Operating Plan that meets Requirement R1 for events listed in
Attachment 1.”
FERC Order 693 section 617 states “…the Commission directs the ERO to develop a
modification to EOP-004-1 through the reliability Standards development process that
includes any Requirement necessary for users, owners, and operators of the Bulk-Power System to provide data…”. In order for entities to provide data they are
required to implement their Operating Plan.
Response: Thank you for your comment. Please see response above.
Ameren
No
(1) The new wording while well intentioned, effectively does not add clarity and
leads to confusion. From our perspective, R1, which requires an Operating Plan,
which is defined by the NERC glossary as: "A document that identifies a group of
activities that may be used to achieve some goal. An Operating Plan may contain
Operating Procedures and Operating Processes. A company-specific system
restoration plan that includes an Operating Procedure for black-starting units,
Operating Processes for communicating restoration progress with other entities,
etc., is an example of an Operating Plan."
The DSR SDT has maintained Requirement 1 with the wording of “Operating Plan”
which gives entities the flexibility of containing an Operating Process or Operating
Procedure, as stated as “An Operating Plan may contain Operating Procedures and
Operating Processes.” Please note the use of “may contain” in the NERC approved
definition.
Requirement 1 now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.
(2) Is not a proper location for an after-the-fact reporting standard? In fact it could
be argued that after-the-fact reports in and of themselves do not affect the reliability
of the bulk electric system.
The DSR SDT does not agree with this comment. Reporting of an event will give the
Electric Reliability Organization and your Reliability Coordinator the situational
awareness of what has occurred on your part of the BES. Plus as described in your
Operating Plan, you would have communicated the event as you saw fit. By
broadcasting that an event has occurred you will increase the awareness of your
company (as described in your Operating Plan) and increase the awareness of the
Electric Reliability Organization and your Reliability Coordinator.
(3) But considering the proposed standard as written with the Operating Plan in
requirement R1, and implementation of the Operating Plan in requirement R2
(except the actual reporting which is in R3) and then R3 which requires implementing
the reporting section R1.3, it is not clear how these requirements can be kept
separate in either implementation nor by the CEA.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation
of Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in
accordance with the Operating Plan. The DSR SDT deleted Requirement R2 based on
stakeholder comments and revised R3 (now R2).
The test and review requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
(4) The second sentence in the second paragraph of “Rationale for R1” states: “The
main issue is to make sure an entity can a) identify when an event has occurred and
b) be able to gather enough information to complete the report.” This is crucial for a
Standard like this that is intended to mandate actions for events that are frequently
totally unexpected and beyond normal planning criteria. This language needs to be
added to Attachment 1 by the DSR SDT as explained in the rest of our comments.
The DSR SDT has updated the Rationale for Part 1.2 (previous Part 1.3) to read as:
“Part 1.2 could include a process flowchart, identification of internal and external
personnel or entities to be notified, or a list of personnel by name and their
associated contact information.” Whereas Part 1.2 now states:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1
to the Electric Reliability Organization and other organizations needed for the event
type; i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.”
Response: Thank you for your comment. Please see response above.
American Electric Power
No
AEP prefers to avoid requirements that are purely administrative in nature.
Requirements should be clear in their actions of supporting of the BES. For example,
we would prefer requirements which state what is to be expected, and allowing the
entities to develop their programs, processes, and procedures accordingly. It has
been our understanding that industry, and perhaps NERC as well, seeks to reduce the
amount of administrative (i.e. document-based) requirements. We are confident
that the appropriate documentation and administrative elements would occur as a
natural course of implementing and adhering to action-based requirements. In light
of this perspective, we believe that R1 and R2 are not necessary, and that R3
would be sufficient by itself. Our comments above notwithstanding, AEP strongly
encourages the SDT to consider that R2 and R3, if kept, be merged into a single
requirement as a violation of R2 would also be a violation of R3. Two violations
would then occur for what is essentially only a single incident. Rather than having
both R2 and R3, might R3 be sufficient on its own? R2 is simply a means to an end of
achieving R3.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation
of Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in
accordance with the Operating Plan. The DSR SDT deleted Requirement R2 based on
stakeholder comments and revised R3 (now R2).
The test and review requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
If there is a need to explicitly reference implementation, that could be addressed as
part of R1. For example, R1 could state “Each Responsible Entity shall implement an
Operating Plan that includes...” R1 seems disjointed, as subparts 1.4 and 1.5
(updating and reviewing the Operating Plan) do not align well with subparts 1.1
through 1.3 which are process related. If 1.4 and 1.5 are indeed needed, we
recommend that they be a part of their own requirement(s). Furthermore, the
action of these requirements should be changed from emphasizing provision(s) of a
process to demonstrating the underlying activity.
The DSR SDT has maintained Requirement 1 with the wording of “Operating Plan”
which gives entities the flexibility of containing an Operating Process or Operating
Procedure, as stated as “An Operating Plan may contain Operating Procedures and
Operating Processes.” Please note the use of “may contain” in the NERC approved
definition.
Requirement 1 now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.
1.4 AEP is concerned by the vagueness of requiring provision(s) for updating the
Operating Plan for “changes”, as such changes could occur frequently and
unpredictably.
Part 1.4 was removed from the standard.
It is the sole responsibility of the Applicable Entity to determine when an annual
review of the Operating Plan is required. The Operating Plan has the minimum
requirement for an annual review. You may review your Operating Plan as often as
you see appropriate.
Response: Thank you for your comment. Please see response above.
Occidental Power Services, Inc. (OPSI)
No
Attachment 1 and R3 require event reports to be sent to the ERO and the entity’s RC
and to others “as appropriate.” Although this gives the entity some discretion, it
might also create some “Monday morning quarterbacking” situations. This is
especially true for the one hour reporting situations as personnel that would be
responding to these events are the same ones needed to report the event. OPSI
suggests that the SDT reconsider and clarify reporting obligations with the objective
of sending initial reports to the minimum number of entities on a need-to-know
basis.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is
to define its process for reporting and with whom to communicate events to as stated
in the entity’s Operating Plan.
The DSR SDT also received many comments regarding the various events of
Attachment 1. Many commenters questioned the reliability benefit of reporting
events to the ERO and their Reliability Coordinator within 1 hour. Most of the events
with a one hour reporting requirement were revised to 24 hours based on stakeholder
comments as well as those types of events are currently required to be reported
within 24 hours in the existing mandatory and enforceable standards. The only
remaining type of event that is to be reported within one hour is “A reportable Cyber
Security Incident” as it is required by CIP-008.
FERC Order 706, paragraph 673 states: “…each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but, in any event within one hour of the event…”
Response: Thank you for your comment. Please see response above.
Ingleside Cogeneration LP
No
Attachment 1 and requirement R3 are written in a manner which would seem to
indicate that internal personnel and law enforcement personnel would have to be
copied on the submitted form - either Attachment 2 or OE-417. We believe the
intent is to submit such forms to the appropriate recipients only (e.g.; the ERO and
the DOE). The requirement should be re-written to clarify that this is the case.
The DSR SDT thanks you for your comment. Requirement 1 has been updated and
now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.
The Applicable Entity’s Operating Plan is to contain the process for reporting events
listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and for communicating to others as defined in the Responsible
Entity’s Operating Plan. All events in Attachment 1 are required to be reported to the
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator.
The Operating Plan may include: internal company personnel, your Regional Entity, law
enforcement, and governmental or provincial agencies, as you identify within your
Operating Plan. This gives you the flexibility to tailor your Operating Plan to fit your
company’s needs and wants.
Response: Thank you for your comment. Please see response above.
Florida Municipal Power
Agency
No
Both requirements are to implement the Operating Plan. Hence, R3 should be a
bullet under R2 and not a separate requirement. In addition, for R2, the phrase
“actual event” is ambiguous and should mean: “actual event that meets the criteria
of Attachment 1”. We suggest the following wording to R2 (which will result in
eliminating R3): “Each Responsible Entity shall implement its Operating Plan: o For
actual events meeting the threshold criteria of Attachment 1 in accordance with
Requirement R1 parts 1.1, 1.2 and 1.3
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
o For review and updating of the Operating Plan in accordance with Requirement R1
parts 1.4 and 1.5” Note that we believe that if the SDT decides to not combine R2 and
R3, then we disagree with the distinction between the two requirements.
The test and review requirement is included in the Standard to meet the intent of FERC
Order 693, paragraph 466: “The Commission affirms the NOPR directive and directs
the ERO to incorporate a periodic review or updating of the sabotage reporting
procedures and for the periodic testing of the sabotage reporting procedures.”
The division of implementing R1 through R2 and R3 as presented is “implementing”
vs. “reporting”. We believe that the correct division should rather be
“implementation” of the plan (which includes reporting) vs. revisions to the plan.
The DSR SDT has updated Requirement R2 to read as: “R2. Each Responsible Entity
shall implement the Operating Plan that meets Requirement R1 for events listed in
Attachment 1.”
FERC Order 693 section 617 states “…the Commission directs the ERO to develop a
modification to EOP-001-1 through the reliability Standards development process
that includes any Requirement necessary for users, owners, and operators of the
Bulk-Power System to provide data…”. In order for entities to provide data they are
required to implement their Operating Plan.
Response: Thank you for your comment. Please see response above.
Indiana Municipal Power
Agency
No
Both requirements seem to be implementing the Operating Plan which means R3
should be a bullet under R2 and not a separate requirement. IMPA supports making
R2 and R3 one requirement and eliminating the current R3 requirement.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
In addition, R2 needs to be clarified when addressing an actual event. IMPA
recommends saying “an actual event that meets the criteria of Attachment 1.”
The DSR SDT has implemented your suggestion.
Requirement R2 now reads as: “Each Responsible Entity shall implement its event
reporting Operating Plan for applicable events listed in EOP-004 Attachment 1, and in
accordance with the timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
CenterPoint Energy
No
CenterPoint Energy believes the current R2 is unnecessary and duplicative. Upon
reporting events as required by R3, entities will be implementing the relevant parts
of their Operating Plan that address R1.1 and R1.2. This duplication is clear when
reading M2 and M3. Acceptable evidence is an event report. R2 should be modified
to remove this duplicative requirement.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
Orange and Rockland Utilities,
Inc./Consolidated Edison Co.
Of NY, Inc.
No
Comments:
o R1.3 should be revised as follows: A process for communicating
events listed in Attachment 1 to the Electric Reliability Organization, the Responsible
Entity’s Reliability Coordinator and the following as determined by the responsible
entity: ["appropriate" - deleted] [otherwise it is not clear who determines what
communication level is appropriate] o R1.4 should be revised as follows:
Provision(s) for updating the Operating Plan following ["within 90 calendar days of
any" - deleted] change in assets or personnel (if the Operating Plan specifies
personnel or assets) , ["other circumstances" - deleted] that may no longer align with
the Operating Plan; or incorporating lessons learned pursuant to Requirement R3.
o R1.5 should be deleted. Responsible Entities can determine the frequency of
Operating Plan updates. Requirement 1.4 requires updating the Operating Plan
within 90 calendar days for changes in “assets, personnel.... or incorporating lessons
learned”.
Requirement 1 has been updated and now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.
This requirement eliminates the need for Requirement 1.5 requiring a review of the
Operating Plan on an annual basis.
The test and review requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
Response: Thank you for your comment. Please see response above.
ISO New England
No
In accordance with the results-based standards concept, all that is required, for the
“what” is that company X reported on event Y in accordance with the reporting
requirements in attachment Z of the draft standard. Therefore, we proposed the
only requirement that is necessary is R3, which should be re-written to read..."Each
Responsible Entity shall report to address the events listed in Attachment 1."
Requirements 1 and 2 are the basis of the “what” you have described in your comment.
Whereas Attachment 1 contains a minimum list of events that apply to Requirement
1, this is why Requirement R2 was rewritten as: “R2. Each Responsible Entity shall
implement the Operating Plan that meets Requirement R1 for events listed in
Attachment 1.”
The DSR SDT was directed to incorporate certain items such as; FERC Order 693,
paragraph 466: “The Commission affirms the NOPR directive and directs the ERO to
incorporate a periodic review or updating of the sabotage reporting procedures and
for the periodic testing of the sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
SERC OC Standards Review
Group
No
It is confusing why R3 is not considered part of R2, which deals with implementation
of the Operating Plan and it appears that R3 could be interpreted as double
jeopardy. We suggest deleting R3.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement the Operating Plan that meets
Requirement R1 for events listed in Attachment 1.”
Response: Thank you for your comment. Please see response above.
Oncor Electric Delivery
Company LLC
No
NERC's Event Analysis Program tends to parallel many of the reporting requirements
as outlined in EOP-004 Version 2. Oncor recommends that NERC considers ways of
streamlining the reporting process by either incorporating the Event Analysis
obligations into EOP-004-2 or reducing the scope of the Event Analysis program as
currently designed to consist only of "exception" reporting.
The Event Analysis Program may use a reported event as a basis to analyze an event.
The reporting required in EOP-004-2 provides the input to the Events Analysis
Process. The processes of the Event Analysis Program fall outside the scope of this
project, but the DSR SDT has collaborated with them on events contained in
Attachment 1.
Response: Thank you for your comment. Please see response above.
NV Energy
No
On my read of the Standard, R2 and R3 appear to be duplicative, and I can't really
distinguish the difference between the two. The action required appears to be the
same for both requirements. Even the Measures for these two sound similar. It is
not clear to me what it means to "implement" other than to have evidence of the
existence and understanding of roles and responsibilities under the "Operating Plan."
I suggest elimination of R2 and inclusion of a line item in Measure 1 calling for
evidence of the existence of an "Operating Plan" including all the required elements
in R1.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2 Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
Northeast Power Coordinating
Council
No
R1.3 should be revised as follows: A process for communicating events listed in
Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and the following as determined by the responsible
entity:... Without this change it is not clear who determines what communication
level is appropriate.
Requirement 1, Part 1.3 (now Part 1.2) was updated per comments received.
1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.
R1.4 should be revised as follows: Provision(s) for updating the Operating Plan
following any change in assets or personnel (if the Operating Plan specifies personnel
or assets), that may no longer align with the Operating Plan; or incorporating lessons
learned pursuant to Requirement R3. R1.5 should be deleted. Responsible Entities
can determine the frequency of Operating Plan updates. Requirement 1.4 requires
updating the Operating Plan within 90 calendar days for changes in “assets,
personnel.... or incorporating lessons learned”, (or our preceding proposed revision).
Requirement 1, part 1.4 has been deleted and Requirement R2 has been updated to
read as: “R2. Each Responsible Entity shall implement its event reporting Operating
Plan for applicable events listed in EOP-004 Attachment 1, and in accordance with
the timeframe specified in EOP-004 Attachment 1.”
This requirement eliminates the need for Requirement 1.5 requiring a review of the
Operating Plan on an annual basis.
The only true requirement that is results-based, not administrative and is actually
required to support the Purpose of the Standard is R3.
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
Response: Thank you for your comment. Please see response above.
Illinois Municipal Electric
Agency
No
R2 is not necessary, and should be removed. Subrequirement R1.4 is also not
necessary and should be removed.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
Kansas City Power & Light
No
Requirement R1.1 is confusing regarding the “process for identifying events listed in
Attachment 1”. Considering Attachment 1, the Events Table, already identifies the
events required for reporting, please clearly describe in the requirement what the
“process” referred to in requirement R1.1 represents.
The DSR SDT has reviewed FERC Order 693 and paragraph 471 states: “…(2) specify
baseline requirement regarding what issues should be addressed in the procedures for
recognizing sabotage events and making personnel aware of such events…”
The DSR SDT has written Requirement 1, Part 1.1 to read as: “A process for recognizing
each of the events listed in EOP-004 Attachment 1”. An Applicable Entity may rely on
SCADA alarms as a process for recognizing an event or being made aware of an event
through a scheduled Facility check. The DSR SDT has not been overly prescriptive on
part 1.1 but has allowed each Applicable Entity to determine their own process for
recognizing events listed in Attachment 1.
Response: Thank you for your comment. Please see response above.
Luminant Power
No
Requirements R1, R2, and R4 are burdensome administrative requirements and are
contradictory to the NERC stated Standards Development goals of reducing
administrative requirements by moving to performance requirements.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Requirement R1, Part 1.3 (now Part 1.2) was revised to indicate that the Responsible
Entity is to define its process for reporting and with whom to report events. Part 1.2
now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
There is only one Requirement needed in this standard: “The Responsible Entity
shall report events in accordance with Attachment 1.” Attachment 1 should describe
how events should be reported by what Entity to which party within a defined
timeframe. If this requirement is met, all the other proposed requirements have no
benefit to the reliability of the Bulk Electric System. Per the NERC Standard
Development guidelines, only items that provide a reliability benefit should be
included in a standard.
The DSR SDT has updated Attachment 1 to a minimum threshold for Applicable Entities
to report contained events. Requirement R2 has been updated to reflect that
Applicable Entities shall implement their Operating Plan per Requirement 1 for events
listed in Attachment 1. Requirement R2 reads as: “R2. Each Responsible Entity shall
implement its event reporting Operating Plan for applicable events listed in EOP-004
Attachment 1, and in accordance with the timeframe specified in EOP-004
Attachment 1.”
Response: Thank you for your comment. Please see response above.
Xcel Energy
No
Suggest modifying R3 to indicate this is related to R1.3. Each Responsible Entity shall
report events to entities specified in R1.3 and as identified as appropriate in its
Operating Plan.
Requirement R3 called for reporting events in accordance with the Operating Plan.
The DSR SDT deleted Requirement R2 based on stakeholder comments and revised R3
(now R2):
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
Colorado Springs Utilities
No
The act of implementing the plan needs to include reporting events per R1, subrequirement 1.3. R2 should simply state something like, “Each Responsible Entity
shall implement the Operating Plan that meets the requirements of R1, as applicable,
for an actual event or as specified.” Suggest eliminating R3, which seems to create
double jeopardy effect.
Requirement R2 was updated to reflect comments received to read as: “R2. Each
Responsible Entity shall implement its event reporting Operating Plan for applicable
events listed in EOP-004 Attachment 1, and in accordance with the timeframe
specified in EOP-004 Attachment 1.” R3 was deleted.
Response: Thank you for your comment. Please see response above.
Intellibind
No
The language proposed is not clear and will continue to add confusion to entities
who are trying to meet these requirements. It is not clear that the drafting team can
put itself in the position of how the auditors will interpret and implement
compliance against the R2 requirement. Requirements should be written to stand
alone, not reference other requirements (or parts of the requirements). If the R1 parts
1.1, 1.2, 1.4 and 1.5 are so significant for this requirement, then they should be
rewritten in R2.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
Southern Company
No
These requirements as drafted in this revised standard potentially create a situation
where an entity could be deemed non-compliant for both R2 and R3. For example, if
a Responsible Entity included a reporting obligation in its Operating Plan, and failed
to report an event, the Responsible Entity could be deemed non-compliant for R2 for
not “implementing” its plan and for R3 for not reporting the event to the appropriate
entities. A potential solution to address this would be to add Requirement 1, Part
1.3 to Requirement 2 and remove Requirement 3 in its entirety.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
We also request clarification on Measure M3. Which records should have “dated
and time-stamped transmittal records to show that the event was reported”? Some
of the communication is handled via face-to-face conversation or through telephone
conversation.
Measurement 3 has been deleted since Requirement 3 has been deleted. The new
Measurement 2 allows for “…or other documentation”. This may be in any form that
the Applicable Entity wishes to maintain that they met Requirement 2. The Electric
Reliability Organization does allow “Attestations” along with voice recordings as
proof of compliance.
Response: Thank you for your comment. Please see response above.
Independent Electricity
System Operator
No
We agree with the revision to R2 and R3, but assess that a requirement to enforce
implementation of Part 1.3 in Requirement R1 is missing. Part 1.3 in Requirement R1
stipulates that:
1.3. A process for communicating events listed in Attachment 1 to the
Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator and
the following as appropriate:
o Internal company personnel
o The Responsible Entity’s Regional Entity
o Law enforcement
o Governmental or provincial agencies
The implementation of Part 1.3 is not enforced by R2 or R3 or any other
Requirements in the standard. Suggest to add another requirement or expand
Requirement R4 (and M4) to require the implementation of this Part in addition to
verifying the process.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Requirement 1 has been updated and now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1 A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.
Response: Thank you for your comment. Please see response above.
Independent Electricity
System Operator
Affirmative
The IESO believes that a requirement to enforce implementation of Part 1.3 in
Requirement R1 is missing. Part 1.3 in Requirement R1 stipulates that:
1.3. A process for communicating events listed in Attachment 1 to the Electric Reliability
Organization, the Responsible Entity’s Reliability Coordinator and the following as
appropriate:
o Internal company personnel
o The Responsible Entity’s Regional Entity
o Law enforcement
o Governmental or provincial agencies
The implementation of Part 1.3 is not enforced by R2 or R3 or any other Requirements in
the standard. The IESO suggests that another requirement be added or Requirement
R4 (and M4) be expanded to require the implementation of this Part in addition to
verifying the process.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Requirement 1 has been updated and now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1 A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.
Response: Thank you for your comment. Please see response above.
Bonneville Power
Administration
Yes
BPA believes the measures for R2 are unclear since they are similar to R3’s reporting
measures.
Response: Thank you for your comment. The SDT has revised the standard to have a single implementation requirement with a
single associated measure.
Compliance & Responsibility
Office
Yes
See comments in response to Question 4.
Response: Thank you for your comment. See response to Question 4.
Constellation Energy on
behalf of Baltimore Gas &
Electric, Constellation Power
Generation, Constellation
Energy Commodities Group,
Constellation Control and
Dispatch, Constellation
NewEnergy and Constellation
Energy Nuclear Group.
Yes
While we support the delineation of the different activities associated with
implementation and reporting, further clarification would be helpful. R1. 1.3: As
currently written, it is somewhat confusing, in particular the use of the qualifier “as
appropriate”.
The DSR SDT has updated Requirement 1, Part 1.2 to read as: “A process for
communicating each of the applicable events listed in EOP-004 Attachment 1 in
accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator;
law enforcement governmental or provincial agencies.”
In addition, the use of the word “communicating” to capture both reporting to
reliability authorities and notifying others may leave the requirement open to
question. Below is a proposed revision:
1.3 A process for reporting events listed in
Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and for communicating to others as defined in the
Responsible Entity’s Operating Plan, such as:
o Internal company personnel
o The Responsible Entity’s Regional Entity
o Law Enforcement
o Government or provincial agencies
R1, 1.4: the last phrase of the requirements seems to be leftover from an
earlier version. The requirement should end after the word “Plan”.
R1, 1.5: “Process”
should not be capitalized. While we understand the intent of the draft language and
appreciate the effort to streamline the requirements, we propose an adjusted
delineation below that we feel tracks more cleanly to the structure of a compliance
program. Proposed revised language:
R2. Each Responsible Entity shall implement its
Operating Plan to meet Requirement R1, parts 1.1 and 1.2 for an actual event(s).
M2. Responsible Entities shall provide evidence that it implemented its Operating Plan to
meet Requirement R1, Parts 1.1 and 1.2 for an actual event.
The DSR SDT has updated Requirement 1, Part 1.2 to read as: “A process for
communicating each of the applicable events listed in EOP-004 Attachment 1 in
accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator;
law enforcement governmental or provincial agencies.”
The Applicable Entity’s Operating Plan is to contain the process for reporting events
listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and for communicating to others as defined in the Responsible
Entity’s Operating Plan. All events in Attachment 1 are required to be reported to the
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator.
The Operating Plan may include: internal company personnel, your Regional Entity, law
enforcement, and governmental or provisional agencies, as you identify within your
Operating Plan. This gives you the flexibility to tailor your Operating Plan to fit your
company’s needs and wants.
DSR SDT has revised R2. Each Responsible Entity shall implement its event reporting
Operating Plan for applicable events listed in EOP-004 Attachment 1, and in
accordance with the timeframe specified in EOP-004 Attachment 1.
DSR SDT has revised M2. “Each Responsible Entity will have, for each event
experienced, a dated copy of the completed EOP-004 Attachment 2 form or DOE form
OE-417 report submitted for that event; and dated and time-stamped transmittal
records to show that the event was reported supplemented by operator logs or other
operating documentation. Other forms of evidence may include, but are not limited to,
dated and time stamped voice recordings and operating logs or other operating
documentation for situations where filing a written report was not possible.
Evidence may include, but is not limited to, a submitted event report form
(Attachment 2) or a submitted OE-417 report, operator logs, or voice recording.
R3. Each Responsible Entity shall implement its Operating Plan to meet Requirement R1,
parts 1.4 and 1.5.
M3. Responsible Entities shall provide evidence that it
implemented its Operating Plan to meet Requirement R1, Parts 1.4 and 1.5. Evidence
may include, but is not limited to, dated documentation of review and update of the
Operating Plan.
R4. Each Responsible Entity shall verify (through implementation for an actual event,
or through a drill, exercise or table top exercise) the communication process in its
Operating Plan, created pursuant to Requirement 1, Part 1.3, at least annually (once
per calendar year), with no more than 15 calendar months between verification.
M4. The Responsible Entity shall provide evidence that it verified the communication
process in its Operating Plan for events created pursuant to Requirement R1, Part
1.3. Either implementation of the communication process as documented in its
Operating Plan for an actual event or documented evidence of a drill, exercise, or
table top exercise may be used as evidence to meet this requirement. The time
period between verification shall be no more than 15 months. Evidence may include,
but is not limited to, operator logs, voice recordings, or dated documentation of a
verification.
Requirement 4 (now R3) was revised as:
R3. Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2.
[Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
M3. Each Responsible Entity will have dated and time-stamped records to show that
the annual test of Part 1.2 was conducted. Such evidence may include, but are not
limited to, dated and time stamped voice recordings and operating logs or other
communication documentation. The annual test requirement is considered to be
met if the responsible entity implements the communications process in Part 1.2
for an actual event. (R3)
Response: Thank you for your comment. Please see response above.
Exelon
Yes
Why is the reference to R1.3 missing from EOP-004-2 Requirement R2?
R1.3 was associated with implementation in R3 which was removed from the
standard. DSR SDT has revised R2 to read as: “Each Responsible Entity shall
implement its event reporting Operating Plan for applicable events listed in EOP-004
Attachment 1, and in accordance with the timeframe specified in EOP-004
Attachment 1.”
Response: Thank you for your comment. Please see response above.
Pacific Northwest Small Public
Power Utility Comment Group
Yes
Southwest Power Pool
Regional Entity
Yes
BC Hydro
Yes
ZGlobal on behalf of City of
Ukiah, Alameda Municipal
Power, Salmen River Electric,
City of Lodi
Yes
MRO NSRF
Yes
Western Electricity
Coordinating Council
Yes
Imperial Irrigation District
Yes
Santee Cooper
Yes
Sacramento Municipal Utility
District (SMUD)
Yes
SPP Standards Review Group
Yes
Dominion
Yes
FirstEnergy
Yes
PPL Electric Utilities and PPL
Supply Organizations
Yes
Electric Compliance
Yes
PacifiCorp
Yes
Arizona Public Service
Company
Yes
Salt River Project
Yes
Westar Energy
Yes
APX Power Markets (NCR11034)
Yes
Clallam County PUD No.1
Yes
ITC
Yes
Springfield Utility Board
Yes
Manitoba Hydro
Yes
Duke Energy
Yes
Liberty Electric Power
Yes
Public Utility District No. 1 of
Snohomish County
Yes
South Carolina Electric and
Gas
Yes
American Transmission
Company, LLC
Yes
Nebraska Public Power
District
Yes
Seattle City Light
Yes
PSEG
Yes
MidAmerican Energy
Yes
Georgia System Operations
Corporation
Yes
FEUS
Yes
Lower Colorado River
Authority
Yes
American Public Power
Association
Yes
Northeast Utilities
Yes
City of Austin dba Austin
Energy
Yes
Energy Northwest - Columbia
Yes
Electric Reliability Council of
Texas, Inc.
Yes
R2 and R3 appear redundant.
Progress Energy
Los Angeles Department of
Water and Power
Texas Reliability Entity
ReliabilityFirst
NRECA
Entergy Services
Thompson Coburn LLP on
behalf of Miss. Delta Energy
Agency
Southwestern Power
Administration
3. The DSR SDT revised reporting times for many events listed in Attachment 1 from one hour to 24 hours. Do you agree with
these revisions? If not, please explain in the comment area below.
Summary Consideration: The DSR SDT appreciates the industry comments on the difficulty associated with reporting events that
impact reliability. However, the SDT desires to point out that it is not the objective of this standard to provide an analysis of the
event; but to provide the known facts of the events at the reporting threshold of one hour or 24 hours depending upon the type of
event. The SDT worked with the DOE and the NERC EAWG to develop reporting timelines consistent between the parties in an effort
to promote consistency and uniformity.
The SDT has not established any requirement for a final or follow up report. The obligation is to report the facts known at the time.
Once the report has been provided to the parties identified in the Operating Plan, no further action is required. All one hour
reporting timelines have been changed to 24 hours with the exception of a ‘Reportable Cyber Security Incident’. This is maintained
due to FERC Order 706, Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact appropriate government authorities and
industry participants in the event of a cyber security incident as soon as possible, but in any event, within one hour of the
event…”
For the remaining events, 24 hours should provide sufficient time to manage the incident in real-time before having to report, and is
consistent with current in-force standard EOP-004-1.
Organization
Yes or No
Question 3 Comment
Ameren Services
Negative
(6) By our count there are still six of the nineteen events listed with a one hour
reporting requirement and the rest are all within 24 hour after the occurrence (or
recognition of the event). This in our opinion, is reporting in real-time, which is
against one of the key concepts listed in the background section: "The DSR SDT
wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in Attachment 1. Real-time reporting is
achieved through the RCIS and is covered in other standards (e.g. the TOP family of
standards). The proposed standard deals exclusively with after-the-fact reporting."
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
(7) We believe the earliest preliminary report required in this standard should be at the
close of the next business day. Operating Entities, such as the RC, BA, TOP, GOP, DP,
and LSE should not be burdened with unnecessary after-the-fact reporting while they
are addressing real-time operating conditions. Entities should have the ability to
allow their support staff to perform this function during the next business day as
needed. We acknowledge it would not be an undue burden to cc: NERC on other
required governmental reports with shorter reporting timeframes, but NERC should
not expand on this practice.
No preliminary report is required within the revised standard. Also, timelines have
been revised (Please see response to item (6) above).
(8) We agree with the extension in reporting times for events that now have 24 hours
of reporting time. As a GO there are still too many potential events that still require a
1 hour reporting time that is impractical, unrealistic and could lead to inappropriate
escalation of normal failures. For example, the sudden loss of several control room
display screens for a BES generator at 2 AM in the morning, with only 1 hour to
report something, might be mistakenly interpreted as a cyber-attack. The reality is
most likely something far more mundane such as the unexpected failure of an
instrument transformer, critical circuit board, etc.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
(9) The "EOP-004 Attachment 1: Events Table" is quite lengthy and written in a
manner that can be quite subjective in interpretation when determining if an event is
reportable. We believe this table should be clear and unambiguous for consistent
and repeatable application by both reliability entities and a CEA. The table should be
divided into sections such as:
(a) Events that affect the BES that are either clearly
sabotage or suspected sabotage after review by an entity's security department and
local/state/federal law enforcement.
(b) Events that pose a risk to the BES and that
clearly reach a defined threshold, such as load loss, generation loss, public appeal,
EEAs, etc. that entities are required to report by the end of the next business day.
(c) Other events that may prove valuable for lessons learned, but are less definitive than
required reporting events. These events should be reported voluntarily and not be
subject to a CEA for non-reporting.
(d) Events identified through other means outside
of entity reporting, but due to their nature, could benefit the industry by an event
report with lessons learned. Requests to report and perform analysis on these type
of events should be vetted through an ERO/Functional Entity process to ensure
resources provided to this effort have an effective reliability benefit.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system
phenomena are essential as they effectively translate the intent of CIP-001 into EOP-004.
(10) Any event reporting shall not in any manner replace or inhibit an Entity's
responsibility to coordinate with other Reliability Entities (such as the RC, TOP, BA,
GOP as appropriate) as required by other Standards, and good utility practice to
operate the electric system in a safe and reliable manner.
The DSR SDT agrees and believes the revised reporting timelines support that
concept.
(11) The 1 hour reporting maximum time limit for all GO events in Attachment 1
should be lengthened to something reasonable - at least 24 hours. Operators in our
energy centers are well-trained and if they have good reason to suspect an event
that might have serious impact on the BES will contact the TOP quickly. However,
constantly reporting events that turn out to have no serious BES impact and were
only reported for fear of a violation or self-report will quickly result in a cry wolf
syndrome and a great waste of resources and risk to the GO and the BES. The risk to
the GO will be potential fines, and the risk to the BES will be ignoring events that
truly have an impact of the BES.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
(12) The 2nd and 3rd Events on Attachment 1 should be reworded so they do not use
terms that may have been deleted from the NERC Glossary by the time FERC
approves this Standard.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
(13) The terms “destruction” and “damage” are key to identifying reportable events.
Neither has been defined in the Standard. The term destruction is usually defined as
100% unusable. However, the term damage can be anywhere from 1% to 99%
unusable and take anywhere from 5 minutes to 5 months to repair. How will we
know what the SDT intended, or an auditor will expect, without additional
information?
The ‘Damage or Destruction’ event category has been revised to say ‘…to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
(14) We also do not understand why “destruction of BES equipment” (first item
Attachment 1, first page) must be reported < 1 hour, but “system separation
(islanding) > 100 MW” (Attachment 1, page 3) does not need to be reported for 24
hours.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
(15) The first 2 Events in Attachment 1 list criteria Threshold for Reporting as
“...operational error, equipment failure, external cause, or intentional or
unintentional human action.” The term “intentional or unintentional human action”
appears to cover “operational error” so these terms appear redundant and create
risk of misreporting. Can this be clarified?
The second event has been deleted and the language has been clarified in the
‘Threshold for Reporting’ column in the ‘Damage or Destruction’ event category. The
updated Threshold for Reporting now reads as:
“Damage or destruction of a Facility that:
• Affects an IROL (per FAC-014)
OR
• Results in the need for actions to avoid an Adverse Reliability Impact
OR
• Results from intentional human action.”
(16) The footnote of the first page of Attachment 1 includes the explanation “...ii)
Significantly affects the reliability margin of the system...” However, the GO is
prevented from seeing the system and has no idea what BES equipment can affect
the reliability margin of the system. Can this be clarified by the SDT?
The footnote has been deleted and relevant information moved to the ‘Threshold for
Reporting’ column in the ‘Damage or Destruction’ event category.
(17) The use of the term “BES equipment” is problematic for a GO. NERC Team 2010-17
(BES Definition) has told the industry its next work phase will include identify
The term “BES equipment” is no longer used. The ‘Damage or Destruction’ event
category has been revised to say ‘to a Facility’, (a defined term) and thresholds have
been modified to provide clarity.
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
Response: Thank you for your comment. Please see response above.
Beaches Energy Services, City
of Green Cove Springs
Negative
3. Att. 1, going from 1 to 24 hrs: The times don’t seem aggressive enough for some of
the Events related to generation capacity shortages, e.g., we would think public
appeal, system wide voltage reduction and manual firm load shedding ought to be
within an hour. These are indicators that the BES is “on the edge” and to help BES
reliability, communication of this status is important to Interconnection-wide
reliability.
This standard concerns after-the-fact reporting. It is assumed that Responsible
Entities will make appropriate real-time notifications as per other applicable
standards, operating agreements, and good utility practice. This standard does not
preclude a Responsible Entity from reporting more quickly than required by
Attachment 1.
4. The Rules of Procedure language for data retention (first paragraph of the
Evidence Retention section) should not be included in the standard, but instead
referred to within the standard (e.g., “Refer to Rules of Procedure, Appendix 4C:
Compliance Monitoring and Enforcement Program, Section 3.1.4.2 for more
retention requirements”) so that changes to the RoP do not necessitate changes to
the standard.
The DSR SDT believes that although the evidence retention language is the same as
the current RoP, it is not specifically linked, so changes to the RoP will not necessitate
changes to the standard.
In R4, it might be worth clarifying that, in this case, implementation of the plan for an
event that does not meet the criteria of Attachment 1 and going beyond the
requirements R2 and R3 could be used as evidence. Consider adding a phrase as such
to M4, or a descriptive footnote that in this case, “actual event” may not be limited
to those in Attachment 1.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Comments to Attachment 1 table: On “Damage or destruction of Critical Asset” and
“... Critical Cyber Asset”, Version 5 of the CIP standards is moving away from the
binary critical/non-critical paradigm to a high/medium/low risk paradigm. Suggest
adding description that if version 5 is approved by FERC, that “critical” would be
replaced with “high or medium risk”, or include changing this standard to the scope
of the CIP SDT, or consider posting multiple versions of this standard depending on
the outcome of CIP v5 in a similar fashion to how FAC-003 was posted as part of the
GO/TO effort of Project 2010-07.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
On “forced intrusion”, the phrase “at BES facility” is open to interpretation as “BES
Facility” (e.g., controversy surrounding CAN-0016) which would exclude control
centers and other critical/high/medium cyber system Physical Security Perimeters
(PSPs). We suggest changing this to “BES Facility or the PSP or Defined Physical
Boundary of critical/high/medium cyber assets”. This change would cause a change
to the applicability of this reportable event to coincide with CIP standard
applicability. On “Risk to BES equipment”, that phrase is open to too wide a range of
interpretation; we suggest adding the word “imminent” in front of it, i.e., “Imminent
risk to BES equipment”. For instance, heavy thermal loading puts equipment at risk,
but not imminent risk. Also, “non-environmental” used as the threshold criteria is
ambiguous. For instance, the example in the footnote, if the BES equipment is near
railroad tracks, then trains getting derailed can be interpreted as part of that BES
equipment’s “environment”, defined in Webster’s as “the circumstances, objects, or
conditions by which one is surrounded”. It seems that the SDT really means “non-weather related”, or “Not risks due to Acts of Nature”.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
On “public appeal”, in the threshold, the descriptor “each” should be deleted, e.g., if
a single event causes an entity to be short of capacity, do you really want that entity
reporting each time they issue an appeal via different types of media, e.g., radio, TV,
etc., or for a repeat appeal every several minutes for the same event?
To clarify your point, the threshold has been changed to ‘Public appeal or load
reduction event’.
Should LSE be an applicable entity to “loss of firm load”? As proposed, the DP is but
the LSE is not. In an RTO market, will a DP know what is firm and what is non-firm
load? Suggest eliminating DP from the applicability of “system separation”. The
system separation we care about is separation of one part of the BES from another
which would not involve a DP.
The DSR SDT believes the current applicability is correct and the threshold provides
sufficient discrimination to drive the proper Applicable Entities to report.
On “Unplanned Control Center Evacuation”, CIP v5 might add GOP to the
applicability, another reason to add revision of EOP-004-2 to the scope of the CIP v5
drafting team, or in other ways coordinate this SDT with that SDT. Consider posting a
couple of versions of the standard depending on the outcome of CIP v5 in a similar
fashion to the multiple versions of FAC-003 posted with the GO/TO effort of Project
2010-07.
The DSR SDT believes the current applicability is correct. The ‘Damage or Destruction’
events specifically relating to Critical Assets and Critical Cyber Assets were removed
from Attachment 1, as these events are adequately addressed through the CIP-008
and ‘Damage or Destruction of a Facility’ reporting thresholds. Note that EOP-008-0
is only Applicable to Balancing Authorities, Transmission Operators and Reliability
Coordinators; this is the basis for the “Entity with reporting Responsibilities” and
reads as: “Each RC, BA, TOP that experiences the event”.
Response: Thank you for your comment. Please see response above.
Arkansas Electric Cooperative
Corporation
Negative
AECC appreciates the efforts of the SDT to address our comments from the previous
posting and feels the Standards have shown great improvement in the current
posting. Our negative vote stems from concerns around the 1 hour reporting
requirements for events having no size thresholds and ambiguity for external entity
reporting in R1.3. Please refer to the comments submitted by the SPP Standards
Review Group.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
PowerSouth Energy
Cooperative
Negative
Attachment 1 needs to be eliminated. It is confusing to operators and doesn't
enhance the reliability of the BES.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
Clark Public Utilities
Negative
Attachment 1 provides confusion not clarification. Just use the OE-417 reporting
form for any and all events identified in that form for any one-hour or six-hour
reporting. Utilities are required by law to provide the DOE notification and the SDT
has just confused the situation by attempting (as it appears) to rename the one-hour
reporting events. In some instances, Attachment 1 contradicts the DOE reporting.
Public appeals for load reduction are required within 24 hours (according to the
Events Table) but OE-417 requires such public appeals to be reported within one
hour.
Clark recommends the Events Table show first the one hour reporting of OE-417,
then the six hour reporting of OE-417, and finally any additional reporting that is
desired but not reportable to DOE. This will help in not confusing seemingly related
events. The table should indicate which form is to be used and should mandate Form
OE-417 for all DOE reportable events and the Attachment 2: Event Reporting Form
for all reportable events not subject to the DOE reporting requirements.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Clark questions whether the event labeled Forced Intrusion really needs to be
reported in one hour. It can take several hours to determine if a forced entry actually
occurred. Clark is also unsure if reporting forced intrusions at these facilities (if no
other disturbance occurs) will provide any information useful in preventing system
disturbances but believes this event should be changed to a 24 hour notification.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
The event labeled Detection of a reportable Cyber Security Incident should have the
Entity with Reporting Responsibility changed to the following: “Applicable Entities
under CIP-008.” The Threshold for Reporting on this event is based on the criteria in
CIP-008. If an entity is not an applicable entity under CIP-008, it should not have a
reporting requirement based on CIP-008 that appears in EOP-004.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
City of Farmington
Negative
Attachment 1: BES equipment is too vague - consider changing to BES facility and
including that reduces the reliability of the BES in the footnote. Is the footnote an
and or an or?
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
Attachment 1: Version 5 of CIP Requirements the use of the terms Critical Asset and
Critical Cyber Asset. The drafting team should consider revising the table to be
flexible so it will not require modification when new versions of CIP become
effective. Clarify if Damage or Destruction is physical damage (aka - cyber incidents
would be part of CIP-008 covered separately in Attachment 1.)
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Attachment 1: Unplanned Control Center evacuation - remove “potential” from the
reporting responsibility Attachment 1:
The ‘potential’ language has been removed. The threshold for Reporting now reads
as: “Each RC, BA, TOP that experiences the event”.
SOL Tv - is not defined.
The SOL Violation (WECC only) event has been revised to remove Tv and replace it
with “30 minutes” to be consistent with TOP-007-WECC requirements. The event has
also been revised to indicate an SOL associated with a Major WECC transfer path.
Attachment 2 - 3: change to, “Did the event originate in your system?” The
requirement only requires reporting for Events - not potential events. This implies if
there is potential for an event to occur, the entity should report (potential of a public
appeal or potential to shed firm load)
The ‘actual or potential’ language has been removed.
Attachment 2 4: “Damage or Destruction to BES equipment” should be “Destruction
of BES Equipment” like it is in Attachment 1 and “forced intrusion risk to BES
equipment” remove “risk”
The ‘Damage or Destruction’ event category has been revised to say ‘…to a Facility’,
(a defined term) and thresholds have been modified to provide clarity. Also, the
reporting timeline is now 24 hours.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
The OE-417 requires several of the events listed in Attachment 1 be reported within
1 hour. FEUS recommends the drafting team review the events and the OE-417 form
and align the reporting window requirements. For example, public appeals, load
shedding, and system separation have a 1 hour requirement in OE-417.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
Wisconsin Public Service Corp.
Negative
EOP-004 Attachment 1 states: That any Damage or destruction of a Critical Cyber
Asset per CIP-002 Applicable Entities under CIP-002 Through intentional or
unintentional human action. Requires reporting in 1 hour of recognition of event.
This is too low of a threshold for reporting. Unintentional damage could be caused by
an individual spilling coffee on a laptop. Hardly the item for a report.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
ACES Power Marketing,
Hoosier Energy Rural Electric
Cooperative, Inc., Sunflower
Electric Power Corporation,
Great River Energy
Negative
For many of the events listed in Attachment 1, there would be duplicate reporting
the way it is written right now. For example, in the case of a fire in a substation
(Destruction of BES equipment), the RC, BA, TO, TOP and perhaps the GO and GOP
could all experience the event and each would have to report on it. This seems quite
excessive and redundant. We recommend eliminating this duplicate reporting.
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
Response: Thank you for your comment. Please see response above.
Consumers Energy
Negative
Forced intrusion needs to be specifically defined. A 1-hour report requirement is not
necessary but for critical events that would have wide-ranging impact.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Requirements 2 and 3 should be combined into a single requirement.
The DSR SDT deleted Requirement R2 based on stakeholder comments and revised R3
(now R2) to:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan
for applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
MidAmerican Energy Co.
Negative
MidAmerican Energy believes Attachment 1 expands the scope of what must be
reported beyond what is required by FERC directives and beyond what is needed to
improve security of the BES. Based on our understanding of Attachment 1, the
category of “damage or destruction of a critical cyber asset” will likely result in
hundreds or thousands of small equipment failures being reported to NERC and DOE,
with no improvement to security. For example, hard drive failures, server failures,
PLC failures and relay failures could all meet the criteria of “damage or destruction of
a critical cyber asset.” which would be required reporting in 1 hour.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
EOP-004-2 needs to clearly state that initial reports can be made by a phone call,
email or another method, in accordance with paragraph 674 of FERC Order 706.
MidAmerican recommends replacing Attachment 1 and Attachment 2 with the
categories and timeframes that are listed in OE-417. This eliminates confusion
between government requirements in OE-417 and NERC standards.
Attachment 1 provides the flexibility to make a verbal report. The header of
Attachment 1 states:
“NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may
not be possible to report the damage caused by an event and issue a written Event
Report within the timing in the table below. In such cases, the affected Responsible
Entity shall notify parties per R1 and provide as much information as is available at the
time of the notification. Reports to the ERO should be submitted to one of the
following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.”
Attachment 2 provides the flexibility to make a verbal report. The header of
Attachment 2 states:
“This form is to be used to report events. The Electric Reliability Organization and the
Responsible Entity’s Reliability Coordinator will accept the DOE OE-417 form in lieu of
this form if the entity is required to submit an OE-417 report. Reports to the ERO
should be submitted via one of the following: e-mail: esisac@nerc.com, Facsimile:
609-452-9550, voice: 609-452-1422.”
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
MidAmerican Energy Co.
Negative
MidAmerican Energy believes Attachment 1 expands the scope of what must be
reported beyond what is required by FERC directives and beyond what is needed to
improve security of the BES. EOP-004-2 needs to clearly state that initial reports can
be made by a phone call, email or another method, in accordance with paragraph
674 of FERC Order 706. MidAmerican recommends replacing Attachment 1 and
Attachment 2 with the categories and timeframes that are listed in OE-417. This
eliminates confusion between government requirements in OE-417 and NERC
standards.
Attachment 1 provides the flexibility to make a verbal report. The header of
Attachment 1 states:
“NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may
not be possible to report the damage caused by an event and issue a written Event
Report within the timing in the table below. In such cases, the affected Responsible
Entity shall notify parties per R1 and provide as much information as is available at the
time of the notification. Reports to the ERO should be submitted to one of the
following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.”
Attachment 2 provides the flexibility to make a verbal report. The header of
Attachment 2 states:
“This form is to be used to report events. The Electric Reliability Organization and the
Responsible Entity’s Reliability Coordinator will accept the DOE OE-417 form in lieu of
this form if the entity is required to submit an OE-417 report. Reports to the ERO
should be submitted via one of the following: e-mail: esisac@nerc.com, Facsimile:
609-452-9550, voice: 609-452-1422.”
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
Seattle City Light
Negative
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting
efforts related to both the proposed Bulk Electric System ("BES") definition changes,
as well as the CIP standards Version 5, could significantly impact the EOP-004-2
reporting requirements. Caution needs to be exercised when referencing these
definitions, as the definitions of a BES element could change significantly and Critical
Assets may no longer exist. As it relates to the proposed reporting criteria, it is
debatable as to whether or not the destruction of, for example, one relay would be a
reportable incident under this definition going forward given the current drafting
team efforts.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Related to “Reportable Events” of Attachment 1: 1. A reportable event is stated as,
“Risk to the BES”, the threshold for reporting is, “From a non-environmental physical
threat”. This appears to be a catch-all event, and basically every other event in
Attachment 1 should be reported because it is a risk to the BES. Due to the
subjectivity of this event, suggest removing it from the list.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
2. A reportable event is stated as, “Damage or destruction of Critical Asset per CIP-002”. The term “Damage” would have to be defined in order for an entity to
determine a threshold for what qualifies as “Damage” to a CA. One could argue that
normal “Damage” can occur on a CA that is not necessary to report. There should also
be caution here in adding CIP interpretation within this standard. Reporting
Thresholds 1.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
The SDT made attempts to limit nuisance reporting related to copper thefts and so
on which is supported. However a number of the thresholds identified in EOP-004-2
Attachment 1 are very low and could congest the reporting process with nuisance
reporting and reviewing. An example is the “BES Emergency requiring manual firm
load shedding of greater than or equal to 100 MW or the Loss of Firm load for ≥ 15
Minutes that is greater than or equal to 200 MW (300 MW if the manual demand is
greater than 3000 MW). In many cases these low thresholds represent reporting of
minor wind events or other seasonal system issues on Local Network used to provide
distribution service.
These thresholds reflect those used in the current in-force EOP-004-1, and haven’t
congested the reporting process to date.
Firm Demand 1. The use of Firm Demand in the context of the draft Standards could
be used to describe commercial arrangements with a customer rather than a
reliability issue. Clarification of Firm Demand would be helpful
The DSR SDT did not use the words ‘Firm Demand’ anywhere in the proposed
standard.
Response: Thank you for your comment. Please see response above.
Constellation Energy;
Constellation Energy
Commodities Group;
Constellation Power Source
Generation, Inc.
Negative
Please see the comments offered in the concurrent comment form. While
Constellation is voting negative on this ballot, we recognize the progress made by
the drafting team and find the proposal very close to acceptable. It should be noted
that our negative vote is due to remaining concerns with the Attachment 1: Event
Table categories language. In the comment form Constellation proposes revisions to
both the requirement language and to the Event Table language; however, the Event
Table language is the greater hurdle.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Salt River Project
Negative
Related to “Reportable Events” of Attachment 1: 1. A reportable event is stated as,
“Risk to the BES”, the threshold for reporting is, “From a non-environmental physical
threat”. This appears to be a catch-all event, and basically every other event
should be reported because it is a risk to the BES. Due to the subjectivity of this
event, suggest removing it from the list.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
2. A reportable event is stated as, “Damage or destruction of Critical Asset per CIP-002”. The term “Damage” would have to be defined in order for an entity to
determine a threshold for what qualifies as “Damage” to a CA. One could argue that
normal “Damage” can occur on a CA that is not necessary to report. There should
also be caution here in adding CIP interpretation within this standard.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
Southern California Edison Co.
Negative
SCE and WECC are in agreement on one key point (removing the requirement to
determine if an act was "sabotage"), however, I continue to believe SCE will find the
one-hour reporting requirement difficult to manage.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
City of Redding
Negative
The following comments are directed toward Attachment 1: We commend the SDT
for properly addressing the sabotage issue. However, additional confusion is caused
by introducing term "damage". As “damage” is not a defined term it would be
beneficial for the drafting team to provide clarification for what is meant by
“damage”.
The ‘Damage or Destruction’ event category has been revised to say ‘…to a Facility’,
(a defined term) and thresholds have been modified to provide clarity. Also, the
reporting timeline is now 24 hours.
The threshold for reporting “Each public Appeal for load reduction” should clearly
state the triggering is for the BES Emergency as routine “public appeal” for
conservation could be considered a threshold for the report triggering.
The DSR SDT believes the current language of the event category ‘BES Emergency...’
clearly excludes routine conservation requests. The Threshold for Reporting has been
updated to read as: “Public appeal for load reduction event”.
Regarding the SOL violations in Attachment 1 the SOL violations should only be those
that affect the WECC Paths.
The SOL Violation (WECC only) event has been revised to remove Tv and replace it
with “30 minutes” to be consistent with TOP-007-WECC requirements. The event is
now “SOL for Major WECC Transfer Paths (WECC only)”.
Response: Thank you for your comment. Please see response above.
Avista Corp.
Negative
The VSLs associated with not reporting in an hour for some of the events
(Destruction of BES Equipment) is too severe. Operators need to be able to deal with
events and not worry about reporting until the system is secure. Back office
personnel are only available 40-50 hours per week, so the reporting burden falls on
the Operator.
The DSR SDT believes the VSL is appropriate for the only remaining 1 hour event.
Response: Thank you for your comment. Please see response above.
Avista Corp.
Negative
There is definitely a need to communicate and report out system events to NERC,
RCs, and adjacent utilities. However, this new standard has gone too far with regards
to reporting of certain events within a 1 hour timeframe and the associated VSLs for
going beyond the hour time period. Operators need to be able to deal with the
system events and not worry about reporting out for the “Destruction of BES
equipment” (first row in Attachment 1 - Reportable Events). Operators only have 40-50 hours out of 168 hours in a week where supporting personnel are also on shift, so
this reporting burden will usually fall on the Operators not back office support. Again
this is another example of the documentation requirements of a standard being
more important than actually operating the system.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
The “Destruction of BES equipment” event is too ambiguous and will lead to
interpretations by auditors to determine violations. The ambiguity will also lead to
the reporting of all BES equipment outages to avoid potential violations of the
standard. It usually takes more than an hour to determine the cause and extent of an
outage.
The ‘Damage or Destruction’ event category has been revised to say ‘…to a Facility’,
(a defined term) and thresholds have been modified to provide clarity. Also, the
reporting timeline is now 24 hours.
Response: Thank you for your comment. Please see response above.
National Association of
Regulatory Utility
Commissioners
Negative
The requirement that any event with the potential to impact reliability be reported is
overly broad and requires more focus.
‘Forced intrusion’ and ‘Risk to BES Equipment’ (which this footnote referenced) have
been combined under a new event type called ‘A physical threat that could impact
the operability of a Facility’. Using judgment is unavoidable for this type of event. This
language was chosen because the Responsible Entity is in the best position to exercise
this judgment and determine whether or not an event poses a threat to its Facilities.
The DSR SDT believes this revised event type will minimize administrative burden and
ensure that events meaningful to industry awareness are reported. Note that the
reporting timeline (now revised to 24 hours) starts when the situation has been
determined as a threat, not when it may have first occurred.
Response: Thank you for your comment. Please see response above.
Alameda Municipal Power,
Salmon River Electric
Cooperative
Negative
We feel that the drafting team has done an excellent job of providing clarity and
reasonable reporting requirements to the right functional entity. We support the
modifications but would like to have two additional minor modifications in order to
provide additional clarification to the Attachment I Event Table. We suggest the
following clarifications: For the Event: BES Emergency resulting in automatic firm
load shedding Modify the Entity with Reporting Responsibility to: Each DP or TOP
that experiences the automatic load shedding within their respective distribution
serving or Transmission Operating area.
The DSR SDT believes the current language is sufficient and cannot envision how a
BA, TOP, or DP could ‘experience the automatic load shedding’ if it didn’t take place
in its balancing, transmission operating, or distribution serving area.
For the Event: Loss of Firm load for ≥ 15 Minutes Modify the Entity with Reporting
Responsibility to: Each BA, TOP, DP that experiences the loss of firm load within their
respective balancing, Transmission operating, or distribution serving area. With
these modifications or similar modifications we fully support the proposed Standard.
The DSR SDT believes the current language is sufficient and cannot envision how a
BA, TOP, or DP could ‘experience the loss of firm load’ if it didn’t take place in its
balancing, transmission operating, or distribution serving area.
Response: Thank you for your comment. Please see response above.
Orange and Rockland Utilities,
Inc.
No
o Generally speaking the SDT should work with the NERC team drafting the Events
Analysis Process (EAP) to ensure that the reporting events align and use the same
descriptive language.
o EOP-004 should use the exact same events as OE-417.
These could be considered a baseline set of reportable events. If the SDT believes
that there is justification to add additional reporting events beyond those identified
in OE-417, then the event table could be expanded.
o If the list of reportable events is expanded beyond the OE-417 event list, the
supplemental events should be the same in both EOP-004-2 and in the EAP
Categories 1 through 5.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004.
o It is not clear what the difference is between a footnote and “Threshold for
Reporting”. All information should be included in the body of the table, there should
be no footnotes.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
o Event: “Risk to BES equipment” should be deleted. This is too vague and
subjective. Will result in many “prove the negative” situations.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
o Event: “Destruction of BES equipment” is again too vague. The footnote refers
to equipment being “damaged or destroyed”. There is a major difference between
destruction and damage.
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
o Event: “Damage or Destruction of a Critical Asset or Critical Cyber Asset” should
be deleted. Disclosure policies regarding sensitive information could limit an entity’s
ability to report. Unintentional damage to a CCA does not warrant a report.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
o Event: “BES Emergency requiring public appeal for load reduction” should be
modified to note that this does not apply to routine requests for customer
conservation during high load periods
The DSR SDT believes the current language of the event category ‘BES Emergency...’
clearly excludes routine conservation requests.
Response: Thank you for your comment. Please see response above.
Ameren
No
(1) By our count there are still six of the nineteen events listed with a one hour
reporting requirement and the rest are all within 24 hour after the occurrence (or
recognition of the event). This in our opinion, is reporting in real-time, which is
against one of the key concepts listed in the background section: "The DSR SDT
wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in Attachment 1. Real-time reporting is
achieved through the RCIS and is covered in other standards (e.g. the TOP family of
standards). The proposed standard deals exclusively with after-the-fact reporting."
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
(2) We believe the earliest preliminary report required in this standard should be at the
close of the next business day. Operating Entities, such as the RC, BA, TOP, GOP, DP,
and LSE should not be burdened with unnecessary after-the-fact reporting while they
are addressing real-time operating conditions. Entities should have the ability to
allow their support staff to perform this function during the next business day as
needed. We acknowledge it would not be an undue burden to cc: NERC on other
required governmental reports with shorter reporting timeframes, but NERC should
not expand on this practice.
No preliminary report is required within the revised standard.
(3) We agree with the extension in reporting times for events that now have 24 hours
of reporting time. As a GO there are still too many potential events that still require
a 1 hour reporting time that is impractical, unrealistic and could lead to
inappropriate escalation of normal failures. For example, the sudden loss of several
control room display screens for a BES generator at 2 AM in the morning, with only 1
hour to report something, might be mistakenly interpreted as a cyber-attack. The
reality is most likely something far more mundane such as the unexpected failure of
an instrument transformer, critical circuit board, etc.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Duke Energy
No
All events in Attachment 1 should have reporting times of no less than 24 hours. As
stated on page 6 of the current draft of the standard: “The DSR SDT wishes to make
clear that the proposed Standard does not include any real-time operating
notifications for the events listed in Attachment 1. Real-time reporting is achieved
through the RCIS and is covered in other standards (e.g. the TOP family of standards).
The proposed standard deals exclusively with after-the-fact reporting.” We maintain
that a report which is required to be made within one hour after an event is, in fact,
a real time report. In the first hour or even several hours after an event the operator
may appropriately still be totally committed to restoring service or returning to a
stable bulk power system state, and should not stop that recovery activity in order to
make this “after-the-fact” report.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
American Public Power
Association
No
APPA echoes the comments made by Central Lincoln: We do not believe the SDT has
adequately addressed the FERC Order to “Consider whether separate, less
burdensome requirements for smaller entities may be appropriate.” The one and 24
hour reporting requirements continue to be burdensome to the smaller entities that
do not maintain 24/7 dispatch centers. The one hour reporting requirement means
that an untimely “recognition” starts the clock and reporting will become a higher
priority than restoration. The note regarding adverse conditions does not help unless
we were to consider the very lack of 24/7 dispatch to be such a condition. APPA
recommends the SDT evaluate a less burdensome requirement for smaller entities
with reporting requirements in Attachment 1. This exception needs to address the
fact that not all entities have 24 hour 7 day a week operating personnel.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
The DSR SDT believes that reliability is best served by imposing reporting criteria based
on impact to the BES rather than an arbitrary entity size threshold. With these latest
revisions, all the proposed event categories provide thresholds that will capture the
appropriate entities and provide a manageable timeframe.
However, APPA cautions the SDT that changes to this standard may expose entities
to reporting violations on DOE-OE-417 which imposes civil and criminal penalties on
reporting events to the Department of Energy. APPA recommends that the SDT
reach out to DOE for clarification of reporting requirements for DOE-OE-417 for small
entities, asking DOE to change their reporting requirement to match EOP-004-2. If
DOE cannot change their reporting requirement the SDT should provide an
explanation in the guidance section of Reliability Standard EOP-004-2 that addresses
these competing FERC/DOE directives.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
BC Hydro
No
As an event would be verbally reported to the RC, all the one hour requirements to
submit a written report should be moved from one hour to 24 hours.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Bonneville Power
Administration
No
BPA believes that the first three elements in Attachment 1 are too generic and
should be with only the intentional human criterion. The suspicious device needs to
be determined as a threat (and not left behind tools) before requiring a report.
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity. These thresholds
include intentional human action as well as impact-based for those cases when cause
isn’t known. The determination of a threat as you suggest is now part of the revised
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
Response: Thank you for your comment. Please see response above.
CenterPoint Energy
No
CenterPoint Energy agrees with the revision that allows more time for reporting
some events; however, some 1 hour requirements remain. The Company does not
agree with this timeframe for any event.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Consolidated Edison Co. of
NY, Inc.
No
Comments: We have a number of comments on Attachment 1 and will make them
here:
o Generally speaking the SDT should work with the NERC team drafting the
Events Analysis Process (EAP) to ensure that the reporting events align and use the
same descriptive language.
o EOP-004 should use the exact same events as OE-417.
These could be considered a baseline set of reportable events. If the SDT believes
that there is justification to add additional reporting events beyond those identified
in OE-417, then the event table could be expanded.
o If the list of reportable events
is expanded beyond the OE-417 event list, the supplemental events should be the
same in both EOP-004-2 and in the EAP Categories 1 through 5.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004.
o It is not clear what the difference is between a footnote and “Threshold for
Reporting”. All information should be included in the body of the table, there should
be no footnotes.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘Any
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
o Event: “Risk to BES equipment” should be deleted. This is too vague and
subjective. Will result in many “prove the negative” situations.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
o Event: “Destruction of BES equipment” is again too vague. The footnote refers to
equipment being “damaged or destroyed”. There is a major difference between
destruction and damage.
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
o Event: “Damage or Destruction of a Critical Asset or Critical Cyber Asset” should be
deleted. Disclosure policies regarding sensitive information could limit an entity’s
ability to report. Unintentional damage to a CCA does not warrant a report.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
o Event: “BES Emergency requiring public appeal for load reduction” should be
modified to note that this does not apply to routine requests for customer
conservation during high load periods.
The DSR SDT believes the current language ‘BES Emergency...’ clearly excludes
routine conservation requests.
Response: Thank you for your comment. Please see response above.
Electric Reliability Council of
Texas, Inc.
No
Destruction of BES equipment: 1. Request that the term “destruction” be clarified.
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
Damage or destruction of Critical Asset per CIP-002: 1. Request that the terms
“damage” and “destruction” be clarified. 2. Is the expectation that an entity report
each individual device or system equipment failure or each mistake made by
someone administering a system?
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
3. Request that “initial indication of the event” be changed to “confirmation of the
event”. Event monitoring and management systems may receive many events that
are determined to be harmless and put the entity at no risk. This can only be
determined after analysis of the associated events is performed.
The ‘initial indication of the event’ is no longer part of the threshold for ‘Damage or
Destruction of a Facility’
Risk to BES equipment: Request that the terms “risk” be clarified.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
Response: Thank you for your comment. Please see response above.
Exelon
No
Due to the size of the service territories in ComEd and PECO it’s difficult to get to
some of the stations within an hour to analyze an event, which causes concern
with the 1 hour criteria. It is conceivable that the evaluation of an event could take
longer than one hour to determine if it is reportable. Exelon cannot support this
version of the standard until the 1 hour reporting criteria is clarified so that the
reporting requirements are reasonable and obtainable. Exelon has concerns about
the existing 1 hour reporting requirements and feels that additional guidance and
verbiage is required for clarification. We would like a better understanding of when the
1 hour clock starts. Please consider using the following clarifying statement: in the
statements that read “recognition of events”, please consider replacing the word
“recognition” with the word “confirmation”, as in a “confirmed event”.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Energy Northwest - Columbia
No
Energy Northwest - Columbia (ENWC) has concerns about the existing 1 hour
reporting requirements and feels that additional guidance and verbiage is required
for clarification. ENWC would like the word "recognition" in the statement that
reads, "recognition of events," be replaced by "confirmation" as in "confirmed
event." Also, we would like clarification as to when the 1 hour clock starts. Please
consider changing recognition in "within 1 hour of recognition of event" and
incorporating in "confirmation."
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
Indiana Municipal Power
Agency
No
IMPA believes that some of the times may not be aggressive enough that are
related to generation capacity shortages.
This standard concerns after-the-fact reporting. It is assumed that Responsible
Entities will make appropriate real-time notifications as per other applicable
standards, operating agreements, and good utility practice. This standard does not
preclude a Responsible Entity from reporting more quickly than required by
Attachment 1.
In addition, IMPA believes clarity needs to be added when saying within 1 hour of
recognition of event. For example, a fence cutting may not be discovered for days at
a remote substation and then a determination has to be made if it was “forced
intrusion” - Does that one hour apply once the determination is made that it was
“forced intrusion” or from the time the discovery was made? Some of the 1 hour
time limits can be expanded to allow for more time, such as forced intrusion,
destruction of BES equipment, Risk to BES equipment, etc.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘Any physical threat that could impact the operability of a Facility’.
Timelines start at the moment the Responsible Entity determines the event
represents a threat, not when it first occurred.
Response: Thank you for your comment. Please see response above.
Luminant Power
No
Luminant agrees with the changes the SDT made, however, the timeline should be
modified to put higher priority activities before reporting requirements. The SDT
should consider allowing entities the ability to put the safety of personnel, safety of
the equipment, and possibly the stabilization of BES equipment efforts prior to
initiating the one hour reporting timeline. Reporting requirements should not be
prioritized above these important activities. The requirement to report one hour
after the recognition of such an event may not be sufficient in all instances. Entities
should not have a potential violation as a result of putting these priority issues first
and not meeting the one hour reporting timeline.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
Actions taken to maintain the reliability of the BES in real-time always take
precedence over reporting. The revised thresholds should ensure there is no perverse
driver to act differently.
Response: Thank you for your comment. Please see response above.
MidAmerican Energy
No
MidAmerican Energy agrees with the direction of consolidating CIP-001, EOP-004 and
portions of CIP-008. However, we have concerns with some of the events included in
Attachment 1 and reporting timelines. EOP-004-2 needs to clearly state that initial
reports can be made by a phone call, email or another method, in accordance with
paragraph 674 of FERC Order 706.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report. Also, Attachment 1 provides the
flexibility to make a verbal report under adverse conditions.
MidAmerican Energy believes draft Attachment 1 expands the scope of what must
be reported beyond what is required by FERC directives and beyond what is needed
to improve security of the BES. Based on our understanding of Attachment 1, the
category of “damage or destruction of a critical cyber asset” will result in hundreds
or thousands of small equipment failures being reported to NERC and DOE, with no
improvement to security. For example, hard drive failures, server failures, PLC
failures and relay failures could all meet the criteria of “damage or destruction of a
critical cyber asset.”
The DSR SDT agrees and the ‘Damage or Destruction’ events specifically relating to
Critical Assets and Critical Cyber Assets were removed from Attachment 1, as these
events are adequately addressed through the CIP-008 and ‘Damage or Destruction of
a Facility’ reporting thresholds.
We recommend replacing Attachment 1 and Attachment 2 with the categories and
timeframes that are listed in OE-417. This eliminates confusion between government
requirements in OE-417 and NERC standards.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004.
Reporting timelines and reporting form: FERC Order 706, paragraph 676, directed
NERC to require a responsible entity to “at a minimum, notify the ESISAC and
appropriate government authorities of a cyber security incident as soon as possible,
but, in any event, within one hour of the event, even if it is a preliminary report.” In
paragraph 674, FERC stated that the Commission agrees that, in the “aftermath of a
cyber attack, restoring the system is the utmost priority.” They clarified: “the
responsible entity does not need to initially send a full report of the incident...To
report to appropriate government authorities and industry participants within one
hour, it would be sufficient to simply communicate a preliminary report, including
the time and nature of the incident and whatever useful preliminary information is
available at the time. This could be accomplished by a phone call or another
method.” While FERC did not order completion of a full report within one hour in
Order 706, the draft EOP-004 Attachment 1 appears to require submittal of formal
reports within one hour for six of the categories, unless there have been “certain
adverse conditions” (in which case, as much information as is available must be
submitted at the time of notification).
It is assumed that Responsible Entities will make appropriate real-time notifications
as per other applicable standards, operating agreements, and good utility practice.
As stated above, all one hour reporting timelines have been changed to 24 hours with
the exception of a ‘Reportable Cyber Security Incident’. This is maintained due to
FERC Order 706, Paragraph 673. For the remaining events, 24 hours should provide
sufficient time to manage the incident in real-time before having to report. Also,
Attachment 1 provides the flexibility to make a verbal report under adverse
conditions, which would certainly include the aftermath of a cyber attack that had
major impact on the BES.
The Violation Severity Levels are extreme for late submittal of a report. For example,
it would be a severe violation to submit a report more than three hours following an
event for an event requiring reporting in one hour.
The DSR SDT believes the VSL is appropriate now that it only applies to the remaining
1 hour reportable event, which is the Reportable Cyber Event under CIP-008.
MidAmerican Energy suggests incorporating the language from FERC Order 706,
paragraph 674, into the EOP-004 reporting requirement to allow preliminary
reporting within one hour to be done through a phone call or another method to
allow the responsible entity to focus on recovery and/or restoration, if
needed. MidAmerican Energy agrees with the use of DOE OE-417 for submittal of the
full report of incidents under EOP-004 and CIP-008. We would note there are two
parts to this form -- Schedule 1-Alert Notice, and Schedule 2-Narrative Description.
Since OE-417 already requires submittal of a final report that includes Schedule 2
within 48 hours of the event, MidAmerican Energy believes it is not necessary to
include a timeline for completion of the final report within the EOP-004 standard.
We would note that Schedule 2 has an estimated public reporting burden time of
two hours so it is not realistic to expect Schedule 2 to be completed within one hour.
Events included in Attachment 1: MidAmerican Energy believes draft Attachment 1
expands the scope of what must be reported beyond what is required by FERC
directives and beyond what is needed to improve security of the BES. The categories
listed in Attachment 1 with one-hour reporting timelines cause the greatest concern.
None of these categories are listed in OE-417, and all but the last row would not be
considered a Cyber Security Incident under CIP-008, unless there was malicious or
suspicious intent.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report. Also, Attachment 1 provides the
flexibility to make a verbal report under adverse conditions.
Response: Thank you for your comment. Please see response above.
SERC OC Standards Review
Group
No
No event should have a reporting time less than at the close of the next business
day. Any reporting of an event that requires a less reporting time should only be to
entities that can help mitigate an event such as an RC or other Reliability Entity.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
Southwestern Power
Administration
No
One hour is not enough time to make these assessments for all of the six items in
attachment 1. All timing requirements should be made the same in order to simplify
the reporting process.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
ITC
No
See comments to Question #4
Response: Thank you for your comment. See response to Question 4.
Southern Company
No
Southern requests clarification on one of the entries in Attachment 1. The concern is
with the last row on page 21 of Draft 3. What is the basis for “Voltage deviations”?
The Threshold is ±10% sustained for ≥ 15 minutes. Is the voltage deviation
based on the Voltage Schedule for that particular timeframe, or is it something else
(pre-contingency voltage level, nominal voltage, etc.)?
A sustained voltage deviation of ± 10% on the BES is a significant deviation and is
indicative of a shortfall of reactive resources either pre- or post-contingency. The DSR
SDT is indifferent to which of nominal, pre-contingency, or scheduled voltage, is used
as the baseline, but for simplicity and to promote a common understanding suggest
using nominal voltage.
In addition, the second row of Attachment 1 lists “Damage or destruction of a
Critical Cyber Asset per CIP-002” as a reportable event. The threshold includes
“...intentional or unintentional human action” and gives us 1 hour to report. The
term “damage” may be overly broad and, without definition, is not limited in any
way. If a person mistypes a command and accidentally deletes a file, or renames
something, or in any way changes anything on the CCA in error, then this could be
considered “damage” and becomes a reportable event. The SDT should consider
more thoroughly defining what is meant by “damage”. Should it incorporate the
idea that the essential functions that the CCA is performing must be adversely
impacted?
The DSR SDT agrees and the ‘Damage or Destruction’ events specifically relating to
Critical Assets and Critical Cyber Assets were removed from Attachment 1, as these
events are adequately addressed through the CIP-008 and ‘Damage or Destruction of
a Facility’ reporting thresholds.
Lastly, no event should have a reporting time shorter than at the close of the next
business day. Any reporting of an event that requires a shorter reporting time
should only be to entities that can help mitigate an event such as an RC or other
Reliability Entity.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
FEUS
No
The OE-417 requires several of the events listed in Attachment 1 be reported within
1 hour. FEUS recommends the drafting team review the events and the OE-417 form
and align the reporting window requirements. For example, public appeals, load
shedding, and system separation have a 1 hour requirement in OE-417.
OE-417 thresholds and reporting timelines were considered in creating Attachment 1,
but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America. Non-US Responsible Entities cannot be obligated to report in
shorter timelines simply to make the two forms line up. The current in-force
EOP-004 requires 24 hour reporting on the items you have identified and so
does the latest version of EOP-004-2
• NERC has no control over the criteria in OE-417, which can change at any time
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004.
Response: Thank you for your comment. Please see response above.
SPP Standards Review Group
No
The purpose of the reporting requirement should be clear either in the text of the
requirements or through an explanation that is embodied in the language of the
approved set of standards. This would be consistent with a “Results-based”
architecture. What is lacking in the proposed language of this standard is recognition
that registered entities differ in size and relevance of their impact on the Bulk
Electric System. Also, events that are reportable differ in their impact on the
registered entity. A “one-size fits all” approach to this standard may cause smaller
entities with low impact on the grid to take extraordinary measures to meet the
reporting/timing requirements and yet be too “loose” for larger more sophisticated
and impacting entities to meet the same requirements. Therefore, we believe
language of the standard must clearly state the intent that entities must provide
reports in a manner consistent with their capabilities from a size/reliability impact
perspective and from a communications availability perspective. Timing
requirements should allow for differences and consider these variables. Also, we
would suggest including language to specifically exclude situations where
communications facilities may not be available for reporting. For example, in
situations where communications facilities have been lost, initial reports would be
due within 6 hours of the restoration of those communication facilities.
The DSR SDT has reviewed Attachment 1 and made revisions to Event types, used the
NERC approved term ‘Facility’, and revised some of the language under ‘Entity with
Reporting Responsibility’ to ensure that these reportable events correctly represent
the relative impact to the BES. Also, all one hour reporting timelines have been
changed to 24 hours with the exception of a ‘Reportable Cyber Security Incident’. This
is maintained due to FERC Order 706, Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
We would also suggest that Attachment 1 be broken into two distinct parts such that
those events which must be reported within 1 hour standout from those events that
have to be reported within 24 hours.
The DSR SDT agrees and has implemented your suggestion.
Response: Thank you for your comment. Please see response above.
Kansas City Power & Light
No
The reportable events listed in Attachment 1 can be categorized as events that have
had a reliability impact and those events that could have a reliability impact. The
listed events that could have a reliability impact should have a 24 hour reporting
requirement and the events that have had a reliability impact are appropriate at a 1
hour reporting. The following events with a 1 hour report requirement are
recommended to change to 24 hour: Forced Intrusion and Risk to BES Equipment.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
In addition, the Attachment 1 Events Table is incomplete as many of the listed
events are incomplete regarding reporting time requirements and event
descriptions.
Attachment 1 has been revised to more clearly indicate reporting timelines and some
of the event descriptions were changed to add clarity.
Also recommend removing (ii) from note 5 with event “Destruction of BES
equipment” as this part of the note is already described in the event description and
insinuates reporting of equipment losses that do not have a reliability impact.
This footnote has been deleted
The events, “Damage or destruction of Critical Asset per CIP-002” and “Damage or
destruction of a Critical Cyber Asset per CIP-002”, do not have sufficient clarity
regarding what that represents. A note similar in nature to Note 5 for BES
equipment is recommended.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
Los Angeles Department of
Water and Power
No
The reporting time of within 1 hour of recognition for a "Forced Intrusion" (last event
category on page 20 of Draft 3, dated October 25, 2011) when considered with the
associated footnote “Report if you cannot reasonably determine likely motivation” is
overly burdensome and unrealistic. What is “reasonably determine likely
motivation” is too general and requires further clarity. For example, LADWP has
numerous facilities with extensive perimeter fencing. There is a significant
difference between a forced intrusion like a hole or cut in a property line fence of a
facility versus a forced intrusion at a control house. Often cuts in fences, after
further investigation, are determined to be cases of minor vandalism. An
investigation of this nature will take much more than the allotted hour. The NERC
Design Team needs to develop different levels for the term “Force Intrusion” that
fit the magnitude of the event and provide for adequate time to determine if the
event was only a case of minor vandalism or petty theft. The requirement, as
currently written, would unnecessarily burden an entity in reporting events that after
given more time to investigate would more than likely not have been a reportable
event.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
Response: Thank you for your comment. Please see response above.
Northeast Power Coordinating
Council
No
The SDT should work with the NERC team drafting the Events Analysis Process (EAP)
to ensure that the reporting events align and use the same descriptive language.
EOP-004 should use the exact same events as OE-417. These could be considered a
baseline set of reportable events. If the SDT believes that there is justification to
add additional reporting events beyond those identified in OE-417, then the event
table could be expanded. If the list of reportable events is expanded beyond the
OE-417 event list, the supplemental events should be the same in both EOP-004-2 and
in the EAP Categories 1 through 5.
OE-417 thresholds and reporting timelines were considered in creating Attachment 1,
but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America. Non-US Responsible Entities cannot be obligated to report in
shorter timelines simply to make the two forms line up. The current in-force
EOP-004 requires 24 hour reporting on the items you have identified and so
does the latest version of EOP-004-2
• NERC has no control over the criteria in OE-417, which can change at any time
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004.
It is not clear what the difference is between a footnote and “Threshold for
Reporting”. All information should be included in the body of the table, there should
be no footnotes.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
Event: Risk to BES equipment should be deleted. This is too vague and subjective.
This will result in many “prove the negative” situations.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
Event: Damage or Destruction of a Critical Asset or Critical Cyber Asset should be
deleted. Disclosure policies regarding sensitive information could limit an entity’s
ability to report. Unintentional damage to a CCA does not warrant a report.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Event: BES Emergency requiring public appeal for load reduction should be modified
to note that this does not apply to routine requests for customer conservation during
high load periods.
The DSR SDT believes the current language of the event category ‘BES Emergency...’
clearly excludes routine conservation requests.
Response: Thank you for your comment. Please see response above.
Florida Municipal Power
Agency
No
The times don’t seem aggressive enough for some of the Events related to
generation capacity shortages, e.g., we would think public appeal, system wide
voltage reduction and manual firm load shedding ought to be within an hour. These
are indicators that the BES is “on the edge” and to help BES reliability,
communication of this status is important to Interconnection-wide reliability.
This standard concerns after-the-fact reporting. It is assumed that Responsible
Entities will make appropriate real-time notifications as per other applicable
standards, operating agreements, and good utility practice. This standard does not
preclude a Responsible Entity from reporting more quickly than required by
Attachment 1.
Response: Thank you for your comment. Please see response above.
NorthWestern Energy
Affirmative
In Attachment 1 NorthWestern Energy does not agree with the Transmission loss
event, the threshold for reporting is “Unintentional loss of Three or more
Transmission Facilities (excluding successful automatic reclosing).” There are lots of
instances where this can happen and not have any major impacts to the BES. This
reporting requirement is stemming from the Event Analysis Reporting Requirements
and in many instances does not constitute an emergency.
You are correct. This event is used as a trigger to the Events Analysis Process.
Also, in Attachment 1 it is not clear when the DOE OE-417 form MUST be submitted.
It gives an option to use this form or another form but does not state when it must be
used - confusing.
For the purposes of EOP-004, Responsible Entities may use either Attachment 2 or
OE-417. Submission of OE-417 to the DOE is mandatory for US entities and outside
the scope of NERC. Giving you the option to submit OE-417 to NERC and your RC to
satisfy EOP-004 is permitted as a matter of convenience so you don’t have to submit
two different forms for the same event.
Response: Thank you for your comment. Please see response above.
Rutherford EMC
Affirmative
The SDT should consider adding a clause in the standard exempting small DP/LSEs
from the standard if the DP/LSE annually reviews and approves that it owns no
facilities or equipment creating an event as described in Attachment 1.
The DSR SDT believes that reliability is best served by imposing reporting criteria based
on impact to the BES rather than an arbitrary entity size threshold. With these latest
revisions, all the proposed event categories provide thresholds that will capture the
appropriate entities and provide a manageable timeframe.
Response: Thank you for your comment. Please see response above.
Fort Pierce Utilities Authority
Affirmative
The triggering event “Detection of a reportable Cyber Security Incident” listed in
Attachment 1 assigns essentially all utilities reporting responsibility. This is not in line
with its reporting threshold, which is an event meeting the criteria in CIP-008. Shouldn’t
the responsibility fall on only those responsible for compliance with CIP-008, version
3 or 4, as determined by CIP-002? The SDT should also give additional consideration
to necessary provisions to make it align with the proposed CIP-008-5.
The ‘Entity with Reporting Responsibility’ has been changed to reflect your comment
to ‘Each Responsible Entity applicable under CIP-008 that experiences the Cyber
Security Incident’.
Response: Thank you for your comment. Please see response above.
Nebraska Public Power
District
Yes
Although 24 hours is a vast improvement, one business day would make more sense
for after the fact reporting.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
FirstEnergy
Yes
Although we agree with the timeframes for reporting, we have other concerns as
listed in our response to Question 4.
Response: Thank you for your comment. Please see response to question 4.
Intellibind
Yes
Does this reporting conflict with reporting for DOE, and Regions? If so, what
reporting requirements will the entity be held accountable to? Managing multiple
reporting requirements for the multiple agencies is very problematic for entities and
this standard should resolve those reporting requirements, as well as reduce the
reporting down to one form and one submission. Reporting to ESISAC should take
care of all reporting by the company. NERC should route all reports to the DOE, and
regions through this mechanism.
OE-417 thresholds and reporting timelines were considered in creating Attachment 1,
but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America. Non-US Responsible Entities cannot be obligated to report in
shorter timelines simply to make the two forms line up. NERC has no control
over the criteria in OE-417, which can change at any time
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. NERC cannot take on the statutory
obligation of US entities to report to the DOE.
Response: Thank you for your comment. Please see response above.
Dominion
Yes
Dominion appreciates the changes that have been made to increase the 1 hr
reporting time to 24 hours.
Response: Thank you for your comment.
APX Power Markets (NCR11034)
Yes
In my opinion the remaining items with 1 hour reporting requirements will in most
cases require the input of incomplete information, since you may be aware of the
outage/disturbance, but not aware of any reason for it. If that is acceptable just to
get the initial report that there was an outage/disturbance then we are OK. I
believe it would help to have that clarified in the EOP, or maybe a CAN can be created
for that.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
Compliance & Responsibility
Office
Yes
See comments in response to Question 4.
Response: Thank you for your comment. See response to Question 4.
Lower Colorado River
Authority
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report
required by the Event Analysis process, but there is some duplication of efforts. EOP-004 has an “optional” Written Description section for the event, while the Brief
Report requires more detailed information such as a sequence of events,
contributing causes, restoration times, etc. Please clarify whether Registered Entities
will still be required to submit both forms. Please also ensure there will not be
duplication of efforts between the two reports. Although this is fairly minor, the
clarification should be addressed.
Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary.
Response: Thank you for your comment. Please see response above.
City of Austin dba Austin
Energy
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report
required by the Event Analysis process, but there is some duplication of efforts. EOP-004 has an “optional” Written Description section for the event, while the Brief
Report requires more detailed information such as a sequence of events,
contributing causes, restoration times, etc. Please clarify whether Registered Entities
will still be required to submit both forms. Please also ensure there will not be
duplication of efforts between the two reports. Although this is fairly minor, the
clarification should be addressed.
Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary.
Response: Thank you for your comment. Please see response above.
Public Utility District No. 1 of
Snohomish County
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report
required by the Event Analysis process, but there is some duplication of efforts. The
EOP-004 has an “optional” Written Description section for the event, while the Brief
Report requires more detailed information such as a sequence of events,
contributing causes, restoration times, etc. Please clarify if both forms will still be
required to be submitted. We also need to ensure that there won’t be a duplication
of efforts between the two reports. This is fairly minor, but the clarification need
should be addressed.
Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary.
Response: Thank you for your comment. Please see response above.
Seattle City Light
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report
required by the Event Analysis process, but there is some duplication of efforts. The
EOP-004 has an “optional” Written Description section for the event, while the Brief
Report requires more detailed information such as a sequence of events,
contributing causes, restoration times, etc. Please clarify if both forms will still be
required to be submitted. We also need to ensure that there won’t be a duplication
of efforts between the two reports. This is fairly minor, but the clarification need
should be addressed.
Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary.
Response: Thank you for your comment. Please see response above.
Salt River Project
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report
required by the NERC Event Analysis process, but there is some duplication of
efforts. EOP-004 has an “optional” Written Description section for the event, while
the Brief Report requires more detailed information such as a sequence of events,
contributing causes, restoration times, etc. Please clarify whether Registered Entities
will still be required to submit both forms. Please also ensure there will not be
duplication of efforts between the two reports. Although this is fairly minor, the
clarification should be addressed.
Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary.
Response: Thank you for your comment. Please see response above.
Constellation Energy on
behalf of Baltimore Gas &
Electric, Constellation Power
Generation, Constellation
Energy Commodities Group,
Constellation Control and
Dispatch, Constellation
NewEnergy and Constellation
Energy Nuclear Group.
Yes
We agree with the change to the reporting times in Attachment 1. While this is an
improvement, other concerns with the language in the events table language
remain. Please see additional details below:
General items:
o All submission instructions (column 4 in Events Table) should qualify the recognition of the event as
“of recognition of event as a reportable event.”
Column 4 has been deleted. The table headings now state that Responsible Entities
must submit the report within X hours of recognition of event.
o Is the ES-ISAC the appropriate contact for the ERO given that these two entities are
separate even though they are currently managed by NERC?
Yes. This is the current reporting contact and this is the advice that the DSR SDT team
received from NERC.
In addition, are the phone numbers in the Attachment 1 NOTE accurate? Is it
possible they will change in a different cycle than the standard?
Yes. The standard will require updating should the phone number change.
Specific Event Language:
o Destruction of BES Equipment, footnote: Footnote 1,
item iii confuses the clarification added in items i. and ii. Footnote 1 should be
modified to state BES equipment that (i) an entity knows will affect an IROL or has
been notified the loss affects an IROL; (ii) significantly affects the reserve margin of a
Balancing Authority or Reserve Sharing Group. Item iii should be dropped.
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity. Footnotes for this
event have been deleted.
o Damage or destruction of Critical Asset per CIP-002: Within the currently
developing revisions to CIP-002 (version 5), Critical Asset will be retired as a glossary
term. As well as addressing the durability of this event category, additional
delineation is needed regarding which asset disruptions are to be reported. A CA as
currently defined incorporates assets in a broad perspective, for instance a
generating plant may be a Critical Asset. As currently written in Attachment 1,
reporting may be required for unintended events, such as a boiler leak that takes a
plant offline for a minor repair. Event #1 - Destruction of BES Equipment - captures
incidents at the relevant equipment regardless of whether they are a Critical Asset or
not. We recommend dropping this event. However, if reference to CIP-002 assets
remains, it will be important to capture reporting of the events relevant to reliability
and not just more events.
o Damage or destruction of a Critical Cyber Asset per CIP-002: Because CCAs are defined at the component level, including this trigger is
appropriate; however, as with CAs, the CCA term is scheduled to be retired under
CIP-002 version 5.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
o Forced Intrusion: The footnote confuses the goal of including this event category.
In addition, “forced” doesn’t need to define the incident. Constellation proposes the
following to better define the event:
Intrusion that affects or attempts to affect the reliable operation of the BES (1)
(1) Examples of "affecting reliable operation of the BES are": (i) device operations, (ii) protective equipment degradation, (iii)
communications systems degradation including telemetered values and device
status.
o Risk to BES equipment: This category is too vague to be effective and the
footnote further complicates the expectations around this event. The catch all
concept of reporting potential risks to BES equipment is problematic. It’s not clear
what the reliability goal of this category is. Risk is not an event, it is an analysis. How
are entities to comply with this “event”, never mind within an hour? It appears that
the information contemplated within this scenario would be better captured within
the greater efforts underway by NERC to assess risks to the BES. This event should
be removed from the Attachment 1 list in EOP-004.
‘Forced intrusion’ and ‘Risk to BES Equipment’ (which this footnote referenced) have
been combined under a new event type called ‘A physical threat that could impact
the operability of a Facility’. Using judgment is unavoidable for this type of event. This
language was chosen because the Responsible Entity is in the best position to exercise
this judgment and determine whether or not an event poses a threat to its Facilities.
The DSR SDT believes this revised event type will minimize administrative burden and
ensure that events meaningful to industry awareness are reported. Note that the
reporting timeline (now revised to 24 hours) starts when the situation has been
determined as a threat, not when it may have first occurred.
o BES Emergency requiring system-wide voltage reduction: the Entity with Reporting
Responsibility should be limited to RC and TOP.
Entity with Reporting Responsibility states ‘Initiating entity is responsible for
reporting’, which the DSR SDT feels is adequate direction in conjunction with the
event: BES Emergency requiring system-wide voltage reduction.
o Voltage deviations on BES Facilities: The Threshold for Reporting language needs
more detail to explain +/- 10% of what? Proposed revision: ± 10% outside the
voltage schedule band sustained for ≥ 15 continuous minutes
o IROL Violation (all Interconnections) or SOL Violation (WECC only): Should “Interconnections” be
capitalized?
o Transmission loss: The reporting threshold should provide more
specifics around what constitutes Transmission Facilities. One minor item, under the
Threshold for Reporting, “Three” does not need to be capitalized.
Both Transmission and Facilities are defined terms and the DSR SDT feels this gives
sufficient direction.
Response: Thank you for your comment. Please see response above.
Pacific Northwest Small Public
Power Utility Comment Group
Yes
While we agree with the revisions as far as they went, we do not believe the SDT has
adequately addressed the FERC Order to “Consider whether separate, less
burdensome requirements for smaller entities may be appropriate.” The one and 24
hour reporting requirements continue to be burdensome to the smaller entities that
do not maintain 24/7 dispatch centers. The one hour reporting requirement means
that an untimely “recognition” starts the clock and reporting will become a higher
priority than restoration. The note regarding adverse conditions does not help unless
we were to consider the very lack of 24/7 dispatch to be such a condition.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
The DSR SDT believes that reliability is best served by imposing reporting criteria based
on impact to the BES rather than an arbitrary entity size threshold. With these latest
revisions, all the proposed event categories provide thresholds that will capture the
appropriate entities and provide a manageable timeframe.
Response: Thank you for your comment. Please see response above.
Clallam County PUD No.1
Yes
While we agree with the revisions as far as they went, we do not believe the SDT has
adequately addressed the FERC Order to “Consider whether separate, less
burdensome requirements for smaller entities may be appropriate.” The one and 24
hour reporting requirements continue to be burdensome to the smaller entities that
do not maintain 24/7 dispatch centers. The one hour reporting requirement means
that an untimely “recognition” starts the clock and reporting will become a higher
priority than restoration. The note regarding adverse conditions does not help unless
we were to consider the very lack of 24/7 dispatch to be such a condition.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
The DSR SDT believes that reliability is best served by imposing reporting criteria based
on impact to the BES rather than an arbitrary entity size threshold. With these latest
revisions, all the proposed event categories provide thresholds that will capture the
appropriate entities and provide a manageable timeframe.
Response: Thank you for your comment. Please see response above.
Illinois Municipal Electric
Agency
Yes
With the understanding this is within 24 hrs., and good professional judgment
determines the amount of time to report the event to appropriate parties.
Response: Thank you for your comment.
Ingleside Cogeneration LP
Yes
Yes. Any reporting that is mandated during the first hour of an event must be
subject to close scrutiny. Many of the same resources that are needed to
troubleshoot and stabilize the local system will be engaged in the reporting - which
will impair reliability if not carefully applied. We believe that the ERO should
reassess the need for any immediate reporting requirements on a regular basis to
confirm that it provides some value to the restoration process.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Southwest Power Pool
Regional Entity
Yes
ZGlobal on behalf of City of
Ukiah, Alameda Municipal
Power, Salmen River Electric,
City of Lodi
Yes
MRO NSRF
Yes
Western Electricity
Coordinating Council
Yes
Imperial Irrigation District
Yes
ACES Power Marketing
Standards Collaborators
Yes
Santee Cooper
Yes
Sacramento Municipal Utility
District (SMUD)
Yes
Electric Compliance
Yes
PacifiCorp
Yes
Arizona Public Service
Company
Yes
Westar Energy
Yes
Springfield Utility Board
Yes
Manitoba Hydro
Yes
Xcel Energy
Yes
Liberty Electric Power
Yes
Colorado Springs Utilities
Yes
Independent Electricity
System Operator
Yes
South Carolina Electric and Gas
Yes
ISO New England
Yes
American Transmission
Company, LLC
Yes
PSEG
Yes
American Electric Power
Yes
Georgia System Operations
Corporation
Yes
NV Energy
Yes
Occidental Power Services,
Inc. (OPSI)
Yes
Northeast Utilities
Yes
Great River Energy
Yes
Oncor Electric Delivery
Company LLC
Yes
PPL Electric Utilities and PPL
Supply Organizations
Progress Energy
Texas Reliability Entity
ReliabilityFirst
NRECA
Entergy Services
Thompson Coburn LLP on
behalf of Miss. Delta Energy
Agency
4. Do you have any other comment, not expressed in questions above, for the DSR SDT?
Summary Consideration: The issues addressed in this question resulted in the DSR SDT reviewing and updating each requirement,
Attachment 1 and Attachment 2. The DSR SDT has removed ambiguous language such as “risk” and “potential” based on comments
received. All of the time frames in Attachment 1 have been moved to 24 hours upon recognition with the exception to reporting of CIP-008 events that remains one hour per FERC Order 706. Attachment 2 has been rewritten to mirror Attachment 1 events for entities who
wish to use Attachment 2 in lieu of the DOE Form OE 417. VSLs have been reviewed to match the updated requirements.
Organization
Yes or No
Question 4 Comment
Cleco Corporation, Cleco
Power, Cleco Power LLC
Abstain
Cleco does not use the VSL or VRF.
Response: Thank you for your comment
Oklahoma Gas and Electric Co.
Abstain
Please see comments on SPP ballot
Response: Thank you for your comment. See response to those comments.
Alberta Electric System
Operator
Abstain
The Alberta Electric System Operator will need to modify parts of this standard to fit
the provincial model when it develops the Alberta Reliability Standard.
Response: Thank you for your comment.
Gainesville Regional Utilities
Affirmative
Looking forward to the added clarity.
Response: Thank you for your comment.
Manitoba Hydro
Affirmative
Manitoba Hydro is voting affirmative but would like to point out the following issues:
-Attachment 1: The term ‘Transmission Facilities’ used in Attachment 1 is capitalized,
but it is not a defined term in the NERC glossary. The drafting team should clarify
what is meant by ‘Transmission Facilities’ and remove the capitalization.
The DSR SDT has reviewed the NERC Glossary of Terms and notes that Transmission
and Facilities are both defined. The combination of these two definitions is what
the DSR SDT has based the applicability of “Transmission Facilities” in Attachment 1.
Attachment 2: The inclusion of ‘fuel supply emergency’ in Attachment 2 creates
confusion as it infers that reporting a ‘fuel supply emergency’ may be required by the
standard even though it is not listed as a reportable event in Attachment 1. On a
similar note, it is not clear what the drafting team is hoping to capture by including a
checkbox for ‘other’ in Attachment 2.
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2.
Response: Thank you for your comment. Please see response above.
Oncor Electric Delivery
Affirmative
NERC's Event Analysis Program tends to parallel many of the reporting requirements
as outlined in EOP-004 Version 2. Oncor recommends that NERC consider ways of
streamlining the reporting process by either incorporating the Event Analysis
obligations into EOP-004-2 or reducing the scope of the Event Analysis program as
currently designed to consist only of "exception" reporting.
The reporting of events as required in EOP-004 is the input to the Events Analysis
Program. Events are reported to the ERO and the EAP will follow up as per the EAP
processes and procedures.
Response: Thank you for your comment. Please see response above.
City Utilities of Springfield,
Missouri
Affirmative
SPRM supports the comments from SPP.
Response: Thank you for your comment. Please see response to comments from SPP.
Kootenai Electric Cooperative
Affirmative
The changes are an improvement over the existing standards.
Response: Thank you for your comment.
Empire District Electric Co.
Affirmative
We agree with the comments provided by SPP
Response: Thank you for your comment. Please see response to SPP comments.
Lakeland Electric
Negative
1. Further clarity is needed. For example the standard stipulates in R1.3 ". .as
appropriate." Who deems what is appropriate? Also in R1.4 ". .other circumstances"
is open to interpretation.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is
to define its process for reporting and with whom to communicate events to as
stated in the entity’s Operating Plan.
Requirement R1, Part 1.4 was removed from the standard
2. Remove paragraph 1 of the data retention section as it parrots the Rules of
Procedure, Appendix 4C: Compliance Monitoring and Enforcement Program, Section
3.1.4.2. Possibly place a pointer to the CMEP in the data retention section.
The item in question is standard boilerplate language that is being placed in all NERC
standards.
Response: Thank you for your comment. Please see response above.
CPS Energy
Negative
o R1.4: CPS Energy believes that “updating the Operating Plan within 90 calendar
days of any change...” is a very burdensome compliance documentation
requirement.
Requirement R1, Part 1.4 was removed from the standard.
o Attachment 1: Events Table: In DOE OE-417 local electrical systems with less than
300MW are excluded from reporting certain events since they are not significant to
the BES. CPS Energy believes that the benefit of reporting certain events on systems
below this value would outweigh the compliance burden placed on these small
systems.
Upon review of the DOE OE 417, it states “Local Utilities in Alaska, Hawaii, Puerto
Rico, the U.S. Virgin Islands, and the U.S. Territories - If the local electrical system is
less than 300 MW, then only file if criteria 1, 2, 3 or 4 are met”. Please be advised
this exception applies to entities outside the continental USA.
Response: Thank you for your comment. Please see response above.
Lakeland Electric
Negative
An issue of possible differences in interpretation between entities and compliance
monitoring and enforcement is the phrase in 1.3 that states “the following as
appropriate”. Who has the authority to deem what is appropriate?
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is
to define its process for reporting and with whom to communicate events to as stated
in the entity’s Operating Plan.
Response: Thank you for your comment. Please see response above.
Dynegy Inc.; Southern Illinois
Power Coop.; Louisville Gas
and Electric Co.
Negative
Comments submitted as part of the SERC OC; I agree with the comments of the SERC
OC Standards Review group that have been provided to NERC.; We are a signatory to
the SERC OC RRG comments filed last week.
Response: Thank you for your comment. Please see response to the SERC OC RRG comments.
Hydro One Networks, Inc.
Negative
First and foremost we are not supportive of continuance of standards that are not
"results based". Standards written to gather data, make reports etc. should not be
written. There should be other processes for reporting in place that will not be
subject to ERO oversight and further compliance burdens.
The DSR SDT has been following the guidance set by NERC to write a “results based”
standard. As with any process there may be many different ways to achieve the
same outcome. The NERC Quality Process has not indicated any request to update
this Standard, concerning the Results Based Standard format.
o We are disappointed that the standard does not appear to reduce reporting
requirements nor does it promote more efficient reporting. We encourage the SDT
to take a results based approach and coordinate and reduce reporting through
efficiencies between the various agencies and NERC.
The DSR SDT is staying within scope of the approved SAR and will be forwarding your
concern of efficiencies between various agencies and NERC.
o The Purpose statement is very broad, and “...by requiring the reporting of events
with the potential to impact reliability and their causes...” on the Bulk Electric System
it can be said that every event occurring on the Bulk Electric System would have to
be reported. There is already an event analysis process in place. Could this reporting
be effectively performed in that effort?
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting
of events by Responsible Entities.”
o The standard prescribes different sets of criteria, and forms.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as, the EAWG’s requirements were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
o There should be one recipient of event information. That recipient should be a
“clearinghouse” to ensure the proper dissemination of information.
The DSR SDT is proposing revisions to the NERC Rules of Procedure that address your
comment:
812. NERC Reporting Clearinghouse
NERC will establish a system to collect report forms as established for this section or
standard, from any Registered Entities, pertaining to data requirements identified in
Section 800 of this Procedure. Upon receipt of the submitted report, the system shall
then forward the report to the appropriate NERC departments, applicable regional
entities, other designated registered entities, and to appropriate governmental, law
enforcement, regulatory agencies as necessary. This can include state, federal, and
provincial organizations.
o Why is this standard applicable to the ERO?
The ERO is applicable to CIP-008 and therefore is applicable to this proposed
Standard.
Response: Thank you for your comment. Please see response above.
FirstEnergy Corp., FirstEnergy
Energy Delivery, FirstEnergy
Solutions, Ohio Edison
Company
Negative
FirstEnergy appreciates the hard work of the drafting team and believes it has made
great improvements to the standards. However, we must vote negative at this time
until a few issues are clarified per our comments submitted through the formal
comment period.
Response: Thank you for your comment. Please see response to your other comments.
Lakeland Electric
Negative
In general; there has not been sufficient prudency review for the standard, especially
R1, to justify a performance based standard around a Frequency Response Measure
Based on your short comment, Requirement 1 has been modified as requested by
stakeholders. The DSR SDT cannot answer the issue of Frequency Response Measures
since it is not within the scope of the SAR.
Response: Thank you for your comment. Please see response above.
Northeast Power Coordinating
Council
Negative
NPCC believes that further revision of the standard is necessary so is not able to
support the VSLs at this time. Comments to the standard will be made in the formal
comment period.
Response: Thank you for your comment. Please see responses to your other comments.
Central Lincoln PUD; Blachly-Lane Electric Co-op; Central
Electric Cooperative, Inc.
(Redmond, Oregon);
Clearwater Power Co.;
Consumers Power Inc.; Coos-Curry Electric Cooperative,
Inc; Fall River Rural Electric
Cooperative; Lane Electric
Cooperative, Inc.; Northern
Lights Inc.; Pacific Northwest
Generating Cooperative; Raft
River Rural Electric
Cooperative; Umatilla Electric
Cooperative; West Oregon
Electric Cooperative, Inc.;
Cowlitz County PUD
Negative
Please see comments submitted by the Pacific Northwest Small Public Power Utility
Comment Group.
Response: Thank you for your comment. Please see responses to comments of the Pacific Northwest Small Public Power Utility
Comment Group.
Rochester Gas and Electric
Corp.
Negative
RG&E supports comments to be submitted to NPCC.
New Brunswick System
Operator
Negative
See comments submitted by the NPCC Reliability Standards Committee and the IRC
Standards Review Committee.
Florida Municipal Power Pool
Negative
See FMPA's comments
Response: Thank you for your comment. See responses to those comments.
Commonwealth of
Massachusetts Department of
Public Utilities
Negative
Standards written to gather data, make reports etc. should not be written. There
should be other processes for reporting in place that will not be subject to ERO
oversight and further compliance burdens.
FERC Order 693 section 617 states “…the Commission directs the ERO to develop a
modification to EOP-004-1 through the reliability Standards development process that
includes any Requirement necessary for users, owners, and operators of the Bulk-Power
System to provide data…”. In order for entities to provide data they are
required to implement their Operating Plan. EOP-004-2 will satisfy this FERC directive.
Response: Thank you for your comment. Please see response above.
Hydro One Networks, Inc.
Negative
Suggested key concepts for the SDT consideration in this standard:
• Develop a single form to report disturbances and events that threaten the
reliability of the bulk electric system
• Investigate other opportunities for efficiency, such as development of an
electronic form and possible inclusion of regional reporting requirements
• Establish clear criteria for reporting
The DSR SDT has only provided one form within this proposed Standard, please see
Attachment 2. Based on stakeholder feedback, the DSR SDT has allowed
stakeholders to use the DOE Form OE 417. Please note that not every Stakeholder in
NERC wishes to use the DOE Form OE 417.
• Establish consistent reporting timelines
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
• Provide clarity around who will receive the information and how it will be used
• Explore other opportunities beside a standard to effectively achieve the same
outcome. Standards should be strictly results based, whose purpose is to achieve an
adequate level of reliability on the BES.
The DSR SDT has clearly stated who will receive the information: Part 1.3 (now Part 1.2)
was revised to add clarifying language by eliminating the phrase “as appropriate” and
indicating that the Responsible Entity is to define its process for reporting and with
whom to report events. Part 1.2 now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
The information received will be mainly used for situational awareness and other
processes.
Response: Thank you for your comment. Please see response above.
Orlando Utilities Commission
Negative
The contemporaneous drafting efforts related to both the proposed Bulk Electric
System ("BES") definition changes, as well as the CIP standards Version 5, could
significantly impact the EOP-004-2 reporting requirements. Caution needs to be
exercised when referencing these definitions, as the definitions of a BES element
could change significantly and Critical Assets may no longer exist. As it relates to the
proposed reporting criteria, it is debatable as to whether or not the destruction of,
for example, one relay would be a reportable incident under this definition going
forward given the current drafting team efforts.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
James A Maenner
Negative
The information in section “5 Background” should be moved from the standard to a
supporting document.
The DSR SDT will refer to guidance within the Standards Development process on the
proper place to maintain Background information.
The reporting exemption language for weather in the Note on Attachment 1 - Events
Table should be included in R3, not just a note.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
The “Guideline and Technical Basis”, last 3 pages, should be moved from the
standard to a supporting document.
The Guideline and Technical Basis section is a part of the Results-Based Standard
format and the information contained in it is in the correct place.
Response: Thank you for your comment. Please see response above.
Kansas City Power & Light Co.
Negative
The proposed Standard is in need of additional work to complete the Attachment 1,
complete the VSL's, and clarify language and content within the proposed standard.
The DSR SDT has reviewed and revamped all Requirements and both Attachments
based on stakeholders' feedback. This will provide clarity for entities to follow.
Response: Thank you for your comment. Please see response above.
SERC Reliability Corporation
Negative
The purpose of the standard "To improve industry awareness and the reliability of
the Bulk Electric System by requiring the reporting of events with the potential to
impact reliability and their causes, if known, by the Responsible Entities" has not
been achieved as written. There is the potential for the information and data
contemplated by this standard to be useful in achieving the stated purpose through
follow-on activities of the industry, the regions, and NERC. However, as drafted,
Attachment 1 will inform the ERO of the existence of only a portion of the "events
with the potential to impact reliability and their causes, if known".
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
Events listed in Appendix E to the ERO Event Analysis Process document should be
incorporated into the standard instead of hardwiring inconsistency by requiring a
different set of events. Alternatively, the SDT should explore deleting Attachment 1
and instead referencing the ERO Event Analysis process (which as a learning
organization will have systematic changes to the reporting thresholds over time). At
first this may seem contrary to the SDT objective of eliminating fill-in-the-blank
aspects of the existing standard but the SDT should explore the Commission's
willingness to accept a reference document for reporting thresholds. Additionally, it
is unclear how NERC's role as the ES-ISAC is supported through the requirements of
this reliability standard. It appears to undermine the ability of NERC (ES-ISAC) to be
made timely aware of threats to the critical infrastructure--at odds with its purpose.
Thus, this draft does not achieve the elimination of redundant reporting envisioned
in the SAR, nor does it achieve the objective of supporting NERC in the analysis of
disturbances or blackouts.
The DSR SDT is following NERC’s ANSI approved process for standards development.
The ERO Events Analysis process does not have the framework as required by the
ANSI development process. Within this proposed Standard, when an Attachment 1
event is recognized, the ERO (which is the ES-ISAC) will be one of the first to be
notified, as will the entity’s Reliability Coordinator. This will enhance situational
awareness as per the entity’s Operation Plan and this Standard.
FERC Order 693 section 617 states “…the Commission directs the ERO to develop a
modification to EOP-004-1 through the reliability Standards development process
that includes any Requirement necessary for users, owners, and operators of the
Bulk-Power System to provide data…”. In order for entities to provide data they are
required to implement their Operating Plan. EOP-004-2 will satisfy this FERC
directive.
Response: Thank you for your comment. Please see response above.
Tucson Electric Power Co.
Negative
The tie between an Operating Plan and reportable disturbance events is not clear.
Being the exception, I feel that a reportable disturbance methodology should be part
of an Emergency Operating Plan.
EOP-004-2 provides Applicable Entities with the minimum report requirements for
events contained in Attachment 1. NERC has defined Operating Plan in part as: "A
document that identifies a group of activities that may be used to achieve some goal.
An Operating Plan may contain Operating Procedures and Operating Processes.” An
entity may include a reportable disturbance methodology within their Operating Plan
since this Standard does not preclude it.
Response: Thank you for your comment. Please see response above.
United Illuminating Co.
Negative
The VSL table is mistyped. R2 lists 1.1 and 1.5. R4 VRF should be lower.
Requirement R4 (now R3) calls for conducting an annual test of the communications
process in Requirement 1, Part 1.2. It is not strictly administrative in nature and
therefore does not meet the VRF guideline for a Lower VRF.
Response: Thank you for your comment. Please see response above.
PSEG Energy Resources &
Trade LLC, PSEG Fossil LLC,
Public Service Electric and Gas
Co.
Negative
There are several items that need clarification. See PSEG's separately provided
comments.
Response: Thank you for your comment. Please see response to your other comments.
Kansas City Power & Light Co.
Negative
There is no VSL for R4.
The VSL for Requirement R4 was inadvertently redlined in the redline version of the
standard, but it was present in the clean version.
Response: Thank you for your comment. Please see response above.
Ameren Services
Negative
We believe that these [VRFs and VSLs] will change as we expect some changes in the
draft standard.
Response: Thank you for your comment.
New York State Department
of Public Service
Negative
While the proposed standard consolidates many reporting requirements, the
requirement that any event with the "potential to impact reliability" be reported is
overly broad and will prove to be burdensome and distracting to system operations.
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
Response: Thank you for your comment. Please see response above.
Springfield Utility Board
o The Draft 3 Version History still lists the term “Impact Event” instead of “Event”.
This has been corrected.
o Draft 3 of EOP-004-2 - Event Reporting does not provide a definition for the term
“Event” nor does the NERC Glossary of Terms Used in Reliability Standards. SUB
recommends that “Event” be listed and defined in “Definitions and Terms Used in
the Standard” as well as the NERC Glossary, providing a framework and giving
guidance to entities for how to determine what should be considered an “Event” (ex:
sabotage, unusual occurrence, metal theft, etc.).
The DSR SDT has reviewed this issue and has changed “Event” to “event”.
Attachment 1 contains each reportable ‘event’.
Response: Thank you for your comment. Please see response above.
Northeast Utilities
- Incorporate NERC Event Analysis Reporting into this standard. Make the
requirements more specific to functional registrations as opposed to having
requirements applicable to “Responsible Entities”. - The description of a Transmission
Loss Event in A
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as, the EAWG’s requirements were considered in creating
Attachment 1. The DSR SDT has reviewed and reworded “Entities with Reporting
Responsibilities” to require the minimum amount of entities who will be required to
report each event.
Response: Thank you for your comment. Please see response above.
Progress Energy
(1) Attachment 1 lists “Destruction of BES Equipment” as a reportable event but then
lists “equipment failure” as one of several thresholds for reporting, with a one hour
time limit for reporting. It is simply not common sense to think of the simple failure
of a single piece of equipment as “destruction of BES equipment”. Does the
standard really expect that every BES equipment failure must be reported within one
hour, regardless of cause or impact to BES reliability? What is the purpose of such
extensive reporting?
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
(2) The same comment as (1) above is applicable to the “Damage or destruction of
Critical Asset” because one threshold is simple “equipment failure” as well.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
(3) Footnote 2 (page 20) says copper theft is not reportable “unless it effects the
reliability of the BES”, but footnote 1 on the same page says copper theft is
reportable if “it degrades the ability of equipment to operate properly”. In this
instance, the proposed standard provides two different criteria for reporting one of
the most common events on the same page.
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “A physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
(4) Forced Intrusion must be reported if “you cannot determine the likely
motivation”, and not based on a conclusion that the intent was to commit sabotage
or intentional damage. This would require reporting many theft related instances of
cut fences and forced doors (including aborted theft attempts where nothing is
stolen) which would consume a great deal of time and resources and accomplish
nothing. This criteria is exactly the opposite of the existing philosophy of only
reporting events if there is an indication of an intent to commit sabotage or cause
damage.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
(5) “Risk to BES equipment...from a non-environmental physical threat” is reportable,
but this is an example of a vague, open ended reporting requirement that will either
generate a high volume of unproductive reports or will expose reporting entities to
audit risk for not reporting potential threats that could have been reported. The
standard helpfully lists train derailments and suspicious devices as examples of
reportable events.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
The existing CAN for CIP-001 (CAN-0016) is already asking for a list of events that
were analyzed so the auditors can determine if a violation was committed due to
failure to report. I can envision the CAN for this new standard requiring a list of all
“non-environmental physical threats” that were analyzed during the audit period to
determine if applicable events were reported. This could generate a great deal of
work simply to provide audit documentation even if no events actually occur that are
reportable. It would also be easy for an audit team to second guess a decision that
was made by an entity not to report an event (what is risk?...how much risk was
present due to the event?...). Also, the reporting for this vague criteria must be
done within one hour. Any event with a one hour reporting requirement should be
crystal clear and unambiguous.
The DSR SDT has reworded and updated Attachment 1 per comments received and
believes that the language used obviates the need for CAN-016. CAN-0016 has been
remanded.
(6) “Transmission Loss...of three or more Transmission Facilities” is reportable.
“Facility” is a defined term in the NERC Glossary, but “Transmission Facility” is not a
defined term, which will lead to confusion when this criteria is applied. This
requirement raises many confusing questions. What if three or more elements are
lost due to two separate or loosely related events - is this reportable or not? What
processes will need to be put in place to count elements that are lost for each event
and determine if reporting is required? Why must events be reported that fit an
arbitrary numerical criteria without regard to any material impact on BES reliability?
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
Both Transmission and Facilities are defined terms and the DSR SDT feels this gives
sufficient direction.
Response: Thank you for your comment. Please see response above.
MRO NSRF
The MRO NSRF wishes to thank the SDT for incorporating changes that the industry
had with reporting time periods and aligning this with the Events Analysis Working
Group and Department of Energy’s OE 417 reporting form.
Response: Thank you for your comment.
FirstEnergy
1. Attachment 1 - Regarding the 1st event listed in the table, “Destruction of BES
Equipment” and its accompanying Footnote 1, we believe that this event should be
broken into two separate events that incorporate the specifics in the footnote as
follows: a. “Destruction of BES equipment that is associated with an IROL per FAC-014-2.”
Regarding the 1st event we have proposed - We have proposed this be
made specific to IROL as stated in Footnote 1 part i. Also, we believe that only the RC
and TOP would have the ability to quickly determine and report within 1 hour if the
destruction is associated with an IROL. The other entities listed would not necessarily
know if the event affects an IROL. Therefore, we also propose that the Entities with
Reporting Responsibilities (column 2) be revised to only include the RC and TOP.
The DSR SDT agrees with your comment and made the following changes:
‘Threshold for Reporting’ column in the ‘Damage or Destruction’ event category. The
updated Threshold for Reporting now reads as:
“Damage or destruction of a Facility that:
• Affects an IROL (per FAC-014)
OR
• Results in the need for actions to avoid an Adverse Reliability Impact
OR
• Results from intentional human action.”
b. "Destruction of BES equipment that removes the equipment from service.”
Regarding the 3rd event we have proposed - We have proposed this be made
specific to destruction of BES equipment that removes the equipment from service
as stated in Footnote 1 part iii. Also, the other part of footnote 1 part iii which states
“Damaged or destroyed due to intentional or unintentional human action” is not
required since it is covered in the threshold for reporting. Also the term “Damaged”
in this part iii is not appropriate since these events are limited to equipment that has
been destroyed. We also propose that the Entities with Reporting Responsibilities
(column 2) for this event would remain the same as it states now since any of those
entities may observe out of service BES equipment. Regarding part ii of footnote 1,
we do not believe that this event needs to be separated. Regarding the phrase
“significantly affects the reliability margin of the system be clarified so that it is not
left up to the entity to interpret a “significant” affect. Lastly, since we have
incorporated parts i and iii into the two separate events and removed part ii as
proposed above, the only statement that needs to be left in the Footnote 1 is: “Do
not report copper theft from BES equipment unless it degrades the ability of
equipment to operate correctly (e.g., removal of grounding straps rendering
protective relaying inoperative).”
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “Any physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
2. Attachment 1 - We ask that the team add an “Event #” column to the table so that
each of the events listed can be referred to by #, such as Event 1, Event 2, etc.
The DSR SDT believes that the minimum reporting attributes are contained in
Attachment 1.
3. Attachment 1 - Event titled “Damage or destruction of a Critical Cyber Asset per
CIP-002”, the proposed threshold for reporting seems incomplete. We suggest the
threshold for this event match the threshold for the Critical Asset event which states:
“Initial indication the event was due to operational error, equipment failure, external
cause, or intentional or unintentional human action.”
4. Attachment 1 - Events titled
“Damage or destruction of a Critical Assets per CIP-002” and “Damage or destruction
of a Critical Cyber Asset per CIP-002” seem ambiguous due to the term “damage”.
We suggest removal of “damage” or clarity as to what is considered a damaged
asset.
5. VSL Table - Instead of listing every entity, it may be more efficient to simply
say “The Responsible Entity” in the VSL for each requirement.
6. Guideline and
Technical Basis section - This section does not provide guidance on each of the
requirements of the standard. We suggest the team consider adding guidance for the
requirements.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
Southwest Power Pool
Regional Entity
1. EOP-004-2 R1.4 states entities must update their Operating Plans within 90
calendar days of incorporating lessons learned pursuant to R3. However, neither R3
nor Attachment 1 include a timeline for incorporating lessons learned. It is unclear
when the “clock starts” on incorporating improvements or lessons learned. Within
90 days of what? 90 days of the event? 90 days from when management approved
the lesson learned? Auditors need to know the trigger for the 90-day clock.
Requirement R1, Part 1.4 was removed from the standard.
2. The Event Analysis classification includes Category 1C “failure or misoperation of
the BPS SPS/RAS”. This category is not included in EOP-004-2’s Attachment 1. This
event, “failure or misoperation of the BPS SPS/RAS”, needs to either be added to
Attachment 1 or removed from the Event Analysis classification. It is important that
EOP-004-2 Attachment 1 and the Event Analysis categories match up.
Thank you for your work on this standard.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
Independent Electricity
System Operator
1. Measures M1, M2 and M3: Suggest to achieve consistent wording among them by
saying the leading part to “Each Responsible Entity shall provide....”
The DSR SDT is following the guidance within the Standards Development process on
the wording pertaining to items outside the realm of a requirement.
2. In our comments on the previous version, we suggested the SDT to review the
need to include IA, TSP and LSE for some of the reporting requirements in
Attachment 1. The SDT responded that it had to follow the requirements of the
standards as they currently apply. Since these entities are applicable to the
underlying standards identified in Attachment 1, they will be subject to reporting.
We accept this rationale. However, the revised Attachment 1 appears to be still
somewhat discriminative on who needs to report an event. For example, the event
of “Detection of a reportable Cyber Security Incident” (6th row in the table) requires
reporting by a list of responsible entities based on the underlying requirements in
CIP-008, but the list does not include the IA, TSP and LSE. We again suggest the SDT
to review the need for listing the specific entities versus leaving it general by saying:
“Applicable Entities under CIP-008” for this particular item, and review and establish
a consistent approach throughout Attachment 1.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008.
3. VSLs: a. Suggest to not list all the specific entities, but replace them with “Each
Responsible Entity” to simplify the write-up which will allow readers to get to the
violation condition much more quickly. b. For R1, it is not clear whether the
conditions listed under the four columns are “OR” or “AND”. We believe it means
“OR”, but this needs to be clarified in the VSL table.
4. The proposed implementation
plan conflicts with Ontario regulatory practice respecting the effective date of the
standard. It is suggested that this conflict be removed by appending to the
implementation plan wording, after “applicable regulatory approval” in the Effective
Dates Section on P. 2 of the draft standard and P. 1 of the draft implementation plan,
to the following effect: “, or as otherwise made effective pursuant to the laws
applicable to such ERO governmental authorities.”
The DSR SDT is following the guidance within the Standards Development process on
the wording pertaining to items outside the realm of a requirement.
Response: Thank you for your comment. Please see response above.
NRECA
1. Please ensure that the work of the SDT is done in close coordination with Events
Analysis Process (EAP) work being undertaken by the PC/OC and BOT, and with any
NERC ROP additions or modifications. NRECA is concerned that the EAP work being
done by these groups is not closely coordinated even though their respective work
products are closely linked -- especially since the EAP references information in EOP-004.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
2. The SDT needs to be consistent in its use of "BES" and "BPS" - both acronyms are
used throughout the SDT documents. NRECA strongly prefers the use of "BES" since
that is what NERC standards are written for.
The DSR SDT has used BES within EOP-004-2. All references to BPS have been
removed.
3. Under “Purpose” section of standard, 3rd line, add “BES” between “impact” and
“reliability.” Without making this change the "Purpose" section could be
misconstrued to refer to reliability beyond the BES.
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
4. In the Background section there is reference to the Events Analysis Program. Is
that the same thing as the Events Analysis Process? Is it something different? Is it
referring to a specific department at NERC? Please clarify in order to reduce
confusion. Also in the Background section there is reference to the Events Analysis
Program personnel. Who is this referring to -- NERC staff in a specific department?
Please clarify.
The DSR SDT was explaining that the DSR SDT and has been coordinating with the
“Events Analysis Working Group”.
5. In M1 please be specific regarding what “dated” means.
This is a common term used with many NERC Standards and simply means that your
evidence is dated and time stamped.
6. In M3 please make it clear that if there wasn’t an event, this measure is not
applicable
The DSR SDT has not implied that Applicable Entities need to prove that something
did not happen.
7. In R4 it is not clear what “verify” means. Please clarify.
R4 (now R3) was revised to remove “verify”
R3. Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2.
8. In Attachment 1 there are references to Critical Asset and Critical Cyber Asset.
These terms will likely be eliminated from the NERC Glossary of Terms when CIP V5
moves forward and is ultimately approved by FERC. This could create future
problems with EOP-004 if CIP V5 is made effective as currently drafted.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008.
9. In Attachment 1 the one hour timeframe for submitting data for the first 7 items
listed is very tight. Other than being required by the DOE OE-417 form, NRECA
requests that the SDT provide further support for this timeframe. If there are not
distinct reasons why 1 hour is the right timeframe for this, then other timeframes
should be explored with DOE.
The DSR SDT also received many comments regarding the various events of
Attachment 1. Many commenters questioned the reliability benefit of reporting
events to the ERO and their Reliability Coordinator within 1 hour. Most of the events
with a one hour reporting requirement were revised to 24 hours based on stakeholder
comments as well as those types of events are currently required to be reported
within 24 hours in the existing mandatory and enforceable standards. The only
remaining type of event that is to be reported within one hour is “A reportable Cyber
Security Incident” as it is required by CIP-008.
FERC Order 706, paragraph 673 states: “…each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but, in any event within one hour of the event…”
Note that members of NRECA may be required to submit the DOE Form OE 417, and
this agency’s reporting requirements are not within scope of the project.
10. While including Footnote 1 is appreciated, NRECA is concerned that this footnote
will create confusion in the compliance and audit areas and request the SDT to
provide more definitive guidance to help explain what these "Events" refer to.
NRECA has the same comment on Footnote 2 and 3. Specifically in Footnote 3, how
do you clearly determine and audit from a factual standpoint something that “could
have damaged” or “has the potential to damage the equipment?”
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “A physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
11. In the Guideline and Technical Basis section, in the 1st bullet, how do you
determine, demonstrate and audit for something that “may impact” BES reliability?
This statement has been removed per comments received.
12. On p. 28, first line, this sentence seems to state that NERC, law enforcement and
other entities - not the responsible entity - will be doing event analysis. My
understanding of the current and future Event Analysis Process is that the
responsible entity does the event analysis. Please confirm and clarify.
EOP-004-2 requires Applicable Entities to “report” and “communicate” as stated in
Requirement 1, Part 1.2: “A process for communicating each of the applicable events
listed in EOP-004 Attachment 1 in accordance with the timeframes specified in
EOP-004 Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
The Event Analysis Program may use a reported event as a basis to analyze an event.
The processes of the Event Analysis Program fall outside the scope of this project, but
the DSR SDT has collaborated with them on events contained in Attachment 1.
The Standard does not require the Applicable Entity to analyze a reported event.
Response: Thank you for your comment. Please see response above.
Exelon
1. Please replace the text “Operating Plan” with procedure(s). Many companies have
procedure(s) for the reporting and recognition of sabotage events. These
procedures extend beyond operating groups and provide guidance to the entire
company.
Thank you for your comment. The DSR SDT intends on keeping “Operating Plan”
within EOP-004-2 since NERC has it defined as:
“A document that identifies a group of activities that may be used to achieve some goal.
An Operating Plan may contain Operating Procedures and Operating Processes. A
company-specific system restoration plan that includes an Operating Procedure for
black-starting units, Operating Processes for communicating restoration progress with
other entities, etc., is an example of an Operating Plan”. As stated, the Operating Plan
may contain Operating procedures or Operating Processes. This will give Applicable
Entities the greatest flexibility in achieving compliance with this Standard.
2. The Loss of Off-site power event criteria is much improved from the last draft of
EOP 004-2; however, some clarification is needed to more accurately align with NERC
Standard NUC-001 in both nomenclature and intent. Specifically, as Exelon has
previously commented, there are many different configurations supplying offsite
power to a nuclear power plant and it is essential that all configurations be
accounted for. As identified in the applicability section of NUC-001 the applicable
transmission entities may include one or more of the following (TO, TOP, TP, TSP, BA,
RC, PC, DP, LSE, and other non-nuclear GO/GOPs). Based on the response to
previous comments submitted for Draft 2, Exelon understands that the DSR SDT
evaluated the use of the word “source” but dismissed the use in favor of “supply”
with the justification “[that] ‘supply’ encompasses all sources”. Exelon again
suggests that the word “source” is used as the event criteria in EOP-004-2 as this
nomenclature is commonly used in the licensing basis of a nuclear power plant. By
revising the threshold criteria to “one or more” Exelon believes the concern the DSR
SDT noted is addressed and ensures all sources are addressed. In addition, by
revising the threshold for reporting to a loss of “one or more” will ensure that all
potential events (regardless of configuration of off-site power supplies) will be
reported by any applicable transmission entity specifically identified in the nuclear
plant site specific NPIRs.
As previously suggested, Exelon again proposes that the loss
of an off-site power source be revised to an “unplanned” loss to account for planned
maintenance that is coordinated in advance in accordance with the site specific
NPIRs and associated Agreements. This will also eliminate unnecessary reporting for
planned maintenance.
Although the loss of one off-site power source may not result
in a nuclear generating unit trip, Exelon agrees that an unplanned loss of an off-site
power source regardless of impact should be reported within the 24 hour time limit
as proposed. Suggest that the Loss of Offsite power to a nuclear generating plant
event be revised as follows:
Event: Unplanned loss of any off-site power source to a Nuclear Power Plant
Entity with Reporting Responsibility: The applicable
Transmission Entity that owns and/or operates the off-site power source to a
Nuclear Power Plant as defined in the applicable Nuclear Plant Interface
Requirements (NPIRs) and associated Agreements.
Threshold for Reporting:
Unplanned loss of one or more off-site power sources to a Nuclear Power Plant per
the applicable NPIRs.
Based on comments received, this event has been updated within Attachment 1 to
read as:
“Complete loss of off-site power to a nuclear generating plant (grid supply)”.
3. Attachment 1 Generation loss event criteria
Generation loss
The ≥ 2000 MW/≥ 1000 MW generation loss criteria do not provide a time threshold or
location criteria. If the 2000 MW/1000 MW is intended to be from a combination of
units in a single location, what is the time threshold for the combined unit loss? For
example, if a large two unit facility in the Eastern Interconnection with an aggregate
full power output of 2200 MW (1100 MW per unit) trips one unit (1100 MW) [T=0
loss of 1100 MW] and is ramping back the other unit from 100% power and 2 hours
later the other unit trips at 50% power [550 MW at time of trip]. The total loss is
2200 MW; however, the loss was sustained over a 2 hour period. Would this
scenario require reporting in accordance with Attachment 1? What if it happened in
15 minutes? 1 hour? 24 hours? Exelon suggests the criteria revised to include a time
threshold for the total loss at a single location to provide this additional guidance to
the GOP (e.g., within 15 minutes to align with other similar threshold conditions).
Threshold for Reporting
• ≥ 2,000 MW unplanned total loss at a single location within 15 minutes for
entities in the Eastern or Western Interconnection
• ≥ 1000 MW unplanned total loss at a single location within 15 minutes for
entities in the ERCOT or Quebec Interconnection
The DSR SDT has not modified this event since it is being maintained as it is presently
enforceable within EOP-004-1.
4. Exelon appreciates that the DSR SDT has added the NRC to the list of Stakeholders
in the Reporting Process, but does not agree with the SDT response to FirstEnergy’s
comment to Question 17 [page 206] that stated “NRC requirements or comments fall
outside the scope of this project.” Quite the contrary, this project should be
communicated and coordinated with the NRC to eliminate confusion and duplicative
reporting requirements. There are unique and specific reporting criteria and
coordination that is currently in place with the NRC, the FBI and the JTTF for all
nuclear power plants. If an event is in progress at a nuclear facility, consideration
should be given to coordinating such reporting as to not duplicate effort, introduce
conflicting reporting thresholds, or add unnecessary burden on the part of a nuclear
GO/GOP whose primary focus is to protect the health and safety of the public during
a potential radiological sabotage event (as defined by the NRC) in conjunction with
potential impact to the reliability of the BES.
The DSR SDT has established a minimum amount of reporting for events listed in
Attachment 1. The NRC does not fall under the jurisdiction of NERC and so therefore
it is not within scope of this project.
5. Attachment 1 Detection of a reportable Cyber Security Incident event criteria. The
threshold for reporting is “that meets the criteria in CIP-008”. If an entity is exempt
from CIP-008, does that mean that this reportable event is therefore also not
applicable in accordance with EOP-004-2 Attachment 1?
If an entity is exempt from CIP-008, then they do not have to report this type of event.
Entities can report any situation at anytime to whomever they wish. If an entity is
responsible for items that fall under a Cyber Security Incident, then they would report
per this standard.
Response: Thank you for your comment. Please see response above.
Duke Energy
1. Reporting under EOP-004-2 should be more closely aligned with Events Analysis
Reporting.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
2. Attachment 1 - Under the column titled “Entity with Reporting Responsibility”,
several Events list multiple entities, using the phrase “Each RC, BA, TO, TOP, GO,
GOP, DP that experiences...” or a similar phrase requiring that multiple entities
report the same event. We believe these entries should be changed so that multiple
reports aren’t required for the same event.
The DSR SDT agrees that there may be some dual reporting for the same event. The
minimum Applicable Entities have been reviewed and updated where updates could be
made. The DSR SDT believes that a dual report will provide a clearer picture of the
breadth and depth of an event to the Electric Reliability Organization and the Applicable
Entity’s Reliability Coordinator.
3. Attachment 1 - The phrase “BES equipment” is used several times in the Events
Table and footnotes to the table. “Equipment” is not a defined term and lacks
clarity. “Element” and “Facility” are defined terms. Replace “BES equipment” with
“BES Element” or “BES Facility”.
The DSR SDT has removed the term “equipment” from Attachment 1 per comments
received.
4. Attachment 1 - The Event “Risk to BES equipment” is unclear, since some amount
of risk is always present. Reword as follows: “Event that creates additional risk to a
BES Element or Facility.”
The DSR SDT has removed this event from Attachment 1. Several stakeholders
expressed concerns relating to the “Forced Intrusion” event. Their concerns related to
ambiguous language in the footnote. The DSR SDT discussed this event as well as the
event “Risk to BES equipment”. These two event types had overlap in the perceived
reporting requirements. The DSR SDT removed “Forced Intrusion” as a category and the
“Risk to BES equipment” event was revised to “A physical threat that could impact the
operability of a Facility”.
5. Attachment 1 - The Threshold for Reporting Voltage deviations on BES Facilities is
identified as “+ 10% sustained for > 15 continuous minutes.” Need to clarify + 10%
of what voltage? We think it should be nominal voltage.
A sustained voltage deviation of ± 10% on the BES is a significant deviation and is
indicative of a shortfall of reactive resources either pre- or post-contingency. The DSR
SDT is indifferent to which of nominal, pre-contingency, or scheduled voltage is used
as the baseline, but for simplicity and to promote a common understanding suggests
using nominal voltage.
6. Attachment 1 - Footnote 1 contains the phrase “has the potential to”. This phrase
should be struck because it creates an impossibly broad compliance responsibility.
Similarly, Footnote 3 contains the same phrase, as well as the word “could” several
times, which should be changed so that entities can reasonably comply.
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “A physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
7. Attachment 1 - The “Unplanned Control Center evacuation” Event has the word
“potential” in the column under “Entity with Reporting Responsibility”. The word
“potential” should be struck.
8. Attachment 2 - Includes “fuel supply emergency”,
which is not listed on Attachment 1.
The DSR SDT has removed the word “potential” from this event. It now reads as:
“Each RC, BA, TOP that experiences the event”
Response: Thank you for your comment. Please see response above.
Energy Northwest - Columbia
1. The Loss of Off-site power event criteria is much improved from the last draft of
EOP 004-2; however, some clarification is needed to more accurately align with NERC
Standard NUC-001 in both nomenclature and intent. Specifically, there are many
different configurations supplying offsite power to a nuclear power plant and it is
essential that all configurations be accounted for. As identified in the applicability
section of NUC-001 the applicable transmission entities may include one or more of
the following (TO, TOP, TP, TSP, BA, RC, PC, DP, LSE, and other non-nuclear
GO/GOPs). Based on the response to previous comments submitted for Draft 2,
Energy Northwest understands that the DSR SDT evaluated the use of the word
“source” but dismissed the use in favor of “supply” with the justification “[that]
‘supply’ encompasses all sources”. Energy Northwest suggests that the word
“source” is used as the event criteria in EOP-004-2 as this nomenclature is commonly
used in the licensing basis of a nuclear power plant. By revising the threshold criteria
to “one or more” Energy Northwest believes the concern the DSR SDT noted is
addressed and ensures all sources are addressed. In addition, by revising the
threshold for reporting to a loss of “one or more” will ensure that all potential events
(regardless of configuration of off-site power supplies) will be reported by any
applicable transmission entity specifically identified in the nuclear plant site specific
NPIRs.
Energy Northwest proposes that the loss of an off-site power source be
revised to an “unplanned” loss to account for planned maintenance that is
coordinated in advance in accordance with the site specific NPIRs and associated
Agreements. This will also eliminate unnecessary reporting for planned
maintenance.
Although the loss of one off-site power source may not result in a
nuclear generating unit trip, Energy Northwest agrees that an unplanned loss of an
off-site power source regardless of impact should be reported within the 24 hour
time limit as proposed. Suggest that the Loss of Offsite power to a nuclear
generating plant event be revised as follows:
Event: Unplanned loss of any off-site power source to a Nuclear Power Plant
Entity with Reporting Responsibility: The
applicable Transmission Entity that owns and/or operates the off-site power source
to a Nuclear Power Plant as defined in the applicable Nuclear Plant Interface
Requirements (NPIRs) and associated Agreements.
Threshold for Reporting:
Unplanned loss of one or more off-site power sources to a Nuclear Power Plant per
the applicable NPIRs.
Based on comments received, this event has been updated within Attachment 1 to
read as:
“Complete loss of off-site power to a nuclear generating plant (grid supply)”.
2. Please consider changing "Operating Plan" with "Procedure(s)". Procedures extend
beyond operating groups and provide guidance to the entire company.
The DSR SDT intends on keeping “Operating Plan” within EOP-004-2 since NERC has it
defined as:
“A document that identifies a group of activities that may be used to achieve some goal.
An Operating Plan may contain Operating Procedures and Operating Processes. A
company-specific system restoration plan that includes an Operating Procedure for
black-starting units, Operating Processes for communicating restoration progress with
other entities, etc., is an example of an Operating Plan”. As stated, the Operating Plan
may contain Operating procedures or Operating Processes. This will give Applicable
Entities the greatest flexibility in achieving compliance with this Standard.
Response: Thank you for your comment. Please see response above.
Colorado Springs Utilities
Agree with concept to combine CIP-001 into EOP-004. Agree with elimination of
“sabotage” concept. Appreciate the attempt to combine reporting requirements, but
it seems that in practice will still have separate reporting to DOE and NERC/Regional
Entities. EOP-004-2 A.5. “Summary of Key Concepts” refers to Att. 1 Part A and Att. 1
Part B. I believe these have now been combined. EOP-004-2 A.5. “Summary of Key
Concepts” refers to development of an electronic reporting form and inclusion of
regional reporting requirements. It is unfortunate no progress was made on this
front.
Response: Thank you for your comment. The DSR SDT is providing a proposed revision to the NERC Rules of Procedure to address
the electronic reporting concept. These proposed revisions will be posted with the standard.
American Transmission
Company, LLC
ATC appreciates the work of the SDT in incorporating changes that the industry had
with reporting time periods and aligning this with the Events Analysis Working Group
and Department of Energy’s OE 417 reporting form.
Response: Thank you for your comment.
Manitoba Hydro
Attachment 1 - The term ‘Transmission Facilities’ used in Attachment 1 is capitalized,
but it is not a defined term in the NERC glossary. The drafting team should clarify this
issue.
Both Transmission and Facilities are defined terms and the DSR SDT feels this gives
sufficient direction.
Attachment 2 - The inclusion of ‘Fuel supply emergency’ in Attachment 2 creates
confusion as it infers that reporting a ‘fuel supply emergency’ may be required by the
standard even though ‘fuel supply emergency’ is not listed in Attachment 1. On a
similar note, it is not clear what the drafting team is hoping to capture by including a
checkbox for ‘other’ in Attachment 2.
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2.
Response: Thank you for your comment. Please see response above.
NV Energy
Attachment 1 includes an item "Detection of a reportable cyber security incident."
The reporting requirement is a report via Attachment 2 or the OE417 report form
submittal. However, under CIP-008, to which this requirement is linked, the
reporting is accomplished via NERC's secure CIPIS reporting tool. This appears to be
a conflict in that the entity is directed to file reporting under CIP-008 that differs
from this subject standard.
CIP-008-4, Requirement 1, Part 1.3 states that an entity must have:
1.3 Process for reporting Cyber Security Incidents to the Electricity Sector
Information Sharing and Analysis Center (ES-ISAC). The Responsible Entity
must ensure that all reportable Cyber Security Incidents are reported to the ES-ISAC either directly or through an intermediary.
EOP-004-2 also allows for submittal of the report to the ES-ISAC.
Attachment 1 also includes a provision for reporting the "loss of firm load greater
than or equal to 15 minutes in an amount of 200MW (or 300MW for peaks greater
than 3000MW)." This appears to be a rather low threshold, particularly in comparison
with the companion loss of generation reporting threshold elsewhere in the
attachment. The volume of reports triggered by this low threshold will likely lead to
an inordinate number of filed reports, sapping NERC staff time and deflecting
resources from more severe events that require attention. I suggest either an
increase in the threshold, or the addition of the qualifier "caused by interruption/loss
of BES facilities" in this reporting item. This qualifier would therefore exclude
distribution-only outages that are not indicative of a BES reliability issue.
The DSR SDT has not modified this event since it is being maintained as it is presently
enforceable within EOP-004-1.
Response: Thank you for your comment. Please see response above.
BC Hydro
Attachment 1: Reportable Events: BC Hydro recommends further defining “BES
equipment” for the events Destruction of BES equipment and Risk to BES equipment.
Attachment 1: Reportable Events: BC Hydro recommends defining the Forced
intrusion event as the wording is very broad and open to each entity's interpretation.
What would be a forced intrusion, i.e., entry or only if equipment damage occurs?
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
Response: Thank you for your comment. Please see response above.
ISO New England
Attachment 1 should be revisited. “Equipment Damage” is overly vague and will also
potentially result in reporting on equipment failures which may simply be related to
the age and/or vintage of equipment.
The DSR SDT has revised this event based on comments received. The new event is
“Damage or destruction of a Facility” which has a threshold of “Damage or destruction
of a Facility that:
Affects an IROL (per FAC-014)
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from intentional human action.”
Response: Thank you for your comment. Please see response above.
Constellation Energy on
behalf of Baltimore Gas &
Electric, Constellation Power
Generation, Constellation
Energy Commodities Group,
Constellation Control and
Dispatch, Constellation
NewEnergy and Constellation
Energy Nuclear Group.
Background Section: The background section in this revision of EOP-004 reads more
like guidance than a background of the development of the event reporting
standard. Because the background remains as part of the standard, the language
raises questions as to the role it plays relative to the standard language. For instance,
the Law Enforcement Reporting section states: “Entities rely upon law enforcement
agencies to respond to and investigate those events which have the potential to
impact a wider area of the BES.” It’s not clear how “potential to impact a wider
area of the BES” is defined and where it fits into the standard. As well, and perhaps
more problematic, is the Reporting Hierarchy for Reportable Events flow chart.
While the flow chart concept is quite useful as a guidance tool, the flow chart
currently in the Background raises questions. For instance, the Procedure to Report
to Law Enforcement sequence does not map to language in the requirements.
Further, Entities would not know about the interaction between law enforcement
agencies.
The DSR SDT included the flow chart as an example of how an entity might report and
communicate an event. For clarity, we have added the phrase “Example of Reporting
Process Including Law Enforcement” to the top of the page.
Please see additional recommended revisions to the requirement language and to
the Events Table in the Q2 and Q3 responses.
The DSR SDT has removed the wording of “potential” based on comments received.
Attachment 2: Event Reporting Form: The review of the form is one of the many
aspects to compare with the developments within the Events Analysis Process (EAP)
developments. We support the effort to create one form for submissions. The
recent draft EAP posted as part of Planning Committee and Operating Committee
agendas includes a form requiring a few bits of additional relevant information when
compared to the EOP-004 form. This may be a valuable approach to avoid follow up
inquiries that may result if the form is too limited. We suggest that consideration be
given to the proposed EAP form. One specific note on the Proposed EOP-004
Attachment 2: The “Potential event” box in item 3 should be eliminated to track with
the removal of the “Risk to the BES” category.
The DSR SDT has updated Attachment 2 to remove potential event and “Risk to the
BES” category based on comments received.
Response: Thank you for your comment. Please see response above.
Bonneville Power
Administration
BPA believes that Attachment 1 has too many added reportable items because
unintentional, equipment failure & operational errors are included in the first three
items.
A. Change to only “intentional human action”. Otherwise, the first item “destruction
of BES equipment” is too burdensome, along with its short time reporting time: i. - If
a single transformer fails that shouldn’t require a report. ii.- Emergency actions have
to be taken for any failure of equipment, e.g. a loss of line reduces a path SOL and
requires curtailments to reduce risk to the system.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
B. The item for “risk to BES” is not necessary until the suspicious object has been
identified as a threat. If what turns out to be an air impact wrench left next to BES
equipment, that should not be a reportable incident as this current table implies.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
C. The nuclear “LOOP” should be only reported if total loss of offsite source (i.e. 2 of
2 or 3 of 3) when supplying the plant's load. If lightning or insulator fails causing one
of the line sources to trip that’s not a system disturbance especially if it is just used
as a backup. It should only be a NRC process if they want to monitor that.
The DSR SDT has updated this event per your comment, it now reads as: “Complete
loss of off-site power to a nuclear generating plant (grid supply)”
The VRF/VSL: BPA believes that the VRF for R2 & R4 should be “Lower”.
The DSR SDT has reviewed and updated the two new requirements and believes the VRFs
follow the NERC Standard development process.
Response: Thank you for your comment. Please see response above.
CenterPoint Energy
CenterPoint Energy appreciates the SDT’s consideration of comments and removal of
the term, Impact Event. However, the Company still suggests removing the phrase
“with the potential to impact” from the purpose as it is vast and vague. An
alternative purpose would be "To improve industry awareness and the reliability of
the Bulk Electric System by requiring the reporting of events that impact reliability
and their causes if known". The focus should remain on those events that truly
impact the reliability of the BES.
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
CenterPoint Energy remains very concerned about the types of events that the SDT
has retained in Attachment 1 as indicated in the following comments: Destruction of
BES Equipment - The loss of BES equipment should not be reportable unless the
reliability of the BES is impacted.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
Footnote 5, iii should be modified to tie the removal of a piece of equipment from
service back to reliability of the BES. Risk to BES equipment: This Event is too vague
to be meaningful and should be deleted. The Event should be modified to “Detection
of an imminent physical threat to BES equipment”.
The DSR SDT discussed this event as well as the event “Risk to BES equipment”. These
two event types had overlap in the perceived reporting requirements. The DSR SDT
removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “A physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen because
the Responsible Entity is in the best position to exercise this judgment and determine
whether or not an event poses a threat to its Facilities. The DSR SDT believes this revised
event type will minimize administrative burden and ensure that events meaningful to
industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
Any reporting time frame of 1 hour is unreasonable; Entities will still be responding
to the Event and gathering information. A 24 hour reporting time frame would be
more reasonable and would still provide timely information.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
System Separation: The 100 MW threshold is too low for a reliability impact. A more
appropriate threshold is 500 MW.
The DSR SDT has reviewed your request and has determined the event as written
“Each separation resulting in an island of generation and load ≥ 100 MW” does
impact the reliability of the BES.
Loss of Monitoring or all voice communication capability: The two elements of this
Event should be separated for clarity as follows: “Loss of monitoring of Real-Time
conditions” and “Loss of all voice communication capability.”
The DSR SDT has broken this event down into two distinct events: “Loss of all voice
communication capability” and “Complete or partial loss of monitoring capability”,
per comments received.
Response: Thank you for your comment. Please see response above.
Orange and Rockland Utilities,
Inc./Consolidated Edison Co.
of NY, Inc.
Comments:
o Requirement 4 does not specifically state details necessary for an
entity to achieve compliance. Requirement 4 should provide more guidance as to
what is required in a drill. Audit / enforcement of any requirement language that is
too broad will potentially lead to Regional interpretation, inconsistency, and
additional CANs.
o R4 should be revised to delete the 15 month requirement. CAN-0010 recognizes
that entities may determine the definition of annual.
Requirement R4 has been revised as you suggested.
o The Purpose of the Standard should be revised because some of the events being
reported on have no impact on the BES. Revise Purpose as follows: To improve
industry awareness and the reliability of the Bulk Electric System by requiring the
reporting of [add] "major system events.” [delete - “with the potential to impact
reliability and their causes, if known, by the Responsible Entities.”]
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
Response: Thank you for your comment. Please see response above.
Entergy Services
Entergy agrees with and supports comments submitted by the SERC OC Standards
Review group.
Response: Thank you for your comment.
ITC
Footnote 1 and the corresponding Threshold For Reporting associated with the first
Event in Attachment 1 are not consistent and thus confusing. Qualifying the term
BES equipment through a footnote is inappropriate as it leads to this confusion. For
instance, does iii under Footnote 1 apply only to BES equipment that meet i and ii or
is it applicable to all BES equipment?
The DSR SDT discussed this event as well as the event “Risk to BES equipment”. These
two event types had overlap in the perceived reporting requirements. The DSR SDT
removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “A physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance
in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
The inclusion of equipment failure, operational error and unintentional human
action within the threshold of reporting for “destruction” required in the first 3
Events listed in Attachment 1 is also not appropriate. It is clear through operational
history that the intent of the equipment applied to the system, the operating
practices and personnel training developed/delivered to operate the BES is to result
in reliable operation of the BES which has been accomplished exceedingly well given
past history. This is vastly different than for intentional actions and should be
excluded from the first 3 events listed in Attachment. To the extent these issues are
present in another event type they will be captured accordingly.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
Footnote 1 should be removed and the Threshold for Reporting associated with the
first three events in Attachment 1 should be updated only to include intentional
human action. This will also result in including all BES equipment that was
intentionally damaged in the reporting requirement and not just the small subset
qualified by the existing footnote 1. This provides a much better data sample for law
enforcement to make assessments from than the smaller subset qualified by what
we believe the intent of footnote 1 is.
The DSR SDT discussed this event as well as the event “Risk to BES equipment”. These
two event types had overlap in the perceived reporting requirements. The DSR SDT
removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “A physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance
in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
Response: Thank you for your comment. Please see response above.
APX Power Markets (NCR11034)
For Attachment 1 and the events titled "Unplanned Control Center evacuation" and
"Loss of monitoring or all voice communication capability". RC, BA, and TOP are the
only entity types listed for reporting responsibility. We are a GOP that offers a
SCADA service in several regions and those types of events could result in a loss of
situational awareness for the regions we provide services. I believe the requirement
for reporting should not be limited to Entity Type, but on their impact for situational
awareness to the BES based on the amount of generation they control (specific to
our case), or other criteria that would be critical to the BES (i.e. voltage, frequency).
Note that EOP-008-0 is only applicable to Balancing Authorities, Transmission
Operators and Reliability Coordinators, this is the basis for the “Entity with reporting
Responsibilities” and reads as: “Each RC, BA, TOP that experiences the event”.
Response: Thank you for your comment. Please see response above.
ACES Power Marketing
Standards Collaborators/
Great River Energy
For many of the events listed in Attachment 1, there would be duplicate reporting
the way it is written right now. For example, in the case of a fire in a substation
(Destruction of BES equipment), the RC, BA, TO, TOP and perhaps the GO and GOP
could all experience the event and each would have to report on it. This seems quite
excessive and redundant. We recommend eliminating this duplicate reporting.
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
Response: Thank you for your comment. Please see response above.
Intellibind
I do not see that the rewrite of this standard is meeting the goal of clear reliability
standards, and in fact the documents are looking more like legal documents. Though
the original EOP-004 and CIP-001 were problematic at times, this rewrite, and the
need to have such extensive guidance, attachments, and references for EOP-004-2
will create an even more difficult standard to properly meet to ensure compliance
during an audit. Though CIP-001 and EOP-004 were related, combining them in a
single standard is not resolving the issues, and is in fact complicating the
tasks. Requirements in this standard should deal with only one specific issue, not deal
with multiple tasks. I am not sure how an auditor will consistently audit against R2,
and how a violation will be categorized when an entity implements all portions of
their Operating Plan, however fails to fully address all the requirements in R1,
thereby not fully implementing R2, in strict interpretation.
The DSR SDT does not agree that the proposed EOP-004-2 “will create an even more
difficult standard to properly meet to ensure compliance during an audit”. The DSR SDT
main concern is the reporting of events per Attachment 1 is in-line with the Purpose of
this Standard that states: “To improve the reliability of the Bulk Electric System by
requiring the reporting of events by Responsible Entities.” The NERC Reliability
Standards are designed to support the reliability of the BES.
Requirement R2 has been updated to read as: “R2. Each Responsible Entity shall
implement its event reporting Operating Plan for applicable events listed in EOP-004
Attachment 1, and in accordance with the timeframe specified in EOP-004
Attachment 1.” Based on comments received.
The drafting team should not set up a situation where an entity is in double jeopardy
for missing an element of a requirement. I also suggest that EOP-004-2 be given a
new EOP designation rather than calling it a revision. This way implementation can
be better controlled, since most companies have written specific CIP-001 and EOP-004 documents that will not simply transfer over to the new version. This standard is
a drastic departure from the original versions. I appreciate the level of work that is
going into EOP-004-2, it appears that significant time and effort has been going into
the supporting documentation. It is my opinion that if this much material has to be
created to state what the standard really requires, then the standard is flawed.
When there are 21 pages of explanation for five requirements, especially when we
have previously had 16 pages that originally covered 2 separate reliability standards,
we need to reevaluate what we are really doing.
The DSR SDT has revised EOP-004 and CIP-001 using the results based standard
development process. This process calls for the drafting team to develop
documentation regarding its thoughts during the development process. This allows
for a more robust standard which contains background material for an entity to have
sufficient guidance to show compliance with the standard.
Response: Thank you for your comment. Please see response above.
Imperial Irrigation District
IID strongly believes the reporting flowchart should not be part of a standard. The
suggestion is to replace it with a more clear, right to the point requirement.
The DSR SDT has discussed this issue and believes it would be too prescriptive to have
a flow chart as a requirement. If desired, an entity can have a flow chart as part of
the Operating Plan as stated in Requirement 1.
Response: Thank you for your comment. Please see response above.
Illinois Municipal Electric
Agency
IMEA appreciates this opportunity to comment. IMEA appreciates the SDT's efforts
to simplify reporting requirements by combining CIP-001 with EOP-004. [IMEA
encourages NERC to continue working towards a one-stop-shop to simplify reporting
on ES-ISAC.] IMEA supports, and encourages SDT consideration of, comments
submitted by APPA and Florida Municipal Power Agency.
Response: Thank you for your comment. Please see the responses to the other comments that you mention.
Westar Energy
In Requirement 1.3, the statement “and the following as appropriate” is vague and
subject to interpretation. Who determines what is appropriate? We feel it would be
better if the SDT would specify for each event, which party should be notified.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is to
define its process for reporting and with whom to report events. Part 1.2 now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.”
Response: Thank you for your comment. Please see response above.
South Carolina Electric and
Gas
In terms of receiving reports, is it the drafting team's expectation that separate
reports be developed by both the RC and the TOP, GO, BA, etc. for an event that
occurs on a company's system that is within the RC's footprint? One by the RC and
one by the TOP, GO, BA, etc. In terms of meeting reporting thresholds, is it the
drafting team's expectation that the RC aggregate events within its RC Area to
determine whether a reporting threshold has been met within its area for the
quantitative thresholds?
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
It is possible for the Applicable Entities within the Reliability Coordinator’s area to be
part of a JRO/CFR but this is outside the scope of this Project.
Response: Thank you for your comment. Please see response above.
Occidental Power Services,
Inc. (OPSI)
Load Serving Entities that do not own or operate BES assets should not be included in
the Applicability. In current posting, the SDT states that it includes LSEs based on
CIP-002; however, if the LSE does not have any BES assets, CIP-002 should also not
be applicable, because the LSE could not have any Critical Assets or Critical Cyber
Assets. It is understood that the SDT is trying to comply with FERC Order 693,
Section 460 and 461; however, Section 461 also states “Further, when addressing
such applicability issues, the ERO should consider whether separate, less
burdensome requirements for smaller entities may be appropriate to address these
concerns.” A qualifier in the Applicability of EOP-004-2 that would include only LSEs
that own or operate BES assets would seem appropriate. The proposed CIP-002
Version V has such a qualifier in that it applies to a “Load-Serving Entity that owns
Facilities that are part of any of the following systems or programs designed,
installed, and operated for the protection or restoration of the BES: o A UFLS
program required by a NERC or Regional Reliability Standard o A UVLS program
required by a NERC or Regional Reliability Standard” The SDT should consider the
same wording in the Applicability section of EOP-004-2 in order to be consistent
with what will become the standing version of CIP-002 (Version 5).
The DSR SDT has “considered” section 460 and 461 of FERC Order 693 and has tried
to minimize duplicative reporting, but recognizes there may be events that trigger
more than one report. The current applicability ensures an event that could affect just
one of the entities with reporting responsibility isn’t missed.
The DSR SDT wishes to draw your attention to section 459 of FERC Order 693 which
states: “ … an adversary may target a small user, owner or operator because it may
have similar equipment or protections as a larger facility, that is, the adversary may
use an attack against a smaller facility as a training ‘exercise’”.
Response: Thank you for your comment. Please see response above.
American Electric Power
M4: Recommend removing the text “for events” so that it instead reads “The
Responsible Entity shall provide evidence that it verified the communication process
in its Operating Plan created pursuant to Requirement R1, Part 1.3.” R4: It is not clear
to what extent the verification needs to be applied if the process used is complex
and includes a variety of paths and/or tasks. The draft team may wish to consider
changing the wording to simply state “each Responsible Entity shall test each of the
communication paths in the operating plan”. We also recommend dropping “once
per calendar year” as it is inconstant with the measure itself which allows for 15
months.
The DSR SDT has revised R4 (now R3 and the associated measure M3:
M3. Each Responsible Entity will have dated and time-stamped records to show that
the annual test of Part 1.2 was conducted. Such evidence may include, but are not
limited to, dated and time stamped voice recordings and operating logs or other
communication documentation. The annual test requirement is considered to be met
if the responsible entity implements the communications process in Part 1.2 for an
actual event. (R3)
Response: Thank you for your comment. Please see response above.
Indiana Municipal Power
Agency
Many of the items listed in Attachment 1 are onerous and burdensome when it
comes to making judgments or determinations. What one may consider “Risk to BES
equipment” another person may not make the same determination. Clarity needs to
be added to make the events easier to determine and that will result in less issues
when it comes to compliance audits.
IMPA does not understand the usage of the terms Critical Asset and Critical Cyber
Asset as they will be retired with CIP version 5.
IMPA believes the data retention
requirements are way too complicated and need to be simplified. It seems like it
would be less complicated if one data retention period applied to all data associated
with this standard.
The DSR has revised many of the events listed in Attachment 1 to provide clarity. We
have also removed the references to Critical Asset and Critical Cyber Asset.
On “public appeal”, in the threshold, the descriptor “each” should be deleted, e.g., if
a single event causes an entity to be short of capacity, do you really want that entity
reporting each time they issue an appeal via different types of media, e.g., radio, TV,
etc., or for a repeat appeal every several minutes for the same event?
The DSR SDT has updated the Public Appeal event to read as: “Public appeal for load
reduction event” based on comments received.
Response: Thank you for your comment. Please see response above.
MidAmerican Energy
MidAmerican proposes eliminating the phrase “with no more than 15 months
between reviews” from R1.5. While we agree this is best practice, it creates the need
to track two conditions for the review, eliminates flexibility for the responsible entity
and does not improve security to the Bulk Electric System. There has not been a
directive from FERC to specify the definition of annual within the standard itself. In
conjunction with this comment, the Violation Severity Levels for R4 should be revised
to remove the references to months.
The DSR SDT has removed this phrase from the requirement (now R3).
Response: Thank you for your comment. Please see response above.
Oncor Electric Delivery
Company LLC
NERC's Event Analysis Program tends to parallel many of the reporting requirements
as outlined in EOP-004 Version 2. Oncor recommends that NERC considers ways of
streamlining the reporting process by either incorporating the Event Analysis
obligations into EOP-004-2 or reducing the scope of the Event Analysis program as
currently designed to consist only of "exception" reporting.
The DSR SDT has reviewed the Event Analysis Programs criteria. The DSR SDT has
determined that Attachment 1 covers the minimum reporting requirements.
Response: Thank you for your comment. Please see response above.
Compliance & Responsibility
Office
NextEra Energy, Inc. (NextEra) appreciates the DSR SDT revising proposed EOP-004-2,
based on the previous comments of NextEra and the stakeholders. NextEra,
however, believes that EOP-004-2 needs additional refinement prior to approval.
R1.3
In R1.3, NextEra is concerned that the term “internal company personnel” is
unclear and may be misinterpreted. For example, NextEra does not believe this term
should include all company or corporate personnel, or even all personnel in the
Responsible Entity’s company or business unit. Instead, the definition of personnel
should be limited to those who could be directly impacted by the event or are
working on the event. Thus, NextEra suggests that the language in R1.3 be revised to
read: “Internal Responsible Entity personnel whose tasks require them to take
specific actions to mitigate, stop the spread and/or normalize the event, or
personnel who are directly impacted by the event.” NextEra is concerned that R1.3,
as written, will be interpreted differently from company to company, region to
region, auditor to auditor, and, therefore, may result in considerable confusion
during actual events as well as during the audits/stop checks of EOP-004-2
compliance.
The DSR SDT has written Requirement R1, Part 1.2 in a way to allow the entity to
determine who should receive the communication within your company as stated in
your Operating Plan.
Also, in R1.3, NextEra is concerned that many of the events listed in Attachment A
already must be reported to NERC under its trial (soon to be final) Event Analysis
Reporting requirements (Event Analysis). NextEra believes duplicative and different
reporting requirements in EOP-004-2 and the Event Analysis rules will cause
confusion and inefficiencies during an actual event, which will likely be
counterproductive to promoting reliability of the bulk power system. Thus, NextEra
believes that any event already covered by NERC’s Event Analysis should be deleted
from Attachment 1. Events already covered include, for example, loss of monitoring
or all voice, loss of firm load and loss of generation. If this approach is not
acceptable, NextEra proposes, in the alternative, that the reporting requirements
between EOP-004-2 and Event Analysis be identical. For instance, in EOP-004-2,
there is a requirement to report any loss of firm load lasting for more than 15
minutes, while the Event Analysis only requires reporting of the loss of firm load
above 300 megawatts and lasting more than 15 minutes. Similarly, EOP-004-2
requires the reporting of any unplanned control center evacuation, while the Event
Analysis only requires reporting after the evacuation of the control center that lasted
30 minutes or more. Thus, NextEra requests that either EOP-004-2 not address
events that are already set forth in NERC’s Event Analysis, or, in the alternative, for
those duplicative events to be reconciled and made identical, so the thresholds set
forth in the Event Analysis are also used in EOP-004-2.
The DSR SDT has worked with the EAWG to develop Attachment 1. At one point they
matched. The event for loss of load matches and we revised the “unplanned control
center evacuation” event to be for 30 minutes or more.
In addition, NextEra believes that a reconciliation between the language “of
recognition” in Attachment 1 and “process to identify” in R1.1 is necessary. NextEra
prefers that the language in Attachment 1 be revised to read “ . . . of the
identification of the event under the Responsible Entity’s R1.1 process.” For
instance, the first event under the “Submit Attachment 2 . . . .” column should read:
“The parties identified pursuant to R1.3 within 1 hour of the identification of an
event under the Responsible Entity’s R1.1 process.” This change will help eliminate
confusion, and will also likely address (and possibly make moot) many of the
footnotes and qualifications in Attachment 1, because a Responsible Entity’s process
will likely require that possible events are properly vetted with subject matter
experts and law enforcement, as appropriate, prior to identifying them as “events”.
Thus, only after any such vetting and a formal identification of an event would the
one hour or twenty-four hour reporting clock start to run.
R1.4, R1.5, R3 and R4
NextEra is concerned with the wording and purpose of R1.4, R1.5, R3 and R4.
The language was revised in Requirement 1, Part 1.1 to “recognize” based on other
comments received.
For example, R1.4 requires an update to the Operating Plan for “. . . any change in
assets, personnel, other circumstances . . . .” This language is much too broad to
understand what is required or its purpose. Further, R1.4 states that the Operating
Plan shall be updated for lessons learned pursuant to R3, but R3 does not address
lessons learned. Although there may be lessons learned during a post event
assessment, there is no requirement to conduct such an assessment. Stepping back,
it appears that the proposed EOP-004-2 has a mix of updates, reviews and
verifications, and the implication that there will be lessons learned. Given that EOP-004-2
is a reporting Standard, and not an operational Standard, NextEra is not
inclined to agree that it needs the same testing and updating requirements like EOP-005
(restoration) or EOP-008 (control centers). Thus, it is NextEra’s preference that
R1.4, R1.5 and R4 be deleted, and replaced with a new R1.4 as follows:
R1.4 A process for ensuring that the Responsible Entity reviews, and updates, as appropriate
its Operating Plan at least annually (once each calendar year) with no more than 15
months between reviews.
If the DSR SDT does not agree with this approach, NextEra,
in the alternative, proposes a second approach that consolidates R1.4, R1.5 and R4 in
a new R1.4 as follows:
R1.4 A process for ensuring that the Responsible Entity tests
and reviews its Operating Plan at least annually (once each calendar year) with no
more than 15 months between a test and review. Based on the test and review, the
Operating Plan shall be updated, as appropriate, within 90 calendar days. If an
actual event occurs, the Responsible Entity shall conduct a post event assessment to
identify any lessons learned within 90 calendar days of the event. If the Responsible
Entity identifies any lessons learned in post event assessment, the lessons learned
shall be incorporated in the Operating Plan within 90 calendar days of the date of the
final post event assessment. NextEra purposely did not add language regarding
“any change in assets, personnel etc,” because that language is not sufficiently clear
or understandable for purposes of a mandatory requirement. Although it may be
argued that it is a best practice to update an Operating Plan for certain changes,
unless the DSR SDT can articulate specific, concrete and understandable issues that
require an updated Operating Plan prior to an annual review, NextEra recommends
that the concept be dropped.
Requirement 1, Part 1.4 was merged with Part 1.5 as well as R4. The resulting
requirement is now Requirement 3:
“Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2.
[Violation Risk Factor: Medium] [Time Horizon: Operations Planning]”
Nuclear Specific Concerns
EOP-004-2 identifies the Nuclear Regulatory Commission
(NRC) as a stakeholder in the Reporting Process, but does not address the status of
reporting to the NRC in the Event Reporting flow diagram on page 9. Is the NRC
considered Law Enforcement as is presented in the diagram? Since nuclear stations
are under a federal license, some of the events that would trigger local/state law
enforcement at non-nuclear facilities would be under federal jurisdiction at a nuclear
site.
The process flowchart is an example of how an entity might operate. If an event
requires notification of the NRC, this would be an example of notification of a
regulatory authority. It is anticipated that the reporting entity would also notify law
enforcement if appropriate.
There are some events listed in Attachment 1 that seem redundant or out of place.
For example, a forced intrusion is a one hour report to NERC. However, if there is an
ongoing forced intrusion at a nuclear power plant, there are many actions taking
place, with the NRC Operations Center as the primary contact which will mobilize the
local law enforcement agency, etc.
The DSR SDT removed “Forced Intrusion” as a category and the “Risk to BES
equipment” event was revised to “Any physical threat that could impact the
operability of a Facility”.
It is unclear that reporting to NERC in one hour promotes reliability or the resolution
of an emergency in progress.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
Also, is there an ability to have the NRC in an emergency notify NERC? The same
concerns related to cyber security events.
Procedures versus Plan
NextEra also
suggests replacing "Operating Plan" with "procedures". Given that EOP-004-2 is a
reporting Standard and not an operational Standard, it is typical for procedures that
address this standard to reside in other departments, such as Information
Management and Security. In other words, the procedures needed to address the
requirements of EOP-004-2 are likely broader than the NERC-defined Operating Plan.
Within your Operating Plan you are required to “report” events to the ERO and your
RC and communicate this information (to others) as you define it within your
company’s Operating Plan. This will allow you to customize any events as you see fit.
Clean-Up Items
In Attachment 1, Control Centers should be capitalized in all columns
so as not to be confused with control rooms.
Since “control center” is not a defined term, it has been revised to lower case.
Also, the final product should clearly state that the process flow chart that is set
forth before the Standard is for illustrative purposes, so there is no implication that a
Registered Entity must implement multiple procedures versus one comprehensive
procedure to address different reporting requirements.
The introduction of the flow chart is clearly marked “Example of Reporting Process
including Law Enforcement”.
Response: Thank you for your comment. Please see response above.
PacifiCorp
No comment.
Arizona Public Service
Company
No comments
PPL Electric Utilities and PPL
Supply Organizations
Our comments center around the footnotes and events 'Destruction of BES
equipment' and 'Loss of Off-site power to a nuclear generating plant'. We request
the SDT consider adding a statement to the standard that acknowledges that not all
registered entities have visibility to the information in the footnotes. E.G.
Destruction of BES equipment. A GO/GOP does not necessarily know if loss of
specific BES equipment would affect any IROL and therefore would not be able to
consider this criteria in its reporting decision. Loss of BES equipment would be
reported to the BA/RC and the BA/RC would know of an IROL impact and the BA/RC
is the appropriate entity to report. We request the SDT consider the information in
the footnotes for inclusion in the table directly. Consider Event 'Destruction of BES
equipment'. Is footnote 1 a scoping statement? Is it part of the threshold? Is it the
impact? Is it defining Destruction? If the BES equipment was destroyed by weather
and does not affect an IROL, then is no report needed? Alternatively, do you still
apply the threshold and say it was external cause and therefore report?
Several event categories were removed or combined to improve Attachment 1. The
footnotes that you mention were removed and included in the threshold for reporting
column. If an entity does not experience an event, then they should not report on it.
As you suggest, most GO/GOPs do not see the transmission system. It is anticipated
that they will report for events on their Facilities.
We suggest including a flowchart on how to use Attachment 1 with an example. The
flowchart would explain the order in which to consider the event and the threshold,
and footnotes if they remain. Regarding Attachment 1 Footnote 1 'do not report
copper theft...unless it degrades the ability of equipment to operate correctly.', is
this defining destruction as not operating correctly? Or is the entirety of footnote 1 a
definition of destruction? Regarding Attachment 1 Footnote 1, iii, we request this be
changed for consistency with the Event and suggest removing damage from the
footnote. i.e. The event is 'destruction' whereas the footnote says 'damaged or
destroyed'. The standard does not provide guidance on damage vs destruction
which could lead to differing reporting conclusions. Is the reporting line out of
service, beyond repair, or is it timeframe based? Regarding Attachment 1 Footnote 2
' to steal copper... unless it affects the reliability of the BES', is affecting the reliability
of the BES a consideration in all the events? PPL believes this is the case and request
this statement be made. This could be included in the flowchart as a decision point.
Regarding Event 'Loss of Off-site power to a nuclear generating plant', the threshold
for reporting does not designate if the off-site loss is planned and/or unplanned - or
if the reporting threshold includes the loss of one source of off-site power or is the
reporting limited to when all off-site sources are unavailable. PPL recommends the
event be ‘Total unplanned loss of offsite power to a nuclear generating plant (grid
supply)’
Thank you for considering our comments.
The DSR SDT discussed “Forced Intrusion” as well as the event “Risk to BES
equipment”. These two event types had overlap in the perceived reporting
requirements. The DSR SDT removed “Forced Intrusion” as a category and the “Risk to
BES equipment” event was revised to “A physical threat that could impact the
operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance
in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
The DSR SDT has updated the Requirements based on comments received along with
updating Attachment 1 and 2. Please review the updated standard for all your
concerns.
Response: Thank you for your comment. Please see response above.
City of Austin dba Austin Energy
Overarching Concern related to EOP-004-2 draft:
The contemporaneous drafting
efforts related to both the proposed Bulk Electric System ("BES") definition changes
and CIP Standards Version 5 could significantly impact the EOP-004-2 reporting
requirements. Caution needs to be exercised when referencing these definitions, as
the definition of a BES element could change significantly and the concepts of
“Critical Assets” and “Critical Cyber Assets” no longer exist in Version 5 of the CIP
Standards.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Additionally, it is debatable whether the destruction of, for example, one relay
would be a reportable incident given the proposed language.
Related to “Reportable Events” of Attachment 1:
1. The “Purpose” section of the Standard indicates it is
designed to require the reporting of events “with the potential to impact reliability”
of the BES. Footnote 1 and the “Threshold for Reporting” associated with the Event
described as “Destruction of BES equipment” expand the reporting scope beyond
that intent. For example, a fan on a generation unit can be destroyed because a plant
employee drops a screwdriver into it. We believe such an event should not be
reportable under EOP-004-2. Yet, as written, a Responsible Entity could interpret
that event as reportable (because it would be “unintentional human action” that
destroyed a piece of equipment associated with the BES). If the goal of the SDT was
to include such events, we think the draft Standard goes too far in requiring
reporting. If the SDT did not intend to include such events, the draft Standard should
be revised to make that fact clear.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
2. Item iii) in Footnote 1 seems redundant with the Threshold for Reporting.
3. The word “Significantly” in item ii) of footnote 1 introduces an element of subjectivity.
What is “significant” to one person may not be significant to someone else.
4. The word “unintentional” in Item iii) of footnote 1 may introduce nuisance reporting.
The SDT should consider: (1) changing the Event description to “Damage or
destruction of BES equipment” (2) removing the footnote and (3) replacing the
existing “Threshold for Reporting” with the following language: “Initial indication the
event: (i) was due to intentional human action, (ii) affects an IROL or (iii) in the
opinion of the Responsible Entity, jeopardizes the reliability margin of the system
(e.g., results in the need for emergency actions)”
The DSR SDT revised this event to “Damage or destruction of a Facility” and removed the
footnote. The threshold for reporting now reads:
Damage or destruction of a Facility that:
Affects an IROL (per FAC-014)
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from intentional human action.
5. One reportable event is “Risk to the BES” and the threshold for reporting is, “From
a non-environmental physical threat.” This appears to be intended as a catch-all
reportable event. Due to the subjectivity of this event description, we suggest
removing it from the list.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
6. One reportable event is “Damage or destruction of Critical Asset per CIP-002.” The
SDT should define the term “Damage” in order for an entity to determine a threshold
for what qualifies as “Damage” to a CA. Normal “damage” can occur on a CA that
should not be reportable (e.g. the screwdriver example, above).
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
7. For the event called “BES Emergency requiring public appeal for load reduction,”
the SDT should make it clear who should report such an event. For example, in the
ERCOT Region, there is a requirement that ERCOT issue public appeals for load
reduction (See ERCOT Protocols Section 6.5.9.4). As the draft of EOP-004-2 is
currently written, every Registered Entity in the ERCOT Region would have to file a
report when ERCOT issues such an appeal. Such a requirement is overly burdensome
and does not enhance the reliability of the BES. The Standard should require that the
Reliability Coordinator file a report when it issues a public appeal to reduce load.
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
Reporting Thresholds
1. See Paragraph 1 in the “Related to 'Reportable Events' of
Attachment 1” section, above.
2. We believe damage or destruction of Critical
Assets or CCAs resulting from operational error, equipment failure or unintentional
human action should not be reportable under this Standard. We recommend
changing the thresholds for “Damage or destruction of Critical Asset...” and “Damage
or destruction of a [CCA]” to “Initial Indication the event was due to external cause
or intentional human action.”
3. We support the SDT’s attempt to limit nuisance
reporting related to copper thefts. However, a number of the thresholds identified
in EOP-004-2 Attachment 1 are very low and could clog the reporting process with
nuisance reporting and reviewing. An example is the “BES Emergency requiring
manual firm load shedding” of ≥ 100 MW or “Loss of Firm load for ≥ 15
Minutes” that is ≥ 200 MW (300 MW if the manual demand is greater than 3000
MW). In many cases, those low thresholds would require reporting minor wind
events or other seasonal system issues on a local network used to provide
distribution service.
Firm Load
1. The use of the term “Firm load” in the context of
the draft Standard seems inappropriate. “Firm load” is not defined in the NERC
Glossary (although “Firm Demand” is defined). If the SDT intended to use “Firm
Demand,” they should revise the draft Standard to use that language. If the SDT
wishes to use the term “Firm load” they should define it. [For example, we
understand that some load agrees to be dropped in an emergency. In fact, in the
ERCOT Region, we have a paid service referred to as “Emergency Interruptible Load
Service” (EILS). If the SDT intends that “Firm load” means load other than load which
has agreed to be dropped, it should make that fact clear.]
The thresholds and events listed in Attachment 1 are currently required under DOE
OE-417 and NERC reporting requirements.
Comments to Attachment 2
1. The checkbox for “fuel supply emergency” should be
deleted because it is not listed as an Event on Attachment 1.
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2.
2. There should be separation between “forced intrusion” and “Risk to BES
equipment.” They are separate Events on Attachment 1.
Several stakeholders expressed concerns relating to the “Forced Intrusion” event.
Their concerns related to ambiguous language in the footnote. The DSR SDT discussed
this event as well as the event “Risk to BES equipment”. These two event types had
overlap in the perceived reporting requirements. The DSR SDT removed “Forced
Intrusion” as a category and the “Risk to BES equipment” event was revised to “A
physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
Comments to Guideline and Technical Basis
The last paragraph appears to state NERC
will accept an OE-417 form as long as it contains all of the information required by
the NERC form and goes on to state the DOE form “may be included or attached to
the NERC report.” If the intent is for NERC to accept the OE-417 in lieu of the NERC
report, this paragraph should be clarified.
The DSR SDT received many comments requesting consistency with DOE OE-417
thresholds and timelines. These items as well as the Events Analysis Working Group’s
(EAWG) requirements were considered in creating Attachment 1, but there remain
differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an opportunity
not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use the OE-417 form
rather than Attachment 2 to report under EOP-004. The SDT was informed by the DOE
of its new online process coming later this year. In this process, entities may be able to
record email addresses associated with their Operating Plan so that when the report is
submitted to DOE, it will automatically be forwarded to the posted email addresses,
thereby eliminating some administrative burden to forward the report to multiple
organizations and agencies.
Response: Thank you for your comment. Please see response above.
Salt River Project/ Lower
Colorado River Authority
Overarching Concern related to EOP-004-2 draft:
The contemporaneous drafting
efforts related to both the proposed Bulk Electric System ("BES") definition changes
and CIP Standards Version 5, could significantly impact the EOP-004-2 reporting
requirements. Caution needs to be exercised when referencing these definitions, as
the definition of a BES element could change significantly and the concepts of
“Critical Assets” and “Critical Cyber Assets” no longer exist in Version 5 of the CIP
Standards.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Additionally, it is debatable whether the destruction of, for example, one relay would
be a reportable incident given the proposed language.
Related to “Reportable Events” of Attachment 1:
1. The “Purpose” section of the Standard indicates it is
designed to require the reporting of events “with the potential to impact reliability”
of the BES. Footnote 1 and the “Threshold for Reporting” associated with the Event
described as “Destruction of BES equipment” expand the reporting scope beyond
that intent. For example, a fan on a generation unit can be destroyed because a plant
employee drops a screwdriver into it. We believe such an event should not be
reportable under EOP-004-2. Yet, as written, a Responsible Entity could interpret
that event as reportable (because it would be “unintentional human action” that
destroyed a piece of equipment associated with the BES). If the goal of the SDT was
to include such events, we think the draft Standard goes too far in requiring
reporting. If the SDT did not intend to include such events, the draft Standard should
be revised to make that fact clear.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
2. Item iii) in Footnote 1 seems redundant with the Threshold for Reporting.
3. The word “Significantly” in item ii) of footnote 1 introduces an element of subjectivity.
What is “significant” to one person may not be significant to someone else.
4. The word “unintentional” in Item iii) of footnote 1 may introduce nuisance reporting.
The SDT should consider: (1) changing the Event description to “Damage or
destruction of BES equipment” (2) removing the footnote and (3) replacing the
existing “Threshold for Reporting” with the following language: “Initial indication the
event: (i) was due to intentional human action, (ii) affects an IROL or (iii) in the
opinion of the Responsible Entity, jeopardizes the reliability margin of the system
(e.g., results in the need for emergency actions)”
The DSR SDT discussed this event as well as the event “Risk to BES equipment”. These
two event types had overlap in the perceived reporting requirements. The DSR SDT
removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “A physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance
in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
5. One reportable event is, “Risk to the BES” and the threshold for reporting is,
“From a non-environmental physical threat.” This appears to be intended as a
catch-all reportable event. Due to the subjectivity of this event description, we suggest
removing it from the list.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
6. One reportable event is, “Damage or destruction of Critical Asset per CIP-002.”
The SDT should define the term “Damage” in order for an entity to determine a
threshold for what qualifies as “Damage” to a CA. Normal “damage” can occur on a
CA that should not be reportable (e.g. the screwdriver example, above).
Reporting Thresholds
1. We believe damage or destruction of Critical Assets or CCAs resulting
from operational error, equipment failure or unintentional human action should not
be reportable under this Standard. We recommend changing the thresholds for
“Damage or destruction to Critical Assets ...” and “Damage or destruction of a [CCA]”
to “Initial Indication the event was due to external cause or intentional human
action.”
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
2. We support the SDT’s attempt to limit nuisance reporting related to copper
thefts. However, a number of the thresholds identified in EOP-004-2 Attachment 1
are very low and could clog the reporting process with nuisance reporting and
reviewing. An example is the “BES Emergency requiring manual firm load shedding”
of ≥ 100 MW or “Loss of Firm load for ≥ 15 Minutes” that is ≥ 200 MW
(300 MW if the manual demand is greater than 3000 MW). In many cases, those low
thresholds would require reporting minor wind events or other seasonal system
issues on a local network used to provide distribution service.
Firm Demand
1. The use of the term “Firm load” in the context of the draft Standard seems inappropriate.
“Firm load” is not defined in the NERC Glossary (although “Firm Demand” is defined).
If the SDT intended to use “Firm Demand,” they should revise the draft Standard. If
the SDT wishes to use the term “Firm load” they should define it. [For example, we
understand that some load agrees to be dropped in an emergency. In fact, in the
ERCOT Region, we have a paid service referred to as “Emergency Interruptible Load
Service” (EILS). If the SDT intends that “Firm load” means load other than load which
has agreed to be dropped, it should make that fact clear.]
The thresholds and event types in Attachment 1 are from current DOE OE-417 and
NERC reporting requirements.
Comments to Attachment 2
1. The checkbox for “fuel supply emergency” should be
deleted because it is not listed as an Event on Attachment 1.
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2.
2. There should be separation between “forced intrusion” and “Risk to BES
equipment.” They are separate Events on Attachment 1.
Several stakeholders expressed concerns relating to the “Forced Intrusion” event. Their
concerns related to ambiguous language in the footnote. The DSR SDT discussed this
event as well as the event “Risk to BES equipment”. These two event types had overlap
in the perceived reporting requirements. The DSR SDT removed “Forced Intrusion” as a
category and the “Risk to BES equipment” event was revised to “A physical threat that
could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
Comments to Guideline and Technical Basis
The last paragraph appears to state NERC
will accept an OE-417 form as long as it contains all of the information required by
the NERC form and goes on to state the DOE form “may be included or attached to
the NERC report.” If the intent is for NERC to accept the OE-417 in lieu of the NERC
report, this paragraph should be clarified.
The DSR SDT received many comments requesting consistency with DOE OE-417
thresholds and timelines. These items as well as the Events Analysis Working Group’s
(EAWG) requirements were considered in creating Attachment 1, but there remain
differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an opportunity
not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use the OE-417 form
rather than Attachment 2 to report under EOP-004. The SDT was informed by the DOE
of its new online process coming later this year. In this process, entities may be able to
record email addresses associated with their Operating Plan so that when the report is
submitted to DOE, it will automatically be forwarded to the posted email addresses,
thereby eliminating some administrative burden to forward the report to multiple
organizations and agencies.
Response: Thank you for your comment. Please see response above.
Public Utility District No. 1 of
Snohomish County/Seattle
City Light
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting
efforts related to both the proposed Bulk Electric System ("BES") definition changes,
as well as the CIP standards Version 5, could significantly impact the EOP-004-2
reporting requirements. Caution needs to be exercised when referencing these
definitions, as the definitions of a BES element could change significantly and Critical
Assets may no longer exist.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
As it relates to the proposed reporting criteria, it is debatable as to whether or not
the destruction of, for example, one relay would be a reportable incident under this
definition going forward given the current drafting team efforts. Related to
“Reportable Events” of Attachment 1: 1. A reportable event is stated as, “Risk to the
BES”, the threshold for reporting is, “From a non-environmental physical threat”.
This appears to be a catch-all event, and basically every other event in Attachment 1
should be reported because it is a risk to the BES. Due to the subjectivity of this
event, suggest removing it from the list.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
2. A reportable event is stated as, “Damage or destruction of Critical Asset per
CIP-002”. The term “Damage” would have to be defined in order for an entity to
determine a threshold for what qualifies as “Damage” to a CA. One could argue that
normal “Damage” can occur on a CA that is not necessary to report. There should
also be caution here in adding CIP interpretation within this standard.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Reporting Thresholds
1. The SDT made attempts to limit nuisance reporting related to
copper thefts and so on which is supported. However a number of the thresholds
identified in EOP-004-2 Attachment 1 are very low and could congest the reporting
process with nuisance reporting and reviewing. An example is the “BES Emergency
requiring manual firm load shedding of greater than or equal to 100 MW or the Loss
of Firm load for ≥ 15 Minutes that is greater than or equal to 200 MW (300 MW if
the manual demand is greater than 3000 MW). In many cases these low thresholds
represent reporting of minor wind events or other seasonal system issues on Local
Network used to provide distribution service.
Firm Demand
1. The use of Firm
Demand in the context of the draft Standards could be used to describe commercial
arrangements with a customer rather than a reliability issue. Clarification of Firm
Demand would be helpful.
The DSR SDT has updated the requirements based on comments received along with
updating Attachment 1 and 2. Please review the updated standard for all your
concerns.
Response: Thank you for your comment. Please see response above.
Pacific Northwest Small Public
Power Utility Comment Group
Project 2008-06 proposes to withdraw the terms “Critical Asset” and “Critical Cyber
Asset” from the NERC Glossary. In order to avoid a reliability gap when this occurs,
we propose including High and Medium Impact BES Cyber Systems and Assets.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
The revised wording to add, “as appropriate” to R1.3 is a concern. We understand
the SDT’s intent to not require all the bulleted parties to be notified for every event
type. But will a good faith effort on the part of the registered entity to deem
appropriateness be subject to second guessing and possible sanctions by the
Compliance Enforcement Authority if they disagree? We note that CIP-001 required
an interpretation to address this issue, but cannot assume that interpretation will
carry over. We suggest spelling out exactly who shall deem appropriateness.
The phrase “as appropriate” was removed and Requirement 1, Part 1.2 was revised
to:
A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1
to the Electric Reliability Organization and other organizations needed for the event
type; i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.
R4 continues to be an onerous requirement for smaller entities. Verification was not
part of the SAR and we are not convinced it is needed for reliability. We are unsure
how a DP with no generation, no BES assets, no Critical Cyber Assets, and less than
100 MW of load; would meet R4. Shall they drill for impossible events? We ask that
R4 be removed. At a minimum it should exclude entities that cannot experience the
events of Attachment 1. Entities that cannot experience the events of Attachment
1 should likewise be exempt from R1.2, 1.3, R2, and R3.
Requirement R4 (now R3) was revised to:
Each Responsible Entity shall conduct an annual test, not including notification to the
Electric Reliability Organization, of the communications process in Part 1.2.
Requirement R1, Part 1.1 specifies that an entity must have a process for recognizing
“applicable events”. An entity is only required to have the Operating Plan as it relates
to events applicable to that entity. The DSR SDT envisions that the testing under
Requirement R3 will include verification that contact information contained in the
Operating Plan is correct. As an example, the annual review of the Operating Plan
could include calling “others as defined in the Responsible Entity’s Operating Plan”
(see Part 1.2) to verify that their contact information is up to date. If any
discrepancies are noted, the Operating Plan would be updated. This language does
not preclude the verification of contact information taking place during a training
event. The DSR SDT has updated the Requirements based on comments received
along with updating Attachment 1 and 2. Please review the updated Standard for all
your concerns.
Response: Thank you for your comment. Please see response above.
Clallam County PUD No.1
Project 2008-06 proposes to withdraw the terms “Critical Asset” and “Critical Cyber
Asset” from the NERC Glossary. In order to avoid a reliability gap when this occurs,
we propose including High and Medium Impact BES Cyber Systems and Assets.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
The revised wording to add, “as appropriate” to R1.3 is a concern. We understand
the SDT’s intent to not require all the bulleted parties to be notified for every event
type. But will a good faith effort on the part of the registered entity to deem
appropriateness be subject to second guessing and possible sanctions by the
Compliance Enforcement Authority if they disagree? We note that CIP-001 required
an interpretation to address this issue, but cannot assume that interpretation will
carry over. We suggest spelling out exactly who shall deem appropriateness.
Part 1.3 (now Part 1.2) was revised to:
1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1
to the Electric Reliability Organization and other organizations needed for the event
type; i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.
R4 continues to be an onerous requirement for smaller entities. Verification was not
part of the SAR and we are not convinced it is needed for reliability. We are unsure
how a DP with no generation, no BES assets, no Critical Cyber Assets, and less than
100 MW of load; would meet R4. Shall they drill for impossible events? We ask that
R4 be removed. At a minimum it should exclude entities that cannot experience the
events of Attachment 1. Entities that cannot experience the events of Attachment
1 should likewise be exempt from R1.2, 1.3, R2, and R3.
Part 1.1 has been revised to include “applicable events listed in EOP-004, Attachment
1.” If an entity cannot experience an event, then it would not be an applicable event.
Requirement R4 (now R3) has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2.
[Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
The DSR SDT envisions that the testing under R3 will include verification that contact
information contained in the Operating Plan is correct. As an example, the annual
review of the Operating Plan could include calling “others as defined in the
Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their contact
information is up to date. If any discrepancies are noted, the Operating Plan would
be updated. This language does not preclude the verification of contact information
taking place during a training event.
Response: Thank you for your comment. Please see response above.
FEUS
R4 requires verification through a drill or exercise the communication process
created as part of R1.3. Clarification of what a drill or exercise should be considered.
In order to show compliance to R4 would the entity have to send a pseudo event
report to Internal Personnel, the Regional Entity, NERC ES-ISAC, Law Enforcement,
and Governmental or provincial agencies listed in R1.3 to verify the communications
plan? It would not be a burden on the entity so much, however, I’m not sure the
external parties want to be the recipient of approximately 2000 pseudo event
reports annually.
Requirement R4 (now R3) related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. Requirement R1, R3
now reads: “Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications process in
Part 1.2.” The DSR SDT envisions that the testing under Requirement 3 will include
verification that contact information contained in the Operating Plan is correct. As an
example, the annual review of the Operating Plan could include calling “others as
defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their
contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated. This language does not preclude the verification of contact
information taking place during a training event.
Attachment 1: BES equipment is too vague - consider changing to BES facility and
including that reduces the reliability of the BES in the footnote. Is the footnote an
and or an or?
Attachment 1: Version 5 of CIP Requirements remove the terms Critical
Asset and Critical Cyber Asset. The drafting team should consider revising the table
to include BES Cyber Systems. Clarify if Damage or Destruction is physical damage
(aka - cyber incidents would be part of CIP-008.)
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Attachment 1: Unplanned Control Center evacuation - remove “potential” from the
reporting responsibility
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2.
Attachment 2 - 3: change to, “Did the event originate in your system?” The
requirement only requires reporting for Events - not potential events.
The DSR SDT has streamlined Attachment 2, per comments received.
Attachment 2 - 4: “Damage or Destruction to BES equipment” should be “Destruction
of BES Equipment” like it is in Attachment 1 and “forced intrusion risk to BES
equipment” remove “risk”
The DSR SDT has streamlined Attachment 2 to reflect the events of Attachment 1, per
comments received.
Response: Thank you for your comment. Please see response above.
ReliabilityFirst
ReliabilityFirst thanks the SDT for their effort on this project. ReliabilityFirst has a
number of concerns/questions related to the draft EOP-004-2 standard which
include the following:
1. General Comment - The SDT should consider any possible
impacts that could arise related to the applicability of Generator Owners that may or
may not own transmission facilities. This will help alleviate any potential or
unforeseen impacts on these Generator Owners
The DSR SDT cannot apply items such as GO/TO issues when NERC and the Regions
are not in agreement to what the issue and solution is.
2. General Comment - Though the rationale boxes contain useful editorial
information for each requirement, they should rather contain the technical rationale
or answer the question “why is this needed” for each requirement. The rationale
boxes currently seem to contain suggestions on how to meet the requirements.
ReliabilityFirst suggests possibly moving some of the statements in the “Guideline
and Technical Basis” into the rationale boxes, as some of the rationale seems to be
contained in that section.
The DSR SDT will continue to update rationale boxes per comments received.
3. General comment - The end of Measure M4 is incorrectly pointing to R3. This
should refer to R4.
Measurement 4 has been corrected.
4. General Comment - ReliabilityFirst recommends the “Reporting Hierarchy for
Reportable Events” flowchart should be removed from the “Background” section and
put into an appendix. ReliabilityFirst believes the flowchart is not really background
information, but an outline of the proposed process found in the new standard.
The DSR SDT provided a flow chart for stakeholders to use if desired. EOP-004-2 sets
a minimum level of reporting per the events described in Attachment 1. The DSR SDT
has received negative feedback in past drafts, the DSR SDT was too prescriptive.
5. Applicability Comment - ReliabilityFirst questions the newly added applicability for
both the Regional Entity (RE) and ERO. Standards, as outlined in many, if not all, the
FERC Orders, should have applicability to users, owners and operators of the BES and
not to the compliance monitoring entities (e.g. RE and ERO). Any requirements
regarding event reporting for the RE and ERO should be dealt with in the NERC Rules
of Procedure and/or Regional Delegation Agreements. It is also unclear who would
enforce compliance on the ERO if the ERO remains an applicable entity.
The ERO is an Applicable Entity under the current version of CIP-008 and therefore
they are held to EOP-004-2. Note, this proposed Standard has been through two
Quality Reviews and there has been no rejection from NERC.
6. Requirement Comment - ReliabilityFirst believes the process for communicating
events in Requirement R1, Part 1.3 should be all inclusive and therefore include the
bullet points. Bullet points are considered to be “OR” statements and thus
ReliabilityFirst believes they should be characterized as sub-parts. Listed below is an
example:
1.3. A process for communicating events listed in Attachment 1 to the following:
1.3.1 Electric Reliability Organization,
1.3.2 Responsible Entity’s Reliability Coordinator
1.3.3 Internal company personnel
1.3.4 The Responsible Entity’s Regional Entity
1.3.5 Law enforcement
1.3.6 Governmental or provincial agencies
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. Requirement R3
now reads: “Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications process in
Part 1.2.” The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct. As an
example, the annual review of the Operating Plan could include calling “others as
defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their
contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated.
7. Requirement Comment - ReliabilityFirst questions why Requirement R1, Part 1.1
and Part 1.2 are not required to be verified when performing a drill or exercise in
Requirement R4? ReliabilityFirst believes that performing a drill or exercise utilizing
the process for identifying events (Part 1.1) and the process for gathering
information (Part 1.2) are needed along with the verification of the process for
communicating events as listed in Part 1.3.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. Requirement R3
now reads: “Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications process in
Part 1.2.” The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct. As an
example, the annual review of the Operating Plan could include calling “others as
defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their
contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated.
8. Compliance Section Comment - Section 1.1 states “If the Responsible Entity works
for the Regional Entity...” and ReliabilityFirst questions the intent of this language.
ReliabilityFirst is unaware of any Responsible Entities who work for a Regional Entity.
Also, if the Regional Entity and ERO remain as applicable entities, in Section 1.1 of
the standard, it is unclear who will act as the Compliance Enforcement Authority
(CEA).
The DSR SDT has followed the guidance in the Standards Development process to
assure that “template” information is correct. The language included is directly from
NERC guideline documents.
9. Compliance Section Comment - ReliabilityFirst recommends removing the second,
third and fourth paragraphs from Section 1.2 since ReliabilityFirst believes entities
should retain evidence for the entire time period since their last audit.
The DSR SDT has followed the guidance in the Standards Development process to
assure that “template” information is correct. The language included is directly from
NERC guideline documents.
10. Compliance Section Comment - ReliabilityFirst recommends modifying the fifth
paragraph from Section 1.2 as follows: “If a Registered Entity is found non-compliant,
it shall keep information related to the non-compliance until found compliant or until
a data hold release is issued by the CEA.” ReliabilityFirst believes, as currently
stated, the CEA would be required to retain information for an indefinite period of
time.
The DSR SDT has followed the guidance in the Standards Development process to
assure that “template” information is correct. The language included is directly from
NERC guideline documents.
11. Compliance Section Comment - ReliabilityFirst recommends removing the sixth
paragraph from Section 1.2 since the requirement for the CEA to keep the last audit
records and all requested and submitted subsequent audit records is already covered
in the NERC ROP.
The DSR SDT has followed the guidance in the Standards Development process to
assure that “template” information is correct. The language included is directly from
NERC guideline documents.
12. Attachment 1 Comment - It is unclear what the term/acronym “Tv” is referring
to. It may be beneficial to include a footnote clarifying what the term “Tv” stands
for.
Tv is based on FAC-010 and the DSR SDT believes that this is clear to affected
stakeholders.
13. VSL General Comment - although ReliabilityFirst believes that the applicability is
not appropriate, as the REs and ERO are not users, owners, or operators of the Bulk
Electric System, the Regional Entity and ERO are missing from all four sets of VSLs, if
the applicability as currently written stays as is. If the Regional Entity and ERO are
subject to compliance for all four requirements, they need to be included in the VSLs
as well. Furthermore, for consistency with other standards, each VSL should begin
with the phrase “The Responsible Entity...”
The DSR SDT will follow the guidance in the Standards Development process to assure
that “template” information is correct.
14. VSL 4 Comment - The second “OR” statement under the “Lower” VSL should be
removed. By not verifying the communication process in its Operating Plan within
the calendar year, the responsible entity completely missed the intent of the
requirement and is already covered under the “Severe” VSL category.
The DSR SDT will follow the guidance in the Standards Development process to assure
that “template” information is correct.
Response: Thank you for your comment. Please see response above.
Northeast Power Coordinating Council
Requirement 4 does not specifically state the details necessary for an entity to
achieve compliance. Requirement 4 should provide more guidance as to what is
required in a drill. Audit/enforcement of any requirement language that is too broad
will potentially lead to Regional interpretation, inconsistency, and additional
CANs.R4 should be revised to delete the 15 month requirement. CAN-0010
recognizes that entities may determine the definition of annual.The standard is too
specific, and drills down into entity practices, when the results are all that should be
looked for.The standard is requiring multiple reports.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. Requirement R3
now reads: “Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications process in
Part 1.2.” The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct. As an
example, the annual review of the Operating Plan could include calling “others as
defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their
contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated.
The Purpose of the Standard is very broad and should be revised because some of
the events being reported on have no impact on the BES. Revise Purpose wording as
follows: To improve industry awareness and the reliability of the Bulk Electric System
“by requiring the reporting of major system events with the potential to impact
reliability and their causes...” on the Bulk Electric System it can be said that every
event occurring on the Bulk Electric System would have to be reported.
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting
of events by Responsible Entities.”
Referring to Requirement R4, the testing of the communication process is the
responsibility of the Responsible Entity. There is an event analysis process already in
place. The standard prescribes different sets of criteria, and forms. There should be
one recipient of event information. That recipient should be a “clearinghouse” to
ensure the proper dissemination of information.
EOP-004 is a standard that requires reporting of events to the ERO. The events
analysis program receives these reports and determines whether further analysis is
appropriate.
Why is this standard applicable to the ERO?
NERC as the ERO is currently a Responsible Entity under CIP-008, and therefore the
proposed EOP-004-2 has the ERO as a Responsible Entity.
Requirement R2 is not necessary. It states the obvious. Requirements R2 and R3 are
redundant. The standard mentions collecting information for Attachment 2, but
nowhere does it state what to do with Attachment 2.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to:
“Requirement R2. Each Responsible Entity shall implement its event reporting Operating
Plan for applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
None of the key concepts identified on page 5 of the standard are clearly stated or
described in the requirements:
o Develop a single form to report disturbances and
events that threaten the reliability of the bulk electric system.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
o Investigate other opportunities for efficiency, such as development of an
electronic form and possible inclusion of regional reporting requirements.
o Establish clear criteria for reporting.
o Establish consistent reporting timelines.
The DSR SDT does allow entities to use the DOE Form OE 417 in lieu of Attachment 2
to report an event. Attachment 1 has been updated to provide consistent criteria for
reporting as well as reporting timelines. All one hour reporting timelines have been
changed to 24 hours with the exception of a ‘Reportable Cyber Security Incident’.
This is maintained due to FERC Order 706, Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
o Provide clarity for who will receive the information and how it will be used.
The standard’s requirements should be reviewed with an eye for deleting those that are
redundant, or do not address the Purpose or intent of the standard.
Requirement R1 has been updated and now reads as:
“Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
The Applicable Entity’s Operating Plan is to contain the process for reporting events
listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and for communicating to others as defined in the Responsible
Entity’s Operating Plan. All events in Attachment 1 are required to be reported to the
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator.
The Operating Plan may include: internal company personnel, your Regional Entity, law
enforcement, and governmental or provisional agencies, as you identify within your
Operating Plan. This gives you the flexibility to tailor your Operating Plan to fit your
company’s needs and wants.
Response: Thank you for your comment. Please see response above.
American Public Power
Association
Requirement R1: 1.3. A process for communicating events listed in Attachment 1 to
the Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator
and the following as appropriate:
o Internal company personnel
o The Responsible Entity’s Regional Entity
o Law enforcement
o Governmental or provincial agencies
APPA believes that including the list of other entities needing to be included in a
process for communicating events under 1.3 may open this requirement up for
interpretation. APPA requests that the SDT remove from the requirement the listing
of; “Internal company personnel, The Responsible Entity’s Regional Entity, Law
enforcement & Governmental or provincial agencies” and include these references in
a guidance document. The registered entities need to communicate with the ERO
and the RC if applicable for compliance with this standard and to maintain the
reliability of the BES. Communication with other entities such as internal company
personnel, law enforcement and the Regional Entity are expected, but do not impact
the reliability of the BES. This will simplify the reporting structure and will not be
burdensome to registered entities when documenting compliance. If this is not an
acceptable solution, APPA suggests revising 1.3 to remove the wording “the
following as appropriate” and add “other entities as determined by the Responsible
Entity. Examples of other entities may include, but are not limited to:” Then it is
clear that the list is examples and should not be enforced by the auditor.
Requirement R1 has been updated and now reads as:
“Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
The Applicable Entity’s Operating Plan is to contain the process for reporting events
listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and for communicating to others as defined in the Responsible
Entity’s Operating Plan. All events in Attachment 1 are required to be reported to the
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator.
The Operating Plan may include: internal company personnel, your Regional Entity, law
enforcement, and governmental or provisional agencies, as you identify within your
Operating Plan. This gives you the flexibility to tailor your Operating Plan to fit your
company’s needs and wants.
1.4. Provision(s) for updating the Operating Plan within 90 calendar days of any
change in assets, personnel, other circumstances that may no longer align with the
Operating Plan; or incorporating lessons learned pursuant to Requirement R3. APPA
understands that the SDT is following the FERC order requiring a 90 day limit on
updates to any changes to the plan. However, APPA believes that “updating the
Operating Plan within 90 calendar days of any change...” is a very burdensome
compliance documentation requirement. APPA reminds the SDT that including DPs
in this combined standard has increased the number of small Responsible Entities
that will be required to document compliance. APPA requests that the SDT combine
requirement 1.4 and 1.5 so the Operating Plan will be reviewed and updated with
any changes on a yearly basis. If this is not an acceptable solution, APPA suggests
that the “Lower VSL” exclude a violation to 1.4. The thought being, a violation of 1.4
by itself is a documentation error and should not be levied a penalty.
Requirement 1, Part 1.4 has been removed from the standard.
Attachment 1: Events Table
APPA believes that the intent of the SDT was to mirror
the DOE OE-417 criteria in reporting requirements. With the inclusion of DP in the
Applicability, however, APPA believes the SDT created an unintended excessive
reporting requirement for DPs during insignificant events.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
APPA recommends that a qualifier be added to the events table. In DOE OE-417
local electrical systems with less than 300MW are excluded from reporting certain
events since they are not significant to the BES.
APPA believes that the benefit of reporting certain events on systems below this
value would not outweigh the compliance burden placed on these small systems.
Therefore, APPA requests that the standard drafting team add the following qualifier
to the Events Table of Attachment 1: “For systems with greater than 300MW peak
load.” This statement should be placed in the Threshold for Reporting column for
the following Events: BES Emergency requiring appeal for load reduction, BES
Emergency requiring system-wide voltage reduction, BES Emergency requiring
manual firm load shedding, BES Emergency resulting in automatic firm load
shedding. This will match the DOE OE-417 reporting criteria and relieve the burden
on small entities.
Upon review of the DOE OE 417, it states “Local Utilities in Alaska, Hawaii, Puerto
Rico, the U.S. Virgin Islands, and the U.S. Territories - If the local electrical system is
less than 300 MW, then only file if criteria 1, 2, 3 or 4 are met”. Please be advised
this exception applies to entities outside the continental USA.
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
Definition of “Risk to BES equipment”: The SDT attempted to give examples of the
Event category “Risk to BES equipment” in a footnote. This footnote gives the
Responsible Entity and the Auditor a lot of room for interpretation. APPA suggests
that the SDT either define this term or give a triggering mechanism that the industry
would understand. One suggestion would be “Risk to BES equipment: An event that
forces a Facility Owner to initiate an unplanned, non-standard or conservative
operating procedure.” Then list; “Examples include train derailment adjacent to BES
Facilities that either could have damaged the equipment directly or has the potential
to damage the equipment...” This will allow the entity to have an operating
procedure linked to the event. If this suggestion is taken by the SDT then the
Reporting column of Attachment 1 needs to be changed to: “The parties identified
pursuant to R1.3 within 1 hour of initiating conservative operating procedures.”
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure
that events meaningful to industry awareness are reported. Note that the
reporting timeline (now revised to 24 hours) starts when the situation has been
determined as a threat, not when it may have first occurred. Also, the footnote
only contains examples.
Response: Thank you for your comment. Please see response above.
Western Electricity
Coordinating Council
Results-based standards should include, within each requirement, the purpose or
reason for the requirement. The requirements of this standard, while we support the
requirements, do not include the goal or purpose of meeting each stated
requirement. The Measures all include language stating “the responsible entity shall
provide...”. During a quality review of a WECC Regional Reliability Standard we were
told that the “shall provide” language is essentially another requirement to provide
something. If it is truly necessary to provide this it should be in the requirements. It
was suggested to us that we drop the “shall provide” language and just start each
Measure with the “Evidence may include but is not limited to...”.
The DSR SDT changed each instance of “shall” to “will” within the measures. We will
defer to NERC Quality Review comments for any additional revisions.
Response: Thank you for your comment. Please see response above.
Sacramento Municipal Utility
District (SMUD)
SMUD and BANC agree with the revised language in EOP-004-1 requirements, but we
have identified the following issues in A-1: We commend the SDT for properly
addressing the sabotage issue. However, additional confusion is caused by
introducing term "damage". As "damage" is not a defined term it would be
beneficial for the drafting team to provide clarification for what is meant by
"damage".
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
As discussed in prior comment forms, the DSR SDT has elected not to define
“sabotage”. As defined in an Entity’s Operating Plan, the requirement is to report and
communicate an event as listed in Attachment 1. EOP-004-2 does not require
analysis of any event listed in Attachment 1.
The threshold for reporting "Each public Appeal for load reduction" should clearly
state the triggering is for the BES Emergency as routine "public appeal" for
conservation could be considered a threshold for the report triggering.
To clarify your point, the threshold has been changed to ‘Public appeal or load
reduction event’.
Regarding the SOL Violations in Attachment 1 the SOL Violations should only be
those that affect the WECC paths.
The DSR SDT has included the following language for WECC’s SOL violation in
Attachment 1:
“IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths
(WECC only)”
The SDT made attempts to limit nuisance reporting related to copper thefts and so
on which is supported. However a number of the thresholds identified in EOP-004-2
Attachment 1 are very low and could congest the reporting process with nuisance
reporting and reviewing.
The DSR SDT made reports made under EOP-004 provide a minimum set of
information, which may trigger further information requests from EAWG as
necessary.
Response: Thank you for your comment. Please see response above.
Southern Company
Southern has the following comments: (1) In Requirement R1.4, we request the SDT
to clarify what is meant by the term “assets”?
The DSR SDT has deleted Requirement R1, Part 1.4, thus “assets” is not contained in
EOP-004-2 based on comments received.
(2) If requirement 4 is not deleted, should we have to test every possible event
described in our Operating Plan or each event listed in Attachment 1 to verify
communications?
The DSR SDT has deleted Requirement R4 based on comments received.
(3) In the last paragraph of the “Summary of Key Concepts” section on page 6 of
Draft 3, there is a statement that “Real-time reporting is achieved through the
RCIS...” The only reporting required on RCIS by the Standards is for EEAs and TLRs.
Please review and modify this language as needed.
The DSR SDT believes “The DSR SDT wishes to make clear that the proposed Standard
does not include any real-time operating notifications for the events listed in
Attachment 1. Real-time reporting is achieved through the RCIS and is covered in other
standards (e.g. the TOP family of standards). The proposed standard deals exclusively
with after-the-fact reporting” is correct.
(4) Evidence Retention (page 12 of Draft 3): The 3 calendar year reference has no
bearing on a Standard that may be audited on a cycle greater than 3 years.
The DSR SDT has updated the Evidence Retention section with standard language
provided by NERC staff.
(5) In the NOTE for Attachment 1 (page 20 of Draft 3), what is meant by “periodic
verbal updates” and to whom should the updates be made?
The DSR SDT has updated the note in question to remove the language of “periodic
verbal updates”, it now reads as:
“NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may
not be possible to report the damage caused by an event and issue a written Event
Report within the timing in the table below. In such cases, the affected Responsible
Entity shall notify parties per R1 and provide as much information as is available at the
time of the notification. Reports to the ERO should be submitted to one of the following:
e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.”
(6) There are Prerequisite Approvals listed in the Implementation Plan. Is it
appropriate to ask industry to vote on this Standard Revision that has a prerequisite
approval of changes in the Rules of Procedure that have not been approved?
The proposed revisions to the Rules of Procedure should have been posted with the
standard. This posting will occur with the successive ballot of EOP-004-2.
(7) We believe the reporting of the events in Attachment 1 has no reliability benefit
to the Bulk Electric System. We suggest that Attachment 1 should be removed.
The DSR SDT disagrees with this comment. Attachment 1 is the minimum set of
events that will be required to report and communicate per your Operating Plan will
be aware of system conditions.
Response: Thank you for your comment. Please see response above.
Texas Reliability Entity
Substantive comments: 1. ERO and Regional Entities should not be included in the
Applicability of this standard. Just because they may be subject to some CIP
requirements does not mean they also have to be included here. The ERO and
Regional Entities do not operate equipment or systems that are integral to the
operation of the BES. Also, none of the VSLs apply to the ERO or to Regional Entities.
The DSR SDT is following guidance that NERC has provided to the DSR SDT. The ERO
and the RE are applicable entities under CIP-008. Reporting of Cyber Security
Incidents is the responsibility of the ERO and the RE.
2. The first entry in the Events Table should say “Damage or destruction of BES
equipment.” Equipment may be rendered inoperable without being “destroyed,”
and entities should not have to determine within one hour whether damage is
sufficient to cause the equipment to be considered “destroyed.” Footnote 1 refers
to equipment that is “damaged or destroyed.”
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
3. In the Events Table, consider whether the item for “Voltage deviations on BES
facilities” should also be applicable to GOPs, because a loss of voltage control at a
generator (e.g. failure of an automatic voltage regulator and power system stabilizer)
could have a similar impact on the BES as other reportable items.
The DSR SDT disagrees with this comment. Attachment 1 is the minimum set of
events that will be required to report and communicate per your Operating Plan will
be aware of system conditions.
4. In the Events Table, under Transmission Loss, does this item require that at least
three Facilities owned by one entity must be lost to trigger the reporting
requirement, or is the reporting requirement also to be triggered by loss of three
Facilities during one event or occurrence that are owned by two or three different
entities?
The DSR SDT has stated in Attachment 1 that “Each TOP that experiences the
transmission loss”. This would mean per individual TOP.
5. In the Events Table, under Transmission Loss, it is unclear how Facilities are to be
counted to determine when “three or more” Facilities are lost. In the NERC Glossary,
Facility is ambiguously defined as “a set of electrical equipment that operates as a
single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator,
transformer, etc.).” In many cases, a “set of electrical equipment” can be selected
and counted in different ways, which makes this item ambiguous.
Both Transmission and Facilities are defined terms and the DSR SDT feels this gives
sufficient direction.
6. In the Events Table, under Transmission Loss, it appears that a substation bus
failure would only count as a loss of one Facility, even though it might interrupt flow
between several transmission lines. We believe this type of event should be
reported under this standard, and appropriate revisions should be made to this
entry.
The DSR SDT used the defined term “Facility” to add clarity for this event as well as other
events in Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
7. In the Events Table, under Transmission Loss, consider including generators that
are lost as a result of transmission loss events when counting Facilities. For example,
if a transmission line and a transformer fail, resulting in a generator going off-line,
that should count as a loss of “three or more” facilities and be reportable under this
standard.
Attachment 1 is the minimum set of events that will be required to report and
communicate per your Operating Plan will be aware of system conditions.
8. In the Events Table, under “Unplanned Control Center evacuation” and “Loss of
monitoring or all voice communication capability,” GOPs should be included. GOPs
also operate control centers that would be subject to these kinds of occurrences.
Attachment 1 is the minimum set of events that will be required to report and
communicate per your Operating Plan will be aware of system conditions.
9. In the Events Table, under “Loss of monitoring or all voice communication
capability,” we suggest adding that if there is a failure at one control center, that
event is not reportable if there is a successful failover to a backup system or control
center.
The DSR SDT has split this event into two separate events based on comments
received, it now reads as: “Loss of all voice communication capability” and “Complete
or partial loss of monitoring capability”.
10. “Fuel supply emergency” is included in the Event Reporting Form, but not in
Attachment 1, so there is no reporting threshold or deadline provided for this type of
event.
Attachment 2 was updated to reflect the revisions to Attachment 1. The reference to
“actual or potential events” was removed. Also, the event type of “other” and “fuel
supply emergency” was removed as well.
Clean-up items: 1. In R1.5, capitalize “Responsible Entity” and lower-case “process”.
The DSR SDT has deleted Requirement 1, part 1.5.
2. In footnote 1, add “or” before “iii)” to clarify that this event type applies to
equipment that satisfies any one of these three conditions.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
3. In the Event Reporting Form, “forced intrusion” and “Risk to BES equipment” are
run together and should be separated.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
VSLs: 1. We support the substance of the VSLs, but the repeated long list of entities
makes the VSLs extremely difficult to read and decipher. The repeated list of entities
should be replaced by “Responsible Entities.” 2. If the ERO and Regional Entities are
to be subject to requirements in this standard (which we oppose), they need to be
added to the VSLs.
The DSR SDT has revised the VSLs to eliminate the list of entities and lead with
“Responsible Entity”.
Response: Thank you for your comment. Please see response above.
Suggest removing 1.4 since 1.5 ensures an annual review. The implementation of the
plan should also include the necessary reporting.
Requirement R1, Part 1.4 has been removed.
Response: Thank you for your comment. Please see response above.
Electric Compliance
The concepts of “Critical Assets” and “Critical Cyber Assets” no longer exist in Version
5 of the CIP Standards and so this may cause confusion. Recommend modifying to
be in accordance with Version 5. Additionally, it is debatable whether the
destruction of, for example, one relay would be a reportable incident given the
proposed language. We recommend modifying the language to ensure nuisance
reporting is minimized. One reportable event is, “Risk to the BES” and the threshold
for reporting is, “From a non-environmental physical threat.” This appears to be a
catch-all reportable event. Due to the subjectivity of this event description, we
suggest removing it from the list.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
Footnote 1 and the “Threshold for Reporting” associated with the Event described as
“Destruction of BES equipment” expand the reporting scope. For example, a fan on a
transformer can be destroyed because a technician drops a screwdriver into it. We
believe such an event should not be reportable under EOP-004-2. Yet, as written, a
Responsible Entity could interpret that event as reportable (because it would be
“unintentional human action” that destroyed a piece of equipment associated with
the BES). If the goal of the SDT was to include such events, we think the draft
Standard goes too far in requiring reporting. If the SDT did not intend to include such
events, the draft Standard should be revised to make that fact clear. Proposed
Footnote: BES equipment that become damaged or destroyed due to intentional or
unintentional human action which removes the BES equipment from service that i)
Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has
the potential to result in the need for emergency actions); iii). Do not report copper
theft from BES equipment unless it degrades the ability of equipment to operate
correctly (e.g., removal of grounding straps rendering protective relaying
inoperative).
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
The word “Significantly” in item ii) of footnote 1 and “as appropriate” in section 1.3
introduces elements of subjectivity. What is “significant” or “appropriate” to one
person may not be to someone else.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
In section 1.4, we believe that revising the plan within 90 days of “any” change
should be changed to 180 days or else classes of events should be made so that only
substantial changes are required to be made within the 90 day timeframe.
Requirement R1, Part 1.4 was removed from the standard.
Response: Thank you for your comment. Please see response above.
Georgia System Operations
Corporation
The ERO and the Regional Entity should not be listed as Responsible Entities. The
ERO and the Regional Entity should not have to meet the requirements of this
standard, especially reporting to itself.
The ERO and the RE are applicable under the CIP-008 standard and are therefore
applicable under EOP-004.
Attachment 1 (all page numbers are from the clean draft): Page 20, destruction of
BES equipment: part iii) of the footnote adds damage as an event but the heading is
for destruction. Is it just for destruction? Or is it for damage or destruction?
The DSR SDT has modified Attachment 1 to bring more clarity. The ‘Destruction’ event
category has been revised to include ‘damage or destruction of a Facility’ (a defined
term) and thresholds have been modified to provide clarity. The footnote was deleted.
Page 21, Risk to BES equipment: Footnote 3 gives an example where there is
flammable or toxic cargo. These are environmental threats. However, the threshold
for reporting is for non-environmental threats. Which is it?
For this event, environmental threats are considered to be severe weather,
earthquakes, etc. rather than an external threat.
Page 21, BES emergency requiring public appeal for load reduction: A small deficient
entity within a BA may not initiate public appeals. The BA is typically the entity which
initiates public appeals when the entire BA is deficient. The initiating entity should be
the responsible entity not the deficient entity.
The DSR SDT revised this event to indicate the “initiating” entity is responsible for
reporting.
Page 21, BES emergency requiring manual firm load shedding: If a RC directs a DP to
shed load and the DP initiates manually shedding its load as directed, is the RC the
initiating entity? Or is it the DP?
The DSR SDT believes the wording of “initiating entity” provides enough clarity for
each applicable entity to understand. In this case, the RC made the call to shed load
and therefore should report.
Page 22, system separation (islanding): a DP does not have a view of the system to
see that the system separated or how much generation and load are in the island.
Remove DP.
The DSR SDT disagrees with your comment. DPs may be the first to recognize that
they are islanded or separated from the system.
Attachment 2 (all page numbers are from the clean draft): Page 25: fuel supply
emergencies will no longer be reportable under the current draft.
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2 based on comments received.
Miscellaneous typos and quality issues (all page numbers are from the clean
draft): Page 5, the last paragraph: There are two cases where Parts A or B are
referred to. Attachment 1 no longer has two parts (A & B). Page 27, Discussion of
Event Reporting: the second paragraph has a typo at the beginning of the sentence.
The DSR SDT has corrected these typos.
Response: Thank you for your comment. Please see response above.
Thompson Coburn LLP on
behalf of Miss. Delta Energy
Agency
The first three incident categories designated on Attachment 1 as reportable events
should be modified. As the Standard is currently drafted, each incident category (i.e.,
destruction of BES equipment, damage or destruction of Critical Assets, and damage
or destruction of Critical Cyber Assets) requires reporting if the event was due to
unintentional human action. For example, under the reporting criteria as drafted,
inadvertently dropping and damaging a piece of computer equipment designated as
a Critical Cyber Asset while moving or installing it would appear to require an event
report within an hour of the incident.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
MDEA requests that the Drafting Team consider modifying footnote 1 and each of
the first three event categories to reflect that reportable events include only those
that (i) affect an IROL; (ii) significantly affect the reliability margin of the system; or
(iii) involve equipment damage or destruction due to intentional human action that
results in the removal of the BES equipment, Critical Assets, and/or Critical Cyber
Assets, as applicable, from service.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
Footnote 2 (which now pertains only to the fourth incident category - forced
intrusions) should also apply to the first three event categories. Specifically,
responsible entities should report intentional damage or destruction of BES
equipment, damage or destruction of Critical Assets, and damage or destruction of
Critical Cyber Assets if either the damage/destruction was clearly intentional or if
motivation for the damage or destruction cannot reasonably be determined and the
damage or destruction affects the reliability of the BES.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
Attachment 1 is also unclear to the extent that the incident category involving
reports for the detection of reportable Cyber Security Incidents includes a reference
to CIP-008 as the reporting threshold. While entities in various functional categories
(i.e., RCs, BAs, TOPs/TOs, GOPs/GOs, and DPs) are listed as being responsible for the
reporting of such events, some entities in these functional categories may not
currently be subject to CIP-008. If it is the Drafting Team’s intent to limit event
reports for Cyber Security Incidents to include only registered entities subject to CIP-008, that clarification should be incorporated into the listing of entities with
reporting responsibility for this incident category in Attachment 1.
The “Entity with reporting responsibility” for the event “A reportable Cyber Security
Incident” has been revised to “Each Responsible Entity applicable under CIP-008-4 or
its successor that experiences the Cyber Security Incident”.
Response: Thank you for your comment. Please see response above.
Luminant Power
The following comments all apply to Attachment 1: o As a general comment, SDT
should specifically list the entities the reportable event applies to in the table for
clarity. Do not use general language referencing another standard or statements
such as “Deficient entity is responsible for reporting”, “Initiating entity is responsible
for reporting”, or other similar statements used currently in the table. This leaves
this open and subject to interpretation.
The DSR SDT disagrees with your comment. This language provides the most
flexibility for applicable entities and maintains a minimum level of who is required to
report or communicate events based on an entity’s Operating Plan, as described in
Requirement 1.
Also, there are a number of events that do not apply to all entities. o Destruction of
BES equipment should be Intentional Damage or Destruction of BES equipment.
Unintentional actions occur and should not be a requirement for reporting under
disturbance reporting.
The event for “Destruction of BES equipment” has been revised to “Damage or
destruction of a Facility”. The threshold for reporting information was expanded for
clarity:
“Damage or destruction of a Facility that: affects an IROL
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from intentional human action.”
o Actions or situations affecting equipment or generation unit availability due to
human error, equipment failure, unintentional human action, external cause, etc. are
reported in real time to the BA and other entities as required by other NERC
Standards. Disturbance reporting should avoid the type of events that, for instance,
would cause the total or partial loss of a generating unit under normal operational
circumstances. There are a number of issues with the table in this regard.
The DSR SDT has removed such language based on comments received.
o For clarity, consider changing the table to identify for each event type “who”
should be notified. This appears to be missing from the table overall.
The DSR SDT has updated Requirement R1, Part 1.2 to read as: “1.2 A process for
communicating each of the applicable events listed in EOP-004 Attachment 1 in
accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator;
law enforcement governmental or provincial agencies.”
o Reportable Events, the meaning for the Event labeled “Destruction of BES
equipment” is not clear. Footnote 1 adds the language “iii) Damaged or destroyed
due to intentional or unintentional human action which removes the BES equipment
from service.” This language can be interpreted to mean that any damage to any BES
equipment caused by human action, regardless of intention, must be reported within
1 hour of recognition of the event. This requirement will be overly burdensome. If
this is not the intent of the definition of “Destruction of BES equipment”, the
footnote should be re-worded. As such, it is subjective and left open to
interpretation. It should focus only on intentional actions to damage or interrupt
BES functionality. It should not be worded as such that every item that trips a unit or
every item that is damaged on a unit requires a report. That is where the language
right now is not clear. There are and will continue to be unintentional human error
that results in taking equipment out of service. This standard was meant to replace
sabotage reporting.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
o Damage or destruction of Critical Asset per CIP-002 and Damage or destruction of a
Critical Cyber Asset per CIP-002 should be removed from the table as Intentional
Damage or Destruction of BES equipment would cover this as well.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
o Risk to BES equipment should be removed from the table as it is very subjective
and broad. At a minimum, the 1 hour reporting timeline should begin after
recognition and assessment of the incident. As an example, a fire close to BES
equipment may not truly be a threat to the equipment and will not be known until
an assessment can be made to determine the risk.
The DSR SDT has removed this event based on comments received.
o Detection of a Reportable Cyber Security incident should be removed from the
table as this is covered by CIP-008 requirements. Having this in two separate
standards is double jeopardy and confusing to entities.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
o Generation Loss event reporting should only apply to the BA. These authorities
have the ability and right to contact generation resources to supply necessary
information needed for reporting. This would also eliminate redundant reporting by
multiple entities for the same event.
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
o Suggest that Generation Loss MW loss would match up with the 1500 MW level
identified in CIP Version 4 or Version 5 for consistency between future CIP standards
and this disturbance reporting standard. This would then cover CIP and significant
MW losses that should be reported.
The DSR SDT disagrees as this threshold is based on the current EOP-004-1.
o The Generation Loss MW loss amount needs to have a time boundary. Luminant
would suggest a loss of 1500 MW within 15 minutes.
The DSR SDT disagrees as this threshold is based on the current EOP-004-1.
o Unplanned Control Center evacuation should not apply to entities that have
backup Control Centers where normal operations can continue without impact to the
BES.
The DSR SDT disagrees with your comment. By reporting and communicating per an
entity’s Operating Plan, you will provide situational awareness to entities per your
Operating Plan.
o Loss of monitoring or all voice communication capability should be separated. Also
the 24 hour reporting requirement may not be feasible if communications is down
for longer than 24 hours.
The DSR SDT has split this event into two separate events based on comments
received, it now reads as: “Loss of all voice communication capability” and “Complete
or partial loss of monitoring capability”.
Luminant would suggest removal of the communication reporting event as there are
a number of things that could cause this to occur for longer than the reporting
requirement allows, thus putting entities at jeopardy of a potential violation that is
out of their control. How does an entity report if all systems and communications are
down for more than 24 hours? What about in instances of a partial or total
blackout? These events could last much longer than 24 hours. All computer
communication would likely also be down thus rendering electronic reporting
unavailable.
EOP-004-2 only requires an entity to report and communicate per their Operating
Plan within the time frames set in Attachment 1.
Response: Thank you for your comment. Please see response above.
Kansas City Power & Light
The implementation plan indicates that much of CIP-008 is retained. The reporting
requirements in CIP-008 and the required reportable events outlined in Attachment
1 are an overlap with CIP-008-3 R1.1 which says “Procedures to characterize and
classify events as reportable Cyber Security Incidents” and CIP-008-3 R1.3 which
requires processes to address reporting to the ES-ISAC. There is also a NERC
document titled, Security Guideline for the Electricity Sector: Threat and Incident
Reporting, which is a guideline to “assist entities to identify and classify incidents for
reporting to the ES-ISAC”. The SDT should consider the content of the Security
Guideline for the Electricity Sector: Threat and Incident Reporting when considering
the reporting requirements proposed EOP-004. The efforts to incorporate CIP-008
into EOP-004 are insufficient and will result in serious confusion between proposed
EOP-004 and CIP-008 and reporting expectations. Considering the complexity of CIP
incident reporting and the interests of ES-ISAC, it may be beneficial to leave CIP-008
out of the proposed EOP-004 and limit EOP-004 to the reporting interests of NERC.
Attachment 2 (or the DOE Form OE 417) is the reporting form to be used for reporting
a “Cyber Security Incident”.
The flowchart states, “Notification Protocol to State Agency Law Enforcement”.
Please correct this to, “Notification to State, Provincial, or Local Law Enforcement”,
to be consistent with the language in the background section part, “A Reporting
Process Solution - EOP-004”.
The DSR SDT has updated the “Example of Reporting Process including Law
Enforcement”, and please note that this is only an “example”.
Measure 4 is not clear enough regarding the extent to which drills should be
performed. Does the measure mean that all events in the events list need to be
drilled or is drilling a subset of the events list sufficient? Please clearly indicate the
extent of drilling that is required or clearly indicate in the requirement the extent of
the drills to be performed is the responsibility of the Responsible Entity to identify in
their “processes”.
Requirement R4 (now R3) has been revised and the measure now reads:
Each Responsible Entity will have dated and time-stamped records to show that the
annual test of Part 1.2 was conducted. Such evidence may include, but are not
limited to, dated and time stamped voice recordings and operating logs or other
communication documentation. (R3)
Evidence Retention - it is not clear what the phrase “prior 3 calendar years”
represents in the third paragraph of this section regarding data retention for
requirements and measures for R2, R3, R4 and M2, M3, M4 respectively. Please
clarify what this means. Is that different than the meaning of “since the last audit for
3 calendar years” for R1 and M1?
This has been revised for clarity and to be consistent with NERC Guidance documents.
The new evidence retention reads:
Each Responsible Entity shall retain the current, in force document plus the
‘date change page’ from each version issued since the last audit or the
current and previous version for Requirements R1, R4 and Measures M1, M4.
Each Responsible Entity shall retain evidence from prior 3 calendar years for
Requirements R2, R3 and Measures M2, M3.
VSL for R2 under Severe regarding R1.1 may require revision considering the
comment regarding R1.1 in item 2 previously stated. In addition, the VRF for R2 is
MEDIUM. R2 is administrative regarding the implementation of the requirements
specified in R1. Documentation and maintenance should be considered LOWER.
There is no VSL for R4 and a VSL for R4 needs to be proposed.
The DSR SDT reviewed and updated both VSLs for the new requirements.
Response: Thank you for your comment. Please see response above.
SPP Standards Review Group
The inclusion of optional entities to which to report events in R1.3 introduces
ambiguity into the standard that we feel needs to be eliminated. We propose the
following replacement language for R1.3: A process for communicating events listed
in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and the Responsible Entity’s Regional Entity. We would also
propose to incorporate the law enforcement and governmental or provincial
agencies mentioned in R1.3 in Attachment 1 by adding them to the existing language
for each of the event cells. For example, the first cell in that column would read: The
parties identified pursuant to R1.3 and applicable law enforcement and
governmental or provincial agencies within 1 hour of recognition of event. Similarly,
the phrase ‘...and applicable law enforcement and governmental or provincial
agencies...’ should be inserted in all the remaining cells in the 4th column.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is to
define its process for reporting and with whom to report events. Requirement R1, Part
1.2 now reads:
“1.2
A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
Response: Thank you for your comment. Please see response above.
Santee Cooper
The on-going development of the definition of the BES could have significant impacts
on reporting requirements associated with this standard. The event titled “Risk to the
BES” appears to be a catch-all event and more guidance needs to be provided on this
category.
Several stakeholders expressed concerns relating to the “Forced Intrusion” event. Their
concerns related to ambiguous language in the footnote. The DSR SDT discussed this
event as well as the event “Risk to BES equipment”. These two event types had overlap
in the perceived reporting requirements. The DSR SDT removed “Forced Intrusion” as a
category and the “Risk to BES equipment” event was revised to “A physical threat that
could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The event titled “Damage or Destruction of a Critical Asset or Critical Cyber Asset per
CIP-002” is ambiguous and further guidance is recommended. Ambiguity in a
standard leaves it open to interpretation for all involved.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
Response: Thank you for your comment. Please see response above.
Florida Municipal Power
Agency
The Rules of Procedure language for data retention (first paragraph of the Evidence
Retention section) should not be included in the standard, but instead referred to
within the standard (e.g., “Refer to Rules of Procedure, Appendix 4C: Compliance
Monitoring and Enforcement Program, Section 3.1.4.2 for more retention
requirements”) so that changes to the RoP do not necessitate changes to the
standard.
The language incorporated in this section of the standard is boilerplate language
provided by NERC staff for inclusion in each standard.
In R4, it might be worth clarifying that, in this case, implementation of the plan for an
event that does not meet the criteria of Attachment 1 and going beyond the
requirements R2 and R3 could be used as evidence. Consider adding a phrase as such
to M4, or a descriptive footnote that in this case, “actual event” may not be limited
to those in Attachment 1.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to:
“Requirement R2. Each Responsible Entity shall implement its event reporting Operating
Plan for applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Comments to Attachment 1 table: On “Damage or destruction of Critical Asset” and
“... Critical Cyber Asset”, Version 5 of the CIP standards is moving away from the
binary critical/non-critical paradigm to a high/medium/low risk paradigm. Suggest
adding description that if version 5 is approved by FERC, that “critical” would be
replaced with “high or medium risk”, or include changing this standard to the scope
of the CIP SDT, or consider posting multiple versions of this standard depending on
the outcome of CIP v5 in a similar fashion to how FAC-003 was posted as part of the
GO/TO effort of Project 2010-07.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
On “forced intrusion”, the phrase “at BES facility” is open to interpretation as “BES
Facility” (e.g., controversy surrounding CAN-0016) which would exclude control
centers and other critical/high/medium cyber system Physical Security Perimeters
(PSPs). We suggest changing this to “BES Facility or the PSP or Defined Physical
Boundary of critical/high/medium cyber assets”. This change would cause a change
to the applicability of this reportable event to coincide with CIP standard
applicability.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
On “Risk to BES equipment”, that phrase is open to too wide a range of
interpretation; we suggest adding the word “imminent” in front of it, i.e., “Imminent
risk to BES equipment”. For instance, heavy thermal loading puts equipment at risk,
but not imminent risk. Also, “non-environmental” used as the threshold criteria is
ambiguous. For instance, the example in the footnote, if the BES equipment is near
railroad tracks, then trains getting derailed can be interpreted as part of that BES
equipment’s “environment”, defined in Webster’s as “the circumstances, objects, or
conditions by which one is surrounded”. It seems that the SDT really means “non-weather related”, or “Not risks due to Acts of Nature”.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
On “public appeal”, in the threshold, the descriptor “each” should be deleted, e.g., if
a single event causes an entity to be short of capacity, do you really want that entity
reporting each time they issue an appeal via different types of media, e.g., radio, TV,
etc., or for a repeat appeal every several minutes for the same event?
The DSR SDT has updated the event concerning “public appeals” based on comments
received and now reads as: “Public appeal for load reduction event”.
Should LSE be an applicable entity to “loss of firm load”? As proposed, the DP is but
the LSE is not. In an RTO market, will a DP know what is firm and what is non-firm
load? Suggest eliminating DP from the applicability of “system separation”. The
system separation we care about is separation of one part of the BES from another
which would not involve a DP.
The DSR SDT believes the “Entity with Reporting Responsibility” maintains the
minimum number and type of entities that will be required to report such an event.
On “Unplanned Control Center Evacuation”, CIP v5 might add GOP to the
applicability, another reason to add revision of EOP-004-2 to the scope of the CIP v5
drafting team, or in other ways coordinate this SDT with that SDT. Consider posting a
couple of versions of the standard depending on the outcome of CIP v5 in a similar
fashion to the multiple versions of FAC-003 posted with the Go/TO effort of Project
2010-07.
The DSR SDT can only provide information on approved standards, not yet to be
defined standards.
Response: Thank you for your comment. Please see response above.
Dominion
There is still inconsistency in Attachment 1 vs. the DOE OE-417 form; in future
changes, Dominion suggests aligning/renaming events similar to that of the ‘criteria for
filing’ events listed in the DOE OE-417, by working in coordination with the DOE.
Thank you for your comment. Attachment 1 is the basis for EOP-004-2; it contains
the events and thresholds for reporting. OE-417, as well as the EAWG’s requirements,
were considered in creating Attachment 1, but there remain differences for the
following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Please note that not all entities in North America are required to submit the DOE
Form OE 417.
Minor comment; in the Background section, the drafting team refers to bulk power
system (redline page 5; 1st paragraph and page 7; 2nd paragraph) rather than bulk
electric system.
This has been revised to Bulk Electric System.
The note in Attachment 1 states in part that “the affected Responsible Entity shall
notify parties per R1 and ...” Dominion believes the correct reference to be R3. In
addition, capitalized terms “Event” and “Event Report” are used in this note.
Dominion believes the terms should be non-capitalized as they are not NERC defined
terms.
The DSR SDT has updated this note based on comments received and now reads as:
“NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may
not be possible to report the damage caused by an event and issue a written event
report within the timing in the table below. In such cases, the affected Responsible
Entity shall notify parties per R1 and provide as much information as is available at the
time of the notification. Reports to the ERO should be submitted to one of the following:
e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.”
Attachment 1 - “Detection of a reportable Cyber Security Incident - That meets the
criteria in CIP-008”. This essentially equates the criteria to be defined by the entity
in its procedures as required by CIP-008 R1.1., additional clarification should be
added in Attachment 1 to make this clear.
The DSR SDT believes that this event language provides enough clarity by providing
the minimum events to be reported.
The last sentence in Attachment 2 instructions should clarify that the email, facsimile
and voice communication methods are for ERO notification only.
The DSR SDT agrees and has revised the sentence to include “to the ERO”.
Dominion continues to believe that the drill or exercise specified in R4 is
unnecessary. Dominion suggests deleting this activity in the requirement.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. Requirement R3
now reads: “Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications process in
Part 1.2. ”.
The DSR SDT envisions that the testing under Requirement R3 will include verification
of contact information contained in the Operating Plan is correct. As an example, the
annual review of the Operating Plan could include calling “others as defined in the
Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their contact
information is up to date. If any discrepancies are noted, the Operating Plan would
be updated.
Response: Thank you for your comment. Please see response above.
Ingleside Cogeneration LP
We are encouraged that the 2009-01 project team has eliminated duplicate
reporting requirements from multiple organizations and governmental agencies.
Ingleside Cogeneration LP believes that there are further improvements that can be
made in this area - as the remaining overlap seem to be a result of legalities and
preferences, not technical issues. We would like to see an ongoing commitment by
NERC for a single process that will consolidate and automate data entry, submission,
and distribution.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Please note that not all entities in North America are required to submit the DOE
Form OE 417.
Response: Thank you for your comment. Please see response above.
SERC OC Standards Review
Group
We believe that reporting of the events in Attachment 1 has no reliability benefit to
the bulk electric system. In addition, Attachment 1, in its current form, is likely to be
impossible to implement consistently across North America. A requirement, to be
considered a reliability requirement, must be implementable. We suggest that
Attachment 1 should be removed.
The DSR SDT disagrees with this comment. Attachment 1 is the minimum set of events
that will be required to report and communicate per your Operating Plan will be aware
of system conditions.
We have a question about what looks like a gap in this standard: Assuming one of
the drivers for the standard is to protect against a coordinated physical or cyber
attack on the grid, what happens if the attack occurs in 3-4 geographically diverse
areas? State or provisional law enforcement officials are not accountable under the
standard, so we have no way of knowing if they report the attack to the FBI or the
RCMP. Even if one or two of them did, might not the FBI, in different parts of the
country, interpret it as vandalism, subject to local jurisdiction? It seems that NERC is
the focal point that would have all the reports and, ideally, some knowledge how the
pieces fit together. It looks like NERC’s role is to solely pass information on
“applicable” events to the FERC. Unless the FERC has a 24x7 role not shown in the
standard, should not NERC have some type of assessment responsibility to make
inquiries at the FBI/RCMP on whether they are aware of the potential issue and are
working on it? “The comments expressed herein represent a consensus of the views
of the above named members of the SERC OC Standards Review group only and
should not be construed as the position of SERC Reliability Corporation, its board or
its officers.”
Requirement R1, Part 1.2 was updated and now reads as: “A process for communicating
each of the applicable events listed in EOP-004 Attachment 1 in accordance with the
timeframes specified in EOP-004 Attachment 1 to the Electric Reliability Organization
and other organizations needed for the event type; i.e. the Regional Entity; company
personnel; the Responsible Entity’s Reliability Coordinator; law enforcement
governmental or provincial agencies.”
By reporting to the ERO all events, this will allow the ERO to coordinate with other
agencies as they see fit.
Response: Thank you for your comment. Please see response above.
ZGlobal on behalf of City of
Ukiah, Alameda Municipal
Power, Salmen River Electric,
City of Lodi
We feel that the drafting team has done an excellent job of providing clarification
and reasonable reporting requirements to the right functional entity. However we
feel additional clarification should be made in the Attachment I Event Table. We
suggest the following modifications:
For the Event: BES Emergency resulting in automatic firm load shedding
Modify the Entity with Reporting Responsibility to: Each
DP or TOP that experiences the automatic load shedding within their respective
distribution serving or Transmission Operating area.
The DSR SDT believes the “Entity with Reporting Responsibility” contains the minimum
entities that will be required to report and reads as: “Each DP or TOP that experiences
the automatic load shedding”
For the Event: Loss of Firm load for ≥ 15 Minutes
Modify the Entity with Reporting
Responsibility to: Each BA, TOP, DP that experiences the loss of firm load within their
respective balancing, Transmission operating, or distribution serving area.
The DSR SDT believes the “Entity with Reporting Responsibility” contains the minimum
entities that will be required to report and reads as: “Each BA, TOP, DP that experiences
the loss of firm load”
Response: Thank you for your comment. Please see response above.
PSEG
We have several comments: 1. The “Law Enforcement Reporting” section on p. 6 is
unclearly written. The first three sentences are excerpted here: “The reliability
objective of EOP-004-2 is to prevent outages which could lead to Cascading by
effectively reporting events. Certain outages, such as those due to vandalism and
terrorism, may not be reasonably preventable. These are the types of events that
should be reported to law enforcement.” The outages described prior to the last
sentence are “vandalism and terrorism.” The next sentence states “Entities rely
upon law enforcement agencies to respond to and investigate those events which
have the potential to impact a wider area of the BES.” If the SDT intended to only
have events reported to law enforcement that could lead to Cascading, it should state so
clearly and succinctly. But other language implies otherwise.
The DSR SDT has updated the “Example of reporting Process including Law
Enforcement”, and please note that this is only an “example”.
a. The footnote 1 on Attachment 1 (p. 20) states: “Do not report copper theft from
BES equipment unless it degrades the ability of equipment to operate correctly (e.g.,
removal of grounding straps rendering protective relaying inoperative).” Rendering
a relay inoperative may or may not lead to Cascading.
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “A physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
b. With regard to “forced intrusion,” footnote 2 on Attachment 1 states: “Report if
you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or
spray graffiti is not reportable unless it effects (sic) the reliability of the BES.” The
criterion, or criteria, for reporting an event to law enforcement needs to be
unambiguous. The SDT needs to revise this “Law Enforcement Section” so that is
achieved. The “law enforcement reporting” criterion, or criteria, should also be
added to the flow chart on p. 9. We suggest the following as a starting point for the
team to discuss: there should be two criteria for reporting an event to law
enforcement: (1) BES equipment appears to have been deliberately damaged,
destroyed, or stolen, whether by physical or cyber means, or (2) someone has
gained, or attempted to gain, unauthorized access by forced or unauthorized entry
(e.g., via a stolen employee keycard badge) into BES facilities, including by physical or
cyber means.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity. The footnote was
deleted.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new event
type called ‘A physical threat that could impact the operability of a Facility’. Using
judgment is unavoidable for this type of event. This language was chosen because the
Responsible Entity is in the best position to exercise this judgment and determine whether
or not an event poses a threat to its Facilities. The DSR SDT believes this revised event
type will minimize administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24 hours)
starts when the situation has been determined as a threat, not when it may have first
occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
2. The use of the terms “communicating events” in R1.3, and the use of the term
“communication process” are confusing because in other places such as R3 the term
“reporting” is used. If the SDT intends “communicating” to mean “reporting” as that
latter term is used in R3, it should use the same “reporting” term in lieu of
“communicating” or “communication” elsewhere. Inconsistent terminology causes
confusion. PSEG prefers the word “reporting” because it is better understood.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is to
define its process for reporting and with whom to report events. Requirement R1, Part
1.2 now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.”
The SDT envisions that most entities will only need to slightly modify their existing
CIP-001 Sabotage Reporting procedures in order to comply with the Operating Plan
requirement in this proposed standard. As many of the features of both are
substantially similar, the SDT feels that some information may need to be updated and
verified.
3. Attachment 1 needs to more clearly define what is meant by “recognition of an
event.” a. When equipment or a facility is involved, it would better state within “X”
time (e.g., 1 hour) of “of confirmation of an event by the entity that either owns or
operates the Element or Facility.”
Based on stakeholder comments, Requirement R1 was revised for clarity. Requirement
R1, Part 1.1 was revised to replace the word “identifying” with “recognizing” and Part
1.2 was eliminated. This also aligns the language of the standard with FERC Order 693,
Paragraph 471.
“(2) specify baseline requirements regarding what issues should be addressed in
the procedures for recognizing {emphasis added} sabotage events and making personnel
aware of such events;”
b. Other reports should have a different specification of the starting time of the
reporting deadline clock. For example, in the requirement for reporting a “BES
Emergency requiring public appeal for load reduction,” it is unclear what event is
required to be reported - the “BES Emergency requiring public appeal” or “public
appeal for load reduction.” If the latter is intended, then the event should be
reported within “24 hours after a public appeal for load reduction is first issued.”
These statements need to be reviewed and customized for each event by the SDT so
they are unambiguous.
All one hour reporting timelines have been changed to 24 hours with the exception of a
‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
In summary, the starting time for the reporting clock to start running should be made
clear for each event. This will require that the SDT review each event and customize
the starting time appropriately. The phrase “recognition of an event” should not be
used because it is too vague.
Based on stakeholder comments, Requirement R1 was revised for clarity. Part 1.1 was
revised to replace the word “identifying” with “recognizing” and Part 1.2 was
eliminated. This also aligns the language of the standard with FERC Order 693,
Paragraph 471.
“(2) specify baseline requirements regarding what issues should be addressed in
the procedures for recognizing {emphasis added} sabotage events and making personnel
aware of such events;”
4. When EOP-004-2 refers to other standards, it frequently omits the version of the
standard. Example: see the second and third row of Attachment 1 that refers to
“CIP-002.” Include the version on all standards referenced.
References to CIP-002 have been removed from the standard. The intent of referencing
those standards is to prevent rewriting the standard within EOP-004-2. The threshold
for reporting CIP-008 events is written as “That meets the criteria in CIP-008-4 or its
successor.”
Response: Thank you for your comment. Please see response above.
Ameren
Yes. We have the other comments as follows: (1) The "EOP-004 Attachment 1: Events
Table" is quite lengthy and written in a manner that can be quite subjective in
interpretation when determining if an event is reportable. We believe this table
should be clear and unambiguous for consistent and repeatable application by both
reliability entities and a CEA.
The DSR SDT has reviewed and further revised Attachment 1 based on comments
received. We believe that it is both concise and easily interpreted.
The table should be divided into sections such as: (a) Events that affect the BES that
are either clearly sabotage or suspected sabotage after review by an entity's security
department and local/state/federal law enforcement. (b) Events that pose a risk to
the BES and that clearly reach a defined threshold, such as load loss, generation loss,
public appeal, EEAs, etc. that entities are required to report by the end of the next
business day. (c) Other events that may prove valuable for lessons learned, but are
less definitive than required reporting events. These events should be reported
voluntarily and not be subject to a CEA for non-reporting.
The DSR SDT received many comments regarding the various entries of Attachment 1.
Many commenters questioned the reliability benefit of reporting events to the ERO
within 1 hour. Most of the events with a one hour reporting requirement were revised
to 24 hours based on stakeholder comments as well as those types of events are
currently required to be reported within 24 hours in the existing mandatory and
enforceable standards. The only remaining type of event that is to be reported within
one hour is “A reportable Cyber Security Incident” as it is required by CIP-008 and FERC
Order 706, Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a
cyber security incident as soon as possible, but in any event, within one hour of
the event…”
The table was reformatted to separate one hour reporting and 24 hour reporting. The
last column of the table was also deleted and the information contained in it was
transferred to the sentence above each table. These sentences are:
“One Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the parties
identified pursuant to Requirement R1, Part 1.2 within one hour of recognition of
the event.”
“Twenty-four Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the
parties identified pursuant to Requirement R1, Part 1.2 within twenty-four hour
of recognition of the event.”
(d) Events identified through other means outside of entity reporting, but due to
their nature, could benefit the industry by an event report with lessons learned.
Requests to report and perform analysis on these type of events should be vetted
through an ERO/Functional Entity process to ensure resources provided to this effort
have an effective reliability benefit.
The DSR SDT has deleted the “lessons learned” language. Requirement R4 now only
requires an annual review of the Operating Plan - the '90 days' and 'other
circumstances' elements have been removed.
(2) Any event reporting shall not in any manner replace or inhibit an Entity's
responsibility to coordinate with other Reliability Entities (such as the RC, TOP, BA,
GOP as appropriate) as required by other Standards, and good utility practice to
operate the electric system in a safe and reliable manner.
The DSR SDT concurs with your comment.
(3) The 1 hour reporting maximum time limit for all GO events in Attachment 1
should be lengthened to something reasonable - at least 24 hours. Operators in our
energy centers are well-trained and if they have good reason to suspect an event
that might have serious impact on the BES will contact the TOP quickly. However,
constantly reporting events that turn out to have no serious BES impact and were
only reported for fear of a violation or self-report will quickly result in a cry wolf
syndrome and a great waste of resources and risk to the GO and the BES. The risk to
the GO will be potential fines, and the risk to the BES will be ignoring events that
truly have an impact of the BES.
The DSR SDT received many comments regarding the various entries of Attachment 1.
Many commenters questioned the reliability benefit of reporting events to the ERO
within 1 hour. Most of the events with a one hour reporting requirement were
revised to 24 hours based on stakeholder comments as well as those types of events
are currently required to be reported within 24 hours in the existing mandatory and
enforceable standards. The only remaining type of event that is to be reported within
one hour is “A reportable Cyber Security Incident” as it is required by CIP-008 and FERC
Order 706, Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
The table was reformatted to separate one hour reporting and 24 hour reporting.
The last column of the table was also deleted and the information contained in it was
transferred to the sentence above each table. These sentences are:
“One Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the parties
identified pursuant to Requirement R1, Part 1.2 within one hour of recognition of the
event.”
“Twenty-four Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the
parties identified pursuant to Requirement R1, Part 1.2 within twenty-four hour of
recognition of the event.”
(4) The 2nd and 3rd Events on Attachment 1 should be reworded so they do not use
terms that may have been deleted from the NERC Glossary by the time FERC
approves this Standard.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
(5) The terms “destruction” and “damage” are key to identifying reportable events.
Neither has been defined in the Standard. The term destruction is usually defined as
100% unusable. However, the term damage can be anywhere from 1% to 99%
unusable and take anywhere from 5 minutes to 5 months to repair. How will we
know what the SDT intended, or an auditor will expect, without additional
information?
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity. The footnote was
deleted.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
These two remaining event categories that aren’t related to power system
phenomena are essential as they effectively translate the intent of CIP-001 into EOP-004.
(6) We also do not understand why “destruction of BES equipment” (first item
Attachment 1, first page) must be reported < 1 hour, but “system separation
(islanding) > 100 MW” (Attachment 1, page 3) does not need to be reported for 24
hours.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity. The footnote was
deleted.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
These two remaining event categories that aren’t related to power system
phenomena are essential as they effectively translate the intent of CIP-001 into EOP-004.
(7) The first 2 Events in Attachment 1 list criteria Threshold for Reporting as
“...operational error, equipment failure, external cause, or intentional or
unintentional human action.” The term “intentional or unintentional human action”
appears to cover “operational error” so these terms appear redundant and create
risk of misreporting. Can this be clarified?
The DSR SDT has updated this language based on comments received and now reads
as: “Damage or destruction of a Facility that:
Affects an IROL (per FAC-014)
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from intentional human action.”
(8) The footnote of the first page of Attachment 1 includes the explanation “...ii)
Significantly affects the reliability margin of the system...” However, the GO is
prevented from seeing the system and has no idea what BES equipment can affect
the reliability margin of the system. Can this be clarified by the SDT?
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “A physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
(9) The use of the term “BES equipment” is problematic for a GO. NERC Team 2010-17
(BES Definition) has told the industry its next work phase will include identifying
the interface between the generator and the transmission system. The 2010-17
current effort at defining the BES still fails to clearly define whether or not generator
tie-lines are part of the BES. In addition, NERC Team 2010-07 may also be assigned
the task of defining the generator/transmission interface and possibly whether or
not these are BES facilities. Can the SDT clarify the use of this term? For example,
does it include the entire generator lead-line from the GSU high-side to the point of
interconnection? Does it include any station service transformer supplied from the
interconnected BES?
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
Response: Thank you for your comment. Please see response above.
Performance Analysis
Subcommittee
There continues to be some confusion regarding whether the loss of firm load was
consistent with the planned operation of the system or was an unintended
consequence. As such it might be helpful if instead of a single check box for loss of
firm load there were two check boxes 1) loss of firm load – consequential and 2) loss
of firm load non-consequential.
Thank you for your comment. The DSR SDT believes that Attachment 2 contains the
minimum amount of information under this standard. Any entity reporting an event
can add as much information as they see fit.
Response: Thank you for your comment. Please see response above.
Southwestern Power
Administration's
"Attachment 1 contains elements that do not need to be included, and redundant
elements such as:
Forced intrusion at BES Facility - A facility break-in does not necessarily mean that the
facility has been impacted or has undergone damage or destruction.
The DSR SDT discussed this event as well as the event “Risk to BES equipment”. These
two event types had overlap in the perceived reporting requirements. The DSR SDT
removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “Any physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance
in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
Detection of a reportable Cyber Security Incident per CIP-008 - If entities are
addressing this requirement in CIP-008, why do so again in EOP-004 (Attachment 2EOP-004, Reporting Requirement number 5)?
The reporting aspects of CIP-008 have been removed from CIP-008 and are included in
EOP-004. Please see the Implementation Plan with regards to the retirement of CIP-008, R1.3.
Transmission Loss: Each TOP that experiences transmission loss of three or more
facilities - This element should be removed or rewritten so that it only applies when
the loss includes a contingent element of an IROL facility."
The DSR SDT disagrees with limiting this type of event to only “a contingent element
of an IROL facility.” It is important for situational awareness and trending analysis to
have these types of events reported.
Response: Thank you for your comment. Please see response above.
The Performance Analysis
Subcommittee
There continues to be some confusion regarding whether the loss of firm load was
consistent with the planned operation of the system or was an unintended
consequence. As such it might be helpful if instead of a single check box for loss of
firm load there were two check boxes 1) loss of firm load – consequential and 2) loss
of firm load non-consequential.
The DSR SDT believes that this information should be obtained in follow up through
the Events Analysis Program. The reporting entity may have concerns or difficulties in
determining if load is consequential or non-consequential in its initial analysis for the
report. Further investigation outside of the reporting time of 24 hours may be
needed to make this determination.
Response: Thank you for your comment. Please see response above.
Xcel Energy
Los Angeles Department of
Water and Power
Liberty Electric Power
Nebraska Public Power
District
Southwestern Power
Administration
Electric Reliability Council of
Texas, Inc.
END OF REPORT
Consideration of Comments
Disturbance and Sabotage Reporting – Project 2009-01
The Disturbance and Sabotage Reporting Drafting Team thanks all commenters who submitted comments on the
draft standard EOP-004-2. This standard was posted for a 30-day public comment period from April 25, 2012
through May 24, 2012. Stakeholders were asked to provide feedback on the standards and associated
documents through a special electronic comment form. There were 87 sets of comments, including comments
from approximately 210 different people from approximately 135 companies representing 9 of the 10 Industry
Segments as shown in the table on the following pages.
All comments submitted may be reviewed in their original format on the standard’s project page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
If you feel that your comment has been overlooked, please let us know immediately. Our goal is to give every
comment serious consideration in this process! If you feel there has been an error or omission, you can contact
the Vice President of Standards and Training, Herb Schrayshuen, at 404-446-2560 or at
herb.schrayshuen@nerc.net. In addition, there is a NERC Reliability Standards Appeals Process. 1
1
The appeals process is in the Standard Processes Manual:
http://www.nerc.com/files/Appendix_3A_Standard_Processes_Manual_Rev%201_20110825.pdf
Summary Consideration: The DSR SDT received several suggestions for improvement to the standard.
As a result of these revisions, the DSR SDT is posting the standard for a second successive ballot period.
The DSR SDT has removed reporting of Cyber Security Incidents from EOP-004 and has asked the team
developing CIP-008-5 to retain this reporting. With this revision, the Interchange Coordinator,
Transmission Service Providers, Load-Serving Entity, Electric Reliability Organization and Regional Entity
were removed as Responsible Entities.
Most of the language contained in the “Background” Section was moved to the “Guidelines and
Technical Basis” Section. Minor language changes were made to the measures and the data retention
section. Attachment 2 was revised to list events in the same order in which they appear in Attachment
1.
Requirement R1 was revised to include the Parts in the main body of the Requirement. The Measure
and VSLs were updated accordingly.
Following review of the industry’s comments, the SDT has re-examined the FERC Directive in Order 693
and has dropped both R3 and R4 as they were written, and established a new Requirement R3 to have
the Registered Entity “validate” the contact information in the contact list(s) they may have for the
events applicable to them. This validation needs to be performed each calendar year to ensure that the
list(s) have current and up-to-date contact data.
R3.
Each Responsible Entity shall validate all contact information contained in the Operating
Plan per Requirement R1 each calendar year. [Violation Risk Factor: Medium] [Time
Horizon: Operations Planning]
The SDT reviewed, discussed and updated Attachment 1 based on comments received from commenters,
FERC directives and what is required for combining CIP-001 and EOP-004 into EOP-004-2. Under the
Event Column, the SDT starts to classify each type of an event by assigning an “Event” title. The DSR SDT
then updated the “Entity with Reporting Responsibilities” column to simply state which entity has the
responsibility to report if they experience an event. The last column, “Threshold for Reporting” is a
bright line that, if reached, the entity needs to report that they experienced the applicable event per
Requirement 1.
The DSR SDT proposed a revision to the NERC Rules of Procedure (Section 812). The SDT has learned
that NERC has started a new effort to forward event reports to applicable government authorities. As
such, Section 812 is no longer needed and will be removed from this project.
Index to Questions, Comments, and Responses
1. The DSR SDT has revised EOP-004-2 by removing Requirement 1, Part 1.4 and separating Parts 1.3
and 1.5 into new Requirements R3 and R4. Requirement R3 calls for an annual test of the
communications portion of the Operating Plan and Requirement R4 requires an annual review of
the Operating Plan. Do you agree with this revision? If not, please explain in the comment area
below.
2. The DSR SDT made clarifying revisions to Attachment 1 based on stakeholder feedback. Do you
agree with these revisions? If not, please explain in the comment area below.
3. The DSR SDT has proposed a new Section 812 to be incorporated into the NERC Rules of
Procedure. Do you agree with the proposed addition? If not, please explain in the comment area
below.
4. Do you have any other comment, not expressed in the questions above, for the DSR SDT?
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Group/Individual; Commenter; Organization; Registered Ballot Body Segment (1-10)
1. Group; Guy Zito; Northeast Power Coordinating Council; X (Segment 10)
Additional Member; Additional Organization; Region; Segment Selection
1. Alan Adamson; New York State Reliability Council, LLC; NPCC; 10
2. Greg Campoli; New York Independent System Operator; NPCC; 2
3. Sylvain Clermont; Hydro-Quebec TransEnergie; NPCC; 1
4. Chris de Graffenried; Consolidated Edison Co. of New York, Inc.; NPCC; 1
5. Gerry Dunbar; Northeast Power Coordinating Council; NPCC; 10
6. Mike Garton; Dominion Resources Services, Inc.; NPCC; 5
7. Kathleen Goodman; ISO - New England; NPCC; 2
8. Michael Jones; National Grid; NPCC; 1
9. David Kiguel; Hydro One Networks Inc.; NPCC; 1
10. Michael Lombardi; Northeast Utilities; NPCC; 1
11. Randy MacDonald; New Brunswick Power Transmission; NPCC; 9
12. Bruce Metruck; New York Power Authority; NPCC; 6
13. Silvia Parada Mitchell; NextEra Energy, LLC; NPCC; 5
14. Lee Pedowicz; Northeast Power Coordinating Council; NPCC; 10
15. Robert Pellegrini; The United Illuminating Company; NPCC; 1
16. Si Truc Phan; Hydro-Quebec TransEnergie; NPCC; 1
17. David Ramkalawan; Ontario Power Generation, Inc.; NPCC; 5
18. Peter Yost; Consolidated Edison Co. of New York, Inc.; NPCC; 3
19. Michael Schiavone; National Grid; NPCC; 1
20. Wayne Sipperly; New York Power Authority; NPCC; 5
21. Tina Teng; Independent Electricity System Operator; NPCC; 2
22. Donald Weaver; New Brunswick System Operator; NPCC; 2
23. Ben Wu; Orange and Rockland Utilities; NPCC; 1
2.
Group
Kent Kujala
DECo
2
3
X
4
X
5
6
7
8
9
10
X
Additional Member Additional Organization Region Segment Selection
1. Barbara Holland
RFC
3, 4, 5
2. Alexander Eizans
RFC
3, 4, 5
3.
Group
Greg Rowland
Duke Energy
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Doug Hils
Duke Energy
RFC
1
2. Ed Ernst
Duke Energy
SERC
3
3. Dale Goodwine
Duke Energy
SERC
5
4. Greg Cecil
Duke Energy
RFC
6
4.
Group
Brenda Hampton
Luminant
X
Additional Member
1. Mike Laney
5.
Group
Additional Organization
Patricia Robertson
5
6
7
8
9
10
BC Hydro
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Additional Organization Region Segment Selection
WECC 2
2. Pat G. Harrington
BC Hydro
WECC 3
3. Clement Ma
BC Hydro
WECC 5
Group
4
5
1. Venkatarmakrishnan Vinnakota BC Hydro
6.
3
Region Segment Selection
Luminant Generation Company, LLC
Additional Member
2
Chris Higgins
Bonneville Power Administration
Additional Member Additional Organization Region Segment Selection
1. James
Burns
WECC 1
2. John
Wylder
WECC 1
3. Kristy
Humphrey
WECC 1
7.
Group
Jesus Sammy Alcaraz
Imperial Irrigation District (IID)
X
Additional Member Additional Organization Region Segment Selection
1. Joel Fugett
IID
WECC 1, 3, 4, 5, 6
2. Cathy Bretz
IID
WECC 1, 3, 4, 5, 6
8.
Group
Connie Lowe
Dominion
Additional Member Additional Organization Region Segment Selection
1. Michael Crowley
SERC
2. Mike Garton
NPCC 5, 6
3. Randi Heise
MRO
5
4. Louis Slade
RFC
5
9.
Group
Robert Rhodes
Additional Member
1, 3, 5, 6
SPP Standards Review Group
Additional Organization
X
Region Segment Selection
1.
Matt Bordelon
CLECO Power
SPP
1, 3, 5
2.
Michelle Corley
CLECO Power
SPP
1, 3, 5
3.
Gary Cox
Southwestern Power Administration
SPP
1, 5
4.
Dan Lusk
Xcel Energy
SPP
1, 3, 5, 6
5.
Stephen McGie
City of Coffeyville
SPP
NA
6.
John Payne
KEPCO
SPP
4
7.
Terri Pyle
Oklahoma Gas & Electric
SPP
1, 3, 5
8.
Sean Simpson
Board of Public Utilities, City of McPherson, KS SPP
NA
9.
Ashley Stringer
Oklahoma Municipal Power Authority
4
SPP
10. Mike Swearingen
Tri-County Electric Cooperative
SPP
4
11. Michael Veillon
CLECO Power
SPP
1, 3, 5
12. Mark Wurm
Board of Public Utilities, City of McPherson, KS SPP
NA
13. Jonathan Hayes
Southwest Power Pool
SPP
2
14. Julie Lux
Westar Energy
SPP
1, 3, 5, 6
15. Greg McAuley
Oklahoma Gas & Electric
SPP
1, 3, 5
10.
Frank Gaffney
Group
Florida Municipal Power Agency
2
3
X
X
X
X
4
X
5
6
X
X
X
X
7
8
9
10
Additional Member Additional Organization Region Segment Selection
1. Timothy Beyrle
City of New Smyrna Beach FRCC
4
2. Jim Howard
Lakeland Electric
FRCC
3
3. Greg Woessner
Kissimmee Utility Authority FRCC
3
4. Lynne Mila
City of Clewiston
FRCC
3
5. Joe Stonecipher
Beaches Energy Services FRCC
1
6. Cairo Vanegas
Fort Pierce Utility Authority FRCC
4
7. Randy Hahn
Ocala Utility Services
3
11.
Group
Brent Ingebrigtson
No additional members listed.
FRCC
LG&E and KU Services
12.
Group
WILL SMITH
MRO NSRF
X
2
X
3
X
4
X
5
X
6
X
7
8
9
10
X
Additional Member Additional Organization Region Segment Selection
1.
MAHMOOD SAFI
2.
OPPD
MRO
1, 3, 5, 6
CHUCK LAWRENCE ATC
MRO
1
3.
TOM WEBB
WPS
MRO
3, 4, 5, 6
4.
JODI JENSON
WAPA
MRO
1, 6
5.
KEN GOLDSMITH
ALTW
MRO
4
6.
ALICE IRELAND
XCEL
MRO
1, 3, 5, 6
7.
DAVE RUDOLPH
BEPC
MRO
1, 3, 5, 6
8.
ERIC RUSKAMP
LES
MRO
1, 3, 5, 6
9.
JOE DEPOORTER
MGE
MRO
3, 4, 5, 6
10. SCOTT NICKELS
RPU
MRO
4
11. TERRY HARBOUR
MEC
MRO
3, 5, 6, 1
12. MARIE KNOX
MISO
MRO
2
13. LEE KITTELSON
OTP
MRO
1, 3, 4, 5
14. SCOTT BOS
MPW
MRO
1, 3, 5, 6
15. TONY EDDLEMAN
NPPD
MRO
1, 3, 5
16. MIKE BRYTOWSKI
GRE
MRO
1, 3, 5, 6
17. THERESA ALLARD
MPC
MRO
1, 3, 5, 6
13.
Stephen J. Berger
Group
Additional
Member
1.
3
Region
PPL Generation, LLC on Behalf of its NERC Registered
Entities
5
WECC
5
MRO
6
4.
NPCC
6
5.
SERC
6
6.
SPP
6
7.
RFC
6
8.
WECC
6
2.
Mark Heimbach
14.
Group
Joe Tarantino
PPL EnergyPlus, LLC
SMUD & BANC
5
6
X
X
X
X
7
8
9
10
Segment
Selection
RFC
3.
4
PPL Corporation NERC Registered Affiliates
Additional
Organization
Annette Bannon
2
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Kevin Smith
15.
Group
BANC
WECC 1
Albert DiCaprio
ISO/RTO Standards Review Committee
X
Additional Member Additional Organization Region Segment Selection
1.
Terry Bilke
MISO
RFC
2
2.
Greg Campoli
NY ISO
NPCC
2
3.
Gary DeShazo
CAISO
WECC 2
4.
Matt Goldberg
ISO NE
NPCC
2
5.
Kathleen Goodman ISO NE
NPCC
2
6.
Stephanie Monzon
PJM
RFC
2
7.
Steve Myers
ERCOT
ERCOT 2
8.
Bill Phillips
MSO
RFC
2
9.
Don Weaver
NBSO
NPCC
2
10. Charles Yeung
SPP
SPP
2
16.
Sam Ciccone
Group
FirstEnergy
X
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Bill Duge
FE
RFC
2. Doug Hohlbaugh
17.
FE
Group
Additional Member
1.
Bill Hutchison
2.
RFC
Jason Marshall
ACES Power Marketing Standards
Collaborators
Additional Organization
Southern Illinois Power Cooperative
Region Segment Selection
SERC
1
Robert A. Thomasson Big Rivers Electric Corporation
SERC
1
3.
Shari Heino
Brazos Electric Power Cooperative
ERCOT 1
4.
John Shaver
Arizona Electric Power Cooperative
WECC 4, 5
5.
John Shaver
Southwest Transmission Cooperative
WECC 1
6.
Michael Brytowski
Great River Energy
MRO
7.
Scott Brame
North Carolina Electric Membership Corporation SERC
18.
Group
Pawel Krupa
X
Seattle City Light
1, 3, 5, 6
1, 3, 4, 5
X
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1.
Pawel Krupa
Seattle City Light
WECC 1
2.
Dana Wheelock
Seattle City Light
WECC 3
3.
Hao Li
Seattle City Light
WECC 4
19.
Group
Scott Kinney
Avista
X
Additional Member Additional Organization Region Segment Selection
1.
Ed Groce
Avista Corp
WECC 5
2.
Bob Lafferty
Avista Corp
WECC 3
20.
Group
Additional Member
Ron Sporseen
PNGC Comment Group
Additional Organization
X
X
X
X
Region Segment Selection
1.
Joe Jarvis
Blachly-Lane Electric Cooperative
WECC 3
2.
Dave Markham
Central Electric Cooperative
WECC 3
3.
Dave Hagen
Clearwater Power Company
WECC 3
4.
Roman Gillen
Consumers Power Inc.
WECC 1, 3
5.
Roger Meader
Coos-Curry Electric Cooperative
WECC 3
6.
Bryan Case
Fall River Electric Cooperative
WECC 3
7.
Rick Crinklaw
Lane Electric Cooperative
WECC 3
8.
Annie Terracciano
Northern Lights Inc.
WECC 3
9.
Aleka Scott
PNGC Power
WECC 4
10. Heber Carpenter
Raft River Rural Electric Cooperative WECC 3
11. Steve Eldrige
Umatilla Electric Cooperative
WECC 1, 3
12. Marc Farmer
West Oregon Electric Cooperative
WECC 4
13. Margaret Ryan
PNGC Power
WECC 8
14. Stuart Sloan
Consumers Power Inc.
WECC 1
21.
Jennifer Eckels
Group
Colorado Springs Utilities
2
3
4
5
6
X
X
X
X
X
X
X
X
7
8
9
10
Additional Member Additional Organization Region Segment Selection
1. Lisa Rosintoski
WECC 6
2. Charlie Morgan
WECC 3
3. Paul Morland
WECC 1
Individual
Janet Smith, Regulatory
Affairs Supervisor
Arizona Public Service Company
23.
Individual
Antonio Grayson
Southern Company Services
X
X
X
X
24.
Individual
Jim Eckelkamp
Progress Energy
X
X
X
X
25.
Individual
Sasa Maljukan
Hydro One
X
26.
Individual
John Brockhan
CenterPoint Energy
X
27.
Individual
Philip Huff
22.
Individual
Barry Lawson
Arkansas Electric Cooperative Corporation
National Rural Electric Cooperative
Association (NRECA)
29.
Individual
Brian Evans-Mongeon
Utility Services
30.
Individual
E Hahn
MWDSC
31.
Individual
Scott McGough
Georgia System Operations Corporation
32.
Individual
Don Jones
Texas Reliability Entity
28.
X
X
X
X
X
X
X
X
X
X
Individual
Jonathan Appelbaum
United Illuminating Company
34.
Individual
Dan Roethemeyer
Dynegy Inc.
35.
Individual
Anthony Jablonski
ReliabilityFirst
36.
Individual
Joe Petaski
Manitoba Hydro
37.
Individual
Michelle R. D'Antuono
Ingleside Cogeneration LP
38.
Individual
Tim Soles
Occidental Power Services, Inc.
39.
Individual
Alice Ireland
Xcel Energy
X
X
40.
Individual
Andrew Gallo
City of Austin dba Austin Energy
X
X
41.
Individual
Thad Ness
American Electric Power
X
42.
Individual
Ed Davis
Entergy
X
43.
Individual
Jack Stamper
Clark Public Utilities
X
Individual
45. Individual
Tracy Richardson
Wayne Sipperly
Springfield Utility Board
New York Power Authority
X
X
46.
Individual
David Thorne
Pepco Holdings Inc
X
X
47.
Individual
Chris de Graffenried
Consolidated Edison Co. of NY, Inc.
X
X
48.
Individual
David Burke
Orange and Rockland Utilities, Inc.
X
X
49.
Individual
Larry Raczkowski
FirstEnergy Corp
X
X
50.
Individual
Linda Jacobson-Quinn
Farmington Electric Utility System
51.
Individual
Michael Falvo
Independent Electricity System Operator
52.
Individual
John Seelke
Public Service Enterprise Group
X
53.
Individual
Terry Harbour
MidAmerican Energy
X
54.
Individual
Brenda Lyn Truhe
X
Individual
John Martinsen
PPL Electric Utilities
Public Utility District No. 1 of Snohomish
County
55.
5
6
7
8
9
10
X
33.
44.
4
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
56.
Individual
Russell A. Noble
Cowlitz County PUD
57.
Individual
Thomas Washburn
FMPP
58.
Individual
Bob Thomas
Illinois Municipal Electric Agency
59.
Individual
Andrew Z. Pusztai
American Transmission Company, LLC
X
60.
Individual
Brenda Frazer
Edison Mission Marketing & Trading, Inc.
X
61.
Individual
Kenneth A Goldsmith
Alliant Energy
62.
Individual
Eric Salsbury
Consumers Energy
63.
Individual
Kirit Shah
Ameren
64.
Individual
Howard Rulf
We Energies
65.
Individual
Brian J Murphy
NextEra Energy Inc
66.
Individual
Kathleen Goodman
ISO New England Inc
X
Individual
68. Individual
Mark B Thompson
Maggy Powell
Alberta Electric System Operator
Exelon Corporation and its affiliates
X
69.
Individual
Keith Morisette
Tacoma Power
70.
Individual
Dennis Sismaet
Seattle City Light
71.
Individual
Scott Miller
MEAG Power
72.
Individual
Patrick Brown
Essential Power, LLC
73.
Individual
Gregory Campoli
New York Independent System Operator
74.
Individual
Don Schmit
Nebraska Public Power District
X
75.
Individual
David Revill
GTC
X
76.
Individual
Scott Berry
Indiana Municipal Power Agency
77.
Individual
Christine Hasha
ERCOT
78.
Individual
Molly Devine
Idaho Power Co.
79.
Individual
Rebecca Moore Darrah
MISO
67.
3
4
X
5
6
7
8
9
10
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
80.
Individual
Nathan Mitchell
American Public Power Association
81.
Individual
Tony Kroskey
Brazos Electric Power Cooperative
X
82.
Individual
Darryl Curtis
Oncor Electric Delivery
X
83.
Individual
Denise Lietz
Puget Sound Energy, Inc.
X
84.
Individual
Steve Alexanderson
X
Individual
Mauricio Guardado
Central Lincoln
Los Angeles Department of Water and
Power
86.
Individual
James Tucker
Deseret Power
X
87.
Individual
Michael Gammon
Kansas City Power & Light
X
85.
2
X
X
X
X
X
X
X
X
X
X
X
1. The SDT has revised EOP-004-2 by removing Requirement 1, Part 1.4 and separating Parts 1.3 and 1.5 into new
Requirements R3 and R4. Requirement R3 calls for an annual test of the communications portion of the Operating
Plan and Requirement R4 requires an annual review of the Operating Plan. Do you agree with this revision? If not,
please explain in the comment area below.
Summary Consideration: Following review of the industry’s comments, the SDT has re-examined the FERC Directive in Order 693
and has dropped both R3 and R4 as they were written, and established a new Requirement R3 to have the Registered Entity
“validate” the contact information in the contact list(s) they may have for the applicable events to their functional registration(s).
This validation needs to be performed on a calendar year period to ensure that the list(s) have current and up-to-date contact
data.
Organization
Yes or No
Question 1 Comment
Northeast Power Coordinating Council
No
Regarding Requirement R3, add the following wording from Measure M3 to
the end of R3 after the wording “in Part 1.2.”: The annual test requirement
is considered to be met if the responsible entity implements the
communications process in Part 1.2 for an actual event. This language must
be in the Requirement to be considered during an audit. Measures are not
auditable.
Regarding Requirement R4, replace the words “an annual review” with the
words “a periodic review.” Add the following to R4: The frequency of such
periodic reviews shall be specified in the Operating Plan and the time
between periodic reviews shall not exceed five (5) years. This does not
preclude an annual review in an Entity’s operating plan. The Entity will then
be audited to its plan. If the industry approves a five (5) year periodic
review ‘cap’, and FERC disagrees, then FERC will have to issue a directive,
state its reasons and provide justification for an annual review that is not
arbitrary or capricious. Adding the one year “test” requirement adds to the
administrative tracking burden and adds no reliability value.
Response: The SDT thanks you for your comment. The SDT has removed R4 and revised R3 that calls for the responsible entity
to validate contact information contained in the Operating Plan each calendar year as described in Requirement R1. The “Annual
review” is used to ensure that the event reporting Operating Plan is up to date. If an entity experiences an event,
communication evidence from the event may be used to show compliance.
DECo
No
Should only have annual "review" requirement rather than test.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your comment.
Duke Energy
No
Under R3, we agree with testing communications internally. Just as the ERO
is excluded under R3, other external entities should also be excluded.
External communications should be verified under R4.
Response: The SDT thanks you for your comment. Due to industry opposition, the SDT revised Requirement R3, replacing the test
with a requirement to “validate” contact information contained in the Operating Plan. If an entity experiences an actual event, communication
evidence from the event may be used to show compliance with the validation requirement for the specific contacts used for the
event.
Dominion
No
While Dominion believes these are positive changes, we are concerned that
placing actual calls to each of the “other organizations needed for the event
type; i.e. the Regional Entity; company personnel; the Responsible Entity’s
Reliability Coordinator; law enforcement, governmental or provincial
agencies” may be seen by one or more of those called as a ‘nuisance call’.
Given the intent is to insure validity of the contact information (phone
number, email, etc), we suggest revising the standard language to support
various forms of validation to include, documented send/receipt of email,
documented verification of phone number (use of phone book, directory
assistance, etc).
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your comment.
SPP Standards Review Group
No
There needs to be a more granular definition of which entities should be
included in the annual testing requirement in R3. To clarify what must be
tested we propose the following language to replace the last sentence in
M3. The annual test requirement is considered to be met if the responsible
entity implements any communications process in the Operating Plan during
an actual event. If no actual event was reported during the year, at least one
of the communication processes in the Operating Plan must be tested to
satisfy the requirement. We do not believe the time-stamping requirement
in M3 and M4 contribute to the reliability of the BES. A dated review should
be sufficient.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your
comments. The Responsible Entity shall validate all contact information contained in the Operating Plan per Requirement R1
each calendar year. If an entity experiences an actual event, communication evidence from the event may be used to show
compliance with the validation requirement for the specific contacts used for the event. Time-stamping has been removed.
Florida Municipal Power Agency
No
First, FMPA believes the standard is much improved from the last posting
and we thank the SDT for their hard work. Having said that, there are still a
number of issues, mostly due to ambiguity in terms, which cause us to vote
Negative. R3 and R4 should be combined into a single requirement with two
subparts, one for annual testing, and another to incorporate lessons learned
from the annual testing into the plan (as opposed to an annual review). The
word “test” is ambiguous as used in R3, e.g., does a table top drill count as a
“test”? Is the intent to “test” the plan, or “test” the phone numbers, or
what?
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your comment.
MRO NSRF
No
R3 states: Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2. R1.2 states: A process for communicating each of the
applicable events listed in EOP-004 Attachment 1 in accordance with the
timeframes specified in EOP-004 Attachment 1 to the Electric Reliability
Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement, governmental or provincial agencies. With
the use of “i.e.” the SDT is mandating that each other entity must be
contacted. The NSRF believes that the SDT meant that “e.g.” should be used
to provide examples. The SDT may wish to add another column to
Attachment 1 to provide clarity. R3 requires an annual test that would
include notification of: “other organizations needed for the event type; i.e.
the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement, governmental or provincial agencies.” Since
NERC sees no value in receiving these test notifications, we are doubtful other
entities identified in R1.2 would find them of value. The real purpose of this
requirement appears to be to assure operators are trained in the use of the
procedure, process, or plan that assures proper notification. PER-005
already requires a systematic approach to training. It is hard to comprehend
an organization not identifying this as a Critical Task, and if they failed to
identify it as a Critical Task that this would not be a violation. Therefore this
requirement is not required. Furthermore organizations test their response
to events in accordance with CIP-008 R1.6. Therefore this requirement is
covered by other standards and is not needed.
The SDT may need to address this within M3, by stating “... that the annual
test of the communication process of 1.2 (e.g. communication via e-mail, fax,
phone, etc) was conducted”.
R4 states: Each Responsible Entity shall conduct an annual review of the
event reporting Operating Plan in Requirement R1. We question the value of
requiring an annual review. If the Standard does not change, there seems
little value in requiring an annual review. This appears to be an
administrative requirement with little reliability value. It would likely be
identified as a requirement that should be eliminated as part of the
request by FERC to identify strictly administrative requirements in FERC’s
recent order on FFTR. We suggest it be eliminated.
Response: The SDT thanks you for your comment. Requirement R3 called for test of all contact information contained. The SDT
deleted Requirement R4 based on stakeholder comments and revised R3 so that each Responsible Entity shall validate all
contact information contained in the Operating Plan per Requirement R1 each calendar year. Requirement R3 will help ensure
that the event reporting Operating Plan is up to date and entities will be able to effectively report events to assure situational
awareness to the Electric Reliability Organization.
The annual review requirement was maintained to meet the intent of NERC Order 693, Paragraph 466. The Commission does
not specify a review period, as suggested; rather, believes that the appropriate period should be determined through the ERO’s
Reliability Standards.
“The Commission affirms the NOPR directive and directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting procedures.”
ISO/RTO Standards Review
Committee
No
The SRC offers comments regarding the posted draft requirements;
however, by so doing, the SRC does not indicate support of the proposed
requirements. Following these comments, please see the latter part of the
SRC’s response to Question 4 below for an SRC proposed alternative
approach: Regarding the proposed posted requirements, without indicating
support of those requirements, the SRC concurs with the changes as they
provide better streamlining of the four key requirements, with enhanced
clarity. However, we are unclear on the intent of Requirement R3, in
particular the phrase “not including notification to the Electric Reliability
Organization” which begs the question on whether or not the test requires
notifying all the other entities as if it were a real event. This may create
confusion in ensuring compliance and during audits. Suggest the SDT to
review and modify this requirement as appropriate. Regarding part 1.2, the
SRC requests that the text be terminated after the word “type” and before
“i.e.” As written, the requirement does not allow for the entity to
add/remove others as necessary. Please consider combining R3 and R4.
These can be accomplished at the same time. The process should be
evaluated to determine effectiveness when an exercise or test is conducted.
The SDT is asked to review the proposal and to address the issue of
requirements vs. bullets vs. sub-requirements. It is suggested that each
requirement be listed independently, and that each sub-step be bulleted.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your comment.
ACES Power Marketing Standards
Collaborators
No
(1) We agree with removing Part 1.4 and we agree with a requirement to
periodically review the event reporting Operating Plan. However we are not
convinced the review of the Operating Plan needs to be conducted annually.
The event reporting Operating Plan likely will not change frequently so a
biannual review seems more appropriate.
(2) We also do not believe that Requirement R3 is needed at all.
Requirement R3 compels the responsible entity to test their Operating Plan
annually. We do not see how testing an Operating Plan that is largely
administrative in nature contributes to reliability. Given that the drafting
team is obligated to address the FERC directive regarding periodic testing,
we suggest the Operating Plan should be tested biannually. This would still
meet the FERC directive requiring periodic testing.
Response: The SDT thanks you for your comment. The SDT deleted Requirement R4 based on stakeholder comments and
revised R3 so that each Responsible Entity shall validate all contact information contained in the Operating Plan per
Requirement R1 each calendar year. Requirement R3 will help ensure that the event reporting Operating Plan is up to date and
entities will be able to effectively report events to assure situational awareness to the Electric Reliability Organization.
Southern Company Services
No
There are approximately 17 event types for which Responsible Entities must
have a process for communicating such events to the appropriate entities
and R3 states that “The Responsible Entity shall conduct an annual test of
the communications process”. It is likely that the same communications
process will be used to report multiple event types, so Southern suggests that
the Responsible Entities conduct an annual test for each unique
communications process. Southern suggests that this requirement be revised
to state “Each Responsible Entity shall conduct an annual test of each unique
communications process addressed in R1.2”.
o In Attachment 1, for Event: “Damage or destruction of a Facility”, SDT
should consider removing “Results from actual or suspected intentional
human action” from the “Threshold for Reporting” column. The basis for this
suggestion is as follows:
o The actual threshold should be measurable, similar to the thresholds
specified for other events in Attachment 1. [Note: The first two thresholds
identified (i.e., “Affects an IROL” and “Results in the need for actions to
avoid an Adverse Reliability Impact”) are measurable and sufficiently qualify
which types of Facility damage should be reported.]
o The determination of human intent is too subjective. Including this as a
threshold will cause many events to be reported that otherwise may not
need to be reported. (e.g., Vandalism and copper theft, while addressed
under physical threats, is more appropriately classified as damage. These are
generally intentional human acts and would qualify for reporting under the
current guidance in Attachment 1. They may be excluded from reporting by
the threshold criteria regarding IROLs and Adverse Reliability Impact, if the
human intent threshold is removed.)
o It may be more appropriate to address human intent in the event
description as follows: “Damage or destruction of a Facility, whether from
natural or human causes”. Let the thresholds related to BES impact dictate
the reporting requirement.
o In Attachment 1, for Event: “Complete or partial loss of monitoring
capability”, SDT should consider changing the threshold criteria to state:
“Affecting a BES control center for ≥ 30 continuous minutes such that
analysis capability (State Estimator, Contingency Analysis) is rendered
inoperable.” There may be instances where the tools themselves are out of
commission, but the control center personnel have sufficiently accurate
models and alternate methods of performing the required analyses.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your initial
comment.
The SDT reviewed, discussed and updated Attachment 1 based on comments received, FERC directives and what is required for
combining CIP-001 and EOP-004 into EOP-004-2. Under the Event Column, the SDT starts to classify each type of an event by
assigning an “Event” title. The DSR SDT then updated the “Entity with Reporting Responsibilities” column to simply state what
entity has the responsibility to report if they experience an event. The last column, “Threshold for Reporting” is a bright line
that, if reached, the entity needs to report that they experienced the applicable event per Requirement 1.
Damage or destruction of a Facility:
The SDT removed all language under “Entity with Reporting Responsibility,” with the exception of entity(s) that are required to
report an applicable event. The SDT removed this language so the entities within this column are clearly stated and identified.
Under the “Threshold for Reporting” column, a bright line was updated based on currently enforced Reliability Standards, FERC
directives and industry comments to state:
Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk
Electric System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per R1) the situational awareness that the
electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
Progress Energy
No
It should be clear that the Operating Plan can be multiple procedures. It is
an unnecessary burden to have entities create a new document outlining
the Operating Plan. Having to create a new Operating Plan would not
improve reliability and would further burden limited resources. The annual
testing required by R3 should be clarified. Do all communication paths need
to be annually tested or just one path? An actual event may only utilize one
communication 'leg' or 'path' and leave others untested and utilized.
Entities may have a corporate level procedure that 'hand-shakes' with more
localized procedures that make up the entire Operating Plan. Must all
communications processes be tested to fulfill the requirement? If an entity
has 'an actual event' it is not necessarily true that their Operating Plan has
been exercised completely, yet this one 'actual event' would satisfy M3 as
written.
Response: The SDT thanks you for your comment. Regarding your initial comment on the need to create a new document, the
SDT believes that a Registered Entity with a procedure under CIP-001 will be able to utilize that document as the starting point
for the Operating Plan here. The SDT feels that many of the necessary components will already exist in that document and the
Registered Entity should only need to edit it accordingly for the types of Events applicable to them. The SDT has made changes
to the standard highlighted in your comment.
Hydro One
No
In the Requirement R3, we suggest adding the following wording from
Measure M3 to the end of R3 after the wording “in Part 1.2.”: The annual
test requirement is considered to be met if the responsible entity
implements the communications process in Part 1.2 for an actual event. This
language must be in the Requirement to be considered during an audit.
Measures are not auditable.
Statement “... not including notification to the ERO...” as it stands now is
confusing. We suggest that this statement is either reworded (and explained
in the Rationale for this requirement) or outright removed for clarity
purposes. In the requirement R4, we suggest replacing the words “an annual
review” with the words “a periodic review.” Add the following to R4: The
frequency of such periodic reviews shall be specified in the Operating Plan
and the time between periodic reviews shall not exceed five (5) years. This
does not preclude an annual review in an Entity’s operating plan. The Entity
will then be audited to its plan. If the industry approves a five (5) year
periodic review ‘cap,’ and FERC disagrees, then FERC will have to issue a
directive, state its reasons and provide justification for an annual review that
is not arbitrary or capricious. Adding the one year “test” requirement adds
to the administrative tracking burden and adds no reliability value.
The table in the standard is clear regarding what events need to be
reported. An auditor may want to see a test for "each" of the applicable
events listed in EOP-004 Attachment 1. If the requirement for "an" annual
test remains in the standard in R3, then it should be made clear that a test is
not required for "each" of the applicable events listed in Attachment 1
(reference to R1.2.)
Response: The SDT thanks you for your comment. Each Responsible Entity must report and communicate events according to
its Operating Plan based on the information in EOP-004 Attachment 1. The SDT removed the Operating Plan Process from
Requirement 1 and revised the measure to meet the communications of Requirement R1, “to implement an operating plan
within the time frames specified in Attachment 1.” Requirement R3 called for test of all contact information contained. The
SDT deleted Requirement R4 based on stakeholder comments and revised R3 so that each Responsible Entity shall validate all
contact information contained in the Operating Plan per Requirement R1 each calendar year. Requirement R3 will help ensure
that the event reporting Operating Plan is up to date and entities will be able to effectively report events to assure situational
awareness to the Electric Reliability Organization.
CenterPoint Energy
No
CenterPoint Energy recommends that “and implement” be added after
“Each Responsible Entity shall have” in Requirement R1. After such revision,
Requirement R2 will not be needed as noted in previous comments
submitted by the Company.
CenterPoint Energy also believes that Requirement R3 is not needed as an
annual review encompassing the elements of the test described in the draft
is sufficient.
Response: The SDT thanks you for your comment. The SDT considered the consolidation of the first and second requirements.
However, since the requirements have the Registered Entity perform two distinct steps, a single requirement cannot be written
to achieve multiple tasks. Each task must stand on its own and be judged singly.
The annual review helps ensure that the event reporting Operating Plan is up to date and entities will be able to effectively
report events to assure situational awareness to the Electric Reliability Organization.
Arkansas Electric Cooperative
Corporation
No
AECC supports the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. Please review the response directed to them.
MWDSC
No
Transmission Owners (TO) should not be included as a "Responsible Entity"
for this or other requirements because the Operating Plan is usually
prepared by the Transmission Operator (TOP). For TOs who are not also
TOPs, there are usually delegation agreements. CIP-001 never directly
applied to TOs.
Response: The SDT thanks you for your comment. The SDT disagrees with your assessment, as the TOs are physical owners of
the equipment that would be affected by this standard. As Owners of the equipment, they need to be reporting on what is
happening to their equipment.
Manitoba Hydro
No
(R1.1 and 1.2) It is unclear whether or not R1.1 and R1.2 require a separate
recognition and communication process for each of the event types listed in
Attachment 1 or if event types can be grouped as determined appropriate
by the responsible entity given that identical processes will apply for
multiple types of events. Manitoba Hydro suggests that wording is revised so
that multiple event types can be addressed by a single process as deemed
appropriate by the Responsible Entity.
(R3) It is unclear whether or not R3 requires the testing of the
communications process for each separate event type identified in
Attachment 1. If so, this would be extremely onerous. Manitoba Hydro
suggests that only unique communication processes (as identified by the
Responsible Entity in R1.2) require an annual test and that testing should not
be required for each type of event listed in Attachment 1. As well, Manitoba
Hydro believes that testing the communications process alone is not as
effective as also providing training to applicable personnel on the
communications process. Manitoba Hydro suggests that R3 be revised to
require annual training to applicable personnel on the communications
process and that only 1 test per unique communications process be required
annually.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comments. Each Responsible Entity must report and communicate events according to its Operating Plan based on the
information in EOP-004 Attachment 1. The SDT has attempted to clarify that it is the choice of the Registered Entity on whether
one, or more than one, contact list(s) is needed for the differing types applicable to them. Depending upon your needs of who
you have an obligation to report, you can elect to have one or multiple lists.
Requirement R3 called for test of all contact information contained. The SDT deleted Requirement R4 based on stakeholder
comments and revised R3 so that each Responsible Entity shall validate all contact information contained in the Operating Plan
per Requirement R1 each calendar year. Requirement R3 will help ensure that the event reporting Operating Plan is up to date
and entities will be able to effectively report events to assure situational awareness to the Electric Reliability Organization.
Occidental Power Services, Inc.
No
There should be an exception for LSEs with no BES assets from having an
Operating Plan and, therefore, from testing and review of such plan. These
LSEs have no reporting responsibilities under Attachment 1 and, if they have
nothing ever to report, why would they have to have an Operating Plan and
have to test and review it? This places an undue burden on small entities
that cannot impact the BES.
Response: The SDT thanks you for your comment. LSEs, as being applicable under the Cyber Security standards, were included
in the applicability of this standard. Since the SDT is proposing to keep the Cyber Security reporting requirements in CIP-008,
LSEs have been removed from the applicability of this standard. This action will not negate the LSE responsibilities under that
standard and your comments will need to be addressed there.
Xcel Energy
No
1) In R1.2, We understand what the drafting team had intended here.
However, we are concerned that the way this requirement is drafted, using
i.e., it could easily be interpreted to mean that you must notify all of those
entities listed. Instead, we are suggesting that the requirement be rewritten
to require entities to define in their Operating Plan the minimum
organizations/entities that would need to be notified for applicable events.
We believe this would remove any ambiguity and make it clear for both the
registered entity and regional staff. We recommend the requirement read
something like this: 1.2. A process for communicating each of the applicable
events listed in EOP-004 Attachment 1 in accordance with the timeframes
specified in EOP-004 Attachment 1 to applicable internal and external
organizations needed for the event type, as defined in the Responsible
Entity’s Operating Plan.
2) We also suggest that R3 be clarified as to whether communications to all
organizations must be tested or just those applicable to the test event
type/scenario.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comments.
American Electric Power
No
R3: How many different scenarios need to be tested? For example, reporting
sabotage-related events might well be different than reporting reliability-related
events such as those regarding loss of Transmission. While these
examples might vary a great deal, other such scenarios may be very similar
in nature in terms of communication procedures. Perhaps solely testing the
most complex procedure would be sufficient. AEP agrees with the changes
with R3 calling for an annual test provided the requirement R2 is modified to
include the measure language “The annual test requirement is considered to
be met if the responsible entity implements the communications process in
Part 1.2 for an actual event.”
M3: While we agree that “the annual test requirement is considered to be
met if the responsible entity implements the communications process in
Part 1.2 for an actual event”, we believe it would be preferable to include
this text in R3 in addition to M3. Measures included in earlier standards
(some of which are still enforced today) had little correlation to the
requirement itself, and as a result, those measures were seldom referenced.
M3: It would be unfair to assume that every piece of evidence required to
prove compliance would be dated and time-stamped, so we recommend
removing the text “dated and time-stamped” from the first sentence so that
it reads “Each Responsible Entity will have records to show that the annual
test of Part 1.2 was conducted.” The language regarding dating and time
stamps in regards to “voice recordings and operating logs or other
communication” is sufficient.
Response: The SDT thanks you for your comment. Based on stakeholder comments the SDT revised R3 so that each Responsible
Entity shall validate all contact information contained in the Operating Plan per Requirement R1 each calendar year.
Requirement R3 will help ensure that the event reporting Operating Plan is up to date and entities will be able to effectively
report events to assure situational awareness to the Electric Reliability Organization. The SDT agrees with the point raised on
time-stamping and has removed it from the standard.
Entergy
No
The requirement for a “time stamped record” of annual review is
unreasonable and unnecessary. A dated document showing that a review
was performed should be sufficient.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comment. The SDT has removed time-stamping from the standard.
New York Power Authority
No
Please see comments submitted by NPCC Regional Standards Committee
(RSC).
Response: The SDT thanks you for your comment. Please review the response to the commenter.
Consolidated Edison Co. of NY, Inc.
No
Requirement R3: Following the sentence ending “in Part 1.2” add the
following wording from the Measure to R3: The annual test requirement is
considered to be met if the responsible entity implements the
communications process in Part 1.2 for an actual event. This language must
be in the Requirement to be considered during an audit. Measures are not
auditable. Requirement R4: Replace the words “an annual review” with the
words “a periodic review.” Following the first sentence in R4 add: The
frequency of such periodic reviews shall be specified in the Operating Plan
and the time between periodic reviews shall not exceed five (5) years.
Orange and Rockland Utilities, Inc.
No
Requirement R3: Following the sentence ending “in Part 1.2” add the
following wording from the Measure to R3: The annual test requirement is
considered to be met if the responsible entity implements the
communications process in Part 1.2 for an actual event. This language
must be in the Requirement to be considered during an audit. Measures are
not auditable.
Requirement R4: Replace the words “an annual review”
with the words “a periodic review.” Following the first sentence in R4 add:
The frequency of such periodic reviews shall be specified in the Operating
Plan and the time between periodic reviews shall not exceed five (5) years.
Response: The SDT thanks you for your comment. Based on stakeholder comments the SDT revised R3 so that each Responsible
Entity shall validate all contact information contained in the Operating Plan per Requirement R1 each calendar year.
Requirement R3 will help ensure that the event reporting Operating Plan is up to date and entities will be able to effectively
report events to assure situational awareness to the Electric Reliability Organization. The SDT considered various time frames
for the action needed and felt that a calendar year was necessary due to the FERC Directive in Order 693 and to ensure that
contact information remained useful in a timely manner.
MidAmerican Energy
No
See the NSRF comments. The real purpose of this requirement appears to
be to assure operators are trained in the use of the procedure, process, or
plan that assures proper notification. PER-005 already requires a systematic
approach to training. Reporting to other affected entities is a PER-005
system operator task. Therefore this requirement is already covered by PER-005
and is not required. Organizations are also required to test their
response to events in accordance with CIP-008 R1.6. Therefore this
requirement is covered by other standards and is not needed. Inclusion of
this standard would place entities in a double or possible triple jeopardy.
The SDT may need to expand M3 reporting options, by stating “... that the
annual test of the communication process of 1.2 (e.g. communication via e-mail,
fax, phone, etc) was conducted”.
R4 is an administrative requirement with little reliability value and should be
deleted. It would likely be identified as a requirement that should be
eliminated as part of the request by FERC to identify strictly administrative
requirements in FERC’s recent order on FFTR.
Response: The SDT thanks you for your comment. The SDT asks you to review the response to that commenter. The SDT
disagrees with your understanding of the real purpose. Reporting of events listed in Attachment 1 is necessary for personnel
beyond the operators.
The SDT deleted Requirement R4 based on stakeholder comments and revised Requirement R3 so that each Responsible Entity
shall validate all contact information contained in the Operating Plan per Requirement R1 each calendar year. Requirement R3
will help ensure that the event reporting Operating Plan is up to date and entities will be able to effectively report events to
assure situational awareness to the Electric Reliability Organization.
Illinois Municipal Electric Agency
No
IMEA reluctantly (in recognition of the SDT's efforts and accomplishments to
date) cast a Negative vote for this project primarily based on R3 because it is
attempting to fix a problem that does not exist and impacts small entity
resources in particular. IMEA is not aware of seeing any information
regarding a trend, or even a single occurrence for that matter, in a failure to
report an event due to failure in reporting procedures. A small entity is less
likely to experience a reportable event, and therefore is less likely to be able
to take advantage of the provision in M3 to satisfy the annual testing
through implementation of an actual event. If there is a problem that needs
to be fixed, it would make much more sense to replace the language in R3
with a simple requirement for the RC, BA, IC, TSP, TOP, etc. to inform the TO,
DP, LSE if there is a change in contact information for reporting an event. It
is hard to believe that an RC, BA, IC, TSP, TOP, etc. is going to want to be
annually handling numerous inquiries from entities regarding the accuracy
of contact information. The impact of unnecessary requirements on entity
resources, particularly small entities', is finally starting to get some
meaningful attention at NERC and FERC. It would be a mistake to adopt
another unnecessary requirement as currently specified in R3.
Response: The SDT thanks you for your comment. The SDT has revised Requirement R3 to help ensure that the event reporting
Operating Plan is up to date and entities will be able to effectively report events to assure situational awareness to the Electric
Reliability Organization.
American Transmission Company,
LLC
No
ATC recommends eliminating R4 altogether. If R3, the annual test, is
conducted as part of the Operating Plan, R4 is merely administrative, and
does not add value to reliability.
Response: The SDT thanks you for your comment. The SDT deleted Requirement R4 based on stakeholder comments and
revised Requirement R3 so that each Responsible Entity shall validate all contact information contained in the Operating Plan
per Requirement R1 each calendar year. Requirement R3 will help ensure that the event reporting Operating Plan is up to date
and entities will be able to effectively report events to assure situational awareness to the Electric Reliability Organization.
NextEra Energy Inc
No
NextEra Energy, Inc. (NextEra) does not agree that annual reviews and
annual tests should be mandated via Reliability Standards; instead, NextEra
believes it is more appropriate to require that the Operating Plan be up-to-date and reviewed/tested as the Responsible Entity deems necessary. These
enhancements provide for a robust Operating Plan, without arbitrary
deadlines for a review and testing. It also provides Responsible Entities of
different sizes and configurations the flexibility to efficiently and effectively
integrate compliance with operations.
Thus, NextEra requests that R1 be revised to read: “Each Responsible Entity
shall have an up-to-date event reporting Operating Plan that is tested and
reviewed as the Responsible Entity deems necessary and includes: ...”.
Consistent with these changes NextEra also requests that R3 and R4 be
deleted.
Response: The SDT thanks you for your comment. While the SDT recognizes the simplicity that your comment would bring, it
cannot be implemented in that manner. For auditability reasons, each task must be separate and distinct in order for the
performance to be assessed. Alternatively, the SDT has re-constructed three distinct requirements that can be judged and
evaluated on their own without compromising the others.
ISO New England Inc
No
Due to the FERC mandate to assign VRFs/VSLs, we do not support using
subrequirements and, instead, favor the use of bullets when the
subrequirements are not standalone but rely on the parent requirement.
Response: The SDT thanks you for your comment. The SDT has revised the language and removed all subrequirements.
Exelon Corporation and its affiliates
No
It’s not clear that R3 and R4 need to be separated. Consider revising R3 to
read: “Through use or testing, verify the operability of the plan on an annual
basis” and dropping R4.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comment.
Indiana Municipal Power Agency
No
IMPA does not believe that both R3 and R4 are necessary and they are
redundant to a degree. Generally, when performing an annual review of a
process or procedure, the call numbers for agencies or entities are verified
to be up to date. Also, in R3, what does “test” mean? It could have
different meanings to registered entities and to auditors, which does not
promote consistency among the industry. IMPA recommends going with an
annual review of the process and having the telephone numbers verified
that are in the event reporting Operating Plan. IMPA also believes that the
local and federal law enforcement agencies would rather go with a
verification of contact information over being besieged by "test" reports.
The way R3 is written gives the appearance that the SDT did not want to
overwhelm the ERO with all of the "test" reports from the registered entities
(by excluding them from the test notification).
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comment.
ERCOT
No
ERCOT has joined the IRC comments on this project and offers these
additional comments. ERCOT requests that the measure be updated to say
“acceptable evidence may include”. As written, the measure reads that
there is only one way to comply with the requirement. The Standards should
note "what" an entity is required to do and not prescribe the "how".
Response: The SDT thanks you for your comment. The SDT has made changes to the standard highlighted in your comment.
Brazos Electric Power Cooperative
No
Please see the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. Please review the response to that commenter.
Central Lincoln
No
The new language of R3 and R4 provide nothing to clarify the word “annual.”
We note that while a Compliance Application Notice was written on this,
Central Lincoln believes that standards should be written so they do not rely
on the continually changing CANs. CAN-0010 itself implies that “annual”
should be defined within the standards themselves. We suggest: R3 Each
Responsible Entity shall conduct a test of the communications process in R1
Part 1.2, not including notification to the Electric Reliability Organization, at
least once per calendar year with no more than 15 calendar months
between tests. R4 Each Responsible Entity shall conduct a review of the
event reporting Operating Plan in Requirement R1 at least once per
calendar year with no more than 15 calendar months between reviews.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comment.
Kansas City Power & Light
No
Requirement 3 requires a test of the communications in the operating plan.
A test implies a simulation of the communications part of the operating plan
by actual communications being conducted pursuant to the plan. It is not
appropriate to burden agencies with testing of communications under a test
environment. Recommend the drafting team consider a confirmation of the
contact information with various agencies as the operations plan dictates.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your comment.
Bonneville Power Administration
Yes
BPA believes that the annual testing and review as described in R3 is too
cumbersome and unnecessary for entities with large footprints to inundate
federal and local enforcement bodies such as the FBI for “only” testing and
the documenting for auditing purposes. BPA suggests that testing be
performed on a bi-annual or longer basis.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comment; however, the SDT has decided that the period will be shorter than your suggestion based upon comments received
from all parties.
Seattle City Light
Yes
This is a great improvement over the prior CIP and EOP versions. However,
please see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Utility Services
Yes
While agreeing with the change, confusion may exist with the CAN that
exists for the term "Annual". Utility Services suggests that the language be
changed to "Every calendar year" or something equivalent. Given
everything that transpired in the discussion on the term annual, using a
different phrase may be advantageous.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your comment.
United Illuminating Company
Yes
R3 should be clear that the annual test of the plan does not mean each
communication path for each applicable event on an annual basis.
Response: The SDT thanks you for your comment. Requirement R3 has been rewritten to address comments like yours and
other industry members. While testing is no longer a part of the requirement, validating the contact information associated
with each contact list for each applicable event type is.
Ingleside Cogeneration LP
Yes
Ingleside Cogeneration LP agrees that it is appropriate to test reporting
communications on an annual basis, primarily to validate that phone
numbers, email ids, and contact information is current. We appreciate the
project team’s elimination of the terms “exercise” and “drill”, which we
believe connotates a formalized planning and assessment process. An
annual review of the Operating Plan implies a confirmation that linkages to
sub-processes remain intact and that new learnings are captured. We also
agree that it is appropriate only to require an updated Revision Level Control
chart entry as evidence of compliance - it is very likely that no updates are
required after the review is complete. In our view, both of these
requirements are sufficient to assure an effective assessment of all facets of
the Operating Plan. As such, we fully agree with the project team’s decision
to delete the requirement to update the plan within 90 days of a change. In
most cases, our internal processes will address the updates much sooner,
but there is no compelling reason to include it as an enforceable
requirement.
Response: The SDT thanks you for your comment.
City of Austin dba Austin Energy
Yes
Austin Energy (AE) supports the requirements for (1) an annual test of the
communications portion of the Operating Plan (R3) and (2) an annual review
of the Operating Plan (R4); however, we offer a slight modification to the
measures associated with those requirements. AE does not believe that
records evidencing such tests and reviews need to be time-stamped to
adequately demonstrate compliance with the requirements. In each case,
we recommend that the first sentence of M3 and M4 start with “Each
Responsible Entity will have dated records to show that the annual ...”
Response: The SDT thanks you for your comment. The SDT has removed the time-stamping provision in the standard.
Springfield Utility Board
Yes
o SUB supports the removal of Requirement 1, Part 1.4, as well as the
separation of Parts 1.3 and 1.5, agreeing that they are their own separate
actions.
o The Draft 4 Version History still lists the term “Impact Event”
rather than “Event”.
Response: The SDT thanks you for your comment. The SDT has made changes highlighted in your comment.
FirstEnergy Corp
Yes
FE agrees with the revision but has the following comments and suggestions:
1. We request clarity and guidance on R3 (See our comments in Question 4 for
further consideration). Also, we suggest a change in the phrase “shall conduct
an annual test” to “shall conduct a test each calendar year, not to exceed 15
calendar months between tests”. This wording is consistent with other
standards in development such as CIP Version 5.2.
2. In R4 we suggest a change in the phrase “shall conduct an annual review” to
“shall conduct a review each calendar year, not to exceed 15 calendar months
between reviews”. This wording is consistent with other standards in
development such as CIP Version 5.
Response: The SDT thanks you for your comment. The SDT deleted Requirement R4 based on stakeholder comments and
revised Requirement R3 so that each Responsible Entity shall validate all contact information contained in the Operating Plan
per Requirement R1 each calendar year. Requirement R3 will help ensure that the event reporting Operating Plan is up to date
and entities will be able to effectively report events to assure situational awareness to the Electric Reliability Organization.
Independent Electricity System
Operator
Yes
We concur with the changes as they provide better streamlining of the four
key requirements, with enhanced clarity. However, we are unclear on the
intent of Requirement R3, in particular the phrase “not including notification
to the Electric Reliability Organization” which begs the question on whether
or not the test requires notifying all the other entities as if it were a real
event. This may create confusion in ensuring compliance and during audits.
Suggest the SDT to review and modify this requirement as appropriate.
Response: The SDT thanks you for your comment. The SDT has revised the standard’s language to address this concern.
Public Utility District No. 1 of
Snohomish County
Yes
This is an excellent improvement over the prior CIP and EOP versions.
However, please see #4 for overall comment.
Seattle City Light
Yes
This is a great improvement over the prior CIP and EOP versions. However,
please see #4 for overall comment.
MEAG Power
Yes
This is a great improvement over the prior CIP and EOP versions. However,
please see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Tacoma Power
Yes
Tacoma Power agrees with the requirement but would suggest removing all
instances of the word “Operating” from the Standard. The requirements
should read, “Each Responsible Entity shall have an “Event Reporting
Plan...”. The term Operating in this context is confusing as there are many
other “Operating Plans” for other defined emergencies. This standard is
about “Reporting” and should be confined to that.
Response: The SDT thanks you for your comment. The SDT has chosen to include “Operating” due to the definition in the NERC
Glossary. The SDT believes Operating Plan clearly defines what is needed in this standard.
Idaho Power Co.
Yes
But this is going to require that we create a new Operating Plan with test
procedures and revision history.
Response: The SDT thanks you for your comment. The SDT believes that an existing procedure, that meets the requirements of
CIP-001-2a, may well be the starting point for the Operating Plan in this standard, or could go a long way towards achieving the
requirements in this standard. The SDT revised Requirement R3 to remove test to “validate” contact information contained in
the Operating Plan. If an entity experiences an actual event, communication evidence from the event may be used to show
compliance with the validation requirement for the specific contacts used for the event.
American Public Power Association
Yes
APPA appreciates the SDT making these requirements clearer as requested
in our comments on the previous draft standard.
Response: The SDT thanks you for your comment.
Puget Sound Energy, Inc.
Yes
This draft is a considerable improvement on the previous draft in terms of
clarity and will be much easier for Responsible Entities to implement. Puget
Sound Energy appreciates the drafting team’s responsiveness to
stakeholder’s concerns and the opportunity to comment on the current
draft. The drafting team should revise Requirement R2 to state that the
“activation” of the Operating Plan is required only when an event occurs,
instead of using the term “implement”. “Implementation” could also refer
to the activities such as distributing the plan to operating personnel and
training operating personnel on the use of the plan. These activities are not
triggered by any event and, since it is clear from the measure that this
requirement is intended to apply only when there has been a reportable
event, the requirement should be revised to state that as well.
The drafting team should revise measure M2 to require reports to be
“supplemented by operator logs or other reporting documentation” only “as
necessary”. In many cases, the report itself and time-stamped record of
transmittal will be the only documents necessary to demonstrate
compliance with requirement R2.
Under Requirement R3, using an actual
event as sufficient for meeting the requirement for conducting an annual
test would likely fall short of demonstrating compliance with the entire
scope of the Operating Plan. R1.2 requires "a process for communicating
EACH of the applicable events listed....". If the actual event is only one of
many "applicable" events, is it sufficient to only exercise one process flow?
If there is no actual event during the annual time-frame, do all the process
flows then have to be exercised?
Response: The SDT thanks you for your comment. The SDT appreciates the suggestion; however, to be consistent with other
reliability standards, the SDT has elected to continue to use the word “Implement.” Your suggestion could end up creating
confusion and misunderstandings since the context is not used elsewhere.
The SDT has revised the language of the requirements and measures as a result of your and other commenters’ remarks.
FMPP
See FMPA's comments
Response: The SDT thanks you for your comment. Please review the response to the FMPA comments.
Luminant
Yes
BC Hydro
Yes
Imperial Irrigation District (IID)
Yes
LG&E and KU Services
Yes
PPL Corporation NERC Registered
Affiliates
Yes
Avista
Yes
PNGC Comment Group
Yes
Colorado Springs Utilities
Yes
Arizona Public Service Company
Yes
Georgia System Operations
Corporation
Yes
Texas Reliability Entity
Yes
Dynegy Inc.
Yes
Clark Public Utilities
Yes
Pepco Holdings Inc
Yes
Farmington Electric Utility System
Yes
Public Service Enterprise Group
Yes
PPL Electric Utilities
Yes
Cowlitz County PUD
Yes
Edison Mission Marketing & Trading,
Inc.
Yes
Ameren
Yes
We Energies
Yes
GTC
Yes
MISO
Yes
Oncor Electric Delivery
Yes
Los Angeles Department of Water
and Power
Yes
Deseret Power
Yes
2. The SDT made clarifying revisions to Attachment 1 based on stakeholder feedback. Do you agree with these revisions? If not,
please explain in the comment area below.
Summary Consideration:
The SDT reviewed, discussed and updated Attachment 1 based on comments received from commenters, FERC directives and what is
required for combining CIP-001 and EOP-004 into EOP-004-2. Under the Event Column, the SDT starts to classify each type of an event
by assigning an “Event” title. The DSR SDT then updated the “Entity with Reporting Responsibilities” column to simply state which
entity has the responsibility to report if they experience an event. The last column, “Threshold for Reporting” is a bright line that, if
reached, the entity needs to report that they experienced the applicable event per Requirement 1.
Organization
Yes or No
Question 2 Comment
Northeast Power Coordinating Council
No
Regarding Attachment 1, language identical to event descriptions in the NERC Event
Analysis Process and FERC OE-417 should be used. Creating a third set of event
descriptions is not helpful to system operators. Recommend aligning the Attachment
1 wording with that contained in Attachment 2, DOE Form OE-417 and the EAP
whenever possible.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. Using identical terminology will be difficult to achieve as the DOE
form and EAP have differing processes for identification of the reportable
incidences. The SDT has tried to set up the reportable events in the standard to be
as similar as possible to the other organizations without being tied to their specific
language. Attachment 2 has been modified to match the events types listed in
Attachment 1.
The following pertains to Attachment 1: Replace the Attachment 1 “NOTE” with the
following clarifying wording: NOTE: The Electric Reliability Organization and the
Responsible Entity’s Reliability Coordinator will accept the DOE OE-417 form in lieu of
Attachment 2 if the entity is required to submit an OE-417 report. Submit reports to
the ERO via one of the following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550,
Voice: 609-452-1422. Initial submittal by Voice within the reporting time frame is
acceptable for all events when followed by a hardcopy submittal by Facsimile or email as and if required.
The SDT thanks you for your comment. First, the SDT believes that you intended
the comment to address the “Note” on Attachment 2, not Attachment 1. The SDT
does not believe that a hardcopy report is necessary if the organization has made
voice contact.
The proposed “events” are subjective and will lead to confusion and questions as to
what has to be reported.
The SDT disagrees and has established “events” to be reported based on bright line
criteria. The events are consistent with previous versions of the CIP-001 and EOP-004 standards, as well as incidences being reported to the DOE and EAP.
Event: A reportable Cyber Security Incident. All reportable Cyber Security Incidents
may not require “One Hour Reporting.” A “one-size fits all” approach may not be
appropriate for the reporting of all Cyber Security Incidents. The NERC “Security
Guideline for the Electricity Sector: Threat and Incident Reporting” document
provides time-frames for Cyber Security Incident Reporting. For example, a Cyber
Security Compromise is recommended to be reported within one hour of detection,
however, Information Theft or Loss is recommended to be reported within 48 hours.
Recommend listing the Event as “A confirmed reportable Cyber Security Incident.”
The existing NERC “Security Guideline for the Electricity Sector: Threat and Incident
Reporting” document uses reporting time-frames based on “detection” and
“discovery.” Recommend using the word confirmed because of the investigation
time that may be required from the point of initial “detection” or “discovery” to the
point of confirmation, when the compliance “time-clock” would start for the
reporting requirement in EOP-004-2.
The SDT is revising the standard to not contain reporting for Cyber Security
incidents. Under the revisions, CIP-008-3 and successive versions will retain the
reporting requirements.
Event: Damage or destruction of a Facility Threshold for Reporting: revise language
on third item to read: Results from actual or suspected intentional human action,
excluding unintentional human errors.
The SDT reviewed, discussed and updated “Damage and destruction of a Facility”
based on comments received, FERC directives and what is required for combining
CIP-001 and EOP-004 into EOP-004-2. The new “threshold” now states:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
Event: Any physical threat that could impact the operability of a Facility This Event
category should be deleted. The word “could” is hypothetical and therefore
unverifiable and un-auditable. The word “impact” is undefined. Please delete this
reporting requirement, or provide a list of hypothetical “could impact” events, as well
as a specific definition and method for determining a specific physical impact
threshold for “could impact” events other than “any.”
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whomever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Event: BES Emergency requiring public appeal for load reduction. Replace wording in
the Event column with language from #8 on the OE-417 Reporting Form to eliminate
reporting confusion. Following this sentence add, “This shall exclude other public
appeals, e.g., made for weather, air quality and power market-related conditions,
which are not made in response to a specific BES event.”
The SDT disagrees with quantifying a use of public appeals reporting for different
types of events. The important item here is that a public appeal was issued for load
reduction. A report is required to inform the ERO (and whoever else the entity
wishes to inform per Requirement R1) of your current status and provide them with
the situational awareness of the status of your system.
Event: Complete or partial loss of monitoring capability Event wording: Delete the
words “or partial” to conform the wording to the NERC Event Analysis Process.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to “Complete loss of monitoring
capability affecting a BES control center for 30 continuous minutes or more such
that analysis capability (State Estimator, Contingency Analysis) is rendered
inoperable.” This will only apply to an RC, BA, or TOP who have this capability to
start with.
Event: Transmission Loss Revise to BES Transmission Loss
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
Event: Generation Loss Revise to BES Generation Loss
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
The SDT believes that if an entity reaches this threshold, it needs to be reported
and most likely this will be BES connected generation assets.
Response: The SDT thanks you for your comment.
DECo
No
On pg 17 in the Rationale Box for EOP-004 Attachment 1: The set of terms is specific
then includes the word ETC. Then further lists areas to exclude. Then on Pg 23 of
document it includes train derailment near a transmission right of way and forced
entry attempt into a substation facility as reportable. These conflict. Also see conflict
when in pg 21 states the DOE OE417 would be accepted in lieu of the NERC form, but
on the last pg it states the DOE OE417 should be attached to the NERC report
indicating the NERC report is still required.
Response: The SDT thanks you for your comment. While the SDT would like to point out the “etc.” is the last word in the
definition of Facility; the SDT has removed footnote 1 and the forced intrusion statement has been removed. The SDT has
updated to remove the conflict of “attached to the NERC report…” The SDT agrees with your comments and has revised the
standard to address these discrepancies.
Duke Energy
No
(1) We disagree with reporting CIP-008 incidents under this standard. We agree with
the one-hour notification timeframe, but believe it should be in CIP-008 to avoid
double jeopardy.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one-hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
(2) Damage or destruction of a Facility - Need clarity on how a vertically integrated
entity must report. For example a GOP probably won’t know if an IROL will be
affected. Also, there shouldn’t be multiple reports from different functional entities
for the same event. Suggest splitting this table so that GO, GOP, DP only reports
“Results from actual or suspected intentional human action”.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per R1)
the situational awareness that the Facility was ‘damaged or destroyed’
intentionally by a human.”
This event was written to cover the increase of “Entity with Reporting
Responsibility,” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
(3) Generation Loss - Need more clarity on the threshold for reporting. For example if
we lose one 1000 MW generator at 6:00 am and another 1000 MW generator at 4:00
pm, is that a reportable event?
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
Response: The SDT thanks you for your comment.
Luminant
No
Luminant appreciates the work of the SDT to modify Attachment 1 to address the
concerns of the stakeholders. However, we are concerned that the threshold for
reporting a Generation Loss in the ERCOT interconnection established by this revision
is set at ≥ 1,000MW, which is not consistent with the level of single generation
contingency used in ERCOT planning and operating studies. That level of contingency
is currently set at the size of the largest generating unit in ERCOT, which is 1,375MW.
For this reason, Luminant believes that the minimum threshold for reporting of a
disturbance should be > 1,375MW for the ERCOT Interconnection.
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
The SDT discussed this issue and believes that ERCOT could change contingency level in the future, and this event is also applicable
to the Quebec Interconnection.
BC Hydro
No
BC Hydro supports the revisions to EOP-004 and would vote Affirmative with the
following change. Attachment 1 has a One Hour Reporting requirement. BC Hydro
proposes a One Hour Notification with the Report submitted within a specified
timeframe afterward.
Response: The SDT thanks you for your comment. The SDT has removed all incidences involving one-hour reporting threshold;
therefore, the SDT does not see the need to make this change.
Bonneville Power Administration
No
BPA believes that clarifying language should be added to transmission loss event.
(Page 19) [a report should not be required if the number of elements is forced
because of pre-designed or planned configuration. System studies have to take such
a configuration into account. Possible wording could be: Unintentional loss of three
or more Transmission Facilities (excluding successful automatic reclosing or planned
operating configuration)]
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
In addition, under the “Event” of Complete or partial loss of monitoring capability,
BPA believes that “partial loss” is not sufficiently specific for BPA to write compliance
operating procedures and suggest defining partial loss or removing it from the
standard. Should the drafting team add clarifying language to remove “or partial
loss” and address BPA’s concerns on over emphasis on software tool to the operation
of the system, BPA would change its negative position to affirmative.
The SDT has revised the language on this point in Attachment 1.
Response: The SDT thanks you for your comment.
SPP Standards Review Group
No
To obtain an understanding of the drivers behind the events in Attachment 1, we
would like to see where these events come from. If the events are required in
standards, refer to them. If they are in the existing event reporting list, indicate so. If
they are coming from the EAP, let us know. We have a concern that, as it currently
exists, Attachment 1 can increase our reporting requirements considerably.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. Reportable events should be similar, but not identical to the
events reported to DOE or EAP.
We also have concerns about what appears to be a lack of coordination between EAP
reporting requirements and those contained in Attachment 1. For example, the EAP
reporting requirement is for the complete loss of monitoring capability whereas
Attachment 1 adds the requirement for reporting a partial loss of monitoring
capability. It appears that some of the EAP reporting requirements are contained in
Attachment 1. We have concerns that this is beyond the scope of the SAR and should
not be incorporated in this standard.
The SDT has revised the language on this point in Attachment 1. It should be noted
that the EAP can use reports submitted under EOP-004-2 as the initial notification
of an event that could be further addressed in the EAP.
We have concern with several of the specific event descriptions as contained in
Attachment 1:
Damage or destruction of a Facility - We are comfortable with the proposed
definition of Adverse Reliability Impact but have concerns with the existing definition
of ARI.
Any physical threat that could impact the operability of a Facility1 - We take
exception to this event in that it goes beyond what is currently required in EOP-004-1, including DOE reporting requirements, and the EAP reporting requirements. We do
not understand the need for this event type and object to the potential for excessive
reporting required by such an event type. Additionally, we are concerned about the
potential for multiple reporting of a single event. This same concern applies to
several other events including Damage or destruction of a Facility, Loss of firm load
for ≥ 15 minutes, System separation, etc. When multiple entities are listed as the
Entity with Reporting Responsibility, Attachment 1 appears to require each entity in
the hierarchy to submit a report. There should only be one report and it should be
filed by the entity owning the event. The SDT addressed this issue in its last posting
but the issue still remains and should be reviewed again.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT understands that there may be several reports of a single event; and as the
SDT has stated before, that this will give the ERO a better understanding of the
depth and breadth of system conditions based on the given event.
BES Emergency resulting in automatic firm load shedding - For some reason, not
stipulated in the Consideration of Comments, the action word in the Entity with
Reporting Responsibility was changed from ‘experiences’ to ‘implements’. We
recommend changing it back to ‘experiences’. Automatic load shedding is not
implemented. It does not require human intervention. It’s automatic.
Voltage deviation on a Facility - Similar to the comment on automatic load shedding above,
the action word was changed from ‘experiences’ to ‘observes’. We again recommend
that it be changed back to ‘experiences’. Using observes obligates a TOP, who is able
to see a portion of a neighboring TOP’s area, to submit a report if that TOP observed
a voltage deviation in the neighboring TOP’s area. The only reporting entity in this
event should be the TOP within whose area the voltage deviation occurred.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Automatic firm load shedding ≥ 100 MW (via automatic undervoltage or
underfrequency load shedding schemes, or SPS/RAS).”
This language clearly states that an entity reports if the threshold is reached.
Complete or partial loss of monitoring capability - Clarification on partial loss of
monitoring capability and inoperable are needed. Also, the way the Threshold is
written, it implies that a State Estimator and Contingency Analysis are required. To
tone this down, insert the qualifier ‘such as’ in front of State Estimator.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to “Complete loss of monitoring
capabilities” for a RC, BA, or TOP when there is a complete loss of monitoring
capabilities for 30 continuous minutes where their State Estimator or Contingency
Analysis is inoperable. This will only apply to an RC, BA, or TOP who have this
capability to start with.
Response: The SDT thanks you for your comment.
Florida Municipal Power Agency
No
The bullet on “any physical threat” is un-measurable. What constitutes a “threat”?
FMPA likes the language used in the comment form discussing this item concerning
the judgment of the Responsible Entity, but, the way it is worded in Attachment 1 will
mean the judgment of the Compliance Enforcement Authority, not the Responsible
Entity. Presumably, the Responsible Entity will need to develop methods to identify
physical threats in accordance with R1; hence, FMPA suggests rewording to: “Any
physical threat recognized by the Responsible Entity through processes established in
R1 bullet 1.1”. We understand this introduces circular logic, but, it also introduces the
“judgment of the Responsible Entity” into the bullet.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event, unless it degrades the normal operation of a Facility.
On the row of the table on voltage deviation, replace the word “observes” with
“experiences”. It is possible for one TOP to “observe” a voltage deviation on another
TOP’s system. It should be the responsibility of the TOP experiencing the voltage
deviation on its system to report, not the one who “observes”. On the row on
islanding, it does not make sense to report islanding for a system with load less than
the loss of load metrics and we suggest using the same 300 MW threshold for a
reporting threshold. On the row on generation loss, some clarification on what type
of generation loss (especially in the time domain) would help it be more measurable,
e.g., concurrent forced outages. On the row on transmission loss, the same clarity is
important, e.g., three or more concurrent forced outages.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Automatic firm load shedding ≥ 100 MW (via automatic undervoltage or
underfrequency load shedding schemes, or SPS/RAS).”
This language clearly states that an entity reports if the threshold is reached.
On the row on loss of monitoring, while FMPA likes the threshold for “partial loss of
monitoring capability” for those systems that have State Estimators, small BAs and
TOPs will not need or have State Estimators and the reporting threshold becomes
ambiguous. We suggest adding something like loss of monitoring for 25% of
monitored points for those BAs and TOPs that do not have State Estimators.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to “Complete loss of monitoring
capabilities” for a RC, BA, or TOP when there is a complete loss of monitoring
capabilities for 30 continuous minutes where their State Estimator or Contingency
Analysis is inoperable. This will only apply to an RC, BA, or TOP who have this
capability to start with.
Response: The SDT thanks you for your comment.
LG&E and KU Services
No
The SDT should consider more clearly defining the Threshold for Reporting for the
Event: “Any physical threat that could impact the operability of a Facility” to only
address those events that have an Adverse Reliability Impact. Some proposed
language might be: “Threat to a Facility excluding weather related threats that could
result in an Adverse Reliability Impact.” For those events specifically defined in the
ERO Events Analysis Process, the SDT should consider revising the language to be
more consistent with the language included in the ERO Events Analysis Process. Here
is some recommended language:
1. EVENT: Transmission loss THRESHOLD FOR REPORTING: “Unintentional loss,
contrary to design, of three or more BES Transmission Facilities (excluding successful
automatic reclosing) caused by a common disturbance.”
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
2. EVENT: “Complete or partial loss of monitoring capability” - could be revised to
read “Complete loss of SCADA control or monitoring functionality” THRESHOLD FOR
REPORTING: “Affecting a BES control center for ≥ 30 continuous minutes such
that analysis tools (e.g. State Estimator, Contingency Analysis) are rendered
inoperable”.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
MRO NSRF
No
R1.2 states: A process for communicating each of the applicable events listed in EOP-004 Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations needed
for the event type; i.e. the Regional Entity; company personnel; the Responsible
Entity’s Reliability Coordinator; law enforcement, governmental or provincial
agencies. This implies not only does NERC need to be notified within the specified
time period but that: “other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator;
law enforcement, governmental or provincial agencies.” are also required to be
notified within the time periods specified. We suggest a fourth column be added to
the table to clearly identify who must be notified within the specified time period or
that R1.2 be revised to clearly state that only NERC must be notified to comply with
the standard. With the use of “i.e.” the SDT is mandating that each other entity must
be contacted. The NSRF believes that the SDT meant that “e.g.” should be used to
provide examples. The SDT may wish to add another column to Attachment 1 to
provide clarity.
The SDT has made the required change concerning replacing “i.e.” with “e.g.”
Also with regards to Attachment 1, the following comments are provided:
1. Instead of referring to CIP-008 (in the 1 hour reporting section), quote the words
from CIP-008, this will require coordination of future revisions but will assure clarity
in reporting requirements.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one-hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
2. Under “Damage or destruction of a Facility” a. The wording “affects an IROL (per
FAC-014),” is too vague. Many facilities could affect an IROL, not as many if lost
would cause an IROL. b. Adverse Reliability Impact is defined as: “The impact of an
event that results in frequency-related instability; unplanned tripping of load or
generation; or uncontrolled separation or cascading outages that affects a
widespread area of the Interconnection.” There are an infinite number of routine
events that result in the loss of generation plants due to inadvertent actions that
somehow also damaged equipment. Any maintenance activity that damaged a piece
of equipment that causes a unit to trip or results in a unit being taken off line in a
controlled manner would now be reportable. This seems to be an excessive
reporting requirement. Recommend that Adverse Reliability Impact be deleted and
be replaced with actual EEA 2 or EEA 3 level events. c. The phrase “Results from
actual or suspected intentional human action.” This line item used the term
“suspected” which relates to “sabotage”. Recommend the following: Results from
actual or malicious human action intended to damage the BES.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per R1) the situational awareness that the electrical system has been
reconfigured or may need to be reconfigured, thus supporting reliable operations of
each interconnection.
3. “Any physical threat that could impact the operability of a Facility1” The example
provided by the drafting team of a train derailment exemplifies why this requirement
should be deleted. A train derailment of a load of bananas more than likely would
not threaten a nearby BES Facility. However a train carrying propane that derails
carrying propane could even if it were 10 miles away. Whose calculation will be used
to determine if an event could have impacted the asset? As worded there is too
much ambiguity left to the auditor. We suggest the drafting team clarify by saying
“Any event that requires a BES site be evacuated for safety reasons”
Furthermore if weather events are excluded, we are hard pressed to understand why
this information is important enough to report to NERC. So barring an explanation of
the purpose of this requirement, including why weather events would be excluded,
we suggest the requirement be deleted. Please note that if you align this with
“Physical attack” with #1 of the OE-417. This clearly states what the SDT is looking
for.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
4. The phrase “or partial loss of monitoring capability” is too vague. Further
definitions of “inoperable” are required to assure consistent application of this
requirement. Recommend that “Complete loss of SCADA affecting a BES control
center for ≥ 30 continuous minutes such that analysis tools of State Estimator
and/or Contingency Analysis are rendered inoperable. Or, Complete loss of the
ability to perform a State Estimator or Contingency Analysis function, the threshold of
30 mins is too short. A 60 min threshold will align with EOP-008-1, R1.8. Since this is
the time to implement the contingency back up control center plan.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
5. Event: Voltage deviation on a Facility. ATC believes that the term “observes” for
Entity with Reporting Responsibility be changed back to “experiences” as originally
written. The burden should rest with the initiating entity in consistency with other
Reporting Responsibilities. Also, for Threshold for Reporting, ATC believes the
language should be expanded to - plus or minus 10% “of target voltage” for greater
than or equal to 15 continuous minutes.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
6. Event: Transmission loss. ATC recommends that Threshold for Reporting be
changed to read “Unintentional loss of four, or more Transmission Facilities,
excluding successful automatic reclosing, within 30 seconds of the first loss
experienced and for 30 continuous minutes. Technical justification or Discussion for
this recommended change: In the instance of a transformer-line-transformer,
scenario commonly found close-in to Generating stations, consisting of 3 defined
“facilities”, 1 lightning strike can cause automatic unintentional loss by design.
Increase the number of facilities to 4. In a normal shoulder season day, an entity may
experience the unintentional loss of a 138kv line from storm activity, at point A in the
morning, a loss of a 115kv line from a different storm 300 miles from point A in the
afternoon, and a loss of 161kv line in the evening 500 miles from point A due to a
failed component, if it is an entity of significant size. Propose some type of time
constraint. Add time constraint as proposed, 30 seconds, other than automatic
reclosing. In the event of dense lightning occurrence, the loss of multiple
transmission facilities may occur over several minutes to several hours with no
significant detrimental effect to the BES, as load will most certainly be affected (lost
due to breaker activity on the much more exposed Distribution system) as well. Any
additional loss after 30 seconds must take into account supplemental devices with
intentional relay time delays, such as shunt capacitors, reactors, or load tap changers
on transformers activating as designed, arresting system decay. In addition,
Generator response after this time has significant impact. Please clarify or completely
delete why this is included within this version when no basis has been given and it is
not contained within the current enforceable version.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
7. Modify the threshold of “BES emergency requiring a public appeal...” to include,
“Public appeal for a load reduction event resulting for a RC or BA implementing its
emergency operators plans documented in EOP-001.” The reason is that normal
public appeals for conservation should be clearly excluded.
The SDT disagrees since it is clearly stated that a report is required for “Public
appeal for load reduction event.” The SDT has not discussed a reporting
mechanism for “conservation.”
8. Add a time threshold to complete loss of off-site power to a nuclear plant.
Nuclear plants are to have backup diesel generation that last for a minimum amount
of time. A threshold recognizing this 4 hour or longer window needs to be added
such as complete loss of off-site power to a nuclear plant for more than 4 hours.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Complete loss of off-site power affecting a nuclear generating station per the
Nuclear Plant Interface Requirement.” As stated in this event Threshold, the TOP’s
NPIR may have additional guidance concerning the complete loss of offsite power
affecting a nuclear plant.
9. Delete “Transmission loss”. The loss of a specific number of elements has no
direct bearing on the risk of a system cascade. Faults and storms can easily result in
the “unintentional” loss of multiple elements. This is a flawed concept and needs to
be deleted.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
Response: The SDT thanks you for your comment.
PPL Corporation NERC
Registered Affiliates
No
1.) PPL Generation thanks the SDT for the changes made in this latest proposal. We feel our
previous comments were addressed. PPL Generation offers the following additional
comments. Regarding the event ‘Transmission Loss’: For your consideration, please
consider adding a footnote to the event ‘Transmission Loss’ such that weather events do
not need to be reported. Also please consider including operation contrary to design in
the language and not just in the example. E.g. consistent with the NERC Event Analysis
table, the threshold would be, ‘Unintentional loss, contrary to design, of three or more
BES Transmission Facilities.’
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).” The SDT has
removed all footnotes within Attachment 1.
2.) PPL Generation proposes the following changes in Attachment 1 to the first entry in the
“Threshold for Reporting” column to make it clear that independent GO/GOPs are
required to act only within their sphere of operation and based on the information that is
available to the GO/GOPs: Damage or destruction of a Facility that: Affects an IROL (per
FAC-014, not applicable to GOs and GOPs) OR Results in the need for actions to avoid an
Adverse Reliability Impact (not applicable to GOs and GOPs) OR Results from actual or
suspected intentional human action (applicable to all).
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Response: The SDT thanks you for your comment.
ISO/RTO Standards Review
Committee
No
The SRC response to this question does not indicate support of the proposed
requirement. Please see the latter part of the SRC’s response to Question 4 below for
an SRC proposed alternative approach:
Response: The SDT thanks you for your comment. Please review response to Question 4 comment.
ACES Power Marketing
Standards Collaborators
No
The drafting team made a number of positive changes to Attachment 1. However,
there are a few changes that have introduced new issues and there are a number of
existing issues that have yet to be fully addressed. One of the existing issues is that
the reporting requirements will result in duplicate reporting. Considering that one of
the stated purposes is to eliminate redundancy, we do not see how the scope of the
SAR can be considered to be met until all duplicate reporting is eliminated.
The SDT acknowledges that reporting of the same event will come from multiple
parties. However, as the industry has learned from recent events, NERC needs to
have perspectives from a variety of entities instead of just one party’s viewpoint.
Reliability can be improved from learning how the differing parties see or
experience the event. Sometimes, the differing perspectives have provided
valuable insight on the true nature of the event. Therefore, the SDT believes that
having multiple reports will aid reliability as we can learn from everyone’s
experiences.
More specifics on our concerns are provided in the following discussion.
(1) In the “Damage or destruction of a Facility” event, the statement “Affects an IROL
(per FAC-014)” in the “Threshold for Reporting” is ambiguous. What does it mean? If
the loss of a Facility will have a 1 MW flow change on the Facilities to which the IROL
applies, is this considered to have affected the IROL? We suggest a more direct
statement that damage or destruction occurred on a Facility to which the IROL
applies or to one of the Facilities that comprise an IROL contingency as identified in
FAC-014-2 R5.1.3. Otherwise, there will continue to be ambiguity over what
constitutes “affects”.
(2) In the “Damage or destruction of a Facility” event, the threshold regarding
“intentional human action” is ambiguous and suffers from the same difficulties as
defining sabotage. What constitutes intentional? How do we know something was
intentional without a law enforcement investigation? This is the same issue that
prevented the drafting team from defining sabotage.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
(3) In the “Damage or destruction of a Facility” and “Any physical threat that could
impact the operability of a Facility” events, Distribution Provider should be removed.
Per the Function Model, the Distribution Provider does not have any Facilities (line,
generator, shunt compensator, transformer). The only Distribution Provider
equipment that even resembles a Facility would be capacitors (i.e. shunt
compensator) but they do not qualify because they are not Bulk Electric System
Elements.
The SDT agrees that if a DP does not own or operate a Facility then this event would
not be applicable to them. However, if a DP does experience an event such as
those listed, then it is a reportable incident under this standard.
(4) The “Any physical threat that could impact the operability of a Facility” event
requires duplicate reporting. For example, if a large generating plant experiences
such a threat, who should report the event? What if loss of the plant could cause
capacity and energy shortages as well as transmission limits? The end result is that
the RC, BA, TOP, GO and GOP could all end up submitting a report for the same
event. For a given operating area, only one report should be required from one
registered entity for each event.
The SDT acknowledges that multiple reports could result from an event. If an entity
experiences an applicable event type, then they are required to report it. As previously
stated, the industry can benefit from having such differing perspectives when
events occur.
(5) The “Any physical threat that could impact the operability of a Facility” event
should not apply to a single Facility but rather multiple Facilities which if lost would
impact BES reliability. As written now, a train derailment near a single 138 kV
transmission line or small generator with minimal reliability impact would require
reporting.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
(6) The “BES Emergency resulting in automatic firm load shedding” should not apply
to the DP. In the existing EOP-004 standard, Distribution Provider is not included and
the load shed information still gets reported.
The SDT believes that the DP should be required to report “automatic firm load
shedding…” to the ERO (and whoever else the entity wishes to inform per
Requirement R1).
(7) The “Voltage deviation on a Facility” event needs to be clarified that the TOP only
reports voltage deviations in its Transmission Operator Area. Because TOPs may view
into other Transmission Operator Areas, it could technically be required to report
another TOP’s voltage deviation because one of its System Operators observed the
neighboring TOP’s voltage deviation.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes .”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
The SDT understands that there may be several reports of a single event; and as the
SDT has stated before, that this will give the ERO a better understanding of the
depth and breadth of system conditions based on the given event.
(8) For the “Loss of firm load greater than 15 minutes” event, the potential for
duplicate reporting needs to be eliminated. Every time a DP experiences this event,
the DP, TOP and BA all appear to be required to report since the DP is within both the
Balancing Authority Area and Transmission Operator Area. Only one report is
necessary and should be sent. Given that the existing EOP-004 standard does not
include the DP, we suggest eliminating the DP to eliminate one level of duplicate
reporting.
The SDT understands that there may be several reports of a single event; and as the
SDT has stated before, that this will give the ERO a better understanding of the
depth and breadth of system conditions based on the given event.
(9) For the “System separation (islanding)” event, please remove DP. As long as any
island remains viable, the Distribution Provider will not even be aware that an island
occurred. It is not responsible for monitoring frequency or having a wide area view.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified.
This event is now only applicable to RC, BA, and TOP.
(10) For the “System separation (islanding)” event, please remove BA. Because
islanding and system separation involve Transmission Facilities automatically being
removed from service, this is largely a Transmission Operator issue. This position is
further supported by the approval of system restoration standard (EOP-005-2) that
gives the responsibility to restore the system to the TOP.
(11) For the “System separation (islanding)” event, please eliminate duplicate
reporting by clarifying that the RC should submit the report when more than one
TOP is involved. If only one TOP is involved, then the single TOP can submit the
report or the RC could agree to do it on their behalf. Only one report is necessary.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified.
This event is now only applicable to RC, BA, and TOP. The SDT understands that
there may be several reports of a single event; and as the SDT has stated before,
that this will give the ERO a better understanding of the depth and breadth of
system conditions based on the given event.
(12) For the “Generation loss” event, duplicate reporting should be eliminated. It is
not necessary for both the BA and GOP to submit two separate reports with nearly
identical information. Only one entity should be responsible for reporting.
The SDT understands that there may be several reports of a single event; and as the
SDT has stated before, that this will give the ERO a better understanding of the
depth and breadth of system conditions based on the given event.
(13) For the “Complete loss of off-site power to a nuclear generating plant”, the
associated GO or GOP should be required to report rather than the TO or TOP.
Maintaining power to cooling systems is ultimately the responsibility of the nuclear
plant operator. At the very least, TO should be removed because it is not an
operating entity and loss of off-site power is an operational issue. If the TOP remains
in the reporting responsibility, it should be clarified that it is only a TOP with an
agreement pursuant to NUC-001. All of this is further complicated because NUC-001
was written for a non-specific transmission entity because there was no one
functional entity from which the nuclear plant operator gets its off-site power.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Complete loss of off-site power affecting a nuclear generating station per the
Nuclear Plant Interface Requirement.” As stated in this event Threshold, the TOP’s
NIPR may have additional guidance concerning the complete loss of offsite power
affecting a nuclear plant.
(14) For the “Complete or partial loss of monitoring capability”, partial loss needs to
be further clarified. Is loss of a single RTU a partial loss of monitoring capability? For
a large RC is loss of ICCP to a single small TOP, considered a partial loss? We suggest
as long as the entity has the ability to monitor their system through other means that
the event should not be reported. For the loss of a single RTU, if the entity has a
solving state estimator that provides estimates for the area impacted, the partial
threshold loss would not be considered. If the entity has another entity (i.e. perhaps
the RC is still receiving data for its TOP area, the RC can monitor for the TOP) that can
monitor their system as a backup, the partial loss has not been met.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
Southern Company Services
No
It appears that the SDT has incorporated the reporting requirements for CIP-008
“reportable Cyber Security Incidents”; however, the “recognition” requirements
remain in CIP-008 Reliability Standard. Southern understands the desire to
consolidate reporting requirements into a single standard, but it would be clearer for
Cyber Security Incidents if both the recognition and reporting requirements were in
one reliability standard and not spread across multiple standards.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
As it relates to the event type “Loss of Firm Load for > 15 minutes”, Southern
suggests that the SDT clarify if weather related loss of firm load is excluded from the
reporting requirement.
The SDT believes that it is important to report this event based on the threshold
regardless of the cause. This will give the ERO (and whoever else the entity wishes
to inform per Requirement R1) a better understanding of the depth and breadth of
system conditions based on the given event.
As it relates to the event type “Loss of all voice communication capability”, Southern
suggests that the SDT clarify if this means both primary and backup voice
communication systems or just primary voice communication systems.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Complete loss of voice communications capabilities affecting a BES control center
for 30 continuous minutes or more.” The SDT intends “complete” to mean all
capabilities, including back up capabilities.
Referring to “CIP-008-3 or its successor” in Requirement R1.1 is problematic. This
arrangement results in a variable requirement for EOP-004-2 R1. The requirements
in a particular version of a standard should be fixed and not variable. If exceptions to
applicable events change, a revision should be made to EOP-004 to reflect the
modified requirement.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008.
Response: The SDT thanks you for your comment.
Hydro One
No
In the Attachment 1, language identical to event descriptions in the NERC Event
Analysis Process and FERC OE-417 should be used. Creating a third set of event
descriptions is not helpful to system operators. Recommend aligning the Attachment
1 wording with that contained in Attachment 2, DOE Form OE-417 and the EAP
whenever possible.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. Using identical terminology will be difficult to achieve as the DOE
form and EAP have differing processes for identification of the reportable
incidences. The SDT has tried to set up the reportable events in the standard to be
as similar as possible to the other organizations without being tied to their specific
language. Attachment 2 has been modified to match the events types listed in
Attachment 1.
The proposed “events” are subjective and will lead to confusion and questions as to
what has to be reported. - Event: A reportable Cyber Security Incident. All
reportable Cyber Security Incidents may not require “One Hour Reporting.” A “one-size fits all” approach may not be appropriate for the reporting of all Cyber Security
Incidents. The NERC “Security Guideline for the Electricity Sector: Threat and Incident
Reporting” document provides time-frames for Cyber Security Incident Reporting.
For example, a Cyber Security Compromise is recommended to be reported within
one hour of detection, however, Information Theft or Loss is recommended to be
reported within 48 hours. Recommend listing the Event as “A confirmed reportable
Cyber Security Incident.” The existing NERC “Security Guideline for the Electricity
Sector: Threat and Incident Reporting” document uses reporting time-frames based
on “detection” and “discovery.” Recommend using the word confirmed because of
the investigation time that may be required from the point of initial “detection” or
“discovery” to the point of confirmation, when the compliance “time-clock” would
start for the reporting requirement in EOP-004-2.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement. Note that the existing NERC
“Security Guideline for the Electricity Sector: Threat and Incident Reporting”
document is a “guideline” to assist entities. It should not be confused with a
mandatory and enforceable Reliability Standard.
- Event: Damage or destruction of a Facility Threshold for Reporting: revise language
on third item to read: “Results from actual or suspected intentional human action,
excluding unintentional human errors”.
The SDT reviewed, discussed and updated “Damage and destruction of a Facility”
based on comments received, FERC directives and what is required for combining
CIP-001 and EOP-004 into EOP-004-2. The new “threshold” now states:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
- Event: Any physical threat that could impact the operability of a Facility This Event
category should be deleted. The word “could” is hypothetical and therefore
unverifiable and un-auditable. The word “impact” is undefined. Please delete this
reporting requirement, or provide a list of hypothetical “could impact” events, as well
as a specific definition and method for determining a specific physical impact
threshold for “could impact” events other than “any.”
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
- Event: BES Emergency requiring public appeal for load reduction. Replace wording
in the Event column with language from #8 on the OE-417 Reporting Form to
eliminate reporting confusion. Following this sentence add, “This shall exclude other
public appeals, e.g., made for weather, air quality and power market-related
conditions, which are not made in response to a specific BES event.”
The SDT disagrees with quantifying a use of public appeals reporting for different
types of events. The important item here is that a public appeal was issued for load
reduction. A report is required to inform the ERO (and whoever else the entity
wishes to inform per Requirement R1) of your current status and provide them with
the situational awareness of the status of your system.
- Event: Complete or partial loss of monitoring capability Event wording: Delete the
words “or partial” to conform the wording to the NERC Event Analysis Process.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Event: Transmission Loss Revise to BES Transmission Loss
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
Event: Generation Loss Revise to BES Generation Loss
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
The SDT believes that if an entity reaches this threshold, it needs to be reported.
Response: The SDT thanks you for your comment.
CenterPoint Energy
No
CenterPoint Energy appreciates the revisions made to Attachment 1 based on
stakeholder feedback; however, the Company continues to have concerns regarding
certain events and thresholds for reporting and offers the following
recommendations. (1) CenterPoint Energy recommends the deletion of "per
Requirement R1" in the “Note” under Attachment 1 as it contains a circular reference
back to R1 which includes timeframes.
The SDT has updated Requirement R1 due to industry comments to read:
“R1. Each Responsible Entity shall have an event reporting Operating Plan that
includes communication protocol(s) for applicable events listed in, and within the
time frames specified in EOP-004 Attachment 1 to the Electric Reliability
Organization and other organizations based on the event type (e.g. the Regional
Entity, company personnel, the Responsible Entity’s Reliability Coordinator, law
enforcement, governmental or provincial agencies).”
(2) CenterPoint Energy maintains that a required 1 hour threshold for reporting of
any event is unreasonable. CenterPoint Energy is confident that given dire
circumstances Responsible Entities will act quickly on responding to and
communication of any impending threat to the reliability of the Bulk Electric System.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
(3) For the event of “Damage or destruction of a Facility”, CenterPoint Energy is
concerned that the use of the term “suspected” is too broad and proposes that the
SDT delete "suspected" and add "that causes an Adverse Reliability Impact..." to the
threshold for reporting regarding human action.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
(4) CenterPoint Energy believes that the event, “Any physical threat that could impact
the operability of a Facility” is too broad and should be deleted. Alternatively,
CenterPoint Energy recommends that the SDT delete "could” or change the event
description to "A physical incident that causes an Adverse Reliability Impact".
Additionally, in footnote 1, the example of a train derailment uses the phrase “could
have damaged”. CenterPoint Energy is concerned that as beauty is in the eye of the
beholder, this phrase is open to interpretation and therefore recommends that the
phrase, “causes an Adverse Reliability Impact” be incorporated into the description.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event and
footnote 1. The SDT removed this language so the entities within this column are
clearly stated and identified. Under the “Threshold for Reporting” column, a bright
line was updated based on currently enforced Reliability Standards, FERC directives
and industry comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
(5) The Company proposes that the threshold for reporting the event, “BES
Emergency requiring manual firm load shedding” is too low. It appears the SDT was
attempting to align this threshold with the DOE reporting requirement. However, as
the SDT stated above, there are several valid reasons why this should not be done;
therefore, CenterPoint Energy recommends the threshold be revised to “Manual firm
load shedding ≥ 300 MW”.
The SDT disagrees as this is currently enforceable within EOP-004-1.
(6) CenterPoint Energy also recommends a similar revision to the threshold for
reporting associated with the “BES Emergency resulting in automatic firm load
shedding” event. (“Firm load shedding ≥ 300 MW (via automatic under voltage or
under frequency load shedding schemes, or SPS/RAS)”)
The SDT disagrees as we have aligned this with “manual firm load shedding.” As
written a report will be required for load shedding of 100MW for automatic or
manual actions.
(7) CenterPoint Energy is uncertain of the event, “Loss of firm load for ≥ 15
minutes” and its fit with BES Emergency requiring manual firm load shedding or BES
Emergency resulting in automatic firm load shedding. The Company believes that this
event is already covered with manual firm load shedding and automatic firm load
shedding and should therefore be deleted.
The SDT disagrees, as “Loss of firm load” is due to an action other than loss of load
due to “automatic” or “manual” actions by the BA, TOP, or DP. The intent is to
capture that load was lost by some other action. Note that this is a currently
enforceable item within EOP-004-1.
(8) For the event of “System separation (islanding)”, CenterPoint Energy believes that
100 MW is inconsequential and proposes 300 MW instead.
The SDT disagrees, as this has been vetted through the industry with very little
negative feedback.
(9) For “Generation loss”, CenterPoint Energy suggests that the SDT add "only if
multiple units” to the criteria of “1,000 MW for entities in the ERCOT or Quebec
Interconnection”.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
(10) Finally, CenterPoint Energy recommends that the SDT delete the term “partial”
under the “Entity with Reporting Responsibility” for “Complete or partial loss of
monitoring capability”. The Company proposes revising the event description to "Loss
of monitoring capability for > 30 minutes that causes system analysis tools to be
inoperable”.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
Arkansas Electric Cooperative
Corporation
No
AECC supports the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. Please review the response to that commenter.
MWDSC
No
See comment for question 1
Response: The SDT thanks you for your comment. Please review the response to Question 1.
Georgia System Operations
Corporation
No
See comments under no. 4 below.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Texas Reliability Entity
No
(1) In the Events Table, consider whether the item for “Voltage deviation on Facility”
should also be applicable to GOPs, because a loss of voltage control at a generator
(e.g. failure of an automatic voltage regulator or power system stabilizer) could have
a similar impact on the BES as other reportable items. Note: We made this comment
last time, and the SDT’s posted response was non-responsive to this concern.
The SDT reviewed TRE’s comment and believe that our consideration of comments
during that last posting clearly stated the SDT view correctly. We stated “The SDT
disagrees with this comment. Attachment 1 is the minimum set of events that will
be required to report and communicate per your Operating Plan will be aware of
system conditions.” Further, we note that such events do not rise to the level of
notification to the ERO. When events like the ones you mention occur, the entity
has obligations to notify other parties according to reliability standards relating to
that equipment. The NERC Standards Process Manual does allow TRE to apply for a
variance if they have special concerns that GOPs should submit a report to the ERO.
(2) In the Events Table, under Transmission Loss, the SDT indicated that reporting is
triggered only if three or more Transmission Facilities operated by a single TOP are
lost. What if four Facilities are lost, with two Facilities operated by each of two TOPs?
That is a larger event than three Facilities lost by one TOP, but there is no reporting
requirement? Determining event status by facility ownership is not an appropriate
measure. The reporting requirements should be based on the magnitude, duration,
or impact of the event, and not on what entities own or operate the facilities.
(3) In the Events Table, under Transmission Loss, the criteria “loss of three or more
Transmission Facilities” is very indefinite and ambiguous. For example, how will bus
outages be considered? Many entities consider a bus as a single “Facility,” but loss of
a single bus may impact as many as six 345kV transmission lines and cause a major
event. It is not clear if this type of event would be reportable under the listed event
threshold? Is the single-end opening of a transmission line considered as a loss of a
Facility under the reporting criteria?
(4) Combinations of events should be reportable. For example, a single event
resulting in the loss of two Transmission Facilities (line and transformer) and a 950
MW generator would not be reportable under this standard. But loss of two lines
and a transformer, or a 1000 MW generator, would be reportable. It is important to
capture all events that have significant impacts.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
The SDT has reviewed Attachment 1 as a minimum level of reporting thresholds.
There may be times where an entity may wish to report when a threshold has not
been reached because of their experience with their system. EOP-004-2 does not
prevent any entity from reporting any type of situation (event) at anytime. Note
that the SDT has received industry feedback and it is not within scope of a results
based Standards concept to be very prescriptive in nature.
(5) In the Events Table, under “Unplanned control center evacuation,” “Loss of all
voice communication capability” and “Complete or partial loss of monitoring
capability,” GOPs should be included. GOPs also operate control centers that are
subject to these kinds of occurrences, with potentially major impacts to the BES.
Note that large GOP control centers are classified as “High Impact” facilities in the CIP
Version 5 standards, and a single facility can control more than 10,000 MW of
generation.
The SDT appreciates your suggestion; however, as we understand the point, it
doesn’t apply continent-wide. The SDT has applied these events to RCs, BAs, and
TOPs.
(6) The “BES Emergency resulting in automatic firm load shedding” event row within
Attachment 1 should include the BA as a responsible entity for reporting. Note that
EOP-003-1 requires the BA to shed load in emergency situations (R1, R5 as examples),
and any such occurrence should be reported.
The SDT has reviewed your comment and would like to note that manual load
shedding is only reportable if 100 MW or more is activated. Automatic load
shedding is intended to be when a “relay” performs a breaker action that sheds
load without human interaction and achieves a level of 100 MW or more.
Response: The SDT thanks you for your comment.
Occidental Power Services,
Inc.
No
There are no requirements in Attachment 1 for LSEs without BES assets so these
entities should not be in the Applicability section.
Response: The SDT thanks you for your comment. The LSE obligation in this standard was tied to applicability in CIP-008 for cyber
incident reporting. Reporting under CIP-008 is no longer proposed to be a part of EOP-004-2 so this applicability has been
removed. Please note that LSEs will be obligated to report under CIP-008 until that standard has been changed.
Xcel Energy
No
1) The event Damage or destruction of a Facility appears to need ‘qualifying’. Is this
intended for only malicious intent? Otherwise, weather related or other operational
events will often meet this criteria. For example adjustment in generation or changes
in line limits to “avoid an Adverse Reliability Impact” could occur during a weather
related outage. We suggest adjusting this event and criteria to clearly exclude certain
items or identify what is included.
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
2) Also recommend placing the information in footnote 1 into the associated
Threshold for Reporting column, and removing the footnote.
The SDT has removed the footnote per industry comments and concerns.
Response: The SDT thanks you for your comment.
American Electric Power
No
If CIP-008 is now out of scope within the requirements of this standard, any
references to it should also be removed from Attachment 1.
The SDT has removed the one-hour reporting requirement as requested within
comments received.
The Threshold for Reporting column on page 26 includes “Results from actual or
suspected intentional human action.” This wording is too vague as many actions by
their very nature are intentional. In addition, it should actually be used as a qualifying
event rather than a threshold. We recommend removing it entirely from the
Threshold column, and placing it in the Events column and also replacing the first row
as follows: “Actual or suspected intentional human action with the goal of damage to,
or destruction of, the Facility.”
On page 27, the event “Any physical threat that could impact the operability of a
Facility” is too vague and broad. Using the phrases “any physical threat” and “could
impact” sets too high a bar on what would need to be reported. On page 28, for the
event “Complete loss of off-site power to a nuclear generating plant (grid supply)”,
TO and TOP should be removed and replaced by GOP.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Response: The SDT thanks you for your comment.
Clark Public Utilities
No
I agree with all but one. The event is "Damage or destruction of a Facility" and the
threshold for reporting is "Results from actual or suspected intentional human
action." I understand and agree that destruction of a facility due to actual or
suspected intentional human action should always be reported. However, I do not
know what level of damage should be reported. Obviously the term "damage" is
meant to signify an event that is less than destruction. As a result, damage could be
extensive, minimal, or hardly noticeable. There needs to be some measure of what
the damage entails if the standard is to contain a broad requirement for the reporting
of damage intentionally caused by human action. Whether that measure is based on
the actual impacts to the BES from the damage or whether the measure is based on
the ability of the damaged equipment to continue to function at 100%, 50% or some
capability would be acceptable but currently it is too open ended.
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours, this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
New York Power Authority
No
Please see comments submitted by NPCC Regional Standards Committee (RSC).
Response: Thank you for your comment. Please see response to the comments.
Consolidated Edison Co. of NY,
Inc.
No
General comment regarding Attachment 1: SDT should strive to use identical language
to event descriptions in the NERC Event Analysis Process and FERC OE-417. Creating
a third set of event descriptions is not helpful to system operators. We recommend
aligning the Attachment 1 wording with that contained in Attachment 2, DOE Form
OE-417 and the EAP whenever possible.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. Using identical terminology will be difficult to achieve as the DOE
form and EAP have differing processes for identification of the reportable
incidences. The SDT has tried to set up the reportable events in the standard to be
as similar as possible to the other organizations without being tied to their specific
language. Attachment 2 has been modified to match the events types listed in
Attachment 1.
Replace the Attachment 1 “NOTE” with the following clarifying wording: NOTE: The
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator
will accept the DOE OE-417 form in lieu of Attachment 2 if the entity is required to
submit an OE-417 report. Submit reports to the ERO via one of the following: e-mail:
esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422. Initial submittal by
Voice within the reporting time frame is acceptable for all events when followed by a
hardcopy submittal by Facsimile or e-mail as and if required.
The SDT thanks you for your comment. First, the SDT believes that you intended
the comment to address the “Note” on Attachment 2, not Attachment 1. The SDT
does not believe that a hardcopy report is necessary if the organization has made
voice contact.
Event: Damage or destruction of a Facility Threshold for Reporting: revise language
on third item to read, Results from actual or suspected intentional human action,
excluding unintentional human errors.
The SDT reviewed, discussed and updated “Damage and destruction of a Facility”
based on comments received, FERC directives and what is required for combining
CIP-001 and EOP-004 into EOP-004-2. The new “threshold” now states:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
Event: Any physical threat that could impact the operability of a Facility This Event
category should be deleted. The word “could” is hypothetical and therefore
unverifiable and un-auditable. The word “impact” is undefined. Please delete this
reporting requirement, or please provide a list of hypothetical “could impact” events,
as well as a specific definition and method for determining a specific physical impact
threshold for “could impact” events other than “any.”
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Event: BES Emergency requiring public appeal for load reduction. Replace Event
wording with language from #8 on OE-417 reporting form to eliminate reporting
confusion. Following this sentence add, “This shall exclude other public appeals, e.g.,
made for weather, air quality and power market-related conditions, which are not
made in response to a specific BES event.”
The SDT disagrees with quantifying a use of public appeals reporting for different
types of events. The important item here is that a public appeal was issued for load
reduction. A report is required to inform the ERO (and whoever else the entity
wishes to inform per Requirement R1) of your current status and provide them with
the situational awareness of the status of your system.
Event: Complete or partial loss of monitoring capability Event wording: Delete the
words “or partial” to conform the wording to NERC Event Analysis Process.
Event: Transmission Loss Modify to BES Transmission Loss
Event: Generation Loss Modify to BES Generation Loss
Orange and Rockland Utilities,
Inc.
No
General comment regarding Attachment 1: SDT should strive to use identical
language to event descriptions in the NERC Event Analysis Process and FERC OE-417.
Creating a third set of event descriptions is not helpful to system operators. We
recommend aligning the Attachment 1 wording with that contained in Attachment 2,
DOE Form OE-417 and the EAP whenever possible.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. Using identical terminology will be difficult to achieve as the DOE
form and EAP have differing processes for identification of the reportable
incidences. The SDT has tried to set up the reportable events in the standard to be
as similar as possible to the other organizations without being tied to their specific
language. Attachment 2 has been modified to match the events types listed in
Attachment 1.
Replace the Attachment 1 “NOTE” with the following clarifying wording: NOTE: The
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator
will accept the DOE OE-417 form in lieu of Attachment 2 if the entity is required to
submit an OE-417 report. Submit reports to the ERO via one of the following: e-mail:
esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422. Initial submittal by
Voice within the reporting time frame is acceptable for all events when followed by a
hardcopy submittal by Facsimile or e-mail as and if required.
The SDT thanks you for your comment. First, the SDT believes that you intended
the comment to address the “Note” on Attachment 2, not Attachment 1. The SDT
does not believe that a hardcopy report is necessary if the organization has made
voice contact.
Event: Damage or destruction of a Facility Threshold for Reporting: revise language
on third item to read, Results from actual or suspected intentional human action,
excluding unintentional human errors.
The SDT reviewed, discussed and updated “Damage and destruction of a Facility”
based on comments received, FERC directives and what is required for combining
CIP-001 and EOP-004 into EOP-004-2. The new “threshold” now states:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
Event: Any physical threat that could impact the operability of a Facility This Event
category should be deleted. The word “could” is hypothetical and therefore
unverifiable and un-auditable. The word “impact” is undefined. Please delete this
reporting requirement, or please provide a list of hypothetical “could impact” events,
as well as a specific definition and method for determining a specific physical impact
threshold for “could impact” events other than “any.”
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours; this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Event: BES Emergency requiring public appeal for load reduction. Replace Event
wording with language from #8 on OE-417 reporting form to eliminate reporting
confusion. Following this sentence add, “This shall exclude other public appeals, e.g.,
made for weather, air quality and power market-related conditions, which are not
made in response to a specific BES event.”
The SDT disagrees with quantifying a use of public appeals reporting for different
types of events. The important item here is that a public appeal was issued for load
reduction. A report is required to inform the ERO (and whoever else the entity
wishes to inform per Requirement R1) of your current status and provide them with
the situational awareness of the status of your system.
Event: Complete or partial loss of monitoring capability Event wording: Delete the
words “or partial” to conform the wording to NERC Event Analysis Process.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Event: Transmission Loss Modify to BES Transmission Loss
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
Event Generation Loss Modify to BES Generation Loss
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
Response: The SDT thanks you for your comment.
FirstEnergy Corp
No
FE requests the following changes be made to Attachment 1: 1. Pg. 19 / Event:
“Voltage deviation on a Facility”. The term “observes” for Entity with Reporting
Responsibility be changed to “experiences”. The burden should rest with the
initiating entity in consistency with other Reporting Responsibilities.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
2. In “Threshold for Reporting”, the language should be expanded to - plus or minus
10% “of nominal voltage” for greater than or equal to 15 continuous minutes.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
3. Pg. 20 / Event: “Complete or partial loss of monitoring capability”. The term
“partial” should be deleted from the event description to read as follows: Complete
loss of monitoring capability and the reporting responsibility requirements to read
“Each RC, BA, and TOP that experiences the complete loss of monitoring capability.”
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
Farmington Electric Utility
System
No
The reporting threshold for “Complete or partial loss of monitoring capability” should
be modified to include the loss of additional equipment and not be limited to State
Estimator and Contingency Analysis. Some options have been included: Affecting a
BES control center for ≥ 30 continuous minutes such that Real-Time monitoring
tools are rendered inoperable. Affecting a BES control center for ≥ 30 continuous
minutes to the extent a Constrained Facility would not be identified or an Adverse
Reliability Impact event could occur due to lack of monitoring capability. Affecting a
BES control center for ≥ 30 continuous minutes such that an Emergency would
not be identified or ma
Response: The SDT thanks you for your comment. The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004 into EOP-004-2. This event is now written to
state:
“Complete loss of monitoring capability affecting a BES control center for 30 continuous minutes or more such that analysis
capability (State Estimator, Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or TOP who have this
capability to start with.
Public Service Enterprise
Group
No
We agreed with most of the revisions. However, for the 24-hour reporting time
frame portion of the EOP-004 Attachment 1: Reportable Event that starts on p. 18,
we have these concerns: a. Why was “RC” left out in the first row? RC is in the
second row that also addresses a “Facility.” We believe that “RC” was inadvertently
left out.
b. In the first row, entities such as a BA, TO, GO, GOP, or DP would not know whether
damage or destruction of one of its Facilities either “Affects an IROL (per FAC-014)” or
“Results in the need for actions to avoid an Adverse Reliability Impact.” FAC-014-2,
R5.1.1 requires Reliability Coordinators provide information for each IROL on the
“Identification and status of the associated Facility (or group of Facilities) that is (are)
critical to the derivation of the IROL” to entities that do NOT include the entities
listed above. And frankly, those entities would not need to know. The reporting
requirements associated with “Damage or destruction of a Facility” need to be
changed so that the criteria for reporting by an entity whose Facilities experience
damage or destruction does not rely upon information that the entity does not
possess. c. A possible route to achieve the results in b. above is described below: i. All
Facilities that are damaged or destroyed that “Results from actual or suspected
intentional human action” would be reported to the ERO by the entity experiencing
the damage or destruction. ii. All Facilities that are damaged or destroyed OTHER
THAN THAT due to an “actual or suspected intentional human action” would be
reported to the RC by the entity experiencing the damage or destruction. Based
upon those reports, the RC would be required to report whether the reported
damage or destruction of a Facility “Affects an IROL (per FAC-010)” or “Results in the
need for actions to Avoid an Adverse Reliability Consequence.” (The RC may need to
modify its data specifications in IRO-010-1a - Reliability Coordinator Data
Specification and Collection - to specify outages due to “damage or destruction of a
Facility.” We also note that “DP” is not included in IRO-010-1a, but “LSE” is included.
DPs are required to also register as LSEs if they meet certain criteria. See the
“Statement of Compliance Registry Criteria, Rev. 5.0”, p.7. For this reason, we
suggest that DP be replaced with LSE in EOP-004-2.) d. To implement the changes in
c. above, we suggest that the first row be divided into two rows: i. FIRST ROW: This
would be like the existing first row on page 18, except “RC” would be added to the
column for “Entity with Reporting Responsibility” and the only reporting threshold
would be “Results from actual or suspected intentional human action.” ii. SECOND
ROW: The Event would be “Damage or destruction of a Facility of a BA, TO, TOP, GO,
GOP, or LSE,” the Entity, the Reporting Responsibility would be “The RC that has the
BA, TOP, GO, GOP, or LSE experiencing the damage or destruction in its area,” and
the Threshold for Reporting would be “Affects an IROL (per FAC-010)” or “Results in
the need for actions to avoid an Adverse Reliability Consequence.”
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness
that the electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours; this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
MidAmerican Energy
No
Several modifications need to be made to Table 1 to enhance clarity and delete
unnecessary or duplicate items. The stated reliability objective of EOP-004 and the
drafting team is to reduce and prevent outages which could lead to cascading
through reporting. It is understood that the EOP-004 Attachment 1 is to cover similar
items to the DOE OE-417 form. Last, remember that FERC recently asked the
question of what standards did not provide system reliability benefits. Those reports
that cannot show a direct threat to a potential cascade need to be eliminated. Table
1 should always align with the cascade risk objectives and OE-417 where possible.
Therefore Table 1 should be modified as follows:
1. Completely divorce CIP-008 from EOP-004. Constant changes, the introduction of
new players such as DOE and DHS, and repeated congressional bills, make
coordination with CIP-008 nearly impossible. Cyber security and operational
performance under EOP-004 remain separate and different despite best efforts to
combine the two concepts.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
2. Modify R1.2 to state that ERO notification only is required for Table 1. This is
similar to the DOE OE-417 notification. Notification of other entities is a best
practice, not a mandatory NERC standard. If entities want to notify neighboring
entities, they may do so as a best practice guideline.
The SDT has updated R1 based on comments received to read as:
“R1. Each Responsible Entity shall have an event reporting Operating Plan that
includes communication protocol(s) for applicable events listed in, and within the
timeframes specified in EOP-004 Attachment 1 to the Electric Reliability
Organization and other organizations based on the event type (e.g. the Regional
Entity, company personnel, the Responsible Entity’s Reliability Coordinator, law
enforcement, governmental or provincial agencies).”
3. Better clarity for communicating each of the applicable events listed in the
EOP-004 Attachment 1 in accordance with the timeframes specified is needed.
MidAmerican suggests a fourth column be added to the table to clearly identify who
must be notified within the specified time period or at a minimum, that R1.2 be
revised to clearly state that only the ERO must be notified to comply with the
standard.
The SDT disagrees but believes that per your Operating Plan contained in
Requirement R1, an entity could take Attachment 1 and insert another column to
assist whoever is designated to report an event within your company. The SDT
does not want to be too prescriptive within Attachment 1.
4. Consolidate OE-417 concepts on physical attack and cyber events by consolidating
OE-417 items 1, 2, 9 and 10 to: Verifiable, credible, and malicious physical damage
(excluding natural weather events) to a BES generator, line, transformer, or bus that
when reported requires an appropriate Reliability Coordinator or Balancing Authority
to issue an Energy Emergency Alert Level 2 or higher. The whole attempt to discuss a
NERC Facility and avoid adverse reliability impacts overreaches the fundamental
principle of reporting for an emergency that could result in a cascade.
The SDT disagrees since the OE-417 (and EAP) does not follow the ANSI process as
NERC does in the Standards Development Process.
5. The wording “affects an IROL (per FAC-014),” is too vague and not measurable.
Many facilities could affect an IROL, but fewer facilities if lost would cause an IROL.
Change “affects” to “results in”
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
6. Recommend that Adverse Reliability Impact be deleted and be replaced with actual
EEA 2 or EEA 3 level events.
The SDT has removed Adverse Reliability Impact based on industry feedback and
rewrote the event:
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours; this will give the ERO (and whoever else the entity wishes to inform per R1)
the situational awareness that the Facility was “damaged or destroyed”
intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
7. The phrase “results from actual or suspected intentional human action” is vague
and not measurable. This line item used the term “suspected” which relates to
“sabotage”. MidAmerican recommends that “Results from actual or suspected
intentional human action” be deleted. If not deleted the phrase should be replaced
with “Results from verifiable, credible, and malicious human action intended to
damage the BES.”
8. Delete “Any physical threat...” as vague, and difficult to measure in a “perfect” zero
defect audit environment, and as already covered by item 1 above. If not deleted, at
a minimum replace “Any physical threat”, with “physical attack” as being
measurable and consistent with DOE OE-417.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours; this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
9. With the use of “i.e.” the SDT is mandating that each other entity must be
contacted. The NSRF believes that the SDT meant that “e.g.” should be used to
provide examples. The SDT may wish to add another column to Attachment 1 to
provide clarity.
The SDT has made the required change concerning replacing “i.e.” with “e.g.”
10. The phrase “or partial loss of monitoring capability” is too vague and should be
deleted. In addition, the 30 minute window is too short for EMS and IT staff to
effectively be notified and troubleshoot systems before being subjected to a federal
law requiring reporting and potential violations. The time frame should be consistent
with the EOP-008 standard. If not deleted, replace with “Complete loss of SCADA
affecting a BES control center for ≥ 60 continuous minutes such that analysis tools
of State Estimator and/or Contingency Analysis are rendered inoperable.”
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
11. Transmission loss should be deleted. The number of transmission elements out
does not directly correlate to BES stability and cascading. For that reason alone, this
item should be deleted or it would have already been included in the past EOP-004
standard. In addition, large footprints can have multiple storms or weather events
resulting in normal system outages. This should not be a reportable event that deals
with potential cascading.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
12. Modify the threshold of “BES emergency requiring a public appeal...” to include,
“Public appeal for a load reduction event resulting from a RC or BA implementing its
emergency energy and capacity plans documented in EOP-001.” Public appeals for
conservation that aren't used to avoid capacity and energy emergencies should be
clearly excluded.
The SDT disagrees as your request makes the event very prescriptive. The
threshold is written to state: “Public appeal for load reduction event.” The SDT
understands that there may be several reports of a single event and as the SDT has
stated before, that this will give the ERO a better understanding of the depth and
breadth of system conditions based on the given event.
13. Add a time threshold to complete loss of off-site power to a nuclear plant.
Nuclear plants are to have backup diesel generation that last for a minimum amount
of time. A threshold recognizing this 4 hour or longer window needs to be added
such as complete loss of off-site power to a nuclear plant for more than 4 hours.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Complete loss of off-site power affecting a nuclear generating station per the
Nuclear Plant Interface Requirement.”
As stated in this event Threshold, the TOP’s NPIR may have additional guidance
concerning the complete loss of offsite power affecting a nuclear plant.
Also see the NSRF comments.
Please review the responses to that commenter.
Response: The SDT thanks you for your comment.
Illinois Municipal Electric
Agency
No
Illinois Municipal Electric Agency supports comments submitted by Florida Municipal
Power Agency.
Response: The SDT thanks you for your comment. Please review the responses to that commenter.
American Transmission
Company, LLC
No
ATC is proposing changes to the following Events in Attachment 1: (Reference Clean
Copy of the Standard)
1) Pg. 18/ Event: Any Physical threat that could impact the operability of a Facility.
ATC is proposing a language change to the Threshold- “Meets Registered Entities
criteria stated in its Event Reporting Operating Plan, in addition to excluding
weather.”
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours; this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
2) Pg. 19 / Event: Voltage deviation on a Facility. ATC believes that the term
“observes” for Entity with Reporting Responsibility be changed back to “experiences”
as originally written. The burden should rest with the initiating entity in consistency
with other Reporting Responsibilities. Also, for Threshold for Reporting, ATC believes
the language should be expanded to - plus or minus 10% “of target voltage” for
greater than or equal to 15 continuous minutes.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
3) Pg. 19/ Event: Transmission loss. ATC recommends that Threshold for Reporting
be changed to read “Unintentional loss of four, or more Transmission Facilities,
excluding successful automatic reclosing, within 30 seconds of the first loss
experienced and for 30 continuous minutes.” Technical justification or Discussion for
this recommended change: In the instance of a transformer-line-transformer
scenario, commonly found close-in to Generating stations, consisting of 3 defined
“facilities”, 1 lightning strike can cause automatic unintentional loss by design.
Increase the number of facilities to 4. In a normal shoulder season day, an entity may
experience the unintentional loss of a 138kv line from storm activity, at point A in the
morning, a loss of a 115kv line from a different storm 300 miles from point A in the
afternoon, and a loss of 161kv line in the evening 500 miles from point A due to a
failed component, if it is an entity of significant size. Propose some type of time
constraint. Add time constraint as proposed, 30 seconds, other than automatic
reclosing. In the event of dense lightning occurrence, the loss of multiple
transmission facilities may occur over several minutes to several hours with no
significant detrimental effect to the BES, as load will most certainly be affected (lost
due to breaker activity on the much more exposed Distribution system) as well. Any
additional loss after 30 seconds must take into account supplemental devices with
intentional relay time delays, such as shunt capacitors, reactors, or load tap changers
on transformers activating as designed, arresting system decay. In addition,
Generator response after this time has significant impact.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
4) Pg.20 /Event: Complete or partial loss of monitoring capability. ATC recommends
that the term “partial” be deleted from the event description. ATC recommends that
the term “partial” be deleted for the Entity with Reporting Responsibility and
changed to read: Each RC, BA, and TOP that experiences the complete loss of
monitoring capability.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
Alliant Energy
No
In the first Event for twenty four hour reporting, the last item in “Threshold for
Reporting” should be revised to “Results from actual or suspected intentional
malicious human action.” An employee may be performing maintenance and make a
mistake, which could impact the BES. In the second Event for twenty four hour
reporting the event should be revised to “Any physical attack that could impact the
operability of a Facility.” Alliant Energy believes this is clearer and easier to measure.
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness
that the electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours; this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
Consumers Energy
No
The term "Facility" seems to be much more broad and even more vague than the use
of BES equipment. We recommend reverting back to use of BES equipment.
Response: The SDT thanks you for your comment. The SDT disagrees since BES is used within the definition of Facility. NERC
defines Facility as: “A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a
shunt compensator, transformer, etc.).”
Ameren
No
We appreciate the efforts of the SDT and believe this latest Draft is greatly improved
over the previous version. However, we propose the following suggestions: (1) The
first Event category in Attachment 1 under 24 Hour Reporting is Applicable to GO and
GOP entities. Yet the first 2 of 3 Thresholds for Reporting require data that is
unobtainable for GO and GOP entities. Specifically, Events that “Affects an IROL (per
FAC-014)” and “Results in the need for actions to avoid an Adverse Reliability
Impact”. We believe these thresholds, and the use of the NERC Glossary term
Adverse Reliability Impact, clearly show the SDT’s intent to limit reporting only to
Events that have a major and significant reliability impact on the BES. A GO or GOP
does not have access to the wide-area view of the transmission system, making it
impossible for them to make this determination. As a result, we do not believe GO and GOP
entities should have Reporting Responsibility for these types of Events.
(2) For GO and GOP entities, the third Threshold is confusing as to which facilities in
the plant it would be applicable to, because the definition of "Facility" does not
provide clear guidance in that respect. For example, would damage to an ID fan
qualify as a reportable event?
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours; this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
(3) The second Event category in Attachment 1 under 24 Hour Reporting, "Any
physical threat that could impact the operability of a Facility" is wide open to
interpretation and thus impracticable to comply with. For example, a simple car
accident that threatens any transmission circuit, whether it impacts the BES (as listed
in the Threshold for the previous event in the table or any other measure) or not, is
reportable. This list could become endless without the events having any substantial
impact on the system. To continue this point, the Footnote 1 can also include, among
many other examples, the following: (a) A wild fire near a generating plant, (b) Low
river levels that might shut down a generating plant, (c) A crane that has partially
collapsed near a generator switchyard, (d) Damage to a rail line into a coal plant,
and/or (e) low gas pressure that might limit or stop operation of a natural gas
generating plant.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours; this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
(4) The category, "Transmission Loss" is a concern also. If the meaning of
Transmission Facility is included in the meaning of Facility as described in the event
list, it may be acceptable; but we still have a question: how would a loss of a bus and
the multiple radial elements that may be connected to that bus be treated?
Also, how would a breaker failure affect this type of an event? The loss of a circuit is
“intentional” (as opposed to Unintentional as listed in the threshold) for the failure of
a breaker; how will it be treated in counting three or more? We suggest a clarification
for such types of scenarios.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
(5) Requirement R1.: 1.1 includes an exception from compliance with this Standard if
there is a Cyber Security Incident according to CIP-008-3. However, note that
CIP-008-3 may not apply to all GO and GOP facilities. While the exception is warranted to
eliminate duplicative event reporting plans, the language of this requirement is
confusing as it does not clearly provide that message.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have proposed remanding the one hour event back to CIP-008.
(6) The second paragraph in Section C.1.1.2. includes the phrases “...shall retain the
current, document...” and “...the “date change page” from each version...” Is the
“document” intended to be the Operating Plan? We do not see a defining reference
in the text around this phrase; also, is a “date change page” mandatory for
compliance with this Standard? We request additional clarification of wording in the
Evidence Retention section of the Standard.
(7) Page 19 / Event: Voltage deviation on a Facility: We believe that the term
“observes” for Entity with Reporting Responsibility be changed back to “experiences”
as originally written. The burden should rest with the initiating entity in consistency
with other Reporting Responsibilities. In addition, for Threshold for Reporting, we
believe the language should be expanded to - plus or minus 10% “of nominal voltage”
for greater than or equal to 15 continuous minutes.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
(8) Page 20 /Event: Complete or partial loss of monitoring capability. We suggest to
the SDT that the term “partial” be deleted from the event description.
(9) We suggest to the SDT that the term “partial” be deleted for the Entity with
Reporting Responsibility and changed to read: Each RC, BA, and TOP that experiences
the complete loss of monitoring capability.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
We Energies
No
Submitting reports to the ERO: NERC and all of the Regional Entities are the ERO. If I
send a report to any Regional Entity (and not NERC), I have sent it to the ERO.
The SDT would like to point out that FERC has approved NERC to be the ERO, and
NERC has a delegation agreement with each Regional Entity. This
Requirement R1 requires you send a report to the ERO (and whoever else the entity
wishes to inform per Requirement R1 including the applicable regions if you are so
obligated or it’s your desire).
Damage or Destruction of a Facility: A DP may not have a Facility by the NERC
Glossary definition. All distribution is not a Facility. Did you mean to exclude all
distribution?
The SDT agrees that if a DP does not own or operate a Facility then this event would
not be applicable to them.
Any Physical threat that could impact the operability of a Facility: An RC does not
have Facilities by the NERC Glossary definition. An RC will not have to report this. BES
Emergency... Reporting Responsibility: If meeting the Reporting Threshold was due
to a directive from the RC, who is the Initiating entity?
The SDT agrees that the RC does not own a Facility and has removed all
language under “Entity with Reporting Responsibility,” with the exception of
entity(s) that are required to report an applicable event. The SDT removed this
language so the entities within this column are clearly stated and identified. Under
the “Threshold for Reporting” column, a bright line was updated based on currently
enforced Reliability Standards, FERC directives and industry comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours; this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Voltage deviation on a Facility Threshold for Reporting: 10% of what voltage?
Nominal, rated, scheduled, design, actual at an instant?
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
Response: The SDT thanks you for your comment.
NextEra Energy Inc
No
As stated in NextEra’s past comments, we continue to be concerned that EOP-004-2
does not appropriately address actual sabotage that threatens the Bulk Electric
System (BES) versus random acts that are isolated and pose no risk to the BES.
Therefore, NextEra repeats a portion of its past comments below in the hope that the
next revision of EOP-004-2 will more adequately address NextEra’s concerns.
Specifically, NextEra requests that its definition of sabotage set forth below replace
Attachment 1’s “Damage and Destruction of Equipment” and “Any physical threat
that could impact the operability of a Facility.” In Order No. 693, FERC stated its
interest in NERC revising CIP-001 to better define sabotage and requiring notification
to certain appropriate federal authorities, such as the Department of Homeland
Security. FERC Order No. 693 at PP 461, 462, 467, 468, 471. NextEra has provided an
approach that accomplishes FERC’s objectives and remains within the framework of
the drafting team, but also focuses the process of determining and reporting on only
those sabotage acts that could affect other BES systems. Today, there are too many
events that are being reported as sabotage to all parties in the Interconnection, when
in reality these acts have no material effect or potential impact to other BES systems
other than the one that experienced it. For example, while the drafting team notes
the issue of copper theft is a localized act, there are other localized acts of sabotage
that are committed by an individual, and these acts pose little, if any, impact or
threat to other BES systems. Reporting sabotage that does not need to be sent to
everyone does not add to the security or reliability of the BES. Relatedly, there is a
need to clarify some of the current industry confusion on who should (and has the
capabilities to) be reporting to a broader audience of entities. Hence, the NextEra
approach provides a clear definition of sabotage, as well as the process for
determining and reporting sabotage. New Definition for Sabotage. Attempted or
Actual Sabotage: an intentional act that attempts to or does destroy or damage BES
equipment for the purpose of disrupting the operations of BES equipment, or the
BES, and has a potential to materially threaten or impact the reliability of one or
more BES systems (i.e., one act of sabotage on BES equipment is only reportable if it
is determined to be part of a larger conspiracy to threaten the reliability of the
Interconnection or more than one BES system).
Response: The SDT thanks you for your comment. The SDT has stated in our “Consideration of Issues and Directives – March 15,
2012” that was posted with the last posting:
The SDT has not proposed a definition for inclusion in the NERC Glossary because it is impractical to define every event that
should be reported without listing them in the definition. Attachment 1 is the de facto definition of “event”. The SDT considered
the FERC directive to “further define sabotage” and decided to eliminate the term sabotage from the standard. The team felt that
without the intervention of law enforcement after the fact, it was almost impossible to determine if an act or event was that of
sabotage or merely vandalism. The term “sabotage” is no longer included in the standard and therefore it is inappropriate to
attempt to define it. The events listed in Attachment 1 provide guidance for reporting both actual events as well as events which
may have an impact on the Bulk Electric System. The SDT believes that this is an equally effective and efficient means of
addressing the FERC Directive.
The SDT has discussed this with FERC Staff and we agree that sabotage could be a state of mind; and, therefore, the real issue:
Was there an event or not?
ISO New England Inc
No
Response: The SDT thanks you for your participation.
Nebraska Public Power District
No
1. The following comments are in regard to Attachment 1: A. The row [Event] titled
“Damage or destruction of Facility”: 1. In column 3 [Threshold for Reporting], the
word “Affect” is vague; note the following concerns: i. Does “Affect” include a broken
crossarm damaged without the Facility relaying out of service? This could be
considered to have an “Affect” on the IROL. ii. Would the answer be different if the
line relayed out of service and auto-reclosed (short interruption) for the same
damaged crossarm? We need clarity from the SDT in order to know when a report is
due.
2. For clarification: Who initiates the report when the IROL interface spans
multiple entities? We know of an IROL that has no less than four entities that operate
Facilities within the interface. Who initiates the report if the IROL is affected? All?
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours; this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
B. The row [Event] titled “Any physical threat that could impact the operability of a
Facility”: 1. In Column 1 [Event] change the word “threat” to “attack”, this aligns with
the OE-417 report. 2. In Column 3 [Threshold for Reporting], align the threshold with
the OE-417 form.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
C. The row [Event] titled “Transmission loss”, in column 3 [Threshold for Reporting],
the defined term “Transmission Facilities” is too vague. There needs to be more
description such that an entity clearly understands when an event is reportable and
for what equipment. We would recommend the definition used in the Event
Reporting Field Trial: An unexpected outage, contrary to design, of three or more BES
elements caused by a common disturbance. Excluding successful automatic
reclosing. For example: a. The loss of a combination of NERC-defined Facilities. b. The
loss of an entire generation station of three or more generators (aggregate
generation of 500 MW to 1,999 MW); combined cycle units are represented as one
unit.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
D. The row [Event] titled “Complete or partial loss of monitoring”: 1. In column 1
[Event], delete the words “or partial”. This is subjective without definition, delete. 2.
Also in column 1 [Event], delete the word “monitoring” and replace with Supervisory
Control and Data Acquisition (SCADA). SCADA is a defined term that explicitly calls out
in the definition “monitoring and control” and is understood by the industry as such.
3. In column 2 [Entity with Reporting Responsibility], delete the words “or partial”;
also delete the word “monitoring” and replace with SCADA. 4. In column 3 [Threshold
for Reporting], reword to state “Complete loss of SCADA affecting a BES control
center for >/= 30 continuous minutes”.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
GTC
No
Page 17 & 18, One Hour Reporting and Twenty-four Hour Reporting: append the
introductory statements with the following: “meeting the threshold for reporting”
after recognition of the event. Example: Submit EOP-004 Attachment 2 or DOE-OE-417
report to the parties identified pursuant to Requirement R1, Part 1.2 within
twenty-four hours of recognition of the event meeting the threshold for reporting.
Page 19, system separation (islanding); Clarify the intent of this threshold for
reporting: Load >= 100 MW and any generation; or Load >= 100 MW and Generation
>= 100 MW, or some combination of load and generation totaling 100 MW.
Response: The SDT thanks you for your comment. The SDT has chosen not to add the requested language as we believe the intent is
understood that the time frame means from “meeting the threshold for reporting.” The SDT has revised the language regarding
islanding and we believe it addresses your concern.
Indiana Municipal Power
Agency
No
The event "any physical threat that could impact the operability of a Facility" is not
measurable and can be interpreted many ways by entities or auditors. IMPA
recommends incorporating language that lets this be the judgment of the registered
entity only.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
On the "voltage deviation on a Facility", IMPA recommends that only the TOP that
experiences a voltage deviation be the one responsible for reporting.
The SDT has made this change per comments received from the industry.
For generation loss and transmission loss, IMPA believes that the amount of loss
needs to be associated with a time period or event (concurrent forced outages).
Response: The SDT thanks you for your comment.
Idaho Power Co.
No
I think that the category “Damage or destruction of a Facility” is too ambiguous, and
the Threshold for Reporting criteria does not help to clarify the question. Any loss of
a facility may result in the need for actions to get to the new operating point, would
this be a reportable disturbance?
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Response: The SDT thanks you for your comment.
MISO
No
American Public Power
Association
No
APPA in our comments on the previous draft of EOP-004-2 requested relief for small
entities from this reporting/documentation standard. APPA suggested setting a 300
MW threshold for some of the criteria in Attachment 1. This suggestion was not
accepted by the SDT. However, the SDT is still directed by FERC to “consider whether
separate, less burdensome requirements for smaller entities may be appropriate.”
Therefore, APPA requests that the SDT provide relief to small entities by providing
separate requirements for small entities by requiring reporting only when one of the
four criteria in DOE-OE-417 are met: 1. Actual physical attack, 2. Actual cyber attack,
3. Complete operational failure, or 4. Electrical System Separation. APPA
recommends this information should be reported to the small entity’s BA as allowed
in the DOE-OE-417 joint filing process.
Response: The SDT thanks you for your comment. The SDT has taken your concerns into consideration (as directed by FERC) and
believes that “small entities” will most likely not meet the thresholds for reporting since items are predicated on “Facilities” or
they don’t meet the Threshold for reporting.
Brazos Electric Power
Cooperative
No
Please see the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. Please review the response to those comments.
Puget Sound Energy, Inc.
No
The Note at the beginning of Attachment 1 references notifying parties per
Requirement R1; however, notification occurs in conjunction with Requirement
R2. The term “Adverse Reliability Impact” is used in the threshold section of the event
“Damage or destruction of a Facility”. At this time, there are two definitions for that
term in the NERC Glossary. The FERC-approved definition for this term is “The impact
of an event that results in frequency-related instability; unplanned tripping of load or
generation; or uncontrolled separation or cascading outages that affects a
widespread area of the Interconnection.” If the drafting team instead means to use
the definition that NERC approved on 8/4/2011 (as seems likely, since that definition
more closely aligns with the severity level indicated by the other two threshold
statements) then the definition should be included in the Implementation Plan as a
prerequisite approval.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
In addition, would the threshold of “Results from actual or suspected intentional
human action” include results from actual intentional human action which produced
an accidental result, meaning, someone was intentionally doing some authorized
action but unintentionally made a mistake, leading to damage of a facility? The event
“Any physical threat that could impact the operability of a Facility” will require
reporting for many events that have little or no significance to reliable operation of
the Bulk Electric System. For example, a balloon lodged in a 115 kV transmission line
is a “physical threat” that could definitely “impact the operability” of that Facility and,
yet, will probably have little reliability impact. So, too, could a car-pole accident that
causes a pole to lean, a leaning tree, or an unfortunately-located bird’s nest. The
drafting team should develop appropriate threshold language so that reporting is
required only for events that do threaten the reliability of the Bulk Electric System.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
With respect to the event “Unplanned control center evacuation”, the standard
drafting team should include the term “complete” in the description and/or threshold
statement to avoid having partial evacuations trigger the need to report.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unplanned evacuation from BES control center facility for 30 continuous minutes
or more.” The SDT does not believe the word “complete” needs to be added.
Response: The SDT thanks you for your comment.
Central Lincoln
No
1) We appreciate the changes made to reduce the short time reporting requirements.
The SDT has removed the one-hour reporting time frame, and all events are to be
reported within 24 hours of recognition of the event.
2) We would like to point out that the 24 hour reporting threshold for “Damage or
destruction of a Facility” resulting from intentional human action will still be nonproportional BES risk for certain events. The discovery of a gunshot 115 kV insulator
will start the 24 hour clock running, no matter how busy the discoverer is performing
restoration or other duties that are more important. The damage may have been
done a year earlier, but upon discovery the report suddenly becomes the priority
task. To hit the insulator, the shooter likely had to take aim and pull the trigger, so
intent is at least suspected if not actual. And the voltage level ensures the insulator is
part of a Facility.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per R1) the situational awareness that they suspect that their Facility was damaged
or destroyed by intentional human action. The SDT envisions that entities could
further define what a suspected intentional human action is within their Operating
Plan.
3) We also note that the theft of in service copper is not a physical threat, it is actual
damage. The reference to Footnote 1 should be relocated or copied to the cell above
the one it resides in now.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
4) We support the APPA comments regarding small entities.
The SDT has taken your concerns into consideration (as directed by FERC) and
believes that “small entities” will most likely not meet the thresholds for reporting
since items are predicated on “Facilities.”
Response: The SDT thanks you for your comment.
Los Angeles Department of
Water and Power
No
LADWP has the following comments: #1 - “Any physical threat that could impact the
operability of a Facility” is still vague and “operability” is too low a threshold. There
needs to be a potential impact to BES reliability.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
#2 - “Voltage Deviation on a Facility” I think the threshold definition needs to be
more specific: Is it 10% from nominal? 10% from normal min/max operating
tables/schedules? Another entity's 10% might be different than mine.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
#3 - “Transmission Loss” The threshold of three facilities is still too vague. A generator
and a transformer and a gen-tie are likely to have overlapping zones of protection
that could routinely take out all three. The prospect of penalties would likely cause
unneeded reporting.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
Response: The SDT thanks you for your comment.
Deseret Power
No
The threshold for reporting is way too low. A gun shot insulator is not an act of
terrorism... vandalism yes... and a car hit pole would be reportable on a 138 kV line.
These seem to be too aggressive in reporting.
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Physical threat to its Facility excluding weather related threat, which has the potential to degrade the normal operation of the
Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has the potential to degrade a Facility’s normal
operation or a suspicious device or activity is discovered at a Facility, it is required to be reported within 24 hours, this will give the
ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness that the Facility has a potential
of not being able to operate as it is designed. The SDT also states that copper theft is not a reportable event unless it degrades the
normal operation of a Facility.
Kansas City Power & Light
No
For the event, “Damage or destruction of a Facility”, the “Threshold for reporting”
includes “Results from actual or suspected intentional human action”. This is too
broad and could include events such as damage to equipment resulting from stealing
copper or wire which has no intentional motivation to disrupt the reliability of the
bulk electric system. Reports of this type to law enforcement and governmental
agencies will quickly appear as noise and begin to be treated as noise. This may
result in overlooking a report that deserves attention. Recommend the drafting team
consider making this threshold conditional on the judgment by the entity on the
human action intended to be a potential threat to the reliability of the bulk electric
system. For the event, “Any physical threat that could impact the operability of a
Facility”, the same comment as above applies. The footnote states to include copper
theft if the Facility operation is impacted. Again, it is recommended to make a report
of this nature conditional on the judgment of the entity on the intent to be a
potential threat to the reliability of the bulk electric system.
Response: The SDT thanks you for your comment. The SDT has updated Damage or destruction of a facility into 2 different
thresholds:
The SDT removed all language under “Entity with Reporting Responsibility,” with the exception of entity(s) that are required to
report an applicable event. The SDT removed this language so the entities within this column are clearly stated and identified.
Under the “Threshold for Reporting” column, a bright line was updated based on currently enforced Reliability Standards, FERC
directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness
that the electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours, this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
Dominion
Yes
Comments: While Dominion agrees that the revisions are a much appreciated
improvement, we are concerned that Attachment 1 does not explicitly contain the
‘entities which must be, at a minimum, notified.’
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified.
Attachment 2 appears to indicate that only the ERO and the Reliability Coordinator
for the Entity with Reporting Responsibility need be informed. However, the
background section indicates that the Entity with Reporting Responsibility is also
expected to contact local law enforcement. We therefore suggest that Attachment 2
be modified to include local law enforcement.
The SDT has adapted the language in Attachment 2 along the lines of your concern.
Page 26 redline; Attachment 1; Event - Damage or destruction of a Facility; Threshold
for Reporting - Results from actual or suspected intentional human action; Dominion
is concerned with the ambiguity that this could be interpreted as applying to
distribution. Page 27 redline; Attachment 1; Event - Any physical threat that could
impact the operability of a Facility; Dominion is concerned the word “could” is
hypothetical and therefore unverifiable and un-auditable.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
The SDT could provide a list of hypothetical “could impact” events, as well as a
specific definition and method for determining a specific physical impact threshold
for “could impact” events other than “any.”
The SDT cannot provide a list of hypothetical events, but will remind the entity that
the Operating Plan that is required per Requirement R1 could contain a basis to
report concerning your unique system equipment or configuration of your system.
Response: The SDT thanks you for your comment.
Seattle City Light
Yes
This is a great improvement over the prior CIP and EOP versions. However, please
see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Avista
Yes
In general the SDT has made significant improvements to Attachment 1. Avista does
have a suggestion to further improve Attachment 1. In Attachment 1 under the 24
hour Reporting Matrix, the second event states "Any physical threat that could
impact the operability of a Facility" and the Threshold for Reporting states "Threat to
a Facility excluding weather related threats". This is extremely open ended. We
suggest adding the following language to the Threshold for Reporting for Any Physical
Threat: Threat to a facility that: Could affect an IROL (per FAC-014) OR Could result in
the need for actions to avoid an Adverse Reliability Impact. This new language would
be consistent with the reporting threshold for a Damage event.
Response: The SDT thanks you for your comment. The SDT has updated Damage or destruction of a facility into 2 different
thresholds:
The SDT removed all language under “Entity with Reporting Responsibility,” with the exception of entity(s) that are required to
report an applicable event. The SDT removed this language so the entities within this column are clearly stated and identified.
Under the “Threshold for Reporting” column, a bright line was updated based on currently enforced Reliability Standards, FERC
directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness
that the electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours, this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
PNGC Comment Group
Yes
We agree with reservations. Our comments are below and we are seeking
clarification of the Applicability section of the standard. We are voting "no" but if
slight changes are made to the applicability section we will change our votes to "yes".
NERC and FERC have expressed a willingness to address the compliance burden on
smaller entities that pose minimal risk to the Bulk Electric System. The PNGC
Comment Group understands the SDT’s intent to categorize reportable events and
achieve an Adequate Level of Reliability while also understanding the costs
associated. Given the changes made by the SDT to Attachment 1, we believe you
have gone a long way in alleviating the potential for needless reporting from small
entities that does not support reliability.
The SDT has taken your concerns into consideration (as directed by FERC) and
believes that “small entities” will most likely not meet the thresholds for reporting
since items are predicated on “Facilities.”
One remaining concern we have is the potential reporting requirements in the Event
types; “Damage or destruction of a Facility” and “Any physical threat that could
impact the operability of a Facility”. These two event types have the following
threshold language; “Results from actual or suspected intentional human action” and
“Threat to a Facility excluding weather related threats” respectively. We believe
these two thresholds could lead to very small entities filing reports for events that
really are not a threat to the BES or Reliability.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Note: For vandalism, sabotage or suspected terrorism, even the smallest entities will
file a police report and at that point local law enforcement will follow their terrorism
reporting procedures if necessary, as you’ve rightly indicated in your “Law
Enforcement Reporting” section. We believe extraneous reporting could be
alleviated with a small tweak to the Applicability section for 4.1.9 to exclude the
smallest Distribution Providers. As stated before, even if these very small entities are
excluded from filing reports under EOP-004-2, threats to Facilities that they may have
will still be reported to local law enforcement while not cluttering up the NERC/DOE
reporting process for real threats to the BES. Our suggested change: 4.1.9.
Distribution Provider: with peak load >= 200 MWs. The PNGC Comment Group
arrived at the 200 MWs threshold after reviewing Attachment 1, Event “Loss of firm
load for >= 15 Minutes”. We agree with the SDT’s intent to exclude these small firm
load losses from reporting through EOP-004-2. Another approach we could support is
that taken by the Project 2008-06 SDT with respect to Distribution Provider
Facilities: 4.2.2 Distribution Provider: One or more of the Systems or programs
designed, installed, and operated for the protection or restoration of the BES:
The SDT has discussed this very issue and would like to point out that the Threshold
for Reporting limits are the same as in the enforceable Reliability Standard, EOP-004-1. The SDT believes that small entities (200 MW or less) would not be applicable
to this event. The SDT has attempted to place these types of limits to reduce small
entities from having these applicable reporting requirements.
o A UFLS or UVLS System that is part of a Load shedding program required by a NERC
or Regional Reliability Standard and that performs automatic Load shedding under a
common control system, without human operator initiation, of 300 MW or more
o A Special Protection System or Remedial Action Scheme where the Special
Protection System or Remedial Action Scheme is required by a NERC or Regional
Reliability Standard
o A Protection System that applies to Transmission where the
Protection System is required by a NERC or Regional Reliability Standard
o Each Cranking Path and group of Elements meeting the initial switching requirements from
a Blackstart Resource up to and including the first interconnection point of the
starting station service of the next generation unit(s) to be started.
We’re not advocating this exact language but rather the approach that narrows the focus to
what is truly impactful to reliability while minimizing costs and needless compliance
burden. One last issue we have is with the language in Attachment 1, Event “BES
Emergency resulting in automatic firm load shedding.” Under “Entity with Reporting
Responsibility”, you state that the DP or TOP that “implements” automatic load
shedding of >= 100 MWs must report (Also please review the CIP threshold of 300
MWs as this may be a more appropriate threshold). We believe rather than
specifying a DP or TOP report, it would be appropriate for the UFLS Program Owner
to file the report per EOP-004-2. In our situation we have DPs that own UFLS relays
that are part of the TOP’s program and this could lead to confusing reporting
requirements. Also we don’t believe that an entity can “Implement” “Automatic”
load shedding but this is purely a semantic issue.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Response: The SDT thanks you for your comment.
United Illuminating Company
Yes
The phrasing of the event labeled as Event Damage or Destruction of a Facility may
be improved in the Threshold for Reporting Column. Suggest the introduction
sentence for this event should be phrased as Where the Damage or Destruction of a
Facility: etc. The rationale for the change is that as written it is unclear if the list that
follows is meant to modify the word Facilities or the overall introductory sentence.
The confusion being caused by the word That. What is important to be reported is if
a Facility is damaged and then an IROL is affected it should be reported, not that if a
Facility is comprising an IROL Facility is damaged but there is no impact on the IROL.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing
Authority Area or Transmission Operator Area that results in the need for actions to
avoid a BES Emergency.
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Second, at the top of each table is the phrase Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties identified pursuant to Requirement R1, Part 1.2 within one
hour of recognition of the event. This creates the requirement that the actual form is
required to be transmitted to parties other than NERC/DOE. The suggested revision
is Submit EOP-004 Attachment 2 or DOE-OE-417 report to NERC and/or DOE, and
complete notification to other organizations identified pursuant to Requirement R1
Part 1.2 within one hour etc.
The SDT has revised Attachment 2 heading to read “Use this form to report events.
The Electric Reliability Organization will accept the DOE OE-417 form in lieu of this
form if the entity is required to submit an OE-417 report. Submit reports to the
ERO via one of the following: e-mail: systemawareness@nerc.net voice: 404-446-9780.” Based on industry comments.
Response: The SDT thanks you for your comment.
Ingleside Cogeneration LP
Yes
Ingleside Cogeneration LP agrees with the removal of nearly all one hour reporting
requirements. In our view there must be a valid contribution expected of the
recipients of any reporting that takes place this early in the process. Any nonessential communications will impede the progress of the front-line personnel
attempting to resolve the issue at hand - which has to be the priority. Secondly,
there is a risk that early reporting may include some speculation of the cause, which
may be found to be incorrect as more information becomes available. Recipients
must temper their reactions to account for this uncertainty. In fact, Ingleside
Cogeneration LP recommends that the single remaining one-hour reporting scenario
be eliminated. It essentially defers the reporting of a cyber security incident to CIP-008 anyways, and may even lead to a multiple violation of both Standards if
exceeded.
Response: The SDT thanks you for your comment. The SDT agrees and has removed the one-hour reporting requirement based on
comments received.
Springfield Utility Board
Yes
o Spell out Requirement 1, rather than “parties per R1” in NOTE.
o On page 44, “Examples of such events include” should say, “include, but are not limited to”.
o SUB appreciates clarification regarding events, particularly the discussion regarding
“sabotage”, and recommends listing and defining “Event” in Definitions and Terms
Used in NERC Standards.
The SDT stated in its “Consideration of Issues and Directives – March 15, 2012,”
which was posted with the last posting:
The SDT has not proposed a definition for inclusion in the NERC Glossary because it
is impractical to define every event that should be reported without listing them in
the definition. Attachment 1 is the de facto definition of “event.” The SDT
considered the FERC directive to “further define sabotage” and decided to
eliminate the term sabotage from the standard. The team felt that without the
intervention of law enforcement after the fact, it was almost impossible to
determine if an act or event was that of sabotage or merely vandalism. The term
“sabotage” is no longer included in the standard and therefore it is inappropriate to
attempt to define it. The events listed in Attachment 1 provide guidance for
reporting both actual events as well as events which may have an impact on the
Bulk Electric System. The SDT believes that this is an equally effective and efficient
means of addressing the FERC Directive.
The SDT has discussed this with FERC Staff and we agree that sabotage could be a
state of mind and therefore the real issue was whether there was an event or not.
o The Guideline and Technical Basis provides clarity, and SUB agrees with the removal
of “NERC Guideline: Threat and Incident Reporting”.
o In the flow chart on page 9 there are parallel paths going from “Refer to Ops Plan
for Reporting” to the ‘Report Event to ERO, Reliability Coordinator’ via both the Yes
and No response. It seems like the yes/no decision should follow after “Refer to Ops
Plan” for communication to law enforcement.
The SDT has offered the flowchart as an example of how an entity could handle the
notification to law enforcement agencies. There is no requirement to follow the
flowchart. Entities are free to develop their own procedures based upon their
needs to report.
Response: The SDT thanks you for your comment.
PPL Electric Utilities
Yes
PPL EU thanks the SDT for the changes made in this latest proposal. We feel our prior
comments were addressed. Regarding the event 'Transmission Loss': For your
consideration, please consider adding a footnote to the event ‘Transmission Loss’
such that weather events do not need to be reported. Also please consider including
'operation contrary to design' in the threshold language. E.g. consistent with the
NERC Event Analysis table, the threshold would be, ‘Unintentional loss, contrary to
design, of three or more BES Transmission Facilities.’
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a common disturbance (excluding successful
automatic reclosing).”
Tacoma Power
Yes
Tacoma Power supports the revisions. It appears that all agencies and entities are
willing to support the use of the DOE Form OE-417 as the initial notification form
(although EOP-004 does include their own reporting form as an attachment to the
Standard). Tacoma is already using the OE-417 and distributing it to all applicable
Entities and Agencies.
Response: The SDT thanks you for your comment.
Seattle City Light
Yes
This is a great improvement over the prior CIP and EOP versions. However, please
see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
MEAG Power
Yes
This is a great improvement over the prior CIP and EOP versions. However, please
see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Public Utility District No. 1 of
Snohomish County
This is an excellent improvement over the prior CIP and EOP versions. However,
please see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Imperial Irrigation District (IID)
Yes
Colorado Springs Utilities
Yes
Arizona Public Service
Company
Yes
Utility Services
Yes
Dynegy Inc.
Yes
Manitoba Hydro
Yes
City of Austin dba Austin
Energy
Yes
Entergy
Yes
Pepco Holdings Inc
Yes
Independent Electricity
System Operator
Yes
Cowlitz County PUD
Yes
Edison Mission Marketing &
Trading, Inc.
Yes
Exelon Corporation and its
affiliates
Yes
ERCOT
Yes
Oncor Electric Delivery
Yes
3. The SDT has proposed a new Section 812 to be incorporated into the NERC Rules of Procedure. Do you agree with the proposed
addition? If not, please explain in the comment area below.
Summary Consideration: The DSR SDT proposed a revision to the NERC Rules of Procedure (Section 812). The SDT has learned that
NERC has started a new effort to forward event reports to applicable government authorities. As such, Section 812 is no longer
needed and will be removed from this project.
Organization
Yes or No
Question 3 Comment
Northeast Power Coordinating
Council
No
The proposed new section does not contain specifics of the proposed system nor the
interfacing outside of the system to support the report collecting.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event
reports to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
SPP Standards Review Group
No
We have two concerns about the proposed change to the RoP. One, we have
concerns that our information and data will be circulated to an as yet undetermined
audience which appears to be solely under NERC’s control. Secondly, there isn’t
sufficient detail in the clearinghouse concept to support comments at this time.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event
reports to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
ISO/RTO Standards Review
Committee
No
The SRC offers comments regarding the posted draft requirements; however, by so
doing, the SRC does not indicate support of the proposed requirements. Following
these comments, please see the latter part of the SRC’s response to Question 4 below
for an SRC proposed alternative approach: The SRC is unable to comment on the
proposed new section as the section does not contain any description of the
proposed process or the interface requirements to support the report collecting
system. We reserve judgment on this proposal and our right to comment on the
proposal when the proposed addition is posted.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event
reports to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
ACES Power Marketing
Standards Collaborators
No
(1) It is not clear to us what is driving the need for the Rules of Procedure
proposal. NERC is already collecting event and disturbance reports without
memorializing the change in the Rules of Procedure. (2) The language potentially
conflicts with other subsections in Section 800. For instance, the proposal says that
the system will apply to collect report forms “for this section”. This section would
refer to Section 800. Section 800 covers NERC alerts and GADS. Electronic GADS
(eGADS) already has been established to collect GADS data? Will this section cause
NERC to have to incorporate eGADS into this report collection system? Incorporating
NERC Alerts is also problematic because when reports are required as a result of a
NERC alert, the report must be submitted through the NERC Alert system. (3) The
statement that “a system to collect report forms as established for this section or
standard” causes additional confusion regarding to which standards it applies. Does
it only apply to this new EOP-004-2 or to all standards? If it applies to all standards,
does this create a potential issue for CIP-008-3 R1.3 which requires reporting to the
ES-ISAC and not this clearinghouse?
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Seattle City Light
No
Seattle City Light follows MEAG and believes this type of activity and process is better
suited to NAESBE than it is to NERC Compliance.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Hydro One
No
The proposed new section does not contain specifics of the proposed system nor the
interfacing outside of the system to support the report collecting.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
CenterPoint Energy
No
CenterPoint Energy does not agree with the SDT’s proposed section 812. The
proposal for NERC to establish a system that will “...forward the report to the
appropriate NERC departments, applicable regional entities, other designated
registered entities, and to appropriate governmental, law enforcement, regulatory
agencies as necessary. This can include state, federal, and provincial organizations.” is
redundant with the draft Standard. Responsible entities are already required to
report applicable events to NERC, applicable regional entities, registered entities, and
appropriate governmental, law enforcement, and regulatory agencies. CenterPoint
Energy believes if the SDT’s intent is to require NERC to distribute these system event
reports, then EOP-004-2 should be revised to require responsible entities to only
report the event to NERC. As far as distribution to appropriate NERC departments,
CenterPoint Energy believes that is an internal NERC matter and does not need to be
included in the Rules of Procedure.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Arkansas Electric Cooperative
Corporation
No
AECC supports the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
National Rural Electric
Cooperative Association
(NRECA)
No
NRECA is concerned with the drafting team's proposal to add a new Section 812 to
the NERC ROP. NRECA does not see the need for the drafting team to make such a
proposal as it relates to the new EOP-004 that the drafting team is working on. The
requirements in the draft standard clearly require what is necessary for this Event
Reporting standard. NRECA requests that the drafting team withdraw its proposed
ROP Section 812 from consideration. The proposed language is unclear to the point
of not being able to understand who is being required to do what. Further, the
language is styled in more of a proposal, and not in the style of what would
appropriately be included in the NERC ROP. Finally, the SDT has not adequately
supported the need for such a modification to the NERC ROP. Without that support,
NRECA is not able to agree with the need for this addition to the ROP. Again, NRECA
requests that the drafting team withdraw its proposed ROP Section 812 from
consideration.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Occidental Power Services,
Inc.
No
This section should reference the confidentiality requirements in the ROP and should
have a statement about the system for collection and dissemination of disturbance
reports being “subject to the confidentiality requirements of the NERC ROP.”
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Pepco Holdings Inc
No
This could create confusion. This new ROP section states that “... the system shall then
forward the report to the appropriate NERC departments, applicable regional
entities, other designated registered entities, and to appropriate governmental, law
enforcement, regulatory agencies as necessary.” Standard Section R1.2 states “A
process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1
to the Electric Reliability Organization and other organizations needed for the event
type; i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement, governmental or provincial agencies.” If NERC is going
to be the “clearinghouse” forwarding reports to the RE and DOE, does that mean that
the reporting entity only needs to make a single submission to NERC for distribution?
If the reporting entity is required to make all notifications, per R1.2, what is the
purpose of NERC’s duplication of sending out reports? It would be very helpful to the
reporting entities if R1.2 was revised to state that NERC would forward the event
form to the RE and DOE and the reporting entity would only be responsible for
providing notice verbally to its associated BA, TOP, RC, etc. as appropriate and for
notifying appropriate law enforcement as required.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Independent Electricity
System Operator
No
We are unable to comment on the proposed new section as the section does not
contain any description of the proposed process or the interface requirements to
support the report collecting system. We reserve judgment on this proposal and our
right to comment on the proposal when the proposed addition is posted.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
MidAmerican Energy
No
See the NSRF comments. The NERC Rules of Procedure Section 807 already
addresses the dissemination of Disturbance data, as does Appendix 8 Phase 1 with
the activation of NERC’s crisis communication plan, and the ESISAC Concept of
Operations. The addition of proposed Section 812 is not necessary. The Reliability
Coordinator, through the use of the RCIS, would disseminate reliability notifications if
it is in turn notified per R1.2. (As stated in the Clean copy of EOP-004-2)
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Public Utility District No. 1 of
Snohomish County
No
This type of activity and process is better suited to NAESBE than it is to NERC
Compliance.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Illinois Municipal Electric
Agency
No
Illinois Municipal Electric Agency supports comments submitted by ATC.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
American Transmission
Company, LLC
No
ATC believes that the NERC Rules of Procedure Section 807 already addresses the
dissemination of Disturbance data, as does Appendix 8 Phase 1 with the activation of
NERC’s crisis communication plan, and the ESISAC Concept of Operations. The
addition of proposed Section 812 is not necessary. The Reliability Coordinator,
through the use of the RCIS, would disseminate reliability notifications if it is in turn
notified per R1.2. (As stated in the Clean copy of EOP-004-2)
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Ameren
No
If the SDT keeps new Section 812 we suggest to the SDT a wording change for the
second sentence, underlined: “Upon receipt of the submitted report, the system shall
then forward the report to the appropriate NERC department for review. After
review, the report will be forwarded to the applicable regional entities, other
designated registered entities, and to appropriate governmental, law enforcement,
regulatory agencies as necessary.”
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
We Energies
No
Section 812 refers to the section as a standard and as a Procedure. That is not
correct. Section 812 reads to me as if NERC (the system) will be forwarding everything
specified anywhere in RoP 800.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Exelon Corporation and its
affiliates
No
While we don’t have any immediate objection to revising the Rules of Procedures
(ROP) to allow for report collecting under Section 800 relative to the EOP-004
standard, the proposed language is unclear and confusing. Please consider the
following revision: "812. NERC Reporting Clearinghouse NERC will establish a system
to collect reporting forms as required for Section 800 or per FERC approved standards
from any Registered Entities. NERC shall distribute the reports to the appropriate
governmental, law enforcement, regulatory agencies as required per Section 800 or
the applicable standard." Further, NERC should post ROP revisions along with a
discussion justifying the revision for industry comment specific to the ROP. There
may be significant implications to this revision beyond the efforts relative to EOP-004.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Tacoma Power
No
Tacoma Power disagrees with the requirement to perform annual testing of each
communication plan. We do not see any added value in performing annual testing of
each communication plan. There are already other Standard requirements to
perform routine testing of communications equipment and emergency
communications with other agencies. The “proof of compliance” to the Standard
should be in the documentation of the reports filed for any qualifying event, within
the specified timelines and logs or phone records that it was communicated per each
specified communication plan.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Seattle City Light
No
Seattle City Light follows MEAG and believes this type of activity and process is better
suited to NAESBE than it is to NERC Compliance.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
MEAG Power
No
This type of activity and process is better suited to NAESBE than it is to NERC
Compliance.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
ERCOT
No
ERCOT has joined the IRC comments on this project.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Idaho Power Co.
No
No opinion
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
MISO
No
MISO agrees with and adopts the Comments of the IRC on this issue.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Brazos Electric Power
Cooperative
No
Please see the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Kansas City Power & Light
No
Rules stipulating the extent of how reported information will be treated by NERC is
an important consideration, however, the proposed section 812 proposes to provide
reports to other governmental agencies and regulatory bodies beyond that of NERC
and FERC. NERC should be treating the event information reported to NERC as
confidential and should not take it upon itself to distribute such information beyond
the boundaries of the national interest at NERC and FERC.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Dominion
Yes
While Dominion supports this addition, we suggest adding to the sentence “NERC will
establish a system to collect report forms as established for this section or reliability
standard.....”
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
MRO NSRF
Yes
ATC believes that the NERC Rules of Procedure Section 807 already addresses the
dissemination of Disturbance data, as does Appendix 8 Phase 1 with the activation of
NERC’s crisis communication plan, and the ESISAC Concept of Operations. The
addition of proposed Section 812 is not necessary. The Reliability Coordinator,
through the use of the RCIS, would disseminate reliability notifications if it is in turn
notified per R1.2. (As stated in the Clean copy of EOP-004-2)
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Ingleside Cogeneration LP
Yes
Ingleside Cogeneration is encouraged by NERC’s willingness to act as central data
gathering point for event information. However, we see this only as a starting point.
There are still multiple internal and external reporting demands that are similar to
those captured in EOP-004-2 - examples include the DOE, RAPA (misoperations),
EAWG (events analysis), and ES-ISAC (cyber security). Although we appreciate the
difference in reporting needs expressed by each of these organizations, there are
very powerful reporting applications available which capture a basic set of data and
publish them in multiple desirable formats. We ask that NERC spearhead this
initiative - as it is a natural part of the ERO function.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
American Electric Power
Yes
While we have no objections at this point, we would like specific details on what our
obligations would be as a result of these changes. For example, would the
clearinghouse tool provide verifications that the report(s) had been received as well
as forwarded? In addition, if DOE OE-417 is the form being submitted, would the
NERC Reporting Clearinghouse forward that report to the DOE?
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Springfield Utility Board
Yes
o SUB supports the new Section 812 being incorporated into the NERC ROP. This
addition provides clarity for what is required by whom and takes away any possible
ambiguity.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
FirstEnergy Corp
Yes
FE agrees but asks that the defined term “registered entities” in the second sentence
be capitalized.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
GTC
Yes
With the exception of the RC and company personnel, it appears this proposed
section captures the same reporting obligations and to the same entities via R1.2.
Recommend adjustments to R1.2 such that reportable events are submitted to NERC,
RC, and company personnel.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Central Lincoln
Yes
Thank you for minimizing the number of necessary reports.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Xcel Energy
We believe such a tool would be useful, however we are indifferent as to if it is
required to be established by the Rules of Procedure.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
ISO New England Inc
We are unable to comment on the proposed new section as the section does not contain
any description of the proposed process or the interface requirements to support the
report collecting system. We reserve judgment on this proposal and our right to
comment on the proposal when the proposed addition is posted.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Indiana Municipal Power
Agency
no comment
Los Angeles Department of
Water and Power
LADWP does not have a comment on this question at this time
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
DECo
Yes
Duke Energy
Yes
Luminant
Yes
Bonneville Power
Administration
Yes
Imperial Irrigation District (IID)
Yes
Florida Municipal Power
Agency
Yes
LG&E and KU Services
Yes
PPL Corporation NERC
Registered Affiliates
Yes
PNGC Comment Group
Yes
Colorado Springs Utilities
Yes
Arizona Public Service
Company
Yes
Southern Company Services
Yes
Utility Services
Yes
Georgia System Operations
Corporation
Yes
Manitoba Hydro
Yes
Clark Public Utilities
Yes
New York Power Authority
Yes
Consolidated Edison Co. of NY,
Inc.
Yes
Orange and Rockland Utilities,
Inc.
Yes
Farmington Electric Utility
System
Yes
Public Service Enterprise
Group
Yes
PPL Electric Utilities
Yes
Cowlitz County PUD
Yes
Edison Mission Marketing &
Trading, Inc.
Yes
American Public Power
Association
Yes
Oncor Electric Delivery
Yes
Deseret Power
Yes
4. Do you have any other comment, not expressed in the questions above, for the SDT?
Summary Consideration: The DSR SDT received several suggestions for improvement to the standard. The DSR SDT has removed
reporting of Cyber Security Incidents from EOP-004 and has asked the team developing CIP-008-5 to retain this reporting. Most of
the language contained in the “Background” Section was moved to the “Guidelines and Technical Basis” Section. Minor language
changes were made to the measures and the data retention section. Attachment 2 was revised to list events in the same order in
which they appear in Attachment 1.
Organization
Yes or No
Question 4 Comment
Texas Reliability Entity
(1) The ERO and Regional Entities should not be included in the Applicability of this
standard. The only justification given for including them was they are required to
comply with CIP-008. CIP-008 contains its own reporting requirements, and no
additional reliability benefit is provided by including ERO and Regional Entities in
EOP-004. Furthermore, stated NERC policy is to avoid writing requirements that
apply to the ERO and Regional Entities, and we do not believe there is any sufficient
reason to deviate from that policy in this standard.
The SDT is revising the standard to not contain reporting for Cyber Security
Incidences. Under the revisions, CIP-008-3 and successive versions will retain the
reporting requirements. The Applicability section has been revised to address this
situation.
(2) Under Compliance, in section 1.1, all the words in “Compliance Enforcement
Authority” should be capitalized.
The SDT agrees and has adopted this suggestion.
(3) Under Evidence Retention, it is not sufficient to retain only the “date change
page” from prior versions of the Plan. It is not unduly burdensome for the entity to
retain all prior versions of its “event reporting Operating Plan” since the last audit,
and it should be required to do so. (What purpose is supposed to be served by
retaining only the “date change pages”?)
The SDT has revised the standard to require the retention of previous versions, not
just the date change page.
(4) The title of part F, “Interpretations,” is incorrect on page 23. Should perhaps be
“Associated Documents.”
The SDT has revised Part F and it now contains the Guidelines and Technical Basis.
Response: The SDT thanks you for your comment.
ACES Power Marketing
Standards Collaborators
(1) IC, TSP, TO, GO, and DP should be all removed from the applicability of the
standard. Previous versions of the standard did not apply to them and we see no
reason to expand applicability to them. IC and TSP are not even mentioned in any of
the “Entity with Reporting Responsibility” sections. For the sections that do not
mention specific entities, IC and TSP would have no responsibility for any of the
events. The TO and GO are not operating entities so the reporting should not apply
to them. DP was not included in any previous versions of CIP-001 or EOP-004. Any
information (such as load) that was necessary regarding DPs was always gathered by
the BA or TOP and included in their reports. There is no indication that this process
was not working and, therefore, it should not be changed. Furthermore, including
the DP potentially expands the standard outside of the Bulk Electric System which is
contrary to recent statements that NERC Legal has made at the April 11 and 12, 2012
SC meeting. Their comments indicated the standards are written for the Bulk Electric
System. What information does a DP have to report except load loss which can easily
be reported by the BA or TOP?
The SDT disagrees with some of your suggestions. As the standard is to report
events associated with physical assets, it is incumbent for the asset owners to file
the reports associated with any events. Thus DP, TO, and GO were added to the
Applicability of this standard. Their perspectives on events can be useful in
evaluating situational awareness and providing NERC with information on lessons
learned. Further, this standard limits reporting to BES Elements except where
noted. This is consistent with NERC and SC Standard Process design. Where this
standard had included other functional registrations associated with the inclusion
of CIP-008; those registrations have been removed from the standard.
(2) Measure M2 needs to clarify an attestation is an acceptable form of evidence if
there are no events.
Registered Entities must determine how to best demonstrate they have met the
performance obligation of a requirement. The use of an attestation statement is
already permitted and recognized with the NERC Compliance Program if that is the
best means of demonstrating your performance under the requirement. Auditors
will then assess whether or not an attestation meets the requirement in one's
audit. Attestations cannot be specifically permitted for use.
(3) The rationale box for R3 and R4 should be modified. It in essence states that
updating the event reporting Operating Plan and testing it will assure that the BES
remains secure. While these requirements might contribute to reliability, these two
requirements collectively will not assure BES security and stability.
The SDT has revised the rationale box language based upon the changes it has
made to the requirements. It should be noted that upon acceptance of the
standard, the language in the rationale boxes is removed from the standard.
(4) We disagree with the VSLs for Requirement R2. While the VSLs associated with
late reporting for a 24-hour reporting requirement include four VSLs, the one-hour
reporting requirement only includes three VSLs. There seems to be no justification
for this inconsistency. Four VSLs should be written for the one-hour reporting
requirement.
As the standard has been revised to remove the one-hour reporting provision, your
suggestion is moot.
(5) Reporting of reportable Cyber Security Incidents does not appear to be fully
coordinated with version 5 of the CIP standards. For instance, EOP-004-2 R1, Part 1.2
requires a process for reporting events to external entities and CIP-008-5 Part 1.5
requires identifying external groups to which to communicate Reportable Cyber
Security Incidents. Thus, it appears the Cyber Security Incident response plan in CIP-008-5 R1 and the event reporting Operating Plan in EOP-004-2 R1 will compel
duplication of external reporting at least in the document of the Operating Plan and
Reportable Cyber Security Incident response plan. This needs to be resolved.
While the SDT had worked this through with the other standard team to resolve
this concern; it is now irrelevant, as reporting of Cyber Security Incidences are no
longer part of EOP-004-2.
(6) In the effective date section of the implementation plan, the statement that the
prior version of the standard remains in effect until the new version is accepted by all
applicable regulatory authorities is not correct. In areas where regulatory approval is
required, it will only remain in effect in the areas where the regulator has not
approved it.
The SDT finds that the two statements are making the same point; that the new
standard does not become enforceable until all regulatory authorities have
approved it.
(7) On page 6 in the background section, the statement attributing RCIS reporting to
the TOP standards is not accurate. There is no requirement in the TOP standards to
report events across RCIS. In fact, the only mention of RCIS in the standards occurs in
EOP-002-3 and COM-001-1.1.
The SDT agrees and adopts your suggestion.
(8) On page 6 in the background section, the first sentence of the third paragraph is
not completely aligned with the purpose statement of the standard. The statement
in the background section indicates that the reliability objective “is to prevent
outages which could lead to Cascading by effectively reporting events”. However,
the purpose states that the goal is to improve reliability. We think it would make
more sense for the reliability objective to match the purpose statement more closely.
The SDT has revised the Background section to match the standard’s purpose
statement.
(9) On page 7 in the first paragraph, “industry facility” should be changed to
“Facility”.
The SDT agrees and adopts your suggestion.
Response: The SDT thanks you for your comment.
Seattle City Light
1) Seattle City Light follows MEAG and questions if these administrative activities
better should be sent over to NAESB? R1: There is merit in having a plan as identified
in R1, but is this a need to support reliability or is it a business practice? Should it be
in NAESB’s domain? R2, R3 & R4: These are not appropriate for a Standard. If you
don’t annually review the plan, will reliability be reduced and the BES be subject to
instability, separation and cascading? If DOE needs a form filled out, fill it out and
send it to DOE. NERC doesn’t need to pile on. Mike Moon and Jim Merlo have been
stressing results and risk based, actual performance based, event analysis, lessons
learned and situational awareness. EOP-004 is primarily a business preparedness
topic and identifies administrative procedures that belong in the NAESB domain.
The SDT believes this standard is needed to provide Situational Awareness and can
help in providing lessons learned to the industry. The SDT has revised the
requirements to address this need. While it may be appropriate to have NAESB
adopt this obligation at some point in the future, the SDT was charged with addressing
deficiencies at this time. The SDT has removed all references to filing reports to
DOE from the earlier versions. Today’s only reference provides for NERC’s
acceptance of the use of their form when it is appropriate.
2) Seattle City Light finds that even though efforts were made to differentiate
between sabotage vs. criminal damage, the difference still appears to be confusing.
Sabotage clearly requires FBI notification, but criminal damage (i.e. copper theft,
trespassing, equipment theft) is best handled by local law agencies. A key point on
how to determine the difference is to always go with the evidence. If you have a hole
in the fence and cut grounding wires, this would only require local law enforcement
notification. If there is a deliberate attack on a utility’s BES infrastructure for intent
of sabotage and/or terrorism--this is an FBI notification event. One area where a
potential for confusion arises is with the term “intentional human action” in defining
damage. Shooting insulators on a rural transmission tower is not generally sabotage,
but removing bolts from the tower may well be. Seattle understands the difficulty in
differentiating these two cases, for example, and supports the proposed Standard,
but would encourage additional clarification in this one area.
The SDT appreciates the concern you raise. The SDT decided early that trying to set
a definition for sabotage across the continent would be impossible as there are
many differing viewpoints; particularly within the law enforcement agencies. There
was consensus that even if we were able to set a definition, it may be consistent or
recognized by other agencies. Therefore, the SDT decided to set event types that
warranted reporting. Entities best know who they have to report to and under
what considerations those reports need to be submitted. This is the basis for this
standard. The SDT wanted to provide entities with the result that was necessary
but not prescribe how to do it. This concept has been embraced throughout this
project. We believe that entities can create a single or multiple contact lists that
have the right people being notified when an event type occurs. The SDT has
revised the language on “intentional human action” in Attachment 1 in an attempt
to provide you the clarification you requested.
Response: Thank you for your comment.
Essential Power, LLC
1. As this Standard does not deal with real-time reporting or analysis, and is simply
considered an after the fact reporting process, I question the need for the Standard
at all. This is a process that could be handled through a change to the Rules of
Procedure rather than through a Standard. Developing this process as a Reliability
Standard is, in my opinion, contrary to the shift toward Reliability-Based Standards
Development. 2. I do not believe that establishing a reporting requirement improves
the reliability of the BES, as stated in the purpose statement. The reporting
requirement, however, would improve situational awareness. I recommend the
purpose statement be changed to reflect this, and included with the process in the
NERC Rules of Procedure.
Response: The SDT thanks you for your comment. The SDT believes this standard is needed to provide Situational Awareness and
can help in providing lessons learned to the industry. The SDT has revised the requirements to address this need. The vast
majority of commenters support the Purpose statement as written.
Georgia System Operations
Corporation
a) Reporting most of these items ...
o Does not "provide for reliable operation of the BES"
o Does not include "requirements for the operation of existing BES facilities"
o Is not necessary to "provide for reliable operation of the BES"
... and is therefore not in accordance with the statutory and regulatory definitions of a Reliability Standard.
They should not be in a Reliability Standard. Most of this is an administrative activity
to provide information for NERC to perform some mandated analysis.
The SDT believes this standard is needed to provide Situational Awareness and can
help in providing lessons learned to the industry. The SDT has revised the
requirements to address this need.
b) A reportable Cyber Security Incident: Delete this item from the table. It is covered
in another standard and does not need to be duplicated in another standard.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
c) Damage or destruction of a Facility: Entities MAY only need to slightly modify their
existing CIP-001 Sabotage Reporting procedures from a compliance perspective of
HAVING an Operating Plan but not from a perspective of complying with the Plan. A
change from an entity reporting "sabotage" on "its" facilities (especially when the
common understanding of CIP-001 is to report sabotage on facilities as "one might
consider facilities in everyday discussions") to reporting "damage on its Facilities" (as
defined in the Glossary) is a significant change. An operator does not know off the
top of his head the definition of Facility or Element. He will not know for any
particular electrical device whether or not reporting is required. Although the term is
useful for legal and regulatory needs, it is problematic for practical operational needs.
This creates the need for a big change in guidance, training, and tools for an operator
to know which pieces of equipment this applies to. There is the need to translate
from NERC-ese to Operator-ese. Much more time is needed to implement. The third
threshold ("Results from actual or suspected intentional human action") perpetuates
the problem of knowing the human's intention. Also, what if the action was intended
but the result was not intended? The third threshold is ambiguous and subject to
interpretation. The original intent of this project was to get away from the problem of
the term sabotage due to its ambiguity and subjectivity. This latest change reverses
all of the work so far toward that original goal. Instead of the drafted language,
change this item to reporting "Damage or destruction of a Facility and any involved
human action" and use only the first two threshold criteria.
The SDT stated in our “Consideration of Issues and Directives – March 15, 2012”
that was posted with the last posting:
The SDT has not proposed a definition for inclusion in the NERC Glossary because it
is impractical to define every event that should be reported without listing them in
the definition. Attachment 1 is the de facto definition of “event.” The SDT
considered the FERC directive to “further define sabotage” and decided to
eliminate the term sabotage from the standard. The team felt that without the
intervention of law enforcement after the fact, it was almost impossible to
determine if an act or event was that of sabotage or merely vandalism. The term
“sabotage” is no longer included in the standard and therefore it is inappropriate to
attempt to define it. The events listed in Attachment 1 provide guidance for
reporting both actual events as well as events which may have an impact on the
Bulk Electric System. The SDT believes that this is an equally effective and efficient
means of addressing the FERC Directive.
The SDT has discussed this with FERC Staff and we agree that sabotage could be a
state of mind and therefore the real issue was there an event or not.
The SDT also uses the NERC defined term of “Facility: A set of electrical equipment
that operates as a single Bulk Electric System Element (e.g., a line, a generator, a
shunt compensator, transformer, etc.).”
d) Any physical threat that could impact the operability of a Facility: See comment
above about the term "Facility" and the need for a much longer implementation
time.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
e) Transmission loss: This item is very unclear. What is meant by "loss?" Above, it says
to report damage or destruction of a Facility. This says to report the loss of 3
Facilities. Is the intent here to report when there are 3 or more Facilities that are
unintentionally and concurrently out of service for longer than a certain threshold of
time? The intent should not be to include equipment failure? Three is very arbitrary.
An entity with a very large footprint with a very large number of electrical devices is
highly likely to have 3 out of service at one time. An entity with very few electrical
devices is less likely to have 3. Delete the word Transmission. It is somewhat
redundant. A Facility is a BES Element. I believe all BES Elements are Transmission
Facilities. A Facility operates as a single "electrical device." What if more than 3
downstream electrical devices are all concurrently out of service due to the failure of
one upstream device? Would that meet the criteria? A situation meeting the criteria
will be difficult to detect. Need better operator tools, specific procedures for this,
training, and more implementation time.
The SDT removed all language under “Entity with Reporting Responsibility,” with the
exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
f) The implementation plan says current version stays in effect until accepted by ALL
regulatory authorities but it also says that the new version takes effect 12 months
after the BOT or the APPLICABLE authorities accept it. It is possible that ONE
regulatory authority will not accept it for 13 months and both versions will be in
effect. It is also possible for ALL regulatory authorities to accept it at the same time,
the current version to no longer be in effect, but the new version will not be in effect
for 12 months.
The SDT intends for this standard to not become enforceable until all regulatory
authorities have approved it. The SDT will work with NERC and others to ensure a
timely enforcement period without overlap.
Response: Thank you for your comment.
We Energies
Applicability: Change Electric Reliability Organization to NERC or delete Regional
Entity. The ERO is NERC and all the Regional Entities. R1.2: The ERO is NERC and all
the REs. If I report to any one of the REs (only and not to NERC), I have reported to
the ERO. Change ERO to NERC. M1 refers to R1.1 and R1.2 as Parts. It would be
clearer to refer to them as requirements or sub-requirements.
The SDT is limited to listing functional registrations in the Applicability section. The
applicable entities are the ERO and Regional Entity, not NERC. The SDT notes that
the Applicability section has nothing to do with the reporting obligations. The
Applicability section denotes who has obligations within the standard to report.
The Applicability section has been revised in accordance with comments received
on who needs to report on event types.
M2: Add a comma after "that the event was reported" and "supplemented by
operator logs". It will be easier to read.
The SDT has revised the requirement and associated language.
R3: This should be clarified to state that no reporting will be done for the annual test,
not just exclude the ERO.
The SDT has revised the requirement.
M4: An annual review will not be time stamped.
The SDT has removed the time-stamp provision.
Response: The SDT thanks you for your comment.
City of Austin dba Austin
Energy
Austin Energy makes the following comments:
(1) Comment on the Background section titled “A Reporting Process Solution - EOP-004”: This section includes the sentence, “Essentially, reporting an event to law
enforcement agencies will only require the industry to notify the state OR
PROVINCIAL OR LOCAL level law enforcement agency.” (emphasis added) The
corresponding flowchart includes a step, “Notification Protocol to State Agency Law
Enforcement.” Austin Energy requests that the SDT update the flowchart to match
the language of the associated paragraph and include “state or provincial or local”
agencies.
The SDT wishes to point out that the flowchart is an example only – it was not
meant to show every permutation. The entity can choose to use the flowchart or
develop one for their own use.
(2) Comments on VSLs: Austin Energy recommends that the SDT amend the VSLs for
R2 to include the "recognition of" events throughout. That is, update the R2 VSLs to
state “... X hours after "recognizing" an event ...” in all locations where the phrase
occurs.
The DSR SDT believes the current language is sufficient as Table 1 clearly states that
the reporting ‘clock’ starts after recognition of the event.
(3) Austin Energy has a concern with the inclusion of the word "damage" to the
phrase "damage or destruction of a Facility." We agree that any "destruction" of a
facility that meets any of the three criteria be a reportable event. However, if the
Standard is going to include "damage," some objective definition for "damage" (that
sets a floor) ought to be included. Much like the copper theft issue, we do not see the
benefit of reporting to NERC vandalism that does not rise to a certain threshold (e.g.
someone who takes a pot shot at an insulator) unless the damage has some tangible
impact on the reliability of the BES or is an act of an orchestrated sabotage (e.g.
removal of a bolt in a transmission structure).
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
(4) Austin Energy voted to approve the revised Standard because it is an
improvement over the existing Standard. In light of FERC's comments in Paragraph 81
of the Order approving the Find, Fix, Track and Report initiative, however, Austin
Energy would propose that this Standard is the type of Standard that does not truly
enhance reliability of the BES and is, instead, an administrative activity. As such, we
recommend that NERC consider whether EOP-004-2 ought to be retired.
The SDT appreciates the suggestion; however, we note that a standard cannot be
retired prior to its effective and enforcement dates. Further, the SDT has been
charged with addressing deficiencies that are present in current standards which
the industry has determined to be needed through approval of the SAR. If the P81
process should ultimately decide to retire this standard, then the process will have
made that decision. The SDT cannot presume that the P81 effort will become
effective.
Response: The SDT thanks you for your comment.
Bonneville Power
Administration
BPA believes that the VSL should allow for amending the form after a NERC specified
time period without penalty and suggests that a window of 48 hours be given to
amend the form to make adjustments without needing to file a self report. Should
the standard be revised to allow a time period for amending the form without having
to file a self report, BPA would change its negative position to affirmative.
Response: The SDT thanks you for your comment. The SDT would like to point out that a window is not needed as the standard
requires a report at a 24-hour time frame which provides information on what is known at the time. The standard does not
require any follow up or update report. If the entity wishes to file a follow up report, it can do so on its own. A self report should
only be needed if the 24-hour report was not filed.
CenterPoint Energy
CenterPoint Energy proposes that the purpose be enhanced to reflect risk and
response. For example, the purpose could read “To sustain and improve reliability of
the Bulk Electric System by identifying common risks reported by Responsible Entities
as a source of lessons learned.” In the Background section under Law Enforcement
Reporting, “the” should be added in front of “Bulk Electric System”. Also under the
Background section - “Present expectations of the industry under CIP-001-1a”,
CenterPoint Energy is not aware of any current annual requirements for CIP-001 and
suggests that this section be revised to reflect that fact. CenterPoint Energy strongly
believes that the Violation Severity Levels (VSL) should not be high or severe unless
an Adverse Reliability Impact occurred. CenterPoint Energy is requesting that
Requirement R2 be deleted and the phrase, "as a result of not implementing the
plan/insufficient or untimely report, an Adverse Reliability Impact occurred” be
added to the Requirement R1 VSL. Regarding the VSL for Requirement R4, the
Violation Risk Factor should be "Lower" and read “the entity did not perform the
annual test of the operating plan” as annual is to be defined by the entity or
according to the CAN-0010.
Response: The SDT thanks you for your comment. The vast majority of commenters support the Purpose statement as written.
The missing ‘the’ has been added to the background section under ‘Law Enforcement Reporting.’ ‘Annual’ has been changed to
‘These’. VSLs refer to how closely the entity met the requirements of the standard; it is the VRF that measures impact to
reliability. The DSR SDT believes use of the high and severe VSLs is appropriate. R4 has been deleted along with its VRF/VSLs.
Cowlitz County PUD
Cowlitz is pleased with changes made to account for the difficulties small entities
have in regard to reporting time frames. Although Cowlitz is confident that the
current draft is manageable for small entities, we propose that the resulting reports
this Standard will generate will contain many insignificant events from the event
types “Damage or destruction of a Facility,” and “Any physical threat that could
impact the operability of a Facility.” In particular, examples would be limited target
practice on insulators, car-pole accidents, and accidental contact from tree trimming
or construction activities.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Cowlitz suggests that at least a >= 100 MW (200 MW would be better) and/or >= N-2
impact threshold be established for these event types. Also, Cowlitz suggests the
statement “results from actual or suspected intentional human action” be changed to
“results from actual or suspected intentional human action to damage or destroy a
Facility.” A human action may be intentional which can result in damage to a facility,
but the intent may have been of good standing, and not directed at the Facility. For
example, the intent may have been to legally harvest a tree, or move equipment
under a line. Cowlitz believes the above proposed changes would benefit the ERO,
both in reduction of nuisance reports and possible violations over minimal to no
impact BES events.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Response: The SDT thanks you for your comment.
Colorado Springs Utilities
CSU is concerned with the word ‘damage’. We support any ‘destruction’ of a facility
that meets any of the three criteria be a reportable issue, but ‘damage’, if it’s going to
be included should have some objective definition that sets a baseline.
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness
that the electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT removed all language under “Entity with Reporting Responsibility,” with the exception of entity(s) that are required to
report an applicable event. The SDT removed this language so the entities within this column are clearly stated and identified.
Under the “Threshold for Reporting” column, a bright line was updated based on currently enforced Reliability Standards, FERC
directives and industry comments to state:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours, this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
Dominion
Dominion believes that the reporting of “Any physical threat that could impact the
operability of a Facility4” may overwhelm the Reliability Coordinator staff with little
to no value since the event may have already passed. This specific event uses the
phrase “operability of a Facility” yet “operability” is not defined and is therefore
ambiguous. We do support the reporting to law enforcement and the ERO but do not
generally support reporting events that have passed to the Reliability Coordinator.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Attachment 2; section 4 Event Identification and Description: The type of events
listed should match the events as they are exactly written in Attachment 1. As it is
currently written, it leaves room for ambiguity.
The SDT agrees and has adopted your suggestion.
M3 - Dominion objects to having to provide additional supplemental evidence (i.e.
operator logs), and the SDT may want to include a requirement for NERC to
provide a confirmation that the report has been received.
The SDT believes that you are referring to M2. We have added “which may be”
prior to “supplemented by operator logs,” indicating that this is optional. The SDT
has opted not to develop a requirement for the ERO to provide receipt
confirmation of a report.
Response: The SDT thanks you for your comment.
Entergy
Entergy does not agree with the Time Horizon for R2. The rationale for R2 contains
phrases related to situational awareness and keeping people/agencies aware of the
“current situation.” However, this standard is related to after the fact event
reporting, not real-time reporting via RCIS, as discussed on page 6 of the red-lined
standard. Therefore the time horizon for R2 should indicate that this is an after the
fact requirement expected to be performed either in 1 hour or 24 hours after an
event occurs, not in the operations assessment time frame. This change should also
be made on page 15 of the redline in the Table of compliance elements for R2. Page
18 of the redline document contains a VSL for R2 which states that it will be
considered a violation if the Responsible Entity submitted a report in the appropriate
timeframe but failed to provide all of the required information. It has long been the
practice to submit an initial report and provide additional information as it becomes
available. On page 24 of the redlined document, this is included in the following
“...and provide as much information as is available at the time of the notification to
the ERO...” But the compliance elements table now imposes that if the entity fails to
provide ALL required information at the time the initial report is required, the entity
will be non compliant with the standard. This imposes an unreasonable burden to
the Reliability Entity. This language should be removed. The compliance element
table for R3 and R4 make it a high or severe violation to be late on either the annual
test or the annual review of the Operating plan for communication. While Entergy
supports that periodically verifying the information in the plan and having a test of
the operating plan have value, it does not necessarily impose additional risk to the
BES to have a plan that exceeds its testing or review period by two to three months.
This is an administrative requirement and the failure to test or review should be a
lower or moderate VSL, which would be consistent with the actual risk imposed by a
late test or review. On page 24 of the redlined draft, there is a statement that says “In
such cases, the affected Responsible Entity shall notify parties per Requirement R1
and provide as much information as is available at the time of the notification...”
Since R1 is the requirement to have a plan, and R2 is the requirement to implement
the plan for applicable events, it seems that the reference in this section should be to
Requirement R2, not Requirement R1.
Response: The SDT thanks you for your comment. There is no longer a requirement for this ‘two-step’ reporting. The initial report
is the only report an entity must make. The note at the top of Attachment 1 is to give entities the flexibility to make a quick
‘something big just happened, but I don’t know the extent’ phone call, but realistically the reporting time frame is 24 hours which
should give ample time to make one written report using OE-417 or Attachment 2. You will also notice that the amount of
information you must provide is minimal – the idea is that this is a trigger for NERC or the Event Analysis process and they will
contact you if further details are required.
VSLs refer to how closely the entity met the requirements of the standard; it is the VRF that measures impact to reliability. The
DSRSDT believes use of the high and severe VSLs is appropriate. Also, R4 has been deleted along with its VRF/VSLs.
ERCOT
ERCOT has joined the IRC comments on this project and offers these additional
comments. ERCOT supports the alternative approach submitted by the IRC. ERCOT
requests that time horizons be added for each of the requirements as have been with
other recent Reliability Standards projects. With regards to Attachment 1, ERCOT
requests the following changes:
o Modify “Generation loss” from “≥ 1,000 MW for entities in the ERCOT or
Quebec Interconnection” to “≥ 1,100 MW for entities in the ERCOT
Interconnection” and “≥ 1,000 MW for entities in the Quebec Interconnection”.
This is consistent with the DCS threshold and eliminates possible operator confusion
since DCS events are reported in the ERCOT interconnection at 80% of single largest
contingency which equates to 1100 MW.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
The NERC SPM does allow TRE to apply for a variance if they have special concerns
that GOPs should submit a report to the ERO.
o Modify “Transmission loss” from “Unintentional loss of three or more Transmission
Facilities (excluding successful automatic reclosing)” to “Inconsequential loss of three
or more Transmission Facilities not part of a single rated transmission path (excluding
successful automatic reclosing).” If a single line is comprised of 3 or more sections,
this should not be part of what is reported here as it is intended to be when you have
a single event trip of 3 or more transmission facilities that is not part of its intended
design.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
The NERC SPM does allow TRE to apply for a variance if they have special concerns
that GOPs should submit a report to the ERO.
o ERCOT requests review of footnote 1. The footnote does not seem appropriate in
including an example of a control center as the definition of a BES facility does not
include control centers.
The SDT removed all footnotes within Attachment based on comments received.
Response: The SDT thanks you for your comment.
FirstEnergy Corp
FE supports the standard and has the following additional comments and
suggestions:
1. Guideline/Technical Basis Section - FE requests the SDT add specific
guidance for each requirement. Much of the information in this section is either
included, or should be included in the Background section of the standard. One
example of guidance that would help is for Requirement R3 on how an entity could
perform the annual test. The comment form for this posting has the following
paragraph on pg. 2 which could be used as guidance for R3: “the annual test will
include verification that communication information contained in the Operating Plan
is correct. As an example, the annual update of the Operating Plan could include
calling “others as defined in the Responsibility Entity’s Operating Plan” (see Part 1.2)
to verify that their contact information is up to date. If any discrepancies are noted,
the Operating Plan would be updated. Note that there is no requirement to test the
reporting of events to the Electric Reliability Organization and the Responsible
Entity’s Reliability Coordinator.”
2. With regard to the statement in the comment form
(pg 2 paragraph 7) “Note that there is no requirement to test the reporting of events
to the Electric Reliability Organization and the Responsible Entity’s Reliability
Coordinator.”, requirement R3 only includes the ERO as an entity and should also
include the Reliability Coordinator.
3. The measure M3 says that an entity can use an actual event as a test to meet R3.
Does this mean just 1 actual event will meet R3, or is the intent that all possible
events per 1.2 are tested? Would like some clarity on this measure.
Response: The SDT thanks you for your comment. The requirements have been revised and these revisions along with the
‘Rationale’ boxes should provide the clarity you seek.
Indiana Municipal Power Agency
For 1.2 under R1, is the SDT leaving it up to the registered entities to decide which
organizations will be contacted for each event listed in attachment 1 or do all of
those organizations need to be contacted for each event listed in attachment 1? The
requirement needs to clearly communicate this clarification and be independent of
the rationale language. Auditors will go by the requirement and not the rationale for
the requirement. For 1.1 under R1, does each event need its own process of
recognition or can one process be used to cover all the applicable events? The
requirement needs to clearly communicate this clarification and be independent of
the rationale language. Auditors will go by the requirement and not the rationale for
the requirement. For 1.2 under R1, company personnel is used as an example but in
the rationale for R1, the third line uses operating personnel. IMPA recommends
changing the example in 1.2 to operating personnel which is used in the current
version of CIP-001.
Response: The SDT thanks you for your comment. The SDT does not believe that it has the ability (or desire) to programmatically
prescribe whether entities have a single or multiple contact lists. Entities themselves know best who and under what conditions
do reports need to be provided. Further, the industry in past comment periods, clearly indicated that they did not wish to have
the SDT provide the “how.”
GTC
For R2, please clarify how an entity can demonstrate that no reportable events were
experienced. GTC recommends an allowance for a letter of attestation within M2.
Response: Thank you for your comment. Registered Entities must determine how to best demonstrate they have met the
performance obligation of a requirement. The use of an attestation statement is already permitted and recognized with the NERC
Compliance Program if that is the best means of demonstrating your performance under the requirement. Auditors will then
assess whether or not an attestation meets the requirement in one's audit. Attestations cannot be specifically permitted for use.
Orange and Rockland Utilities, Inc.
Form EOP-004, Attachment 2: Event Reporting Form: Delete the Task words “or
partial.” Delete the Task words “physical threat that could impact the operability of
a Facility.” Make any changes to the VSL’s necessary to align them with the reviewed
wording provided above.
Consolidated Edison Co. of NY, Inc.
Form EOP-004, Attachment 2: Event Reporting Form: Delete the Task words “or
partial.” Delete the Task words “physical threat that could impact the operability of a
Facility.” Make any changes to the VSL’s necessary to align them with the reviewed
wording provided above.
Response: The SDT thanks you for your comment. The SDT has updated Attachment 2 to reflect the events listed in Attachment 1.
NextEra Energy Inc
Given that Responsible Entities are already required by other Reliability Standards to
communicate threats to reliability to their Reliability Coordinator (RC), NextEra does
not believe that EOP-004-2 is a Reliability Standard that promotes the reliability of
the bulk power system, as envisioned by Section 215 of the Federal Power Act.
Because an RC reporting requirement is already covered in other Standards, EOP-004-2 essentially is a reporting out requirement to the Regional Reliability Organization
(RRO). NextEra does not agree that the reporting of events to the RROs should be
subject to fines under the Reliability Standard regulatory framework. The reporting
to RROs, as required by EOP-004-2, while informative and helpful for lessons learned,
etc., is not necessary to address an immediate threat to reliability. In addition,
NextEra does not believe it would be constructive to fine Responsible Entities for
failure to report to a RRO within a mandated deadline during times when these
entities are attempting to address potential sabotage on their system. NextEra
would, therefore, prefer that the EOP-004-2 Standards Drafting Team be disbanded,
and instead that EOP-004-2’s reporting requirements be folded in to the event
analysis reporting requirements. Therefore, NextEra requests that the new Section
812 be revised to include EOP-004-2 as a data request for lessons learned or for
informational purposes only, and, also, for EOP-004-2 project to be disbanded.
Response: The SDT thanks you for your comment. While the SDT appreciates your viewpoint, the SDT has been charged with
addressing deficiencies identified in current standards. The SDT believes that the standard will provide NERC with the situational
awareness it needs as well as providing the industry valuable information through lessons learned.
Illinois Municipal Electric Agency
Illinois Municipal Electric Agency supports comments submitted by Florida Municipal
Power Agency.
Response: The SDT thanks you for your comment. Please review the response to that commenter.
Florida Municipal Power Agency
In R1, bullet, it is a bit ambiguous whether the list of organizations to be
communicated with is an exhaustive list (i.e.) or a list of examples (e.g.). The list is
preceded by an “i.e.” which indicates the former, but includes an “or” which indicates
the latter. We are interpreting this as meaning the list is exhaustive as separated by
semi-colons, but that the last phrase separated by commas is a list of examples. Is
this the correct interpretation?
The SDT has made the required change concerning replacing “i.e.” with “e.g.”
The Rules of Procedure language for data retention (first paragraph of the Evidence
Retention section) should not be included in the standard, but instead referred to
within the standard (e.g., “Refer to Rules of Procedure, Appendix 4C: Compliance
Monitoring and Enforcement Program, Section 3.1.4.2 for more retention
requirements”) so that changes to the RoP do not necessitate changes to the
standard.
The language that you mention is part of the standard boilerplate and is included in
all standards. The SDT has chosen to keep the language as is at this time.
Response: The SDT thanks you for your comment.
Ingleside Cogeneration LP
Ingleside Cogeneration LP strongly believes that LSEs that do not own BES assets
should be excluded from the Applicability section of this standard.
Response: The SDT thanks you for your comment. The LSE obligation in this standard was tied to applicability in CIP-008 for cyber
incident reporting. Reporting under CIP-008 is no longer part of EOP-004-2 so this applicability has been removed.
Los Angeles Department of Water and Power
LADWP does not have any other comments at this time
Response: The SDT thanks you for your participation.
Manitoba Hydro
Manitoba Hydro is voting negative on EOP-004-2 for the reasons identified in our
response to Question 1. In addition, Manitoba Hydro has the following
comments: (Background section) - The section has inconsistent references to EOP-004
(e.g., EOP-004 and EOP-004-2 are used). Wording should be made consistent.
(Background section) - The section references entities, and responsible entities.
Suggest wording is made consistent and changed to Responsible Entities. (General
comment) - References in the standard to ‘Part 1.2’ should be changed to R1.2 as it is
unclear if Part 1.2 refers to, for example, R1.2 or part 1.2 ‘Evidence Retention’.
(M4) - Please clarify what is meant by ‘date change page’.
Response: The SDT thanks you for your comment. The SDT appreciates the points you raise and we continually review the
document to make sure the language is consistent and unambiguous.
Southern Company Services
Move the Background Section (pages 4-9) to the Guideline and Technical Basis
section. They are not needed in the main body of the standard.
The SDT agrees and adopts your suggestion.
Each “Entity with Reporting Responsibility” in the one-hour reporting table (p. 17)
should be explicitly listed in the table, not pointed to another variable location. The
criterion for “Threshold for Reporting” in the one-hour reporting table (p. 17) should
be explicitly listed in the table, not pointed to another variable location.
Please specify the voltage base against which the +/- 10% voltage deviation on a
Facility is to be measured in the twenty-four hour reporting table (p. 19).
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
Response: The SDT thanks you for your comment.
Oncor Electric Delivery
Oncor takes the position that the proposed objectives as prescribed in Project 2009-01 - Disturbance and Sabotage Reporting, is a “good” step forward. Currently, NERC
reporting obligations related to disturbances occurs over multiple standards including
CIP-001, EOP-004-1, TOP-007-0, CIP-008-3 and Event Analysis (EA). Oncor is especially
pleased that the Event Analysis Working Group (EAWG) is actively working to find
ways of streamlining the disturbance reporting process especially to agencies outside
of NERC such as FERC, and state agencies. Oncor is in agreement that an addition to
the NERC Rules of Procedure in section 800 to develop a Reporting Clearinghouse for
disturbance events by the establishment of a system to collect report and then
forward completed forms to various requesting agencies, is also a very positive step.
Response: The SDT thanks you for your comment. The SDT would like to point out that the EAP is a voluntary program where the
entity analyzes an issue or system condition. EOP-004-2 is a Reporting Standard where an entity informs the ERO (and whoever
else per Requirement R1) of a current event. This will give others the situational awareness that their system may be degraded.
Please refer to the Southwest Outage Report for more situational awareness issues that failed.
Occidental Power Services, Inc.
OPSI continues to believe that LSEs that do not own BES assets should be excluded
from the Applicability section of this standard.
It is disingenuous of both the SDT and FERC to promote an argument to support this
inclusion such as that stated in Section 459 of Order 693 (and referred to by the SDT
in their Consideration of Comments in the last posting). The fact is that no reportable
disturbance can be caused by an “attack” on an LSE that does not own BES assets.
The SDT has yet to point out such an event.
Response: The SDT thanks you for your comment. The LSE obligation in this standard was tied to applicability in CIP-008 for cyber
incident reporting. Reporting under CIP-008 is no longer part of EOP-004-2 so this applicability has been removed. The SDT notes
that LSEs will still be subject to reporting under CIP-008 until such time they are removed from that standard.
New York Power Authority
Please see comments submitted by NPCC Regional Standards Committee (RSC).
Response: The SDT thanks you for your comment. Please review the response to that commenter.
MRO NSRF
R1 states: “Each Responsible Entity shall have an event reporting Operating Plan that
includes:” The definition of Operating Plan is: “A document that identifies a group of
activities that may be used to achieve some goal. An Operating Plan may contain
Operating Procedures and Operating Processes. A company-specific system
restoration plan that includes an Operating Procedure for black-starting units,
Operating Processes for communicating restoration progress with other entities, etc.,
is an example of an Operating Plan.” This appears to us to be too prescriptive and
could be interpreted to require a series of documents for reporting issues to NERC.
We suggest the following wording: R1. Each Responsible Entity shall have document
methodology(ies) or process(es) for: 1.1. Recognizing each of the applicable events
listed in EOP-004 Attachment 1. 1.2. Reporting each of the applicable events listed in
EOP-004 Attachment 1 in accordance with the time frames specified in EOP-004
Attachment 1 to the Electric Reliability Organization. LES Comment: [R1] We are
concerned by the significant amount of detail an entity would be required to contain
within the Operating Plan as part of Requirement R1. Rather than specifying an
entity must have a documented process for recognizing each of the events listed in
EOP-004-2 Attachment 1, at a minimum, consider removing the term “process” in
R1.1 and replacing with “guideline” to ensure operating personnel are not forced to
adhere to a specific sequence of steps and still have the flexibility to exercise their
own judgment. Section 5 of the standard (Background) should be moved to the
Guideline and Technical Basis document. A background that long does not belong in
the standard piece as it detracts from the intent of the standard itself.
Response: The SDT thanks you for your comment. The background and Guidelines and Technical Basis sections have been
combined.
ReliabilityFirst
ReliabilityFirst votes in the Affirmative for this standard because the standard further
enhances reliability by clearing up confusion and ambiguity of reporting events which
were previously reported under the EOP-004-1 and CIP-001-1 standards. Even
though ReliabilityFirst votes in the Affirmative, we offer the following comments for
consideration: 1. Requirement R1, Part 1.2 a. ReliabilityFirst recommends further
prescribing whom the Responsible Entity needs to communicate with. The phrase “...
and other organizations needed for the event type...” in Part 1.2 essentially leaves it
up to the Responsible Entity to determine (include in their process) whom they
should communicate each applicable event to. ReliabilityFirst recommends adding a
fourth column under Attachment 1, which lists whom the Responsible Entity is
required to communicate with, for each applicable event. 2. VSL for Requirement
R2 a. Requirement R2 requires the Responsible Entity to “implement its event
reporting Operating Plan” and does not require the entity to submit a report. For
consistency with the requirement, ReliabilityFirst recommends modifying the VSLs to
begin with the following type of language: “The Responsible Entity implemented its
event reporting Operating Plan more than 24 hours but...” This recommendation is
based on the FERC Guideline 3, VSL assignment should be consistent with the
corresponding requirement and should not expand on, nor detract from, what is
required in the requirement.
Response: The SDT thanks you for your comment. The SDT believes that implementing your Operating Plan means that you report
an event. Therefore the VSLs are entirely consistent with the requirement.
DECo
Requirement R3 for annual test specifically states that ERO is not included during
test. Implies that local law enforcement or state law enforcement will be included in
test. Hard to coordinate with many Local organizations in our area.
Response: The SDT thanks you for your comment. The SDT has revised the language in Requirement R3 and believes that the
changes will address your suggestion.
Alliant Energy
Section 5 of the standard (Background) should be moved to the Guideline and
Technical Basis document. A background that long does not belong in the standard
piece as it detracts from the intent of the standard itself.
Response: The SDT thanks you for your comment. The background and Guidelines and Technical Basis sections have been
combined.
215
Organization
MidAmerican Energy
See the NSRF comments.
Response: The SDT thanks you for your participation. Please review the response to that commenter.
MEAG Power
Should these administrative activities be sent over to NAESB? R1: There is merit in
having a plan as identified in R1, but is this a need to support reliability or is it a
business practice? Should it be in NAESB’s domain? R2, R3 & R4: These are not
appropriate for a Standard. If you don’t annually review the plan, will reliability be
reduced and the BES be subject to instability, separation and cascading? If DOE
needs a form filled out, fill it out and send it to DOE. NERC doesn’t need to pile on.
Mike Moon and Jim Merlo have been stressing results and risk based, actual
performance based, event analysis, lessons learned and situational awareness. EOP-004 is primarily a business preparedness topic and identifies administrative
procedures that belong in the NAESB domain.
Public Utility District No. 1 of
Snohomish County
SNPD suggests moving these administrative activities to NAESB. R1: There is merit in
having a plan as identified in R1, but is this a need to support reliability or is it a
business practice? Should it be in NAESB’s domain? R2, R3 & R4: These are not
appropriate for a Standard. If you don’t annually review the plan, will reliability be
reduced and the BES be subject to instability, separation and cascading? If DOE
needs a form filled out, fill it out and send it to DOE. NERC doesn’t need to pile on.
Gerry Cauley and Mike Moon have been stressing results and risk based, actual
performance based, event analysis, lessons learned and situational awareness. EOP-004 is primarily a business preparedness topic and identifies administrative
procedures that belong in the NAESB domain.
Response: The SDT thanks you for your comment. SDT believes this standard is needed to provide Situational Awareness and can
help in providing lessons learned to the industry. The SDT has revised the requirements to address this need. While it may be
appropriate to have NAESB adopt this obligation at some point in the future, the SDT was charged with addressing deficiencies at this
time. The SDT has removed all references to filing reports to DOE from the earlier versions. Today’s only reference provides for
NERC’s acceptance of the use of their form when it is appropriate.
Springfield Utility Board
SUB appreciates the opportunity to provide comments. While Staff was concerned
with the consolidation of CIP and non-CIP NERC Reliability Standards (as to how
they’ll be audited), the Project 2009-01 SDT has done an excellent job in providing
clarification around identifying and reporting events, particularly related to the
varying definitions of “sabotage”.
Response: The SDT thanks you for your support.
Tacoma Power
Tacoma Power disagrees with the requirement to perform annual testing of each
communication plan. We do not see any added value in performing annual testing of
each communication plan. There are already other Standard requirements to
perform routine testing of communications equipment and emergency
communications with other agencies. The “proof of compliance” to the Standard
should be in the documentation of the reports filed for any qualifying event, within
the specified timelines and logs or phone records that it was communicated per each
specified communication plan. Tacoma Power has none at this time. Thank you for
considering our comments.
Response: The SDT thanks you for your comment. The SDT has revised Requirement R3 and we believe that our changes address
your suggestion.
Exelon Corporation and its
affiliates
Thanks to the SDT. Significant progress was made in revising the proposed standard
language. We appreciate the effort and have only a few remaining requests:
o We understand that CIP-008 dictates the 1-hour reporting obligation for Cyber
Security Incidents and this iteration of EOP-004 delineates the CIP-008 requirements.
Please confirm that per the exemption language in the CIP standards (as consistent
with the March 10, 2011 FERC Order (docket # RM06-22-014)) nuclear generating
units are not subject to this reporting requirement.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one-hour reporting requirement.
o EOP-004 still lists “Generation Loss” as a 24 hour reporting criteria without any time
threshold guidance for the generation loss. Exelon previously commented to the SDT
(without the comment being addressed) that Generation Loss should provide some
type of time threshold. If the 2000 MW is from a combination of units in a single
location, what is the time threshold for the combined unit loss? In considering
clarification language, the SDT should review the BAL standards on the disturbance
recovery period for appropriate timing for closeness of trips.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
o The “physical threat that could impact” requirement remains vague and it’s not
clear the relevance of such information to NERC or the Regions. If a train derailment
occurred near a generation facility (as stated in the footnote), are we to expect that
NERC is going to send out a lesson learned with suggested corrective actions to
protect generators from that occurring? The value in that event reporting criteria
seems low. The requirement should be removed.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
o The event concerning voltage deviation of +/- 10% does not specify which type of
voltage. In response to this comment in the previous comment period, the SDT
indicated that the entity could determine the type of voltage. It would be clearer to
specify in the standard and avoid future interpretation at the audit level.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
o As requested previously, for nuclear facilities, EOP-004 reporting should be
coordinated with existing required notifications to the NRC and FBI as to not
duplicate effort or add unnecessary burden on the part of a nuclear GO/GOP during a
potential security or cyber event. Please contact the NRC about this project to
ensure that required communication and reporting in response to a radiological
sabotage event (as defined by the NRC) or any incident that has impacted or has the
potential to impact the BES does not create duplicate reporting, conflicting reporting
thresholds or confusion on the part of the nuclear generator operator. Each nuclear
generating site licensee must have an NRC approved Security Plan that outlines
applicable notifications to the FBI. Depending on the severity of the security event,
the nuclear licensee may initiate the Emergency Plan (E-Plan). Exelon again asks that
the proposed reporting process and flow chart be coordinated with the NRC to
ensure it does not conflict with existing expected NRC requirements and protocol
associated with site specific Emergency and Security Plans. In the alternative, the
EOP-004 language should include acceptance of NRC required reporting to meet the
EOP-004 requirements.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Complete loss of off-site power affecting a nuclear generating station per the
Nuclear Plant Interface Requirement.”
As stated in this event Threshold, the TOP’s NPIR may have additional guidance
concerning the complete loss of offsite power affecting a nuclear plant.
o The proposed standard notes that the text boxes will be moved to the Guideline
and Technical Basis Section which we support. However, it’s not clear whether all the
information in the background section will remain part of the standard. If this section
is to remain as proposed, concerted revision is needed to ensure that the discussion
language matches the requirement language. At present, it does not. For instance,
the flow chart on page 9 indicates when to report to law enforcement while the
requirements merely state that communications to law enforcement be addressed
within the operating plan.
The background sections will remain in the standard. The flowchart on Page 9 is an
example only and may differ from your Operating Plan.
o Exelon voted negative on this ballot due to the need for further clarification
and reconciliation between NERC EOP-004 and the NRC.
The SDT team does not believe that reporting under EOP-004 can in any way
‘conflict’ with any other reporting obligations that nuclear or any other type of
GO/GOP may have. By allowing applicable entities to use the OE-417 form, the
drafting team believes it has given industry reasonable accommodation to reduce
duplicative reporting. The same is true for other agencies as well. If an entity
submits to NERC the same that was submitted to the other regulatory agency, then
this submission will be acceptable. Based on the historical frequency with which
GO/GOPs report under the current EOP-004-1 the drafting team does not believe
this places an inordinate burden on the applicable entities.
Response: The SDT thanks you for your comment.
Alberta Electric System
Operator
The Alberta Electric System Operator will need to modify parts of this standard to fit
the provincial model and current legislation when it develops the Alberta Reliability
Standard.
Response: The SDT thanks you for your comment.
Puget Sound Energy, Inc.
The effective date language in the Implementation Plan is inconsistent with the
effective date language in the proposed standard.
The SDT checked the language and found both to be identical.
In addition, the statement of effective date in the Implementation Plan is ambiguous
- will EOP-004-2 be effective in accordance with the first paragraph or when it is
“assigned an effective date” as stated in the second paragraph?
The second paragraph deals with EOP-004-1, the currently mandatory and
enforceable standard.
All requirements should be assigned a Lower Violation Risk Factor. Medium risk
factors require direct impact on the Bulk Electric System and the language there
regarding “instability, separation, or cascading failures” is present to distinguish the
Medium risk factor from the High risk factor. Since all of the requirements address
after-the-fact reporting, there can be no direct impact on the Bulk Electric System. In
addition, if having an Operating Plan under Requirement R1 is a Lower risk factor,
then it does not make sense that reviewing that Operating Plan annually under
Requirement R4 has a higher risk factor.
The SDT disagrees. Please review the VRF documentation that was posted with the
standard for the analysis of the requirements.
The shift away from "the distracting element of motivation", i.e., removing
"Sabotage" from the equation, runs the risk of focusing solely on what happened,
how to fix it, and waiting for the next event to occur. That speaks to a reactive
approach rather than a proactive one. There is a concern with the removal of the FBI
from the reporting mix. Basically, the new standard will involve reporting a suspicious
event or attack to local law enforcement and leaving it up to them to decide on
reporting to the FBI. Depending on their evaluation, an event which is significant for a
responsible entity might not rise to the priority level of the local law enforcement
agency for them to report it to the FBI. While this might reduce the reporting
requirements a bit, it might do so to the responsible entity’s detriment.
The Operating Plan developed by each responsible entity may indeed have certain
event types reported directly to the FBI. It is up to the entity to determine the
appropriate notifications. Entities in Canada would not report anything to the FBI.
In Attachment 2 - item 4, would it be possible for the boxes to be either alpha-sorted or
sorted by priority?
The SDT has made changes to Attachment 2 to list the Events in order of their
listing in Attachment 1.
There is a disconnect between footnote 1 on page 18 (Don't report copper theft) and
the Guideline section, which suggests reporting forced intrusion attempt at a
substation.
Forced Intrusion was removed from the Guidelines section. The SDT has deleted
footnote 1 based on comments received from the industry, however, retained the
concept in the event type “Physical threats to a Facility” as:
“Do not report copper theft unless it degrades normal operation of a Facility.”
Also, in the section discussing the removal of sabotage, the Guideline mentions
certain types of events that should be reported to NERC, DHS, FBI, etc., while that
specificity with respect to entities has been removed from the reporting requirement.
The SDT disagrees with your assessment on reporting. Entities know best to whom
and what reporting obligations they have on the applicable event types. The SDT
has learned that states vary in organization of their law enforcement agencies. As
such it is impossible for the SDT to outline those obligations in a consistent and
uniform manner. Entities can establish a single or multiple contact lists as needed
for the different event types.
Response: The SDT thanks you for your comments.
Kansas City Power & Light
The flowchart states, “Notification Protocol to State Agency Law Enforcement”.
Please correct this to, “Notification to State, Provincial, or Local Law Enforcement”, to
be consistent with the language in the background section part, “A Reporting Process
Solution - EOP-004”.
Evidence Retention - it is not clear what the phrase “prior 3 calendar years”
represents in the third paragraph of this section regarding data retention for
requirements and measures for R2, R3, R4 and M2, M3, M4 respectively. Please
clarify what this means. Is that different than the meaning of “since the last audit for
3 calendar years” for R1 and M1?
Response: The SDT thanks you for your comment. The flowchart is an example only and was not meant to show every
permutation. The evidence retention paragraph has been revised to reflect the ‘since last audit’ language.
United Illuminating Company
The measures M3 and M4 require evidence to be dated and time stamped. The time
stamp is excessive and provides no benefit. A dated document is sufficient. The
measure M2 requires in addition to a record of the transmittal of the EOP-004
Attachment 2 form or DOE-417 form that an operator log or other operating
documentation is provided. It is unclear why this supplemental evidence of operator
logs is required. We are assuming that the additional operator logs or
documentation is required to demonstrate that the communication was completed
to organizations other than NERC and DOE of the event. If true then the measure
should be clear on this topic. For communication to NERC and DOE use the EOP-004
Form or OE-417 form and retain the transmittal record. For communication to other
organizations pursuant to R1 Part 1.2 evidence may include, but is not limited to,
operator logs, transmittal record, attestations, or voice recordings.
Response: The SDT thanks you for your comment. The SDT has removed the time-stamp provision. The SDT agrees and adopts
your suggestion.
New York Independent
System Operator
The NYISO is part of and supports comments submitted by NPCC Reliability Standards
Committee and the IRC Standards Review Committee. However the NYISO would also
like to comment on the following items: o NERC has been proposing the future
development of performance based standards, which is directly related to reliability
performance. Requirement 2 of this standard is simply a reporting requirement. We
believe that this does not fall into a category of a performance based standard. NERC
has the ability to ask for reports on events through ROP provisions and now the new
Event Analysis Process. It does not have to make it part of the compliance program.
Some have indicated that need for timely reporting of cyber or sabotage events. The
counter argument is that the requirement is reporting when confirmed which would
delay any useful information to fend off a simultaneous threat. Also NERC has not
provided any records of how previous timely (1 hour) reporting has mitigated
reliability risks. o The NERC Event Analysis Process was recently approved by the
NERC OC and is in place. This was the model program for reporting outside the
compliance program that the industry was asking for. This should replace the need
for EOP-004. o NERC has presented Risk Based Compliance Monitoring (RBCM) to the
CCC, MRC, BOT and at Workshops. This involves audit teams monitoring an entity’s
controls to ensure they have things in place to maintain compliance with reliability
rules. The proposed EOP-004 has created requirements that are controls to
requirement R2, which is to file a report on predefined incidents. The RBCM is being
presented as the auditor will make determinations on the detail of the sampling for
compliance based on the assessment of controls an entity has in place to maintain
compliance. It is also noted that compliance will not be assessed against these
controls. As the APS example for COM-002 is presented in the Workshop slides, the
issue is that EOP-004 R1, R3 and R4 are controls for reporting; 1) have a plan, 2) test
the plan, and 3) review the plan. While R2 is the only actionable requirement. The
NYISO believes that all reporting requirements have been met by OE-417 and EAP
reporting requirements and that EOP-004 has served its time. At a minimum, the
NYISO would suggest that EOP-004 be simplified to just R2 (reporting requirement)
and the other requirements be placed at the end of the RSAW to demonstrate a
culture of compliance as presented by NERC.
Response: The SDT thanks you for your comment. Please review the responses to those commenters. The SDT appreciates your
suggestion, however, most of your comment is beyond the scope of the SDT’s charge. The SDT would like to note your statement
on reporting requirements having been met by the OE-417 and EAP requirements. The SDT fails to see how NERC gains situational
awareness and the opportunity to pass along lessons learned when the aforementioned reports are not forwarded to the
appropriate ERO group. The SDT would also note that the ERO does not have access to the OE-417 filings unless they are provided
and the EAP does not include reporting for some of the event types listed in Attachment 1. The SDT will forward your comment to
appropriate officials for their consideration.
Hydro One
The proposed standard is not consistent with NERC’s new Risk Based Compliance
Monitoring. - The performance based action to “implement its event reporting
Operating Plan” on defined events, as required in R2, could be considered a valid
requirement. However, the concern is that this requirement could be superseded by
the NERC Events Analysis Process and existing OE-417 Reporting. - The requirements
laid out in R1, R3 and R4 are specific controls to ensure that the proposed
requirement to report (R2) is carried out. However, controls should not be part of a
compliance requirement. The only requirement proposed in this standard that is not
a control is R2. NERC does not need to duplicate the enforcement of reporting already
imposed by the DOE. DOE-417 is a well-established process that has regulatory
obligations. NERC enforcement of reporting is redundant. NERC has the ability to
request copies of these reports without making them part of the Reliability Rules.
The SDT appreciates your suggestion, however, most of your comment is beyond
the scope of the SDT’s charge. The SDT would like to note your statement on
reporting requirements having been met by the OE-417 and EAP requirements. This
statement is not true for Canadian entities. The SDT fails to see how NERC gains
situational awareness and the opportunity to pass along lessons learned when the
aforementioned reports are not forwarded to the appropriate ERO group. The SDT
would also note that the ERO does not have access to the OE-417 filings unless they
are provided and the EAP does not include reporting for some of the event types
listed in Attachment 1. The SDT will forward your comment to appropriate officials
for their consideration.
Form EOP-004, Attachment 2: Event Reporting Form: - Delete from the Task column
the words “or partial”. - Delete from the Task column the words “physical threat that
could impact the operability of a Facility”.
The SDT has proposed changes to the language within Attachment 2 which we
believe corrects the point made.
VSL’s may have to be revised to reflect revised wording. The standard as proposed is
not supportive of Gerry Cauley’s performance based standard initiative
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Response: The SDT thanks you for your comment.
Northeast Power Coordinating
Council
The proposed standard is not consistent with NERC’s new Risk Based Compliance
Monitoring. a. The performance based action to “implement its event reporting
Operating Plan” on defined events, as required in R2, could be considered a valid
requirement. However, the concern is that this requirement could be superseded by
the NERC Events Analysis Process and existing OE-417 Reporting. b. The
requirements laid out in R1, R3 and R4 are specific controls to ensure that the
proposed requirement to report (R2) is carried out. However, controls should not be
part of a compliance requirement. The only requirement proposed in this standard
that is not a control is R2. NERC does not need to duplicate the enforcement of
reporting already imposed by the DOE. DOE-417 is a well established process that has
regulatory obligations. NERC enforcement of reporting is redundant. NERC has the
ability to request copies of these reports without making them part of the Reliability
Rules.
The SDT appreciates your suggestion; however, most of your comment is beyond
the scope of the SDT’s charge. The SDT would like to note your statement on
reporting requirements having been met by the OE-417 and EAP requirements. This
statement is not true for Canadian entities. The SDT fails to see how NERC gains
situational awareness and the opportunity to pass along lessons learned when the
aforementioned reports are not forwarded to the appropriate ERO group. The SDT
would also note that the ERO does not have access to the OE-417 filings unless they
are provided and the EAP does not include reporting for some of the event types
listed in Attachment 1. The SDT will forward your comment to appropriate officials
for their consideration.
Form EOP-004, Attachment 2: Event Reporting Form: Delete from the Task column
the words “or partial”. Delete from the Task column the words “physical threat that
could impact the operability of a Facility”.
The SDT has proposed changes to the language within Attachment 2 which we
believe corrects the point made.
VSL’s may have to be revised to reflect revised wording.
The SDT agrees and adopts your suggestion.
Response: The SDT thanks you for your comment.
American Public Power
Association
The SDT needs to provide some relief for the small entities in regards to the VSL in
the compliance section. APPA believes there should be no High or Severe VSLs for
this standard. This is a reporting/documentation standard and does not affect BES
reliability at all. It is APPA’s opinion that this standard should be removed from the
mandatory and enforceable NERC Reliability Standards and turned over to a working
group within the NERC technical committees. Timely reporting of this outage data is
already mandatory under Section 13(b) of the Federal Energy Administration Act of
1974. There are already civil and criminal penalties for violation of that Act. This
standard is a duplicative mandatory reporting requirement with multiple monetary
penalties for US registered entities. If this standard is approved, NERC must address
this duplication in their filing with FERC. This duplicative reporting and the
differences in requirements between DOE-OE-417 and NERC EOP-004-2 require an
analysis by FERC of the small entity impact as required by the Regulatory Flexibility
Act of 1980.
Response: The SDT thanks you for your comment. VSLs refer to how closely the entity met the requirements of the standard; it is
the VRF that measures impact to reliability. The SDT believes use of the high and severe VSLs is appropriate. The SDT believes that
size is not the important criteria in determining an impact on reliability. The reporting thresholds are based on the BES. No entity,
including small entities is required to report on equipment that is not categorized as BES, which should give small entities relief
from reporting on non-impactive assets.
Pepco Holdings Inc
The SDT's efforts have resulted in a very good draft.
Response: The SDT thanks you for your support.
ISO/RTO Standards Review
Committee
The SRC offers some other comments regarding the posted draft requirements;
however, by so doing, the SRC does not indicate support of the proposed
requirements. Following these comments, please see below for an SRC proposed
alternative approach: The SRC does not agree with the MEDIUM VRF assigned to
Requirement R4. R4 is a requirement to conduct an annual review of the Event
Reporting Operating Plan mandated in Requirement R1. R1 however is assigned a VRF
of LOWER. We are unable to rationalize why a subsequent review of a plan should
have a higher reliability risk impact than the development of the plan itself.
Hypothetically, if an entity doesn’t develop a plan to begin with, then it will be
assigned a LOWER VRF, and the entity will have no plan to review annually and hence
it will not be deemed non-compliant with requirement R4. The entity can avoid being
assessed violating a requirement with a MEDIUM VRF by not having the plan to begin
with, for which the entity will be assessed violating a requirement with a LOWER VRF.
We suggest changing the R4 VRF to LOWER.
The SDT has revised the requirements and R4 has been deleted along with its
VRF/VSL.
The SRC requests that the SDT post the following Alternative Proposal for Industry
comments as required by the Standards Process to obtain Industry consensus and as
permitted by FERC: An equally effective alternative is to withdraw this standard and
to make the contents of the SDT’s posted standard a NERC Guideline.
a. This alternative is more in line with new NERC and FERC proposals
b. This alternative retains the reporting format
Comments
1. The FERC Order 693 directives regarding “sabotage” have already been
addressed by the SDT (i.e. the concept was found outside the scope of NERC
standards)
2. Current Industry actions already address the needs cited in the Order:
a. Approved Reporting Processes already exists i. The Operating Committee’s Event
Analysis Process ii. Alert Reporting
b. The Data already exists i. Reliability Coordinators Information System (which
creates hundred if not thousands of “reports” per year) ii. The DOE’s OE 417 Report
itself provides part of the FERC discussed data
3. The proposed standard is not supportive of Gerry Cauley’s performance based
standard initiative or of FERC’s offer to reduce procedural standards
a. The proposed requirement is a process not an outcome i. The proposal is more
focused on reporting and could divert the attention of reliability entities from
addressing a situation to collecting data for a report
b. The proposed “events” are subjective and if followed will create an unmanageable
burden on NERC staff i. Reporting “damage” to facilities can be interpreted as
anything from a dent in a generator to the total destruction of a transformer ii. The
reporting requirements on all applicable entities will create more questions about
differences between the reports of the various entities - rather than leading to
conclusions about patterns among events that indicate a global threat iii. Reporting
any “physical threat” is too vague and subjective iv. Reporting “damage to a facility
that affects an IROL” is subjective and can be seen to require reporting of damage on
every facility in an interconnected area.
v. Reporting “Partial loss of monitoring” is a data quality issue that can be anything
from the loss of a single data point to the loss of an entire SCADA system
vi. Testing the filling out of a Report does not make it easier to fill out the report later
(moreover the reporting is already done often enough - see 2.b.i)
c. The proposed requirements will create a disincentive to improving current Reporting
practices (the more an entity designs into its own system the more it will be expected to
do and the more likely it will be penalized for failing to comply)
i. Annual reviews of the reporting practices fall into the same category, why have a
detailed process to review when a simple one will suffice?
4. The proposed standard does not provide a feedback loop to either the data
suppliers or to potentially impacted functional entities a. If the “wide area” data
analysis indicates a threat, there is no requirement to inform the impacted entities b.
As a BES reliability issue there is no performance indicators or metrics to show the
value of this standard i. The SRC recognizes that specific incidents cannot be
identified but if this is to be a reliability standard some information must be provided.
A Guideline could be designed to address this concern.
5. The proposed standard is not consistent with NERC’s new Risk Based Compliance
Monitoring.
a. The performance based action to report on defined events, as required in R2, could
be considered a valid requirement. However we have concerns as noted in Bullet 3
above. The requirements laid out in R1, R3 and R4 are specific controls to ensure that
the proposed requirement to report (R2) is carried out. NERC is moving in the
direction to assess entities’ controls, outside of the compliance enforcement arm.
The industry is being informed that NERC Audit staff will conduct compliance audits
based on the controls that the entity has implemented to ensure compliance. The
SRC is interested in supporting this effort and making it successful. However, if this is
the direction NERC is moving, we should not be making controls part of a compliance
requirement. The only requirement proposed in this standard that is not a control is
R2.
6. For FERC-jurisdictional entities, NERC does not need to duplicate the enforcement
of reporting already imposed by the DOE. DOE-417 is a well established process that
has regulatory obligations. NERC enforcement of reporting would be redundant.
NERC has the ability to request copies of these reports without making them part of
the Reliability Rules.
Response: The SDT thanks you for your comment. The SDT will bring this request to the attention of the SC for consideration as
this request is beyond the scope of work identified in this project.
LG&E and KU Services
The Violation Severity Level for Requirement R2 should be revised to read “...hours
after recognizing an event requiring reporting...” This will make the language in the
VSL consistent with the language in Attachment 1.
Response: The SDT thanks you for your comment. The VSLs have been reviewed and revised based upon the revisions to the
requirements.
SPP Standards Review Group
The VRF for R1 is Lower which is fine. The issue is that R4, which is the review of the
plan contained in R1, has a Medium VRF. We recommend moving the VRF of R4 to
Lower. We recommend deleting the phrase ‘...supplemented by operator logs or
other operating documentation...’ as found in the first sentence of M2. A much
clearer reference is made to operator logs and other operating documentation in the
second sentence. The duplication is unnecessary. What will happen with the
accompanying information contained in the Background section in the draft
standard? Will it be moved to the Guideline and Technical Basis at the end of the
standard as the information contained in the text boxes? This is valuable information
and should not be lost.
Response: The SDT thanks you for your comment. The SDT has revised the requirements and R4 has been deleted along with its
VRF/VSL. The background has been moved to the Guidelines and Technical Basis section.
Utility Services
There are no other comments at this time.
Response: The SDT thanks you for your participation.
Dynegy Inc.
Use of the term "Part x.x" throughout the Standard is somewhat confusing. I can't
recall other Standards using that type of term. Suggest using the term
"Requirement" instead.
Response: The SDT thanks you for your comment. The standard has been rewritten and revised in accordance with your
suggestion.
Central Lincoln
We agree with the comments provided by both PNGC and APPA.
Response: The SDT thanks you for your comment. Please review the responses to those commenters.
PNGC Comment Group
We appreciate the hard work of the SDT.
Response: The SDT thanks you for your support.
PPL Corporation NERC
Registered Affiliates
We appreciate the inclusion of the Process Flowchart on Page 9 of the draft standard.
We submit for your consideration, removing the line from the NO decision box to the
‘Report Event to ERO, Reliability Coordinator’ box. It seems if the event does not
need reporting per the decision box, this line is not needed. The decision box on
‘Report to Law Enforcement ?’ does not have a Yes or No. Perhaps, this decision box
is misplaced, or is it intended to occur always and not have a different path with
different actions? I.e., should it be a process box? Thank you for your work on this
standard.
PPL Electric Utilities
We appreciate the inclusion of the Process Flowchart on Page 9 of the draft standard.
We submit for your consideration, removing the line from the NO decision box to the
‘Report Event to ERO, Reliability Coordinator’ box. It seems if the event does not
need reporting per the decision box, this line is not needed. For clarity in needed
actions, please consider using a decision box following flowcharting standards such
as, a decision box containing a question with a Yes and a No path. The decision box
on ‘Report to Law Enforcement ?’ does not have a Yes or No. Perhaps, this decision
box is misplaced, or is it intended to occur always and not have a different path with
different actions? I.e., should it be a process box? Thank you for your work on this
standard.
Response: The SDT thanks you for your comment. The flowchart was provided as an example and guidance for entities to use if
they so choose. Entities can elect to create their own flowchart based upon their needs.
Independent Electricity
System Operator
We do not agree with the MEDIUM VRF assigned to Requirement R4. R4 stipulates a
requirement to conduct an annual review of the event reporting Operating Plan in
Requirement R1, which itself is assigned a VRF of LOWER. We are unable to
rationalize why a subsequent review of a plan should have a higher reliability risk
impact than the development of the plan itself. Hypothetically, if an entity doesn’t
develop a plan to begin with, then it will be assigned a LOWER VRF, and the entity will
have no plan to review annually and hence it will not be deemed non-compliant with
requirement R4. The entity can avoid being assessed violating a requirement with a
MEDIUM VRF by not having the plan to begin with, for which the entity will be
assessed violating a requirement with a LOWER VRF. We suggest changing the R4
VRF to LOWER.
Response: The SDT thanks you for your comment. The SDT has revised the requirements and R4 has been deleted along with its
VRF/VSL.
SMUD & BANC
We feel issues were addressed, but still have concern with ‘damage’. We certainly
support that any ‘destruction’ of a facility that meets any of the three criteria be a
reportable issue. But ‘damage’, if it’s going to be included should have some
objective definition that sets a floor. Much like the copper theft issue, we don’t see
the benefit of reporting plain vandalism (gun-shot insulators results from actual or
suspected intentional human action) to NERC unless the ‘damage’ has some tangible
impact on the reliability of the system or are acts of an orchestrated sabotage (i.e.
removal of bolt in a transmission structure).
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,” with the
exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities within this
column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based on
currently enforced Reliability Standards, FERC directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per R1) the situational awareness that the
electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT removed all language under “Entity with Reporting Responsibility,” with the exception of entity(s) that are required to
report an applicable event. The SDT removed this language so the entities within this column are clearly stated and identified.
Under the “Threshold for Reporting” column, a bright line was updated based on currently enforced Reliability Standards, FERC
directives and industry comments to state;
Damage or destruction of its Facility that results from actual or suspected intentional human action.
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours, this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
ISO New England Inc
We request that the SDT post the following Alternative Proposal for Industry
comments as required by the Standards Process to obtain Industry consensus and as
permitted by FERC: An equally effective alternative is to withdraw this standard and
to make the contents of the SDT’s posted standard a NERC Guideline.
a. This alternative is more in line with new NERC and FERC proposals
b. This alternative retains the reporting format
Comments
1. The FERC Order 693 directives regarding “sabotage” have already been addressed by the SDT (i.e. the concept was found outside the scope of NERC standards)
2. Current Industry actions already address the needs cited in the Order:
a. Approved Reporting Processes already exists
i. The Operating Committee’s Event Analysis Process
ii. Alert Reporting
b. The Data already exists
i. Reliability Coordinators Information System (which creates hundred if not thousands of “reports” per year)
ii. The DOE’s OE 417 Report itself provides part of the FERC discussed data
3. The proposed standard is not supportive of Gerry Cauley’s performance based standard initiative or of FERC’s offer to reduce procedural standards
a. The proposed requirement is a process not an outcome
i. The proposal is more focused on reporting and could divert the attention of reliability entities from addressing a situation to collecting data for a report
b. The proposed “events” are subjective and if followed will create an unmanageable burden on NERC staff
i. Reporting “damage” to facilities can be interpreted as anything from a dent in a generator to the total destruction of a transformer
ii. The reporting requirements on all applicable entities will create more questions about differences between the reports of the various entities - rather than leading to conclusions about patterns among events that indicate a global threat
iii. Reporting any “physical threat” is too vague and subjective
iv. Reporting “damage to a facility that affects an IROL” is subjective and can be seen to require reporting of damage on every facility in an interconnected area.
v. Reporting “Partial loss of monitoring” is a data quality issue that can be anything from the loss of a single data point to the loss of an entire SCADA system
vi. Testing the filling out of a Report does not make it easier to fill out the report later (moreover the reporting is already done often enough - see 2.b.i)
c. The proposed requirements will create a disincentive to improving current Reporting practices (the more an entity designs into its own system the more it will be expected to do and the more likely it will be penalized for failing to comply)
i. Annual reviews of the reporting practices fall into the same category, why have a detailed process to review when a simple one will suffice?
4. The proposed standard does not provide a feedback loop to either the data suppliers or to potentially impacted functional entities
a. If the “wide area” data analysis indicates a threat, there is no requirement to inform the impacted entities
b. As a BES reliability issue there is no performance indicators or metrics to show the value of this standard
i. We recognize that specific incidents cannot be identified but if this is to be a reliability standard some information must be provided. A Guideline could be designed to address this concern.
5. The proposed standard is not consistent with NERC’s new Risk Based Compliance Monitoring.
a. The performance based action to report on defined events, as required in R2, could be
considered a valid requirement. However we have concerns as noted in Bullet 3
above. The requirements laid out in R1, R3 and R4 are specific controls to ensure that
the proposed requirement to report (R2) is carried out. NERC is moving in the
direction to assess entities’ controls, outside of the compliance enforcement arm.
The industry is being informed that NERC Audit staff will conduct compliance audits
based on the controls that the entity has implemented to ensure compliance. We are
interested in supporting this effort and making it successful. However, if this is the
direction NERC is moving, we should not be making controls part of a compliance
requirement. The only requirement proposed in this standard that is not a control is
R2.
6. For FERC-jurisdictional entities, NERC does not need to duplicate the
enforcement of reporting already imposed by the DOE. DOE-417 is a well established
process that has regulatory obligations. NERC enforcement of reporting would be
redundant. NERC has the ability to request copies of these reports without making
them part of the Reliability Rules.
Response: The SDT thanks you for your comment. The SDT will bring this request to the attention of the SC for consideration as
this request is beyond the scope of work identified in this project.
Brazos Electric Power Cooperative
We thank the work of the SDT on this project. However, additional improvements
should be made as described in the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. Please review the responses to that commenter.
FirstEnergy
While FE voted affirmative on this draft, upon further review we request clarification
be made in the next draft of the standard regarding the applicability of the Nuclear
Generator Operator. Per FE's previous comments, nuclear generator operators
already have specific regulatory requirements to notify the NRC for certain
notifications to other governmental agencies in accordance with 10 CFR
50.72(b)(s)(xi). We had asked that the SDT contact the NRC about this project to
ensure that existing communication and reporting that a licensee is required to
perform in response to a radiological sabotage event (as defined by the NRC) or any
incident that has impacted or has the potential to impact the BES does not create
either duplicate reporting, conflicting reporting thresholds or confusion on the part of
the nuclear generator operator. In addition, EOP-004 must acknowledge that there
may be NRC reporting forms that have the equivalent information contained in their
Attachment 2. For what the NRC considers a Reportable Event, Nuclear plants are
required to fill out NRC form 361 and/or form 366. We do not agree with the
drafting team's response to ours and Exelon's comments that "The NRC does not fall
under the jurisdiction of NERC and so therefore it is not within scope of this project."
While the statement is correct, we believe that requirements should not conflict with
or duplicate other regulatory requirements. We remain concerned that the standard
with regard to Nuclear GOP applicability causes duplicative regulatory reporting with
existing reporting requirements of the NRC. Therefore, we ask:
1. That NERC and the drafting team please investigate these issues further and revise the standard to
clarify the scope for nuclear GOPs, and
2. For any reporting deemed in the scope for nuclear GOP after NERC's and the SDT's investigation per our request in #1 above,
that the SDT consider the ability to utilize information from NRC reports as meeting
the EOP-004-2 requirements similar to the allowance of using the DOE form as
presently proposed.
Response: The SDT thanks you for your comment. The SDT team does not believe that reporting under EOP-004 can in any way
‘conflict’ with any other reporting obligations that nuclear or any other type of GO/GOP may have. By allowing applicable entities
to use the OE-417 form, the drafting team believes it has given industry reasonable accommodation to reduce duplicative
reporting. The same is true for other agencies as well. If an entity submits to NERC the same that was submitted to the other
regulatory agency, then this submission will be acceptable. Based on the historical frequency with which GO/GOPs report under
the current EOP-004-1 the drafting team does not believe this places an inordinate burden on the applicable entities.
American Electric Power
While we do not necessarily disagree with modifying this standard, we do have
serious concerns with the possibility that Form OE-417 form would not also be
modified to match any changes made to this standard. To the degree they would be
different, this would create unnecessary confusion and burden on operators.
While we appreciate the point raised, the SDT does not have any authority with regard
to the language contained within the DOE OE-417 form. The Department of Energy
is responsible for the design and contents of the 417 form. As a part of the SDT’s
work in this proposal, we met with and collaborated with the DOE staff responsible
for the 417 form to establish a common understanding of reportable events. We hope
that if the DOE desires to make further changes, they will pass along information
for consideration in a future NERC SAR.
If CIP-008 is now out of scope within the requirements of this standard, the task
“reportable Cyber Security Incident” should be removed from Attachment 2.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
Response: The SDT thanks you for your comment.
Progress Energy
Within attachment 1 (Reportable Events) an exclusion is allowed for weather related
threats. PGN recommends a more generic approach to include natural events such as
forest fires, sink holes, etc. This would alleviate some reporting burdens in areas that
are prone to these types of events.
Response: The SDT thanks you for your comment. The SDT has revised the language in accordance with your suggestion to
“weather or natural disaster related threats”.
Xcel Energy
Xcel Energy appreciates the work of the drafting team and believes the current draft
is an improvement over the existing standard. However, we would like to see the
comments provided here and above addressed prior to submitting an AFFIRMATIVE
vote.
1) Suggest enhancing the “Example of Reporting Process...” flowchart as follows:
EVENT > Refer to Ops Plan for Event Reporting > Refer to Law Enforcement? > Yes/No
> ....
The SDT has provided the flowchart as an example and guidance for entities.
Entities can choose to create their own version of the flowchart for use in their
Operating Plan.
2) Attachment 1 - in both the 1 hour and the 24 hour reporting they are qualified
with “within x hours of recognition of the event”. Is this the intent, so that if an entity
recognizes at some point after an event that the time clock starts?
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
The SDT envisions when the entity is made aware of an applicable event contained
in Attachment 1, that they would report the event within 24 hours. Any entity
could enhance their Operating Plan to describe as much detail as they wanted to
provide to their employees as they see fit.
3) VSLs - R3 & R4 “Severe” should remove the “OR....”, as this is redundant. Once an
entity has exceeded the 3 calendar months, the Severe VSL is triggered.
The SDT has revised the requirements and accordingly the VSLs.
4) The Guideline and Technical Basis page 22 should be corrected to read “The
changes do not include any real-time operating notifications for the types of events
covered by CIP-001 and EOP-004. The real-time reporting requirements are achieved
through the RCIS and are covered in other standards (e.g. EOP-002-Capacity and
Energy Emergencies). These standards deal exclusively with after-the-fact reporting.”
Response: Thank you for the grammatical correction.
5) Also in the following section of the Guideline and Technical Basis (page 23) the
third bullet item should be qualified to exclude copper theft: Examples of such events
include:
o Bolts removed from transmission line structures
o Detection of cyber intrusion that meets criteria of CIP-008-3 or its successor standard
o Forced intrusion attempt at a substation (excluding copper theft)
o Train derailment near a transmission right-of-way
o Destruction of Bulk Electric System equipment
Response: Thank you for the correction; however, as a result of other changes
made to the standard, the SDT is proposing to remove the third bulleted item from
this list.
Response: The SDT thanks you for your comment.
Edison Mission Marketing &
Trading, Inc.
No
Idaho Power Co.
No
Arizona Public Service
Company
None
END OF REPORT
Consideration of Comments
Project 2009-01 Disturbance Sabotage and Reporting
The Project 2009-01 Drafting Team thanks all commenters who submitted comments on Draft 5 of
EOP-004-2. The standard was posted for a 30-day public comment period from August 29, through
September 27, 2012. Stakeholders were asked to provide feedback on the standard and associated
documents through a special electronic comment form. There were 56 sets of comments, including
comments from approximately 181 different people from approximately 125 companies, representing
9 of the 10 Industry Segments as shown in the table on the following pages.
All comments submitted may be reviewed in their original format on the standard’s project page.
If you feel that your comment has been overlooked, please let us know immediately. Our goal is to give
every comment serious consideration in this process! If you feel there has been an error or omission,
you can contact the Vice President and Director of Standards, Mark Lauby, at 404-446-2560 or at
mark.lauby@nerc.net. In addition, there is a NERC Reliability Standards Appeals Process.¹
¹ The appeals process is in the Standard Processes Manual: http://www.nerc.com/files/Appendix_3A_StandardsProcessesManual_20120131.pdf
Summary Consideration:
The Disturbance and Sabotage Reporting standard drafting team has opted to pursue a recirculation
ballot for EOP-004-2 after making a few clarifications to the Guidelines and Technical Basis section to
address stakeholder concerns raised during the second successive ballot:
• Distribution Providers – Some concerns were raised with respect to applicability of the standard to
all Distribution Providers. The concerns relate to DPs that do not own BES Facilities. While these
entities would not have any events to report under R2, they would still be applicable under R1 and
R3. The team discussed this issue and has addressed this concern with additional language in the
Guidelines and Technical Basis Section of the standard as follows:
“Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this
standard. The team realizes that not all DPs will own BES Facilities and will not meet the
“Threshold for Reporting” for any event listed in Attachment 1. These DPs will not have
any reports to submit under Requirement R2. However, these DPs will be responsible
for meeting Requirements R1 and R3. The DSR SDT does not intend for these entities to
have a detailed Operating Plan to address events that are not applicable to them. In this
instance, the DSR SDT intends for the DP to have a very simple Operating Plan that
includes a statement that there are no applicable events in Attachment 1 (to meet R1)
and that the DP will review the list of events in Attachment 1 each year (to meet R3).
The team does not think this will be a burden on any entity as the development and
annual validation of the Operating Plan should not take more than 30 minutes on an
annual basis. If a DP discovers applicable events during the annual review, it is expected
that the DP will develop a more detailed Operating Plan to comply with the
requirements of the standard.”
• Duplicative Reporting – If an entity is registered as an RC, BA and TOP, they should only have to
submit a single report. The team discussed and has addressed this concern with additional
language in the Guidelines and Technical Basis Section of the standard as follows:
“Multiple Reports for a Single Organization
For entities that have multiple registrations, the DSR SDT intends that these entities will
only have to submit one report for any individual event. For example, if an entity is
registered as a Reliability Coordinator, Balancing Authority and Transmission Operator,
the entity would only submit one report for a particular event rather than submitting three
reports as each individual registered entity.”
With regards to the concern regarding multiple entities submitting a report for the same event, the
team does not see this as being an issue for industry and will not make any further revisions to
address this.
Other issues were raised by stakeholders and a discussion of those is below:
• 24 Hour Reporting – Several stakeholders had concerns regarding the 24 hour reporting
requirement. Commenters suggest that events or situations affecting real time reliability to the
system already are required to be reported to appropriate Functional Entities that have the
responsibility to take action. Adding one more responsibility to system operators increases the
operator’s burden, which reduces the operator’s effectiveness when operating the system. Care
should be given when placing additional responsibility on the system operators. Allowing reporting
at the end of the next business day gives operators the flexibility to allow support staff to assist
with after-the-fact reporting requirements. To this end, the DSR SDT has added clarifying language
to R2 as follows:
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours
of recognition of meeting an event type threshold for reporting or by the end of the next
business day if the event occurs on a weekend (which is recognized to be 4 PM local
time on Friday to 8 AM Monday local time). [Violation Risk Factor: Medium] [Time
Horizon: Operations Assessment]
• Paragraph 81 – On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and
in paragraph 81 of that order (“P81”), invited NERC and other entities to propose to remove from
Commission-approved Reliability Standards unnecessary or redundant requirements. In response
to P81 and the Commission’s request for comments to be coordinated, during June and July 2012,
various industry stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions
jointly discussed consensus criteria and an initial list of Reliability Standard requirements that
appeared to easily satisfy the criteria, and, thus, could be retired. In Phase 1 of the Paragraph 81
effort, only two of the requirements (in total) from CIP-001 and EOP-004 met the initial threshold
for being included in the P81 Project. Both of these requirements will also be retired by EOP-004-2.
Phase 2 of the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any
modifications to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC
Reliability Standards. If EOP-004-2 is not approved by the industry, those standards will remain as
is and subject to the Compliance Monitoring and Enforcement Program.
• Reporting – Some comments were submitted regarding the reporting burden of this standard. The
revised standard combines two standards into one and removes the analysis portion of the current
mandatory and enforceable standards (EOP-004-1 and CIP-001-2a). The analysis provisions will be
addressed in the NERC Events Analysis Program upon approval of EOP-004-2. This revised standard
involves notification only and does not require any investigation or analysis.
• Attachment 1 comments – Many suggestions were made regarding the language of certain events
listed in Attachment 1. Most of these comments are about a single event type and were made by
only one stakeholder. The team has reviewed all of these comments. In several cases, the same or
a similar suggestion was made on an earlier draft, and the team considered it at that time. The SDT
believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
• Violation Risk Factors – Many stakeholders had concerns with the VRFs for R2 and R3 being
assigned as “medium”. The SDT developed the VRFs based on existing, FERC Approved VRFs and
NERC Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and
EOP-004-1. Each requirement in CIP-001-2a is assigned a “Medium” VRF. The requirements of
CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating Plan (EOP-004-2, R1) merits a
“Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower
the bar” on an existing VRF per NERC and FERC guidelines. Further, since R3 requires validation of
the contact information in the Operating Plan, it is also assigned a “Medium” VRF.
• Violation Severity Levels – Other stakeholders suggested revising the VSLs for Requirement R1
based on whether the event reporting Operating Plan fails to include one or more of the event types listed
in Attachment 1. The SDT agrees and has revised the VSLs for R1 as follows:
Lower: The Responsible Entity had an Operating Plan, but failed to include one
applicable event type.
Moderate: The Responsible Entity had an Operating Plan, but failed to include two
applicable event types.
High: The Responsible Entity had an Operating Plan, but failed to include three
applicable event types.
Severe: The Responsible Entity had an Operating Plan, but failed to include four or more
applicable event types OR the Responsible Entity failed to have an event reporting
Operating Plan.
Consideration of Comments: Project 2009-01
Index to Questions, Comments, and Responses
1. The DSR SDT has revised EOP-004-2 by combining Requirements R3 and R4 into a single
requirement (Requirement R3) to, “… validate all contact information contained in the Operating
Plan pursuant to Requirement R1 each calendar year.” Do you agree with this revision? If not,
please explain in the comment area below.
2. The DSR SDT has revised the VSLs to reflect the language in the revised requirements. Do you
agree with the proposed VRFs and VSLs? If not, please explain in the comment area below.
3. Do you have any other comment, not expressed in the questions above, for the DSR SDT?
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Group/Individual | Commenter | Organization | Registered Ballot Body Segment (1–10)
1. Group | Guy Zito | Northeast Power Coordinating Council
    Additional Member | Additional Organization | Region | Segment Selection
    1. Alan Adamson | New York State Reliability Council, LLC | NPCC | 10
    2. Carmen Agavriloai | Independent Electricity System Operator | NPCC | 2
    3. Greg Campoli | New York Independent System Operator | NPCC | 2
    4. Sylvain Clermont | Hydro-Quebec TransEnergie | NPCC | 1
    5. Chris de Graffenried | Consolidated Edison Co. of New York, Inc. | NPCC | 1
    6. Gerry Dunbar | Northeast Power Coordinating Council | NPCC | 10
    7. Mike Garton | Dominion Resources Services, Inc. | NPCC | 5
    8. Kathleen Goodman | ISO - New England | NPCC | 2
    9. Michael Jones | National Grid | NPCC | 1
    10. David Kiguel | Hydro One Networks Inc. | NPCC | 1
    11. Michael Lombardi | Northeast Utilities | NPCC | 1
    12. Randy MacDonald | New Brunswick Power Transmission | NPCC | 9
    13. Bruce Metruck | New York Power Authority | NPCC | 6
    14. Silvia Parada Mitchell | NextEra Energy, LLC | NPCC | 5
    15. Lee Pedowicz | Northeast Power Coordinating Council | NPCC | 10
    16. Robert Pellegrini | The United Illuminating Company | NPCC | 1
    17. Si-Truc Phan | Hydro-Quebec TransEnergie | NPCC | 1
    18. David Ramkalawan | Ontario Power Generation, Inc. | NPCC | 5
    19. Brian Robinson | Utility Services | NPCC | 8
    20. Michael Schiavone | National Grid | NPCC | 1
    21. Wayne Sipperly | New York Power Authority | NPCC | 5
    22. Donald Weaver | New Brunswick System Operator | NPCC | 2
    23. Ben Wu | Orange and Rockland Utilities | NPCC | 1
    24. Peter Yost | Consolidated Edison Co. of New York, Inc. | NPCC | 3
2. Group | Ron Sporseen | PNGC Comment Group
    Additional Member | Additional Organization | Region | Segment Selection
    1. Joe Jarvis | Blachly-Lane Electric Cooperative | WECC | 3
    2. Dave Markham | Central Electric Cooperative | WECC | 3
    3. Dave Hagen | Clearwater Power Company | WECC | 3
    4. Roman Gillen | Consumer's Power Inc. | WECC | 1, 3
    5. Roger Meader | Coos-Curry Electric Cooperative | WECC | 3
    6. Bryan Case | Fall River Electric Cooperative | WECC | 3
    7. Rick Crinklaw | Lane Electric Cooperative | WECC | 3
    8. Annie Terracciano | Northern Lights Inc. | WECC | 3
    9. Aleka Scott | PNGC Power | WECC | 4
    10. Heber Carpenter | Raft River Electric Cooperative | WECC | 3
    11. Steve Eldrige | Umatilla Electric Cooperative | WECC | 1, 3
    12. Marc Farmer | West Oregon Electric Cooperative | WECC | 4
    13. Margaret Ryan | PNGC Power | WECC | 8
    14. Rick Paschall | PNGC Power | WECC | 3
3. Group | Greg Rowland | Duke Energy
    Additional Member | Additional Organization | Region | Segment Selection
    1. Doug Hils | Duke Energy | RFC | 1
    2. Lee Schuster | Duke Energy | FRCC | 3
    3. Dale Goodwine | Duke Energy | SERC | 5
    4. Greg Cecil | Duke Energy | RFC | 6
4. Group | Chang Choi | Tacoma Public Utilities
    Additional Member | Additional Organization | Region | Segment Selection
    1. Chang Choi | City of Tacoma | WECC | 1
    2. Travis Metcalfe | Tacoma Public Utilities | WECC | 3
    3. Keith Morisette | Tacoma Public Utilities | WECC | 4
    4. Chris Mattson | Tacoma Power | WECC | 5
    5. Michael Hill | Tacoma Public Utilities | WECC | 6
5. Group | Alexander Eizans | Detroit Edison
    Additional Member | Additional Organization | Region | Segment Selection
    1. Kent Kujala | | RFC | 3, 4, 5
    2. Barbara Holland | | RFC | 3, 4, 5
    3. Jeffrey DePriest | | RFC | 3, 4, 5
6. Group | Gerry Beckerle | SERC OC Standards Review Group
    Additional Member | Additional Organization | Region | Segment Selection
    1. Roger Powers | City of Springfield, IL - CWLP | SERC | 1, 3
    2. Dan Roethemeyer | Dynegy | SERC | 5
    3. Melinda Montgomery | Entergy | SERC | 1, 3, 6
    4. Terry Bilke | MISO | SERC | 2
    5. Scott Brame | NCEMC | SERC | 4, 1, 3, 5
    6. William Berry | OMU | SERC | 3, 5
    7. Tim Hattaway | PowerSouth | SERC | 1, 5
    8. Brett Koelsch | Progress Energy Carolinas | SERC | 1, 3, 5, 6
    9. Vicky Budreau | SCPSA | SERC | 1, 3, 5, 6
    10. Gary Hutson | SMEPA | SERC | 1, 3, 5, 6
    11. Marsha Morgan | Southern Co. Services | SERC | 1, 5
    12. Randy Hubbert | Southern Co. Services | SERC | 1, 5
    13. Joel Wise | TVA | SERC | 1, 3, 5, 6
    14. Stuart Goza | TVA | SERC | 1, 3, 5, 6
    15. Jim Case | Entergy | SERC | 1, 3, 6
    16. Mike Bryson | PJM | SERC | 2
    17. Mike Hirst | Cogentrix | SERC | 5
7. Group | Larry Raczkowski | FirstEnergy
    Additional Member | Additional Organization | Region | Segment Selection
    1. William J Smith | FirstEnergy Corp | RFC | 1
    2. Stephan Kern | FirstEnergy Energy Delivery | RFC | 3
    3. Douglas Hohlbaugh | Ohio Edison Company | RFC | 4
    4. Kenneth Dresner | FirstEnergy Solutions | RFC | 5
    5. Kevin Querry | FirstEnergy Solutions | RFC | 6
8. Group | Mike Garton | Dominion
    Additional Member | Additional Organization | Region | Segment Selection
    1. Louis Slade | Dominion Resources Services, Inc. | RFC | 5, 6
    2. Randi Heise | Dominion Resources Services, Inc. | MRO | 5, 6
    3. Connie Lowe | Dominion Resources Services, Inc. | NPCC | 5, 6
    4. Mike Crowley | Virginia Electric and Power Company | SERC | 1, 3, 5, 6
9. Group | WILL SMITH | MRO NSRF
    Additional Member | Additional Organization | Region | Segment Selection
    1. CHUCK LAWRENCE | ATC | MRO | 1
    2. TOM BREENE | WPS | MRO | 3, 4, 5, 6
    3. JODI JENSON | WAPA | MRO | 1, 6
    4. KEN GOLDSMITH | ALTW | MRO | 4
    5. ALICE IRELAND | XCEL/NSP | MRO | 1, 3, 5, 6
    6. DAVE RUDOLPH | BEPC | MRO | 1, 3, 5, 6
    7. ERIC RUSKAMP | LES | MRO | 1, 3, 5, 6
    8. JOE DEPOORTER | MGE | MRO | 3, 4, 5, 6
    9. SCOTT NICKELS | RPU | MRO | 4
    10. TERRY HARBOUR | MEC | MRO | 1, 3, 5, 6
    11. MARIE KNOX | MISO | MRO | 2
    12. LEE KITTELSON | OTP | MRO | 1, 3, 5
    13. SCOTT BOS | MPW | MRO | 1, 3, 5
    14. TONY EDDLEMAN | NPPD | MRO | 1, 3, 5
    15. MIKE BRYTOWSKI | GRE | MRO | 1, 3, 5, 6
    16. DAN INMAN | MPC | MRO | 1, 3, 5, 6
10. Group | Chris Higgins | Bonneville Power Administration
    Additional Member | Additional Organization | Region | Segment Selection
    1. Jim Burns | BPA, Technical Operations | WECC | 1
    2. Fran Halpin | BPA, Duty Scheduling | WECC | 5
    3. Erika Doot | BPA, Generation Support | WECC | 3, 5, 6
    4. John Wylder | BPA, Transmission | WECC | 1
    5. Deanna Phillips | BPA, FERC Compliance | WECC | 1, 3, 5, 6
    6. Russell Funk | BPA, Transmission | WECC | 1
11. Group | Robert Rhodes | SPP Standards Review Group
    Additional Member | Additional Organization | Region | Segment Selection
    1. John Allen | City Utilities of Springfield | SPP | 1, 4
    2. Doug Callison | Grand River Dam Authority | SPP | 1, 3, 5
    3. Jonathan Hayes | Southwest Power Pool | SPP | 2
    4. Bo Jones | Westar Energy | SPP | 1, 3, 5, 6
    5. Allen Klassen | Westar Energy | SPP | 1, 3, 5, 6
    6. Tiffany Lake | Westar Energy | SPP | 1, 3, 5, 6
    7. Tara Lightner | Sunflower Electric Power Corporation | SPP | 1
    8. Kyle McMenamin | Xcel Energy | SPP | 1, 3, 5, 6
    9. Jerry McVey | Sunflower Electric Power Corporation | SPP | 1
    10. Fred Meyer | Empire District Electric Company | SPP | 1
    11. Terri Pyle | Oklahoma Gas & Electric Company | SPP | 1, 3, 5
    12. Don Schmit | Nebraska Public Power District | MRO | 1, 3, 5
    13. Katie Shea | Westar Energy | SPP | 1, 3, 5, 6
    14. Sean Simpson | Board of Public Utilities, City of McPherson | SPP | NA
    15. Bryan Taggart | Westar Energy | SPP | 1, 3, 5, 6
    16. Mark Wurm | Board of Public Utilities, City of McPherson | SPP | NA
12. Group | Jason Marshall | ACES Power Marketing Standards Collaborators
    Additional Member | Additional Organization | Region | Segment Selection
    1. Susan Sosbe | Wabash Valley Power Association | RFC | 3
    2. Clem Cassmeyer | Western Farmers Electric Cooperative | SPP | 1, 5
    3. Megan Wagner | Sunflower Electric Power Corporation | SPP | 1
    4. Scott Brame | North Carolina Electric Membership Corporation | SERC | 1, 3, 4, 5
    5. Bob Solomon | Hoosier Energy | RFC | 1
    6. Robert Thomasson | Big Rivers Electric Corporation | SERC |
    7. Shari Heino | Brazos Electric Power Cooperative | ERCOT | 1, 5
    8. John Shaver | Arizona Electric Power Cooperative | WECC | 4, 5
    9. John Shaver | Southwest Transmission Cooperative | WECC | 1
    10. Mohan Sachdeva | Buckeye Power | RFC | 3, 4
    11. Michael Brytowski | Great River Energy | MRO | 1, 3, 5, 6
13. Individual | Janet Smith, Regulatory Affairs Supervisor | Arizona Public Service Company
14. Individual | Emily Pennel | Southwest Power Pool Regional Entity
15. Individual | Antonio Grayson | Southern Company
16. Individual | Daniela Hammons | CenterPoint Energy
17. Individual | Lee Layton | Blue Ridge EMC
18. Individual | Anthony Jablonski | ReliabilityFirst
19. Individual | Jonathan Appelbaum | The United Illuminating Company
20. Individual | Russ Schneider | Flathead Electric Cooperative, Inc.
21. Individual | Oliver Burke | Entergy Services, Inc. (Transmission)
22. Individual | Nazra Gladu | Manitoba Hydro
23. Individual | Steve Grega | Lewis County PUD
24. Individual | Steve Alexanderson P.E. | Central Lincoln
25. Individual | Jack Stamper | Clark Public Utilities
26. Individual | Russell A. Noble | Cowlitz PUD
27. Individual | Chantel Haswell | Public Service Enterprise Group
28. Individual | Mike Hirst | Cogentrix Energy
29. Individual | Dave Willis | Idaho Power Co.
30. Individual | Michelle R D'Antuono | Ingleside Cogeneration LP
31. Individual | Howard Rulf | Wisconsin Electric Power company dba We Energies
32. Individual | Melissa Kurtz | US Army Corps of Engineers
33. Individual | David Jendras | Ameren Services
34. Individual | Michael Falvo | Independent Electricity System Operator
35. Individual | RoLynda Shumpert | South Carolina Electric and Gas
36. Individual | David Revill | Georgia Transmission Corporation
37. Individual | Andrew Gallo | City of Austin dba Austin Energy
38. Individual | Andrew Z. Pusztai | American Transmission Company
39. Individual | Don Schmit | Nebraska Public Power District
40. Individual | Terry Harbour | MidAmerican Energy
41. Individual | Kathleen Goodman | ISO New England Inc.
42. Individual | d mason | City and County of San Francisco - Hetch Hetchy Water and Power
43. Individual | Tracy Richardson | Springfield Utility Board
44. Individual | Rich Salgo | NV Energy
45. Individual | Thad Ness | American Electric Power
46. Individual | Charles Yeung | Southwest Power Pool RTO
47. Individual | Nathan Mitchell | American Public Power Association
48. Individual | Don Jones | Texas Reliability Entity
49. Individual | Christine Hasha | ERCOT
50. Individual | Denise M. Lietz | Puget Sound Energy Inc.
51. Individual | Maggy Powell | Exelon Corporation and its affiliates
52. Individual | Christina Bigelow | Midwest Independent Transmission System Operator, Inc.
53. Individual | Scott Berry | Indiana Municipal Power Agency
54. Individual | Darryl Curtis | Oncor Electric Delivery
55. Individual | Tony Kroskey | Brazos Electric Power Cooperative, Inc.
56. Individual | Alice Ireland | Xcel Energy
If you wish to express support for another entity’s comments without entering any additional comments, you may do so here.
Organization | Supporting Comments of “Entity Name”
PNGC Comment Group | Central Lincoln PUD
Blue Ridge EMC | R3 is another example of a "paper chase", creating (or rather continuing) an
administrative burden for the utility. The standard should only require that the entity
have a plan and the accountability should be "did the entity follow the plan when
needed, including proving that the appropriate contacts were made?"
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. Also, if the information in the plan is out of date, then the plan will not be effective.
Flathead Electric Cooperative, Inc. | Central Lincoln
US Army Corps of Engineers | MRO NSRF
Nebraska Public Power District | Midwest Reliability Organization (MRO) NERC Standards Review Forum (NSRF); AND Southwest Power Pool RTO
MidAmerican Energy | MidAmerican supports the MRO NSRF comments
ISO New England Inc. | NPCC
1. The DSR SDT has revised EOP-004-2 by combining Requirements R3 and R4 into a single requirement (Requirement R3) to, “…
validate all contact information contained in the Operating Plan pursuant to Requirement R1 each calendar year.” Do you agree
with this revision? If not, please explain in the comment area below.
Summary Consideration: The majority of stakeholders agree with the combination of R3 and R4 and with the new language of R3 to
“validate” the contact information. A few commenters suggested that Requirement R3 is administrative and should be removed
under the provisions of “Paragraph 81”. On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and in
paragraph 81 (“P81”) invited NERC and other entities to propose to remove from Commission-approved Reliability Standards
unnecessary or redundant requirements. In response to P81 and the Commission’s request for comments to be coordinated, during
June and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions jointly
discussed consensus criteria and an initial list of Reliability Standard requirements that appeared to easily satisfy the criteria, and,
thus, could be retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from CIP-001 and EOP-004 met
the initial threshold for being included in the P81 Project. Both of these requirements will also be retired by EOP-004-2. Phase 2 of
the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the industry, those standards will
remain as is and subject to the Compliance Monitoring and Enforcement Program.
Organization | Yes or No | Question 1 Comment
CenterPoint Energy | No | CenterPoint Energy supports the concept of combining Requirements R3
and R4; however, the Company still prefers an annual review requirement
which would include validating the contact information and content of
the Operating Plan overall. Therefore, CenterPoint Energy recommends
the following revised language for Requirement R3: “Each Responsible
Entity shall review and update the Operating Plan at least every 15
months.” The Company also suggests that the Measure be worded as
follows: “Evidence may include, but is not limited to dated documentation
reflecting changes to the Operating Plan including updated contact
information if necessary.”
Response: Thank you for your comment. The SDT appreciates the suggestion on validating the content of the Operating Plan, but
at this time, we feel that the step is not necessary to meet the directive from FERC Order 693. As to the comment on extending
the review period to 15 months, following much discussion and review of the industry comments, we are staying with the
language as proposed.
American Electric Power | No | In the spirit of Paragraph 81 efforts, we request the removal of R3 as it is
solely administrative in nature, existing only to support R2. This is more of
an internal control and does not appear to rise to the level of being an
industry-wide requirement. In addition, having two requirements rather
than one increases the likelihood of being found non-compliant for
multiple requirements rather than a single requirement.
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and in paragraph 81
(“P81”) invited NERC and other entities to propose to remove from Commission-approved Reliability Standards unnecessary or
redundant requirements. In response to P81 and the Commission’s request for comments to be coordinated, during June and July
2012, various industry stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions jointly discussed
consensus criteria and an initial list of Reliability Standard requirements that appeared to easily satisfy the criteria, and, thus,
could be retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from CIP-001 and EOP-004 met the
initial threshold for being included in the P81 Project. Both of these requirements will also be retired by EOP-004-2. Phase 2 of
the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a and
EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the industry, those
standards will remain as is and subject to the Compliance Monitoring and Enforcement Program. As the SDT is moving forward
with a Recirculation Ballot, your suggestions will be forwarded to NERC for future consideration.
City and County of San Francisco - Hetch Hetchy Water and Power | No | Measure M3 specifically identifies two types of acceptable compliance
evidence: Voice Recording and Log entries. Specifying only these two
forms of evidence creates a risk that some auditors will reject other forms
of R3 compliance evidence which are equally valid, such as emails or
written call records. Although M3 states that acceptable evidence is not
limited to Voice Recordings or Log Entries, we have concern that other
methods of complying with R3 may not be accepted.
Response: Thank you for your comment. The SDT believes that the phrase “may include, but are not limited to” addresses your
concern. The SDT will present your comment to the NERC Compliance staff in an effort to inform audit staffs on what evidence is
permissible.
Blue Ridge EMC | No | See previous comments
Response: Thank you for previous comments. Requirement R3 is in direct response to a FERC directive in Order 693 and as such,
the SDT included this provision. Also, if the information in the plan is out of date, then the plan will not be effective.
Detroit Edison | No | The requirement is too prescriptive and difficult to document.
Requirement should be for annual review of Operating Plan. This allows
for entity to review plan and document this the same as other Standards
that require annual review (i.e. annual review blocks on documents). The
requirement as written is vague and difficult to document. Annual review
of reporting process is already a requirement.
Response: Thank you for your comments. While the SDT appreciates the view that the Operating Plan should be reviewed
annually, the SDT feels that the requirement only needs to address the validity of the contact information contained within the
Operating Plan in order to meet the FERC directive in Order 693. If the entity is aware of changes within its operations that would
make a more extensive review advisable, it can choose to do so; but where there have been no significant changes to an entity’s
operations in the last year, ensuring the validity of the contact information should be sufficient.
Manitoba Hydro | No | This seems like an administrative only requirement. It would be too
difficult to validate or measure.
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. The measure calls for an entity to have “dated records to show that it validated all contact
information contained in the Operating Plan each calendar year. Such evidence may include, but are not limited to, dated voice
recordings and operating logs or other communication documentation.” The SDT does not believe that this is an administrative
requirement because, if the information in the Operating Plan is out of date, then the plan will not be effective.
ACES Power Marketing Standards Collaborators | No | We believe that the revision to R3 and elimination of R4 are great
improvements to the standard as a lot of the unnecessary burdens have
been removed. However, Requirement R3 is still not needed, has several
issues with it and should be eliminated. (1) While validating contact
information annually in a reporting plan makes sense, it does not rise to
the level of importance of requiring sanctions for failure to do so.
Furthermore, it does nothing to assure reliability. Shortly after the contact
information has been updated, it could change. This does not mean that
validation should be more frequent but simply that it is an unnecessary
administrative burden. If contact information changes, the registered
entity will have to find it. For reliability purposes, why does it matter if
they do this in the 24-hour reporting period after the event or annually
before the event? (2) Requirement R3 is administrative and is not
consistent with the recent direction that NERC and FERC have taken
toward compliance. Violations of this requirement are likely to be
candidates for FFT treatment and this is exactly the kind of requirement
that FERC invited NERC to propose for retirement in Paragraph 81 of the
order approving the FFT process. Furthermore, it appears to meet at least
two criteria (Administrative and periodic updates) that the Paragraph 81
drafting team has proposed to use to identify candidate requirements for
retirement. The requirement is also not consistent with the direction
NERC has taken on internal controls. How is an auditor reviewing that
contact information has been updated in an Operating Plan forward
looking or for that matter beneficial to reliability? Imagine a registered
entity fails to update their contact information but still reports an event
within the 24 hour reporting time frame to the appropriate parties. They
are in technical violation of R3 but have met the spirit of the standard. (3)
Requirement R3 is not a results-based requirement. It simply compels a
registered entity “how to” meet reporting deadlines. Certainly, if a
registered entity has current contact information on hand, it will be easier
to notify appropriate parties of events quickly. However, it does limit a
registered entity’s ability to identify its own unique and possibly better
way to meet a requirement. “How to” requirements prevent unique and
superior solutions.
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. The SDT does not believe that this is an administrative requirement because, if the information in the
Operating Plan is out of date, then the plan will not be effective.
On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and in paragraph 81 (“P81”) invited NERC and
other entities to propose to remove from Commission-approved Reliability Standards unnecessary or redundant requirements. In
response to P81 and the Commission’s request for comments to be coordinated, during June and July 2012, various industry
stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions jointly discussed consensus criteria and an
initial list of Reliability Standard requirements that appeared to easily satisfy the criteria, and, thus, could be retired. In Phase 1 of
the Paragraph 81 effort, only two of the requirements (in total) from CIP-001 and EOP-004 met the initial threshold for being
included in the P81 Project. Both of these requirements will also be retired by EOP-004-2. Phase 2 of the Paragraph 81 Project
will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory
and enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the industry, those standards will remain as is and
subject to the Compliance Monitoring and Enforcement Program. As the SDT is moving forward with a Recirculation Ballot, your
suggestions will be forwarded to NERC for future consideration.
NV Energy | No | Without further clarification of what is expected by "validate all contact
information" I cannot support this requirement. On the surface, "validate"
appears to be acceptable terminology, as it means to me a review of the
contact names and contact information (perhaps cell #, home phone, text
address, email address, etc) that would be evidenced through an
attestation of completion of review along with records showing the
updates made to the contact information pursuant to the review.
However, when the Measure is considered, it refers to evidence such as
operator logs, voice recordings, etc. This seems to indicate that the
expectation is that each contact is tested, by dialing, texting, emailing, etc
with some sort of confirmation that each contact was successful. If this is
what is necessary to satisfy the "validate" requirement, I believe it is
excessive, burdensome and unnecessary. I suggest modification of the
Measure language to clearly allow for an entity to demonstrate
compliance by a showing that it reviewed the contact information and
made changes as deemed necessary by its review, and to remove the
reference to operator logs and voice recordings as the evidence of
measure.
Response: Thank you for your comment. The SDT agrees with your comment and views your direction as being consistent with
the standard’s intent. The SDT will submit your comment to NERC Compliance staff for their consideration. The SDT intends for
operator logs and voice recordings to be acceptable as evidence, but not the only acceptable evidence. The use of the language
“such as” in the measure indicates this.
Bonneville Power Administration | Yes | BPA agrees with the revision and recognizes that it will involve a large
amount of validation workload for entities with a large footprint.
Response: Thank you for your comment.
Dominion | Yes | Dominion supports the combination of Requirements R3 and R4 into a
single requirement (Requirement R3), although we remain concerned that
validation requiring a phone call could be perceived as a nuisance by that
entity.
Response: Thank you for your comment. The SDT appreciates this concern but feels that the requirement is necessary to address
the FERC directive in the Order 693. The SDT does not believe that validation of the contact information will be a nuisance. If the
information in the Operating Plan is out of date, then the plan will not be effective.
Duke Energy | Yes | Duke Energy commends the excellent work of the Standard Drafting Team
in incorporating previous comments into the current posted draft of the
standard.
Response: Thank you for your comment.
ERCOT | Yes | ERCOT considers replacing R3 and R4 with the new R3 is an improvement
and we thank the drafting team for making the change.
Response: Thank you for your comment.
ReliabilityFirst | Yes | Even though ReliabilityFirst votes in the Affirmative, we offer the following
comment regarding Requirement R3 for consideration. ReliabilityFirst
recommends changing the word “validate” to “verify” in Requirement R3.
ReliabilityFirst believes not only does the entity need to validate contact
information is correct, they should verify (i.e. authenticate through test)
that the contact information is correct.
Response: Thank you for your comment. The SDT feels that the action you define is consistent with our intent.
Independent Electricity System Operator | Yes | IESO agrees that the intent of Requirement R3 to have the Registered
Entities validate the contact information in the contact lists that they may
have for the events applicable to them is achieved. IESO also agrees that
the elimination of conducting an annual test of the communications
process and review of the event reporting Operating Plan in merging the
previous R3 and R4 into this new R3 will give entities an opportunity to
develop a plan that suits its business needs.
Response: Thank you for your comment.
Indiana Municipal Power Agency | Yes | IMPA agrees with the removal of a “test” and going with a validation
requirement for the contact information in the Operating Plan.
Response: Thank you for your comment.
Ingleside Cogeneration LP
Yes
Ingleside Cogeneration believes that an annual validation of contact
information is sufficient for a reporting procedure. R2 provides sufficient
impetus for Responsible Entities to keep their Operating plan current - as a
missed report will lead to a violation. Furthermore, external agencies and
law enforcement officials will be reluctant to participate in validation
tests, as dozens of nearby BES entities will overwhelm them with such
requests.
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. If the information in the Operating Plan is out of date, then the plan will not be effective.
SPP Standards Review Group
Yes
We feel that replacing R3 and R4 with the new R3 is an improvement and
we thank the drafting team for making the change.
Response: Thank you for your support.
PNGC Comment Group
Yes
Tacoma Public Utilities
Yes
SERC OC Standards Review Group
Yes
FirstEnergy
Yes
MRO NSRF
Yes
Arizona Public Service Company
Yes
Southwest Power Pool Regional Entity
Yes
Southern Company
Yes
The United Illuminating Company
Yes
Entergy Services, Inc. (Transmission)
Yes
Lewis County PUD
Yes
Central Lincoln
Yes
Clark Public Utilities
Yes
Cowlitz PUD
Yes
Public Service Enterprise Group
Yes
Cogentrix Energy
Yes
Idaho Power Co.
Yes
Wisconsin Electric Power company dba We Energies
Yes
Ameren Services
Yes
South Carolina Electric and Gas
Yes
Georgia Transmission Corporation
Yes
City of Austin dba Austin Energy
Yes
American Transmission Company
Yes
MidAmerican Energy
Yes
Springfield Utility Board
Yes
Southwest Power Pool RTO
Yes
American Public Power Association
Yes
Texas Reliability Entity
Yes
Puget Sound Energy Inc.
Yes
Exelon Corporation and its affiliates
Yes
Midwest Independent Transmission System Operator, Inc.
Yes
Oncor Electric Delivery
Yes
Xcel Energy
Yes
2. The DSR SDT has revised the VSLs to reflect the language in the revised requirements. Do you agree with the proposed VRFs and
VSLs? If not, please explain in the comment area below.
Summary Consideration: Many stakeholders had concerns with the VRFs for R2 and R3 being assigned as “medium”. The SDT
developed the VRFs based on existing, FERC Approved VRFs and NERC Guidelines for establishment of VRFs. EOP-004-2 is a result of
merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a is assigned a “Medium” VRF. The requirements of CIP-001-2a
map to EOP-004-2 Requirements R1 and R2. Having an Operating Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of
events contained in the Operating Plan required under Requirement R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per NERC and FERC guidelines. Further, since R3 requires validation
of the contact information in the Operating Plan, it is also assigned a “Medium” VRF.
Other stakeholders suggested revision to the VSLs for Requirement R1 based on if the event reporting Operating Plan fails to include
one or more of the event types listed in Attachment 1. The SDT agrees and has added the following VSLs to R1, in addition to the
language that was previously included in the “Severe” VSL:
Lower: The Responsible Entity had an Operating Plan, but failed to include one applicable event type.
Moderate: The Responsible Entity had an Operating Plan, but failed to include two applicable event types.
High: The Responsible Entity had an Operating Plan, but failed to include three applicable event types.
Severe: The Responsible Entity had an Operating Plan, but failed to include four or more applicable event types.
Organization
Yes or No
Question 2 Comment
Detroit Edison
No
Under VSLs for R2- We disagree with the reporting time frames. Making the
time requirement as soon as 24 hours puts this reporting requirement on the
real time operators. Many of the situations listed in the EOP-004 attachment
are not included in the OE-417 report. The Unofficial Comment Form states the
reporting obligations serve to provide input to the NERC Event Analysis
Program. This program has removed the 24 hour reporting requirement and
changed it to 5 business days.
Response: Thank you for your comments. The reporting obligation under this standard is to provide notification of events to
NERC Situation Awareness group. The SDT, in consultation with the DOE and NERC Events Analysis group, has recognized
where there is duplication of reporting and provided for the common use of the different groups’ forms. This standard is not a
replacement or substitution for any other obligations to other agencies. However, the SDT recognizes the concern with having
real time operations staff submitting the report. To this end, the DSR SDT has added clarifying language to R2 as follows:
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours of meeting an event type threshold
for reporting or by the end of the next business day if the event occurs on a weekend (which is recognized to be 4 PM local
time on Friday to 8 AM Monday local time). [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
Texas Reliability Entity
No
(1) VSLs for R1 should have a lower level VSL if the event reporting Operating
Plan fails to include one or more of the event types listed in Attachment 1. (2)
VSL for R1 is incorrectly stated as there are no “parts” to R1.
Response: Thank you for your comment. 1) The SDT agrees and has added the following VSLs for R1, in addition to the language
that was previously included in the “Severe” VSL:
Lower: The Responsible Entity had an Operating Plan, but failed to include one applicable event type.
Moderate: The Responsible Entity had an Operating Plan, but failed to include two applicable event types.
High: The Responsible Entity had an Operating Plan, but failed to include three applicable event types.
Severe: The Responsible Entity had an Operating Plan, but failed to include four or more applicable event types.
2) This was correct in the clean version of the standard.
ACES Power Marketing Standards Collaborators
No
Because R3 is administrative, the VRF should be Lower. The requirement
simply compels that the registered entity update a document which is purely
administrative.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Bonneville Power Administration
No
BPA does not agree with the VRFs and VSLs. BPA believes that the violation
levels for administrative errors are too high. For more information, please
reference comments to question #3.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF. Please see the response to your question 3 comments.
CenterPoint Energy
No
CenterPoint Energy suggests that the phrase “which caused a negative impact
to the Bulk Electric System” be added to each Violation Severity Level. For
example, the wording would appear as follows: “The Responsible Entity
submitted an event report (e.g., written or verbal) to all required recipients
more than 24 hours but less than or equal to 36 hours after meeting an event
threshold for reporting which caused a negative impact to the Bulk Electric
System”. Additionally or alternatively, the Company proposes that the above
phrase be added to the Threshold(s) for Reporting in Attachment 1 to focus on
events that have an impact or effect on the Bulk Electric System.
Response: Thank you for your comment. The SDT does not believe such a change is necessary. Each event type listed is
applicable to BES reliability.
MidAmerican Energy
No
Change the VRFs / VSLs to match suggested changes in Question 3
Response: Thank you for your comment. The SDT followed the NERC guidelines for VSLs in setting the appropriate levels. Please
see the response to your question 3 comments.
The United Illuminating Company
No
Do not agree that the VRF for R3 is medium. Failure to Validate contact
information will not likely lead to instability and Cascade. Reporting under
EOP-004 is not an immediate action, and given a 24 hour reporting window a
proper contact point can be identified on-the-fly. R2 is properly identified as
the Medium VRF since a failure to report whether due to an improper
Operating plan or improper contact list may lead to a BES cascade.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Southwest Power Pool Regional Entity
No
In R2, SPP RE does not understand why the VSLs are based on who was or was
not contacted rather than when it was reported. An entity could decide to put
only two entities in its Event Reporting Operating Plan. If the entity fails to
submit an appropriate event report, it is open to a Severe VSL on the top set of
VSLs but only a moderate on the lower set of VSLs. This seems to be a
disconnect for applying the VSLs for the same facts and circumstances.
Response: Thank you for your comment. The SDT followed the NERC guidelines for VSLs in setting the appropriate levels. The
VSLs were written based on two potential failures to meet the requirement. The first is based on the time the report was
submitted while the second was based on the entity submitting the report within 24 hours but not to all applicable entities.
Midwest Independent Transmission System Operator, Inc.
No
MISO agrees with the comments submitted by the SERC Operating Committee
that the VRFs for R2 and R3 should be “Lower” instead of “Medium,” since
these are administrative requirements. MISO further respectfully suggests that
implementing another standard that requires reporting every incident
identified in a plan within 24 hours and that classifies failure to do so a
“Severe” violation, will likely cause entities to limit the scope of their plans.
NERC, therefore, would not receive information that appears unimportant to a
single entity but could be important in the context of similar events across the
country.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
The SDT does not agree with your second comment and believes that entities will report the appropriate events.
Oncor Electric Delivery
No
Oncor suggests the following additions to VSL language for R1 to align more
closely with the measures described in M1: Lower VSL - Entity has one applicable
event type not properly identified in its event reporting Operating Plan. High
VSL - Entity has more than one applicable event type not properly identified in
its event reporting Operating Plan. Severe VSL - The Responsible Entity failed to
have an event reporting Operating Plan.
Response: Thank you for your comment. Based on comments from you and others, we have added the following VSLs for R1, in
addition to the language that was previously included in the “Severe” VSL:
Lower: The Responsible Entity had an Operating Plan, but failed to include one applicable event type.
Moderate: The Responsible Entity had an Operating Plan, but failed to include two applicable event types.
High: The Responsible Entity had an Operating Plan, but failed to include three applicable event types.
Severe: The Responsible Entity had an Operating Plan, but failed to include four or more applicable event types.
Exelon Corporation and its affiliates
No
R2 VSLs - By measuring the amount of time taken to report and the number of
entities to receive the report, the VSLs track more with size and location than
with a failure to report. For instance, an entity failing to report at all to one
entity would be deemed a lower VSL while an entity reporting to many, but
failing to report to three entities would be deemed a high VSL.
R3 VSL - The severe VSLs do not seem commensurate to oversight. A three
month delay in validating that phone numbers are correct, for phone numbers
that are accurate, does not track with a severe infraction.
Response: Thank you for your comment. The SDT followed the NERC guidelines for VSLs in setting the appropriate levels. The SDT
will forward your suggestions to NERC for future consideration of the VSL language.
Blue Ridge EMC
No
R3 VSLs are silly.
Response: Thank you for your comment. The SDT followed the NERC guidelines for setting the appropriate VSLs.
Tacoma Public Utilities
No
Regarding the Severe VSL for R1, the reference to “Parts 1.1 and 1.2” appears
to be outdated. For R2, change “the Responsible Entity failed to submit an
event report...to X entity(ies) within 24 hours” to “the Responsible Entity failed
to submit an event report...to only X entity(ies) within 24 hours.” (Add ‘only.’)
Response: Thank you for your comment. The SDT agrees with your first suggestion and this was correct in the clean version of the
standard that was posted. Your second suggestion will be forwarded to NERC for future consideration.
SPP Standards Review Group
No
Since EOP-004 is about after-the-fact reporting, we suggest that all the VRFs be
Lower. This would mean lowering R2 and R3 from Medium.
The third component of the Severe VSL for R2 is more severe than the other
two components. In an attempt to be more consistent across all the VSLs, we
propose the following for the High VSL for R2: The Responsible Entity
submitted an event report (e.g., written or verbal) to all required recipients
more than 48 hours after meeting an event threshold for reporting. OR The
Responsible Entity failed to submit an event report (e.g., written or verbal) to
three or more entities identified in its event reporting Operating Plan within 24
hours. We propose the following, deleting the first two components as shown
in the current draft, for the Severe VSL for R2: The Responsible Entity failed to
submit a report for an event in EOP-004 Attachment 1.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
The VSLs were written to account for tardiness of reports, for failing to report to certain entities and for not submitting a report at
all. The investigators will apply the appropriate VSL based on the type of violation found.
ERCOT
No
Since EOP-004 is related to ex-post reporting, which has nothing to do with
operational or planning risk, this is an administrative requirement and,
accordingly, the VRFs should all be Low. This would mean lowering the VRF for
R2 and R3 to Low.
The third component of the Severe VSL for R2 is more severe than the other
two components. In an attempt to be more consistent across all the VSLs, we
propose the following for the High VSL for R2: The Responsible Entity
submitted an event report (e.g., written or verbal) to all required recipients
more than 48 hours after meeting an event threshold for reporting. OR The
Responsible Entity failed to submit an event report (e.g., written or verbal) to
three or more entities identified in its event reporting Operating Plan within 24
hours. ERCOT proposes that the first two components of the Severe VSL for R2
be deleted and replaced with: The Responsible Entity failed to submit a report
for an event in EOP-004 Attachment 1.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
The VSLs were written to account for tardiness of reports, for failing to report to certain entities and for not submitting a report at
all. The investigators will apply the appropriate VSL based on the type of violation found.
Duke Energy
No
The Lower VSL for R3 should be clarified. The phrase “validated 75% or more”
should be modified to say “validated at least 75% but less than 100%”.
Response: Thank you for your comment. The SDT agrees and has made the correction.
SERC OC Standards Review Group
No
The VRF for R2 should be “Lower” instead of “Medium” since it is
administrative which involves reporting events to entities not identified in the
Functional Model that have operating responsibilities listed. The VRF for R3
should also be “Lower” instead of “Medium” since it is an administrative
requirement.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Southern Company
No
The VRF for R2 should be “Lower” instead of “Medium” since it is
administrative which involves reporting events to entities not identified in the
Functional Model that have operating responsibilities listed. The VRF for R3
should also be “Lower” instead of “Medium” since it is an administrative
requirement. In addition we suggest that the VSL for R1 should have a lower
level VSL for an Operating Plan that may have one event type missing from the
Operating Plan.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Cogentrix Energy
No
The VRF for R2 should be “Lower” instead of “Medium” since it is
administrative which involves reporting events to entities not identified in the
Functional Model that have operating responsibilities listed. The VRF for R3
should also be “Lower” instead of “Medium” since it is an administrative
requirement.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Xcel Energy
No
The VSL column for R2 provides a range of severity based on the number of
contacts made (or not made) but this seems to be arbitrarily defined. A smaller
entity may only have two or three contacts so missing one or more here may
be a much higher risk than for a larger utility that may have ten or more
contacts. The VSLs should be drafted to include percentages instead of whole
numbers. The Lower VSL column for R3 states, “...OR The Responsible Entity
validated 75% or more of the contact information contained in the operating
plan.” This could be interpreted that even if someone completed 100% (which is
more than 75%) a low VSL could be assigned. This VSL should be drafted in
similar fashion to the Moderate, High and Severe VSLs and include a range (i.e.
less than 100% but more than 75%).
Response: Thank you for your comment. The SDT followed the NERC guidelines for VRFs and VSLs in setting the appropriate
levels. The SDT will forward your suggestions to NERC for future consideration.
Manitoba Hydro
No
This seems like an administrative only requirement. It would be too difficult to
validate or measure.
Response: Thank you for your comment. Please see the response to your comment in question 1.
Independent Electricity System Operator
No
We agree with the VRF for R2, but have a concern over the VRFs assigned to R1
(Lower) and R3 (Medium). Having an event reporting operating plan (R1) is a
first step toward meeting the intent of this standard, annually validating it (R3)
is a maintenance requirement which arguably can be regarded as equally
important but its reliability risk impact for failure to comply should be no higher
than having no plan to begin with. We therefore suggest that the VRFs for R1
and R3 be at least the same, or that R1’s VRF be higher than that for R3.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Southwest Power Pool RTO
No
We question the reliability benefits of this requirement.
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. If the information in the Operating Plan is out of date, then the plan will not be effective.
Lewis County PUD
No
American Electric Power
No
Response: Thank you for your participation.
ReliabilityFirst
Yes
Even though ReliabilityFirst votes in the Affirmative, we offer the following
comments for consideration regarding the VSLs: VSL for Requirement R2 -
ReliabilityFirst questions whether there is justification for the gradation of VSLs
out to 60 hours for the reporting of an event. Without justification, ReliabilityFirst
believes the timeframe should be shortened to eight hour increments with a
severe VSL being more than 48 hours late. ReliabilityFirst believes that being
more than a day late (24 hours) falls within the entity completely not meeting
the intent of submitting the report with the required 24 hour timeframe.
Response: Thank you for your comment. The SDT followed the NERC guidelines for VRFs and VSLs in setting the
appropriate levels.
PNGC Comment Group
Yes
FirstEnergy
Yes
Arizona Public Service Company
Yes
Entergy Services, Inc. (Transmission)
Yes
Clark Public Utilities
Yes
Public Service Enterprise Group
Yes
Idaho Power Co.
Yes
Ingleside Cogeneration LP
Yes
Wisconsin Electric Power company dba We Energies
Yes
Ameren Services
Yes
South Carolina Electric and Gas
Yes
Georgia Transmission Corporation
Yes
City of Austin dba Austin Energy
Yes
Springfield Utility Board
Yes
American Public Power Association
Yes
3. Do you have any other comment, not expressed in the questions above, for the DSR SDT?
Summary Consideration: Most stakeholders who responded to this question provide comments suggesting specific revisions to the
requirements or to the event types listed in Attachment 1. Most of these comments are about a single event type and were made
by only one stakeholder. The team has reviewed all of these comments. In several cases, the same or a similar suggestion was made
on an earlier draft, and the team considered it at that time. The SDT believes that stakeholder consensus has been achieved
regarding these event types. The team has elected to move forward to recirculation ballot.
Organization
Question 3 Comment
Detroit Edison
"Suspicious activity" and "suspicious device" should be eliminated from Attachment 1, Event
types: 'Physical threats to a Facility' and 'Physical threat to a BES Control Center'. By including
'suspicious activity' in the standard, I believe the project team went outside of the scope of the
project, which was intended to be a merger of the two standards. Regarding standard CIP 001,
the threshold for reporting is “Disturbances or unusual occurrences, suspected or determined
to be caused by sabotage....”, as its title suggested: Sabotage Reporting. Suspicious activity,
which is not defined by the standard, clearly has a much lower threshold than sabotage, or
even suspected sabotage. The reporting requirement of 24 hours, also increases the burden on
the entity to either rush to investigate and make a determination regarding suspicious activity
in less than 24 hours, or not perform due diligence and report uninvestigated “suspicious”
activity, which normally turns out to not be a "Physical Threat". Suspicious activity should be
duly investigated by the entity, local law enforcement, or the FBI as appropriate; and then
reported if it has been determined to be a physical threat, or cannot be explained. Reporting
within 24 hours will devalue the information inputted, as most cases of suspicious activity are
innocuous, and the standard lacks a process of follow up, which would remove those
incidents from intelligence databases. Regarding suspicious devices, determination is usually
immediate, (in less than 24 hours), and then the device would be classified as either
"sabotage" or "no threat". The standard is not clear whether suspicious devices still have to be
reported, even if they are immediately determined as not a "Physical Threat to a Facility or BES
Control Center." Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) -
Reporting Concepts states: "The changes do not include any real-time operating
notifications for the types of events covered by CIP-001 and EOP-004. The real-time reporting
requirements are achieved through the RCIS and are covered in other standards (e.g. EOP-002
Capacity and Energy Emergencies). These standards deal exclusively with after-the-fact
reporting." Attachment 1 in existing EOP-004-1 is much easier to follow (specifies time
requirement to file). Also R2 states DOE OE-417 may be utilized to file reports, however
Standard time requirement for update report is 48 hours, OE-417 has changed time
requirement on updated filing to 72 hours. Difference can cause confusion and possible
penalties. The real time operator must focus on maintaining system reliability. Putting
unnecessary reporting obligations on RT puts more importance on the reporting structure than
on maintaining reliability. Let 8/5 support personnel perform the reporting tasks and keep the
24/7 on shift operators focusing on the BES.
Response: Thank you for the comment. The SDT disagrees with your position on the inclusion of suspicious activities. Suspicious
activities are events and notification of such events is a part of the existing CIP-001 and EOP-004 standards. Reporting under
EOP-004 is for notification purposes only. The standard does not require any analysis of events and does not require any follow
up reports as you suggest.
City of Austin dba Austin Energy
(1) City of Austin dba Austin Energy (AE) requests that the SDT clarify whether R3 requires that
each Registered Entity subject to EOP-004-2 verify NERC’s contact information each year. It
appears this would be overly burdensome for NERC to respond to individual requests. (2) AE
also asks that NERC’s fax number be included in the contact information at the beginning of
Attachment 1 and at the Event Reporting Form in Attachment 2. NERC included the fax
number as a viable contact method in its recent NERC Alert notifying the industry of the
changed information. (3) AE requests that the SDT increase the threshold for reporting loss of
firm load to ≥ 300 MW for all entities to align the reporting threshold with the OE-417
threshold. Otherwise, smaller entities would have to report firm load losses between 200 and
299 MW to NERC but not to the DOE. This could be administratively confusing to those
responsible for reporting. (4) Attachment 1 lists the threshold for reporting generation loss at
≥ 1,000MW for the ERCOT Interconnection. ERCOT planning is based on a single
contingency of 1,375MW. For this reason, AE believes the minimum threshold for a
disturbance should be greater than the single contingency amount of >1,375MW for the
ERCOT Interconnection.
Response: Thank you for your comment. The SDT does not feel it is necessary to specify how the validation occurs and has left
this to the entity to determine how to do this. The SDT agrees with the inclusion of the fax number. The SDT will forward the
other suggestions to NERC for future consideration. However, it should be noted that these suggestions have not been adopted
due to consistency with other standards.
ACES Power Marketing Standards
Collaborators
(1) For the first “Damage or destruction of a Facility” event in Attachment 1, the threshold for
reporting should be modified. The threshold for reporting would only include damage or
destruction that necessitates the need for action to prevent an Emergency. It does not include
if an Emergency actually occurs. Based on the definition of Emergency which states that it is
an “abnormal system condition that requires... action to prevent or limit”, we think the
threshold should be changed to “Damage or destruction of a Facility... that results in a BES
Emergency”. Per the definition, the Emergency is what necessitates action which is what the
threshold appeared to be focused on. (2) In the second “Damage or destruction of a Facility”
event in Attachment 1, the threshold regarding “intentional human action” is ambiguous and
suffers from the same difficulties as defining sabotage. What constitutes intentional? How do
we know something was intentional without a law enforcement investigation? If a car runs
into a transmission tower, was this an accident or intentional human action? It could be
either. This appears to be the same issue that prevented the drafting team from defining
sabotage. (3) Under the “Physical threats to a BES control center” event in Attachment 1, the
event should very clearly define if this applies to backup control centers or not. (4) Under the
“Complete loss of off-site power to a nuclear generating plant (grid supply)” event in
Attachment 1, the entity with reporting responsibility is not coordinated with NUC-001. NUC-001 used the term transmission entity to mean an entity that is responsible for providing NPIR
services. They did not use only TOP because there are other entities that provide this service.
Please coordinate the “Entity with Reporting Responsibility” with that standard. (5) We
continue to believe that the draft standard has not satisfied the complete scope of the SAR
regarding elimination of redundancy. The draft standard will continue to require redundant
reporting by various entities. For instance, under the event “Loss of Firm Load” in Attachment
1, the DP, TOP, and BA all are required to report. The response to our last set of comments
regarding this issue was that “the industry can benefit from having such differing perspectives
when events occur”. This response seems to confuse event analysis with event reporting. The
purpose of the standard is to simply report that an event happened. In fact, the reporting
form only requires the submitting entity to report the type of event. The description of what
happened is optional. What additional perspectives could be gained from having multiple
registered entities in the same electrical footprint report that an event happened? If the
purpose is to analyze the event, this is covered in the events analysis process. Furthermore,
once NERC becomes aware of the event they have the authority to request data and
information from other registered entities. Please eliminate the duplicate reporting
requirements. Other events that may require duplicate reporting include: Damage or
destruction of a Facility, Physical threats to a Facility, BES Emergency resulting in automatic
firm load shedding, Loss of firm load, System separation, Generation loss, and Complete loss of
off-site power to a nuclear generating plant. (6) In the second “Damage or destruction of a
Facility” event and “Physical Threats to a Facility” events, Distribution Provider should be
removed. The Distribution Provider does not have any Facilities which is defined as “a set of
electrical equipment that operates as a single Bulk Electric System Element”. The DP’s
transformers interconnecting to the BES are not Facilities and the latest NERC BOT definition
explicitly does not include them in Inclusion I1. If a DP did own Facilities, it would be
registered as a TO or GO. Inclusion of the DP will compel the DP to provide evidence that it
does not have Facilities which is an unnecessary compliance burden that does not support
reliability. (7) The “BES Emergency resulting in automatic firm load shedding” should not
apply to the DP. In the existing EOP-004 standard, Distribution Provider is not included and
the load shed information still gets reported. (8) For the “Voltage deviation on a Facility”
event in Attachment 1, we suggest changing “area” in the threshold for reporting to
“Transmission Operator Area” as it is a defined term. (9) For the “System separation
(islanding)” event, please remove BA. Because islanding and system separation involve
Transmission Facilities automatically being removed from service, this is largely a Transmission
Operator issue. This position is further supported by the approval of system restoration
standard (EOP-005-2) that gives the responsibility to restore the system to the TOP. (10) The
response to our comments requesting that Measure 2 specifically identify that attestations are
acceptable forms of evidence to indicate that no events have occurred indicated that the
measure cannot permit use of attestations. Other standards that have been recently approved
by the board specifically permit the use of attestations. FAC-003-2 M1 and M2, TOP-001-2
M1-M11 and TOP-003-2 M5 all permit the use of attestations. We ask the drafting team
to reconsider including a specific reference that an attestation is acceptable to indicate no
event has occurred given these new facts. (11) In requirement R1, we suggest changing “in
accordance with EOP-004-2 Attachment 1” to “to report events identified in EOP-004-2
Attachment 1”. It makes more sense since the attachment is a list of events that require
reporting. The other language sounds like additional requirements will be established in
Attachment 1.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
Southwest Power Pool Regional
Entity
(1) SPP RE thinks the following Generation reporting threshold is unclear: "Total generation
loss, within one minute, of ≥ 2,000 MW for entities in the Eastern or Western
Interconnection". What has to happen within one minute? It reads as if you have to make a
report within one minute. If the intent is that a report has to be made within 24 hours if the
loss is for more than one minute it should read, "Total generation loss ≥ 2,000 MW for
more than one minute for entities in the Eastern or Western Interconnection". What is the
intent of the one minute requirement?
(2) It appears per R1 that entities are no longer required to include Regional Entities in their
reporting chains. SPP RE believes Regional Entities must be included in the reporting chain so
they can fulfill their obligations under their delegation agreements.
(3) SPP RE thinks this standard was changed substantially enough that it should have been
opened for a new ballot pool.
Response: Thank you for your comment. 1) The intent of the “one minute” language is to avoid having to report when a generator has
a slow run back rather than a sudden loss. Typically, a unit will trip instantly and the loss will be clear. Other times, the
generation will slowly decline and the SDT does not intend for this to be reported. The reporting requirement is to submit a
report for an applicable event within 24 hours. 2) Entities are required to report to the ERO only and may submit reports to
others, including the RE. The SDT envisions the reports generated through EOP-004-2 act as an input to the Events Analysis
Process which includes participation by the Regional Entity. 3) The SDT followed the standards development process which allows
significant revision to the standards as long as it proceeds to a successive ballot. The NERC Standard Processes Manual clearly
states that a ballot pool stays in place until balloting is completed on a standard. On occasion, the Standards Committee has
determined that it is necessary to form a new ballot pool for a project because the ballot pool has been in place for several years
and many of the original ballot pool members are no longer available to vote, but this is not the normal practice.
Ameren Services
(1) This draft refers to a number of activities in the Operations Plan that each entity is to have
on hand as the primary guide of actions to be taken when an event occurs. Although there is
information related to the requirements that should be included in the Operations Plan, the
drafting team has not defined a structure on the format, the minimum information to be
included or the direct audience for the Operations Plan. In addition, there is no guidance on
the disposition, distribution of the Operations Plan which is left to the entity to determine. We
request that the drafting team provide a defined structure for entities concerning the
development and implementation of the Operations Plan.
(2) Page 14 (Attachment 2) - Voltage Deviation of a Facility - This appears to be a contradiction
to VAR-001-2 R10 for TOP which states IROL events will be corrected within 30 minutes. We
request the 15 minute reporting criteria be changed to also state 30 minutes.
(3) Throughout Document - "Report to the ERO and Regional Entity" - NERC and DHS
established the ES-ISAC as a confidential location to report all events that happen on the BES.
As these events are of a Sabotage / Disturbance nature, they should all go through the ES-ISAC
both as a single location for distribution, and as a best practice that the industry has started.
(4) There seems to be some differences between the red-line and clean versions which may
need some clarification. For example, (a) In the redline version, the revision history box
appears to indicate the inclusion of parts of CIP-008, and in the “Clean” version this has been
removed from the revision history box. (b) The red-line version includes a drawing at two
places versus once in the clean version. (c) The correlation between the clean and redline
documents is not very clear and there appears to be gaps in the reporting and tracking
framework structure.
Response: Thank you for your comment. 1)-3) Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot. 4) In removing tables and diagrams, the redline version tends to show both
the old and new with only a red line down the side of the page. The clean version of the standard is the final version.
Texas Reliability Entity
(A) Regional Entity should be capitalized in R1. (B) COMMENTS ON ATTACHMENT 1: In the
previous comment period on this Standard, Texas RE submitted comments that we feel were
not adequately addressed. There were several responses to comments regarding the Events
Table that need deeper review and consideration: (1) In the Events Table, under Transmission
Loss, the SDT indicated that reporting is triggered only if three or more Transmission Facilities
operated by a single TOP are lost. Also, generators that are lost as a result of transmission loss
events must be included when counting Facilities. As Texas RE indicated in previous comments
to this Standard, determining event reporting requirements by the entity that owns/operates
the facility is not an appropriate measure. If the industry wants to learn from events, these
types of issues must be addressed. Including the RC as one of the Entity(s) with Reporting
Responsibility may alleviate this concern. The RC would have overall view of the system and
could provide the reports on multi-element events where the elements are owned/operated
by different entities. For the SDT to believe that “There may be times where an entity may
wish to report when a threshold has not been reached because of their experience with their
system” is worthy to note but falls short of the reliability implications caused by those entities
that will not report. The industry needs to learn from events and failure to report will facilitate
failure to learn.
(2) In the Events Table, under Transmission Loss, there has been considerable discussion
recently within the Events Analysis Subcommittee (EAS) regarding the definition of the phrase
“contrary to design.” The EAS is currently working on possible guidelines to interpret this
event type. The SDT may want to consider including the EAS language into the Guidelines and
Technical Basis for this Standard.
(3) In the Events Table, under “Unplanned BES Control Center evacuation” and “Complete loss
of voice communication capability,” and “Complete loss of monitoring capability,” GOPs
should be included. GOPs also operate control centers that would be subject to these kinds of
occurrences. As Texas RE indicated in previous comments to this Standard, in CIP-002-5
Attachment 1 there is a “High Impact Rating” for the following: “1.4 Each Control Center,
backup Control Center, and associated data centers used to perform the functional obligations
of the Generation Operator that includes control 1) for generation equal to or greater than an
aggregate of 1500 MW in a single Interconnection or 2) that includes control of one or more of
the generation assets that meet criteria 2.3, 2.6, and 2.9.” In the ERCOT Region, we
experienced an event where a GOP control center lost an ICCP link that carried real-time
information regarding its generation fleet (over 10,000 MWs). Without inclusion of the GOP
here the event may not get recorded. While it was a “virtual” loss, the impact to the BES
through generation control actions could be significant and the event should be reported and
analyzed. For the GOP control centers that do exist, the reporting of such events should be a
requirement. Based on the minimum of these two examples, why would the SDT NOT include
GOP as being applicable?
(4) In the Events Table, under “BES Emergency requiring public appeal for load reduction,” the
definition of Emergency is “Any abnormal system condition that requires automatic or
immediate manual action to prevent or limit the failure of transmission facilities....” Is it the
intent of the SDT to exclude public appeals issued in anticipation of a possible emergency,
before a BES Emergency is officially declared?
(5) In the Events Table, under “BES Emergency resulting in automatic firm load shedding,” the
SDT may want to consider including the RC as one of the Entity(s) with Reporting
Responsibility. The RC would have overall view of the system and should provide the reports
on events where the multiple entities may be involved. We have UVLS schemes in our region
where the total MW shed is greater than 100 MW, but the individual TOP MW shed is less than
100 MW.
(6) In the Events Table, consider whether the item for “Voltage deviation on Facility” should
also be applicable to GOPs, because a loss of voltage control at a generator (e.g. failure of an
automatic voltage regulator or power system stabilizer) could have a similar impact on the BES
as other reportable items. Note: We made this comment last time, and the SDT’s posted
response was non-responsive to this concern. The SDT noted “Further, we note that such
events do not rise to the level of notification to the ERO” but the SDT failed to recognize that
“Voltage deviation on a Facility” does exactly that - notifies the ERO but from a TOP
perspective only. Texas RE is trying to establish the correct Responsible Entity for reporting
“Voltage deviation on a Facility” (in this case a generator regardless of the cause and other
obligations the owner may have with other Reliability Standards).
Response: Thank you for your comment. A) The SDT agrees and has made the correction. B) Many suggestions were made regarding
the language of certain events listed in Attachment 1. Most of these comments are about a single event type and were made by
only one stakeholder. The team has reviewed all of these comments. In several cases, the same or a similar suggestion was made
on an earlier draft, and the team considered it at that time. The SDT believes that stakeholder consensus has been achieved
regarding these event types. The team has elected to move forward to recirculation ballot.
Central Lincoln
1) Central Lincoln must again point out the lack of proportionality for gunshot insulators and
similar events under “Damage or destruction of a Facility.” Please see our last set of
comments. These incidents are fairly common in the west, and typically do not cause an
immediate outage. They are generally discovered months after the fact, yet the discovery
starts the 24 hour clock running as if the situation had suddenly changed. Prior SDT response:
“... this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a
human.” There is already a great lag in awareness regarding the damaged insulator. Months or
more can pass prior to discovery by the entity. We fail to see how it becomes so urgent upon
discovery. Prior SDT response: “The SDT envisions that entities could further define what a
suspected intentional human action is within their Operating Plan.” We do not share the SDT’s
vision. If an Operating Plan redefined suspected intentional human action so the act of
preparing a gun for firing, aligning the sights on an insulator and pulling the trigger was not
included, we believe the entity that operates under that plan would be found non-compliant
under the language of this standard. We do not offer a simple change in text that will fix the
problem, we are only pointing out the problem exists. Murphy dictates discovery will occur at
the most inopportune time, which will be during an after hours outage on a stormy holiday
weekend night when many employees are out of town and those that are available are already
fully engaged. The entity is then faced with choosing to delay restoration or violating the
standard. When proposing a zero defect event driven requirement such as this
one, we ask the SDT to consider all possible scenarios in which the event may occur.
2) We note that Distribution Providers are listed in the Applicability Section. We also note that
there is no requirement in the Statement of Compliance Registry Criteria for Distribution
Providers to own or operate BES Facilities, own or operate UFLS or UVLS of 100 MW, or to
have load exceeding 200 MW. DP’s that cannot meet any of the thresholds of Attachment 1
would still need an Operating Plan under R1 and annually validate the possibly null contact list
in its OP under R3. We suggest that DPs that cannot meet the thresholds of Attachment 1 be
removed from the Applicability Section.
Response: Thank you for your comment. 1) Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
2) To your suggestion on DPs, the SDT has clarified, in the Guidelines and Technical Basis Section of the standard, that DPs who do
not meet the threshold reporting requirements can conduct an annual review of the threshold requirements and be exempted
from R1 and R3 for that period. Once the DP has met the threshold reporting requirements, they will then have to comply with
the standard.
“Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this standard. The team realizes that not
all DPs will own BES Facilities and will not meet the “Threshold for Reporting” for any event listed in Attachment 1. These
DPs will not have any reports to submit under Requirement R2. However, these DPs will be responsible for meeting
Requirements R1 and R3. The DSR SDT does not intend for these entities to have a detailed Operating Plan to address
events that are not applicable to them. In this instance, the DSR SDT intends for the DP to have a very simple Operating Plan
that includes a statement that there are no applicable events in Attachment 1 (to meet R1) and that the DP will review the
list of events in Attachment 1 each year (to meet R3). The team does not think this will be a burden on any entity as the
development and annual validation of the Operating Plan should not take more than 30 minutes on an annual basis. If a DP
discovers applicable events during the annual review, it is expected that the DP will develop a more detailed Operating Plan
to comply with the requirements of the standard.”
Duke Energy
1) There are discrepancies between the red-lined EOP-004-2 and the Clean EOP-004-2 that
were posted for this project. Our comments are based upon the Clean EOP-004-2.
2) Attachment 1 and Attachment 2 have the ERO email and phone number listed. If these ever
change, does the standard have to go through the revision and balloting process again, or is
there an easier way to incorporate such changes?
3) Attachment 1 - When an event occurs that meets the Threshold for Reporting, it’s not clear
whether all listed entities have to report or not. Several Event Types need this clarity added.
For example, if a TOP loses voice communication capability, do both the TOP and RC have to
report?
4) Attachment 1 - Damage or destruction of a Facility, applicable to BA, TO, TOP, GO, GOP, DP.
The Threshold for Reporting should be further clarified by adding the sentence “Do not report
theft or damage unless it degrades normal operation of a Facility.” This would eliminate
unnecessary reporting of copper theft or vandalism.
5) Attachment 1 - Physical threats to a Facility. The Threshold for Reporting should be
modified by deleting the sentence “Do not report theft unless it degrades normal operation of
a Facility”. This sentence isn’t needed here, and fits better with “Damage or destruction of a
Facility” as noted in 4) above.
6) Attachment 1 - Transmission loss. This event type should be deleted because it is duplicated
under TADS reporting and PRC-004 Protection System Misoperations reporting.
7) Attachment 1 - Unplanned BES control center evacuation, Complete loss of voice
communication capability, and Complete loss of monitoring capability. The Threshold for
Reporting on all three of these Event Types is 30 minutes, and should be extended to 2 hours,
consistent with the transition time identified in EOP-008 “Loss of Control Center
Functionality”.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
ERCOT
As a general matter, this standard imposes an ex-post reporting obligation. Consistent with
the ongoing P 81 standard review/elimination effort, this standard is arguably a candidate for
elimination under the principles guiding that effort. The obligation proposed in the standards
are better suited for inclusion in the Rules of Procedure or as a guideline because they are
strictly administrative in nature.
Response: On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process
and in paragraph 81 (“P81”) invited NERC and other entities to propose to remove from
Commission-approved Reliability Standards unnecessary or redundant requirements. In
response to P81 and the Commission’s request for comments to be coordinated, during June
and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff
from the NERC Regions jointly discussed consensus criteria and an initial list of Reliability
Standard requirements that appeared to easily satisfy the criteria, and, thus, could be
retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from
CIP-001 and EOP-004 met the initial threshold for being included in the P81 Project. Both of
these requirements will also be retired by EOP-004-2. Phase 2 of the Paragraph 81 Project
will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a
and EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2
is not approved by the industry, those standards will remain as is and subject to the
Compliance Monitoring and Enforcement Program. As the SDT is moving forward with a
Recirculation Ballot, your suggestions will be forwarded to NERC for future consideration.
To the extent the SDT continues to pursue this effort, ERCOT offers the following additional
comments. ERCOT has commented on the listing in the Entity with Reporting Responsibility
column of Attachment 1. Consistent with those prior comments, the current version still fails
to adequately create a bright line threshold for particular events. For example, in the
Transmission loss event, although the TOP is listed, there is no direction regarding which TOP
is required to file the event report. Is it the TOP in whose TOP area the loss occurred or is it a
neighboring TOP who observes the loss? Clearly, the responsibility for reporting lies with the
host system, but that responsibility is not clearly designated. There are several other similar
events where there is no bright line. We suggest that the drafting team return the deleted
language to the Entity with Reporting Responsibility column in those instances where the
current version fails to provide a bright line in the Threshold column. Regarding multiple
reports for a single event, that aspect of the proposed draft should be revised to only require a
single report. While additional information may be available from others, let the Event Analysis
team perform their function. This would eliminate the redundant reporting that is currently
required as the standard is written.
Response: Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by
only one stakeholder. The team has reviewed all of these comments. In several cases, the
same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these
event types. The team has elected to move forward to recirculation ballot.
ERCOT requests that the reference to “cyber attack” be removed from the Guideline and
Technical Basis section of the document since all reporting of cyber events has been removed
from the standard and retained in CIP-008.
Response: This correction has been made.
Response: Thank you for your comment. Please see responses above.
American Public Power Association
As stated in our comments on the previous draft: It is APPA’s opinion that this standard should
be removed from the mandatory and enforceable NERC Reliability Standards and turned over
to a working group within the NERC technical committees. Timely reporting of this outage
data is already mandatory under Section 13(b) of the Federal Energy Administration Act of
1974. There are already civil and criminal penalties for violation of that Act. This standard is a
duplicative mandatory reporting requirement with multiple monetary penalties for US
registered entities. If this standard is approved, NERC must address this duplication in their
filing with FERC. This duplicative reporting and the differences in requirements between DOE OE-417 and NERC EOP-004-2 require an analysis by FERC of the small entity impact as required
by the Regulatory Flexibility Act of 1980.
Response: Thank you for the comment. The SDT does not believe that there is duplicative reporting. The reports that you
mention do not go to NERC under the FPA. We will forward your suggestion to NERC for consideration in the preparation of the
filing for approval.
NV Energy
Aside from the comment referring to the new R3 and the term "validate", I applaud the SDT
for the improvements made in the remainder of the Standard. This is a much simpler and
straightforward approach to meeting the directives in this project and greatly simplifies the
processes necessary on the part of the registered entities.
Response: Thank you for your comment.
CenterPoint Energy
CenterPoint Energy appreciates the revisions made to the draft Standard based on stakeholder
feedback and believes that the changes made are positive overall. However, the Company
recommends the additional changes noted below for a favorable vote. In the Rationale for R1,
CenterPoint Energy recommends that the 2nd sentence in the 1st paragraph be revised as
follows, “In addition, these event reports may serve as input to the NERC Events Analysis
Program.”, as not all events listed in Attachment 1 will serve as input in to the NERC Events
Analysis Program. CenterPoint Energy also proposes that the Standard Drafting Team (SDT)
add "There cannot be a violation of Requirement R2 without an event." as noted in the
Consideration of Issues and Directives to the Requirement. For Attachment 1, CenterPoint
Energy recommends the following revisions: CenterPoint Energy continues to be concerned
that the uses of the terms “suspicious” and “suspected” are too broad. The Company proposes
that the SDT remove the terms from the Thresholds for Reporting or add “which caused a
negative impact to the Bulk Electric System” or “that causes an Adverse Reliability Impact..." to
each phrase where the terms are used. CenterPoint Energy proposes that the threshold for
reporting the event, “BES Emergency requiring manual firm load shedding” is too low. It
appears the SDT was attempting to align this threshold with the DOE reporting requirement.
However, as the SDT has stated, there are several valid reasons why this should not be done.
Therefore, CenterPoint Energy recommends the threshold be revised to “Manual firm load
shedding ≥ 300 MW”. CenterPoint Energy also recommends a similar revision to the
threshold for reporting associated with the “BES Emergency resulting in automatic firm load
shedding” event. (“Firm load shedding ≥ 300 MW (via automatic under voltage or under
frequency load shedding schemes, or SPS/RAS”) For the event of “System separation
(islanding)”, CenterPoint Energy believes that 100 MW is inconsequential and proposes 300
MW instead. For “Generation loss”, CenterPoint Energy suggests that the SDT add "only if
multiple units” to the criteria of “1,000 MW for entities in the ERCOT or Quebec
Interconnection”.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
PNGC Comment Group
Comments: The PNGC Comment group remains concerned that the “Applicability” section will
inadvertently subject Distribution Providers to requirements that they should be excluded
from. Please consider the two examples below and note that we’re talking about probably
hundreds of small DPs being subject to these unnecessary requirements without any increase
to the reliability of the BES. Example 1: Small DP with a peak load of 50 MWs. They have no
BES Facilities and their system is radial. Even though this utility will never have a reporting
requirement per Attachment A, they are still subject to R1 and R3 plus the associated
compliance (read financial) risk for non-conformance. An easy fix to this issue would be for
DPs without BES Facilities and with less than 200 MW annual peak load to be excluded in the
Applicability section. Example 2: Small DP with a peak load of 50 MWs. Their only BES
Facilities are two Automatic UFLS relays that are capable of shedding 15 MWs. DP’s Host
Balance Authority (HBA) has a peak load of 10,000 MWs, meaning their UFLS plan requires
them to have the capacity to shed 3000 MWs should system conditions warrant. Is it the SDT’s
intent for this DP to have an Operating Plan in place for “damage”, “destruction”, or “physical
threat” for these two relays that are capable of shedding only 15 MWs out of a 3000 MW HBA
UFLS plan? The SDT set a 100 MW threshold for reporting of automatic UFLS load shedding so
why have reporting requirements for the threat to 15 MWs worth of UFLS relays? Once again
the easy fix is to modify the Applicability section. We suggest: 4.1.7. Distribution Provider: with
>= 200 MW annual peak load, or; >= 100 MW Automatic firm load shedding
Response: Thank you for comment. To your suggestion on DPs, the SDT has clarified, in the Guidelines and Technical Basis of the
Standard, that DPs who do not meet the threshold reporting requirements can conduct an annual review of the threshold
requirements and be exempted from R1 and R3 for that period. Once the DP has met the threshold reporting requirements, they
will then have to comply with the standard.
“Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this standard. The team realizes that not
all DPs will own BES Facilities and will not meet the “Threshold for Reporting” for any event listed in Attachment 1. These
DPs will not have any reports to submit under Requirement R2. However, these DPs will be responsible for meeting
Requirements R1 and R3. The DSR SDT does not intend for these entities to have a detailed Operating Plan to address
events that are not applicable to them. In this instance, the DSR SDT intends for the DP to have a very simple Operating Plan
that includes a statement that there are no applicable events in Attachment 1 (to meet R1) and that the DP will review the
list of events in Attachment 1 each year (to meet R3). The team does not think this will be a burden on any entity as the
development and annual validation of the Operating Plan should not take more than 30 minutes on an annual basis. If a DP
discovers applicable events during the annual review, it is expected that the DP will develop a more detailed Operating Plan
to comply with the requirements of the standard.”
Cowlitz PUD
Cowlitz approves of the improvement efforts on Attachment 1. However, Cowlitz must again
point out the fallacy of potentially inundating the ERO with nuisance reporting of minor
vandalism and accidental damage. For example, gunshot “target practice” of insulators and
structures will apply under “Damage or destruction of a Facility.” Such incidents are fairly
common in the west, and typically do not cause an immediate outage. They are generally
discovered months or years after the fact, yet the discovery starts the 24 hour compliance
clock running as if the urgency is just as important as a recent event. If there is already a great
lag in awareness regarding the damaged Facility, Cowlitz fails to see how it becomes so urgent
upon discovery.
Again, Cowlitz points out the sentence structure “Damage or
destruction of its Facility that results from actual or suspected intentional human action” does
not restrict the human action as malicious or sabotage. “Intentional human action” could be
innocent, such as a land owner attempting to fall a tree for fire wood. The intent was not to
damage the Facility, but the “intentional human action” to obtain fire wood resulted in the
damage of the Facility. This does not comport with prior SDT response: “... this will give the
ERO (and whoever else the entity wishes to inform per Requirement R1) the situational
awareness that the Facility was ‘damaged or destroyed’ intentionally by a human.” Therefore,
if this is the SDT’s intent Cowlitz suggests this change: Damage or destruction of its Facility
that causes immediate impaired operation or loss of the Facility from suspected or actual
malicious human intent. Do not report mischievous vandalism, as defined in the Operating
Plan, where immediate loss of, or immediate impaired operation of the Facility has not
occurred.
Prior SDT response: “The SDT envisions that entities could further define
what a suspected intentional human action is within their Operating Plan.” Cowlitz does not
share the SDT’s vision. The Standard as written does not specifically address the ability to
“further define” terms used in the Attachment. Past allowance of audit teams to allow
registered entity definitions, e.g. “annual,” was to address gaps in standards until the
standards could be revised. If this is truly the intent of the SDT, then requirement R1 would
need revision such as: “The Operating plan shall define what a suspected intentional human
action is.” Cowlitz respectfully requests that ambiguity be avoided.
Cowlitz notes
that Distribution Providers are listed in the Applicability Section with no qualifiers. Cowlitz
points out that there is no requirement in the Statement of Compliance Registry Criteria for
Distribution Providers to own or operate BES Facilities, own or operate UFLS or UVLS of 100
MW, or to have load exceeding 200 MW. DP’s that cannot meet any of the thresholds of
Attachment 1 would still need an Operating Plan under R1 and annually validate the possibly
null contact list in its OP under R3. Cowlitz requests that DPs that cannot meet the thresholds
of Attachment 1 be removed from the Applicability Section. Not doing so will increase
compliance risk without any reliability return.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
To your suggestion on DPs, the SDT has clarified, in the Guidelines and Technical Basis Section of the Standard, that DPs who do
not meet the threshold reporting requirements can conduct an annual review of the threshold requirements and be exempted
from R1 and R3 for that period. Once the DP has met the threshold reporting requirements, they will then have to comply with
the standard.
“Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this standard. The team realizes that not
all DPs will own BES Facilities and will not meet the “Threshold for Reporting” for any event listed in Attachment 1. These
DPs will not have any reports to submit under Requirement R2. However, these DPs will be responsible for meeting
Requirements R1 and R3. The DSR SDT does not intend for these entities to have a detailed Operating Plan to address
events that are not applicable to them. In this instance, the DSR SDT intends for the DP to have a very simple Operating Plan
that includes a statement that there are no applicable events in Attachment 1 (to meet R1) and that the DP will review the
list of events in Attachment 1 each year (to meet R3). The team does not think this will be a burden on any entity as the
development and annual validation of the Operating Plan should not take more than 30 minutes on an annual basis. If a DP
discovers applicable events during the annual review, it is expected that the DP will develop a more detailed Operating Plan
to comply with the requirements of the standard.”
Wisconsin Electric Power Company dba We Energies
Damage or destruction of a Facility, Damage or destruction of its Facility that results from
actual or suspected intentional human action.: By the Functional Model, I do not believe the
BA function has Facilities by the NERC Glossary definition. This would not apply to a BA. The
line above this would adequately cover BA reporting. Remove a BA from applicability for this
line.
Physical threats to a Facility: The BA function does not have Facilities. Remove a BA from
applicability for this line. There could be a separate line for Physical Threats to a Facility within
an RC, FOP, BA Area as there is for Damage or Destruction of a Facility. Voltage deviation on a
Facility: Please specify what voltage this is, nominal, rated, etc. This should also be > 10%
deviation. Exactly at 10% could be at the edge of an allowed range.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
Manitoba Hydro
Does the Background, Guidelines and Technical Basis form part of the standard itself once
published? Or are these just parts of the package that accompany the standard during
circulation for comment?
Response: The background, guidance and technical basis will remain with the standard and provide
clarification on the SDT’s intent and direction.
Compliance 1.2: The reference to Responsible Entity is bracketed and in lowercase. We are
not clear why.
Response: This was corrected in the clean version.
VSLs, R1, Severe VSL: The words "in the event reporting Operating Plan” are missing from the
end of this sentence.
Response: This was corrected in the clean version.
VSLs, R2, Lower VSL: The violation occurs if the Responsible Entity has submitted an event
report to one entity whereas Moderate VSL, High VSL and Severe VSL, the level of severity of
the VSL increases depending on the number of entities that the Responsible Entity fails to
submit an event report to. The drafting here is not as precise as it should be. The way the
Lower VSL is written, it will also be triggered when the Responsible Entity has complied with
the requirement. For example, if the Responsible Entity is required to report an event to 5
entities, and it does, it will still mean that it has "submitted an event report to one entity
identified in the event reporting (also, the ‘ing’ is missing on the Lower VSL
reference) Operating Plan". It is also duplicative. For example, if the Responsible Entity
submitted a report to only one entity, and failed to submit a report to 4 others, they fall under
the Lower VSL and the Higher VSL (we are assuming in this case, the violation will be found to
be the higher VSL). Perhaps what the drafting team intended to do was to make the Lower
VSL, which the Responsible Entity failed to submit an event report...to one entity identified....
Response: The SDT followed the NERC guidelines for VSLs in setting the appropriate levels. The VSLs
were written based on two potential failures to meet the requirement. The first is based on
the time the report was submitted while the second was based on the entity submitting the
report within 24 hours but not to all applicable entities. If a violation is determined, it will
be for either being late with the report or for not submitting the report to everyone. The
appropriate VSL will be applied ONLY if a violation is found.
The Guidelines and Technical Basis contain a reference to R4 which no longer exists in the
standard.
Response: This reference has been removed.
Response: Thank you for comment. Please see responses above.
Dominion
Dominion reads Requirement R1 as explicitly requiring only the inclusion of reporting to the
ERO in the Operating Plan. We acknowledge that the requirement also contains additional
entities in parenthesis which infers the inclusion of a larger group (and which appears to be
supported by the rationale box). Dominion suggests the SDT explicitly state which entities, at a
minimum, be included, for reporting, in the Operating Plan. We suggest adding a column to
Attachment 1 and including entities to which the event must be reported. As examples:
o All event types should include local law enforcement
o Events for which the BA, RC, TOP bear responsibility should probably also be reported to the regional entity
o Events for which the Facility Owner bears responsibility should probably also be reported to the respective BA and TOP, who would in turn determine whether to notify their respective RC. The RC would in turn determine if additional entities need to be contacted.
Requirement R2 establishes a 24 hour
reporting threshold; however, the “NOTE” provided on Attachment 1 seems to contradict
Requirement 2 and could therefore lead to compliance issues. Dominion suggests that
Requirement R2 be revised to agree with the “NOTE” on Attachment 1. For example,
Requirement R2 could be reworded as: Except as noted on Attachment 1, Each Responsible
Entity shall... Also under the “NOTE” in Attachment 1, why has the facsimile number for the
ERO been removed? The DOE still provides a facsimile number for reporting. Attachment 2:
Event Reporting Form #4; need to update the below to reflect the same naming convention of
the events in Attachment 1, the “t” should not be capitalized in Physical Threat and add an ‘s’
behind threat. Add (islanding) behind System separation and capitalize the ‘U’ in unplanned
control center evacuation.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
Southern Company
NOTE: The SDT received assistance from Southern Company personnel in parsing these
comments as shown below. As submitted, the formatting of the original comments was lost
and very difficult for the SDT to read and understand.
Event Type Entity with Reporting Responsibility Threshold for Reporting SOCO Comment:
Damage or destruction of a Facility RC, BA, TOP Damage or destruction of a Facility within its
Reliability Coordinator Area, Balancing Authority Area or Transmission Operator Area,
excluding weather or natural disaster related threats, that results in actions to avoid a BES
Emergency. – No Comment
Damage or destruction of a Facility BA, TO, TOP, GO, GOP, DP Damage or destruction of its
Facility that results from actual or suspected intentional human action.:
Do not report damage unless it degrades normal operation of a Facility.
How does the SDT define “intentional human action?” Further, how is the phrase
“suspected intentional human action” defined? This phrase is very broad. Is
“intentional human action” identified as actions intended to damage facilities or does it
include accidental actions by individuals? For example, if a person accidentally shot
insulators off of a 230 kV line resulting in damage, would that be considered reportable
“intentional human action?”
In addition, what is the actual trigger for reporting? Does it require that the action has
been discovered or is it from the time the event occurs? Further, 24 hours is a very
brief time period -- how is an entity to conduct an investigation within that time period
to determine if damage or destruction could have resulted from “actual or suspected”
human action and also determine if it could have been “intentional”?
In Southern’s case, and likely in other entities’ cases, operating personnel submit the
reports to the regulatory entities for events that fall under this standard. Southern is
concerned, that the threshold for reporting for “Damage or destruction of a Facility”
and “Physical threats to a Facility” is so broad that numerous reports would need to be
filed that 1) may be a result of something that does not pose harm to reliability and
should not be of interest to the regulators, and 2) would introduce additional burden to
operating personnel that are monitoring the system every moment of the day. With
the current proposed “Threshold for Reporting”, the reporting requirement would
hamper the ability of system operating personnel to perform their core real-time
system operator tasks which would harm reliability.
Physical threats to a Facility BA, TO, TOP, GO, GOP, DP Physical threat to its Facility excluding
weather or natural disaster related threats, which has the potential to degrade the normal
operation of the Facility. OR Suspicious device or activity at a Facility. Do not report theft
unless it degrades normal operation of a Facility.
Please provide some clarity as to what is considered suspicious activity. For example,
would someone taking a photo of a BES substation fall into this category? Please
provide examples of what may be considered suspicious activity and how NERC and
others may use this information and what actions they would take as a result of
receiving this information.
In addition, what is the actual trigger for reporting? Is it when the threat is discovered
or from when it should have or could have been discovered? Further, 24 hours is a
very brief time period -- how is an entity to conduct an investigation within that time
period in order to determine if the physical threat has the potential to degrade the
normal operation of the Facility or that the “suspicious activity”?
Physical threats to a BES control center RC, BA, TOP Physical threat to its BES control center,
excluding weather or natural disaster related threats, which has the potential to degrade the
normal operation of the control center. OR Suspicious device or activity at a BES control
center. – No Comment
BES Emergency requiring public appeal for load reduction Initiating entity is responsible for
reporting. Public appeal for load reduction event.
It is unclear which entity would be responsible for reporting this event. For example, if
the RC/TOP/BA were to identify the need to do this and instruct an LSE to issue the
public appeal, who would report the event?
BES Emergency requiring system-wide voltage reduction Initiating entity is responsible for
reporting System wide voltage reduction of 3% or more.
It is unclear which entity would be responsible for reporting this event. For example, if
the RC were to identify the need to do this and instruct a TOP to reduce voltage, who
would report the event?
BES Emergency requiring manual firm load shedding Initiating entity is responsible for
reporting Manual firm load shedding ≥ 100 MW. – No Comment
BES Emergency resulting in automatic firm load shedding DP, TOP Automatic firm load
shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding
schemes, or SPS/RAS). – No Comment
Voltage deviation on a Facility TOP Observed within its area a voltage deviation of ± 10% of
nominal voltage sustained for >or= 15 continuous minutes.
Please change “nominal” to “expected” or “scheduled”
IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC
only) RC Operate outside the IROL for time greater than IROL Tv (all Interconnections) or
Operate outside the SOL for more than 30 minutes for Major WECC Transfer Paths (WECC
only). – No Comment
Loss of firm load BA, TOP, DP Loss of firm load due to equipment failures/system operational
actions for >or= 15 Minutes: >or= 300 MW for entities with previous year’s demand >or= 3,000
MW OR >or= 200 MW for all other entities
This should not be as a result of weather or natural disasters.
System separation (islanding) RC, BA, TOP Each separation resulting in an island ≥ 100 MW
– No Comment
Generation loss BA, GOP Total generation loss, within one minute, of ≥ 2,000 MW for
entities in the Eastern or Western Interconnection OR ≥ 1,000 MW for entities in the
ERCOT or Quebec Interconnection – No Comment
Complete loss of off-site power to a nuclear generating plant (grid supply) TO, TOP Complete
loss of off-site power affecting a nuclear generating station per the Nuclear Plant Interface
Requirement – No Comment
Transmission loss TOP Unexpected loss, contrary to design, of three or more BES Elements
caused by a common disturbance (excluding successful automatic reclosing). – No Comment
Unplanned BES control center evacuation RC, BA, TOP Unplanned evacuation from BES
control center facility for 30 continuous minutes or more. – No Comment
Complete loss of voice communication capability RC, BA, TOP Complete loss of voice
communication capability affecting a BES control center for 30 continuous minutes or more. –
No Comment
Complete loss of monitoring capability RC, BA, TOP Complete loss of monitoring capability
affecting a BES control center for 30 continuous minutes or more such that analysis capability
(i.e., State Estimator or Contingency Analysis) is rendered inoperable. – No Comment
Response: Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one
stakeholder. The team has reviewed all of these comments. In several cases, the same or a
similar suggestion was made on an earlier draft, and the team considered it at that time.
The SDT believes that stakeholder consensus has been achieved regarding these event types.
The team has elected to move forward to recirculation ballot.
Guideline and Technical Basis Comments
In the Summary of Key Concepts section of the Guideline and Technical Basis, the DSR SDT
explains that the proposed Standard does not include any real-time operating notifications for
events listed in Attachment 1. The DSR SDT should consider language in the Standard which
codifies this approach. Southern Company notes that the proposed standard does not
mention any exclusion of real-time notification.
Response: The SDT does not believe that this revision is necessary as the requirement R2
clearly states that events are to be reported within 24 hours.
The Law Enforcement Reporting section of the Guideline and Technical Basis unintentionally
expands on the purpose of the Standard by stating that “The Standard is intended to reduce
the risk of Cascading events.” The stated purpose of the Standard is “To improve the
reliability of the Bulk Electric System by requiring the reporting of events by Responsible
Entities.” The phrase in the Guideline should be removed or modified in order to avoid any
uncertainty about the Standard’s purpose.
Response: The SDT has made the requested clarification to the Guidelines and Technical
Basis section.
The DSR SDT should consider integrating the content of the Concept Paper into the Guideline
and Technical Basis. Presently, the Concept Paper appears as an add-on at the end of the
document. When the Concept Paper existed as a stand-alone document, various segments
such as “Introduction” and “Summary of Concepts and Assumptions” were helpful to
stakeholders and standards developers. The revised merged document in the present draft
does not need two separate sections addressing concepts nor does it need an introduction at
the midway point. Additionally, two other areas are either duplicative or contribute to
ambiguity within the supplemental information. First, it is not clear that the segment on
Concepts and Assumptions includes any actual assumptions. The section should be modified or
deleted to address this concern. Second, the segment entitled ‘What about sabotage?’ seems
to contain topics similar to those on the first page of the Guideline. Again, the DSR SDT should
consider integrating all of the necessary information into a more comprehensive document.
Response: The SDT has chosen to leave these sections intact because it helps convey the
development process as well as the information about the team’s insights.
Response: Thank you for comment. Please see responses above.
FirstEnergy
FirstEnergy Corp (FE) appreciates the work done by the SDT by incorporating the comments
and revisions from the previous draft. FE would like to see the time parameters in
Requirement 3 and Measure 3 to be changed from “each calendar year” to “at least once
every 12 months”. This is similar to the wording that is being used in the CIP standards.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
Oncor Electric Delivery
For reporting consistency, under the Event Type labeled “Generation Loss”, in Appendix 1 of
EOP-004-2, Oncor recommends that the reporting threshold of 1,000 KW for the ERCOT
Interconnection be raised to 1,400 MW to match the 1,000 MW level in the current version of
the ERO Event Analysis Program.
Under the Event Type labeled “Damage or Destruction of a Facility”, Appendix 1, with the
threshold that states, “Damage or destruction of its Facility that results from actual or
suspected intentional human action”, Oncor suggests the addition of the following language to
address intentional human action that is theft in nature but is not intended to disrupt the
normal operation of the BES: “Do not report theft unless it degrades the normal operation of a
Facility.”
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
Georgia Transmission Corporation
GTC recommends a minor change to Attachment 2 associated with the complete loss of offsite power to nuclear generating plant. NUC-001-2 R9.3.5 describes provisions for restoration
of off-site power and applies to both the Nuclear Plant Generator Operator and the applicable
Transmission Entities. To maintain consistency, GTC recommends modification to this row in
EOP-004-2 Attachment 2 such that the “Nuclear Plant Generator Operator” is the Responsible
Entity with reporting responsibility. (A TO may not have visibility to all off-site power
resources for a nuclear generating plant if multiple TO’s are providing off-site power.) At a
minimum, GTC recommends if the SDT believes the TO and TOP should remain involved, these
entities should be limited to “TO and TOP that are responsible for providing services related to
Nuclear Plant Interface Requirements (NPIRs)” which is also consistent with NUC-001-2.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
South Carolina Electric and Gas
Has the drafting team considered how reports from R2 tie in with reports required by the
NERC Event Analysis process? It appears that reporting deadlines conflict between the two.
The SDT should clarify that the event types "Damage or Destruction" listed in attachment 1 do
not pertain to "cyber events", to avoid duplication of the CIP-008 requirements.
Response: Thank you for your comment. Reporting under this standard is for the notification of events to the NERC Situation
Awareness Group. Reports in this standard can be the initial reports for the EA group, but are not designed to address the balance
of the EA program. The SDT had removed the cyber security obligations in this draft.
Xcel Energy
In attachment one, the “Threshold for Reporting” under Damage or Destruction of a Facility
appears to closely follow the definition of sabotage that EOP-004-2 says it is trying to do away
with. This definition should be drafted to better correlate with the other physical threats and
include the language, “which has the potential to degrade the normal operation of the
Facility”.
Additionally in Attachment 1, both the Physical threats to a Facility and Physical threats to a
BES control center include the wording, “Suspicious device or activity...”. What constitutes
suspicious activity? With no definition this interpretation is left to the Entity which is again
something the DSR SDT says they would like to eliminate.
Lastly, in the Guideline and Technical Basis section, under A Reporting Process Solution - EOP-004 it states, “A proposal discussed with the FBI, FERC Staff, NERC Standards Project
Coordinator and the SDT Chair is reflected in the flowchart below (Reporting Hierarchy for
Reportable Events). Essentially, reporting an event to law enforcement agencies will only
require the industry to notify the state or provincial or local level law enforcement agency. The
state or provincial or local level law enforcement agency will coordinate with law enforcement
with jurisdiction to investigate. If the state or provincial or local level law enforcement agency
decides federal agency law enforcement or the RCMP should respond and investigate, the
state or provincial or local level law enforcement agency will notify and coordinate with the
FBI or the RCMP.” This appears to be in direct conflict with the Rationale for R1 which states,
“An existing procedure that meets the requirements of CIP-001-2a may be included in this
Operating Plan along with other processes, procedures or plans to meet this requirement.”
CIP-001-2a required “communication contacts, as applicable, with local Federal Bureau of
Investigation (FBI)...” so if the CIP-001-2a procedure is included this does not seem to meet
the requirements of the operating plan required under EOP-004-2. Also, if the intent of the
Operating Plan is to include all local law enforcement and not FBI the operating plan would
become very detailed and when validated annually as required in R3, this becomes very
burdensome on an entity.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
American Electric Power
In the spirit of Paragraph 81 efforts, we request the removal of R1. R1 is administrative in
nature, existing only to support R2. Reporting an event externally might necessitate the need
for a plan/procedure/policy/job aide, but requiring it is an overreach. Having two
requirements rather than one increases the likelihood of being found non-compliant for
multiple requirements rather than a single requirement. The Paragraph 81 project team has
already recommended removing the requirement to have contact information with law
enforcement from CIP-001 R4. Notwithstanding our comments above, we recommend
removing the phrase “and other organizations...” from R1. If this requirement is to remain, it
needs to be very specific regarding who needs to be included in the reporting.
R2 – We recommend removing “per their Operating Plan” from R2 so it reads “Each Responsible
Entity shall report events within 24 hours of meeting an event type threshold for reporting.” If
an entity deviates from its plan but still meets the intent of the requirement (e.g. reporting to
NERC within 24 hours), this could be viewed as a finding of non-compliance. We need to get
away from “compliance for compliance’s sake”, and focus solely on those efforts which will
benefit the reliability of the BES.
Attachment 1 Page 13, Row 1 (Clean Version): This is too open-ended and would likely lead to
voluminous reporting. As it currently reads, “Damage or destruction of a Facility within its
Reliability Coordinator Area, Balancing Authority Area or Transmission Operator Area that
results in actions to avoid a BES Emergency” could bring all copper thefts into scope. Thefts
should not need to be reported unless the theft results in reliability concerns as specified by
other criteria or parameters in Attachment 1.
Attachment 1 Page 13, Row 2 (Clean Version): The threshold “Damage or destruction of its
Facility that results from actual or suspected intentional human action” should be eliminated
entirely. For the event Damage or destruction of a Facility, the threshold for reporting is set
too low.
Attachment 1 Page 13, Row 3 (Clean Version): We suggest modifying the text to read “Do not
report theft... unless the theft results in reliability concerns as specified by other criteria or
parameters in Attachment 1.”
Attachment 1 Page 14, Row 4 (Clean Version): Regarding “Loss of Firm Load”, we suggest
making it clear that the MW threshold is an aggregate value for those entities whose TOP is
responsible for multiple operating companies or legal entities. In addition, is it necessary to
include the DP as an entity with reporting responsibility? Its inclusion could create confusion
by further segmenting the established threshold.
Attachment 1 Page 15, Row 1 (Clean Version): Including “Transmission loss” as currently
drafted would result in much more reporting than is necessary or warranted. As currently
drafted, it could bring more events into scope than intended, especially for larger entities.
EOP-004 Attachment 2: Event Reporting Form: AEP remains concerned that industry would be
required to report similar information to multiple Federal entities, in this case to both NERC
(Attachment 2) and the DOE (OE-417). In addition, the reporting requirements are not clear for
every kind of event as to which entity the reports must be forwarded to, and it is unclear how
information would be passed to other entities as necessary.
EOP-004 Attachment 2: Event Reporting Form: This form is a further example of mixing
security concepts with operational concepts. Not only is it not advisable, it does not serve the
interests of either concept.
Response: Thank you for your comment. On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and in
paragraph 81 (“P81”) invited NERC and other entities to propose to remove from Commission-approved Reliability Standards
unnecessary or redundant requirements. In response to P81 and the Commission’s request for comments to be coordinated,
during June and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions
jointly discussed consensus criteria and an initial list of Reliability Standard requirements that appeared to easily satisfy the
criteria, and, thus, could be retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from CIP-001
and EOP-004 met the initial threshold for being included in the P81 Project. Both of these requirements will also be retired by
EOP-004-2. Phase 2 of the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the
industry, those standards will remain as is and subject to the Compliance Monitoring and Enforcement Program. As the SDT is
moving forward with a Recirculation Ballot, your suggestions will be forwarded to NERC for future consideration. As the
Paragraph 81 efforts are beyond the scope of this project, the SDT can only pass along your suggestion to that project team for
action there.
Many suggestions were made regarding the language of certain events listed in Attachment 1. Most of these comments are about
a single event type and were made by only one stakeholder. The team has reviewed all of these comments. In several cases, the
same or a similar suggestion was made on an earlier draft, and the team considered it at that time. The SDT believes that
stakeholder consensus has been achieved regarding these event types. The team has elected to move forward to recirculation
ballot.
Midwest Independent Transmission
System Operator, Inc.
MISO respectfully submits that several of the thresholds for reporting in EOP-004 - Attachment
1 should be modified to clarify when the reporting obligation is triggered, and to ensure that
entities are reporting events of the type and significance intended. In particular, MISO focuses
on the following draft thresholds in EOP-004 - Attachment 1:
o The requirement that an entity
report when “[d]amage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in actions to avoid a BES
Emergency.” A BES Emergency is defined as “Any abnormal system condition that requires
automatic or immediate manual action to prevent or limit the failure of transmission facilities
or generation supply that could adversely affect the reliability of the Bulk Electric System.” RCs
and BAs take actions each and every day to “avoid a BES Emergency.” At the time of those
actions, they are reacting to conditions that their operating personnel are observing on the
BES. There is no way for an RC or a BA to discern whether the conditions to which they
reacted resulted from the “damage or destruction of a Facility” and there is no requirement
for Transmission Operators and/or Owners to report “damage or destruction of a Facility” to
their BA or RC. Accordingly, RCs and BAs will likely, often not be sufficiently informed to
determine if their actions require them to submit a report. Responsible entities are likely to
expend significant time and resources reporting daily operations and actions routinely taken to
respond to observed BES conditions as they present themselves. These actions may be in
response to congestion, equipment outages, relay malfunctions, etc. Whether or not the
initiating factor was “damage to or destruction of a Facility” will often be an unknown factor
and - even if such is known - the genesis of that damage and/or what constitutes damage (as
discussed below) present further potential for confusion and over-reporting. Nonetheless, the
lack of clarity in the standard is likely to result in some RCs and BAs preparing reports whether
or not they definitely ascertain the underlying cause for the system conditions that prompted
them to take actions “to avoid a BES Emergency.” The preparation and submission of such
reports, in many cases, will not facilitate the stated objective of this standard, which is the
improvement of the reliability of the Bulk Electric System. In addition, with respect to damage
or destruction of a Facility, it is debatable as to what would be considered “damage.” For
example, would an improper repair or outage that results in damage to a Facility that requires
a more extended repair or outage be deemed “damage” to that Facility under this standard?
These ambiguities will likely result in significant over-reporting, over-burdening responsible
entities, and inundating Regional Entities and NERC with information that is not useful for the
purpose of facilitating the reliable operation of the Bulk Electric System. These effects would
undermine the express purpose of the standard and the potential value of information if the
reporting obligations are appropriately defined, assigned, and scoped. For these reasons,
MISO recommends that the SDT revise the standard to: (1) remove the requirement for RCs
and BAs to report the “damage or destruction of a Facility” as it is redundant of the
immediately subsequent requirement, (2) to remove reporting responsibility from BAs to
report the “damage or destruction of a Facility” as this obligation is more properly placed with
the TO, TOP, GO, GOP, and DP, and (3) provide guidance to the remaining responsible entities,
TO, TOP, GO, GOP, and DP, regarding when “damage” to a Facility should be reported, e.g.,
an illustrative list of the types of “damage” that would yield information and/or trends that
would facilitate the improvement of the reliability of the BES.
o The requirement to report “[p]hysical threats to a Facility” and/or “[p]hysical threats to a BES
Control Center”
With respect to physical threats to Facilities or BES Control Centers, what is
considered a “physical threat” and/or a “suspicious device or activity”? Is a crank call count
that the building is on fire a physical threat? Is the return of a disgruntled employee
suspicious? MISO understands and supports the reporting and analysis of threats and even
certain types of suspicious activities, etc. It is merely concerned that the reporting threshold
expressed in this standard will result in the reporting of substantial amounts of data that will
not facilitate the improvement of the reliability of the BES and that the volume of reports may
delay or otherwise obscure the detection of notable trends. Accordingly, MISO recommends
that the SDT revise the standard to: (1) require the reporting only of substantial physical
threats that are likely to have an adverse impact on the reliable operation of the Bulk Electric
System, and (2) to provide an illustrative list of the types of “suspicious activity or devices” as
guidance to responsible entities.
o Timing of reports
Finally, MISO respectfully suggests that NERC re-assess the timing
requirements as related to the objectives expressed within this standard. MISO believes that
NERC should clarify that its “situational awareness” staff will review submitted information to
determine whether there are indications of possible coordinated attack and to quickly inform
responsible entities that there are signals of possible coordinated attack. This clarification
could be made in the standard, or the standard could describe the process that NERC staff will
use. Unless such review and information is provided, the need that the standard attempts to
address will not be fully met. Conversely, many of the events listed in Attachment A that
require reporting do not need to be reported within 24 hours and would not offer significant
benefit or value if reported within that time period as NERC and Regional Entities primarily
utilize such information to capture metrics or perform after-the-fact events analysis.
Accordingly, MISO respectfully suggests that, while performing analysis to determine
clarifications that would result in the appropriate definition, assignment, and scope of
reporting obligations, NERC should also examine the events and identify those events for
which a longer time period for reporting would be suitable. This would significantly reduce the
administrative burden on responsible entities and likely result in more comprehensive,
rigorous, and beneficial reporting.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
Indiana Municipal Power Agency
On page 6 of 23 of the draft standard document, second paragraph under Rationale for R1, the
SDT uses the words “Every industry participant that owns or operates elements or devices on
the grid has a formal or informal process...” The use of these words implies that this
requirement and others in this standard may apply to every industry entity regardless if they
are a registered entity or not. IMPA understands that standards can only apply to entities that
are registered with NERC, but we still prefer to see different wording in this sentence. IMPA
recommends using “Every registered entity that owns or operates elements or devices on the
grid has a formal or informal process...”
We have revised “industry participants” to “Registered Entity”.
Another concern is on pages 18, 19, and 20 of 23. It is not clear what exactly is required of a
registered entity and the law enforcement reporting process. IMPA understands it is up to the
entity to decide just how its event reporting Operating Plan is made up and who is contacted
for the events in attachment 1. These pages are confusing when it comes to the listing of
stakeholders in the reporting process on page 18 of 23 and then when the SDT states that an
entity may just notify the state or provincial or local level law enforcement agency. The SDT
needs to clarify that the listing of stakeholders on page 18 of 23 is just a suggestive listing and
that if the entity so decides per its reporting Operating Plan that notification of the local law
enforcement agency is sufficient (the thought that the local law enforcement agency can
coordinate with additional law enforcement agencies if it sees the need). The requirement to
contact the FBI in CIP-001 is not a requirement in EOP-004-2 unless the registered entity puts
that requirement in its event reporting Operating Plan.
The information on law enforcement in the Guidelines and Technical Basis section is
designed to provide one example of how an entity could report to law enforcement. It is not
intended to be the only possible way.
As a clarification, in the Background section’s second paragraph, it should read “retiring both
EOP-004-1 and CIP-001-2a” as opposed to CIP-002-2a as written above in this comment
document.
We have searched the comment form and cannot find this.
Response: Thank you for your comment. Please see responses above.
Cogentrix Energy
Overall: The standard makes good stride in eliminating the redundancy of CIP-001 and EOP-004. M1 States: “... and each organization identified to receive an event report for event types
specified in EOP-004-2 Attachment 1”. It is unclear in the statement that the protocols go
with Attachment 1 and entities to receive report are part of Attachment 2.
While this draft is an
improvement on the previous draft, the proposed R2 is unacceptable, and should be amended
to, at a minimum, require reporting by the end of the next business day, instead of within 24
hours. Events or situations affecting real time reliability to the system already are required to
be reported to appropriate Functional Entities that have the responsibility to take action.
Adding one more responsibility to system operators increases the operator’s burden, which
reduces the operator’s effectiveness when operating the system. Care should be given when
placing additional responsibility on the system operators. Allowing reporting at the end of the
next business day gives operators the flexibility to allow support staff to assist with after-the-fact reporting requirements. For some event types where in order to provide real time
situational awareness over a wide area (for example coordinated sabotage event) it may be
appropriate to have more timely reporting. If the intent of this standard is to address sabotage
reporting there needs to be an understanding of the actions to be taken by those receiving the
reports so the reporting entities can incorporate those actions into their plan. As a minimum,
NERC should have a process in place to assess the reports and take appropriate actions.
Attachment 1: Threshold for reporting should not be defined such that multiple reports would
be required for the same event. For example, both the TOP and RC being required to report
the outage of a transmission line.
2nd event type (Damage or destruction of a Facility): Add the following sentence to the
Threshold for Reporting: “Do not report theft or damage unless it degrades normal operation
of a Facility.”
4th event type (Physical threats to a BES control center): The term “BES control center” needs
to be clarified.
5th, 6th, and 7th event types: In instances where a reliability directive is issued, is the
“initiating entity” the entity that issues the directive or the entity that carried out the directive.
9th event type (Voltage deviation on a Facility): Change “nominal” to “expected or scheduled.”
15th event type (Transmission loss): It is not clear what is meant by “contrary to design.” This
is so broad that it could be interpreted as requiring reporting misoperations within the
reporting time frame before even an initial investigation can begin. This needs to be clarified
and tied to the impact on the reliability of the BES.
Response: Thank you for your comment. The full Measure M1 states: “Each Responsible Entity will have a dated event reporting
Operating Plan that includes, but is not limited to the protocol(s) and each organization identified to receive an event report for
event types specified in EOP-004-2 Attachment 1 and in accordance with the entity responsible for reporting.” It is expected that the
Operating Plan will contain the entities to which a report will be submitted. The Measure indicates evidence needs to be provided
showing that these entities received the event report. The protocol(s) refer to the Operating Plan and could include any procedures
for identification of events as well as communicating to other entities.
In response to your suggestion on Requirement R2, the DSR SDT has added clarifying language to R2 as follows:
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours of meeting an event type threshold for
reporting or by the end of the next business day if the event occurs on a weekend (which is recognized to be 4 PM local time on
Friday to 8 AM Monday local time). [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
Many suggestions were made regarding the language of certain events listed in Attachment 1. Most of these comments are about
a single event type and were made by only one stakeholder. The team has reviewed all of these comments. In several cases, the
same or a similar suggestion was made on an earlier draft, and the team considered it at that time. The SDT believes that
stakeholder consensus has been achieved regarding these event types. The team has elected to move forward to recirculation
ballot.
Northeast Power Coordinating
Council
Paragraph 81 efforts are underway to eliminate requirements that have little or no reliability
benefit. This Standard only addresses documentation and has no impact on reliability.
Response: Thank you for your comment. On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and in
paragraph 81 (“P81”) invited NERC and other entities to propose to remove from Commission-approved Reliability Standards
unnecessary or redundant requirements. In response to P81 and the Commission’s request for comments to be coordinated,
during June and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions
jointly discussed consensus criteria and an initial list of Reliability Standard requirements that appeared to easily satisfy the
criteria, and, thus, could be retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from CIP-001
and EOP-004 met the initial threshold for being included in the P81 Project. Both of these requirements will also be retired by
EOP-004-2. Phase 2 of the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the
industry, those standards will remain as is and subject to the Compliance Monitoring and Enforcement Program. As the
Paragraph 81 efforts are beyond the scope of this project, the SDT can only pass along your suggestion to that project team for
action there.
Puget Sound Energy Inc.
Puget Sound Energy appreciates the Standard Drafting Team's work to streamline and clarify
the proposed standard. In addition, we understand that the Standard Drafting Team faces a
significant challenge in developing workable thresholds for reporting under this standard.
Unfortunately, Puget Sound Energy cannot support the proposed standard because the
reporting thresholds remain too vague and, thus, too broad - especially those related to
damage or destruction of a Facility and those related to physical threats. The first four events
listed on Attachment 1 are not brightline rules, because they each involve significant elements
of judgment and interpretation. An example of our concern relates to the phrase "... that
results from actual or suspected intentional human action." Puget Sound Energy, like many
regulated entities, is staffed only with System Operators at night and on weekends. As a
result, the 24-hour reporting requirement necessarily requires the System Operators to submit
the required reports. So, how is a System Operator going to judge whether a human action is
"intentional"? As a result, it will be necessary to report any event in which human action is
involved because there is no way for a System Operator to know for sure whether the action is
intentional or not. And, regulated entities will need to instruct their System Operators to
make such reports, because the failure to submit a report of even one event listed in EOP-004
Attachment 1 is assigned a severe VSL under the proposed standard. We believe that the
proposed threshold language will likely result in a flood of event reports that will not improve
situation awareness.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
In response to your concern on the 24-hour reporting requirement, the DSR SDT has added clarifying language to R2 as follows:
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours of recognition of meeting an event type
threshold for reporting or by the end of the next business day if the event occurs on a weekend (which is recognized to be 4 PM
local time on Friday to 8 AM Monday local time). [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
Exelon Corporation and its affiliates
Thanks to the drafting team for all the work on this revision. Significant progress was made,
though Exelon has some remaining comments:
o It’s not clear why the team separated ‘Damage or destruction of a Facility’ into two rows.
Please advise.
Response: The first row applies to the RC, which may not own any Facilities but has them
under their operational control. This event applies to damage or destruction whereby the
RC, TOP or BA has to take action to avoid a BES Emergency. The second row is simply
damage or destruction of a Facility. It is expected that this second type of event would not
be severe enough to have to take action to avoid a BES Emergency.
o Damage or destruction of a Facility - The threshold for "damage or destruction of a Facility”
is too open-ended without qualifying the device or activity as “confirmed”. Event reporting for
nuclear generating units are initiated when an incident such as tampering is "confirmed". EOP-004 should include some threshold of proof for a reason to believe that no other possibility
exists for "damage or destruction of a facility" event other than actual or suspected intentional
human action.
Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one
stakeholder. The team has reviewed all of these comments. In several cases, the same or a
similar suggestion was made on an earlier draft, and the team considered it at that time.
The SDT believes that stakeholder consensus has been achieved regarding these event types.
The team has elected to move forward to recirculation ballot.
o Physical threats to a Facility - Reporting of every “suspicious activity” such as photographing
equipment or site could result in an unwieldy volume of reports and dilute the data from
depicting quality insight. For example, nuclear generating units are required to report all
unauthorized and/or suspicious activity to the NRC. Please confirm that the intent of this
threshold for notification would include all unauthorized and/or suspicious activity.
The SDT concurs that the intent of the threshold for notification would include all
unauthorized and/or suspicious activity.
o Physical threats to a BES control center - please confirm that reporting responsibility falls to
the RC, BA, TOP and not GOs. In addition, please confirm that by use of the lower case
“control center” other definitions in development through other standards development
projects (e.g. CIP version 5) and that may be added to the NERC Glossary will not apply until
formally vetted in a future EOP-004 standards development project.
The entities listed for this event type are the RC, BA and TOP only. No other entities are
applicable for this event type. If the lower case “control center” is replaced by a definition
developed in future standards actions, a change to EOP-004-2 to use the defined term would
require notice to the industry and a ballot of the revised standard in some manner. The DSR
SDT does not have control over how that would be accomplished.
o Loss of firm load - “Loss of firm load for ≥ 15 Minutes: ≥ 300 MW for entities with
previous year’s demand ≥ 3,000 MW”. Please clarify whether the team intends for this to
apply to a single event a loss of more than 300 MW due to non-concurrent multiple
distribution outages that total > 300MW.
This event relates to a single incident of the loss of firm load.
o Generation loss - Exelon appreciates the timing clarification added to the generation loss
threshold. The phrase “within one minute” should also be included in the threshold for the
ERCOT and Quebec Interconnections to read: “Total generation loss, within one minute, of
≥ 2,000 MW for entities in the Eastern or Western Interconnection OR Total generation
loss, within one minute, of ≥ 1,000 MW for entities in the ERCOT or Quebec
Interconnection”
The phrase “within one minute” applies to everything listed in the event. To clarify this, we
have inserted a colon after the word “of” and moved “≥ 2,000 MW for entities in the Eastern
or Western Interconnection” down one line.
o The Law Enforcement Reporting section in the Guideline and Technical Basis states: "The
inclusion of reporting to law enforcement enables and supports reliability principles such as
protection of the BES from malicious physical or cyber attack." Since CIP-008 now covers
reporting of cyber incidents the reference to cyber should be removed.
We have made the correction in your last point regarding “cyber attacks” and have removed
it from the Guidelines and Technical Basis section.
Response: Thank you for your comment. Please see responses embedded above.
MRO NSRF
The NSRF requests that the SDT address the following concerns and clarifications in
Attachment 1;
1) Please explore redundancy reporting event Item #14; Complete loss of off-site power to a
nuclear generating plant with obligations of NUC-001-2.1 R9.4.4. “Provisions for supplying
information necessary to report to government agencies, as related to NPIRs.” The NSRF
understands the importance concerning safety issues with a nuclear plant. A multiple unit coal
facility may have a larger reliability impact to the BES than a nuclear plant. The SDT is stating
that the fuel source is a reporting issue, not the reliability of a plant losing off-site power.
Recommend that this item be deleted.
2) Item 2 in Attachment 1 would obligate an entity to report any loss of (copper) grounds
either on a T-Line or grounds associated with a transformer or breakers and that this level of
reporting should not rise to the NERC level. Believes that additional qualifying language similar
to Item 1 be incorporated into the threshold and read as follows: “Damage or destruction of its
Facility that results from actual or suspected intentional human action that results in actions to
avoid a BES Emergency.”
3) Item 3 Attachment 1 needs clarification since a physical threat needs to be actual and
confirmed so that the TO or TOP repositions the system. In addition, the SDT needs to clarify
what the phrase “normal operations” means. (Is this a ratings issue? or a result in how the
System Operator operates the system.)
4) Item 3 should provide clarification as to “Suspicious device or activity at a Facility” to
determine when threshold raises to the level of reporting. We are concerned that, based on
an Auditor's perception, these words could be interpreted in several different ways. In
addition, we believe that language needs to be included that the threat causes the reporting
entity to change to an abnormal operating state. This situation could be interpreted
differently by the auditor or the entity at the time of the event. Recommend the following
language: “Suspicious device or activity at a Facility with the potential to degrade the normal
operation of the Facility”. This language is similar to the first threshold.
5) The term Initiating entity is used three times within Attachment 1 and needs to be more
clearly defined or reworded. Is it the entity that identifies the needs of a Public Appeal or the
entity that makes the public appeal the initiating entity? The word “initiating” does not
provide clarity but only provides uncertainty to the industry. The Standard needs to be clear
on who has the responsibility as the “initiating”. Recommend the following: a. For public
appeal, under Entity with Reporting Responsibility; “entity that issues a public appeal to the
public” b. For system wide voltage reduction, under Entity with Reporting Responsibility;
“entity that activates a voltage reduction” c. For manual load shedding, under Entity with
Reporting Responsibility; “entity that activates manual load shedding”
6) The NSRF recommends transmission loss to read as: “contrary to protection system design”
found in threshold for reporting within the Attachment for a Transmission loss event.
7) In Requirement 2/ Measure 2, recommend adding “upon recognition of” as a starting point
to the 24 hour reporting requirement, within the threshold of reporting where perceived
threats are the threshold, or transmission loss, when contrary to design is determined.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
7) This was the intent of the drafting team and we have made this clarification to R2 and M2.
Independent Electricity System
Operator
The proposed implementation plan may conflict with Ontario regulatory practice respecting
the effective date of the standard. It is suggested that this conflict be removed by: Moving the
last part “, or as otherwise made effective pursuant to the laws applicable to such ERO
governmental authorities.” to right after “this standard is approved by applicable regulatory
approval” in the Effective Dates Section on P.2 of the draft standard, and the proposed
Implementation Plan.
Response: Thank you for your comment. The SDT used the standard language provided by NERC Legal and intended to address all
of the jurisdictions in which the standard may become enforceable. We will refer your suggestion to NERC Legal for consideration
in the preparation of the filing.
Bonneville Power Administration
The proposed standard does not have any oral reporting option for system operators and thus
appears to be administrative in nature. Due to this and the fact that administrative staff are
not available on weekends, the “24 hour” reporting requirements should be modified to “Next
Business Day” to allow for weekend delays in reporting. BPA believes that there are too many
minor events that have to be reported within 24 hours. Reporting during the next business
day would suffice. Some examples include: A 115 shunt capacitor bank failure for the first
event type does not seem important enough to require reporting within 24 hours just because
action has to be taken to raise generation or switching of line. A failure of a line tower that has
proper protective action to clear the line and also has automatic (SPS) to properly protect as
designed the BES system (a good normal practice) from overloads or voltage issues does not
seem important enough to require reporting within 24 hours either.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
Clark Public Utilities
The SDT has not adequately addressed my comments from the last draft regarding damage or
destruction of its facility that results from actual or suspected intentional human action. The
SDT needs to limit what it means by damage. As an example, if someone breaks into a
substation and paints graffiti on a breaker that is part of the BES, the breaker has been
"damaged." However, the breaker's ability to function has not been compromised and there
are no emergency actions that need to be taken. There is no reason for an emergency
reporting procedure to require this to be reported. The SDT needs to add the same modifier
for damage that it added in the previous event threshold for reporting. The reference for this
type of damage should be as follows: Event: Damage or destruction of a Facility. Entity with
Reporting Responsibility: BA, TO, TOP, GO, GOP, DP. Threshold for Reporting: Damage or
destruction of its Facility that results from actual or suspected intentional human action that
results in actions to avoid a BES Emergency.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
Lewis County PUD
We are a small utility with little impact to the BES with a small hydro on the end of a 230kV
line. CIP-001 requires us to contact the FBI who has repeatedly instructed us to call the local
sheriff office. The sheriff office has instructed us to call 911 and they will contact the FBI as
needed. Therefore, 911 is our only contact number and our plan if vandalism, property
destruction or sabotage is to have a supervisor call 911 and report. I do not think calling 911 to
confirm the contact number serves any purpose. Our plan will be simple with not a lot of detail.
The drafting team should recognize the reality of small utilities and state the required plan
may be simple and not follow the flowchart in the draft standard.
Response: Thank you for your comment. The SDT did recognize your circumstances and set the requirements to provide the
flexibility to address the diversity of entities to which the standard is intended to apply.
SPP Standards Review Group
We have made previous comments in the past regarding the listing in the Entity with Reporting
Responsibility column of Attachment 1. While we concur with some of the changes that the
drafting team has made regarding the addition of a bright line in the Threshold for Reporting
column, there remain events where there is no line at all. For example, in the Transmission
loss event, the TOP is listed and there is no distinction regarding which TOP is required to file
the event report. Is it the TOP in whose TOP area the loss occurred or is it a neighboring TOP
who observes the loss? Clearly, the responsibility for reporting lies with the host system. There
are several other similar events where the bright line is non-existent and needs to be added.
We suggest that the drafting team return the deleted language to the Entity with Reporting
Responsibility column in those instances where the bright line has not been added in the
Threshold column. Regarding multiple reports for a single event, we again believe that only a
single report should be required. While additional information may be available from others,
let the Event Analysis personnel do their job investigating an event and eliminate any
redundant reporting that is currently required as the standard is written.
If not, this standard, if approved, would then appear to be a likely candidate for Phase 2 of the
Paragraph 81 project.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot. On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track
process and in paragraph 81 (“P81”) invited NERC and other entities to propose to remove from Commission-approved Reliability
Standards unnecessary or redundant requirements. In response to P81 and the Commission’s request for comments to be
coordinated, during June and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff from the
NERC Regions jointly discussed consensus criteria and an initial list of Reliability Standard requirements that appeared to easily
satisfy the criteria, and, thus, could be retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from
CIP-001 and EOP-004 met the initial threshold for being included in the P81 Project. Both of these requirements will also be
retired by EOP-004-2. Phase 2 of the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any modifications
to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2 is not
approved by the industry, those standards will remain as is and subject to the Compliance Monitoring and Enforcement Program.
As the SDT is moving forward with a Recirculation Ballot, your suggestions will be forwarded to NERC for future consideration.
SERC OC Standards Review Group
While this draft is an improvement on the previous draft, the proposed R2 is unacceptable,
and should be amended to, at a minimum, require reporting by the end of the next business
day, instead of within 24 hours. Events or situations affecting real time reliability to the system
already are required to be reported to appropriate Functional Entities that have the
responsibility to take action. Adding one more responsibility to system operators increases the
operator’s burden, which reduces the operator’s effectiveness when operating the system.
Care should be given when placing additional responsibility on the system operators. Allowing
reporting at the end of the next business day gives operators the flexibility to allow support
staff to assist with after-the-fact reporting requirements. For some event types where in order
to provide real time situational awareness over a wide area (for example coordinated sabotage
event) it may be appropriate to have more timely reporting. If the intent of this standard is to
address sabotage reporting there needs to be an understanding of the actions to be taken by
those receiving the reports so the reporting entities can incorporate those actions into their
plan. As a minimum, NERC should have a process in place to assess the reports and take
appropriate actions.
Attachment 1: Threshold for reporting should not be defined such that multiple reports would
be required for the same event. For example, both the TOP and RC being required to report
the outage of a transmission line.
2nd event type (Damage or destruction of a Facility): Add the following sentence to the
Threshold for Reporting: “Do not report theft or damage unless it degrades normal operation
of a Facility.”
4th event type (Physical threats to a BES control center): The term “BES control center” needs
to be clarified.
5th, 6th, and 7th event types: In instances where a reliability directive is issued, is the
“initiating entity” the entity that issues the directive or the entity that carried out the directive?
9th event type (Voltage deviation on a Facility): Change “nominal” to “expected or scheduled.”
15th event type (Transmission loss): It is not clear what is meant by “contrary to design.” This
is so broad that it could be interpreted as requiring reporting misoperations within the
reporting time frame before even an initial investigation can begin. This needs to be clarified
and tied to the impact on the reliability of the BES. The comments expressed herein represent
a consensus of the views of the above named members of the SERC OC Standards Review
Group only and should not be construed as the position of SERC Reliability Corporation, its
board, or its officers.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
Tacoma Public Utilities
Why does the text “...but is not limited to...” in M1 have to be included? Does this mean that
there are unwritten requirements that an auditor might look for? What if, in trying to validate
contact information, contacts do not confirm their information?
Regarding the Loss of firm load row in Attachment 1, an exception should be made for
weather or natural disaster related threats in the Threshold for Reporting.
Regarding the Transmission loss row in Attachment 1, it is not quite clear which types of BES
Elements would meet the Threshold for Reporting. Is it just lines, buses, and transformers?
What about reactive resources? What about generators that unexpectedly trip offline during a
fault on the transmission system?
Response: Thank you for your comment. In Measure M1 the text “but is not limited to” is intended to provide flexibility for each
entity to determine, based on its assets and unique situation, to develop an Operating Plan that appropriately supports reliability.
Many suggestions were made regarding the language of certain events listed in Attachment 1. Most of these comments are about
a single event type and were made by only one stakeholder. The team has reviewed all of these comments. In several cases, the
same or a similar suggestion was made on an earlier draft, and the team considered it at that time. The SDT believes that
stakeholder consensus has been achieved regarding these event types. The team has elected to move forward to recirculation
ballot.
MidAmerican Energy
Yes. 1) MidAmerican Energy agrees with and supports MRO NSRF comments.
2) Add additional wording to clearly provide for compliance when events are found more than
24 hours after an event. Add the following to the end of R2. Add, Events not identified until
sometime later after they occurred shall be reported within 24 hours.
3) In R3 add "external" for R3 to read Validate "external" contact information.
4) In EOP-004-2 Attachment 1 - the wording “Damage or destruction of its Facility that results
from actual or suspected intentional human action that results in actions to avoid a BES
Emergency” is not specific or measureable and therefore ambiguous. Zero defect standards
which carry penalties must be specific. Please reword to "Intentional human action to destroy
a NERC BES facility whose loss could result in actions to avoid a BES Emergency". This clearly
aligns with the EOP-004 intent of sabotage and emergency reporting. EOP-004 should not
report on unexpected conditions such as when a system operator attempts to reclose a line
during a storm believing the line tripped for a temporary fault due to debris, when in fact the
fault was permanent and damaged a transformer.
Response: Thank you for your comment. See response to MRO NSRF comments.
Many suggestions were made regarding the language of certain events listed in Attachment 1. Most of these comments are about
a single event type and were made by only one stakeholder. The team has reviewed all of these comments. In several cases, the
same or a similar suggestion was made on an earlier draft, and the team considered it at that time. The SDT believes that
stakeholder consensus has been achieved regarding these event types. The team has elected to move forward to recirculation
ballot.
American Transmission Company
Yes A. ATC requests that the Standards Drafting Team address the following concerns and
clarifications in Attachment 1:
a.) Reporting event #14 in Attachment 1, is duplicative with respect to Nuclear Reliability
Standard NUC-001-2.1 R 9.4.4. Reporting event #14 requires entities to report to NERC a
“Complete loss of off-site power to a nuclear generating plant” while Nuclear Reliability
Standard NUC-001-2.1 R9.4.4., i.e. includes “Provisions for supplying information necessary to
report to government agencies, as related to Nuclear Plant Interface Requirements (NPIRs)”.
In addition, ATC believes the reporting related to event #14 in Attachment 1 is not a
“reliability” issue, and more appropriately covered under Standard NUC-001 as a “Nuclear
Safety Shutdown” issue. Therefore, ATC recommends that Item #14 in Attachment 1 of EOP-004-2 be deleted.
b.) In Attachment 1, reporting event #2, i.e. “Damage or destruction of a Facility” could
obligate an entity to report any loss of copper grounds either on a T-Line or grounds associated
with a transformer or breakers. ATC believes this does not rise to a reporting level such as
NERC. ATC believes that additional qualifying language similar to reporting item #1 be
incorporated into the threshold and read as follows: “Damage or destruction of its Facility that
results from actual or suspected intentional human action that results in actions to avoid a BES
Emergency.”
c.) In Attachment 1, reporting event #3 i.e. “Physical threats to a Facility” needs clarification
since a physical threat needs to be actual and confirmed so that the TO or TOP repositions the
system. In addition, the SDT needs to clarify what the phrase “normal operations” means. Is
this a ratings issue? Or a result in how the Operator operates the system.
d.) In Attachment 1, reporting event #3 threshold i.e. “Suspicious device or activity at a
Facility” needs clarification to determine when it raises to the level of reporting. These words
could be interpreted in several different ways. In addition, ATC believes that language needs to
be added that the threat causes the reporting entity to change to an abnormal operating state.
ATC recommends the threshold be revised to read: “Suspicious device or activity at a Facility
with the potential to degrade the normal operation of the Facility”.
e.) In Attachment 1, the term “Initiating entity” is used three times for reporting events and
needs to be clearly defined or reworded. Is it the entity that identifies the needs of a Public
Appeal or the entity that makes the public appeal the initiating entity? The Standard needs to
be clear on who has the responsibility as the “initiating” party, especially when multiple parties
may be involved. ATC recommends the following: 1) For public appeal, under Entity with
Reporting Responsibility; it is the “entity that issues a public appeal to the public” 2) For
system wide voltage reduction, under Entity with Reporting Responsibility; it is the “entity that
activates a voltage reduction” 3) For manual load shedding, under Entity with Reporting
Responsibility; it is the “entity that activates manual load shedding”
f.) In Attachment 1, reporting event #15 i.e. “Transmission Loss”, the threshold includes the
phrase “contrary to design”. ATC recommends this be clarified to read “contrary to protection
system design”.
B. In EOP-004-2 Requirement 2/ Measure 2 both have the following language: “Each
Responsible Entity shall report events per their Operating Plan within 24 hours of meeting an
event type threshold for reporting.” ATC recommends adding “upon recognition” as a starting
point to the 24 hour reporting requirement. This would be revised to read: “Each Responsible
Entity shall report events per their Operating Plan within 24 hours of recognition of an event
type threshold”
Response: Thank you for your comment. A) Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
B) This was the intent of the drafting team and we have made this clarification to R2 and M2.
END OF REPORT
Exhibit E
Analysis of how VRFs and VSLs Were Determined Using Commission Guidelines
Violation Risk Factor and Violation Severity Level Assignments
Project 2009-01 – Disturbance and Sabotage Reporting
This document provides the drafting team’s justification for assignment of violation risk factors (VRFs)
and violation severity levels (VSLs) for each requirement in
EOP-004-2 — Event Reporting
Each primary requirement is assigned a VRF and a set of one or more VSLs. These elements support the
determination of an initial value range for the Base Penalty Amount regarding violations of requirements
in FERC-approved Reliability Standards, as defined in the ERO Sanction Guidelines.
Justification for Assignment of Violation Risk Factors in EOP-004-2
The Disturbance and Sabotage Reporting Standard Drafting Team applied the following NERC criteria
when proposing VRFs for the requirements in EOP-004-2:
High Risk Requirement
A requirement that, if violated, could directly cause or contribute to bulk electric system
instability, separation, or a cascading sequence of failures, or could place the bulk electric system
at an unacceptable risk of instability, separation, or cascading failures; or, a requirement in a
planning time frame that, if violated, could, under emergency, abnormal, or restorative conditions
anticipated by the preparations, directly cause or contribute to bulk electric system instability,
separation, or a cascading sequence of failures, or could place the bulk electric system at an
unacceptable risk of instability, separation, or cascading failures, or could hinder restoration to a
normal condition.
Medium Risk Requirement
A requirement that, if violated, could directly affect the electrical state or the capability of the
bulk electric system, or the ability to effectively monitor and control the bulk electric system.
However, violation of a medium risk requirement is unlikely to lead to bulk electric system
instability, separation, or cascading failures; or, a requirement in a planning time frame that, if
violated, could, under emergency, abnormal, or restorative conditions anticipated by the
preparations, directly and adversely affect the electrical state or capability of the bulk electric
system, or the ability to effectively monitor, control, or restore the bulk electric system.
However, violation of a medium risk requirement is unlikely, under emergency, abnormal, or
restoration conditions anticipated by the preparations, to lead to bulk electric system instability,
separation, or cascading failures, nor to hinder restoration to a normal condition.
Lower Risk Requirement
A requirement that is administrative in nature and a requirement that, if violated, would not be
expected to adversely affect the electrical state or capability of the bulk electric system, or the
ability to effectively monitor and control the bulk electric system; or, a requirement that is
administrative in nature and a requirement in a planning time frame that, if violated, would not,
under the emergency, abnormal, or restorative conditions anticipated by the preparations, be
expected to adversely affect the electrical state or capability of the bulk electric system, or the
ability to effectively monitor, control, or restore the bulk electric system. A planning requirement
that is administrative in nature.
The SDT also considered consistency with the FERC Violation Risk Factor Guidelines for setting VRFs:¹
Guideline (1) — Consistency with the Conclusions of the Final Blackout Report
The Commission seeks to ensure that Violation Risk Factors assigned to Requirements of
Reliability Standards in these identified areas appropriately reflect their historical critical impact
on the reliability of the Bulk-Power System.
In the VSL Order, FERC listed critical areas (from the Final Blackout Report) where violations could
severely affect the reliability of the Bulk-Power System:²
− Emergency operations
− Vegetation management
− Operator personnel training
− Protection systems and their coordination
− Operating tools and backup facilities
− Reactive power and voltage control
− System modeling and data exchange
− Communication protocol and facilities
− Requirements to determine equipment ratings
− Synchronized data recorders
− Clearer criteria for operationally critical facilities
− Appropriate use of transmission loading relief.
Guideline (2) — Consistency within a Reliability Standard
The Commission expects a rational connection between the sub-Requirement Violation Risk
Factor assignments and the main Requirement Violation Risk Factor assignment.
¹ North American Electric Reliability Corp., 119 FERC ¶ 61,145, order on reh’g and compliance filing, 120 FERC ¶ 61,145 (2007) (“VRF Rehearing Order”).
² Id. at footnote 15.
VRF and VSL Assignments – Project 2009-01 (August 2, 2012)
Guideline (3) — Consistency among Reliability Standards
The Commission expects the assignment of Violation Risk Factors corresponding to
Requirements that address similar reliability goals in different Reliability Standards would be
treated comparably.
Guideline (4) — Consistency with NERC’s Definition of the Violation Risk Factor Level
Guideline (4) was developed to evaluate whether the assignment of a particular
Violation Risk Factor level conforms to NERC’s definition of that risk level.
Guideline (5) — Treatment of Requirements that Co-mingle More Than One Obligation
Where a single Requirement co-mingles a higher risk reliability objective and a lesser risk
reliability objective, the VRF assignment for such Requirements must not be watered down to
reflect the lower risk level associated with the less important objective of the Reliability
Standard.
The following discussion addresses how the SDT considered FERC’s VRF Guidelines 2 through 5. The
team did not address Guideline 1 directly because of an apparent conflict between Guidelines 1 and 4.
Whereas Guideline 1 identifies a list of topics that encompass nearly all topics within NERC’s
Reliability Standards and implies that these requirements should be assigned a “High” VRF, Guideline 4
directs assignment of VRFs based on the impact of a specific requirement to the reliability of the system.
The SDT believes that Guideline 4 is reflective of the intent of VRFs in the first instance and therefore
concentrated its approach on the reliability impact of the requirements.
VRF for EOP-004-2:
There are three requirements in EOP-004-2. Requirement R1 was assigned a Lower VRF while
Requirements R2 and R3 were assigned a Medium VRF.
VRF for EOP-004-2, Requirement R1:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. The Requirement specifies which
entities are required to have processes for recognition of events and for communicating with other
entities. This Requirement is the only administrative Requirement within the Standard. The VRF is
only applied at the Requirement level.
• FERC’s Guideline 3 — Consistency among Reliability Standards. This requirement calls for an
entity to have processes for recognition of events and communicating with other entities. This
requirement is administrative in nature and deals with the means to report events after the fact.
All event reporting requirements in Attachment 1 are for 24 hours after recognition that an event
has occurred. The current approved VRFs for EOP-004-1 are all lower with the exception of
Requirement R2 which is a requirement to analyze events. This standard relates only to reporting
events. The analysis portion is addressed through the NERC Rules of Procedure and the Events
Analysis Program.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. Failure to have an event
reporting Operating Plan is not likely to directly affect the electrical state or the capability of the bulk
electric system. Development of the Operating Plan is a requirement that is administrative in nature
and is in a planning time frame that, if violated, would not, under emergency, abnormal, or
restorative conditions anticipated by the preparations, be expected to adversely affect the electrical
state or capability of the bulk electric system, or the ability to effectively monitor, control, or restore
the bulk electric system. Therefore this requirement was assigned a Lower VRF.
• FERC’s Guideline 5 — Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R1 contains only one objective which is to have an Operating Plan with
two distinct processes. Since the requirement is to have an Operating Plan, only one VRF was
assigned.
VRF for EOP-004-2, Requirement R2:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. This Requirement calls for the
Responsible Entity to implement its Operating Plan and is assigned a Medium VRF. There is one
other similar Requirement in this Standard which specifies an annual validation of the information
contained in the Operating Plan (R3). Both of these Requirements are assigned a Medium VRF.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R2 is a
requirement for entities to report events using the process for recognition of events per Attachment 1.
Failure to report events within 24 hours is not likely to “directly affect the electrical state or the
capability of the bulk electric system, or the ability to effectively monitor and control the bulk
electric system.” However, violation of a medium risk requirement should also be “unlikely to lead
to bulk electric system instability, separation, or cascading failures…” Such an instance could occur
if personnel do not report events. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R2 mandates that Responsible Entities implement their Operating Plan. Bulk power system
instability, separation, or cascading failures are not likely to occur due to a failure to notify another
entity of the event failure, but there is a slight chance that it could occur. Therefore, this requirement
was assigned a Medium VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R2 addresses a single objective and has a single VRF.
VRF for EOP-004-2, Requirement R3:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. This Requirement calls for the
Responsible Entity to perform an annual validation of the information contained in the Operating
Plan and is assigned a Medium VRF. There is one other similar Requirement in this Standard which
specifies that the Responsible Entity implement its Operating Plan (R2). Both of these
Requirements are assigned a Medium VRF.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R3 is a
requirement for entities to perform an annual validation of the information contained in the
Operating Plan. Failure to perform an annual validation of the information
contained in the Operating Plan is not likely to “directly affect the electrical state or the capability of
the bulk electric system, or the ability to effectively monitor and control the bulk electric system.”
However, violation of a medium risk requirement should also be “unlikely to lead to bulk electric
system instability, separation, or cascading failures…” Such an instance could occur if personnel do
not perform an annual test of the Operating Plan and it is out of date or contains erroneous
information. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R3 mandates that Responsible Entities perform an annual validation of the information contained in
the Operating Plan. Bulk power system instability, separation, or cascading
failures are not likely to occur due to a failure to perform an annual test of the Operating Plan, but
there is a slight chance that it could occur if the Operating Plan is out of date or contains erroneous
information. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R3 addresses a single objective and has a single VRF.
Justification for Assignment of Violation Severity Levels for EOP-004-2:
In developing the VSLs for the EOP-004-2 standard, the SDT anticipated the evidence that would be
reviewed during an audit, and developed its VSLs based on the noncompliance an auditor may find
during a typical audit. The SDT based its assignment of VSLs on the following NERC criteria:
Lower
Missing a minor element (or a small percentage) of the required performance. The performance or
product measured has significant value as it almost meets the full intent of the requirement.
Moderate
Missing at least one significant element (or a moderate percentage) of the required performance.
The performance or product measured still has significant value in meeting the intent of the
requirement.
High
Missing more than one significant element (or is missing a high percentage) of the required
performance or is missing a single vital component. The performance or product has limited value
in meeting the intent of the requirement.
Severe
Missing most or all of the significant elements (or a significant percentage) of the required
performance. The performance measured does not meet the intent of the requirement or the
product delivered cannot be used in meeting the intent of the requirement.
FERC’s VSL guidelines are presented below, followed by an analysis of whether the VSLs proposed for
each requirement in EOP-004-2 meet the FERC Guidelines for assessing VSLs:
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence
of Lowering the Current Level of Compliance
Compare the VSLs to any prior levels of non-compliance and avoid significant changes that may
encourage a lower level of compliance than was required when levels of non-compliance were
used.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in
the Determination of Penalties
A violation of a “binary” type requirement must be a “Severe” VSL.
Do not use ambiguous terms such as “minor” and “significant” to describe noncompliant
performance.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement
VSLs should not expand on what is required in the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations
. . . unless otherwise stated in the requirement, each instance of non-compliance with a
requirement is a separate violation. Section 4 of the Sanction Guidelines states that assessing
penalties on a per violation per day basis is the “default” for penalty calculations.
VSLs for EOP-004-2 Requirement R1:
R#: R1
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. The requirement calls for the
entity to have an Operating Plan and is binary in nature. The VSL is therefore set to “Severe”.
Guideline 1 (Violation Severity Level Assignments Should Not Have the Unintended Consequence of
Lowering the Current Level of Compliance): The proposed requirement is a revision of CIP-001-1,
R1-R4, and EOP-004-1, R2. The Requirement has no Parts and is binary in nature. The binary VSL
does not lower the current level of Compliance.
Guideline 2 (Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the
Determination of Penalties; Guideline 2a: The Single Violation Severity Level Assignment Category
for "Binary" Requirements Is Not Consistent; Guideline 2b: Violation Severity Level Assignments
that Contain Ambiguous Language): The proposed VSL does not use any ambiguous terminology,
thereby supporting uniformity and consistency in the determination of similar penalties for similar
violations.
Guideline 3 (Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement): The proposed binary VSL uses the same terminology as used in the associated
requirement, and is, therefore, consistent with the requirement.
Guideline 4 (Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations): The VSLs are based on a single violation and not cumulative
violations.
VSLs for EOP-004-2 Requirement R2:
R#: R2
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental
aspect to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1 (Violation Severity Level Assignments Should Not Have the Unintended Consequence of
Lowering the Current Level of Compliance): The proposed requirement is a revision of EOP-004-1,
R3. There is only a Severe VSL for that requirement. However, the reporting of events is based on
timing intervals listed in EOP-004 Attachment 1. Based on the VSL Guidance, the DSR SDT
developed four VSLs based on tardiness of the submittal of the report. If a report is not submitted,
then the VSL is Severe. This maintains the current VSL.
Guideline 2 (Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the
Determination of Penalties; Guideline 2a: The Single Violation Severity Level Assignment Category
for "Binary" Requirements Is Not Consistent; Guideline 2b: Violation Severity Level Assignments
that Contain Ambiguous Language): The proposed VSLs do not use any ambiguous terminology,
thereby supporting uniformity and consistency in the determination of similar penalties for similar
violations.
Guideline 3 (Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement): The proposed VSLs use the same terminology as used in the associated requirement,
and are, therefore, consistent with the requirement.
Guideline 4 (Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations): The VSLs are based on a single violation and not cumulative
violations.
VSLs for EOP-004-2 Requirement R3:
R#: R3
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental
aspect to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1 (Violation Severity Level Assignments Should Not Have the Unintended Consequence of
Lowering the Current Level of Compliance): The proposed requirement is a new Requirement. The
test of the Operating Plan is based on the calendar year. Based on the VSL Guidance, the DSR SDT
developed four VSLs based on tardiness of the submittal of the report. If a test is not performed,
then the VSL is Severe.
Guideline 2 (Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the
Determination of Penalties; Guideline 2a: The Single Violation Severity Level Assignment Category
for "Binary" Requirements Is Not Consistent; Guideline 2b: Violation Severity Level Assignments
that Contain Ambiguous Language): The proposed VSLs do not use any ambiguous terminology,
thereby supporting uniformity and consistency in the determination of similar penalties for similar
violations.
Guideline 3 (Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement): The proposed VSLs use the same terminology as used in the associated requirement,
and are, therefore, consistent with the requirement.
Guideline 4 (Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations): The VSLs are based on a single violation and not cumulative
violations.
Exhibit F
Record of Development of Proposed Reliability Standard
Project 2009-01
Disturbance and Sabotage Reporting
Related Files
Status:
Adopted by the Board of Trustees on November 6, 2012, pending regulatory
approval.
Background:
This project will entail revision to the following existing standards:
• CIP-001-1 – Sabotage Reporting
• EOP-004-1 – Disturbance Reporting
Stakeholders have indicated that identifying potential acts of “sabotage” is
difficult to do in real time, and additional clarity is needed to identify thresholds
for reporting potential acts of sabotage in CIP-001-1. Stakeholders have also
reported that EOP-004-1 has some requirements that reference out-of-date
Department of Energy forms, making the requirements ambiguous. EOP-004-1
also has some ‘fill-in-the-blank’ components to eliminate.
The project will include addressing previously identified stakeholder concerns and
FERC directives; will bring the standards into conformance with the latest
approved version of the ERO Rules of Procedure; and may include other
improvements to the standards deemed appropriate by the drafting team, with
the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards.
Draft
Action
Dates
Results
Draft 6
EOP-004-2
Clean(89) |
Redline to last
posted(90)
Implementation
Plan
Clean(91)
Supporting
Materials:
Mapping
Document(92)
Recirculation Ballot
and Non-binding
poll
Info(97)
Summary(98)
10/24/12
11/05/12
(closed)
Ballot
Results(99)
Non-binding
Poll
Results(100)
Consideration of
Comments
Consideration of
Issues and
Directives(93)
VRF/VSL
Justification(94)
CIP-001-2a(95)
EOP-004-1(96)
Draft 5
EOP-004-2
Clean (71)|
Redline to Last
Posted(72)
Successive Ballot
and Non-binding
Poll
Implementation
Plan
Clean(73) |
Redline to Last
Posted(74)
Info(81)
Updated
Summary(83)
09/18/12
09/27/12
(closed)
Ballot
Results(84)
Non-binding
Poll
Results(85)
Comments
Received(86)
Consideration of
Comments(88)
Supporting
Materials:
Comment Form
(Word)(75)
Mapping
Document(76)
Consideration of
Issues and
Directives(77)
Comment Period
Info(82)
08/29/12
09/27/12
(closed)
Meeting
Results(87)
VRF/VSL
Justification(78)
CIP-001-2a(79)
EOP-004-1(80)
Draft 4
EOP-004-2
Clean(51) |
Redline to Last
Posted (52)
Successive Ballot
and Non-binding
Poll
Updated Info(63)
Summary(66)
05/15/12
05/24/12
(closed)
Ballot
Results(67)
Info(64)
Supporting
Materials:
Comment Form
(Word)(53)
Non-binding
Poll
Results(68)
Implementation
Plan
Clean(54) |
Redline to Last
Posted(55)
Consideration of
Comments(70)
Mapping
Document(56)
Consideration of
Issues and
Directives(57)
Comment Period
Info(65)
VRF/VSL
Justification(58)
04/25/12
05/24/12
(closed)
Comments
Received(69)
Proposed NERC
RoP Section
812(59)
CIP-001-2a(60)
CIP-008-3(61)
EOP-004-1(62)
Draft 3
EOP-004-2
Clean(34) |
Redline to Last
Posted(35)
Supporting
Materials:
Comment Form
(Word)(36)
Implementation
Plan
Clean(37) |
Redline to Last
Posted(38)
Mapping
Formal Comment
Period
Info(43)
Initial Ballot and
Non-Binding Poll
Updated Info(44)
Info(45)
10/28/11
11/28/11
(closed)
10/28/11
12/12/11
(closed)
Comments
Received(46)
Consideration of
Comments(50)
Summary(47)
12/02/11
12/12/11
(closed)
Full
Record(48)
Non-Binding
Poll
Document(39)
Results(49)
VRF/VSL
Justification(40)
CIP-001-1(41)
EOP-004-1(42)
Draft 2
EOP-004-2
clean(25) |
redline to last
posted(26)
Supporting
Materials:
Comment Form
(Word)(27)
Info(31)
Formal Comment
Period>>
Consideration of
Comments(33)
03/09/11
04/08/11
Comments
Received(32)
Implementation
Plan(28)
CIP-001-1(29)
EOP-004-1(30)
Draft 1
EOP-004-2
EOP-004-2(19)
Supporting
Materials:
Comment Form
(Word)(20)
Informal Comment
Period
09/15/10
–
10/15/10
Comments
Received(23)
Consideration of
Comments(24)
Info(22)
Mapping
Document(21)
Concept Paper
Supporting
Disturbance and
Sabotage
Reporting
Concept
Paper(12)
Comment Period
Info (16)
03/17/10
04/16/10
(closed)
Comments
Received (17)
Consideration of
Comments (18)
Supporting
Materials:
Comment Form
(Word)(13)
CIP-001-1 Sabotage
Reporting(14)
EOP-004-1 Disturbance
Reporting(15)
Nominations for
Standard
Drafting Team
Supporting
Materials:
Nomination
Form
(Word)(10)
Info(11)
09/16/09
09/30/09
(closed)
Draft 2
Disturbance and
Sabotage
Reporting SAR 2
Clean(8) |
Redline to Last
Posting (9)
Nominations for
SAR Drafting
Team
Supporting
Materials:
Nomination
Form (Word)(6)
Proposed SAR
Draft SAR
Info(7)
Comment Period
Info(3)
04/29/09
05/13/09
(closed)
04/22/09
05/21/09
(closed)
Comments
Received(4)
Consideration of
Comments(5)
Version 1(1)
Supporting
Materials:
Comment Form
(Word)(2)
Standard Authorization Request Form
Title of Proposed Project:
Disturbance and Sabotage Reporting (Project 2009-01)
Request Date
April 2, 2009
Approved by SC for posting: April 15, 2009
SAR Requester Information
Name: Patrick Brown
Primary Contact: Patrick Brown, Manager, NERC and Regional Coordination, PJM Interconnection
Telephone: 610-666-4597
E-mail: brownp@pjm.com
SAR Type (Check a box for each one that applies.)
New Standard
Revision to existing Standards: CIP-001-1 and EOP-004-1
Withdrawal of existing Standard
Urgent Action
Purpose (Describe the proposed standard action: Nomination of a proposed
standard, revision to a standard, or withdrawal of a standard and describe what
the standard action will achieve.)
This project will entail revision to existing standards CIP-001-1 – Sabotage Reporting and EOP-004-1 – Disturbance Reporting. The standards may be merged to eliminate redundancy and
provide clarity on sabotage events. EOP-004 has some ‘fill-in-the-blank’ components to
eliminate. The development may include other improvements to the standards deemed
appropriate by the drafting team, with the consensus of stakeholders, consistent with establishing
high quality, enforceable and technically sufficient bulk power system reliability standards.
Industry Need (Provide a justification for the development or revision of the standard,
including an assessment of the reliability and market interface impacts of implementing or
not implementing the standard action.)
The existing requirements need to be revised to be more specific – and there needs to be more
clarity in what sabotage looks like.
Brief Description (Provide a paragraph that describes the scope of this standard action.)
CIP-001 may be merged with EOP-004 to eliminate redundancies. Acts of sabotage have to be
reported to the DOE as part of EOP-004. Specific references to the DOE form need to be
eliminated.
116-390 Village Boulevard
Princeton, New Jersey 08540-5721
609.452.8060 | www.nerc.com
EOP-004 has some ‘fill-in-the-blank’ components to eliminate.
The development may include other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards (see tables for each
standard at the end of this SAR for more detailed information).
Detailed Description (Provide a description of the proposed project with sufficient details
for the standard drafting team to execute the SAR.)
See “Issues to be Considered by Drafting Team” tables for each standard at the end of this SAR
for more detailed information.
Reliability Functions
The Standard will Apply to the Following Functions (Check box for each one that applies.)
Reliability Coordinator: Responsible for the real-time operating reliability of its Reliability
Coordinator Area in coordination with its neighboring Reliability Coordinator’s wide area view.
Balancing Authority: Integrates resource plans ahead of time, and maintains
load-interchange-resource balance within a Balancing Authority Area and supports Interconnection
frequency in real time.
Interchange Authority: Ensures communication of interchange transactions for reliability
evaluation purposes and coordinates implementation of valid and balanced interchange schedules
between Balancing Authority Areas.
Planning Coordinator: Assesses the longer-term reliability of its Planning Coordinator Area.
Resource Planner: Develops a >one year plan for the resource adequacy of its specific loads within
a Planning Coordinator area.
Transmission Planner: Develops a >one year plan for the reliability of the interconnected Bulk
Electric System within its portion of the Planning Coordinator area.
Transmission Service Provider: Administers the transmission tariff and provides transmission
services under applicable transmission service agreements (e.g., the pro forma tariff).
Transmission Owner: Owns and maintains transmission facilities.
Transmission Operator: Ensures the real-time operating reliability of the transmission assets
within a Transmission Operator Area.
Distribution Provider: Delivers electrical energy to the End-use customer.
Generator Owner: Owns and maintains generation facilities.
Generator Operator: Operates generation unit(s) to provide real and reactive power.
Purchasing-Selling Entity: Purchases or sells energy, capacity, and necessary reliability-related
services as required.
Market Operator: Interface point for reliability functions with commercial functions.
Load-Serving Entity: Secures energy and transmission service (and reliability-related services) to
serve the End-use Customer.
Reliability and Market Interface Principles
Applicable Reliability Principles (Check box for all that apply.)
1. Interconnected bulk power systems shall be planned and operated in a coordinated
manner to perform reliably under normal and abnormal conditions as defined in the
NERC Standards.
2. The frequency and voltage of interconnected bulk power systems shall be controlled
within defined limits through the balancing of real and reactive power supply and
demand.
3. Information necessary for the planning and operation of interconnected bulk power
systems shall be made available to those entities responsible for planning and
operating the systems reliably.
4. Plans for emergency operation and system restoration of interconnected bulk power
systems shall be developed, coordinated, maintained and implemented.
5. Facilities for communication, monitoring and control shall be provided, used and
maintained for the reliability of interconnected bulk power systems.
6. Personnel responsible for planning and operating interconnected bulk power systems
shall be trained, qualified, and have the responsibility and authority to implement
actions.
7. The security of the interconnected bulk power systems shall be assessed, monitored
and maintained on a wide area basis.
8. Bulk power systems shall be protected from malicious physical or cyber attacks.
Does the proposed Standard comply with all of the following Market Interface
Principles? (Select ‘yes’ or ‘no’ from the drop-down box.)
1. A reliability standard shall not give any market participant an unfair competitive
advantage. Yes
2. A reliability standard shall neither mandate nor prohibit any specific market structure. Yes
3. A reliability standard shall not preclude market solutions to achieving compliance with that
standard. Yes
4. A reliability standard shall not require the public disclosure of commercially sensitive
information. All market participants shall have equal opportunity to access commercially
non-sensitive information that is required for compliance with reliability standards. Yes
Related Standards
Standard No.
Explanation
COM-003-1
Operations Communications Protocols – this standard may include some
requirements that require coordination with the requirements addressed in
this project
Related SARs
SAR ID
Explanation
Regional Variances
Region
Explanation
ERCOT
FRCC
MRO
NPCC
SERC
RFC
SPP
WECC
Issues
Issues to be Considered by Drafting Team
Project 2009-01 — Disturbance and Sabotage Reporting
Standard #
Title
CIP-001-0
Sabotage Reporting
FERC Order 693
Disposition: Approved with modifications
Consider the need for wider application of the standard. Consider
whether separate, less burdensome requirements for smaller entities
may be appropriate.
Define “sabotage” and provide guidance on triggering events that
would cause an entity to report an event.
In the interim, provide advice to entities about the reporting of
particular circumstances as they arise.
Consider FirstEnergy’s suggestions to differentiate between cyber and
physical security sabotage and develop a threshold of materiality.
Incorporate a periodic review or updating of the sabotage reporting
procedures and for their periodic testing. Consider a staggered
schedule of annual testing and formal review every two to three years.
Include a requirement to report a sabotage event to the proper
government authorities. Develop the language to specifically
implement this directive.
Explore ways to reduce redundant reporting, including central
coordination of sabotage reports and a uniform reporting format.
V0 Industry Comments
Object to multi-site requirement
Definition of sabotage required
VRF comments
Adequate procedures will insure it is unlikely to lead to bulk electric
system instability, separation, or cascading failures.
Other
Modify standard to conform to the latest version of NERC’s Reliability
Standards Development Procedure, the NERC Standard Drafting Team
Guidelines, and the ERO Rules of Procedure.
NERC Audit and Observation Team
Applicability — How does this standard pertain to Load Serving
Entities, LSE's.
Registered Entities have sabotage reporting processes and procedures
in place but not all personnel has been trained.
Question: How do you “and make the operator aware”
R4 — "What is meant by: “establish contact with the FBI”. Is a phone
number adequate? Many entities which call the FBI are referred back
to the local authority. The AOT noted that on the FBI website it states
to contact the local authorities. Is this a question for Homeland
Security to deal with for us?"
R4 — Establish communications contacts, as applicable with local FBI
and RAMP officials. Some entities are very remote and the sheriff is
the only local authority does the FBI still need to be contacted?
FERC’s December 20, 2007 and April 4, 2008 Orders in Docket Nos. RC07-004-000, RC07-6-000, and RC07-7-000
In FERC’s December 20, 2007 Order, the Commission reversed
NERC’s Compliance Registry decisions with respect to three
load serving entities in the ReliabilityFirst (RFC) footprint. The
distinguishing feature of these three LSEs is that none owned
physical assets. Both NERC and RFC assert that there will be a
“reliability gap” if retail marketers are not registered as LSEs.
To avoid a possible gap, a consistent, uniform approach to
ensure that appropriate Reliability Standards and associated
requirements are applied to retail marketers must be applied.
Each drafting team responsible for reliability standards
applicable to LSEs is to review and change as necessary,
requirements in the applicable reliability standards to address
the issues surrounding accountability for loads served by retail
marketers/suppliers. For additional information see:
FERC’s December 20, 2007 Order
(http://www.nerc.com/files/LSE_decision_order.pdf )
NERC’s March 4, 2008
(http://www.nerc.com/files/FinalFiledLSE3408.pdf ),
FERC’s April 4, 2008 Order
(http://www.nerc.com/files/AcceptLSECompFiling040408.pdf ) and
NERC’s July 31, 2008
(http://www.nerc.com/files/FinalFiled-CompFilingLSE-07312008.pdf ) compliance filings to FERC on
this subject.
Issues
Issues to be Considered by Drafting Team
Project 2009-01 — Disturbance and Sabotage Reporting
Standard #
Title
EOP-004-1
Disturbance Reporting
FERC Order 693
Disposition: Approved with modification
Include any requirements for users, owners, and operators of the bulk
power system to provide data that will assist NERC in the investigation
of a blackout or disturbance.
Change NERC’s Rules of Procedure to assure the Commission receives
these reports in the same frame as the DOE.
Consider APPA’s concern about generator operators and LSEs analyzing
performance of their equipment and provide data and information on
the equipment to assist others with analysis.
Consider all comments offered in a future modification of the reliability
standard.
Fill-in-the-Blank Team Comments
Consider changes to R1 and R3.4 to standardize the disturbance
reporting requirements (requirements for disturbance reporting need
to be added to this standard)
Regions currently have procedures, but not in the form of a standard.
The drafting team will need to review regional requirements to
determine reporting requirements for the North American standard.
V0 Industry Comments
R3 – too many reports, narrow requirement to RC
How does this apply to generator operator?
Other
Modify standard to conform to the latest version of NERC’s Reliability
Standards Development Procedure, the NERC Standard Drafting Team
Guidelines, and the ERO Rules of Procedure.
NERC Audit and Observation Team
R3.1 — Can there be a violation without an event?
Event Analysis Team
Reliability Issue: Coordination and follow up on lessons learned from
event analyses. Consider adding to EOP-004 – Disturbance Reporting.
Proposed requirement: Regional Entities (REs) shall work together
with Reliability Coordinators, Transmission Owners, and Generation
Owners to develop an Event Analysis Process to prevent similar events
from happening and follow up with the recommendations. This
process shall be defined within the appropriate NERC Standard.
FERC’s December 20, 2007 and April 4, 2008 Orders in Docket Nos. RC07-004-000, RC07-6-000, and RC07-7-000
In FERC’s December 20, 2007 Order, the Commission reversed
NERC’s Compliance Registry decisions with respect to three
load serving entities in the ReliabilityFirst (RFC) footprint. The
distinguishing feature of these three LSEs is that none owned
physical assets. Both NERC and RFC assert that there will be a
“reliability gap” if retail marketers are not registered as LSEs.
To avoid a possible gap, a consistent, uniform approach to
ensure that appropriate Reliability Standards and associated
requirements are applied to retail marketers must be applied.
Each drafting team responsible for reliability standards
applicable to LSEs is to review and change as necessary,
requirements in the applicable reliability standards to address
the issues surrounding accountability for loads served by retail
marketers/suppliers. For additional information see:
FERC’s December 20, 2007 Order
(http://www.nerc.com/files/LSE_decision_order.pdf )
NERC’s March 4, 2008
(http://www.nerc.com/files/FinalFiledLSE3408.pdf ),
FERC’s April 4, 2008 Order
(http://www.nerc.com/files/AcceptLSECompFiling040408.pdf ) and
NERC’s July 31, 2008
(http://www.nerc.com/files/FinalFiled-CompFilingLSE-07312008.pdf ) compliance filings to FERC on
this subject.
Unofficial Comment Form for Project 2009-01 — SAR for Disturbance and
Sabotage Reporting
Please DO NOT use this comment form. Please use the electronic comment form located at
the link below to submit comments on the proposed SAR for revisions to the existing
Disturbance and Sabotage Reporting standards. Comments must be submitted by May 21,
2009. If you have questions please contact Stephen Crutchfield at
Stephen.crutchfield@nerc.net or by telephone at 609-651-9455.
http://www.nerc.com/filez/standards/Project200901_Disturbance_Sabotage_Reporting.html
Background Information
This project will entail revision to the following existing standards:
• CIP-001-1 — Sabotage Reporting
• EOP-004-1 — Disturbance Reporting
Stakeholders have indicated that identifying potential acts of “sabotage” is difficult to
do in real time, and additional clarity is needed to identify thresholds for reporting
potential acts of sabotage in CIP-001-1. Stakeholders have also reported that EOP-004-1
has some requirements that reference out-of-date Department of Energy forms, making the
requirements ambiguous. EOP-004 also has some ‘fill-in-the-blank’ components to
eliminate.
The project will include addressing previously identified stakeholder concerns and FERC
directives, will bring the standards into conformance with the latest approved version of the
ERO Rules of Procedure, and may include other improvements to the standards deemed
appropriate by the drafting team, with the consensus of stakeholders, consistent with
establishing high quality, enforceable and technically sufficient bulk power system reliability
standards.
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
*Please use the electronic comment form to submit your final responses to NERC.
1. Do you agree that there is a reliability-related reason to support modifying CIP-001-1
and EOP-004-1? If not, please explain in the comment area.
Yes
No
Comments:
2. Do you agree with the scope of the proposed SAR? If not, please explain what should be
added or deleted to the proposed scope.
Yes
No
Comments:
3. Are you aware of any associated business practices that we should consider with this
SAR? If yes, please explain in the comment area.
Yes
No
Comments:
4. CIP-001-1 applies to the Reliability Coordinator, Transmission Operator, Balancing
Authority, Generator Operator, and the Load-serving Entity. EOP-004-1 applies to the
same entities, plus the Regional Reliability Organization. Do you agree with the
applicability of the existing CIP-001-1 and the existing EOP-004-1? If no, please identify
what you believe should be modified.
Yes
No
Comments:
5. If you have any other comments on the SAR or proposed modifications to CIP-001-1 and
EOP-004-1 that you haven’t provided in response to the previous questions, please
provide them here.
Comments:
Standards Announcement
Comment Period Open
April 22–May 21, 2009
Now available at: http://www.nerc.com/filez/standards/Project200901_Disturbance_Sabotage_Reporting.html
Project Name:
2009-01 — Disturbance and Sabotage Reporting
Due Date and Submittal Information:
The comment period is open until 8 p.m. EDT on May 21, 2009. Please use this electronic
form to submit comments. If you experience any difficulties in using the electronic form, please
contact Lauren Koller at Lauren.Koller@nerc.net. An off-line, unofficial copy of the comment
form is posted on the project page: http://www.nerc.com/filez/standards/Project200901_Disturbance_Sabotage_Reporting.html
Content for Comment Period:
A proposed SAR for revisions to the existing Disturbance and Sabotage Reporting
standards
Other Materials Posted:
CIP-001-1 — Sabotage Reporting
EOP-004-1 — Disturbance Reporting
Project Background:
This project will entail revision to the following existing standards:
CIP-001-1 — Sabotage Reporting
EOP-004-1 — Disturbance Reporting
Stakeholders have indicated that identifying potential acts of “sabotage” is difficult to do in real
time, and additional clarity is needed to identify thresholds for reporting potential acts of
sabotage in CIP-001-1. Stakeholders have also reported that EOP-004-1 has some requirements
that reference out-of-date Department of Energy forms, making the requirements ambiguous.
EOP-004-1 also has some ‘fill-in-the-blank’ components to eliminate.
The project will include addressing previously identified stakeholder concerns and FERC
directives; will bring the standards into conformance with the latest approved version of the ERO
Rules of Procedure; and may include other improvements to the standards deemed appropriate
by the drafting team, with the consensus of stakeholders, consistent with establishing high
quality, enforceable and technically sufficient bulk power system reliability standards.
Applicability of Standards in Project:
Reliability Coordinators
Balancing Authorities
Transmission Operators
Generator Operators
Load Serving Entities
Regional Reliability Organizations
Standards Development Process
The Reliability Standards Development Procedure contains all the procedures governing the
standards development process. The success of the NERC standards development process
depends on stakeholder participation. We extend our thanks to all those who participate.
For more information or assistance,
please contact Shaun Streeter at shaun.streeter@nerc.net or at 609.452.8060.
Project 2009-01 Disturbance and Sabotage Reporting Comment Received
April 29, 2009 through May 13, 2009
Individual or group. (40 Responses)
Name (28 Responses)
Organization (28 Responses)
Group Name (12 Responses)
Contact Organization (12 Responses)
Question 1 (39 Responses)
Question 1 Comments (40 Responses)
Question 2 (40 Responses)
Question 2 Comments (40 Responses)
Question 3 (38 Responses)
Question 3 Comments (40 Responses)
Question 4 (39 Responses)
Question 4 Comments (40 Responses)
Question 5 (0 Responses)
Question 5 Comments (40 Responses)
Individual
Stephen V. Fisher
Lands Energy Consulting
Yes
I have worked with 5 Northwest public utilities on developing procedures related to CIP-001-1 and EOP-004-1. All 5 utilities operate electric systems in fairly remote locations and are embedded in a larger utility's
Balancing Authority/Transmission Operator area. A. CIP-001-1 - Developing procedures to unambiguously
identify acts of sabotage has been particularly challenging for these systems. In general, it's hard for them
to determine whether the most prevalent forms of malicious and intentional system damage that they incur
- copper theft and gun shot insulators/equipment - should qualify as acts of sabotage. Although none of the
systems consider copper theft to be acts of sabotage, two of the systems consider gun shot
insulators/equipment to be acts of sabotage. The other systems look for intent to disrupt electric system
operations as a key component of their sabotage identification procedures. Additional guidance from NERC
in the form of CIP-001-1 modifications or a companion guidelines document on sabotage identification
would provide much needed guidance for these procedures. B. EOP-004-1 - This standard was clearly
drafted with the larger electric systems in mind. I have one client that serves 3300 commercial/residential
customers from 4-115/13 kV substation transformers and one large industrial customer (80% of its energy
load) from a 230/13 kV substation. 75% of the client's load is served from three substations attached to a
long, 115 kV transmission line operated by the Bonneville Power Administration. Whenever the line relays
open on a permanent fault (which happens 2-3 times per year), the client loses over 50% of its customers
(but no more than 10-15 MW during winter peak), thereby necessitating the preparation of a Disturbance
Report. To allow utilities to concentrate on operating their systems, without fear of violating EOP-004-1 for
failure to report trivial outages, I would remove LSEs from the obligation to report disturbances - leave the
reporting to the BA/TOP for large outages in their footprint.
No
I would like to see the SAR expanded to cover the issues I mentioned in my prior comment. Otherwise, the
scope of the SAR looks fine to me.
No
No
CIP-001-1 - Yes. In many cases, the staff of an LSE embedded in another entity's BA/TOP area is more
likely to discover an act of sabotage directed toward a BA/TOP-owned facility that could affect the BES than
the asset owner. This is because the LSE likely has more operating staff in the area. I have included a
requirement in my clients' Sabotage Identification and Reporting Procedures that the client treat acts of
sabotage to a third party's system discovered by client employees as though the act was directed toward
client facilities. EOP-004-1 - As mentioned before, I would eliminate the LSE from the applicability list and
leave the responsibility for disturbance reporting and response to the TOP/BA. However, I would retain a
responsibility for the LSEs to cooperate (when requested) with any disturbance investigation.
One final comment on CIP-001-1. My clients received universally rude treatment from the FBI field offices
when they attempted to establish the contacts required by the Standard. If the FBI doesn't see value in
establishing these contacts, remove the requirement from the Standard. Making sure the LSE knows the FBI
field office phone number is probably all the Standard should require.
Individual
Brent Hebert
Calpine Corporation
Yes
Communication of facility status or emergencies between merchant generators registered as GOP and the
RC, BA, GOP, or LSE in which the facility resides should be coordinated for EOP-004 reporting. The
reporting to NERC/DOE should come from the RC, BA, GOP, or LSE.
Yes
No
The reporting requirements of EOP-004 are needed for the RC, BA, LSE and the GOP that operates or
controls generation in a system as defined by NERC. (System – A combination of generation, transmission,
and distribution components). A disturbance is described as an unplanned event that produces an
abnormal system condition, any perturbation to the electric system, and the unexpected change in ACE that
is caused by the sudden failure of generation or interruption of load. The GOP operating/controlling
generation within a system has the ability to analyze system conditions to determine if reporting is
necessary. A NERC registered GOP that is a merchant generator within another company’s system does not
have the ability for a wide area view and cannot analyze system conditions beyond the interconnection
point of the facility. Moreover, in most cases the reporting requirements outlined in the Interconnection
Reliability Operating Limits and Preliminary Disturbance Report do not apply to the merchant generator that
is not a generation only BA. The applicability of the standard does encompass the true merchant generation
entities required to register as GOP. Similarly, the OE-417 table 1 reporting requirements generally do not
apply to a true merchant generating entity that is required to register as a GOP.
Individual
Steve Toth
Covanta
Yes
Yes - the key to Sabotage reporting requirements is identifying what the 'definition' is of an actual or
potential 'Sabotage' event. Like any other standard, if FERC/NERC leave it up to 2000+ entities to establish
their own definitions of 'Sabotage', you may likely get 2000+ answers. That is not a controlled and
coordinated approach. I offer the following definition, "Sabotage - Deliberate or malicious destruction of
property, obstruction of normal operations, or injury to personnel by outside agents." Examples of sabotage
events could include, but are not limited to, suspicious packages left near site electrical generating or
electrical transmission assets, identified destruction of generating assets, telephone/e mail received threats
to destroy or interrupt electrical generating efforts, etc." These have passed multiple NERC regional audits
and reviews to date.
Yes
No
Yes
It would be a welcome enhancement to the end users to understand the communication link between all
"appropriate parties" who shall be notified of potential or actual sabotage events.... which also needs to be
defined.
Individual
Harvie Beavers
Colmac Clarion
Yes
Yes
No
Yes
Need single report for Sabotage so whatever is required results in notification of all parties (State
Emergency Management, Homeland Security, FBI, Grid Reliability Chain of Command). Any and all of these
can 'expand' knowledge later but all seem to require 'instant' notification.
Individual
Russell A. Noble
Cowlitz County PUD
Yes
The standards as written now create reporting on local customer quality of service outage events not
related to BPS disturbances. Sabotage reporting has degenerated into reporting of mischievous vandalism
and minor theft occurrences. This creates compliance documentation overburden and waste of limited funds
needed for true BPS reliability concerns, and also adds nuisance calls to the FBI and Homeland Security.
No
Added to the scope: For EOP-004 add a provision for a reporting flow rather than everything going to the RE
and NERC, that is something going like the DP and TOP reports to the BA, the BA to the RE, and the RE to
NERC. This would allow for multiple related reports to be combined into a single coherent report as the
reporting goes up the chain. For CIP-001 consider reporting flow as above with local law enforcement
notification. Let an upper entity in the reporting chain decide when to contact Federal Agencies such as the
BA or the RC.
No
No
Replace LSE with DP, and the Regional Reliability Organization with the Regional Entity.
Local Law enforcement agencies often are not friendly to Federal involvement with smaller problems they
consider their "turf." Need to make sure the small stuff stays with them, however have a system of internal
reporting that will catch coordinated sabotage efforts (multiple attacks on DPs and small BAs) at the RC or
RE level who then can report to the Federal agencies. Currently EOP-004-1 requires small entities to report
a "disturbance" if half of their firm customer load is lost. For some entities, this can be one small substation
going down due to a bird. The "50% of total demand" requirement should be removed or improved to better
define a true BPS disturbance.
Individual
Michael Puscas
United Illuminating
Yes
Yes
No
No
Add Distribution Provider
Individual
George Pettyjohn
Reliant Energy
Yes
EOP-004-1 indicates that Generators should analyze disturbances on the bulk electrical system or their
facilities. Generators do not have the capability of analyzing the bulk electrical system other than
Frequency. Even so, generators cannot unilaterally respond to what it thinks are disturbances. In the case of
CAISO, the Participating Generator Agreement prevents me from making any unilateral moves save for the
direst frequency emergencies. If the System operator or Reliability Coordinator informs the generator that
there is a disturbance and that logs and readouts etc. are required then the generator should respond with
all available information for the subject hours or time. Clearer responsibilities provide clearer results.
No
I think Generator operators should be excluded except to provide requested information from the System
Operator or Reliability coordinator.
No
No
EOP-004-1 should exclude the generator operator from disturbance reporting except providing the system
operator or reliability coordinator with appropriate unit operation information upon request. Acts of
sabotage should be identified clearly and reported to the indicated authorities.
Individual
Judith A. James
Texas Regional Entity
Yes
Yes
No
No
Add GO and TO to the list of applicability. The intent of CIP-001-1 when it was first written was to have the
proper and most likely entities associated directly with operations to be the ones to begin the reporting
process in the case of sabotage on the system. In the ERCOT Region and other regions in the US, the GOP
may not be physically located at the site. The GOP is often removed from the minute-by-minute
responsibilities of plant operations and, therefore, may be less able to react to physical sabotage at the
location/plant/facility in a timely manner. The concern is that, in the case of an actual sabotage event, the
failure to report to the appropriate authorities in a timely manner may jeopardize the reliability of the BPS.
Therefore, the Generator Owner (GO) should be added to the list of applicability for CIP-001-1, because it is
the GO that is more likely to be on location at the generation site and thus aware of sabotage when it first
occurs. This would disallow for any possible communication gap and put responsibility on all of the
appropriate entities to report such an event. Additionally, and for the same reasons as adding the GO, the
Transmission Owner (TO) should also be added to the list of applicability for reporting sabotage on its
facilities.
Individual
Edward C. Stein
self
Yes
Yes
No
Yes
Individual
Chris Scanlon
Exelon
Yes
Yes
Consolidation of redundant requirements and clarifications of difficult to follow / interpret standards should
be a high priority at NERC.
No
We are not sure what this question means. Whose Associated Business practices, NERC, Applicable Entities
in the Standard, our business practices?
No
CIP-001, remove LSEs from the standard for the reasons identified in the FERC LSE order. Add TO and DP.
EOP-004, remove LSEs from the standard for the reasons identified in the FERC LSE order. Remove RROs,
they are not a user, owner, operator of the BES. Add DP or TO. Consider conditional applicability as in the
UFLS standards, "the TO or DP who performs the functions specified in the standard..."
Exelon agrees this is a worthwhile project and that reliability will be enhanced and the compliance process
will be simplified by clarifying terminology and reporting requirements in these standards. If nothing else,
defining "Sabotage" so as to end interpretations of this term and the related requirements is necessary.
Group
SERC OC Standards Review Group
Entergy Services, Inc
No
The EOP-004-1 standard is an unnecessary duplication of existing DOE reporting requirements. This
essentially exposes an entity to fines by NERC, enforced by FERC, for failure to comply with a DOE
regulation, which seems improper to us. In addition, reporting requirements do not have an impact on the
reliability of the BES.
Yes
No
Business practices should not be considered in a standard.
No
The EOP-004-1 standard should not apply to the RRO.
Group
WECC
WECC
Yes
Yes
No
Yes
No
Group
Project 2007-02 Operating Personnel Comms Protocols SDT
NERC OPCP SDT
No
The Operating Personnel Communication Protocols standard drafting team respectfully requests that the
Sabotage Reporting SAR Drafting Team incorporate the following into your proposed SAR: “Each Reliability
Coordinator, Balancing Authority, and Transmission Operator shall have procedures for the communication
of information concerning the Cyber and Physical emergency alerts in accordance with the conditions
described in Attachment 1 Security Emergency Alerts.”

The Operating Personnel Communications Protocols Project 2007-02 was initiated to ensure that real time
system operators use standardized communication protocols during normal and emergency operations to
improve situational awareness and shorten response time. The SDT developed a new COM-003-1 Standard that
has yet to be posted and is dependent upon revising at least two other standards (CIP-001 and TOP
Standard). COM-003 contains requirements that specify:
1. Use of three-part communication;
2. English language;
3. Common time zone;
4. NATO alphanumeric alphabet;
5. Mutually agreed line identifiers;
6. The use of pre-defined system condition terminology such as those contained in the RCWG Alert Level
Guide and EOP-002-2.

This request is based on recent NERC Standards Committee direction to our team to incorporate the
Reliability Coordinator Working Group’s (RCWG) Alert Level Guide into a Standard. The consensus of our
team is that a TOP Standard is the most appropriate location for the Transmission Emergency Alert language
from the Guide as the energy emergency alert language is currently described in EOP-002-2. The RCWG Guide
proposes the use of pre-defined system condition descriptions for use during emergencies for reliability
related information. This guide was developed in response to a Blackout Report recommendation. Our team
placed the Transmission Emergency Alert language into a TOP standard. Since the Sabotage Reporting SAR DT
intends to modify CIP-001, we seek your consent to incorporate the cyber and physical security alert
language to comply with the wishes of the Standards Committee. We believe that the CIP-001 Standard is
the most appropriate location for this language for the following reasons:
• The levels of emergency conditions related to the cyber and physical security of the electric system is
directly related to Critical Infrastructure Protection.
• The current version of CIP-001 already requires the timely reporting of actual and suspected security
emergency conditions and the use of pre-defined terminology supports the efficient sharing of such
information.

The OPCP SDT includes the following text for the record. It is a proposed draft revision of CIP-001.

A. Introduction
1. Title: Security Incidents
2. Number: CIP-001-2
3. Purpose: To ensure the recognition, communication and response to cyber and physical security
incidents suspected or determined to be caused by sabotage.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
5. Effective Date: The standard is effective the first day of the first calendar quarter after applicable
regulatory approvals (or the standard otherwise becomes effective the first day of the first calendar
quarter after NERC BOT adoption in those jurisdictions where regulatory approval is not required).

B. Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load
Serving Entity shall have procedures for the recognition of and for making their operating personnel aware
of security threats on its facilities and multi site security threats affecting larger portions of the
Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load
Serving Entity shall have procedures for the communication of information concerning the physical and
cyber security status of their facilities in accordance with the conditions described in
Attachment 1-CIP-001-1.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load
Serving Entity shall provide its operating personnel with security threat or incident response guidelines,
including personnel to contact, for reporting security threats and incidents.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load
Serving Entity shall establish communications contacts, as applicable, with local Federal Bureau of
Investigation (FBI) or Royal Canadian Mounted Police (RCMP) officials and develop reporting procedures as
appropriate to their circumstances.

C. Measures
M1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load
Serving Entity shall have and provide upon request a procedure (either electronic or hard copy) as defined
in Requirement 1
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load
Serving Entity shall have and provide upon request the procedures or guidelines that will be used to
confirm that it meets Requirements 2 and 3.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load
Serving Entity shall have and provide upon request evidence that could include, but is not limited to
procedures, policies, a letter of understanding, communication records, or other equivalent evidence that
will be used to confirm that it has established communications contacts with the applicable, local FBI or
RCMP officials to communicate sabotage events (Requirement 4).

D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
Regional Entity
1.2. Compliance Monitoring Period and Reset
One or more of the following methods will be used to verify compliance:
- Compliance Audits
- Self-certifications
- Spot Checking
- Compliance Violation Investigations
- Self-Reporting
- Complaints
1.3. Data Retention
The Transmission Operator, Transmission Owner, Balancing Authority, Reliability Coordinator, Generator
Operator and Distribution Provider shall keep data or evidence to show compliance as identified below
unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of
time as part of an investigation:
o The Transmission Operator, Transmission Owner, Balancing Authority, Reliability Coordinator, Generator
Operator and Distribution Provider shall retain its current, in force document and any documents in force
since the last compliance audit.
o If a Transmission Operator, Transmission Owner, Balancing Authority, Reliability Coordinator, Generator
Operator or Distribution Provider is found non-compliant, it shall keep information related to the
non-compliance until found compliant.
o The Compliance Enforcement Authority shall keep the last audit records and all requested and submitted
subsequent audit records.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance:
2.1. Level 1: There shall be a separate Level 1 non-compliance, for every one of the following
requirements that is in violation:
2.1.1 Does not have procedures for the recognition of and for making its operating personnel aware of
sabotage events (R1).
2.1.2 Does not have procedures or guidelines for the communication of information concerning sabotage
events to appropriate parties in the Interconnection (R2).
2.1.3 Has not established communications contacts, as specified in R4.
2.2. Level 2: Not applicable.
2.3. Level 3: Has not provided its operating personnel with sabotage response procedures or guidelines
(R3).
2.4. Level 4: Not applicable.

E. Regional Differences
None.

Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Amended
1 | April 4, 2007 | Regulatory Approval — Effective Date | New
2 | March 2009 | Added SEA attachment and updates to Effective Date and Compliance sections. | New

Attachment 1-CIP-001-2
Physical Security Emergency Alerts
General Requirements
1. Initiation by Reliability Coordinator. A Physical Security Emergency Alert may be initiated only by a
Reliability Coordinator at:
a. The Reliability Coordinator’s own decision,
b. By request from a Transmission Operator,
c. By request from a Balancing Authority, or
d. By request from federal, state, or local Law Enforcement Officials.
2. Situations for initiating alert. An Alert may be initiated for the following reasons:
a. A physical threat affecting a control center, grid or generator asset has been identified, or
b. A physical attack affecting a control center, grid or generator asset has occurred or is imminent.
3. Notification. A Reliability Coordinator who initiates a Physical Security Emergency Alert shall notify
all Transmission Operators and Balancing Authorities in its Reliability Area. The Reliability Coordinator
shall also notify other Reliability Coordinators of the situation via the Reliability Coordinator
Information System (RCIS) using the “CIP” category. Additionally, conference calls between Reliability
Coordinators shall be held as necessary to communicate system conditions. The Reliability Coordinator
shall also notify all Transmission Operators and Balancing Authorities in its Reliability Area and other
Reliability Coordinators when the alert has changed levels or ended.

Physical Security Emergency Alert Levels
To ensure that all Reliability Coordinators clearly understand potential and actual Physical Security
Emergency Alerts, NERC has established three levels of Security Emergency Alerts. The Reliability
Coordinators will use these terms when explaining security alerts to each other. The Reliability
Coordinator may declare whatever alert level is necessary, and need not proceed through the alerts
sequentially.

1. Alert 1 – “Control Center / Bulk Electric System asset threat identified”
Circumstances: A credible threat of physical attack on a Bulk Electric System asset has been communicated
to the Reliability Coordinator. No physical attack has occurred at this point. Determining the credibility
of any threat is a subjective process, but the following factors should be considered:
a. The nature and specificity of the threat,
b. The timing of the threat,
c. Mode of threat communication, and
d. The criticality of the threatened asset.
During a Physical Security Emergency Alert Level 1, Reliability Coordinators, Transmission Operators and
Balancing Authorities shall have the following responsibilities:
i. Notification
The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall post
the declaration of the alert level along with the location of the affected facility on the RCIS under
“CIP” and notify all Transmission Operators and Balancing Authorities in its Reliability Area.
ii. Updating Status during the Physical Security Emergency Alert
The declaring Entity shall update the Reliability Coordinator of any changes in the situation until the
Alert Level 1 is terminated. The Reliability Coordinator shall update the RCIS as changes occur.

2. Alert 2 – “Verified Physical attack at a single site”
Circumstances: A Reliability Coordinator, Transmission Operator, or Balancing Authority has identified a
physical attack upon a control center, generator asset, or other bulk electric system asset.
During a Physical Security Emergency Alert Level 2, Reliability Coordinators, Transmission Operators and
Balancing Authorities shall have the following responsibilities:
i. Notification
The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall post
the declaration of the alert level along with the location of the affected facility on the RCIS under
“CIP” and notify all Transmission Operators and Balancing Authorities in its Reliability Area.
ii. Updating Status during the Physical Security Emergency Alert
The declaring Entity shall update the Reliability Coordinator of the situation a minimum of once per hour
until the Alert Level 2 is terminated. The Reliability Coordinator shall update the RCIS as changes occur.

3. Alert 3 – “Verified Physical attack at multiple sites”
Circumstances: Multiple attacks have been confirmed on control centers, generator assets or other bulk
electric system assets. A Reliability Coordinator shall declare a Physical Security Emergency Alert 3
whenever:
a. A Transmission Operator or Balancing Authority reports multiple physical attacks on bulk electric
system assets,
b. Multiple Transmission Operators or Balancing Authorities report one or more physical attacks on their
bulk electric system assets.
i. Notification
The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall post the
declaration of the alert level along with the location of the affected facility on the RCIS under “CIP” and
notify all Transmission Operators and Balancing Authorities in its Reliability Area. ii. Updating Status during
the Physical Security Emergency Alert The declaring Entity(ies) shall update the Reliability Coordinator of
the situation a minimum of once per hour until the Alert Level 3 is terminated. The Reliability Coordinator
shall update the RCIS as changes occur. 4. Alert 0 – “Termination of Alert Level” Circumstances: The threat
which prompted the Physical Security Emergency Alert Level has diminished or has been removed. i.
Notification The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall
notify all other Reliability Coordinators via the RCIS, and it shall also notify all Transmission Operators and
Balancing Authorities in its Reliability Area that the Alert Level has been terminated.
Cyber Security Emergency Alerts
Cyber Assets – Those programmable electronic devices and communication networks, including hardware, software, and data, associated with bulk electric system assets.
Cyber Security Incident – Any malicious act or suspicious event that compromises, or attempts to compromise, the electronic or physical security perimeter of a critical cyber asset or disrupts or attempts to disrupt the operation of a critical cyber asset.
Critical Cyber Asset – Those cyber assets essential to the reliable operation of critical assets.
Electronic Security Perimeter – The logical border surrounding the network or group of sub-networks to which the critical cyber assets are connected, and for which access is controlled.
Physical Security Perimeter – The physical border surrounding computer rooms, telecommunications rooms, operations centers and other locations in which critical cyber assets are housed and for which access is controlled.
General Requirements
1. Initiation - A Cyber Security Emergency Alert shall be initiated by:
a. The Reliability Coordinator’s analysis,
b. By request from any NERC functional Model entity that Com-003-0 is applicable to.
c. By request from federal, state, or local Law Enforcement Officials.
2. Situations for initiating alert. An Alert shall be initiated for the following reasons:
a. A cyber threat affecting a control center or bulk electric system asset has been identified, or
b. A cyber attack affecting a control center or bulk electric system has occurred or is imminent.
3. Notification. An entity who initiates a Cyber Security Emergency Alert shall make notification as per the NERC Functional model or as Regional / local instruction. The Reliability Coordinator shall notify FBI local office, Electricity Sector Information Sharing Analysis Center (ESISAC) and Department of Homeland Security. The Reliability Coordinator shall also notify as necessary other Reliability Coordinators of the situation via the Reliability Coordinator Information System (RCIS) using the “CIP” category. The Reliability Coordinator shall notify all Transmission Operators and Balancing Authorities in its Reliability Area and other Reliability Coordinators when the alert has changed levels or ended.
Cyber Security Emergency Alert Levels
To ensure that all applicable entities clearly understand potential and actual Cyber Security Emergency Alerts, three levels of Security Emergency Alerts shall be used. The Reliability Coordinators will use these terms when communicating security alerts to each other. When declaring the applicable alert level it is important to note that the applicable level can be determined without sequentially proceeding through levels. As an example given circumstances an Alert Level 3 could be called without previously being in an Alert Level 1 or Level 2 state.
1. Alert 1 – “Verified Control Center / Bulk Electric System Cyber Asset threat identified or imminent”
What is “verified” - unknown or unauthorized access to a cyber device, unknown or unauthorized change to a cyber device (i.e., config file, O/S, firmware change). ‘Verified’ could mean the elimination of a false positive in your security monitoring system. ‘Verified’ could also be the differentiation between malicious and non-malicious (i.e., human error, not following policy, etc.) intent.
What is a “threat” - A threat can be perceived as any action or event that occurs where the monitoring authority was not previously made aware that that action would occur. With flimsy change control or access controls, field staff or technical staff performing troubleshooting or other maintenance may access or change devices without notifying the monitoring entity. The monitoring entity would have to treat this as a threat and take appropriate action to either isolate that device from the rest of the system, notify appropriate authority, dispatch a crew, etc.
Examples of threats - Over and above the examples above, another threat example could be a notification from DHS or other security agency that they have reason to believe a hack, virus or other cyber terrorism activity could occur. Also, noticing a distinct change in network traffic which could imply someone has intercepted your data and can manipulate it before sending it from the control room to the device being controlled or manipulating the data coming from the device before a controller seeing it and forcing them to perform an incorrect control event in reaction to erroneous data.
Circumstances: A credible threat of Cyber attack on a Control Center or Bulk Electric System asset has been communicated to the Reliability Coordinator. No cyber attack has occurred at this point. Determining the credibility of any threat is a subjective process, but the following factors should be considered:
a. The nature and specificity of the threat,
b. The timing of the threat,
c. Mode of threat communication, and
d. The criticality of the threatened asset.
During a Cyber Security Emergency Alert Level 1, applicable entities shall have the following responsibilities:
i. Notification
An entity who initiates a Cyber Security Emergency Alert Level 1 shall make notification as per the NERC Functional model or as Regional / local instruction. The Reliability Coordinator shall post the declaration of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all Transmission Operators and Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify as necessary the FBI local office, Electricity Sector Information Sharing Analysis Center (ESISAC) and Department of Homeland Security.
ii. Updating Status during the Cyber Security Emergency Alert
The declaring Entity shall update those applicable entities of any changes in the situation until the Alert Level 1 is terminated. The Reliability Coordinator shall update the RCIS as changes occur.
2. Alert 2 – “Verified Cyber attack on a Control Center or Bulk Electric System asset”
Circumstances: An applicable entity has identified a cyber attack upon a control center or bulk electric system asset.
During a Cyber Security Emergency Alert Level 2, applicable entities shall have the following responsibilities:
i. Notification
An entity who initiates a Cyber Security Emergency Alert Level 2 shall make notification as per the NERC Functional model or as Regional / local instruction. The Reliability Coordinator responsible shall post the declaration of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all Transmission Operators and Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify the FBI local office, Electricity Sector Information Sharing Analysis Center (ESISAC) and Department of Homeland Security.
ii. Updating Status during the Cyber Security Emergency Alert
The declaring Entity shall provide updates of the situation a minimum of once per hour until the Alert Level 2 is terminated. The Reliability Coordinator shall update the RCIS as changes occur.
3. Alert 3 – “Verified Cyber attack at one or more Control Center or Bulk Electric System cyber asset”
Circumstances: An applicable entity has identified a cyber attack upon a control center or bulk electric system asset and shall declare a Cyber Security Emergency Alert 3 whenever:
a. A Transmission Operator or Balancing Authority reports one or more cyber attacks on bulk electric system that render an asset(s) unavailable.
i. Notification
An entity who initiates a Cyber Security Emergency Alert Level 3 shall make notification as per the NERC Functional model or as Regional / local instruction. The Reliability Coordinator shall post the declaration of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all Transmission Operators and Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify the FBI local office, Electricity Sector Information Sharing Analysis Center (ESISAC) and Department of Homeland Security.
ii. Updating Status during the Cyber Security Emergency Alert
The declaring Entity(ies) shall provide an update of the situation a minimum of once per hour until the Alert Level 3 is terminated. The Reliability Coordinator shall update the RCIS as changes occur.
4. Alert 0 – “Termination of Alert Level”
Circumstances: The threat which prompted the Cyber Security Emergency Alert Level has diminished or has been removed.
i. Notification
An entity who initiates a Cyber Security Emergency Alert shall make notification as per the NERC Functional model or as Regional / local instruction when situation has diminished or returned to normal. The Reliability Coordinator shall notify all other Reliability Coordinators via the RCIS, and it shall also notify all Transmission Operators and Balancing Authorities in its Reliability Area that the Alert Level has been terminated.
Individual
Jimmy Hartmann
ERCOT ISO
Yes
No
The scope should be modified to provide for a different treatment of reporting requirements that are
administrative in nature, or that are after-the-fact (thus cannot impact reliability unless analysis and follow-up is not performed; even then, the impact would be at some future time). Reporting requirements which
are of the nature to assist in identification of system concerns or which serve to prevent or mitigate ongoing system problems (including, but not limited to, actual or attempted sabotage activity) should remain
in standards, but should be separate and apart from the administrative reporting.
No
No
The Regional Reliability Organization is not a registered Functional Entity in the NERC registry. The
applicability must be revised to more appropriately assign the requirements to registered functional entities.
Also, the industry needs to recognize that there are other resources than generation for which the operators
need to be included. Perhaps a demand-side resource should have a resource operator. This particular SAR
may not be the appropriate venue for this, but control of resources which can be used to mitigate sabotage
events or disturbance events may need to be addressed.
Due to the fact that both the CIP-001-1 and EOP-004-1 have similar reporting standards, initially combining
the two sounds like a correct analysis. However, after further consideration and due to the critical nature of
its intended function involving Security aspects, the CIP-001 should be intensely evaluated to determine if
its intended purpose meets the threshold or criteria to stand alone. The existing standards for CIP-001-1
Sabotage Reporting may help prevent future mitigation actions caused by sabotage events. EOP-004-1
Disturbance Reporting is administrative in nature, thus the jeopardy of the Bulk Electric System reliability is
impacted only if analysis is not performed or if corrective follow-up actions are not implemented. Combining
EOP-004 Standard requirements under the umbrella of the CIP-001 Standard would create a high profile
Disturbance Reporting Standard. The industry would be better served if information defining sabotage was
provided as well as a technical reference document on recognizing sabotage that would also clarify or state
any personnel training requirements. All aspects of the intended functions must be reviewed before merging
the two standards. At a minimum, we must consider modification that provides improved understanding of
the reporting standards and implications as they are currently written.
Group
PSEG Enterprise Group Inc Companies
Public Service Electric and Gas Company
Yes
Yes
No
Yes
The PSEG Companies ask that the drafting team allow sufficient flexibility for sabotage recognition and reporting requirements such that nothing precludes utilizing a single corporate-wide program for both bulk electric system assets and other businesses. PSEG's Sabotage Recognition, Response and Reporting Program is directed to all business areas which are directed to follow the same internal protocol that also satisfies the NERC Standards requirements. For example, for gas assets, PSEG's gas distribution business follows the PSEG corporate-wide program for sabotage recognition and response. PSEG agrees that some modifications should be made to CIP-001 (ex. better define or give examples of sabotage) and EOP-004 to make them clearer.
• If they are merged, then Sabotage will not be in the title (or the primary focus) because several of the Disturbances that reporting is required for in EOP-004 have nothing to do with sabotage.
• EOP-004 has criteria listed in 4 places to determine when to send a report:
o Criteria listed in EOP-004 Attachment 1
o Criteria listed in EOP-004 Attachment 2
o Criteria listed in top portion of Table 1-EOP-004
o Criteria listed in bottom portion of Table 1-EOP-004
Therefore, it would be much easier if there was one table of criteria for reference that addressed all of the reportable conditions and all of the applicable reports.
• If the 2 standards are merged as suggested in the SAR, any differences in the reporting obligation for actual or attempted sabotage and reporting of disturbances must be clear.
Group
Northeast Power Coordinating Council
Northeast Power Coordinating Council
Yes
No
The SAR needs to be more specific in defining its objectives. CIP-001 Requirement R1 currently states: R1.
Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load
Serving Entity shall have procedures for the recognition of and for making their operating personnel aware
of sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection.
The SDT needs to include the following objectives: 1. Develop clear definitions for the terms “operating
personnel” and “sabotage events.” The definition of “operating personnel,” should be clarified and limited to
staff at BES facilities. Operating personnel should report only those events which meet a clear, recognizable
threshold as reportable potential sabotage events. There should be a consistent continent-wide list of
examples or typical reportable and non-reportable events to help guide operating personnel. The term
“sabotage event” needs to be defined. Clarification is required regarding when the determination of a
sabotage event is made, e.g., upon first observation (requiring operating personnel be educated in
discerning sabotage events), or upon later investigation by trained security personnel and law enforcement
individuals. The terms potential or suspected sabotage event for reporting purposes should be clarified or
defined. 2. Define the obligations of Registered Entity operating personnel - who are required to be “aware
of” such “sabotage events,” e.g., who, what, where, when, why and how, and what they are to do in
response to this awareness. The SDT should clarify the use of the term “aware” in the standard. “Aware”
can be interpreted in accordance with its largely passive, dictionary-based meaning, where being “aware”
simply means knowing about something, such as a sabotage event. Alternatively, the Reliability Standard
meaning of “aware” could refer to more active wording, involving more than mere awareness, e.g., “alert
and quick to respond,” pointing to and requiring a specific affirmative response, i.e., reporting to the
appropriate systems, governmental agencies, and regulatory bodies. EOP-004 The SDT needs to work on
the following areas. 1. NERC reporting needs to be clarified. For example, Attachment 1 paragraph 6c
states: Introduction …The entity on whose system a reportable disturbance occurs shall notify NERC ... 6.
Any action taken by a Generator Operator, Transmission Operator, Balancing Authority, or Load-Serving
Entity that results in: … c. Failure, degradation, or misoperation of system protection, special protection
schemes, remedial action schemes, or other operating systems that do not require operator intervention,
which did result in, or could have resulted in, a system disturbance …” The sense of Attachment 1 is
internally inconsistent between the introduction (“occurs”) and the required actions in 6c (“could have
resulted in a system disturbance”). The initial intent appears to be only to report actual system
disturbances. Yet, paragraph 6c adds the phrase “or could have resulted in” a potential system disturbance.
This inconsistency should be clarified.
No
Yes
Individual
Rick Terrill
Luminant Power
Yes
Yes
Yes
The SAR drafting team should include in the SAR scope a review of the NRC sabotage and event reporting
requirements to ensure there are no overlapping or conflicting requirements between NERC, FERC, and the
NRC. The SAR scope should include a review of the CIP Cyber Security Standards and coordination with the
CIP SDT to ensure that cyber sabotage reporting definitions are in concert, and ensure that cyber sabotage
reporting requirements are not duplicated in multiple standards.
Yes
None
Individual
Rao Somayajula
ReliabilityFirst Corporation
Yes
Yes
No
Yes
Individual
Tony Kroskey
Brazos Electric Power Cooperative, Inc.
Yes
Yes
No
No
May need to consider adding Transmission Owner. I don't see a need for the RRO to be included as they are
not owner/operators of grid facilities.
Individual
Paul Golden
PacifiCorp
Yes
Yes
No
No
LSE's don't generally own/operate facilities/systems that would experience a logical or physical sabotage
event.
Group
Kansas City Power & Light
Kansas City Power & Light
Yes
Agree with the SAR that clarity would be helpful in establishing criteria regarding what constitutes sabotage
reporting.
No
Agree with the scope of the SAR except for the applicable entities. See response to question #4.
No
No
Do not agree Load Serving Entities need to continue to be included for sabotage. According to the NERC
Functional Model, an LSE provides for estimating customer load and provides for the acquisition of
transmission and energy to meet customer load demand. An LSE has no real impact on maintaining the
reliability of electric network short of their planning function. Unfortunately, an LSE needs to be included for
disturbance reporting to the DOE under certain conditions for loss of customer load. This may be a reason
to maintain a separation of CIP-001 and EOP-004 so as not to unnecessarily include an LSE when it is not
needed.
If it is desirable to keep CIP-001 and EOP-004 separate, it is recommended the SDT consider adding a
reference in CIP-001 to the DOE reporting form either by name or by internet link in the standard.
Individual
Terry Harbour
MidAmerican Energy
No
MidAmerican Energy believes only EOP-004-1 is confusing and needs to be modified or clarified. There is no
need to combine the two standards. Standard EOP-004 could be clarified to eliminate references to
sabotage which are already covered by CIP-001-1. Standard EOP-004 should be strictly limited to system
events, not sabotage.
No
See the responses to questions 1 and 5.
Yes
Attachment TOP-005, section 2.9 speaks of “Multi-site sabotage” with no definition. The ES-ISAC 2008
advisory is an associated standard or practice on sabotage. All references to sabotage should be eliminated
or retired except for CIP-001.
No
MidAmerican Energy believes the requirement for the Regional Reliability Organization should be removed
from EOP-004-1 since the RRO is a holdover from making the standards enforceable. It is no longer
appropriate for the regions to be named as responsible entities within the standards.
Conflicting time frames exist from document updates. Reporting should be consolidated to one form and / or site to minimize conflicts, confusion, and errors.
1) Reporting requirements for the outage of 50,000 or more customers in EOP-004-1 requires a report to be made within one hour while the form OE-417 requires a report be made within six hours of the outage. The six hour reference on the updated OE-417 form is the correct reference.
2) Reporting for either CIP-001 or EOP-004 should center on the DOE Form OE-417. This would eliminate confusion, simplify reporting for system operators thereby directly enhancing reliability during system events. This would also eliminate much of the duplicate material and attachments in EOP-004.
3) Although it is beyond the scope of this SAR, the industry would benefit if there was a central location or link on the NERC website containing all reporting forms, including FERC, NERC, DOE, and ESIAC. This would enable System Operators to more efficiently locate and report events.
Individual
Darryl Curtis
Oncor Electric Delivery
Yes
Yes
No
Yes
No Additional Comments
Individual
Chris de Graffenried on behalf of Con Edison & O&R
Consolidated Edison Co. of New York, Inc.
Yes
No
GENERAL – CECONY and ORU support the general objectives of the SAR to merge existing standards CIP-001-1 – Sabotage Reporting and EOP-004-1 – Disturbance Reporting to improve clarity and remove
redundancy. However, the SAR needs to be more specific in defining its objectives. CIP-001 Requirement R1
currently states: R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the recognition of and for making their
operating personnel aware of sabotage events on its facilities and multi-site sabotage affecting larger
portions of the Interconnection. The SDT needs to include the following objectives: 1. Develop clear
definitions for the terms “operating personnel” and “sabotage events.” The definition of “operating
personnel,” should be clarified and limited to staff at BES facilities. Operating personnel should report only
those events which meet a clear, recognizable threshold as reportable potential sabotage events. There
should be a consistent continent-wide list of examples or typical reportable and non-reportable events to
help guide operating personnel. The term “sabotage event” needs to be defined. Clarification is required
regarding when the determination of a sabotage event is made, e.g., upon first observation (requiring
operating personnel be educated in discerning sabotage events), or upon later investigation by trained
security personnel and law enforcement individuals. The terms potential or suspected sabotage event for
reporting purposes should be clarified or defined. 2. Define the obligations of Registered Entity operating
personnel - who are required to be “aware of” such “sabotage events,” e.g., who, what, where, when, why
and how, and what they are to do in response to this awareness. The SDT should clarify the use of the term
“aware” in the standard. “Aware” can be interpreted in accordance with its largely passive, dictionary-based
meaning, where being “aware” simply means knowing about something, such as a sabotage event.
Alternatively, the Reliability Standard meaning of “aware” could refer to more active wording, involving
more than mere awareness, e.g., “alert and quick to respond,” pointing to and requiring a specific
affirmative response, i.e., reporting to the appropriate systems, governmental agencies, and regulatory
bodies. EOP-004 The SDT needs to work on the following areas. 1. NERC reporting needs to be clarified. For
example, Attachment 1 paragraph 6c states: Introduction …The entity on whose system a reportable
disturbance occurs shall notify NERC ... 6. Any action taken by a Generator Operator, Transmission
Operator, Balancing Authority, or Load-Serving Entity that results in: … c. Failure, degradation, or
misoperation of system protection, special protection schemes, remedial action schemes, or other operating
systems that do not require operator intervention, which did result in, or could have resulted in, a system
disturbance …” The sense of Attachment 1 is internally inconsistent between the introduction (“occurs”) and
the required actions in 6c (“could have resulted in a system disturbance”). The initial intent appears to be
only to report actual system disturbances. Yet, paragraph 6c adds the phrase “or could have resulted in” a
potential system disturbance. This inconsistency should be clarified.
No
Yes
Individual
Wayne Pourciau
Georgia System Operations Corp.
Yes
There is a need to eliminate burdensome reporting deadlines which interfere with the reliable operations or
recovery of the BES. There is also a need to move requirements for reporting to NERC or Regional Entities
(except for reporting of threats to physical or cyber security) from the Requirements section of Reliability
Standards to elsewhere.
No
The scope of the SAR should be to move all requirements to report to NERC or Regional Entities out of the
Requirements section of all Reliability Standards to elsewhere. This does not include reporting,
communicating, or coordinating between reliability entities. The NERC/Region reporting requirements could
be consolidated in another document and referenced in the Supporting References section of the Reliability
Standards. The deadlines for reporting should be changed to realistic timeframes that do not interfere with
operating the BES or responding to incidents yet still allow NERC and the Regions to accomplish their
missions.
No
Business practices should not be part of a Reliability Standard. Neither should NERC/Region reporting
requirements (except for reporting of threats to physical or cyber security). NERC may need to take some
action in the case of threats but does not and cannot take any operational action for most of the reporting
requirements that are presently in the Requirements section of the Reliability Standards.
No
EOP-004 should be retired. CIP-001 should not apply to LSEs other than those that are retail marketers.
Entity reporting to NERC/Regions is needed by NERC and the Regions to accomplish their missions of
overseeing the reliability of the BES and enforcing compliance with Reliability Standards. An entity not
reporting as quickly as possible does not harm the integrity of the Interconnection. In fact, it increases the
risk to the BES to be investigating details and filling out forms during a time when attention should be on
correcting or mitigating an incident.
Individual
Bob Thomas
Illinois Municipal Electric Agency
Yes
Simplification of reporting requirements should facilitate reliability.
Yes
Yes
A one-stop reporting tool/site would facilitate efficient reporting and compliance; e.g., further development
of the ES-ISAC/CIPIS to include all reportable categories and automatic notification of required parties. A
single report form would be best.
Yes
IMEA recommends the following considerations: Simplification of reportable events and the reporting
process should be the overriding objective. NERC's Security Guideline for the Electricity Sector: Threat and
Incident Reporting (Version 2.0) should be updated to support this standards development initiative. At
some point in the process, it may help if examples are given of events actually reported that did not need to
be reported.
Individual
Kasia Mihalchuk
Manitoba Hydro
Yes
Yes
No
Yes
Group
IRC Standards Review Committee
IESO
Yes
Yes
No
No
We agree with the applicability of CIP-001-1 but question the need to include the RRO in EOP-004-1.
Requirement R1 of EOP-004-1 can be turned into an industry developed and approved procedural
requirement with details included in an appendix; whereas R5 can be changed to a requirement for the
responsible entities to act on recommendations and to self-report compliance. Tracking and reviewing
status of recommendation do not need to be performed by the RRO, or any entity for that matter, if a self-reporting mechanism is developed.
We suggest that the revision not be conducted with a preconceived notion that the two standards must be
combined since there are some differences between sabotage and emergency system conditions, and in the
communication and reporting processes and channels. We suggest the SDT start off with a neutral position
to focus on improving the standards, then assess the pros and cons of merging the two based on technical
merit only.
Group
Pepco Holdings, Inc. - Affiliates
Pepco Holdings, Inc.
Yes
PHI recommends merging these two standards into one.
Yes
No
No
As specified in Order 693, Regional Reliability Organizations are not to be assigned applicability. The revised
standard(s) should contain the reporting form either directly or by reference and the RRO should be
removed. The other EOP-004 requirements for RROs are now considered normal monitoring activities of the
Regional Entities.
Consider CIP-008-2 as potentially having overlaps with the proposed standard.
Individual
Jim Sorrels
AEP
Yes
No
Sabotage is a term of intent that is often determined after the fact by the registered entity and/or law
enforcement officials. In fact, it is often difficult to determine in real-time the intent of a suspicious event.
We would suggest that suspicious events become reportable at the point that the event is determined to
have had sabotage intent. The entities should have a methodology to collect evidence, to have the evidence
analyzed, and to report those events that are determined to have had the intent of sabotage.
Yes
The current reporting process necessitates multiple reports be sent to multiple parties, which is inefficient
and may, inadvertently, result in alignment issues between the separate reports. We would recommend that
a single report that combines NERC (CIPIS) and NERC ESISAC information be provided to NERC (CIPIS) that
is systematically (programmatically) forwarded to all necessary entities. Further, updates to incidents would
also go through NERC with the same electronic processing. Currently, we are not aware of a formal method
to report incidents to the FBI, which should be also included in the distribution. The current reporting
mechanism to the FBI JTTF is by telephone and the NERC platform described would provide more consistent
reporting.
No
We would recommend that the Load Serving Entity (LSE) be removed from both standards, and that the
Generator Owner and Transmission Owner be added to the resulting standard.
Group
FirstEnergy
FirstEnergy Corp.
Yes
Yes
We agree with the scope but would also like to see the following considered: 1. References to the DOE
reporting process in EOP-004 need to be revised. They currently refer to the old EIA form. 2. Besides
"sabotage", it may be helpful to clearly define "vandalism". It is vaguely written in the standards. Also, the
process of "public appeals" for the DOE reportable requirements needs to be more clearly defined. 3.
Consolidate documents covering reporting requirements. There are currently several documents that require
reporting (EOP-004, CIP-001, DOE oe-417, and NERC's Security Guideline for the Electricity Sector: Threat
and Incident Reporting). NERC also has the "Bulk Power System Disturbance Classification Scale" that does
not completely align with all the reporting requirements. Therefore we recommend keeping this as simple as
possible by combining all the reporting requirements into one standard. It would be beneficial to not require
operators to have to go to 4 different documents to determine what to report on.
No
Although we are not aware of any NAESB business practices that need to be reviewed in conjunction with
these proposed revisions, the SDT should consider reviewing current RTO procedures and practices that
may require the need for variances in the revised standards.
No
The Regional Reliability Organization should be removed from the applicability of EOP-004-1. Any report
they receive would be from the other entities listed. For consistency, the entities should report to the
appropriate law enforcement agency. A report to the Reliability Entity should also be made for that entity's
information only.
1. Under Industry Need it states: "The existing requirements need to be revised to be more specific – and
there needs to be more clarity in what sabotage looks like." The use of the phrase "more specific" should be
qualified by adding "while not being too prescriptive". As with other reliability standards, we do not want a
standard that causes unwarranted and unnecessary additional work and costs to an entity to comply. 2. As
pointed out by the NERC Audit and Observation Team in the "Issues to be considered" for CIP-001,
clarification is needed regarding contacting the FBI. Prior audits dwelled heavily on FBI notification. For
example, our policy states that Corporate Security notifies the FBI. In recent events it appears that local law
enforcement handles day to day activities. The notification process for contacting the FBI needs clarification
along with specific instances in which to call them. Who should make the call to the FBI? It appears that a
protocol needs to be developed to clarify what events require notifying the FBI. It could be as simple as
after an incident a standard form is completed and forwarded to the FBI, letting them decide if follow up is
needed. 3. We suggest aligning all reporting requirements for consistency. The items requiring reporting
and the timelines to report are very inconsistent between NERC and the DOE. NERC's timelines are also not
consistent with their own Security Guideline for the Electricity Sector: Threat and Incident Reporting.
Individual
Greg Rowland
Duke Energy
Yes
We agree that additional clarity is needed regarding sabotage and disturbance reporting. Requirements
should be tightened up and triggering events/thresholds of materiality need to be better defined.
No
While we agree with the need for clarity in sabotage and disturbance reporting, we believe that the
Standards Drafting Team should carefully consider whether there is a reliability-related need for each
requirement. Some disturbance reporting requirements are triggered not just to assist in real-time reliability
but also to identify lessons-learned opportunities. If disturbance and sabotage reporting continue to be
reliability standards, we believe that all linkages to lessons-learned/improvements need to be stripped out.
We have other forums to identify lessons-learned opportunities and to follow-up on those opportunities.
Also, requirements to report possible non-compliances should be eliminated. We strongly support voluntary
self-reporting, but not mandatory self-reporting.
No
No
It’s unclear to us that the RRO should continue to be an applicable entity.
Individual
Howard Rulf
We Energies
Yes
No
Consider including the sabotage issues in IRO-014-1 R 1.1.1 footnote 1 and TOP-005-1 Attachment 1, 2.9.
No
Yes
Group
Electric Market Policy
Dominion Resources Inc.
Yes
Comments: Agree with the statement that sabotage is hard to determine in real time by operations staffs.
The determination of sabotage should be left up to law enforcement. They have the knowledge and peer
contacts needed to adequately determine whether physical or cyber intrusions are merely malicious acts or
coordinated efforts (sabotage). The operators should only be required to report physical and cyber
intrusions to law enforcement. All other reporting requirements should apply to law enforcement once a
determination of sabotage has been made. If the recommendations above are not to be accepted, then we
have the following comments: CIP-001-1 1) R1 – states entities “shall have procedures for the recognition
of and for making their operating personnel aware of sabotage events on its facilities and “multi-site
sabotage” affecting larger portions of the Interconnection.” The SAR notes that the industry objects to the
multi-site requirement, most likely because the term is ambiguous. If this term remains in the standard, it
needs to be clearly defined and responsibilities for obtaining (how do you get this information and from
whom?) and distributing need to be included. 2) R1 – audits have shown confusion over the requirement to
make operating personnel aware of sabotage events. The term operating personnel needs to be defined.
Are they the individuals responsible for operating the facility, coordinating with other entities (i.e., RC, BA,
TOP, GOP, and LSE)? It has been suggested that notification is required to all personnel at a facility. Keep in
mind the purpose of the standard is to ensure sabotage events are properly reported, not to address
emergency response. 3) R1 – The SAR (NERC Audit and Observation Team) notes that Registered Entities
have processes and procedures in place, but not all personnel have been trained. There is no specific
training requirement in the standard. 4) R2 & R3 – I agree with the SAR that sabotage needs to be defined
and these requirements should be more specific with respect to the information to be communicated. It
seems to me that the standard should mirror the criteria contained in DOE OE-417. The emphasis should be
placed on ensuring that the same information communicated to DOE is shared with the appropriate parties
in the Interconnection. 5) R4 – I agree with the SAR (NERC Audit and Observation Team) comments
regarding the intention of this requirement. There is no language that directs contact with FBI or RCMP
although that is what is implied by the Purpose statement. 6) VRF Comments – I’m not sure what is
intended by the statement “Adequate procedures will insure it is unlikely to lead to bulk electric system
instability, separation, or cascading failures.” The purpose of the standard is that of communication. No
operational decisions or actions are directed by this standard, nor does it require entities to address
operational aspects resulting from sabotage. 7) The potential exists for overlapping sabotage reporting
requirements at nuclear power plants due to multiple regulators (Nuclear Regulatory Commission (NRC) –
10 CFR 73 and Federal Energy Regulatory Commission (FERC) – NUC-001-1). Some entities may have
revised existing NRC driven procedures to accommodate reporting requirements of both regulators. Because
of the restrictions placed on NRC driven documents (i.e., procedures are classified as “safeguards
information”), it can be difficult to demonstrate compliance to NERC and/or FERC without ensuring that the
individuals are qualified for receipt of such information per 10 CFR 73. Additionally, multiple procedures
may have the unintended consequence of delaying appropriate communication. EOP-004-1 Consider
removing Attachment 2 as the information is duplicated in DOE Form OE-417. A simple reference to the
form should suffice.
Yes
No
No
Applicability should not apply to LSE unless they have physical assets. If they do not have such assets, they
are unable to determine how many customers are out, how much load was lost or the duration of an
outage. We continue to question the need for the LSE entity in reliability standards. End use customer load
is either connected to transmission or distribution facilities. So, the applicable planner has to plan for that
load when designing its facilities or the load will not have reliable service. To the extent that energy and
capacity for that load is supplied by an entity other than the TO or DP, the TO or DP should have
interconnection requirements that compel the supplier to provide any and all data necessary to meet the
requirements of reliability standards.
CIP-008-1 Incident Reporting and Response Planning – include some requirements that require coordination
with the requirements addressed in this project.
Individual
Jianmei Chai
Consumers Energy Company
Yes
Yes
No
Yes
Individual
Mike Sonnelitter
NextEra Energy Resources, LLC
Yes
No
The scope of the SAR should not include Generator Operators.
No
No
The scope of the proposed SAR should not include the Generator Operator.
No comment.
Individual
D. Bryan Guy
Progress Energy
No
No. It is not clear that the issues listed in a revised standard will improve reliability. Revision based on
redundancy is not sufficient reason for combination. Extensive documentation efforts have been made to
comply with the current Standards. Unless combining these Standards provides compelling Reliability
benefit, it is not worth the industry’s resources to revise existing documentation and processes for the sake
of eliminating redundancy. Redundancy issues were raised prior to the ERO adopting the initial Standard set
into law. We have noted the other issues raised in the SAR, however, it is still unclear where the Reliability
benefit of this SAR is evidenced.
No
No. If this SAR moves forward other standards may need to be considered. For example, in CIP-008,
incident reporting for cyber incidents leads to filing of the OE-417 form.
Yes
Yes. If this SAR moves forward other practices such as those required by CIP-008 (cyber incident reporting
via the OE-417 form) may need to be considered.
Yes
Group
Bonneville Power Administration
BPA Transmission Reliability Program
No
Eliminating a single standard by consolidating two standards does not improve reliability. All of the defined
actions are indeed being taken now.
No
Leave as is, all requirements for reporting are now covered. A common definition of sabotage is already
widely available.
No
Yes
Individual
Kirit Shah
Ameren
Yes
No
There seems to be an open slate including the following language in the scope “The development may
include other improvements to the standards deemed appropriate by the drafting team, with the consensus
of stakeholders, consistent with establishing high quality, enforceable and technically sufficient bulk power
system reliability standards (see tables for each standard at the end of this SAR for more detailed
information).” The unnamed improvements should be limited to those requirements that relate only to
Disturbance and Sabotage NOT a general wish list (or witch hunt).
No
Yes
None
Group
MRO NERC Standards Review Subcommittee
Michael Brytowski
Yes
No
The MRO NSRS would like to keep the references to the DOE reporting form.
Yes
No
As FERC has directed, the RRO should be removed since they are not owners or operators of the BES.
A. The SAR states that there may be impact on a related standard, COM-003-1 (page SAR-5). Is the SDT
referring to Project 2007-02, Operating Personnel Communication Protocols? If so, this is a SAR too and
should not be used as a reference. B. CIP-001-1 and EOP-004-1 should be combined into one EOP
Standard. C. Within EOP-004-1 there is industry confusion on what form to submit in the event of an event.
There should only be one form for the new combination Standard eliminating the need for reporting form
attachments. It should be the DOE Form, OE-417. Although it is beyond the scope of this SAR, it would
greatly benefit industry if there was a central location on the NERC website containing ALL reporting forms,
including FERC, NERC, DOE, and ESIAC. This would enable the System Operators to efficiently locate the
most current version of the appropriate form in order to report events. D. The word Disturbance is primarily
used in other Standards as in, Disturbance Control Standard or system separation due to a disturbance.
Should the NERC definition be updated? Should the word “Sabotage” be defined by NERC? Additionally, we
recommend that one definition of “Sabotage” be utilized industry-wide, instead of varying definitions by
multiple groups like the DOE, ESIAC, etc.
Consideration of Comments on Project 2009-01 — SAR for Disturbance and
Sabotage Reporting
The Disturbance and Sabotage Reporting SAR Drafting Team (DSR SAR DT) thanks all
commenters who submitted comments on the first draft SAR. The SAR was posted for a 30-day public comment period from April 22, 2009 through May 21, 2009. The stakeholders
were asked to provide feedback on the documents through a special Electronic Comment
Form. There were 40 sets of comments, including comments from more than 120 different
people from over 60 companies representing 9 of the 10 Industry Segments as shown in the
table on the following pages.
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
The majority of stakeholders agree that there is a reliability-related need to support
modifying CIP-001-1 and EOP-004-1. The stakeholders who provided comments
predominantly agreed with the reliability-related reason for the SAR but offered the
following concerns:
1) Concerns with applicability of the requirements: The SAR DT notes that applicability
will be determined by the final requirements that are written for the standard.
2) Concerns on combining the standards: The SAR DT notes that the Purpose of the
SAR indicates that the standards may be merged to eliminate redundancy and
provide clarity. It will be up to the Standard Drafting team to make this
determination through the Standard Development Process (with stakeholder input).
3) Concerns with the definition of sabotage and the inclusion of vandalism, thresholds
for defining sabotage, etc.
4) Concerns on onerous or duplicative reporting: The Brief Description section of the
SAR states “Specific references to the DOE form need to be eliminated”. This should
address these concerns.
The SAR DT does not feel that the SAR should be revised based on these comments. The
SAR DT will forward these comments to the Standard Drafting Team for its consideration in
the drafting of the standards.
The majority of stakeholders agree with the scope of the SAR. Several stakeholders offered
suggestions for items to include in the SAR, however the SAR DT believes that these
comments may be too prescriptive to include with the SAR. The team feels that inclusion of
these types of comments would prevent the Standard Drafting Team from having the ability
to develop standard(s) based on stakeholder consensus. The SAR DT will forward these
comments to the Standard Drafting Team for its consideration. Some of the comments
received include:
1) The inclusion of specific definitions in the SAR (operating personnel, sabotage
events, obligations): The SAR DT believes that this would be too prescriptive and
that it should be addressed by the Standard Drafting Team.
2) Consolidate documents covering reporting requirements: The SAR DT agrees and
suggests that the Standard Drafting Team investigate a “one-stop-shopping”
solution for the various reports required, including the DOE report.
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
Stakeholders did not identify any associated business practices for consideration under the
SAR. One stakeholder identified a related standard that references multi-site sabotage.
The team has included a reference to TOP-005, section 2.9 (Appendix 1) in the SAR under
Related Standards. Two stakeholders suggested that Business Practices should not be
considered in a standard. The SAR DT notes that standard development projects must not
invalidate business practices that are already in place, and that this aids coordination with
the North American Energy Standards Board (NAESB).
Many stakeholders had comments regarding applicability of the two standards. Based on
these comments, the SAR DT has added Transmission Owner, Generator Owner and
Distribution Provider to the Applicability section of the SAR as possible entities in the
standard(s) developed under this SAR as the Standard Drafting team may have a need to
include them in the standard(s). The applicability of Load-Serving Entity or Distribution
Provider will ultimately be determined by the Standard Drafting Team as it develops the
requirements through the Standard Development Process. The three main comments were:
1) Regional Reliability Organization applicability: Several commenters do not feel the
RRO should be in the standards. The DSR SAR DT concurs and notes that the SAR
states that “EOP-004 has some ‘fill-in-the-blank’ components to eliminate”. This will
remove the RRO from applicability.
2) Load-Serving Entity/Distribution Provider: Several stakeholders do not feel that the
standards should be applicable to LSEs, but should apply to Distribution Providers.
NERC has recognized, through its Compliance Registry, that there are asset owning
LSEs and non-asset owning LSEs. The SAR DT believes that an asset owning LSE
may be a Distribution Provider based on the Functional Model v4. The team has
added DP to the applicability of the standard as the Standard Drafting team may
have a need to include them in the standard(s). The applicability of LSE or
Distribution Provider will ultimately be determined by the Standard Drafting Team as
it develops the requirements through the Standard Development Process.
3) Transmission Owner/Generator Owner: Several stakeholders have indicated a need
to include the TO as an applicable entity. A couple of those would also include the
GO. The SAR DT discussed the addition of the TO and GO. The team has a concern
that there may be duplication of requirements between the TO/TOP and GO/GOP if
the TO and GO are added to the SAR. That being said, the team added the TO and
GO to the applicability of the SAR so that the Standard Drafting team may consider
these entities for applicability. The applicability of requirements will ultimately be
determined by the Standard Drafting Team as it develops the requirements through
the Standard Development Process.
Stakeholders provided many good comments that should be considered in the development
of the standards under this project. The SAR DT does not believe that these comments
require any significant revisions to the SAR, but will forward these comments to the
Standard Drafting Team for its consideration in drafting the standard(s). The comments
include:
1) Consolidation of reports: The SAR DT agrees with this concept and will forward the
comment to the Standard Drafting Team for its consideration.
2) Concerns about pre-determination of combining CIP-001 and EOP-004 into one
standard: The SAR states: CIP-001 may be merged with EOP-004 to eliminate
redundancies. The two standards may be left separate.
3) Reporting criteria in multiple tables: The team agrees that it would be easier if there
were only one table. Part of the scope of this project is to eliminate redundancies
and make general improvements to the standard. The team also agrees that the
requirements developed should be clear in their reliability objective.
If you feel that your comment has been overlooked, please let us know immediately. Our
goal is to give every comment serious consideration in this process! If you feel there has
been an error or omission, you can contact the Vice President and Director of Standards,
Gerry Adamski, at 609-452-8060 or at gerry.adamski@nerc.net. In addition, there is a
NERC Reliability Standards Appeals Process.[1]
[1] The appeals process is in the Reliability Standards Development Procedures:
http://www.nerc.com/standards/newstandardsprocess.html.
Index to Questions, Comments, and Responses
1. Do you agree that there is a reliability-related reason to support modifying CIP-001-1
and EOP-004-1? If not, please explain in the comment area.
2. Do you agree with the scope of the proposed SAR? If not, please explain what should
be added or deleted to the proposed scope.
3. Are you aware of any associated business practices that we should consider with this
SAR? If yes, please explain in the comment area.
4. CIP-001-1 applies to the Reliability Coordinator, Transmission Operator, Balancing
Authority, Generator Operator, and the Load-serving Entity. EOP-004-1 applies to the
same entities, plus the Regional Reliability Organization. Do you agree with the
applicability of the existing CIP-001-1 and the existing EOP-004-1? If no, please
identify what you believe should be modified.
5. If you have any other comments on the SAR or proposed modifications to CIP-001-1
and EOP-004-1 that you haven’t provided in response to the previous questions, please
provide them here.
August 13, 2009
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Commenter
Organization
Industry Segment
1
1.
Group
Jim Case
SERC OC Standards Review Group
Additional Member
X
Additional Organization
2
3
4
5
6
7
9
10
X
Region
Segment Selection
1. Al McMeekin | SCE&G | SERC | 1, 3, 5
2. Eugene Warnecke | Ameren | SERC | 1, 3, 5
3. Gary Hutson | SMEPA | SERC | 1, 3, 5
4. Melinda Montgomery | Entergy | SERC | 1, 3
5. Tom Sims | Southern | SERC | 1, 3, 5
6. Marc Butts | Southern | SERC | 1, 3, 5
7. Chris Bradley | BREC | SERC | 1, 3, 5
8. Tom Kanzlik | SCE&G | SERC | 1, 3, 5
9. Paul Turner | Ga Systems Operations Corp. | SERC | 3
10. Phil Creech | Progress Energy Carolinas | SERC | 1, 3, 5
11. Vicky Budreau | SCPSA | SERC | 1, 3, 5, 9
12. Renee Free | SCPSCA | SERC | 9
13. Mike Clements | TVA | SERC | 1, 3, 5, 9
14. Travis Sykes | TVA | SERC | 1, 3, 5
8
Commenter
Organization
Industry Segment
1
15. John Troha
2.
SERC
Group
Harry Tom
3
4
5
RFC
Project 2007-02 Operating Personnel Comms
Protocols SDT
Additional Member
2
X
Additional Organization
6
7
X
X
Region
GSOC
SERC
1
HydroOne
NPCC
1, 9
3. Alan Allgower | ERCOT | ERCOT | 10
4. Harvie Beavers | Colmac Clarion/Piney Creek LP | RFC | 5
5. Mark L. Bradley | ITC | MRO | 1
6. Mike Brost | JEA | FRCC | 1
7. William D Ellard | CAISO | WECC | 10
8. Ronald Goins | MISO | MRO | 10
9. Leanne Harrison | PJM | RFC | 10
10. James McGovern | ISO-NE | NPCC | 10
11. Wayne Mitchell | Entergy | SERC | 1
12. John Stephens | City Utilities of Springfield | RFC | 1
13. Fred Waites | Southern Company | SERC | 1
Kenneth D. Brown
Additional Member
PSEG Enterprise Group Inc Companies
X
Additional Organization
Region
RFC
5
2. James Hebson | PSEG Energy Resources & Trade | RFC | 6
3. Gary Grysko | PSEG Power Connecticut | NPCC | 5
4. Dominic DiBari | PSEG Texas LLC | ERCOT | 5
Guy Zito
Additional Member
Northeast Power Coordinating Council
X
Additional Organization
Region
Segment Selection
1. Ralph Rufrano | New York Power Authority | NPCC | 5
2. Alan Adamson | New York State Reliability Council | NPCC | 10
X
Segment Selection
PSEG Fossil LLC
Group
X
X
1. Clint Bogan
4.
10
Segment Selection
2. Tom Irvine
Group
9
10
1. Lloyd Snyder
3.
8
Commenter
Organization
Industry Segment
1
2
3
4
5
6
7
3. Greg Campoli | New York Independent System Operator | NPCC | 2
4. Roger Champagne | Hydro-Quebec TransEnergie | NPCC | 2
5. Kurtis Chong | Independent Electricity System Operator | NPCC | 2
6. Sylvain Clermont | Hydro-Quebec TransEnergie | NPCC | 1
7. Manuel Couto | National Grid | NPCC | 1
8. Chris de Graffenried | Consolidated Edison Co. of New York, Inc. | NPCC | 1
9. Brian Evans-Mongeon | Utility Services | NPCC | 8
10. Mike Garton | Dominion Resources Services, inc. | NPCC | 5
11. Mike Gildea | Constellation Energy | NPCC | 6
12. Brian Gooder | Ontario Power Generation Incorporated | NPCC | 5
13. Kathleen Goodman | ISO - New England | NPCC | 2
14. David Kiguel | Hydro One Networks, Inc. | NPCC | 1
15. Michael Lombardi | Northeast Utilities | NPCC | 1
16. Randy MacDonald | New Brunswick System Operator | NPCC | 2
17. Bruce Metruck | New York Power Authority | NPCC | 6
18. Robert Pellegrini | The United Illuminating Company | NPCC | 1
19. Michael Schiavone | National Grid | NPCC | 1
20. Michael Sonnelitter | FPL Energy/NextEra Energy | NPCC | 5
21. Peter Yost | Consolidated Edison Co. of New York, Inc. | NPCC | 3
22. Lee Pedowicz | Northeast Power Coordinating Council | NPCC | 10
23. Gerry Dunbar | Northeast Power Coordinating Council | NPCC | 10
5.
Group
Michael Gammon
Additional Member
Kansas City Power & Light
X
X
Additional Organization
Region
X
SPP
1, 3, 5, 6
2. John Breckenridge | Kansas City Power & Light | SPP | 1, 3, 5, 6
Ben Li
Additional Member
IRC Standards Review Committee
Additional Organization
10
Segment Selection
Kansas City Power & Light
Group
9
X
1. Joe Doetzl
6.
8
X
Region
Segment Selection
Commenter
Organization
Industry Segment
1
2
3
4
5
6
7
1. James Castle | NYISO | NPCC | 2
2. Charles Yeung | SPP | SPP | 2
3. Anita Lee | AESO | WECC | 2
4. Matt Goldberg | ISO-NE | NPCC | 2
5. Bill Phillips | MISO | MRO | 2
6. Steve Myers | ERCOT | ERCOT | 2
7. Lourdes Estrada-Salinero | CAISO | WECC | 2
7.
Group
Richard Kafka
Pepco Holdings, Inc. - Affiliates
Additional Member
X
Additional Organization
X
X
Region
RFC
5
2. Tony Gabrielli | Conectiv Energy Supply, Inc. | RFC | 5
3. George Gacser | Potomac Electric Power Co. | RFC | 1, 3, 5
4. E. W. Stowe | Pepco Holdings, Inc | RFC | 1, 3, 5
5. Mark Godfrey | Pepco Holdings, Inc | RFC | 1, 3
Sam Ciccone
FirstEnergy
Additional Member
X
Additional Organization
X
X
X
X
Region
Segment Selection
1. Jim Eckels | FE | RFC | 1
2. John Martinez | FE | RFC | 1
3. John Reed | FE | RFC | 1
4. Dave Folk | FE | RFC | 1, 3, 4, 5, 6
5. Doug Hohlbaugh | FE | RFC | 1, 3, 4, 5, 6
6. Larry Hartley | FE | RFC | 3
9.
Group
Jalal Babik
Additional Member
Electric Market Policy
X
Additional Organization
X
Region
X
X
Segment Selection
1. Louis Slade
SERC
6
2. Mike Garton
NPCC
5
10
Segment Selection
Conectiv Energy Supply, Inc.
Group
9
X
1. Kara Dundas
8.
8
Commenter
Organization
Industry Segment
1
10.
Group
Denise Koehn
Bonneville Power Administration
Additional Member
1. Theodore Snodgrass
11.
Group
Michael Brytowski
X
Additional Organization
Dispatch
2
3
4
X
5
6
X
X
Region
7
9
10
Segment Selection
WECC
1
MRO NERC Standards Review Subcommittee
Additional Member
X
Additional Organization
Region
Segment Selection
1. Carol Gerou | MRO | MRO | 10
2. Neal Balu | WPS | MRO | 3, 4, 5, 6
3. Pam Sordet | XCEL | MRO | 1, 3, 5, 6
4. Joe DePoorter | MGE | MRO | 3, 4, 5, 6
5. Ken Goldsmith | ALTW | MRO | 4
6. Jim Haigh | WAPA | MRO | 1, 6
7. Terry Harbour | MEC | MRO | 1, 3, 5, 6
8. Joseph Knight | GRE | MRO | 1, 3, 5, 6
9. Scott Nickels | RPU | MRO | 3, 4, 5, 6
10. Dave Rudolph | BEPC | MRO | 1, 3, 5, 6
11. Eric Ruskamp | LES | MRO | 1, 3, 5, 6
12.
Individual
Stephen V. Fisher
Lands Energy Consulting
13.
Individual
Brent Hebert
Calpine Corporation
X
14.
Individual
Steve Toth
Covanta
X
15.
Individual
Harvie Beavers
Colmac Clarion
X
16.
Individual
Russell A. Noble
Cowlitz County PUD
17.
Individual
Michael Puscas
United Illuminating
18.
Individual
George Pettyjohn
Reliant Energy
8
X
X
X
X
Commenter
Organization
Industry Segment
1
2
3
4
5
6
19.
Individual
Judith A. James
Texas Regional Entity
20.
Individual
Edward C. Stein
self
21.
Individual
Chris Scanlon
Exelon
22.
Individual
Mike Davis
WECC
23.
Individual
Jimmy Hartmann
ERCOT ISO
24.
Individual
Rick Terrill
Luminant Power
25.
Individual
Rao Somayajula
ReliabilityFirst Corporation
26.
Individual
Tony Kroskey
Brazos Electric Power Cooperative, Inc.
X
27.
Individual
Paul Golden
PacifiCorp
X
28.
Individual
Terry Harbour
MidAmerican Energy
X
29.
Individual
Darryl Curtis
Oncor Electric Delivery
X
30.
Individual
Chris de Graffenried on
behalf of Con Edison &
O&R
Consolidated Edison Co. of New York, Inc.
X
31.
Individual
Wayne Pourciau
Georgia System Operations Corp.
32.
Individual
Bob Thomas
Illinois Municipal Electric Agency
33.
Individual
Kasia Mihalchuk
Manitoba Hydro
X
X
X
X
34.
Individual
Jim Sorrels
AEP
X
X
X
X
7
8
9
10
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Commenter
Organization
Industry Segment
1
2
3
4
5
6
X
X
35.
Individual
Greg Rowland
Duke Energy
36.
Individual
Howard Rulf
We Energies
X
X
X
37.
Individual
Jianmei Chai
Consumers Energy Company
X
X
X
38.
Individual
Mike Sonnelitter
NextEra Energy Resources, LLC
39.
Individual
D. Bryan Guy
Progress Energy
X
X
X
40.
Individual
Kirit Shah
Ameren
X
X
X
X
X
7
8
9
10
X
X
1. Do you agree that there is a reliability-related reason to support modifying CIP-001-1 and EOP-004-1? If not,
please explain in the comment area.
Summary Consideration: The majority of stakeholders agree that there is a reliability-related need to support modifying CIP-001-1 and EOP-004-1. The stakeholders who provided comments predominantly agreed with the reliability-related
reason for the SAR but offered the following concerns:
1) Applicability of the requirements: The SAR DT notes that applicability will be determined by the final requirements that are
written for the standard.
2) Combining the standards: The SAR DT notes that the Purpose of the SAR indicates that the standards may be merged to
eliminate redundancy and provide clarity. It will be up to the Standard Drafting team to make this determination through
the Standard Development Process (with stakeholder input).
3) Definition of sabotage and the inclusion of vandalism, thresholds for defining sabotage, etc.
4) Onerous or duplicative reporting: The Brief Description section of the SAR states “Specific references to the DOE form need
to be eliminated”. This should address any concerns.
The SAR DT will forward these comments to the Standard Drafting Team for its consideration in the drafting of the standards.
Organization
Yes or No
Question 1 Comment
SERC OC
Standards Review
Group
No
The EOP-004-1 standard is an unnecessary duplication of existing DOE reporting requirements. This essentially exposes
an entity to fines by NERC, enforced by FERC, for failure to comply with a DOE regulation, which seems improper to us.
In addition, reporting requirements do not have an impact on the reliability of the BES.
Response: The DSR SAR DT thanks you for your comment. The Brief Description section of the SAR states “Specific references to the DOE form
need to be eliminated”.
MidAmerican
Energy
No
MidAmerican Energy believes only EOP-004-1 is confusing and needs to be modified or clarified. There is no need to
combine the two standards. Standard EOP-004 could be clarified to eliminate references to sabotage which are already
covered by CIP-001-1. Standard EOP-004 should be strictly limited to system events, not sabotage.
Response: The DSR SAR DT thanks you for your comment. The SAR DT notes that the Purpose of the SAR indicates that the standards may be
merged to eliminate redundancy and provide clarity. It will be up to the Standard Drafting Team to make this determination through the Standard
Development Process (with stakeholder input).
Bonneville Power
Administration
No
Eliminating a single standard by consolidating two standards does not improve reliability. All of the defined actions are
indeed being taken now.
Response: The DSR SAR DT thanks you for your comment. The SAR DT notes that the Purpose of the SAR indicates that the standards may be
merged to eliminate redundancy and provide clarity. It will be up to the Standard Drafting team to make this determination through the Standard
Development Process (with stakeholder input).
Progress Energy
No
No. It is not clear that the issues listed in a revised standard will improve reliability. Revision based on redundancy is not
sufficient reason for combination. Extensive documentation efforts have been made to comply with the current Standards.
Unless combining these Standards provides compelling Reliability benefit, it is not worth the industry’s resources to revise
existing documentation and processes for the sake of eliminating redundancy. Redundancy issues were raised prior to
the ERO adopting the initial Standard set into law. We have noted the other issues raised in the SAR, however, it is still
unclear where the Reliability benefit of this SAR is evidenced.
Response: The DSR SAR DT thanks you for your comment. Industry consensus indicates that eliminating redundancy between standards is
required to avoid potential double jeopardy issues with compliance to the standards. Furthermore, one of the FERC Order 693 directives for CIP-001 is:
Explore ways to reduce redundant reporting, including central coordination of sabotage reports and a uniform reporting format.
Kansas City
Power & Light
Yes
Agree with the SAR that clarity would be helpful in establishing criteria regarding what constitutes sabotage reporting.
Response: The DSR SAR DT thanks you for your comment. One of the FERC Order 693 directives for CIP-001 is:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
Pepco Holdings,
Inc. - Affiliates
Yes
PHI recommends merging these two standards into one.
Response: The DSR SAR DT thanks you for your comment. The SAR DT notes that the Purpose of the SAR indicates that the standards may be
merged to eliminate redundancy and provide clarity. It will be up to the Standard Drafting team to make this determination through the Standard
Development Process (with stakeholder input).
Electric Market
Policy
Yes
Comments: Agree with the statement that sabotage is hard to determine in real time by operations staffs. The
determination of sabotage should be left up to law enforcement. They have the knowledge and peer contacts needed to
adequately determine whether physical or cyber intrusions are merely malicious acts or coordinated efforts (sabotage).
The operators should only be required to report physical and cyber intrusions to law enforcement. All other reporting
requirements should apply to law enforcement once a determination of sabotage has been made. If the recommendations
above are not to be accepted, then we have the following comments:
CIP-001-1
1) R1 states entities shall have procedures for the recognition of and for making their operating personnel aware of
sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection. The SAR notes
that the industry objects to the multi-site requirement, most likely because the term is ambiguous. If this term remains in
the standard, it needs to be clearly defined and responsibilities for obtaining (how do you get this information and from
whom?) and distributing need to be included.
2) R1 audits have shown confusion over the requirement to make operating personnel aware of sabotage events. The
term operating personnel needs to be defined. Are they the individuals responsible for operating the facility, coordinating
with other entities (i.e., RC, BA, TOP, GOP, and LSE)? It has been suggested that notification is required to all personnel
at a facility. Keep in mind the purpose of the standard is to ensure sabotage events are properly reported, not to address
emergency response.
3) R1 The SAR (NERC Audit and Observation Team) notes that Registered Entities have processes and procedures in
place, but not all personnel have been trained. There is no specific training requirement in the standard.
4) R2 & R3 I agree with the SAR that sabotage needs to be defined and these requirements should be more specific with
respect to the information to be communicated. It seems to me that the standard should mirror the criteria contained in
DOE OE-417. The emphasis should be placed on ensuring that the same information communicated to DOE is shared
with the appropriate parties in the Interconnection.
5) R4 I agree with the SAR (NERC Audit and Observation Team) comments regarding the intention of this requirement.
There is no language that directs contact with FBI or RCMP although that is what is implied by the Purpose statement.
6) VRF Comments I’m not sure what is intended by the statement Adequate procedures will insure it is unlikely to lead to
bulk electric system instability, separation, or cascading failures? The purpose of the standard is that of communication.
No operational decisions or actions are directed by this standard, nor does it require entities to address operational
aspects resulting from sabotage.
7) The potential exists for overlapping sabotage reporting requirements at nuclear power plants due to multiple regulators
(Nuclear Regulatory Commission (NRC) 10 CFR 73 and Federal Energy Regulatory Commission (FERC) NUC-001-1).
Some entities may have revised existing NRC driven procedures to accommodate reporting requirements of both
regulators. Because of the restrictions placed on NRC driven documents (i.e., procedures are classified as safeguards
information), it can be difficult to demonstrate compliance to NERC and/or FERC without ensuring that the individuals are
qualified for receipt of such information per 10 CFR 73. Additionally, multiple procedures may have the unintended
consequence of delaying appropriate communication.
EOP-004-1
Consider removing Attachment 2 as the information is
duplicated in DOE Form OE-417. A simple reference to the form should suffice.
Response: The DSR SAR DT thanks you for your comment. The team notes that your comments relate directly to potential revisions of the
standard requirements. The team will pass your comments along to the Standards Drafting Team for its consideration. For item 4, one of the
FERC Order 693 directives for CIP-001 is:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
Lands Energy
Consulting
Yes
I have worked with 5 Northwest public utilities on developing procedures related to CIP-001-1 and EOP-004-1. All 5
utilities operate electric systems in fairly remote locations and are embedded in a larger utility's Balancing
Authority/Transmission Operator area.
A. CIP-001-1 - Developing procedures to unambiguously identify acts of sabotage has been particularly challenging for
these systems. In general, it's hard for them to determine whether the most prevalent forms of malicious and intentional
system damage that they incur - copper theft and gun shot insulators/equipment - should qualify as acts of sabotage.
Although none of the systems consider copper theft to be acts of sabotage, two of the systems consider gun shot
insulators/equipment to be acts of sabotage. The other systems look for intent to disrupt electric system operations as a
key component of their sabotage identification procedures. Additional guidance from NERC in the form of CIP-001-1
modifications or a companion guidelines document on sabotage identification would provide much needed guidance for
these procedures.
B. EOP-004-1 - This standard was clearly drafted with the larger electric systems in mind. I have one client that serves
3300 commercial/residential customers from 4-115/13 kV substation transformers and one large industrial customer (80%
of its energy load) from a 230/13 kV substation. 75% of the client's load is served from three substations attached to a
long, 115 kV transmission line operated by the Bonneville Power Administration. Whenever the line relays open on a
permanent fault (which happens 2-3 times per year), the client loses over 50% of its customers (but no more than 10-15
MW during winter peak), thereby necessitating the preparation of a Disturbance Report. To allow utilities to concentrate
on operating their systems, without fear of violating EOP-004-1 for failure to report trivial outages, I would remove LSEs
from the obligation to report disturbances - leave the reporting to the BA/TOP for large outages in their footprint.
Response: The DSR SAR DT thanks you for your comment.
A. The team notes that your comments relate directly to potential revisions of the standard requirements. The team will pass your comments
along to the Standards Drafting Team for its consideration.
B. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs and non-asset owning LSEs. The SAR DT believes
that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The team has added DP to the applicability of the
standard as the Standard Drafting team may have a need to include them in the standard(s). The applicability of LSE or Distribution Provider will
ultimately be determined by the Standard Drafting Team as it develops the requirements through the Standard Development Process. The team
will pass your comments along to the Standards Drafting Team for its consideration.
Calpine
Corporation
Yes
Communication of facility status or emergencies between merchant generators registered as GOP and the RC, BA, GOP,
or LSE in which the facility resides should be coordinated for EOP-004 reporting. The reporting to NERC/DOE should
come from the RC, BA, GOP, or LSE.
Response: The DSR SAR DT thanks you for your comment. The team concurs that reporting should be coordinated and will pass your comments
along to the Standards Drafting Team for its consideration.
Covanta
Yes
Yes - the key to Sabotage reporting requirements is identifying what the 'definition' is of an actual or potential 'Sabotage'
event. Like any other standard, if FERC/NERC leave it up to 2000+ entities to establish their own definitions of
'Sabotage', you may likely get 2000+ answers. That is not a controlled and coordinated approach. I offer the following
definition, "Sabotage - Deliberate or malicious destruction of property, obstruction of normal operations, or injury to
personnel by outside agents." Examples of sabotage events could include, but are not limited to, suspicious packages left
near site electrical generating or electrical transmission assets, identified destruction of generating assets, telephone/e-mail
received threats to destroy or interrupt electrical generating efforts, etc." These have passed multiple NERC
regional audits and reviews to date.
Response: The DSR SAR DT thanks you for your comment. One of the FERC Order 693 directives for CIP-001 is:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
The team will pass your comments along to the Standards Drafting Team for its consideration.
Cowlitz County
PUD
Yes
The standards as written now create reporting on local customer quality of service outage events not related to BPS
disturbances. Sabotage reporting has degenerated into reporting of mischievous vandalism and minor theft occurrences.
This creates compliance documentation overburden and waste of limited funds needed for true BPS reliability concerns,
and also adds nuisance calls to the FBI and Homeland Security.
Response: The DSR SAR DT thanks you for your comment. One of the FERC Order 693 directives for CIP-001 is:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
This should address the concern of sabotage vs. vandalism/theft reporting.
Reliant Energy
Yes
EOP-004-1 indicates that Generators should analyze disturbances on the bulk electrical system or their facilities.
Generators do not have the capability of analyzing the bulk electrical system other than Frequency. Even so, generators
can not unilaterally respond to what it thinks are disturbances. In the case of CAISO The Participating Generator
Agreement prevents me from making any unilateral moves save for the direst frequency emergencies. If the System
operator or Reliability Coordinator informs the generator that there is a disturbance and that logs and readouts etc. are
required then the generator should respond with all available information for the subject hours or time. Clearer
responsibilities provide clearer results.
Response: The DSR SAR DT thanks you for your comment. While the team agrees that generators may not have the capability to analyze events,
the team notes that your concern is regarding applicability of requirements. The final wording of the requirements developed by the Standard
Drafting Team will determine the applicability.
Georgia System
Operations Corp.
Yes
There is a need to eliminate burdensome reporting deadlines which interfere with the reliable operations or recovery of the
BES. There is also a need to move requirements for reporting to NERC or Regional Entities (except for reporting of
threats to physical or cyber security) from the Requirements section of Reliability Standards to elsewhere.
Response: The DSR SAR DT thanks you for your comment. Specific revisions to the requirements will be vetted during the standard development
process.
Illinois Municipal
Electric Agency
Yes
Simplification of reporting requirements should facilitate reliability.
Response: The DSR SAR DT thanks you for your comment.
Duke Energy
Yes
We agree that additional clarity is needed regarding sabotage and disturbance reporting. Requirements should be
tightened up and triggering events/thresholds of materiality need to be better defined.
Response: The DSR SAR DT thanks you for your comment. One of the FERC Order 693 directives for this project is:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
MRO NERC
Standards Review
Subcommittee
Yes
Colmac Clarion
Yes
United
Illuminating
Yes
PSEG Enterprise
Group Inc
Companies
Yes
Northeast Power
Coordinating
Council
Yes
IRC Standards
Review
Committee
Yes
FirstEnergy
Yes
Texas Regional
Entity
Yes
Edward C. Stein
Yes
Exelon
Yes
WECC
Yes
ERCOT ISO
Yes
Luminant Power
Yes
ReliabilityFirst
Corporation
Yes
Brazos Electric
Power
Cooperative, Inc.
Yes
PacifiCorp
Yes
Oncor Electric
Delivery
Yes
Consolidated
Edison Co. of
New York, Inc.
Yes
Manitoba Hydro
Yes
AEP
Yes
We Energies
Yes
Consumers
Energy Company
Yes
NextEra Energy
Resources, LLC
Yes
Ameren
Yes
2. Do you agree with the scope of the proposed SAR? If not, please explain what should be added or deleted to the proposed scope.
Summary Consideration: The majority of stakeholders agree with the scope of the SAR. Several stakeholders offered
suggestions for items to include in the SAR, however the SAR DT believes that these comments may be too prescriptive to
include with the SAR. The team feels that inclusion of these types of comments would prevent the Standard Drafting Team
from having the ability to develop standard(s) based on stakeholder consensus. The SAR DT will forward these comments to
the Standard Drafting Team for its consideration. Some of the comments received include:
1) The inclusion of specific definitions in the SAR (operating personnel, sabotage events, obligations): The SAR DT believes
that this would be too prescriptive and believes that this should be addressed by the Standard Drafting Team.
2) Consolidate documents covering reporting requirements: The SAR DT agrees and suggests that the Standard Drafting
Team investigate a “one-stop-shopping” solution for the various reports required, including the DOE report.
Organization
Yes or No
Question 2 Comment
Project 2007-02
Operating
Personnel Comms
Protocols SDT
No
The Operating Personnel Communication Protocols standard drafting team respectfully requests that the Sabotage
Reporting SAR Drafting Team incorporate the following into your proposed SAR: “Each Reliability Coordinator, Balancing
Authority, and Transmission Operator shall have procedures for the communication of information concerning the Cyber
and Physical emergency alerts in accordance with the conditions described in “Attachment 1 Security Emergency Alerts.”
The Operating Personnel Communications Protocols Project 2007-02 was initiated to ensure that real time system
operators use standardized communication protocols during normal and emergency operations to improve situational
awareness and shorten response time. The SDT developed a new COM-003-1 Standard that has yet to be posted and is
dependent upon revising at least two other standards (CIP-001 and TOP Standard).
COM-003 contains requirements that specify:
1. Use of three-part communication;
2. English language;
3. Common time zone;
4. NATO alpha-numeric alphabet;
5. Mutually agreed line identifiers;
6. The use of pre-defined system condition terminology such as those contained in the RCWG Alert Level Guide
and EOP-002-2.
This request is based on recent NERC Standards Committee direction to our team to incorporate the Reliability
Coordinator Working Group’s (RCWG) Alert Level Guide into a Standard. The consensus of our team is that a TOP
Standard is the most appropriate location for the Transmission Emergency Alert language from the Guide as the energy
emergency alert language is currently described in EOP-002-2. The RCWG Guide proposes the use of pre-defined system
condition descriptions for use during emergencies for reliability related information. This guide was developed in response to
a Blackout Report recommendation. Our team placed the Transmission Emergency Alert language into a TOP standard.
Since the Sabotage Reporting SAR DT intends to modify CIP-001, we seek your consent to incorporate the cyber
and physical security alert language to comply with the wishes of the Standards Committee. We believe that the CIP-001
Standard is the most appropriate location for this language for the following reasons:
• The levels of emergency conditions related to the cyber and physical security of the electric system is directly
related to Critical Infrastructure Protection.
• The current version of CIP-001 already requires the timely reporting of actual and suspected security emergency
conditions and the use of pre-defined terminology supports the efficient sharing of such information.
The OPCP SDT includes the following text for the record. It is a proposed draft revision of CIP-001.
A. Introduction
1. Title: Security Incidents
2. Number: CIP-001-2
3. Purpose: To ensure the recognition, communication and response to cyber and physical security incidents suspected or
determined to be caused by sabotage.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
5. Effective Date: The standard is effective the first day of the first calendar quarter after applicable regulatory approvals (or
the standard otherwise becomes effective the first day of the first calendar quarter after NERC BOT adoption in those
jurisdictions where regulatory approval is not required).
B. Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall have procedures for the recognition of and for making their operating personnel aware of security threats on its
facilities and multi site security threats affecting larger portions of the Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall have procedures for the communication of information concerning the physical and cyber security status of their
facilities in accordance with the conditions described in Attachment 1-CIP-001-1.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall provide its operating personnel with security threat or incident response guidelines, including personnel to contact, for
reporting security threats and incidents.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall establish communications contacts, as applicable, with local Federal Bureau of Investigation (FBI) or Royal Canadian
Mounted Police (RCMP) officials and develop reporting procedures as appropriate to their circumstances.
C. Measures
M1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving
Entity shall have and provide upon request a procedure (either electronic or hard copy) as defined in Requirement 1
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving
Entity shall have and provide upon request the procedures or guidelines that will be used to confirm that it meets
Requirements 2 and 3.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving
Entity shall have and provide upon request evidence that could include, but is not limited to procedures, policies, a letter of
understanding, communication records, or other equivalent evidence that will be used to confirm that it has established
communications contacts with the applicable, local FBI or RCMP officials to communicate sabotage events (Requirement 4).
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority Regional Entity
1.2. Compliance Monitoring Period and Reset
One or more of the following methods will be used to verify compliance:
- Compliance Audits
- Self-Certifications
- Spot Checking
- Compliance Violation Investigations
- Self-Reporting
- Complaints
1.3. Data Retention
The Transmission Operator, Transmission Owner, Balancing Authority, Reliability Coordinator, Generator Operator and
Distribution Provider shall keep data or evidence to show compliance as identified below unless directed by its Compliance
Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation:
o The Transmission Operator, Transmission Owner, Balancing Authority, Reliability Coordinator, Generator
Operator and Distribution Provider shall retain its current, in force document and any documents in force since the last
compliance audit.
o If a Transmission Operator, Transmission Owner, Balancing Authority, Reliability Coordinator, Generator
Operator or Distribution Provider is found non-compliant, it shall keep information related to the non-compliance until found
compliant.
o The Compliance Enforcement Authority shall keep the last audit records and all requested and submitted
subsequent audit records.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance:
2.1. Level 1: There shall be a separate Level 1 non-compliance, for every one of the following requirements that is in
violation:
2.1.1 Does not have procedures for the recognition of and for making its operating personnel aware of sabotage
events (R1).
2.1.2 Does not have procedures or guidelines for the communication of information concerning sabotage events to
appropriate parties in the Interconnection (R2).
2.1.3 Has not established communications contacts, as specified in R4.
2.2. Level 2: Not applicable.
2.3. Level 3: Has not provided its operating personnel with sabotage response procedures or guidelines (R3).
2.4. Level 4: Not applicable.
E. Regional Differences None.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Amended
1 | April 4, 2007 | Regulatory approval — Effective Date | New
2 | March 2009 | Added SEA attachment and updates to Effective Date and compliance sections. | New
Attachment 1-CIP-001-2 Physical Security Emergency Alerts
General requirements
1. Initiation by Reliability Coordinator.
A Physical Security Emergency Alert may be initiated only by a Reliability Coordinator at:
a. The Reliability Coordinator’s own decision,
b. By request from a Transmission Operator,
c. By request from a Balancing Authority, or
d. By request from federal, state, or local Law Enforcement Officials.
2. Situations for initiating alert.
An Alert may be initiated for the following reasons:
a. A physical threat affecting a control center, grid or generator asset has been identified, or
b. A physical attack affecting a control center, grid or generator asset has occurred or is imminent.
3. Notification.
A Reliability Coordinator who initiates a Physical Security Emergency Alert shall notify all Transmission Operators and
Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify other Reliability Coordinators of the
situation via the Reliability Coordinator Information System (RCIS) using the “CIP” category. Additionally, conference calls
between Reliability Coordinators shall be held as necessary to communicate system conditions.
The Reliability Coordinator shall also notify all Transmission Operators and Balancing Authorities in its Reliability Area and
other Reliability Coordinators when the alert has changed levels or ended.
Physical Security Emergency Alert Levels
To ensure that all Reliability Coordinators clearly understand potential and actual Physical Security Emergency Alerts,
NERC has established three levels of Security Emergency Alerts. The Reliability Coordinators will use these terms when
explaining security alerts to each other. The Reliability Coordinator may declare whatever alert level is necessary, and
need not proceed through the alerts sequentially.
1. Alert 1 – “Control Center / Bulk Electric system asset threat identified” Circumstances: A credible threat of physical attack
on a Bulk Electric System asset has been communicated to the Reliability Coordinator. No physical attack has occurred at
this point. Determining the credibility of any threat is a subjective process, but the following factors should be considered:
a. The nature and specificity of the threat,
b. The timing of the threat,
c. Mode of threat communication, and
d. The criticality of the threatened asset.
During a Physical Security Emergency Alert Level 1, Reliability Coordinators,
Transmission Operators and Balancing Authorities shall have the following responsibilities:
i. Notification: The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall post
the declaration of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all
Transmission Operators and Balancing Authorities in its Reliability Area.
ii. Updating Status during the Physical Security Emergency Alert The declaring Entity shall update the Reliability
Coordinator of any changes in the situation until the Alert Level 1 is terminated. The Reliability Coordinator shall update the
RCIS as changes occur.
2. Alert 2 – “Verified Physical attack at a single site” Circumstances: A Reliability Coordinator, Transmission Operator, or
Balancing Authority has identified a physical attack upon a control center, generator asset, or other bulk electric system
asset. During a Physical Security Emergency Alert Level 2, Reliability Coordinators, Transmission Operators and Balancing
Authorities shall have the following responsibilities:
i. Notification: The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall post
the declaration of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all
Transmission Operators and Balancing Authorities in its Reliability Area.
ii. Updating Status during the Physical Security Emergency Alert The Declaring Entity shall update the Reliability
Coordinator of the situation a minimum of once per hour until the Alert Level 2 is terminated. The Reliability Coordinator
shall update the RCIS as changes occur.
3. Alert 3– “Verified Physical attack at multiple sites” Circumstances: Multiple attacks have been confirmed on control
centers, generator assets or other bulk electric system assets. A Reliability Coordinator shall declare Physical Security
Emergency Alert 3 whenever:
a. A Transmission Operator or Balancing Authority reports multiple physical attacks on bulk electric system assets,
b. Multiple Transmission Operators or Balancing authorities report one or more physical attacks on their bulk
electric system assets.
i. Notification: The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall post
the declaration of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all
Transmission Operators and Balancing Authorities in its Reliability Area.
ii. Updating Status during the Physical Security Emergency Alert The declaring Entity(ies) shall update the
Reliability Coordinator of the situation a minimum of once per hour until the Alert Level 3 is terminated. The Reliability
Coordinator shall update the RCIS as changes occur.
4. Alert 0 – “Termination of Alert Level” Circumstances: The threat which prompted the Physical Security Emergency Alert
Level has diminished or has been removed.
i. Notification The Reliability Coordinator responsible for initiating the Physical Security Emergency Alert shall
notify all other Reliability Coordinators via the RCIS, and it shall also notify all Transmission Operators and Balancing
Authorities in its Reliability Area that the Alert Level has been terminated.
Cyber Security Emergency Alerts
Cyber Assets – Those programmable electronic devices and communication
networks, including hardware, software, and data, associated with bulk electric system assets.
Cyber Security Incident - Any malicious act or suspicious event that compromises, or attempts to compromise, the
electronic or physical security perimeter of a critical cyber asset or disrupts or attempts to disrupt the operation of a critical
cyber asset.
Critical Cyber Asset – Those cyber assets essential to the reliable operation of critical assets.
Electronic Security Perimeter – The logical border surrounding the network or group of sub-networks to which the
critical cyber assets are connected, and for which access is controlled.
Physical Security Perimeter – The physical border surrounding computer rooms, telecommunications rooms,
operations centers and other locations in which critical cyber assets are housed and for which access is controlled.
General Requirements
1. Initiation - A Cyber Security Emergency Alert shall be initiated by:
a. The Reliability Coordinator’s analysis,
b. By request from any NERC functional Model entity that Com-003-0 is applicable to.
c. By request from federal, state, or local Law Enforcement Officials.
2. Situations for initiating alert. An Alert shall be initiated for the following reasons:
a. A cyber threat affecting a control center or bulk electric system asset has been identified, or
b. A cyber attack affecting a control center or bulk electric system has occurred or is imminent.
3. Notification.
An entity who initiates a Cyber Security Emergency Alert shall make notification as per the NERC Functional model or as
Regional / local instruction. The Reliability Coordinator shall notify FBI local office, Electricity Sector Information Sharing
Analysis Center (ESISAC) and Department of Homeland Security. The Reliability Coordinator shall also notify as necessary
other Reliability Coordinators of the situation via the Reliability Coordinator Information System (RCIS) using the “CIP”
category. The Reliability Coordinator shall notify all Transmission Operators and Balancing Authorities in its Reliability Area
and other Reliability Coordinators when the alert has changed levels or ended.
Cyber Security Emergency Alert Levels
To ensure that all applicable entities clearly understand potential and actual Cyber Security Emergency Alerts, three levels
of Security Emergency Alerts shall be used.
The Reliability Coordinators will use these terms when communicating security alerts to each other. When declaring the
applicable alert level it is important to note that the applicable level can be determined without sequentially proceeding
through levels.
As an example given circumstances an Alert Level 3 could be called without previously being in an Alert Level 1 or Level 2
state.
1. Alert 1 – “Verified Control Center / Bulk Electric System Cyber Asset threat identified or imminent”
What is “verified” - unknown or unauthorized access to a cyber device, unknown or unauthorized change to a cyber device (i.e., config file, O/S,
firmware change). ‘Verified’ could mean the elimination of a false positive in your security monitoring system. ‘Verified’ could
also be the differentiation between malicious and non-malicious (i.e., human error, not following policy, etc.) intent. What is a
“threat” - A threat can be perceived as any action or event that occurs where the monitoring authority was not previously
made aware that that action would occur. With flimsy change control or access controls, field staff or technical staff
performing troubleshooting or other maintenance may access or change devices without notifying the monitoring entity.
The monitoring entity would have to treat this as a threat and take appropriate action to either isolate that device from the
rest of the system, notify appropriate authority, dispatch a crew, etc.
Examples of threats - Over and above the examples above, another threat example could be a notification from DHS or
other security agency that they have reason to believe a hack, virus or other cyber terrorism activity could occur. Also,
noticing a distinct change in network traffic which could imply someone has intercepted your data and can manipulate
before sending it from the control room to the device being controlled or manipulating the data coming from the device
before a controller seeing it and forcing them to perform an incorrect control event in reaction to erroneous data.
Circumstances: A credible threat of Cyber attack on a Control Center or Bulk Electric System asset has been
communicated to the Reliability Coordinator. No cyber attack has occurred at this point. Determining the credibility of any
threat is a subjective process, but the following factors should be considered:
a. The nature and specificity of the threat,
b. The timing of the threat,
c. Mode of threat communication, and
d. The criticality of the threatened asset.
During a Cyber Security Emergency Alert Level 1, applicable entities shall
have the following responsibilities:
i. Notification An entity who initiates a Cyber Security Emergency Alert Level 1 shall make notification as per the
NERC Functional model or as Regional / local instruction. The Reliability Coordinator shall post the declaration of the alert
level along with the location of the affected facility on the RCIS under “CIP” and notify all Transmission Operators and
Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify as necessary the FBI local office,
Electricity Sector Information Sharing Analysis Center (ESISAC) and Department of Homeland Security.
ii. Updating Status during the Cyber Security Emergency Alert The declaring Entity shall update those applicable
entities of any changes in the situation until the Alert Level 1 is terminated. The Reliability Coordinator shall update the
RCIS as changes occur.
2. Alert 2 – “Verified Cyber attack on a Control Center or Bulk Electric System asset”
Circumstances: An applicable entity has identified a cyber attack upon a control center or bulk electric system asset. During
a Cyber Security Emergency Alert Level 2, applicable entities shall have the following responsibilities:
i. Notification An entity who initiates a Cyber Security Emergency Alert Level 2 shall make notification as per the
NERC Functional model or as Regional / local instruction. The Reliability Coordinator responsible shall post the declaration
of the alert level along with the location of the affected facility on the RCIS under “CIP” and notify all Transmission
Operators and Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify the FBI local office,
Electricity Sector Information Sharing Analysis Center (ESISAC) and Department of Homeland Security.
ii. Updating Status during the Cyber Security Emergency Alert The declaring Entity shall provide updates of the
situation a minimum of once per hour until the Alert Level 2 is terminated. The Reliability Coordinator shall update the RCIS
as changes occur.
3. Alert 3 – “Verified Cyber attack at one or more Control Center or Bulk Electric System cyber asset”
Circumstances: An applicable entity has identified a cyber attack upon a control center or bulk electric system asset and
shall declare a Cyber Security Emergency Alert 3 whenever:
a. A Transmission Operator or Balancing Authority reports one or more cyber attacks on bulk electric system that
render an asset(s) unavailable.
i. Notification An entity who initiates a Cyber Security Emergency Alert Level 3 shall make notification as per the
NERC Functional model or as Regional / local instruction. The Reliability Coordinator shall post the declaration of the alert
level along with the location of the affected facility on the RCIS under “CIP” and notify all Transmission Operators and
Balancing Authorities in its Reliability Area. The Reliability Coordinator shall also notify the FBI local office, Electricity Sector
Information Sharing Analysis Center (ESISAC) and Department of Homeland Security.
ii. Updating Status during the Cyber Security Emergency Alert The declaring Entity(ies) shall provide an update of
the situation a minimum of once per hour until the Alert Level 3 is terminated. The Reliability Coordinator shall update the
RCIS as changes occur.
4. Alert 0 – “Termination of Alert Level” Circumstances: The threat which prompted the Cyber Security Emergency Alert
Level has diminished or has been removed.
i. Notification An entity who initiates a Cyber Security Emergency Alert shall
make notification as per the NERC Functional model or as Regional / local instruction when situation has diminished or
returned to normal. The Reliability Coordinator shall notify all other Reliability Coordinators via the RCIS, and it shall also
notify all Transmission Operators and Balancing Authorities in its Reliability Area that the Alert Level has been terminated.
Response: The DSR SAR DT thanks you for your comment. The standards in this Project 2009-01 SAR are designed to specify reporting
requirements for disturbance and sabotage events. The DSR SAR DT believes that the suggested additions go beyond the intended scope of the
revisions to the standards, and do not feel that communications protocols belong in these reporting standards. The proposed revisions and Alert
Levels are real-time requirements, and the team feels that these would be more appropriately addressed in an IRO or COM standard.
Northeast Power
Coordinating
Council
No
The SAR needs to be more specific in defining its objectives.
CIP-001 Requirement R1 currently states:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall have procedures for the recognition of and for making their operating personnel aware of sabotage events on its
facilities and multi-site sabotage affecting larger portions of the Interconnection.
The SDT needs to include the following objectives:
1. Develop clear definitions for the terms “operating personnel” and “sabotage events.” The definition of “operating
personnel,” should be clarified and limited to staff at BES facilities. Operating personnel should report only those events
which meet a clear, recognizable threshold as reportable potential sabotage events. There should be a consistent
continent-wide list of examples or typical reportable and non-reportable events to help guide operating personnel. The term
“sabotage event” needs to be defined. Clarification is required regarding when the determination of a sabotage event is
made, e.g., upon first observation (requiring operating personnel be educated in discerning sabotage events), or upon later
investigation by trained security personnel and law enforcement individuals. The terms potential or suspected sabotage
event for reporting purposes should be clarified or defined.
2. Define the obligations of Registered Entity operating personnel - who are required to be aware of such “sabotage
events,” e.g., who, what, where, when, why and how, and what they are to do in response to this awareness. The SDT
should clarify the use of the term “aware” in the standard. “Aware” can be interpreted in accordance with its largely passive,
dictionary-based meaning, where being “aware” simply means knowing about something, such as a sabotage event.
Alternatively, the Reliability Standard meaning of “aware” could refer to more active wording, involving more than mere
awareness, e.g., “alert and quick to respond,” pointing to and requiring a specific affirmative response, i.e., reporting to the
appropriate systems, governmental agencies, and regulatory bodies.
EOP-004 - The SDT needs to work on the following areas.
1. NERC reporting needs to be clarified. For example, Attachment 1 paragraph 6c states: Introduction “The entity on whose
system a reportable disturbance occurs shall notify NERC ... 6. Any action taken by a Generator Operator, Transmission
Operator, Balancing Authority, or Load-Serving Entity that results in: c. Failure, degradation, or misoperation of system
protection, special protection schemes, remedial action schemes, or other operating systems that do not require operator
intervention, which did result in, or could have resulted in, a system disturbance - The sense of Attachment 1 is internally
inconsistent between the introduction (“occurs”) and the required actions in 6c (could have resulted in a system
disturbance). The initial intent appears to be only to report actual system disturbances. Yet, paragraph 6c adds the phrase
“or could have resulted in” a potential system disturbance. This inconsistency should be clarified.
Response: The DSR SAR DT thanks you for your comment.
CIP-001: The inclusion of specific definitions in the SAR as you suggest (operating personnel, sabotage events, obligations) are too prescriptive and
could prevent better definitions from being developed during the Standards Development stage of the project. The team will pass your comments
along to the standard drafting team for its consideration.
EOP-004: Your comment addresses specific revisions to the standard. The team will pass your comments along to the standard drafting team for its
consideration.
Kansas City Power
& Light
No
Agree with the scope of the SAR except for the applicable entities. See response to question #4.
Response: The DSR SAR DT thanks you for your comment. Please see response to Q4.
MRO NERC
Standards Review
Subcommittee
No
The MRO NSRS would like to keep the references to the DOE reporting form.
Response: The DSR SAR DT thanks you for your comment. The DSR SAR DT understands your comment to indicate that you would like to see a
“one stop” reporting form for disturbances and sabotage events. The DSR SAR DT agrees with you and will pass this comment along to the standard
drafting team for its consideration in developing the standard(s).
Lands Energy
Consulting
No
I would like to see the SAR expanded to cover the issues I mentioned in my prior comment. Otherwise, the scope of the
SAR looks fine to me.
Response: The DSR SAR DT thanks you for your comment. Please see response to Q1 on other issues.
Bonneville Power
Administration
No
Leave as is, all requirements for reporting are now covered. A common definition of sabotage is already widely available.
Response: The DSR SAR DT thanks you for your comment. Most stakeholders desire more clarity around the definition of sabotage as well as
examples of what is and is not sabotage as opposed to vandalism.
Cowlitz County
PUD
No
Added to the scope:
For EOP-004 add a provision for a reporting flow rather than everything going to the RE and NERC. That is something
going like the DP and TOP reports to the BA, the BA to the RE, and the RE to NERC. This would allow for multiple related
reports to be combined into a single coherent report as the reporting goes up the chain.
For CIP-001 consider reporting flow as above with local law enforcement notification. Let an upper entity in the reporting
chain decide when to contact Federal Agencies such as the BA or the RC.
Response: The DSR SAR DT thanks you for your comment. The DSR SAR DT feels that your comments are “how” comments that should be
addressed in standard drafting stage. The team will pass this comment along to the standard drafting team for its consideration.
Reliant Energy
No
I think Generator operators should be excluded except to provide requested information from the System Operator or
Reliability coordinator.
Response: The DSR SAR DT thanks you for your comment. Other commenters have questioned the ability of Generator Operators to have a wide
area view and to be able to analyze disturbances on the system. The team agrees that generators may not have a wide area view and the capability to
analyze system events. The final wording of the requirements (i.e. reporting vs. data provision) developed by the Standard Drafting Team will
determine the applicability to GOPs. The team will pass your comment on to the Standard Drafting Team for its consideration.
ERCOT ISO
No
The scope should be modified to provide for a different treatment of reporting requirements that are administrative in
nature, or that are after-the-fact (thus cannot impact reliability unless analysis and follow-up is not performed; even then,
the impact would be at some future time). Reporting requirements which are of the nature to assist in identification of
system concerns or which serve to prevent or mitigate on-going system problems (including, but not limited to, actual or
attempted sabotage activity) should remain in standards, but should be separate and apart from the administrative
reporting.
Response: The DSR SAR DT thanks you for your comment. The team concurs with the concepts on reporting as you suggest, however the team
does not feel that this should be addressed in the SAR. The team suggests that this is more appropriately addressed in the standard drafting
process, and the team will pass your comment along to the standard drafting team for its consideration in drafting the standard.
MidAmerican
Energy
No
See the responses to questions 1 and 5.
Response: The DSR SAR DT thanks you for your comment. Please see responses to Q1 and Q5.
We Energies
No
Consider including the sabotage issues in IRO-014-1 R 1.1.1 footnote 1 and TOP-005-1 Attachment 1, 2.9.
Response: The DSR SAR DT thanks you for your comment. The team has added references to these two standards in the “Related Standards”
section for the SAR.
NextEra Energy
Resources, LLC
No
The scope of the SAR should not include Generator Operators.
Response: The DSR SAR DT thanks you for your comment. Other commenters have questioned the ability of Generator Operators to have a wide
area view and to be able to analyze disturbances on the system. The team agrees that generators may not have a wide area view and the capability to
analyze system events. The final wording of the requirements (i.e. reporting vs. data provision) developed by the Standard Drafting Team will
determine the applicability to GOPs. The team will pass your comment on to the Standards Drafting Team for its consideration.
Progress Energy
No
No. If this SAR moves forward other standards may need to be considered. For example, in CIP-008, incident reporting for
cyber incidents leads to filing of the OE-417 form.
Response: The DSR SAR DT thanks you for your comment. The SAR states “Specific references to the DOE form need to be eliminated.” This will
remove the linkage that you identify between CIP-001 and CIP-008. There is also a directive from FERC Order 693 in the SAR that states:
Consider FirstEnergy’s suggestions to differentiate between cyber and physical security sabotage and develop a threshold of materiality.
This allows the standard drafting team to delineate physical and cyber assets. The DSR SAR DT also notes that CIP-008 might be a good framework
for drafting the standard requirements pertaining to sabotage and disturbance reporting of physical assets.
Ameren
No
There seems to be an open slate including the following language in the scope. The development may include other
improvements to the standards deemed appropriate by the drafting team, with the consensus of stakeholders, consistent
with establishing high quality, enforceable and technically sufficient bulk power system reliability standards (see tables for
each standard at the end of this SAR for more detailed information). The unnamed improvements should be limited to
those requirements that relate only to Disturbance and Sabotage NOT a general wish list (or witch hunt).
Response: The DSR SAR DT thanks you for your comment. The passage that you mention is the intent of each SAR and is a stock statement that is
included in almost every SAR. The SAR is limited to the standards listed in the SAR which is approved by the NERC SC to move to standards
development.
Consolidated
Edison Co. of New
York, Inc.
No
GENERAL CECONY and ORU support the general objectives of the SAR to merge existing standards CIP-001-1 Sabotage
Reporting and EOP-004-1 Disturbance Reporting to improve clarity and remove redundancy.
However, the SAR needs to be more specific in defining its objectives.
CIP-001 Requirement R1 currently states:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall have procedures for the recognition of and for making their operating personnel aware of sabotage events on its
facilities and multi-site sabotage affecting larger portions of the Interconnection.
The SDT needs to include the following objectives:
1. Develop clear definitions for the terms operating personnel and sabotage events. The definition of operating personnel,
should be clarified and limited to staff at BES facilities. Operating personnel should report only those events which meet a
clear, recognizable threshold as reportable potential sabotage events. There should be a consistent continent-wide list of
examples or typical reportable and non-reportable events to help guide operating personnel. The term sabotage event
needs to be defined. Clarification is required regarding when the determination of a sabotage event is made, e.g., upon first
observation (requiring operating personnel be educated in discerning sabotage events), or upon later investigation by
trained security personnel and law enforcement individuals. The terms potential or suspected sabotage event for reporting
purposes should be clarified or defined.
2. Define the obligations of Registered Entity operating personnel - who are required to be aware of such sabotage events,
e.g., who, what, where, when, why and how, and what they are to do in response to this awareness. The SDT should clarify
the use of the term aware in the standard. Aware can be interpreted in accordance with its largely passive, dictionary-
based meaning, where being aware simply means knowing about something, such as a sabotage event. Alternatively, the
Reliability Standard meaning of aware could refer to more active wording, involving more than mere awareness, e.g., alert
and quick to respond, pointing to and requiring a specific affirmative response, i.e., reporting to the appropriate systems,
governmental agencies, and regulatory bodies.
EOP-004 - The SDT needs to work on the following areas.
1. NERC reporting needs to be clarified. For example, Attachment 1 paragraph 6c states:
Introduction The entity on whose system a reportable disturbance occurs shall notify NERC ... 6. Any action taken by a
Generator Operator, Transmission Operator, Balancing Authority, or Load-Serving Entity that results in: c. Failure,
degradation, or misoperation of system protection, special protection schemes, remedial action schemes, or other
operating systems that do not require operator intervention, which did result in, or could have resulted in, a system
disturbance.
The sense of Attachment 1 is internally inconsistent between the introduction (occurs) and the required actions in 6c (could
have resulted in a system disturbance). The initial intent appears to be only to report actual system disturbances. Yet,
paragraph 6c adds the phrase or could have resulted in a potential system disturbance. This inconsistency should be
clarified.
Response: The DSR SAR DT thanks you for your comment.
CIP-001: The inclusion of specific definitions in the SAR as you suggest (operating personnel, sabotage events, obligations) are too prescriptive and
could prevent better definitions from being developed during the standard drafting stage of the project. The team will pass your comments along to
the standard drafting team for its consideration.
EOP-004: Your comment addresses specific revisions to the standard. The team will pass your comments along to the standard drafting team for its
consideration.
Georgia System
Operations Corp.
No
The scope of the SAR should be to move all requirements to report to NERC or Regional Entities out of the Requirements
section of all Reliability Standards to elsewhere. This does not include reporting, communicating, or coordinating between
reliability entities. The NERC/Region reporting requirements could be consolidated in another document and referenced in
the Supporting References section of the Reliability Standards. The deadlines for reporting should be changed to realistic
timeframes that do not interfere with operating the BES or responding to incidents yet still allow NERC and the Regions to
accomplish their missions.
Response: The DSR SAR DT thanks you for your comment. The team does not feel that this should be addressed explicitly in the SAR, but suggests
that this is more appropriately addressed in the standard drafting stage for full industry vetting of the concepts. The team will pass your comment
along to the standard drafting team for its consideration in developing the standard.
AEP
No
Sabotage is a term of intent that is often determined after the fact by the registered entity and/or law enforcement officials.
In fact, it is often difficult to determine in real-time the intent of a suspicious event. We would suggest that suspicious
events become reportable at the point that the event is determined to have had sabotage intent. The entities should have a
methodology to collect evidence, to have the evidence analyzed, and to report those events that are determined to have
had the intent of sabotage.
Response: The DSR SAR DT thanks you for your comment. The team concurs that it is difficult to determine sabotage in real-time. The team does
not feel that this should be addressed explicitly in the SAR and suggests that this is more appropriately addressed in the standard drafting stage for
full industry vetting of the concepts. The team will pass your comment along to the standard drafting team for its consideration in developing the
standard.
Duke Energy
No
While we agree with the need for clarity in sabotage and disturbance reporting, we believe that the Standards Drafting
Team should carefully consider whether there is a reliability-related need for each requirement. Some disturbance
reporting requirements are triggered not just to assist in real-time reliability but also to identify lessons-learned
opportunities. If disturbance and sabotage reporting continue to be reliability standards, we believe that all linkages to
lessons-learned/improvements need to be stripped out. We have other forums to identify lessons-learned opportunities
and to follow-up on those opportunities. Also, requirements to report possible non-compliances should be eliminated. We
strongly support voluntary self-reporting, but not mandatory self-reporting.
Response: The DSR SAR DT thanks you for your comment. The team concurs that each requirement should be evaluated for its reliability need, and
the team will pass your comment along to the standard drafting team for its consideration in the drafting stage of the standard.
FirstEnergy
Yes
We agree with the scope but would also like to see the following considered:
1. References to the DOE reporting process in EOP-004 need to be revised. They currently refer to the old EIA form.
2. Besides "sabotage", it may be helpful to clearly define "vandalism". It is vaguely written in the standards. Also, the
process of "public appeals" for the DOE reportable requirements needs to be more clearly defined.
3. Consolidate documents covering reporting requirements. There are currently several documents that require reporting
(EOP-004, CIP-001, DOE oe-417, and NERC's Security Guideline for the Electricity Sector: Threat and Incident Reporting).
NERC also has the "Bulk Power System Disturbance Classification Scale" that does not completely align with all the
reporting requirements. Therefore we recommend keeping this as simple as possible by combining all the reporting
requirements into one standard. It would be beneficial to not require operators to have to go to 4 different documents to
determine what to report on.
Response: The DSR SAR DT thanks you for your comment.
The Brief Description of the SAR states: Specific references to the DOE form need to be eliminated.
The team will pass your comment along to the standard drafting team for its consideration.
The team concurs that this should be considered in drafting the standards. The team will pass your comment along to the standard drafting
team for its consideration.
Exelon
Yes
Consolidation of redundant requirements and clarifications of difficult to follow / interpret standards should be a high priority
at NERC.
Response: The DSR SAR DT thanks you for your comment. One of the FERC directives for CIP-001 is: Explore ways to reduce redundant reporting,
including central coordination of sabotage reports and a uniform reporting format.
Electric Market
Policy
Yes
SERC OC
Standards Review
Group
Yes
PSEG Enterprise
Group Inc
Companies
Yes
IRC Standards
Review Committee
Yes
Pepco Holdings,
Inc. - Affiliates
Yes
Calpine
Corporation
Yes
Covanta
Yes
Colmac Clarion
Yes
United Illuminating
Yes
Texas Regional
Entity
Yes
Edward C. Stein
Yes
WECC
Yes
Luminant Power
Yes
ReliabilityFirst
Corporation
Yes
Brazos Electric
Power
Cooperative, Inc.
Yes
PacifiCorp
Yes
Oncor Electric
Delivery
Yes
Illinois Municipal
Electric Agency
Yes
Manitoba Hydro
Yes
Consumers Energy
Company
Yes
3. Are you aware of any associated business practices that we should consider with this SAR? If yes, please
explain in the comment area.
Summary Consideration: Stakeholders did not identify any associated business practices for consideration under the SAR.
One stakeholder identified a related standard that references multi-site sabotage. The team has included a reference to TOP-005, section 2.9 (Appendix 1) in the SAR under Related Standards. Two stakeholders suggested that Business Practices should
not be considered in a standard. The SAR DT notes that standard development projects must not invalidate business practices
that are already in place. This question is required to be asked per the Standard Drafting Team Guidelines (page 8) and aids in
coordination with North American Energy Standards Board. One stakeholder suggested a “one-stop-shopping” solution. The
SAR DT agrees with this approach and will forward this comment to the Standard Drafting Team.
Organization
Yes or No
MRO NERC Standards
Review Subcommittee
Yes
Luminant Power
Yes
Question 3 Comment
The SAR drafting team should include in the SAR scope a review of the NRC sabotage and event reporting
requirements to ensure there are no overlapping or conflicting requirements between NERC, FERC, and the NRC.
The SAR scope should include a review of the CIP Cyber Security Standards and coordination with the CIP SDT to
ensure that cyber sabotage reporting definitions are in concert, and ensure that cyber sabotage reporting requirements
are not duplicated in multiple standards.
Response: The DSR SAR DT thanks you for your comment. The team notes that your comments relate directly to potential revisions of the standard
itself. Part of this SAR is to eliminate redundancies as well. The team will pass your comments along to the Standards Drafting Team for its
consideration. This project is designed to address physical asset reporting, not cyber assets. Therefore, cyber assets will not be included in this
SAR.
MidAmerican Energy
Yes
Attachment TOP-005, section 2.9 speaks of “Multi-site sabotage” with no definition. The ES-ISAC 2008 advisory is an
associated standard or practice on sabotage. All references to sabotage should be eliminated or retired except for
CIP-001.
Response: The DSR SAR DT thanks you for your comment. The team has included a reference to TOP-005, section 2.9 (Appendix 1) in the SAR
under Related Standards. Project 2009-01 is designed to address physical asset reporting, not cyber asset sabotage and disturbance reporting. The
standard drafting team will remove redundancies per the SAR.
Illinois Municipal
Electric Agency
Yes
A one-stop reporting tool/site would facilitate efficient reporting and compliance; e.g., further development of the ESISAC/CIPIS to include all reportable categories and automatic notification of required parties. A single report form
would be best.
Response: The DSR SAR DT thanks you for your comment. The team agrees with your suggestion and will pass this along to the Standard Drafting
Team for its consideration in developing standards.
AEP
Yes
The current reporting process necessitates multiple reports be sent to multiple parties, which is inefficient and may,
inadvertently, result in alignment issues between the separate reports. We would recommend that a single report that
combines NERC (CIPIS) and NERC ESISAC information be provided to NERC (CIPIS) that is systematically
(programmatically) forwarded to all necessary entities. Further, updates to incidents would also go through NERC with
the same electronic processing. Currently, we are not aware of a formal method to report incidents to the FBI, which
should be also included in the distribution. The current reporting mechanism to the FBI JTTF is by telephone and the
NERC platform described would provide more consistent reporting.
Response: The DSR SAR DT thanks you for your comment. The team agrees with your suggestion and will pass this along to the Standard Drafting
Team for its consideration in developing standards. This project is designed to address physical asset reporting, not cyber assets.
Progress Energy
Yes
Yes. If this SAR moves forward other practices such as those required by CIP-008 (cyber incident reporting via the OE-417 form) may need to be considered.
Response: The DSR SAR DT thanks you for your comment. The SAR states “Specific references to the DOE form need to be eliminated.” This will
remove the linkage that you identify between CIP-001 and CIP-008. There is also a directive from FERC Order 693 in the SAR that states:
Consider FirstEnergy’s suggestions to differentiate between cyber and physical security sabotage and develop a threshold of materiality.
This allows the standard drafting team to delineate physical and cyber assets. The DSR SAR DT also notes that the general layout and sequencing of
requirements in CIP-008 might be a good framework for drafting the standard requirements pertaining to sabotage and disturbance reporting of
physical assets.
Exelon
No
We are not sure what this question means. Whose Associated Business practices, NERC, Applicable Entities in the
Standard, our business practices?
Response: The DSR SAR DT thanks you for your comment. “Business practices” refers to any business practice of any stakeholder (e.g. North
American Energy Standards Board business practices).
SERC OC Standards
Review Group
No
Business practices should not be considered in a standard.
Response: The DSR SAR DT thanks you for your comment. Standard development projects must not invalidate business practices that are already
in place. This question is required to be asked per the Standard Drafting Team Guidelines (page 8) and aids in coordination with North American
Energy Standards Board.
FirstEnergy
No
Although we are not aware of any NAESB business practices that need to be reviewed in conjunction with these
proposed revisions, the SDT should consider reviewing current RTO procedures and practices that may require the
need for variances in the revised standards.
Response: The DSR SAR DT thanks you for your comment. The Standard Drafting Team will review any procedures or practices that are identified
for potential variances.
Georgia System
Operations Corp.
No
Business practices should not be part of a Reliability Standard. Neither should NERC/Region reporting requirements
(except for reporting of threats to physical or cyber security). NERC may need to take some action in the case of
threats but does not and cannot take any operational action for most of the reporting requirements that are presently in
the Requirements section of the Reliability Standards.
Response: The DSR SAR DT thanks you for your comment. Standard development projects must not invalidate business practices that are already
in place. This question is required to be asked per the Standard Drafting Team Guidelines (page 8) and aids in coordination with North American
Energy Standards Board. The team disagrees with your assertion about reporting. Instances of sabotage are often not identified until after the fact,
and these should be reported to alert other entities of the sabotage and for “lessons learned”.
PSEG Enterprise
Group Inc Companies
No
Northeast Power
Coordinating Council
No
Kansas City Power &
Light
No
IRC Standards Review
Committee
No
Pepco Holdings, Inc. Affiliates
No
Electric Market Policy
No
Bonneville Power
Administration
No
Lands Energy
Consulting
No
Covanta
No
Colmac Clarion
No
Cowlitz County PUD
No
United Illuminating
No
Reliant Energy
No
Texas Regional Entity
No
Edward C. Stein
No
PacifiCorp
No
WECC
No
ERCOT ISO
No
ReliabilityFirst
Corporation
No
Brazos Electric Power
Cooperative, Inc.
No
Oncor Electric Delivery
No
Consolidated Edison
Co. of New York, Inc.
No
Manitoba Hydro
No
Duke Energy
No
We Energies
No
Consumers Energy
Company
No
NextEra Energy
Resources, LLC
No
Ameren
No
4. CIP-001-1 applies to the Reliability Coordinator, Transmission Operator, Balancing Authority, Generator
Operator, and the Load-serving Entity. EOP-004-1 applies to the same entities, plus the Regional Reliability
Organization. Do you agree with the applicability of the existing CIP-001-1 and the existing EOP-004-1? If no,
please identify what you believe should be modified.
Summary Consideration: Many stakeholders had comments regarding applicability of the two standards. The
three main concerns were:
1. Regional Reliability Organization applicability: Many commenters do not feel the RRO should be in the standards. The DSR
SAR DT concurs and notes that the SAR states that “EOP-004 has some ‘fill-in-the-blank’ components to eliminate”. This will
remove the RRO from applicability.
2. Load-Serving Entity/Distribution Provider: Many stakeholders do not feel that the standards should be applicable to LSEs,
but should apply to Distribution Providers. NERC has recognized, through its Compliance Registry, that there are asset
owning LSEs and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider
based on the Functional Model v4. The team added DP to the applicability of the standard as the Standard Drafting team
may have a need to include them in the standard(s). The applicability of LSE or Distribution Provider will ultimately be
determined by the Standard Drafting Team as it develops the requirements through the Standard Development Process.
3. Transmission Owner/Generator Owner: Many stakeholders have indicated a need to include the TO as an applicable entity.
A couple of those would also include the GO. The SAR DT discussed the addition of both the TO and GO. The team has a
concern that there will be duplication of requirements between the TO/TOP and GO/GOP if the TO and GO are added to the
SAR. That being said, the team added the TO and GO to the applicability of the SAR so that the Standard Drafting team
may consider these entities for applicability. The applicability of requirements will ultimately be determined by the Standard
Drafting Team as it develops the requirements through the Standard Development Process.
Organization
Yes or No
SERC OC Standards
Review Group
No
Question 4 Comment
The EOP-004-1 standard should not apply to the RRO.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
Kansas City Power &
Light
No
Do not agree Load Serving Entities need to continue to be included for sabotage. According to the NERC Functional Model,
an LSE provides for estimating customer load and provides for the acquisition of transmission and energy to meet
customer load demand. An LSE has no real impact on maintaining the reliability of electric network short of their planning
function. Unfortunately, an LSE needs to be included for disturbance reporting to the DOE under certain conditions for
loss of customer load. This may be a reason to maintain a separation of CIP-001 and EOP-004 so as not to unnecessarily
include an LSE when it is not needed.
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team added DP to the applicability of the standard as the Standard Drafting team may have a need to include them in the standard(s). The applicability
of LSE or Distribution Provider will ultimately be determined by the Standard Drafting Team as it develops the requirements through the standard
drafting stage of the process. The team will pass your comment along to the Standard Drafting Team for its consideration.
IRC Standards Review
Committee
No
We agree with the applicability of CIP-001-1 but question the need to include the RRO in EOP-004-1. Requirement R1 of
EOP-004-1 can be turned into an industry developed and approved procedural requirement with details included in an
appendix; whereas R5 can be changed to a requirement for the responsible entities to act on recommendations and to
self-report compliance. Tracking and reviewing status of recommendation do not need to be performed by the RRO, or any
entity for that matter, if a self-reporting mechanism is developed.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
Pepco Holdings, Inc. Affiliates
No
As specified in Order 693, Regional Reliability Organizations are not to be assigned applicability. The revised standard(s)
should contain the reporting form either directly or by reference and the RRO should be removed. The other EOP-004
requirements for RROs are now considered normal monitoring activities of the Regional Entities.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
FirstEnergy
No
The Regional Reliability Organization should be removed from the applicability of EOP-004-1. Any report they receive
would be from the other entities listed. For consistency, the entities should report to the appropriate law enforcement
agency. A report to the Reliability Entity should also be made for that entity's information only.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
Electric Market Policy
No
Applicability should not apply to LSE unless they have physical assets. If they do not have such assets, they are unable to
determine how many customers are out, how much load was lost or the duration of an outage. We continue to question
the need for the LSE entity in reliability standards. End use customer load is either connected to transmission or
distribution facilities. So, the applicable planner has to plan for that load when designing its facilities or the load will not
have reliable service. To the extent that energy and capacity for that load is supplied by an entity other than the TO or DP,
the TO or DP should have interconnection requirements that compel the supplier to provide any and all data necessary to
meet the requirements of reliability standards.
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team has added DP to the applicability of the standard as the Standard Drafting team may have a need to include them in the standard(s). The
applicability of LSE or Distribution Provider will ultimately be determined by the Standard Drafting Team as it develops the requirements in the standard
drafting stage of the process. The team will pass your comment along to the Standard Drafting Team for its consideration.
MRO NERC Standards
Review Subcommittee
No
As FERC has directed, the RRO should be removed since they are not owners or operators of the BES.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
Lands Energy
Consulting
No
CIP-001-1 - Yes. In many cases, the staff of an LSE embedded in another entity's BA/TOP area is more likely to discover
an act of sabotage directed toward a BA/TOP-owned facility that could affect the BES than the asset owner. This is
because the LSE likely has more operating staff in the area. I have included a requirement in my clients' Sabotage
Identification and Reporting Procedures that the client treat acts of sabotage to a third party's system discovered by client
employees as though the act was directed toward client facilities. EOP-004-1 - As mentioned before, I would eliminate the
LSE from the applicability list and leave the responsibility for disturbance reporting and response to the TOP/BA.
However, I would retain a responsibility for the LSEs to cooperate (when requested) with any disturbance investigation.
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team has added DP to the applicability of the standard as the Standard Drafting team may have a need to include them in the standard(s). The
applicability of LSE or Distribution Provider will ultimately be determined by the Standard Drafting Team as it develops the requirements in the standard
drafting stage of the process. The team will pass your comment along to the Standard Drafting Team for its consideration.
Calpine Corporation
No
The reporting requirements of EOP-004 are needed for the RC, BA, LSE and the GOP that operates or controls
generation in a system as defined by NERC. (System - A combination of generation, transmission, and distribution
components). A disturbance is described as an unplanned event that produces an abnormal system condition, any
perturbation to the electric system, and the unexpected change in ACE that is caused by the sudden failure of generation
or interruption of load. The GOP operating/controlling generation within a system has the ability to analyze system
conditions to determine if reporting is necessary. A NERC registered GOP that is a merchant generator within another
company’s system does not have the ability for a wide area view and cannot analyze system conditions beyond the
interconnection point of the facility. Moreover, in most cases the reporting requirements outlined in the Interconnection
Reliability Operating Limits and Preliminary Disturbance Report do not apply to the merchant generator that is not a
generation only BA. The applicability of the standard does encompass the true merchant generation entities required to
register as GOP. Similarly, the OE-417 table 1 reporting requirements generally do not apply to a true merchant
generating entity that is required to register as a GOP.
Response: The DSR SAR DT thanks you for your comment. The team agrees that generators may not have a wide area view and the capability to
analyze events. The final wording of the requirements developed by the Standard Drafting Team will determine the applicability. The team will pass
your comment on to the Standards Drafting Team for its consideration. The SAR calls for the removal of references to the DOE form OE-417.
Cowlitz County PUD
No
Replace LSE with DP, and the Regional Reliability Organization with the Regional Entity.
Response: The DSR SAR DT thanks you for your comment. The team has added DP to the applicability of the SAR. The SAR calls for removing the fill-in-the-blank standard elements which will remove the RRO.
United Illuminating
No
Add Distribution Provider
Response: The DSR SAR DT thanks you for your comment. The team has added DP to the applicability of the SAR.
Reliant Energy
No
EOP-004-1 should exclude the generator operator from disturbance reporting except providing the system operator or
reliability coordinator with appropriate unit operation information upon request. Acts of sabotage should be identified
clearly and reported to the indicated authorities.
Response: The DSR SAR DT thanks you for your comment. Other commenters have questioned the ability of Generator Operators to have a wide area
view and to be able to analyze disturbances on the system. The team agrees that generators may not have a wide area view and the capability to
analyze system events. The final wording of the requirements (i.e. reporting vs. data provision) developed by the Standard Drafting Team will determine
the applicability to GOPs. The team will pass your comment on to the Standards Drafting Team for its consideration.
Texas Regional Entity
No
Add GO and TO to the list of applicability. The intent of CIP-001-1 when it was first written was to have the proper and
most likely entities associated directly with operations to be the ones to begin the reporting process in the case of
sabotage on the system. In the ERCOT Region and other regions in the US, the GOP may not be physically located at the
site. The GOP is often removed from the minute-by-minute responsibilities of plant operations and, therefore, may be less
able to react to physical sabotage at the location/plant/facility in a timely manner. The concern is that, in the case of an
actual sabotage event, the failure to report to the appropriate authorities in a timely manner may jeopardize the reliability of
the BPS. Therefore, the Generator Owner (GO) should be added to the list of applicability for CIP-001-1, because it is the
GO that is more likely to be on location at the generation site and thus aware of sabotage when it first occurs. This would
disallow for any possible communication gap and put responsibility on all of the appropriate entities to report such an
event. Additionally, and for the same reasons as adding the GO, the Transmission Owner (TO) should also be added to
the list of applicability for reporting sabotage on its facilities.
Response: The DSR SAR DT thanks you for your comment. The SAR DT discussed the addition of the TO and GO. The team was concerned that there
may be duplication of requirements between the TO/TOP and GO/GOP if the TO and GO are added to the SAR. That being said, the team added the TO
and GO to the applicability of the SAR so that the Standard Drafting team may consider these entities for applicability. The applicability of requirements
will ultimately be determined by the Standard Drafting Team as it develops the requirements through the standard drafting Process. The team will pass
your comment along to the Standard Drafting Team for its consideration concerning applicability.
NextEra Energy
Resources, LLC
No
The scope of the proposed SAR should not include the Generator Operator.
Response: The DSR SAR DT thanks you for your comment. Other commenters have questioned the ability of Generator Operators to have a wide area
view and to be able to analyze disturbances on the system. The team agrees that generators may not have a wide area view and the capability to
analyze system events. The final wording of the requirements (i.e. reporting vs. data provision) developed by the Standard Drafting Team will determine
the applicability to GOPs. The team will pass your comment on to the Standards Drafting Team for its consideration.
Exelon
No
CIP-001, remove LSE's from the standard for the reasons identified in the FERC LSE order. Add TO and DP. EOP-004,
remove LSE's from the standard for the reasons identified in the FERC LSE order. Remove RRO's, they are not a user,
owner, operator of the BES. Add DP or TO. Consider conditional applicability as in the UFLS standards, " the TO or DP
who performs the functions specified in the standard..."
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team has added DP to the applicability of the SAR. The applicability of LSE or Distribution Provider will ultimately be determined by the Standard
Drafting Team as it develops the requirements in the standard drafting stage of the process. The SAR DT discussed the addition of the TO. The team is
concerned that there may be duplication of requirements between the TO/TOP if the TO is added to the SAR. That being said, the team added the TO
and GO to the applicability of the SAR so that the Standard Drafting team may consider these entities for applicability. The applicability of requirements
will ultimately be determined by the Standard Drafting Team as it develops the requirements through the standard drafting Process. The SAR calls for
elimination of fill in the blanks elements, which will remove the RRO from the standard. The team will pass your comment along to the Standard Drafting
Team for its consideration concerning conditional applicability.
ERCOT ISO
No
The Regional Reliability Organization is not a registered Functional Entity in the NERC registry. The applicability must be
revised to more appropriately assign the requirements to registered functional entities. Also, the industry needs to
recognize that there are other resources than generation for which the operators need to be included. Perhaps a demand-side resource should have a resource operator. This particular SAR may not be the appropriate venue for this, but control
of resources which can be used to mitigate sabotage events or disturbance events may need to be addressed.
Response: The DSR SAR DT thanks you for your comment. The SAR calls for elimination of fill-in-the-blank elements, which will remove the RRO from
the standard. The applicability of requirements will ultimately be determined by the Standard Drafting Team as it develops the requirements in the
standard drafting stage of the process. The team will pass your comment along to the Standard Drafting Team for its consideration concerning
conditional applicability. This SAR is for reporting rather than control actions as you mention.
Brazos Electric Power
Cooperative, Inc.
No
May need to consider adding Transmission Owner. I don't see a need for the RRO to be included as they are not
owner/operators of grid facilities.
Response: The DSR SAR DT thanks you for your comment. The SAR DT discussed the addition of the TO. The team is concerned that there may be
duplication of requirements between the TO/TOP if the TO is added to the SAR. That being said, the TO has been added to the applicability of the SAR
so that the Standard Drafting team may consider these entities for applicability. The applicability of requirements will ultimately be determined by the
Standard Drafting Team as it develops the requirements in the standard drafting stage of the process. The SAR calls for elimination of fill in the blank
elements, which will remove the RRO from the standard. The team will pass your comment along to the Standard Drafting Team for its consideration
concerning conditional applicability.
PacifiCorp
No
LSE's don't generally own/operate facilities/systems that would experience a logical or physical sabotage event.
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team has added DP to the applicability of the SAR. The applicability of LSE or Distribution Provider will ultimately be determined by the Standard
Drafting Team as it develops the requirements in the standard drafting stage of the process.
MidAmerican Energy
No
MidAmerican Energy believes the requirement for the Regional Reliability Organization should be removed from EOP-004-1 since the RRO is a holdover from making the standards enforceable. It is no longer appropriate for the regions to be
named as responsible entities within the standards.
Response: The DSR SAR DT thanks you for your comment. The SAR calls for elimination of fill-in-the-blank elements, which will remove the RRO from
the standard.
Georgia System
Operations Corp.
No
EOP-004 should be retired. CIP-001 should not apply to LSEs other than those that are retail marketers.
Response: The DSR SAR DT thanks you for your comment. The SAR calls for EOP-004 to be revised. The Standard Drafting Team may, with
stakeholder approval, retire it. CIP-001: NERC has recognized, through its Compliance Registry, that there are asset owning LSEs and non-asset
owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The team has added
DP to the applicability of the SAR. The applicability of LSE or Distribution Provider will ultimately be determined by the Standard Drafting Team as it
develops the requirements in the standard drafting process.
AEP
No
We would recommend that the Load Serving Entity (LSE) be removed from both standards, and that the Generator Owner
and Transmission Owner be added to the resulting standard.
Response: The DSR SAR DT thanks you for your comment. NERC has recognized, through its Compliance Registry, that there are asset owning LSEs
and non-asset owning LSEs. The SAR DT believes that an asset owning LSE may be a Distribution Provider based on the Functional Model v4. The
team has added DP to the applicability of the SAR. The applicability of LSE or Distribution Provider will ultimately be determined by the Standard
Drafting Team as it develops the requirements in the standard drafting stage of the process. The SAR DT discussed the addition of the TO and GO. The
team has a concern that there may be duplication of requirements between the TO/TOP and GO/GOP if the TO and GO are added to the SAR. That being
said, the team added the TO and GO to the applicability of the SAR so that the Standard Drafting team may consider these entities for applicability. The
applicability of requirements will ultimately be determined by the Standard Drafting Team as it develops the requirements through the standard drafting
process. The team will pass your comment along to the Standard Drafting Team for its consideration concerning applicability.
Duke Energy
No
It’s unclear to us that the RRO should continue to be an applicable entity.
Response: The DSR SAR DT thanks you for your comment. The team concurs and notes that the SAR states: EOP-004 has some ‘fill-in-the-blank’
components to eliminate. This will remove the RRO from applicability.
Covanta
Yes
It would be a welcome enhancement to the end users to understand the communication link between all "appropriate
parties" who shall be notified of potential or actual sabotage events.... which also needs to be defined.
Response: The DSR SAR DT thanks you for your comment. The team concurs, and will pass this comment on to the standard drafting team for its
consideration.
Edward C. Stein
Yes
WECC
Yes
Luminant Power
Yes
ReliabilityFirst
Corporation
Yes
Oncor Electric Delivery
Yes
Consolidated Edison
Co. of New York, Inc.
Yes
Illinois Municipal
Electric Agency
Yes
Manitoba Hydro
Yes
We Energies
Yes
Consumers Energy
Company
Yes
PSEG Enterprise
Group Inc Companies
Yes
Northeast Power
Coordinating Council
Yes
Bonneville Power
Administration
Yes
Colmac Clarion
Yes
Progress Energy
Yes
Ameren
Yes
5. If you have any other comments on the SAR or proposed modifications to CIP-001-1 and EOP-004-1 that you
haven’t provided in response to the previous questions, please provide them here.
Summary Consideration: Stakeholders provided many good comments that should be considered in the development of the
standards under this project. The SAR DT does not believe that these require any revisions to the SAR and will forward these
comments to the Standard Drafting Team for its consideration in developing the standard(s). These include:
1. Consolidation of reports: The SAR DT agrees with this concept and will forward the comment to the Standard Drafting
Team for its consideration.
2. Concerns about pre-determination of combining CIP-001 and EOP-004 into one standard: The SAR states: CIP-001 may be
merged with EOP-004 to eliminate redundancies. The two standards may be left separate.
3. Reporting criteria in multiple tables: The team agrees that it would be easier if there were only one table. Part of this SAR
is to eliminate redundancies and make general improvements to the standard. The team also agrees that the requirements
developed should be clear in their reliability objective.
Organization
PSEG Enterprise Group
Inc Companies
Question 5 Comment
The PSEG Companies ask that the drafting team allow sufficient flexibility for sabotage recognition and reporting requirements such
that nothing precludes utilizing a single corporate-wide program for both bulk electric system assets and other businesses. PSEG's
Sabotage Recognition, Response and Reporting Program is directed to all business areas which are directed to follow the same
internal protocol that also satisfies the NERC Standards requirements. For example, for gas assets, PSEG's gas distribution
business follows the PSEG corporate-wide program for sabotage recognition and response. PSEG agrees that some modifications
should be made to CIP-001 (ex. better define or give examples of sabotage) and EOP-004 to make them clearer? If they are
merged, then Sabotage will not be in the title (or the primary focus) because several of the Disturbances that reporting is required for
in EOP-004 have nothing to do with sabotage. EOP-004 has criteria listed in 4 places to determine when to send a report:
o Criteria listed in EOP-004 Attachment 1
o Criteria listed in EOP-004 Attachment 2
o Criteria listed in top portion of Table 1-EOP-004
o Criteria listed in bottom portion of Table 1-EOP-004
Therefore, it would be much easier if there was one table of criteria for reference that addressed all of the reportable conditions and
all of the applicable reports. If the 2 standards are merged as suggested in the SAR, any differences in the reporting obligation for
actual or attempted sabotage and reporting of disturbances must be clear.
Response: The DSR SAR DT thanks you for your comment. The team agrees that it would be easier if there were only one table. Part of this project is
to eliminate redundancies and make general improvements to the standard. The team also agrees that the requirements developed should be clear in
their reliability objective. The team will forward your comment to the standard drafting team for its consideration in the drafting of the standard.
Kansas City Power & Light
If it is desirable to keep CIP-001 and EOP-004 separate, it is recommended the SDT consider adding a reference in CIP-001 to the
DOE reporting form either by name or by internet link in the standard.
Response: The DSR SAR DT thanks you for your comment. The SAR SDT recommends eliminating all references to the DOE report, so there won’t be
a reference to it in CIP-001.
IRC Standards Review
Committee
We suggest that the revision not be conducted with a preconceived notion that the two standards must be combined since there are
some differences between sabotage and emergency system conditions, and in the communication and reporting processes and
channels. We suggest the SDT start off with a neutral position to focus on improving the standards, then assess the pros and cons of
merging the two based on technical merit only.
Response: The DSR SAR DT thanks you for your comment. The SAR states: CIP-001 may be merged with EOP-004 to eliminate redundancies. The two
standards may be left separate.
Pepco Holdings, Inc. Affiliates
Consider CIP-008-2 as potentially having overlaps with the proposed standard
Response: The DSR SAR DT thanks you for your comment. The SAR states “Specific references to the DOE form need to be eliminated.” This will
remove the linkage that you identify between CIP-001 and CIP-008. There is also a directive from FERC Order 693 in the SAR that states:
Consider FirstEnergy’s suggestions to differentiate between cyber and physical security sabotage and develop a threshold of materiality.
This allows the standard drafting team to delineate physical and cyber assets. The DSR SAR DT also notes that CIP-008 might be a good framework for
drafting the standard requirements pertaining to sabotage and disturbance reporting of physical assets.
FirstEnergy
1. Under Industry Need it states: "The existing requirements need to be revised to be more specific and there needs to be more
clarity in what sabotage looks like." The use of the phrase "more specific" should be qualified by adding "while not being too
prescriptive". As with other reliability standards, we do not want a standard that causes unwarranted and unnecessary additional
work and costs to an entity to comply.
2. As pointed out by the NERC Audit and Observation Team in the "Issues to be considered" for CIP-001, clarification is needed
regarding contacting the FBI. Prior audits dwelled heavily on FBI notification. For example, our policy states that Corporate Security
notifies the FBI. In recent events it appears that local law enforcement handles day to day activities. The notification process for
contacting the FBI needs clarification along with specific instances in which to call them. Who should make the call to the FBI? It
appears that a protocol needs to be developed to clarify what events require notifying the FBI. It could be as simple as after an
incident a standard form is completed and forwarded to the FBI, letting them decide if follow up is needed.
3. We suggest aligning all reporting requirements for consistency. The items requiring reporting and the timelines to report are very
inconsistent between NERC and the DOE. NERC's timelines are also not consistent with their own Security Guideline for the
Electricity Sector: Threat and Incident Reporting.
Response: The DSR SAR DT thanks you for your comment.
The team concurs that the standards should provide the “what” without the “how”. The standard drafting team will develop the standards using the
NERC Standard Development Process that includes stakeholder consensus. The team does not feel it is necessary to add the “not too prescriptive”
qualifier to the SAR.
The team will forward this comment to the standard drafting team for its consideration in developing the standard(s).
The team concurs with your comment and notes that other commenters have suggested “one stop shopping” reporting for disturbances and
sabotage. The team will forward this comment to the standard drafting team for its consideration in developing the standard(s).
Electric Market Policy
CIP-008-1 Incident Reporting and Response Planning include some requirements that require coordination with the requirements
addressed in this project.
Response: The DSR SAR DT thanks you for your comment. The SAR states “Specific references to the DOE form need to be eliminated.” This will
remove the linkage that you identify between CIP-001 and CIP-008. There is also a directive from FERC Order 693 in the SAR that states:
Consider FirstEnergy’s suggestions to differentiate between cyber and physical security sabotage and develop a threshold of materiality.
This allows the standard drafting team to delineate physical and cyber assets. The DSR SAR DT also notes that CIP-008 might be a good framework for
drafting the standard requirements pertaining to sabotage and disturbance reporting of physical assets.
MRO NERC Standards
Review Subcommittee
A. The SAR states that there may be impact on a related standard, COM-003-1 (page SAR-5). Is the SDT referring to Project 2007-02, Operating Personnel Communication Protocols? If so, this is a SAR too and should not be used as a reference.
B. CIP-001-1 and EOP-004-1 should be combined into one EOP Standard.
C. Within EOP-004-1 there is industry confusion on what form to submit in the event of an event. There should only be one form for
the new combination Standard eliminating the need for reporting form attachments. It should be the DOE Form, OE-417. Although it
is beyond the scope of this SAR, it would greatly benefit industry if there was a central location on the NERC website containing ALL
reporting forms, including FERC, NERC, DOE, and ESIAC. This would enable the System Operators to efficiently locate the most
current version of the appropriate form in order to report events.
D. The word Disturbance is primarily used in other Standards as in, Disturbance Control Standard or system separation due to a
disturbance. Should the NERC definition be updated? Should the word “Sabotage” be defined by NERC? Additionally, we
recommend that one definition of “Sabotage” be utilized industry-wide, instead of varying definitions by multiple groups like the DOE,
ESIAC, etc.
Response: The DSR SAR DT thanks you for your comment.
A. It does reference project 2007-02, and it has been noted in the SAR.
B. Will forward this comment to the standard drafting team for its consideration in developing the standard(s).
C. The team concurs with your comment and notes that other commenters have suggested “one stop shopping” reporting for disturbances and
sabotage. The team will forward this comment to the standard drafting team for its consideration in developing the standard(s).
D. References to DOE are to be removed from the standards per the SAR. FERC Order 693 directives include definition of sabotage for CIP-001.
Lands Energy Consulting
One final comment on CIP-001-1. My clients received universally rude treatment from the FBI field offices when they attempted to
establish the contacts required by the Standard. If the FBI doesn't see value in establishing these contacts, remove the requirement
from the Standard. Making sure the LSE knows the FBI field office phone number is probably all the Standard should require.
Response: The DSR SAR DT thanks you for your comment. The team will forward this comment to the standard drafting team for its consideration in
developing the standard(s).
Colmac Clarion
Need single report for Sabotage so whatever is required results in notification of all parties (State Emergency Management,
Homeland Security, FBI, Grid Reliability Chain of Command). Any and all of these can 'expand' knowledge later but all seem to
require 'instant' notification.
Response: The DSR SAR DT thanks you for your comment. The team concurs with your comment and notes that other commenters have suggested
“one stop shopping” reporting for disturbances and sabotage. The team will forward this comment to the standard drafting team for its consideration
in developing the standard(s).
Cowlitz County PUD
Local Law enforcement agencies often are not friendly to Federal involvement with smaller problems they consider their "turf." Need
to make sure the small stuff stays with them, however have a system of internal reporting that will catch coordinated sabotage efforts
(multiple attacks on DPs and small BAs) at the RC or RE level who then can report to the Federal agencies. Currently EOP-004-1
requires small entities to report a "disturbance" if half of their firm customer load is lost. For some entities, this can be one small
substation going down due to a bird. The "50% of total demand" requirement should be removed or improved to better define a true
BPS disturbance.
Response: The DSR SAR DT thanks you for your comment. The team will forward this comment to the standard drafting team for its consideration in
developing the standard(s).
Exelon
Exelon agrees this is a worthwhile project and that reliability will be enhanced and the compliance process will be simplified by
clarifying terminology and reporting requirements in these standards. If nothing else, defining "Sabotage" so as to end interpretations
of this term and the related requirements is necessary.
Response: The DSR SAR DT thanks you for your comment.
ERCOT ISO
Due to the fact that both the CIP-001-1 and EOP-004-1 have similar reporting standards, initially combining the two sounds like a
correct analysis. However, after further consideration and due to the critical nature of its intended function involving Security
aspects, the CIP-001 should be intensely evaluated to determine if its intended purpose meets the threshold or criteria to stand
alone. The existing standards for CIP-001-1 Sabotage Reporting may help prevent future mitigation actions caused by sabotage
events. EOP-004-1 Disturbance Reporting is administrative in nature, thus the jeopardy of the Bulk Electric System reliability is
impacted only if analysis is not performed or if corrective follow-up actions are not implemented. Combining EOP-004 Standard
requirements under the umbrella of the CIP -001 Standard would create a high profile Disturbance Reporting Standard. The industry
would be better served if information defining sabotage was provided as well as a technical reference document on recognizing
sabotage that would also clarify or state any personnel training requirements. All aspects of the intended functions must be
reviewed before merging the two standards. At a minimum, we must consider modification that provides improved understanding of
the reporting standards and implications as they are currently written.
Response: The DSR SAR DT thanks you for your comment. The SAR states: CIP-001 may be merged with EOP-004 to eliminate redundancies. The two
standards may be left separate. One of the FERC Order 693 directives for CIP-001 states:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
The Standard Drafting Team will follow the NERC Standard Development Process in making revisions under this SAR, including a thorough review of
the requirements of both standards. The team will forward this comment to the standard drafting team for its consideration in developing the
standard(s).
MidAmerican Energy
Conflicting time frames exist from document updates. Reporting should be consolidated to one form and / or site to minimize
conflicts, confusion, and errors. 1) Reporting requirements for the outage of 50,000 or more customers in EOP-004-1 requires a
report to be made within one hour while the form OE-417 requires a report be made within six hours of the outage. The six hour
reference on the updated OE-417 form is the correct reference. 2) Reporting for either CIP-001 or EOP-004 should center on the
DOE Form OE-417. This would eliminate confusion and simplify reporting for system operators thereby directly enhancing reliability
during system events. This would also eliminate much of the duplicate material and attachments in EOP-004. 3) Although it is
beyond the scope of this SAR, the industry would benefit if there was a central location or link on the NERC website containing all
reporting forms, including FERC, NERC, DOE, and ESIAC. This would enable System Operators to more efficiently locate and report
events.
Response: The DSR SAR DT thanks you for your comment. The team notes that other commenters have suggested “one stop shopping” reporting for
disturbances and sabotage. The team concurs that timeframes for similar reports should be the same. The team will forward this comment to the
standard drafting team for its consideration in developing the standard(s).
Georgia System
Operations Corp.
Entity reporting to NERC/Regions is needed by NERC and the Regions to accomplish their missions of overseeing the reliability of
the BES and enforcing compliance with Reliability Standards. An entity not reporting as quickly as possible does not harm the
integrity of the Interconnection. In fact, it increases the risk to the BES to be investigating details and filling out forms during a time
when attention should be on correcting or mitigating an incident.
Response: The DSR SAR DT thanks you for your comment. The team agrees that non-reporting, in the administrative sense, may not harm the
integrity of the Interconnection. The team suggests that the appropriate avenue for addressing this concern is through the development of Violation
Risk Factors and Violation Severity Levels for each requirement. These compliance elements will be developed during the standard drafting stage of
the development process.
Illinois Municipal Electric
Agency
IMEA recommends the following considerations: Simplification of reportable events and the reporting process should be the
overriding objective. NERC's Security Guideline for the Electricity Sector: Threat and Incident Reporting (Version 2.0) should be
updated to support this standards development initiative. At some point in the process, it may help if examples are given of events
actually reported that did not need to be reported.
Response: The DSR SAR DT thanks you for your comment. The team notes that other commenters have suggested “one stop shopping” reporting for
disturbances and sabotage. The team agrees that NERC’s Security Guide should be in sync with the standards. The team will forward this comment to
the standard drafting team for its consideration in developing the standard(s). One of the FERC Order 693 directives for CIP-001 states:
Define “sabotage” and provide guidance on triggering events that would cause an entity to report an event.
Events that were reported, but didn’t need to be, may be identified in “lessons learned”.
WECC
No
Luminant Power
None
Oncor Electric Delivery
No Additional Comments
NextEra Energy
Resources, LLC
No comment.
Ameren
None
Unofficial Nomination Form for SAR Drafting Team for Disturbance and Sabotage
Reporting (Project 2009-01)
Please use the electronic nomination form located at the link below. If you have any
questions, please contact David Taylor at david.taylor@nerc.net or by telephone at 609-651-5089.
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
By submitting the following information you are indicating your commitment to
actively participate in SAR Drafting Team meetings if appointed to the SAR Drafting
Team by the Standards Committee.
Name:
Organization:
Address:
Telephone:
E-mail:
Project 2009-01 Disturbance and Sabotage Reporting will entail revising existing
standards CIP-001 — Sabotage Reporting and EOP-004 — Disturbance Reporting to
eliminate redundancies and provide clarity on sabotage events. The project includes
addressing several issues identified by stakeholders, FERC directives from Order 693, and
may include improvements to the standards deemed appropriate by the drafting team,
with the consensus of stakeholders, consistent with establishing high quality, enforceable
and technically sufficient bulk power system reliability standards.
Please briefly describe (no more than a couple of paragraphs) your experience and
qualifications directly related to the issues to be addressed by the Disturbance and
Sabotage Reporting SAR Drafting Team. We are seeking a cross section of the industry to
participate on the team, but in particular are seeking individuals with experience in
management of real-time bulk power operations activities. Please include any previous
experience related to developing or applying IEEE or other industry related standards as
this type of experience might be beneficial to include on the team, but is not a requisite to
be appointed to the team.
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
Nomination Form for Disturbance and Sabotage Reporting SAR Drafting Team (Project 2009-01)
Are you currently a member of any NERC or Regional Entity SAR or standard drafting team? If yes, please list each team here.
No
Yes:
Have you previously worked on any NERC or Regional Entity SAR or standard drafting teams? If yes, please list them here.
No
Yes:
Please identify the NERC Region(s) for which you are able to represent your company’s position relative to the topics addressed in the SAR:
ERCOT
FRCC
MRO
NPCC
RFC
SERC
SPP
WECC
Not Applicable or None of the Above
Please identify the Industry Segment(s) for which you are able to represent your company’s position relative to the topics addressed in the SAR:
1 — Transmission Owners
2 — RTOs and ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, and Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations and Regional Entities
Not applicable
Please identify the Functional Entities 1 for which you are able to represent your company’s
position relative to the topics addressed in the SAR:
1 These functions are defined in the NERC Functional Model, which is available on the NERC Web site.
Balancing Authority
Planning Coordinator
Compliance Enforcement Authority
Transmission Operator
Distribution Provider
Transmission Owner
Generator Operator
Transmission Planner
Generator Owner
Transmission Service Provider
Interchange Authority
Purchasing-selling Entity
Load-serving Entity
Resource Planner
Market Operator
Reliability Coordinator
Please provide the names and contact information for two references who could
attest to your technical qualifications and your ability to work well in a group.
NERC staff may contact these references.
Name and Title:
Office Telephone:
Organization:
E-mail:
Name and Title:
Office Telephone:
Organization:
E-mail:
Standards Announcement
Nomination Period Opens for Standard Authorization Request
(SAR) Drafting Team
April 29–May 13, 2009
Now available at: http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Nominations for SAR Drafting Team (Project 2009-01 — Disturbance and
Sabotage Reporting)
The Standards Committee is seeking industry experts to serve on the Disturbance and Sabotage
Reporting SAR Drafting Team (see project background below). The SAR drafting team will
assist the requester in further developing the SAR and considering stakeholder comments.
If you are interested in serving on this standard drafting team, please complete the following
electronic nomination form by May 13, 2009:
https://www.nerc.net/nercsurvey/Survey.aspx?s=bf869d5cbde94f9788c7606a2f50829f
Please contact Dave Taylor at david.taylor@nerc.net or at 609-651-5089 with any questions
about the team.
Project Background:
Project 2009-01 — Disturbance and Sabotage Reporting will entail revising existing standards
CIP-001-1 — Sabotage Reporting and EOP-004-1 — Disturbance Reporting to eliminate
redundancies and provide clarity on sabotage events. The project includes addressing several
issues identified by stakeholders, FERC directives from Order 693, and may include
improvements to the standards deemed appropriate by the drafting team, with the consensus of
stakeholders, consistent with establishing high quality, enforceable and technically sufficient
bulk power system reliability standards.
More information about the project is available on the following page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Standards Development Process
The Reliability Standards Development Procedure contains all the procedures governing the
standards development process. The success of the NERC standards development process
depends on stakeholder participation. We extend our thanks to all those who participate.
For more information or assistance,
please contact Shaun Streeter at shaun.streeter@nerc.net or at 609.452.8060.
Standard Authorization Request Form
Title of Proposed Standard: Disturbance and Sabotage reporting (Project 2009-01)
Request Date: April 2, 2009
Approved by SC for posting: April 15, 2009
Revision Date: August 13, 2009
SAR Requester Information
Name: Patrick Brown
Primary Contact: Patrick Brown, Manager, NERC and Regional Coordination, PJM Interconnection
Telephone: 610-666-4597
E-mail: brownp@pjm.com
SAR Type (Check a box for each one that applies.)
New Standard
Revision to existing Standard
Withdrawal of existing Standard
Urgent Action
Purpose (Describe the proposed standard action: Nomination of a proposed
standard, revision to a standard, or withdrawal of a standard and describe what
the standard action will achieve.)
This project will entail revision to existing standards CIP-001-1 – Sabotage Reporting and
EOP-004-1 – Disturbance Reporting. The standards may be merged to eliminate redundancy and
provide clarity on sabotage events. EOP-004 has some ‘fill-in-the-blank’ components to
eliminate. The development may include other improvements to the standards deemed
appropriate by the drafting team, with the consensus of stakeholders, consistent with
establishing high quality, enforceable and technically sufficient bulk power system reliability
standards.
Industry Need (Provide a justification for the development or revision of the standard,
including an assessment of the reliability and market interface impacts of implementing or
not implementing the standard action.)
The existing requirements need to be revised to be more specific – and there needs to be
more clarity in what sabotage looks like.
Brief Description (Provide a paragraph that describes the scope of this standard action.)
CIP-001 may be merged with EOP-004 to eliminate redundancies. Acts of sabotage have to
be reported to the DOE as part of EOP-004. Specific references to the DOE form need to be
eliminated.
EOP-004 has some ‘fill-in-the-blank’ components to eliminate.
The development may include other improvements to the standards deemed appropriate by
the drafting team, with the consensus of stakeholders, consistent with establishing high
quality, enforceable and technically sufficient bulk power system reliability standards (see
tables for each standard at the end of this SAR for more detailed information).
Detailed Description (Provide a description of the proposed project with sufficient details
for the standard drafting team to execute the SAR.)
See “Issues to be Considered by Drafting Team” tables for each standard at the end of this
SAR for more detailed information.
Reliability Functions
The Standard will Apply to the Following Functions (Check box for each one that applies.)
Reliability Coordinator: Responsible for the real-time operating reliability of its Reliability Coordinator Area in coordination with its neighboring Reliability Coordinator’s wide area view.
Balancing Authority: Integrates resource plans ahead of time, and maintains load-interchange-resource balance within a Balancing Authority Area and supports Interconnection frequency in real time.
Interchange Authority: Ensures communication of interchange transactions for reliability evaluation purposes and coordinates implementation of valid and balanced interchange schedules between Balancing Authority Areas.
Planning Coordinator: Assesses the longer-term reliability of its Planning Coordinator Area.
Resource Planner: Develops a >one year plan for the resource adequacy of its specific loads within a Planning Coordinator area.
Transmission Planner: Develops a >one year plan for the reliability of the interconnected Bulk Electric System within its portion of the Planning Coordinator area.
Transmission Service Provider: Administers the transmission tariff and provides transmission services under applicable transmission service agreements (e.g., the pro forma tariff).
Transmission Owner: Owns and maintains transmission facilities.
Transmission Operator: Ensures the real-time operating reliability of the transmission assets within a Transmission Operator Area.
Distribution Provider: Delivers electrical energy to the End-use customer.
Generator Owner: Owns and maintains generation facilities.
Generator Operator: Operates generation unit(s) to provide real and reactive power.
Purchasing-Selling Entity: Purchases or sells energy, capacity, and necessary reliability-related services as required.
Market Operator: Interface point for reliability functions with commercial functions.
Load-Serving Entity: Secures energy and transmission service (and reliability-related services) to serve the End-use Customer.
Reliability and Market Interface Principles
Applicable Reliability Principles (Check box for all that apply.)
1. Interconnected bulk power systems shall be planned and operated in a coordinated
manner to perform reliably under normal and abnormal conditions as defined in the
NERC Standards.
2. The frequency and voltage of interconnected bulk power systems shall be controlled
within defined limits through the balancing of real and reactive power supply and
demand.
3. Information necessary for the planning and operation of interconnected bulk power
systems shall be made available to those entities responsible for planning and
operating the systems reliably.
4. Plans for emergency operation and system restoration of interconnected bulk power
systems shall be developed, coordinated, maintained and implemented.
5. Facilities for communication, monitoring and control shall be provided, used and
maintained for the reliability of interconnected bulk power systems.
6. Personnel responsible for planning and operating interconnected bulk power systems
shall be trained, qualified, and have the responsibility and authority to implement
actions.
7. The security of the interconnected bulk power systems shall be assessed, monitored
and maintained on a wide area basis.
8. Bulk power systems shall be protected from malicious physical or cyber attacks.
Does the proposed Standard comply with all of the following Market Interface
Principles? (Select ‘yes’ or ‘no’ from the drop-down box.)
1. A reliability standard shall not give any market participant an unfair competitive
advantage. Yes
2. A reliability standard shall neither mandate nor prohibit any specific market structure. Yes
3. A reliability standard shall not preclude market solutions to achieving compliance with that
standard. Yes
4. A reliability standard shall not require the public disclosure of commercially sensitive
information. All market participants shall have equal opportunity to access commercially
non-sensitive information that is required for compliance with reliability standards. Yes
Related Standards
Standard No.
Explanation
COM-003-1
Operations Communications Protocols – this standard may include some
requirements that require coordination with the requirements addressed in
this project. (still in standard development stage)
IRO-014-1
R1.1.1, footnote 1 lists sabotage. The standard drafting team should
consider this reference and the impact of their work on this specific item.
TOP-005-1.1
Attachment 1, item 2.9 is “Multi-site sabotage”. The standard drafting
team should consider this reference and the impact of their work on this
specific item.
Related SARs
SAR ID
Explanation
Regional Variances
Region
Explanation
ERCOT
FRCC
MRO
NPCC
SERC
RFC
SPP
WECC
Issues to be Considered by Drafting Team
Project 2009-01 — Disturbance and Sabotage Reporting
Standard #: CIP-001-0
Title: Sabotage Reporting
Issues
FERC Order 693
Disposition: Approved with modifications
Consider the need for wider application of the standard. Consider
whether separate, less burdensome requirements for smaller entities
may be appropriate.
Define “sabotage” and provide guidance on triggering events that
would cause an entity to report an event.
In the interim, provide advice to entities about the reporting of
particular circumstances as they arise.
Consider FirstEnergy’s suggestions to differentiate between cyber and
physical security sabotage and develop a threshold of materiality.
Incorporate a periodic review or updating of the sabotage reporting
procedures and for their periodic testing. Consider a staggered
schedule of annual testing and formal review every two to three years.
Include a requirement to report a sabotage event to the proper
government authorities. Develop the language to specifically
implement this directive.
Explore ways to reduce redundant reporting, including central
coordination of sabotage reports and a uniform reporting format.
V0 Industry Comments
Object to multi-site requirement
Definition of sabotage required
VRF comments
Adequate procedures will insure it is unlikely to lead to bulk electric
system instability, separation, or cascading failures.
Other
Modify standard to conform to the latest version of NERC’s Reliability
Standards Development Procedure, the NERC Standard Drafting Team
Guidelines, and the ERO Rules of Procedure.
NERC Audit and Observation Team
Applicability — How does this standard pertain to Load Serving
Entities, LSE's?
Registered Entities have sabotage reporting processes and procedures
in place but not all personnel have been trained.
Question: How do you “and make the operator aware”
R4 — "What is meant by: “establish contact with the FBI”. Is a phone
number adequate? Many entities which call the FBI are referred back
to the local authority. The AOT noted that on the FBI website it states
to contact the local authorities. Is this a question for Homeland
Security to deal with for us?"
R4 — Establish communications contacts, as applicable with local FBI
and RAMP officials. Some entities are very remote and the sheriff is
the only local authority; does the FBI still need to be contacted?
FERC’s December 20, 2007 and April 4, 2008 Orders in Docket Nos. RC07-004-000, RC07-6-000, and RC07-7-000
In FERC’s December 20, 2007 Order, the Commission reversed NERC’s
Compliance Registry decisions with respect to three load serving
entities in the ReliabilityFirst (RFC) footprint. The distinguishing
feature of these three LSEs is that none owned physical assets. Both
NERC and RFC assert that there will be a “reliability gap” if retail
marketers are not registered as LSEs. To avoid a possible gap, a
consistent, uniform approach to ensure that appropriate Reliability
Standards and associated requirements are applied to retail marketers
must be applied. Each drafting team responsible for reliability
standards applicable to LSEs is to review and change as necessary,
requirements in the applicable reliability standards to address the
issues surrounding accountability for loads served by retail
marketers/suppliers. For additional information see:
FERC’s December 20, 2007 Order
(http://www.nerc.com/files/LSE_decision_order.pdf )
NERC’s March 4, 2008
(http://www.nerc.com/files/FinalFiledLSE3408.pdf ),
FERC’s April 4, 2008 Order
(http://www.nerc.com/files/AcceptLSECompFiling-040408.pdf ) and
NERC’s July 31, 2008 (http://www.nerc.com/files/FinalFiledCompFiling-LSE-07312008.pdf ) compliance filings to FERC on this
subject.
Issues to be Considered by Drafting Team
Project 2009-01 — Disturbance and Sabotage Reporting
Standard #: EOP-004-1
Title: Disturbance Reporting
Issues
FERC Order 693
Disposition: Approved with modification
Include any requirements for users, owners, and operators of the bulk
power system to provide data that will assist NERC in the investigation of
a blackout or disturbance.
Change NERC’s Rules of Procedure to assure the Commission receives
these reports in the same frame as the DOE.
Consider APPA’s concern about generator operators and LSEs analyzing
performance of their equipment and provide data and information on the
equipment to assist others with analysis.
Consider all comments offered in a future modification of the reliability
standard.
Fill-in-the-Blank Team Comments
Consider changes to R1 and R3.4 to standardize the disturbance
reporting requirements (requirements for disturbance reporting need to
be added to this standard)
Regions currently have procedures, but not in the form of a standard.
The drafting team will need to review regional requirements to determine
reporting requirements for the North American standard.
V0 Industry Comments
R3 – too many reports, narrow requirement to RC
How does this apply to generator operator?
Other
Modify standard to conform to the latest version of NERC’s Reliability
Standards Development Procedure, the NERC Standard Drafting Team
Guidelines, and the ERO Rules of Procedure.
NERC Audit and Observation Team
R3.1 — Can there be a violation without an event?
Event Analysis Team
Reliability Issue: Coordination and follow up on lessons learned from
event analyses. Consider adding to EOP-004 – Disturbance Reporting.
Proposed requirement: Regional Entities (REs) shall work together with
Reliability Coordinators, Transmission Owners, and Generation Owners to
develop an Event Analysis Process to prevent similar events from
happening and follow up with the recommendations. This process shall
be defined within the appropriate NERC Standard.
FERC’s December 20, 2007 and April 4, 2008 Orders in Docket Nos. RC07-004-000, RC07-6-000, and RC07-7-000
In FERC’s December 20, 2007 Order, the Commission reversed NERC’s
Compliance Registry decisions with respect to three load serving entities
in the ReliabilityFirst (RFC) footprint. The distinguishing feature of these
three LSEs is that none owned physical assets. Both NERC and RFC
assert that there will be a “reliability gap” if retail marketers are not
registered as LSEs. To avoid a possible gap, a consistent, uniform
approach to ensure that appropriate Reliability Standards and associated
requirements are applied to retail marketers must be applied. Each
drafting team responsible for reliability standards applicable to LSEs is to
review and change as necessary, requirements in the applicable reliability
standards to address the issues surrounding accountability for loads
served by retail marketers/suppliers. For additional information see:
FERC’s December 20, 2007 Order
(http://www.nerc.com/files/LSE_decision_order.pdf )
NERC’s March 4, 2008
(http://www.nerc.com/files/FinalFiledLSE3408.pdf ),
FERC’s April 4, 2008 Order
(http://www.nerc.com/files/AcceptLSECompFiling-040408.pdf ) and
NERC’s July 31, 2008 (http://www.nerc.com/files/FinalFiledCompFiling-LSE-07312008.pdf ) compliance filings to FERC on this
subject.
Consideration of Comments on Project 2009-01 — SAR for Disturbance and Sabotage Reporting
Comments received on Project 2009-01 — Disturbance and Sabotage Reporting
The Disturbance and Sabotage Reporting Standard Drafting Team (DSR SDT) received many suggestions for
improvements to the standards during the SAR comment period. These comments do not indicate any revisions to
the SAR, but the DSR SDT thought that these comments merited further consideration during the standard drafting
phase of the project. The comments below are being compiled for use by the Standard Development Team.
Organization
Electric Market Policy
Comment
Comments: Agree with the statement that sabotage is hard to determine in real time by operations staffs. The
determination of sabotage should be left up to law enforcement. They have the knowledge and peer contacts needed to
adequately determine whether physical or cyber intrusions are merely malicious acts or coordinated efforts (sabotage).
The operators should only be required to report physical and cyber intrusions to law enforcement. All other reporting
requirements should apply to law enforcement once a determination of sabotage has been made. If the
recommendations above are not to be accepted, then we have the following comments:
CIP-001-1
1) R1 states entities shall have procedures for the recognition of and for making their operating personnel aware of
sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection. The SAR notes
that the industry objects to the multi-site requirement, most likely because the term is ambiguous. If this term remains in
the standard, it needs to be clearly defined and responsibilities for obtaining (how do you get this information and from
whom?) and distributing need to be included.
2) R1 audits have shown confusion over the requirement to make operating personnel aware of sabotage events. The
term operating personnel needs to be defined. Are they the individuals responsible for operating the facility,
coordinating with other entities (i.e., RC, BA, TOP, GOP, and LSE)? It has been suggested that notification is required
to all personnel at a facility. Keep in mind the purpose of the standard is to ensure sabotage events are properly
reported, not to address emergency response.
3) R1 The SAR (NERC Audit and Observation Team) notes that Registered Entities have processes and procedures in
place, but not all personnel have been trained. There is no specific training requirement in the standard.
4) R2 & R3 I agree with the SAR that sabotage needs to be defined and these requirements should be more specific
with respect to the information to be communicated. It seems to me that the standard should mirror the criteria
contained in DOE OE-417. The emphasis should be placed on ensuring that the same information communicated to
DOE is shared with the appropriate parties in the Interconnection.
5) R4 I agree with the SAR (NERC Audit and Observation Team) comments regarding the intention of this requirement.
There is no language that directs contact with FBI or RCMP although that is what is implied by the Purpose statement.
August 13, 2009
6) VRF Comments I’m not sure what is intended by the statement Adequate procedures will insure it is unlikely to lead to
bulk electric system instability, separation, or cascading failures? The purpose of the standard is that of communication.
No operational decisions or actions are directed by this standard, nor does it require entities to address operational
aspects resulting from sabotage.
7) The potential exists for overlapping sabotage reporting requirements at nuclear power plants due to multiple
regulators (Nuclear Regulatory Commission (NRC) 10 CFR 73 and Federal Energy Regulatory Commission (FERC)
NUC-001-1). Some entities may have revised existing NRC driven procedures to accommodate reporting requirements
of both regulators. Because of the restrictions placed on NRC driven documents (i.e., procedures are classified as
safeguards information), it can be difficult to demonstrate compliance to NERC and/or FERC without ensuring that the
individuals are qualified for receipt of such information per 10 CFR 73. Additionally, multiple procedures may have the
unintended consequence of delaying appropriate communication.
EOP-004-1
Consider removing Attachment 2 as the
information is duplicated in DOE Form OE-417. A simple reference to the form should suffice.
Lands Energy
Consulting
I have worked with 5 Northwest public utilities on developing procedures related to CIP-001-1 and EOP-004-1. All 5
utilities operate electric systems in fairly remote locations and are embedded in a larger utility's Balancing
Authority/Transmission Operator area.
A. CIP-001-1 - Developing procedures to unambiguously identify acts of sabotage has been particularly challenging for
these systems. In general, it's hard for them to determine whether the most prevalent forms of malicious and intentional
system damage that they incur - copper theft and gun shot insulators/equipment - should qualify as acts of sabotage.
Although none of the systems consider copper theft to be acts of sabotage, two of the systems consider gun shot
insulators/equipment to be acts of sabotage. The other systems look for intent to disrupt electric system operations as a
key component of their sabotage identification procedures. Additional guidance from NERC in the form of CIP-001-1
modifications or a companion guidelines document on sabotage identification would provide much needed guidance for
these procedures.
B. EOP-004-1 - This standard was clearly drafted with the larger electric systems in mind. I have one client that serves
3300 commercial/residential customers from 4-115/13 kV substation transformers and one large industrial customer
(80% of its energy load) from a 230/13 kV substation. 75% of the client's load is served from three substations attached
to a long, 115 kV transmission line operated by the Bonneville Power Administration. Whenever the line relays open on
a permanent fault (which happens 2-3 times per year), the client loses over 50% of its customers (but no more than 10-15 MW during winter peak), thereby necessitating the preparation of a Disturbance Report. To allow utilities to
concentrate on operating their systems, without fear of violating EOP-004-1 for failure to report trivial outages, I would
remove LSEs from the obligation to report disturbances - leave the reporting to the BA/TOP for large outages in their
footprint.
Calpine Corporation
Communication of facility status or emergencies between merchant generators registered as GOP and the RC, BA,
GOP, or LSE in which the facility resides should be coordinated for EOP-004 reporting. The reporting to NERC/DOE
should come from the RC, BA, GOP, or LSE.
Covanta
Yes - the key to Sabotage reporting requirements is identifying what the 'definition' is of an actual or potential 'Sabotage'
event. Like any other standard, if FERC/NERC leave it up to 2000+ entities to establish their own definitions of
'Sabotage', you may likely get 2000+ answers. That is not a controlled and coordinated approach. I offer the following
definition, "Sabotage - Deliberate or malicious destruction of property, obstruction of normal operations, or injury to
personnel by outside agents." Examples of sabotage events could include, but are not limited to, suspicious packages
left near site electrical generating or electrical transmission assets, identified destruction of generating assets,
telephone/e mail received threats to destroy or interrupt electrical generating efforts, etc." These have passed multiple
NERC regional audits and reviews to date.
Northeast Power
Coordinating Council
The SAR needs to be more specific in defining its objectives.
CIP-001 Requirement R1 currently states:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving
Entity shall have procedures for the recognition of and for making their operating personnel aware of sabotage events
on its facilities and multi-site sabotage affecting larger portions of the Interconnection.
The SDT needs to include the following objectives:
1. Develop clear definitions for the terms “operating personnel” and “sabotage events.” The definition of “operating
personnel,” should be clarified and limited to staff at BES facilities. Operating personnel should report only those events
which meet a clear, recognizable threshold as reportable potential sabotage events. There should be a consistent
continent-wide list of examples or typical reportable and non-reportable events to help guide operating personnel. The
term “sabotage event” needs to be defined. Clarification is required regarding when the determination of a sabotage
event is made, e.g., upon first observation (requiring operating personnel be educated in discerning sabotage events),
or upon later investigation by trained security personnel and law enforcement individuals. The terms potential or
suspected sabotage event for reporting purposes should be clarified or defined.
2. Define the obligations of Registered Entity operating personnel - who are required to be aware of such “sabotage
events,” e.g., who, what, where, when, why and how, and what they are to do in response to this awareness. The SDT
should clarify the use of the term “aware” in the standard. “Aware” can be interpreted in accordance with its largely
passive, dictionary-based meaning, where being “aware” simply means knowing about something, such as a sabotage
event. Alternatively, the Reliability Standard meaning of “aware” could refer to more active wording, involving more than
mere awareness, e.g., “alert and quick to respond,” pointing to and requiring a specific affirmative response, i.e.,
reporting to the appropriate systems, governmental agencies, and regulatory bodies.
EOP-004 - The SDT needs to work on the following areas.
1. NERC reporting needs to be clarified. For example, Attachment 1 paragraph 6c states: Introduction “The entity on
whose system a reportable disturbance occurs shall notify NERC ... 6. Any action taken by a Generator Operator,
Transmission Operator, Balancing Authority, or Load-Serving Entity that results in: c. Failure, degradation, or
misoperation of system protection, special protection schemes, remedial action schemes, or other operating systems
that do not require operator intervention, which did result in, or could have resulted in, a system disturbance - The sense
of Attachment 1 is internally inconsistent between the introduction (“occurs”) and the required actions in 6c (could have
resulted in a system disturbance). The initial intent appears to be only to report actual system disturbances. Yet,
paragraph 6c adds the phrase “or could have resulted in” a potential system disturbance. This inconsistency should be
clarified.
FirstEnergy
We agree with the scope but would also like to see the following considered:
1. References to the DOE reporting process in EOP-004 need to be revised. They currently refer to the old EIA form.
2. Besides "sabotage", it may be helpful to clearly define "vandalism". It is vaguely written in the standards. Also, the
process of "public appeals" for the DOE reportable requirements needs to be more clearly defined.
3. Consolidate documents covering reporting requirements. There are currently several documents that require reporting
(EOP-004, CIP-001, DOE OE-417, and NERC's Security Guideline for the Electricity Sector: Threat and Incident
Reporting). NERC also has the "Bulk Power System Disturbance Classification Scale" that does not completely align
with all the reporting requirements. Therefore we recommend keeping this as simple as possible by combining all the
reporting requirements into one standard. It would be beneficial to not require operators to have to go to 4 different
documents to determine what to report on.
MRO NERC Standards
Review Subcommittee
The MRO NSRS would like to keep the references to the DOE reporting form.
Cowlitz County PUD
Added to the scope:
For EOP-004 add a provision for a reporting flow rather than everything going to the RE and NERC. That is something
going like the DP and TOP reports to the BA, the BA to the RE, and the RE to NERC. This would allow for multiple
related reports to be combined into a single coherent report as the reporting goes up the chain.
For CIP-001 consider reporting flow as above with local law enforcement notification. Let an upper entity in the reporting
chain decide when to contact Federal Agencies such as the BA or the RC.
Reliant Energy
I think Generator operators should be excluded except to provide requested information from the System Operator or
Reliability coordinator.
ERCOT ISO
The scope should be modified to provide for a different treatment of reporting requirements that are administrative in
nature, or that are after-the-fact (thus cannot impact reliability unless analysis and follow-up is not performed; even then,
the impact would be at some future time). Reporting requirements which are of the nature to assist in identification of
system concerns or which serve to prevent or mitigate on-going system problems (including, but not limited to, actual or
attempted sabotage activity) should remain in standards, but should be separate and apart from the administrative
reporting.
Consolidated Edison
Co. of New York, Inc.
GENERAL
CECONY and ORU support the general objectives of the SAR to merge existing standards CIP-001-1
Sabotage Reporting and EOP-004-1 Disturbance Reporting to improve clarity and remove redundancy.
However, the SAR needs to be more specific in defining its objectives.
CIP-001 Requirement R1 currently states:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving
Entity shall have procedures for the recognition of and for making their operating personnel aware of sabotage events
on its facilities and multi-site sabotage affecting larger portions of the Interconnection.
The SDT needs to include the following objectives:
1. Develop clear definitions for the terms operating personnel and sabotage events. The definition of operating
personnel, should be clarified and limited to staff at BES facilities. Operating personnel should report only those events
which meet a clear, recognizable threshold as reportable potential sabotage events. There should be a consistent
continent-wide list of examples or typical reportable and non-reportable events to help guide operating personnel. The
term sabotage event needs to be defined. Clarification is required regarding when the determination of a sabotage event
is made, e.g., upon first observation (requiring operating personnel be educated in discerning sabotage events), or upon
later investigation by trained security personnel and law enforcement individuals. The terms potential or suspected
sabotage event for reporting purposes should be clarified or defined.
2. Define the obligations of Registered Entity operating personnel - who are required to be aware of such sabotage
events, e.g., who, what, where, when, why and how, and what they are to do in response to this awareness. The SDT
should clarify the use of the term aware in the standard. Aware can be interpreted in accordance with its largely passive,
dictionary-based meaning, where being aware simply means knowing about something, such as a sabotage event.
Alternatively, the Reliability Standard meaning of aware could refer to more active wording, involving more than mere
awareness, e.g., alert and quick to respond, pointing to and requiring a specific affirmative response, i.e., reporting to
the appropriate systems, governmental agencies, and regulatory bodies.
EOP-004 - The SDT needs to work on the following areas.
1. NERC reporting needs to be clarified. For example, Attachment 1 paragraph 6c states:
Introduction The entity on whose system a reportable disturbance occurs shall notify NERC ... 6. Any action taken by a
Generator Operator, Transmission Operator, Balancing Authority, or Load-Serving Entity that results in: c. Failure,
degradation, or misoperation of system protection, special protection schemes, remedial action schemes, or other
operating systems that do not require operator intervention, which did result in, or could have resulted in, a system
disturbance.
The sense of Attachment 1 is internally inconsistent between the introduction (occurs) and the required actions in 6c
(could have resulted in a system disturbance). The initial intent appears to be only to report actual system disturbances.
Yet, paragraph 6c adds the phrase or could have resulted in a potential system disturbance. This inconsistency should
be clarified.
Georgia System
Operations Corp.
The scope of the SAR should be to move all requirements to report to NERC or Regional Entities out of the
Requirements section of all Reliability Standards to elsewhere. This does not include reporting, communicating, or
coordinating between reliability entities. The NERC/Region reporting requirements could be consolidated in another
document and referenced in the Supporting References section of the Reliability Standards. The deadlines for reporting
should be changed to realistic timeframes that do not interfere with operating the BES or responding to incidents yet still
allow NERC and the Regions to accomplish their missions.
AEP
Sabotage is a term of intent that is often determined after the fact by the registered entity and/or law enforcement
officials. In fact, it is often difficult to determine in real-time the intent of a suspicious event. We would suggest that
suspicious events become reportable at the point that the event is determined to have had sabotage intent. The entities
should have a methodology to collect evidence, to have the evidence analyzed, and to report those events that are
determined to have had the intent of sabotage.
Duke Energy
While we agree with the need for clarity in sabotage and disturbance reporting, we believe that the Standards Drafting
Team should carefully consider whether there is a reliability-related need for each requirement. Some disturbance
reporting requirements are triggered not just to assist in real-time reliability but also to identify lessons-learned
opportunities. If disturbance and sabotage reporting continue to be reliability standards, we believe that all linkages to
lessons-learned/improvements need to be stripped out. We have other forums to identify lessons-learned opportunities
and to follow-up on those opportunities. Also, requirements to report possible non-compliances should be eliminated.
We strongly support voluntary self-reporting, but not mandatory self-reporting.
NextEra Energy
Resources, LLC
The scope of the SAR should not include Generator Operators.
Luminant Power
The SAR drafting team should include in the SAR scope a review of the NRC sabotage and event reporting
requirements to ensure there are no overlapping or conflicting requirements between NERC, FERC, and the NRC. The
SAR scope should include a review of the CIP Cyber Security Standards and coordination with the CIP SDT to ensure
that cyber sabotage reporting definitions are in concert, and ensure that cyber sabotage reporting requirements are not
duplicated in multiple standards.
Illinois Municipal
Electric Agency
A one-stop reporting tool/site would facilitate efficient reporting and compliance; e.g., further development of the ESISAC/CIPIS to include all reportable categories and automatic notification of required parties. A single report form would
be best.
AEP
The current reporting process necessitates multiple reports be sent to multiple parties, which is inefficient and may,
inadvertently, result in alignment issues between the separate reports. We would recommend that a single report that
combines NERC (CIPIS) and NERC ESISAC information be provided to NERC (CIPIS) that is systematically
(programmatically) forwarded to all necessary entities. Further, updates to incidents would also go through NERC with
the same electronic processing. Currently, we are not aware of a formal method to report incidents to the FBI, which
should be also included in the distribution. The current reporting mechanism to the FBI JTTF is by telephone and the
NERC platform described would provide more consistent reporting.
Kansas City Power &
Light
Do not agree Load Serving Entities need to continue to be included for sabotage. According to the NERC Functional
Model, an LSE provides for estimating customer load and provides for the acquisition of transmission and energy to
meet customer load demand. An LSE has no real impact on maintaining the reliability of electric network short of their
planning function. Unfortunately, an LSE needs to be included for disturbance reporting to the DOE under certain
conditions for loss of customer load. This may be a reason to maintain a separation of CIP-001 and EOP-004 so as not
to unnecessarily include an LSE when it is not needed.
Electric Market Policy
Applicability should not apply to LSE unless they have physical assets. If they do not have such assets, they are unable
to determine how many customers are out, how much load was lost or the duration of an outage. We continue to
question the need for the LSE entity in reliability standards. End use customer load is either connected to transmission
or distribution facilities. So, the applicable planner has to plan for that load when designing its facilities or the load will
not have reliable service. To the extent that energy and capacity for that load is supplied by an entity other than the TO
or DP, the TO or DP should have interconnection requirements that compel the supplier to provide any and all data
necessary to meet the requirements of reliability standards.
Lands Energy Consulting
CIP-001-1 - Yes. In many cases, the staff of an LSE embedded in another entity's BA/TOP area is more likely to
discover an act of sabotage directed toward a BA/TOP-owned facility that could affect the BES than the asset owner.
This is because the LSE likely has more operating staff in the area. I have included a requirement in my clients'
August 13, 2009
15
Consideration of Comments on Project 2009-01 — SAR for Disturbance and Sabotage Reporting
Organization
Comment
Sabotage Identification and Reporting Procedures that the client treat acts of sabotage to a third party's system
discovered by client employees as though the act was directed toward client facilities. EOP-004-1 - As mentioned
before, I would eliminate the LSE from the applicability list and leave the responsibility for disturbance reporting and
response to the TOP/BA. However, I would retain a responsibility for the LSEs to cooperate (when requested) with any
disturbance investigation.
Calpine Corporation
The reporting requirements of EOP - 004 are needed for the RC, BA, LSE and the GOP that operates or controls
generation in a system as defined by NERC. (System - A combination of generation, transmission, and distribution
components). A disturbance is described as an unplanned event that produces an abnormal system condition, any
perturbation to the electric system, and the unexpected change in ACE that is caused by the sudden failure of
generation or interruption of load. The GOP operating/controlling generation within a system has the ability to analyze
system conditions to determine if reporting is necessary. A NERC registered GOP that is a merchant generator within
another company’s system does not have the ability for a wide area view and cannot analyze system conditions beyond
the interconnection point of the facility. Moreover, in most cases the reporting requirements outlined in the
Interconnection Reliability Operating Limits and Preliminary Disturbance Report do not apply to the merchant generator
that is not a generation only BA. The applicability of the standard does encompass the true merchant generation entities
required to register as GOP. Similarly, the OE-417 table 1 reporting requirements generally do not apply to a true
merchant generating entity that is required to register as a GOP.
Covanta
It would be a welcome enhancement to the end users to understand the communication link between all "appropriate
parties" who shall be notified of potential or actual sabotage events.... which also needs to be defined.
Reliant Energy
EOP-004-1 should exclude the generator operator from disturbance reporting except providing the system operator or
reliability coordinator with appropriate unit operation information upon request. Acts of sabotage should be identified
clearly and reported to the indicated authorities.
Texas Regional Entity
Add GO and TO to the list of applicability. The intent of CIP-001-1 when it was first written was to have the proper and
most likely entities associated directly with operations to be the ones to begin the reporting process in the case of
sabotage on the system. In the ERCOT Region and other regions in the US, the GOP may not be physically located at
the site. The GOP is often removed from the minute-by-minute responsibilities of plant operations and, therefore, may
be less able to react to physical sabotage at the location/plant/facility in a timely manner. The concern is that, in the
case of an actual sabotage event, the failure to report to the appropriate authorities in a timely manner may jeopardize
the reliability of the BPS. Therefore, the Generator Owner (GO) should be added to the list of applicability for CIP-001-1, because it is the GO that is more likely to be on location at the generation site and thus aware of sabotage when it
first occurs. This would disallow for any possible communication gap and put responsibility on all of the appropriate
entities to report such an event. Additionally, and for the same reasons as adding the GO, the Transmission Owner
(TO) should also be added to the list of applicability for reporting sabotage on its facilities.
Exelon
CIP-001, remove LSE's from the standard for the reasons identified in the FERC LSE order. Add TO and DP. EOP-004,
remove LSE's from the standard for the reasons identified in the FERC LSE order. Remove RRO's, they are not a user,
owner, operator of the BES. Add DP or TO. Consider conditional applicability as in the UFLS standards, " the TO or DP
who performs the functions specified in the standard..."
ERCOT ISO
The Regional Reliability Organization is not a registered Functional Entity in the NERC registry. The applicability must
be revised to more appropriately assign the requirements to registered functional entities. Also, the industry needs to
recognize that there are other resources than generation for which the operators need to be included. Perhaps a
demand-side resource should have a resource operator. This particular SAR may not be the appropriate venue for this,
but control of resources which can be used to mitigate sabotage events or disturbance events may need to be
addressed.
AEP
We would recommend that the Load Serving Entity (LSE) be removed from both standards, and that the Generator
Owner and Transmission Owner be added to the resulting standard.
NextEra Energy Resources, LLC
The scope of the proposed SAR should not include the Generator Operator.
PSEG Enterprise Group Inc Companies
The PSEG Companies ask that the drafting team allow sufficient flexibility for sabotage recognition and reporting
requirements such that nothing precludes utilizing a single corporate-wide program for both bulk electric system assets
and other businesses. PSEG's Sabotage Recognition, Response and Reporting Program is directed to all business
areas which are directed to follow the same internal protocol that also satisfies the NERC Standards requirements. For
example, for gas assets, PSEG's gas distribution business follows the PSEG corporate-wide program for sabotage
recognition and response. PSEG agrees that some modifications should be made to CIP-001 (ex. better define or give
examples of sabotage) and EOP-004 to make them clearer. If they are merged, then Sabotage will not be in the title (or
the primary focus) because several of the Disturbances that reporting is required for in EOP-004 have nothing to do with
sabotage. EOP-004 has criteria listed in 4 places to determine when to send a report:
o Criteria listed in EOP-004 Attachment 1
o Criteria listed in EOP-004 Attachment 2
o Criteria listed in top portion of Table 1-EOP-004
o Criteria listed in bottom portion of Table 1-EOP-004
Therefore, it would be much easier if there was one table of criteria for reference that addressed all of the reportable
conditions and all of the applicable reports. If the 2 standards are merged as suggested in the SAR, any differences in
the reporting obligation for actual or attempted sabotage and reporting of disturbances must be clear.
FirstEnergy
2. As pointed out by the NERC Audit and Observation Team in the "Issues to be considered" for CIP-001, clarification is
needed regarding contacting the FBI. Prior audits dwelled heavily on FBI notification. For example, our policy states that
Corporate Security notifies the FBI. In recent events it appears that local law enforcement handles day to day activities.
The notification process for contacting the FBI needs clarification along with specific instances in which to call them.
Who should make the call to the FBI? It appears that a protocol needs to be developed to clarify what events require
notifying the FBI. It could be as simple as after an incident a standard form is completed and forwarded to the FBI,
letting them decide if follow up is needed.
3. We suggest aligning all reporting requirements for consistency. The items requiring reporting and the timelines to
report are very inconsistent between NERC and the DOE. NERC's timelines are also not consistent with their own
Security Guideline for the Electricity Sector: Threat and Incident Reporting.
MRO NERC Standards Review Subcommittee
B. CIP-001-1 and EOP-004-1 should be combined into one EOP Standard.
C. Within EOP-004-1 there is industry confusion on what form to submit in the event of an event. There should only be
one form for the new combination Standard eliminating the need for reporting form attachments. It should be the DOE
Form, OE-417. Although it is beyond the scope of this SAR, it would greatly benefit industry if there was a central
location on the NERC website containing ALL reporting forms, including FERC, NERC, DOE, and ESISAC. This would
enable the System Operators to efficiently locate the most current version of the appropriate form in order to report
events.
Lands Energy Consulting
One final comment on CIP-001-1. My clients received universally rude treatment from the FBI field offices when they
attempted to establish the contacts required by the Standard. If the FBI doesn't see value in establishing these
contacts, remove the requirement from the Standard. Making sure the LSE knows the FBI field office phone number is
probably all the Standard should require.
Colmac Clarion
Need single report for Sabotage so whatever is required results in notification of all parties (State Emergency
Management, Homeland Security, FBI, Grid Reliability Chain of Command). Any and all of these can 'expand'
knowledge later but all seem to require 'instant' notification.
Cowlitz County PUD
Local Law enforcement agencies often are not friendly to Federal involvement with smaller problems they consider their
"turf." Need to make sure the small stuff stays with them, however have a system of internal reporting that will catch
coordinated sabotage efforts (multiple attacks on DPs and small BAs) at the RC or RE level who then can report to the
Federal agencies. Currently EOP-004-1 requires small entities to report a "disturbance" if half of their firm customer
load is lost. For some entities, this can be one small substation going down due to a bird. The "50% of total demand"
requirement should be removed or improved to better define a true BPS disturbance.
ERCOT ISO
Due to the fact that both the CIP-001-1 and EOP-004-1 have similar reporting standards, initially combining the two
sounds like a correct analysis. However, after further consideration and due to the critical nature of its intended function
involving Security aspects, the CIP-001 should be intensely evaluated to determine if its intended purpose meets the
threshold or criteria to stand alone. The existing standards for CIP-001-1 Sabotage Reporting may help prevent future
mitigation actions caused by sabotage events. EOP-004-1 Disturbance Reporting is administrative in nature, thus the
jeopardy of the Bulk Electric System reliability is impacted only if analysis is not performed or if corrective follow-up
actions are not implemented. Combining EOP-004 Standard requirements under the umbrella of the CIP -001 Standard
would create a high profile Disturbance Reporting Standard. The industry would be better served if information defining
sabotage was provided as well as a technical reference document on recognizing sabotage that would also clarify or
state any personnel training requirements. All aspects of the intended functions must be reviewed before merging the
two standards. At a minimum, we must consider modification that provides improved understanding of the reporting
standards and implications as they are currently written.
MidAmerican Energy
Conflicting time frames exist from document updates. Reporting should be consolidated to one form and / or site to
minimize conflicts, confusion, and errors. 1) Reporting requirements for the outage of 50,000 or more customers in EOP-004-1 require a report to be made within one hour while the form OE-417 requires a report be made within six hours of
the outage. The six hour reference on the updated OE-417 form is the correct reference. 2) Reporting for either CIP-001 or EOP-004 should center on the DOE Form OE-417. This would eliminate confusion and simplify reporting for
system operators thereby directly enhancing reliability during system events. This would also eliminate much of the
duplicate material and attachments in EOP-004. 3) Although it is beyond the scope of this SAR, the industry would
benefit if there was a central location or link on the NERC website containing all reporting forms, including FERC,
NERC, DOE, and ESISAC. This would enable System Operators to more efficiently locate and report events.
Illinois Municipal Electric Agency
IMEA recommends the following considerations: Simplification of reportable events and the reporting process should be
the overriding objective. NERC's Security Guideline for the Electricity Sector: Threat and Incident Reporting (Version
2.0) should be updated to support this standards development initiative. At some point in the process, it may help if
examples are given of events actually reported that did not need to be reported.
Standard Authorization Request Form
Title of Proposed Standard: Disturbance and Sabotage reporting (Project 2009-01)
Request Date: April 2, 2009
Approved by SC for posting: April 15, 2009
Revision Date: July 22, 2009August 13, 2009
SAR Requester Information
Name: Patrick Brown
Primary Contact: Patrick Brown, Manager, NERC and Regional Coordination, PJM Interconnection
Telephone: 610-666-4597
E-mail: brownp@pjm.com
SAR Type (Check a box for each one that applies.)
New Standard
Revision to existing Standard
Withdrawal of existing Standard
Urgent Action
Purpose (Describe the proposed standard action: Nomination of a proposed
standard, revision to a standard, or withdrawal of a standard and describe what
the standard action will achieve.)
This project will entail revision to existing standards CIP-001-1 – Sabotage Reporting and
EOP-004-1 – Disturbance Reporting. The standards may be merged to eliminate redundancy
and provide clarity on sabotage events. EOP-004 has some ‘fill-in-the-blank’ components
to eliminate. The development may include other improvements to the standards deemed
appropriate by the drafting team, with the consensus of stakeholders, consistent with
establishing high quality, enforceable and technically sufficient bulk power system
reliability standards.
Industry Need (Provide a justification for the development or revision of the standard,
including an assessment of the reliability and market interface impacts of implementing
or not implementing the standard action.)
The existing requirements need to be revised to be more specific – and there needs to be
more clarity in what sabotage looks like.
Brief Description (Provide a paragraph that describes the scope of this standard
action.)
CIP-001 may be merged with EOP-004 to eliminate redundancies. Acts of sabotage have
to be reported to the DOE as part of EOP-004. Specific references to the DOE form need
to be eliminated.
EOP-004 has some ‘fill-in-the-blank’ components to eliminate.
116-390 Village Boulevard
Princeton, New Jersey 08540-5721
609.452.8060 | www.nerc.com
The development may include other improvements to the standards deemed appropriate
by the drafting team, with the consensus of stakeholders, consistent with establishing
high quality, enforceable and technically sufficient bulk power system reliability standards
(see tables for each standard at the end of this SAR for more detailed information).
Detailed Description (Provide a description of the proposed project with sufficient
details for the standard drafting team to execute the SAR.)
See “Issues to be Considered by Drafting Team” tables for each standard at the end of
this SAR for more detailed information.
Reliability Functions
The Standard will Apply to the Following Functions (Check box for each one that applies.)
Reliability Coordinator: Responsible for the real-time operating reliability of its Reliability Coordinator Area in coordination with its neighboring Reliability Coordinator’s wide area view.
Balancing Authority: Integrates resource plans ahead of time, and maintains load-interchange-resource balance within a Balancing Authority Area and supports Interconnection frequency in real time.
Interchange Authority: Ensures communication of interchange transactions for reliability evaluation purposes and coordinates implementation of valid and balanced interchange schedules between Balancing Authority Areas.
Planning Coordinator: Assesses the longer-term reliability of its Planning Coordinator Area.
Resource Planner: Develops a >one year plan for the resource adequacy of its specific loads within a Planning Coordinator area.
Transmission Planner: Develops a >one year plan for the reliability of the interconnected Bulk Electric System within its portion of the Planning Coordinator area.
Transmission Service Provider: Administers the transmission tariff and provides transmission services under applicable transmission service agreements (e.g., the pro forma tariff).
Transmission Owner: Owns and maintains transmission facilities.
Transmission Operator: Ensures the real-time operating reliability of the transmission assets within a Transmission Operator Area.
Distribution Provider: Delivers electrical energy to the End-use customer.
Generator Owner: Owns and maintains generation facilities.
Generator Operator: Operates generation unit(s) to provide real and reactive power.
Purchasing-Selling Entity: Purchases or sells energy, capacity, and necessary reliability-related services as required.
Market Operator: Interface point for reliability functions with commercial functions.
Load-Serving Entity: Secures energy and transmission service (and reliability-related services) to serve the End-use Customer.
Reliability and Market Interface Principles
Applicable Reliability Principles (Check box for all that apply.)
1. Interconnected bulk power systems shall be planned and operated in a coordinated
manner to perform reliably under normal and abnormal conditions as defined in the
NERC Standards.
2. The frequency and voltage of interconnected bulk power systems shall be controlled
within defined limits through the balancing of real and reactive power supply and
demand.
3. Information necessary for the planning and operation of interconnected bulk power
systems shall be made available to those entities responsible for planning and
operating the systems reliably.
4. Plans for emergency operation and system restoration of interconnected bulk power
systems shall be developed, coordinated, maintained and implemented.
5. Facilities for communication, monitoring and control shall be provided, used and
maintained for the reliability of interconnected bulk power systems.
6. Personnel responsible for planning and operating interconnected bulk power systems
shall be trained, qualified, and have the responsibility and authority to implement
actions.
7. The security of the interconnected bulk power systems shall be assessed, monitored
and maintained on a wide area basis.
8. Bulk power systems shall be protected from malicious physical or cyber attacks.
Does the proposed Standard comply with all of the following Market Interface
Principles? (Select ‘yes’ or ‘no’ from the drop-down box.)
1. A reliability standard shall not give any market participant an unfair competitive
advantage. Yes
2. A reliability standard shall neither mandate nor prohibit any specific market structure. Yes
3. A reliability standard shall not preclude market solutions to achieving compliance with that
standard. Yes
4. A reliability standard shall not require the public disclosure of commercially sensitive
information. All market participants shall have equal opportunity to access commercially
non-sensitive information that is required for compliance with reliability standards. Yes
Related Standards
Standard No.: Explanation
COM-003-1: Operations Communications Protocols – this standard may include some requirements that require coordination with the requirements addressed in this project. (still in standard development stage)
IRO-014-1: R1.1.1, footnote 1 lists sabotage. The standard drafting team should consider this reference and the impact of their work on this specific item.
TOP-005-1.1: Attachment 1, item 2.9 is “Multi-site sabotage”. The standard drafting team should consider this reference and the impact of their work on this specific item.
Related SARs
SAR ID
Explanation
Regional Variances
Region
Explanation
ERCOT
FRCC
MRO
NPCC
SERC
RFC
SPP
WECC
Issues to be Considered by Drafting Team
Project 2009-01 — Disturbance and Sabotage Reporting
Standard #: CIP-001-0
Title: Sabotage Reporting
Issues
FERC Order 693
Disposition: Approved with modifications
Consider the need for wider application of the standard. Consider
whether separate, less burdensome requirements for smaller entities
may be appropriate.
Define “sabotage” and provide guidance on triggering events that would
cause an entity to report an event.
In the interim, provide advice to entities about the reporting of particular
circumstances as they arise.
Consider FirstEnergy’s suggestions to differentiate between cyber and
physical security sabotage and develop a threshold of materiality.
Incorporate a periodic review or updating of the sabotage reporting
procedures and for their periodic testing. Consider a staggered schedule
of annual testing and formal review every two to three years.
Include a requirement to report a sabotage event to the proper
government authorities. Develop the language to specifically implement
this directive.
Explore ways to reduce redundant reporting, including central
coordination of sabotage reports and a uniform reporting format.
V0 Industry Comments
Object to multi-site requirement
Definition of sabotage required
VRF comments
Adequate procedures will insure it is unlikely to lead to bulk electric
system instability, separation, or cascading failures.
Other
Modify standard to conform to the latest version of NERC’s Reliability
Standards Development Procedure, the NERC Standard Drafting Team
Guidelines, and the ERO Rules of Procedure.
NERC Audit and Observation Team
Applicability — How does this standard pertain to Load Serving Entities,
LSE's.
Registered Entities have sabotage reporting processes and procedures in
place but not all personnel have been trained.
Question: How do you “and make the operator aware”
R4 — "What is meant by: “establish contact with the FBI”. Is a phone
number adequate? Many entities which call the FBI are referred back to
the local authority. The AOT noted that on the FBI website it states to
contact the local authorities. Is this a question for Homeland Security to
deal with for us?"
R4 — Establish communications contacts, as applicable with local FBI and
RCMP officials. Some entities are very remote and the sheriff is the only
local authority; does the FBI still need to be contacted?
FERC’s December 20, 2007 and April 4, 2008 Orders in Docket Nos. RC07-004-000, RC07-6-000, and RC07-7-000
In FERC’s December 20, 2007 Order, the Commission reversed NERC’s
Compliance Registry decisions with respect to three load serving entities
in the ReliabilityFirst (RFC) footprint. The distinguishing feature of these
three LSEs is that none owned physical assets. Both NERC and RFC
assert that there will be a “reliability gap” if retail marketers are not
registered as LSEs. To avoid a possible gap, a consistent, uniform
approach to ensure that appropriate Reliability Standards and associated
requirements are applied to retail marketers must be applied. Each
drafting team responsible for reliability standards applicable to LSEs is to
review and change as necessary, requirements in the applicable reliability
standards to address the issues surrounding accountability for loads
served by retail marketers/suppliers. For additional information see:
FERC’s December 20, 2007 Order
(http://www.nerc.com/files/LSE_decision_order.pdf )
NERC’s March 4, 2008
(http://www.nerc.com/files/FinalFiledLSE3408.pdf ),
FERC’s April 4, 2008 Order
(http://www.nerc.com/files/AcceptLSECompFiling-040408.pdf ) and
NERC’s July 31, 2008 (http://www.nerc.com/files/FinalFiledCompFiling-LSE-07312008.pdf ) compliance filings to FERC on this
subject.
Issues to be Considered by Drafting Team
Project 2009-01 — Disturbance and Sabotage Reporting
Standard #: EOP-004-1
Title: Disturbance Reporting
Issues
FERC Order 693
Disposition: Approved with modification
Include any requirements for users, owners, and operators of the bulk
power system to provide data that will assist NERC in the investigation of
a blackout or disturbance.
Change NERC’s Rules of Procedure to assure the Commission receives
these reports in the same frame as the DOE.
Consider APPA’s concern about generator operators and LSEs analyzing
performance of their equipment and provide data and information on the
equipment to assist others with analysis.
Consider all comments offered in a future modification of the reliability
standard.
Fill-in-the-Blank Team Comments
Consider changes to R1 and R3.4 to standardize the disturbance
reporting requirements (requirements for disturbance reporting need to
be added to this standard)
Regions currently have procedures, but not in the form of a standard.
The drafting team will need to review regional requirements to determine
reporting requirements for the North American standard.
V0 Industry Comments
R3 – too many reports, narrow requirement to RC
How does this apply to generator operator?
Other
Modify standard to conform to the latest version of NERC’s Reliability
Standards Development Procedure, the NERC Standard Drafting Team
Guidelines, and the ERO Rules of Procedure.
NERC Audit and Observation Team
R3.1 — Can there be a violation without an event?
Event Analysis Team
Reliability Issue: Coordination and follow up on lessons learned from
event analyses. Consider adding to EOP-004 – Disturbance Reporting.
Proposed requirement: Regional Entities (REs) shall work together with
Reliability Coordinators, Transmission Owners, and Generation Owners to
develop an Event Analysis Process to prevent similar events from
happening and follow up with the recommendations. This process shall
be defined within the appropriate NERC Standard.
FERC’s December 20, 2007 and April 4, 2008 Orders in Docket Nos. RC07-004-000, RC07-6-000, and RC07-7-000
In FERC’s December 20, 2007 Order, the Commission reversed NERC’s
Compliance Registry decisions with respect to three load serving entities
in the ReliabilityFirst (RFC) footprint. The distinguishing feature of these
three LSEs is that none owned physical assets. Both NERC and RFC
assert that there will be a “reliability gap” if retail marketers are not
registered as LSEs. To avoid a possible gap, a consistent, uniform
approach to ensure that appropriate Reliability Standards and associated
requirements are applied to retail marketers must be applied. Each
drafting team responsible for reliability standards applicable to LSEs is to
review and change as necessary, requirements in the applicable reliability
standards to address the issues surrounding accountability for loads
served by retail marketers/suppliers. For additional information see:
FERC’s December 20, 2007 Order
(http://www.nerc.com/files/LSE_decision_order.pdf )
NERC’s March 4, 2008
(http://www.nerc.com/files/FinalFiledLSE3408.pdf ),
FERC’s April 4, 2008 Order
(http://www.nerc.com/files/AcceptLSECompFiling-040408.pdf ) and
NERC’s July 31, 2008 (http://www.nerc.com/files/FinalFiledCompFiling-LSE-07312008.pdf ) compliance filings to FERC on this
subject.
Consideration of Comments on Project 2009-01 — SAR for Disturbance and Sabotage Reporting
Comments received on Project 2009-01 — Disturbance and Sabotage Reporting
The Disturbance and Sabotage Reporting Standard Drafting Team (DSR SDT) received many suggestions for
improvements to the standards during the SAR comment period. These comments do not indicate any revisions to
the SAR, but the DSR SDT thought that these comments merited further consideration during the standard drafting
phase of the project. The comments below are being compiled for use by the Standard Development Team.
Organization
Electric Market Policy
Comment
Comments: Agree with the statement that sabotage is hard to determine in real time by operations staffs. The
determination of sabotage should be left up to law enforcement. They have the knowledge and peer contacts needed to
adequately determine whether physical or cyber intrusions are merely malicious acts or coordinated efforts (sabotage).
The operators should only be required to report physical and cyber intrusions to law enforcement. All other reporting
requirements should apply to law enforcement once a determination of sabotage has been made. If the recommendations
above are not to be accepted, then we have the following comments:
CIP-001-1
1) R1 states entities shall have procedures for the recognition of and for making their operating personnel aware of
sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection. The SAR notes
that the industry objects to the multi-site requirement, most likely because the term is ambiguous. If this term remains in
the standard, it needs to be clearly defined and responsibilities for obtaining (how do you get this information and from
whom?) and distributing need to be included.
2) R1 audits have shown confusion over the requirement to make operating personnel aware of sabotage events. The
term operating personnel needs to be defined. Are they the individuals responsible for operating the facility, coordinating
with other entities (i.e., RC, BA, TOP, GOP, and LSE)? It has been suggested that notification is required to all personnel
at a facility. Keep in mind the purpose of the standard is to ensure sabotage events are properly reported, not to address
emergency response.
3) R1 The SAR (NERC Audit and Observation Team) notes that Registered Entities have processes and procedures in
place, but not all personnel have been trained. There is no specific training requirement in the standard.
4) R2 & R3 I agree with the SAR that sabotage needs to be defined and these requirements should be more specific with
respect to the information to be communicated. It seems to me that the standard should mirror the criteria contained in
DOE OE-417. The emphasis should be placed on ensuring that the same information communicated to DOE is shared
with the appropriate parties in the Interconnection.
5) R4 I agree with the SAR (NERC Audit and Observation Team) comments regarding the intention of this requirement.
There is no language that directs contact with FBI or RCMP although that is what is implied by the Purpose statement.
6) VRF Comments I’m not sure what is intended by the statement Adequate procedures will insure it is unlikely to lead to
bulk electric system instability, separation, or cascading failures? The purpose of the standard is that of communication.
No operational decisions or actions are directed by this standard, nor does it require entities to address operational
aspects resulting from sabotage.
7) The potential exists for overlapping sabotage reporting requirements at nuclear power plants due to multiple regulators
(Nuclear Regulatory Commission (NRC) 10 CFR 73 and Federal Energy Regulatory Commission (FERC) NUC-001-1).
Some entities may have revised existing NRC driven procedures to accommodate reporting requirements of both
regulators. Because of the restrictions placed on NRC driven documents (i.e., procedures are classified as safeguards
information), it can be difficult to demonstrate compliance to NERC and/or FERC without ensuring that the individuals are
qualified for receipt of such information per 10 CFR 73. Additionally, multiple procedures may have the unintended
consequence of delaying appropriate communication.
EOP-004-1
Consider removing Attachment 2 as the information is
duplicated in DOE Form OE-417. A simple reference to the form should suffice.
Lands Energy
Consulting
I have worked with 5 Northwest public utilities on developing procedures related to CIP-001-1 and EOP-004-1. All 5
utilities operate electric systems in fairly remote locations and are embedded in a larger utility's Balancing
Authority/Transmission Operator area.
A. CIP-001-1 - Developing procedures to unambiguously identify acts of sabotage has been particularly challenging for
these systems. In general, it's hard for them to determine whether the most prevalent forms of malicious and intentional
system damage that they incur - copper theft and gun shot insulators/equipment - should qualify as acts of sabotage.
Although none of the systems consider copper theft to be acts of sabotage, two of the systems consider gun shot
insulators/equipment to be acts of sabotage. The other systems look for intent to disrupt electric system operations as a
key component of their sabotage identification procedures. Additional guidance from NERC in the form of CIP-001-1
modifications or a companion guidelines document on sabotage identification would provide much needed guidance for
these procedures.
B. EOP-004-1 - This standard was clearly drafted with the larger electric systems in mind. I have one client that serves
3300 commercial/residential customers from 4-115/13 kV substation transformers and one large industrial customer (80%
of its energy load) from a 230/13 kV substation. 75% of the client's load is served from three substations attached to a
long, 115 kV transmission line operated by the Bonneville Power Administration. Whenever the line relays open on a
permanent fault (which happens 2-3 times per year), the client loses over 50% of its customers (but no more than 10-15
MW during winter peak), thereby necessitating the preparation of a Disturbance Report. To allow utilities to concentrate
on operating their systems, without fear of violating EOP-004-1 for failure to report trivial outages, I would remove LSEs
from the obligation to report disturbances - leave the reporting to the BA/TOP for large outages in their footprint.
Calpine Corporation
Communication of facility status or emergencies between merchant generators registered as GOP and the RC, BA, GOP,
or LSE in which the facility resides should be coordinated for EOP-004 reporting. The reporting to NERC/DOE should
come from the RC, BA, GOP, or LSE.
Covanta
Yes - the key to Sabotage reporting requirements is identifying what the 'definition' is of an actual or potential 'Sabotage'
event. Like any other standard, if FERC/NERC leave it up to 2000+ entities to establish their own definitions of
'Sabotage', you may likely get 2000+ answers. That is not a controlled and coordinated approach. I offer the following
definition, "Sabotage - Deliberate or malicious destruction of property, obstruction of normal operations, or injury to
personnel by outside agents." Examples of sabotage events could include, but are not limited to, suspicious packages left
near site electrical generating or electrical transmission assets, identified destruction of generating assets, telephone/e-mail
received threats to destroy or interrupt electrical generating efforts, etc." These have passed multiple NERC regional
audits and reviews to date.
Northeast Power
Coordinating Council
The SAR needs to be more specific in defining its objectives.
CIP-001 Requirement R1 currently states:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving
Entity shall have procedures for the recognition of and for making their operating personnel aware of sabotage events on
its facilities and multi-site sabotage affecting larger portions of the Interconnection.
The SDT needs to include the following objectives:
1. Develop clear definitions for the terms “operating personnel” and “sabotage events.” The definition of “operating
personnel,” should be clarified and limited to staff at BES facilities. Operating personnel should report only those events
which meet a clear, recognizable threshold as reportable potential sabotage events. There should be a consistent
continent-wide list of examples or typical reportable and non-reportable events to help guide operating personnel. The
term “sabotage event” needs to be defined. Clarification is required regarding when the determination of a sabotage event
is made, e.g., upon first observation (requiring operating personnel be educated in discerning sabotage events), or upon
later investigation by trained security personnel and law enforcement individuals. The terms potential or suspected
sabotage event for reporting purposes should be clarified or defined.
2. Define the obligations of Registered Entity operating personnel - who are required to be aware of such “sabotage
events,” e.g., who, what, where, when, why and how, and what they are to do in response to this awareness. The SDT
should clarify the use of the term “aware” in the standard. “Aware” can be interpreted in accordance with its largely
passive, dictionary-based meaning, where being “aware” simply means knowing about something, such as a sabotage
event. Alternatively, the Reliability Standard meaning of “aware” could refer to more active wording, involving more than
mere awareness, e.g., “alert and quick to respond,” pointing to and requiring a specific affirmative response, i.e., reporting
to the appropriate systems, governmental agencies, and regulatory bodies.
EOP-004 - The SDT needs to work on the following areas.
1. NERC reporting needs to be clarified. For example, Attachment 1 paragraph 6c states: Introduction “The entity on
whose system a reportable disturbance occurs shall notify NERC ... 6. Any action taken by a Generator Operator,
Transmission Operator, Balancing Authority, or Load-Serving Entity that results in: c. Failure, degradation, or misoperation
of system protection, special protection schemes, remedial action schemes, or other operating systems that do not require
operator intervention, which did result in, or could have resulted in, a system disturbance - The sense of Attachment 1 is
internally inconsistent between the introduction (“occurs”) and the required actions in 6c (could have resulted in a system
disturbance). The initial intent appears to be only to report actual system disturbances. Yet, paragraph 6c adds the phrase
“or could have resulted in” a potential system disturbance. This inconsistency should be clarified.
FirstEnergy
We agree with the scope but would also like to see the following considered:
1. References to the DOE reporting process in EOP-004 need to be revised. They currently refer to the old EIA form.
2. Besides "sabotage", it may be helpful to clearly define "vandalism". It is vaguely written in the standards. Also, the
process of "public appeals" for the DOE reportable requirements needs to be more clearly defined.
3. Consolidate documents covering reporting requirements. There are currently several documents that require reporting
(EOP-004, CIP-001, DOE OE-417, and NERC's Security Guideline for the Electricity Sector: Threat and Incident
Reporting). NERC also has the "Bulk Power System Disturbance Classification Scale" that does not completely align with
all the reporting requirements. Therefore we recommend keeping this as simple as possible by combining all the reporting
requirements into one standard. It would be beneficial to not require operators to have to go to 4 different documents to
determine what to report on.
MRO NERC Standards
Review Subcommittee
The MRO NSRS would like to keep the references to the DOE reporting form.
Cowlitz County PUD
Added to the scope:
For EOP-004 add a provision for a reporting flow rather than everything going to the RE and NERC. That is something
going like the DP and TOP reports to the BA, the BA to the RE, and the RE to NERC. This would allow for multiple related
reports to be combined into a single coherent report as the reporting goes up the chain.
For CIP-001 consider reporting flow as above with local law enforcement notification. Let an upper entity in the reporting
chain decide when to contact Federal Agencies such as the BA or the RC.
Reliant Energy
I think Generator operators should be excluded except to provide requested information from the System Operator or
Reliability coordinator.
ERCOT ISO
The scope should be modified to provide for a different treatment of reporting requirements that are administrative in
nature, or that are after-the-fact (thus cannot impact reliability unless analysis and follow-up is not performed; even then,
the impact would be at some future time). Reporting requirements which are of the nature to assist in identification of
system concerns or which serve to prevent or mitigate on-going system problems (including, but not limited to, actual or
attempted sabotage activity) should remain in standards, but should be separate and apart from the administrative
reporting.
Consolidated Edison
Co. of New York, Inc.
GENERAL CECONY and ORU support the general objectives of the SAR to merge existing standards CIP-001-1
Sabotage Reporting and EOP-004-1 Disturbance Reporting to improve clarity and remove redundancy.
However, the SAR needs to be more specific in defining its objectives.
CIP-001 Requirement R1 currently states:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving
Entity shall have procedures for the recognition of and for making their operating personnel aware of sabotage events on
its facilities and multi-site sabotage affecting larger portions of the Interconnection.
The SDT needs to include the following objectives:
1. Develop clear definitions for the terms operating personnel and sabotage events. The definition of operating personnel,
should be clarified and limited to staff at BES facilities. Operating personnel should report only those events which meet a
clear, recognizable threshold as reportable potential sabotage events. There should be a consistent continent-wide list of
examples or typical reportable and non-reportable events to help guide operating personnel. The term sabotage event
needs to be defined. Clarification is required regarding when the determination of a sabotage event is made, e.g., upon
first observation (requiring operating personnel be educated in discerning sabotage events), or upon later investigation by
trained security personnel and law enforcement individuals. The terms potential or suspected sabotage event for reporting
purposes should be clarified or defined.
2. Define the obligations of Registered Entity operating personnel - who are required to be aware of such sabotage events,
e.g., who, what, where, when, why and how, and what they are to do in response to this awareness. The SDT should
clarify the use of the term aware in the standard. Aware can be interpreted in accordance with its largely passive,
dictionary-based meaning, where being aware simply means knowing about something, such as a sabotage event.
Alternatively, the Reliability Standard meaning of aware could refer to more active wording, involving more than mere
awareness, e.g., alert and quick to respond, pointing to and requiring a specific affirmative response, i.e., reporting to the
appropriate systems, governmental agencies, and regulatory bodies.
EOP-004 - The SDT needs to work on the following areas.
1. NERC reporting needs to be clarified. For example, Attachment 1 paragraph 6c states:
Introduction The entity on whose system a reportable disturbance occurs shall notify NERC ... 6. Any action taken by a
Generator Operator, Transmission Operator, Balancing Authority, or Load-Serving Entity that results in: c. Failure,
degradation, or misoperation of system protection, special protection schemes, remedial action schemes, or other
operating systems that do not require operator intervention, which did result in, or could have resulted in, a system
disturbance.
The sense of Attachment 1 is internally inconsistent between the introduction (occurs) and the required actions in 6c
(could have resulted in a system disturbance). The initial intent appears to be only to report actual system disturbances.
Yet, paragraph 6c adds the phrase or could have resulted in a potential system disturbance. This inconsistency should be
clarified.
Georgia System
Operations Corp.
The scope of the SAR should be to move all requirements to report to NERC or Regional Entities out of the Requirements
section of all Reliability Standards to elsewhere. This does not include reporting, communicating, or coordinating between
reliability entities. The NERC/Region reporting requirements could be consolidated in another document and referenced in
the Supporting References section of the Reliability Standards. The deadlines for reporting should be changed to realistic
timeframes that do not interfere with operating the BES or responding to incidents yet still allow NERC and the Regions to
accomplish their missions.
AEP
Sabotage is a term of intent that is often determined after the fact by the registered entity and/or law enforcement officials.
In fact, it is often difficult to determine in real-time the intent of a suspicious event. We would suggest that suspicious
events become reportable at the point that the event is determined to have had sabotage intent. The entities should have
a methodology to collect evidence, to have the evidence analyzed, and to report those events that are determined to have
had the intent of sabotage.
Duke Energy
While we agree with the need for clarity in sabotage and disturbance reporting, we believe that the Standards Drafting
Team should carefully consider whether there is a reliability-related need for each requirement. Some disturbance
reporting requirements are triggered not just to assist in real-time reliability but also to identify lessons-learned
opportunities. If disturbance and sabotage reporting continue to be reliability standards, we believe that all linkages to
lessons-learned/improvements need to be stripped out. We have other forums to identify lessons-learned opportunities
and to follow-up on those opportunities. Also, requirements to report possible non-compliances should be eliminated. We
strongly support voluntary self-reporting, but not mandatory self-reporting.
NextEra Energy
Resources, LLC
The scope of the SAR should not include Generator Operators.
Luminant Power
The SAR drafting team should include in the SAR scope a review of the NRC sabotage and event reporting requirements
to ensure there are no overlapping or conflicting requirements between NERC, FERC, and the NRC. The SAR scope
should include a review of the CIP Cyber Security Standards and coordination with the CIP SDT to ensure that cyber
sabotage reporting definitions are in concert, and ensure that cyber sabotage reporting requirements are not duplicated in
multiple standards.
Illinois Municipal
Electric Agency
A one-stop reporting tool/site would facilitate efficient reporting and compliance; e.g., further development of the ESISAC/CIPIS to include all reportable categories and automatic notification of required parties. A single report form would
be best.
AEP
The current reporting process necessitates multiple reports be sent to multiple parties, which is inefficient and may,
inadvertently, result in alignment issues between the separate reports. We would recommend that a single report that
combines NERC (CIPIS) and NERC ESISAC information be provided to NERC (CIPIS) that is systematically
(programmatically) forwarded to all necessary entities. Further, updates to incidents would also go through NERC with the
same electronic processing. Currently, we are not aware of a formal method to report incidents to the FBI, which should
be also included in the distribution. The current reporting mechanism to the FBI JTTF is by telephone and the NERC
platform described would provide more consistent reporting.
Kansas City Power &
Light
Do not agree Load Serving Entities need to continue to be included for sabotage. According to the NERC Functional Model,
an LSE provides for estimating customer load and provides for the acquisition of transmission and energy to meet
customer load demand. An LSE has no real impact on maintaining the reliability of electric network short of their planning
function. Unfortunately, an LSE needs to be included for disturbance reporting to the DOE under certain conditions for
loss of customer load. This may be a reason to maintain a separation of CIP-001 and EOP-004 so as not to unnecessarily
include an LSE when it is not needed.
Electric Market Policy
Applicability should not apply to LSE unless they have physical assets. If they do not have such assets, they are unable to
determine how many customers are out, how much load was lost or the duration of an outage. We continue to question
the need for the LSE entity in reliability standards. End use customer load is either connected to transmission or
distribution facilities. So, the applicable planner has to plan for that load when designing its facilities or the load will not
have reliable service. To the extent that energy and capacity for that load is supplied by an entity other than the TO or DP,
the TO or DP should have interconnection requirements that compel the supplier to provide any and all data necessary to
meet the requirements of reliability standards.
Lands Energy
Consulting
CIP-001-1 - Yes. In many cases, the staff of an LSE embedded in another entity's BA/TOP area is more likely to discover
an act of sabotage directed toward a BA/TOP-owned facility that could affect the BES than the asset owner. This is
because the LSE likely has more operating staff in the area. I have included a requirement in my clients' Sabotage
Identification and Reporting Procedures that the client treat acts of sabotage to a third party's system discovered by client
employees as though the act was directed toward client facilities. EOP-004-1 - As mentioned before, I would eliminate the
LSE from the applicability list and leave the responsibility for disturbance reporting and response to the TOP/BA.
However, I would retain a responsibility for the LSEs to cooperate (when requested) with any disturbance investigation.
Calpine Corporation
The reporting requirements of EOP-004 are needed for the RC, BA, LSE and the GOP that operates or controls
generation in a system as defined by NERC. (System - A combination of generation, transmission, and distribution
components). A disturbance is described as an unplanned event that produces an abnormal system condition, any
perturbation to the electric system, and the unexpected change in ACE that is caused by the sudden failure of generation
or interruption of load. The GOP operating/controlling generation within a system has the ability to analyze system
conditions to determine if reporting is necessary. A NERC registered GOP that is a merchant generator within another
company’s system does not have the ability for a wide area view and cannot analyze system conditions beyond the
interconnection point of the facility. Moreover, in most cases the reporting requirements outlined in the Interconnection
Reliability Operating Limits and Preliminary Disturbance Report do not apply to the merchant generator that is not a
generation only BA. The applicability of the standard does encompass the true merchant generation entities required to
register as GOP. Similarly, the OE-417 table 1 reporting requirements generally do not apply to a true merchant
generating entity that is required to register as a GOP.
Covanta
It would be a welcome enhancement to the end users to understand the communication link between all "appropriate
parties" who shall be notified of potential or actual sabotage events.... which also needs to be defined.
Reliant Energy
EOP-004-1 should exclude the generator operator from disturbance reporting except providing the system operator or
reliability coordinator with appropriate unit operation information upon request. Acts of sabotage should be identified
clearly and reported to the indicated authorities.
Texas Regional Entity
Add GO and TO to the list of applicability. The intent of CIP-001-1 when it was first written was to have the proper and
most likely entities associated directly with operations to be the ones to begin the reporting process in the case of
sabotage on the system. In the ERCOT Region and other regions in the US, the GOP may not be physically located at
the site. The GOP is often removed from the minute-by-minute responsibilities of plant operations and, therefore, may be
less able to react to physical sabotage at the location/plant/facility in a timely manner. The concern is that, in the case of
an actual sabotage event, the failure to report to the appropriate authorities in a timely manner may jeopardize the
reliability of the BPS. Therefore, the Generator Owner (GO) should be added to the list of applicability for CIP-001-1,
because it is the GO that is more likely to be on location at the generation site and thus aware of sabotage when it first
occurs. This would disallow for any possible communication gap and put responsibility on all of the appropriate entities to
report such an event. Additionally, and for the same reasons as adding the GO, the Transmission Owner (TO) should also
be added to the list of applicability for reporting sabotage on its facilities.
Exelon
CIP-001, remove LSE's from the standard for the reasons identified in the FERC LSE order. Add TO and DP. EOP-004,
remove LSE's from the standard for the reasons identified in the FERC LSE order. Remove RRO's, they are not a user,
owner, operator of the BES. Add DP or TO. Consider conditional applicability as in the UFLS standards, " the TO or DP
who performs the functions specified in the standard..."
ERCOT ISO
The Regional Reliability Organization is not a registered Functional Entity in the NERC registry. The applicability must be
revised to more appropriately assign the requirements to registered functional entities. Also, the industry needs to
recognize that there are other resources than generation for which the operators need to be included. Perhaps a demand-side resource should have a resource operator. This particular SAR may not be the appropriate venue for this, but control
of resources which can be used to mitigate sabotage events or disturbance events may need to be addressed.
AEP
We would recommend that the Load Serving Entity (LSE) be removed from both standards, and that the Generator Owner
and Transmission Owner be added to the resulting standard.
NextEra Energy
Resources, LLC
The scope of the proposed SAR should not include the Generator Operator.
PSEG Enterprise
Group Inc Companies
The PSEG Companies ask that the drafting team allow sufficient flexibility for sabotage recognition and reporting
requirements such that nothing precludes utilizing a single corporate-wide program for both bulk electric system assets
and other businesses. PSEG's Sabotage Recognition, Response and Reporting Program is directed to all business areas
which are directed to follow the same internal protocol that also satisfies the NERC Standards requirements. For
example, for gas assets, PSEG's gas distribution business follows the PSEG corporate-wide program for sabotage
recognition and response. PSEG agrees that some modifications should be made to CIP-001 (ex. better define or give
examples of sabotage) and EOP-004 to make them clearer. If they are merged, then Sabotage will not be in the title (or
the primary focus) because several of the Disturbances that reporting is required for in EOP-004 have nothing to do with
sabotage. EOP-004 has criteria listed in 4 places to determine when to send a report:
o Criteria listed in EOP-004 Attachment 1
o Criteria listed in EOP-004 Attachment 2
o Criteria listed in top portion of Table 1-EOP-004
o Criteria listed in bottom portion of Table 1-EOP-004
Therefore, it would be much easier if there was one table of criteria for reference that addressed all of the reportable
conditions and all of the applicable reports. If the 2 standards are merged as suggested in the SAR, any differences in the
reporting obligation for actual or attempted sabotage and reporting of disturbances must be clear.
FirstEnergy
2. As pointed out by the NERC Audit and Observation Team in the "Issues to be considered" for CIP-001, clarification is
needed regarding contacting the FBI. Prior audits dwelled heavily on FBI notification. For example, our policy states that
Corporate Security notifies the FBI. In recent events it appears that local law enforcement handles day to day activities.
The notification process for contacting the FBI needs clarification along with specific instances in which to call them. Who
should make the call to the FBI? It appears that a protocol needs to be developed to clarify what events require notifying
the FBI. It could be as simple as after an incident a standard form is completed and forwarded to the FBI, letting them
decide if follow up is needed.
3. We suggest aligning all reporting requirements for consistency. The items requiring reporting and the timelines to report
are very inconsistent between NERC and the DOE. NERC's timelines are also not consistent with their own Security
Guideline for the Electricity Sector: Threat and Incident Reporting.
MRO NERC Standards
Review Subcommittee
B. CIP-001-1 and EOP-004-1 should be combined into one EOP Standard.
Lands Energy
Consulting
One final comment on CIP-001-1. My clients received universally rude treatment from the FBI field offices when they
attempted to establish the contacts required by the Standard. If the FBI doesn't see value in establishing these contacts,
remove the requirement from the Standard. Making sure the LSE knows the FBI field office phone number is probably all
the Standard should require.
Colmac Clarion
Need single report for Sabotage so whatever is required results in notification of all parties (State Emergency
Management, Homeland Security, FBI, Grid Reliability Chain of Command). Any and all of these can 'expand' knowledge
later but all seem to require 'instant' notification.
Cowlitz County PUD
Local Law enforcement agencies often are not friendly to Federal involvement with smaller problems they consider their
"turf." Need to make sure the small stuff stays with them, however have a system of internal reporting that will catch
coordinated sabotage efforts (multiple attacks on DPs and small BAs) at the RC or RE level who then can report to the
Federal agencies. Currently EOP-004-1 requires small entities to report a "disturbance" if half of their firm customer load
is lost. For some entities, this can be one small substation going down due to a bird. The "50% of total demand"
requirement should be removed or improved to better define a true BPS disturbance.
C. Within EOP-004-1 there is industry confusion on what form to submit in the event of an event. There should only be
one form for the new combination Standard eliminating the need for reporting form attachments. It should be the DOE
Form, OE-417. Although it is beyond the scope of this SAR, it would greatly benefit industry if there was a central location
on the NERC website containing ALL reporting forms, including FERC, NERC, DOE, and ESIAC. This would enable the
System Operators to efficiently locate the most current version of the appropriate form in order to report events.
ERCOT ISO
Due to the fact that both the CIP-001-1 and EOP-004-1 have similar reporting standards, initially combining the two
sounds like a correct analysis. However, after further consideration and due to the critical nature of its intended function
involving Security aspects, the CIP-001 should be intensely evaluated to determine if its intended purpose meets the
threshold or criteria to stand alone. The existing standards for CIP-001-1 Sabotage Reporting may help prevent future
mitigation actions caused by sabotage events. EOP-004-1 Disturbance Reporting is administrative in nature, thus the
jeopardy of the Bulk Electric System reliability is impacted only if analysis is not performed or if corrective follow-up actions
are not implemented. Combining EOP-004 Standard requirements under the umbrella of the CIP-001 Standard would
create a high profile Disturbance Reporting Standard. The industry would be better served if information defining
sabotage was provided as well as a technical reference document on recognizing sabotage that would also clarify or state
any personnel training requirements. All aspects of the intended functions must be reviewed before merging the two
standards. At a minimum, we must consider modification that provides improved understanding of the reporting standards
and implications as they are currently written.
MidAmerican Energy
Conflicting time frames exist from document updates. Reporting should be consolidated to one form and / or site to
minimize conflicts, confusion, and errors. 1) Reporting requirements for the outage of 50,000 or more customers in EOP-004-1 requires a report to be made within one hour while the form OE-417 requires a report be made within six hours of
the outage. The six hour reference on the updated OE-417 form is the correct reference. 2) Reporting for either CIP-001
or EOP-004 should center on the DOE Form OE-417. This would eliminate confusion and simplify reporting for system
operators thereby directly enhancing reliability during system events. This would also eliminate much of the duplicate
material and attachments in EOP-004. 3) Although it is beyond the scope of this SAR, the industry would benefit if there
was a central location or link on the NERC website containing all reporting forms, including FERC, NERC, DOE, and
ESIAC. This would enable System Operators to more efficiently locate and report events.
Illinois Municipal
Electric Agency
IMEA recommends the following considerations: Simplification of reportable events and the reporting process should be
the overriding objective. NERC's Security Guideline for the Electricity Sector: Threat and Incident Reporting (Version 2.0)
should be updated to support this standards development initiative. At some point in the process, it may help if examples
are given of events actually reported that did not need to be reported.
August 13, 2009
Unofficial Nomination Form for Standard Drafting Team for Disturbance and
Sabotage Reporting (Project 2009-01)
Please DO NOT use this form. Please use the electronic nomination form located at the link below.
If you have any questions, please contact Stephen Crutchfield at stephen.crutchfield@nerc.net or by
telephone at 609-651-9455.
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
By submitting the following information you are indicating your commitment to
actively participate in (including physically attending face-to-face) Standard Drafting
Team meetings if appointed to the Standard Drafting Team by the Standards
Committee.
Name:
Organization:
Address:
Telephone:
E-mail:
Project 2009-01 Disturbance and Sabotage Reporting will entail revising existing standards CIP-001
— Sabotage Reporting and EOP-004 — Disturbance Reporting to eliminate redundancies and provide clarity
on sabotage events. The project includes addressing several issues identified by stakeholders, FERC
directives from Order 693, and may include improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality, enforceable
and technically sufficient bulk power system reliability standards.
Please briefly describe (no more than a couple of paragraphs) your experience and qualifications directly
related to the issues to be addressed by the Disturbance and Sabotage Reporting Standard Drafting Team.
We are seeking a cross section of the industry to participate on the team, but in particular are seeking
individuals with experience in management of real-time bulk power operations activities. Please include any
previous experience related to developing or applying IEEE or other industry related standards as this type
of experience might be beneficial to include on the team, but is not a requisite to be appointed to the team.
Are you currently a member of any NERC or Regional Entity
SAR or standard drafting team? If yes, please list each
team here.
No
Yes:
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
Have you previously worked on any NERC or Regional
Entity SAR or standard drafting teams? If yes, please list
them here.
No
Yes:
Please identify the NERC Region(s) for
which you are able to represent your
company’s position relative to the topics
addressed in the SAR:
ERCOT
FRCC
MRO
NPCC
RFC
SERC
SPP
WECC
Not Applicable or None of the Above
Please identify the Industry Segment(s) for which you are able to
represent your company’s position relative to the topics
addressed in the SAR:
1 — Transmission Owners
2 — RTOs and ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, and Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations and Regional Entities
Not applicable
Please identify the Functional Entities 1 for which you are able to represent your company’s position relative
to the topics addressed in the SAR:
Balancing Authority
Planning Coordinator
Compliance Enforcement Authority
Transmission Operator
Distribution Provider
Transmission Owner
Generator Operator
Transmission Planner
Generator Owner
Transmission Service Provider
Interchange Authority
Purchasing-selling Entity
Load-serving Entity
Resource Planner
Market Operator
Reliability Coordinator
1 These functions are defined in the NERC Functional Model, which is available on the NERC Web site.
Please provide the names and contact information for two references who could attest to your
technical qualifications and your ability to work well in a group. NERC staff may contact these
references.
Name and Title:
Office
Telephone:
Organization:
E-mail:
Name and Title:
Office
Telephone:
Organization:
E-mail:
Standards Announcement
Nomination Period Opens for Standard Drafting Team
September 16-30, 2009
Now available at: http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Project 2009-01: Disturbance and Sabotage Reporting
The Standards Committee is seeking industry experts to serve on the Disturbance and Sabotage Reporting
Standard Drafting Team. The nomination period is open until September 30, 2009.
Instructions
If you are interested in serving on this standard drafting team, please complete the following electronic
nomination form: https://www.nerc.net/nercsurvey/Survey.aspx?s=ba96a1dc8506404889e26d05aaf490c6 .
Please contact Dave Taylor at david.taylor@nerc.net or 609-651-5089 with any questions about the team.
Project Background
Project 2009-01 — Disturbance and Sabotage Reporting will entail revising existing standards CIP-001-1 —
Sabotage Reporting and EOP-004-1 — Disturbance Reporting to eliminate redundancies and provide clarity on
sabotage events. The project includes addressing several issues identified by stakeholders, FERC directives
from Order 693, and may include improvements to the standards deemed appropriate by the drafting team, with
the consensus of stakeholders, consistent with establishing high quality, enforceable and technically sufficient
bulk power system reliability standards.
More information about the project is available on the following page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Standards Development Process
The Reliability Standards Development Procedure contains all the procedures governing the standards
development process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance,
please contact Shaun Streeter at shaun.streeter@nerc.net or at 609.452.8060.
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01)
Reporting Concepts
Introduction
The SAR for Project 2009-01 Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and is
progressing toward developing standards based on the SAR. This concepts paper is designed to
solicit stakeholder input regarding the proposed reporting concepts that the DSR SDT has
developed.
The standards listed under the SAR are:
CIP-001 — Sabotage Reporting
EOP-004 — Disturbance Reporting
The DSR SDT is also proposing to investigate incorporation of the cyber incident reporting
aspects of CIP-008 under this project. This will be coordinated with the Cyber Security — Order
706 Standard Drafting Team (Project 2008-06).
The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database
and FERC Order 693 Directives to determine a prudent course of action with respect to these
standards.
This concept paper provides stakeholders with a proposed “road map” that will be used by the
DSR SDT in updating or revising CIP-001 and EOP-004. This concept paper provides the
background information and thought process of the DSR SDT.
The proposed changes do not include any real-time operating notifications for the types of events
covered by CIP-001 and EOP-004. The real-time reporting requirements are achieved through
the RCIS and are covered in other standards (e.g. TOP). The proposed standards deal
exclusively with after-the-fact reporting.
The DSR SDT is proposing to consolidate disturbance and event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard Will:
- Require use of a single form to report disturbances and “impact events” that
threaten the reliability of the bulk electric system
- Provide clear criteria for reporting
- Include consistent reporting timelines
- Identify appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
- Provide clarity around who will receive the information
The drafting team will explore other opportunities for efficiency, such as development of an
electronic form and possible inclusion of regional reporting requirements
Discussion of Disturbance Reporting
Disturbance reporting requirements currently exist in EOP-004. The current approved definition
of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria are in the existing EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and will
consider guidance found in the document “NERC Guideline: Threat and Incident Reporting” in
the development of requirements, which will include clear criteria for reporting. The new/revised
standard will specify who has access to reported information about disturbances.
The DSR SDT is considering developing a reporting hierarchy that requires the Reliability
Coordinator (RC) to submit the disturbance report. Any entity (Distribution Provider, Load-Serving Entity, Generator Operator) that experiences a disturbance would report the appropriate
information to the Transmission Operator or Balancing Authority (if applicable) who would then
report to the RC. The RC would then submit the report to NERC, the affected Regional Entity
(RE) and/or Department of Energy (DOE) as appropriate. By having the RC submit the report,
situational awareness would be enhanced. All affected entities would be aware of the
disturbance and relevant information. Also, the flow of information between entities would be
enhanced and a more comprehensive report could be developed.
Discussion of “Impact Event” Reporting
There are situations worthy of reporting because they have the potential to impact reliability.
The DSR SDT proposes calling such incidents ‘impact events’ with the following definition:
An impact event is any situation that has the potential to significantly impact the
reliability of the Bulk Electric System. Such events may originate from malicious intent,
accidental behavior, or natural occurrences.
March 17, 2010
Impact event reporting facilitates situational awareness, which allows potentially impacted
parties to prepare for and possibly mitigate the reliability risk. It also provides the raw material,
in the case of certain potential reliability threats, to see emerging patterns.
Examples of impact events include:
Bolts removed from transmission line structures
Detection of cyber intrusion that meets criteria of CIP-008
Forced intrusion attempt at a substation
Train derailment near a transmission right-of-way
Destruction of Bulk Electrical System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electrical System using the impact event
categorization, it will be easier to get the relevant information for mitigation, awareness, and
tracking, while removing the distracting element of motivation.
The DSR SDT discussed the reliability needs for impact event reporting and will consider
guidance found in the document “NERC Guideline: Threat and Incident Reporting” in the
development of requirements, which will include clear criteria for reporting.
Certain types of impact events should be reported to NERC, the Department of Homeland
Security (DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law
enforcement. Other types of impact events may have different reporting requirements. For
example, an impact event that is related to copper theft may only need to be reported to the local
law enforcement authorities. The new standard will specify who has access to reported
information about impact events.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. As envisioned, the standard will only require
functional entities to report the incidents and provide information or data necessary for these
analyses. Other entities (e.g., NERC, law enforcement, etc.) will be responsible for performing
the analyses. The NERC Rules of Procedure (section 800) provide an overview of the
responsibilities of the ERO with regard to analysis and dissemination of information for reliability.
Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial Regulators,
and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The goal of the DSR SDT is to have one reporting form for all functional entities (US, Canada,
Mexico) to submit to NERC. Ultimately, it may make sense to develop an electronic version to
expedite completion, sharing and storage. Ideally, entities would complete a single form which
could then be distributed to jurisdictional agencies and functional entities as appropriate.
Specific reporting forms 1 that exist today (e.g., OE-417) could be included as part of the
electronic form to accommodate US entities with a requirement to submit the form, or may be
removed (but still be mandatory for US entities under Public Law 93-275) to streamline the
proposed consolidated reliability standard for all North American entities (US, Canada, Mexico).
Jurisdictional agencies may include DHS, FBI, NERC, RE, FERC, Provincial Regulators, and
DOE. Functional entities may include the RC, TOP, and BA for situational awareness.
Applicability of the standard will be determined based on the specific requirements.
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT is planning to update the listing of reportable events from
discussions with jurisdictional agencies, NERC, Regional Entities and stakeholder input. There
is a possibility that regional differences may still exist.
The reporting proposed by the DSR SDT is intended to meet the uses and purposes of NERC.
The DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information is not
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be included or attached to the NERC
report, in lieu of entering that information on the NERC report.
1 The DOE Reporting Form, OE-417, is currently a part of the EOP-004 standard. If this report is removed from the
standard, it should be noted that this form is still required by law as noted on the form: NOTICE: This report is
mandatory under Public Law 93-275. Failure to comply may result in criminal fines, civil penalties and other
sanctions as provided by law. For the sanctions and the provisions concerning the confidentiality of information
submitted on this form, see General Information portion of the instructions. Title 18 USC 1001 makes it a criminal
offense for any person knowingly and willingly to make to any Agency or Department of the United States any
false, fictitious, or fraudulent statements as to any matter within its jurisdiction.
Unofficial Comment Form for Project 2009-01 — Disturbance and Sabotage Reporting
Please DO NOT use this form to submit comments. Please use the electronic form located
at the site below to submit comments on the proposed Concepts Paper for Disturbance and
Sabotage Reporting. Comments must be submitted by April 16, 2010. If you have
questions please contact Stephen Crutchfield by email at Stephen.crutchfield@nerc.net or
by telephone at 609-651-9455.
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Background:
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance
and Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and is
progressing toward developing standards based on the SAR. The concepts paper was
developed to solicit stakeholder input regarding the proposed reporting concepts that the
DSR SDT has developed. Please review the redlined SAR and then answer the following
questions.
This initial comment period is requesting industry input on the direction herein proposed by
the DSR SDT. Should your organization feel that the direction proposed is not the direction
that should be pursued then your comments on what direction the SDT should take would
be greatly appreciated. The “concept paper” lays out the foundation for the reporting
requirements in the standard. We are not seeking input or guidance on the definition of
physical or cyber sabotage, what type of disturbances should be reported, who should do
reporting, or to whom or what organizations will be receiving the reports. All of these
points will be addressed by the SDT in later phases of the project and we will be seeking
important industry guidance at those times. The SDT does recognize the importance of all
of that data and information, but at this time, we are only seeking input on the direction of
the concepts we propose to build upon.
1. The details of reporting requirements and criteria are in the existing EOP-004 standard
and its attachments. The DSR SDT discussed the reliability needs for disturbance
reporting and will consider guidance found in the document “NERC Guideline: Threat and
Incident Reporting” in the development of requirements. Do you agree with using the
existing guidance as the foundation for disturbance reporting? Please explain your
response (yes or no) in the comment area.
Yes
No
Comments:
2. The DSR SDT is considering developing a reporting hierarchy for disturbances that
requires entities to submit information to the Reliability Coordinator and then for the
Reliability Coordinator to submit the report. Do you agree with this hierarchy concept?
Please explain your response (yes or no) in the comment area.
Yes
No
Comments:
3. The goal of the DSR SDT is to have one report form for all functional entities (US,
Canada, Mexico) to submit to NERC. Do you agree with this change? Please explain
your response (yes or no) in the comment area.
Yes
No
Comments:
4. The goal of the DSR SDT is to eliminate the need to file duplicate reports. The standards
will specify information required by NERC for reliability. To the extent that this
information is also required for other reports (e.g. DOE OE-417), those reports will be
allowed to supplement the NERC report in lieu of duplicating the entries in the NERC
report. Do you agree with this concept? Please explain your response (yes or no) in the
comment area.
Yes
No
Comments:
5. In its discussion concerning sabotage, the DSR SDT has determined that the spectrum of
all sabotage-type events is not well understood throughout the industry. In an effort to
provide clarity and guidance, the DSR SDT developed the concept of an impact event.
Developing impact events allows us to identify situations in the “gray area” where
sabotage is not clearly defined. Other types of events may need to be reported for
situational awareness and trend identification. Do you agree with this concept? Please
explain your response (yes or no) in the comment area.
Yes
No
Comments:
6. If you are aware of any regional reporting requirements beyond the scope of CIP-001,
CIP-008 and EOP-004 please provide them here.
Comments:
7. If you have any other comments on the Concepts Paper that you haven’t already
provided in response to the previous questions, please provide them here.
Comments:
Standard CIP-001-1 — Sabotage Reporting
A. Introduction
1. Title: Sabotage Reporting
2. Number: CIP-001-1
3. Purpose: Disturbances or unusual occurrences, suspected or determined to be
caused by sabotage, shall be reported to the appropriate systems, governmental
agencies, and regulatory bodies.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
5. Effective Date: January 1, 2007
B. Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the recognition of and for
making their operating personnel aware of sabotage events on its facilities and
multi-site sabotage affecting larger portions of the Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of
information concerning sabotage events to appropriate parties in the Interconnection.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall provide its operating personnel with sabotage
response guidelines, including personnel to contact, for reporting disturbances due to
sabotage events.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall establish communications contacts, as
applicable, with local Federal Bureau of Investigation (FBI) or Royal Canadian
Mounted Police (RCMP) officials and develop reporting procedures as appropriate to
their circumstances.
C. Measures
M1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request a procedure
(either electronic or hard copy) as defined in Requirement 1.
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request the procedures
or guidelines that will be used to confirm that it meets Requirements 2 and 3.
Adopted by Board of Trustees: November 1, 2006
Effective Date: January 1, 2007
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request evidence that
could include, but is not limited to procedures, policies, a letter of understanding,
communication records, or other equivalent evidence that will be used to confirm that it
has established communications contacts with the applicable, local FBI or RCMP
officials to communicate sabotage events (Requirement 4).
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Regional Reliability Organizations shall be responsible for compliance
monitoring.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to verify compliance:
- Self-certification (Conducted annually with submission according to
schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to
prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made
within 60 days of an event or complaint of noncompliance. The entity will
have up to 30 days to prepare for the investigation. An entity may request an
extension of the preparation period and the extension will be considered by
the Compliance Monitor on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Reliability Coordinator, Transmission Operator, Generator Operator,
Distribution Provider, and Load Serving Entity shall have current, in-force
documents available as evidence of compliance as specified in each of the
Measures.
If an entity is found non-compliant the entity shall keep information related to the
non-compliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance:
2.1. Level 1: There shall be a separate Level 1 non-compliance, for every one of the
following requirements that is in violation:
2.1.1 Does not have procedures for the recognition of and for making its
operating personnel aware of sabotage events (R1).
2.1.2 Does not have procedures or guidelines for the communication of
information concerning sabotage events to appropriate parties in the
Interconnection (R2).
2.1.3 Has not established communications contacts, as specified in R4.
2.2. Level 2: Not applicable.
2.3. Level 3: Has not provided its operating personnel with sabotage response
procedures or guidelines (R3).
2.4. Level 4: Not applicable.
E. Regional Differences
None indicated.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Amended
Standard EOP-004-1 — Disturbance Reporting
A. Introduction
1. Title: Disturbance Reporting
2. Number: EOP-004-1
3. Purpose: Disturbances or unusual occurrences that jeopardize the operation of the
Bulk Electric System, or result in system equipment damage or customer interruptions,
need to be studied and understood to minimize the likelihood of similar events in the
future.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Regional Reliability Organizations.
5. Effective Date: January 1, 2007
B. Requirements
R1. Each Regional Reliability Organization shall establish and maintain a Regional
reporting procedure to facilitate preparation of preliminary and final disturbance
reports.
R2. A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity shall promptly analyze Bulk Electric System
disturbances on its system or facilities.
R3. A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity experiencing a reportable incident shall provide a
preliminary written report to its Regional Reliability Organization and NERC.
R3.1. The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator or Load Serving Entity shall submit within 24
hours of the disturbance or unusual occurrence either a copy of the report
submitted to DOE, or, if no DOE report is required, a copy of the NERC
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report form. Events that are not identified until some time after they occur
shall be reported within 24 hours of being recognized.
R3.2. Applicable reporting forms are provided in Attachments 1-EOP-004 and 2-EOP-004.
R3.3. Under certain adverse conditions, e.g., severe weather, it may not be possible
to assess the damage caused by a disturbance and issue a written
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report within 24 hours. In such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator, Generator Operator, or Load
Serving Entity shall promptly notify its Regional Reliability Organization(s)
and NERC, and verbally provide as much information as is available at that
time. The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load Serving Entity shall then provide
timely, periodic verbal updates until adequate information is available to issue
a written Preliminary Disturbance Report.
R3.4. If, in the judgment of the Regional Reliability Organization, after consultation
with the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, or Load Serving Entity in which a disturbance occurred, a
final report is required, the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
shall prepare this report within 60 days. As a minimum, the final report shall
have a discussion of the events and its cause, the conclusions reached, and
recommendations to prevent recurrence of this type of event. The report shall
be subject to Regional Reliability Organization approval.
R4. When a Bulk Electric System disturbance occurs, the Regional Reliability Organization
shall make its representatives on the NERC Operating Committee and Disturbance
Analysis Working Group available to the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
immediately affected by the disturbance for the purpose of providing any needed
assistance in the investigation and to assist in the preparation of a final report.
R5. The Regional Reliability Organization shall track and review the status of all final
report recommendations at least twice each year to ensure they are being acted upon in
a timely manner. If any recommendation has not been acted on within two years, or if
Regional Reliability Organization tracking and review indicates at any time that any
recommendation is not being acted on with sufficient diligence, the Regional
Reliability Organization shall notify the NERC Planning Committee and Operating
Committee of the status of the recommendation(s) and the steps the Regional
Reliability Organization has taken to accelerate implementation.
C. Measures
M1. The Regional Reliability Organization shall have and provide upon request as
evidence, its current regional reporting procedure that is used to facilitate preparation
of preliminary and final disturbance reports. (Requirement 1)
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity that has a reportable incident shall have and provide
upon request evidence that could include, but is not limited to, the preliminary report,
computer printouts, operator logs, or other equivalent evidence that will be used to
confirm that it prepared and delivered the NERC Interconnection Reliability Operating
Limit and Preliminary Disturbance Reports to NERC within 24 hours of its recognition
as specified in Requirement 3.1.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and/or Load Serving Entity that has a reportable incident shall have and
provide upon request evidence that could include, but is not limited to, operator logs,
voice recordings or transcripts of voice recordings, electronic communications, or other
equivalent evidence that will be used to confirm that it provided information verbally
as time permitted, when system conditions precluded the preparation of a report in 24
hours. (Requirement 3.3)
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
NERC shall be responsible for compliance monitoring of the Regional Reliability
Organizations.
Regional Reliability Organizations shall be responsible for compliance monitoring
of Reliability Coordinators, Balancing Authorities, Transmission Operators,
Generator Operators, and Load-serving Entities.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to assess compliance:
- Self-certification (Conducted annually with submission according to
schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to
prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made
within 60 days of an event or complaint of noncompliance. The entity will
have up to 30 days to prepare for the investigation. An entity may request an
extension of the preparation period and the extension will be considered by
the Compliance Monitor on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Regional Reliability Organization shall have its current, in-force, regional
reporting procedure as evidence of compliance. (Measure 1)
Each Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, and/or Load Serving Entity that is either involved in a Bulk
Electric System disturbance or has a reportable incident shall keep data related to
the incident for a year from the event or for the duration of any regional
investigation, whichever is longer. (Measures 2 through 4)
If an entity is found non-compliant the entity shall keep information related to the
noncompliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
1.4. Additional Compliance Information
See Attachments:
- EOP-004 Disturbance Reporting Form
- Table 1 EOP-004
2. Levels of Non-Compliance for a Regional Reliability Organization
2.1. Level 1: Not applicable.
2.2. Level 2: Not applicable.
2.3. Level 3: Not applicable.
2.4. Level 4: No current procedure to facilitate preparation of preliminary and final
disturbance reports as specified in R1.
3. Levels of Non-Compliance for a Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator, and Load-Serving Entity:
3.1. Level 1: There shall be a level one non-compliance if any of the following
conditions exist:
3.1.1 Failed to prepare and deliver the NERC Interconnection Reliability
Operating Limit and Preliminary Disturbance Reports to NERC within 24
hours of its recognition as specified in Requirement 3.1
3.1.2 Failed to provide disturbance information verbally as time permitted,
when system conditions precluded the preparation of a report in 24 hours
as specified in R3.3
3.1.3 Failed to prepare a final report within 60 days as specified in R3.4
3.2. Level 2: Not applicable.
3.3. Level 3: Not applicable.
3.4. Level 4: Not applicable.
E. Regional Differences
None identified.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | May 23, 2005 | Fixed reference to attachments 1-EOP004-0 and 2-EOP-004-0, Changed chart title 1-FAC-004-0 to 1-EOP-004-0, Fixed title of Table 1 to read 1-EOP004-0, and fixed font. | Errata
0 | July 6, 2005 | Fixed email in Attachment 1-EOP-004-0 from info@nerc.com to esisac@nerc.com. | Errata
0 | July 26, 2005 | Fixed Header on page 8 to read EOP004-0 | Errata
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Revised
1 | March 22, 2007 | Updated Department of Energy link and references to Form OE-411 | Errata
Attachment 1-EOP-004
NERC Disturbance Report Form
Introduction
These disturbance reporting requirements apply to all Reliability Coordinators, Balancing
Authorities, Transmission Operators, Generator Operators, and Load Serving Entities, and
provide a common basis for all NERC disturbance reporting. The entity on whose system a
reportable disturbance occurs shall notify NERC and its Regional Reliability Organization of the
disturbance using the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report forms. Reports can be sent to NERC via email (esisac@nerc.com) or by
facsimile (609-452-9550) using the NERC Interconnection Reliability Operating Limit and
Preliminary Disturbance Report forms. If a disturbance is to be reported to the U.S. Department
of Energy also, the responding entity may use the DOE reporting form when reporting to NERC.
Note: All Emergency Incident and Disturbance Reports (Schedules 1 and 2) sent to DOE shall be
simultaneously sent to NERC, preferably electronically at esisac@nerc.com.
The NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Reports are
to be made for any of the following events:
1. The loss of a bulk power transmission component that significantly affects the integrity of
interconnected system operations. Generally, a disturbance report will be required if the
event results in actions such as:
a. Modification of operating procedures.
b. Modification of equipment (e.g. control systems or special protection systems) to
prevent reoccurrence of the event.
c. Identification of valuable lessons learned.
d. Identification of non-compliance with NERC standards or policies.
e. Identification of a disturbance that is beyond recognized criteria, i.e. three-phase fault
with breaker failure, etc.
f. Frequency or voltage going below the under-frequency or under-voltage load shed
points.
2. The occurrence of an interconnected system separation or system islanding or both.
3. Loss of generation by a Generator Operator, Balancing Authority, or Load-Serving Entity
– 2,000 MW or more in the Eastern Interconnection or Western Interconnection and 1,000
MW or more in the ERCOT Interconnection.
4. Equipment failures/system operational actions which result in the loss of firm system
demands for more than 15 minutes, as described below:
a. Entities with a previous year recorded peak demand of more than 3,000 MW are
required to report all such losses of firm demands totaling more than 300 MW.
b. All other entities are required to report all such losses of firm demands totaling more
than 200 MW or 50% of the total customers being supplied immediately prior to the
incident, whichever is less.
5. Firm load shedding of 100 MW or more to maintain the continuity of the bulk electric
system.
6. Any action taken by a Generator Operator, Transmission Operator, Balancing Authority, or
Load-Serving Entity that results in:
a. Sustained voltage excursions equal to or greater than ±10%, or
b. Major damage to power system components, or
c. Failure, degradation, or misoperation of system protection, special protection schemes,
remedial action schemes, or other operating systems that do not require operator
intervention, which did result in, or could have resulted in, a system disturbance as
defined by steps 1 through 5 above.
7. An Interconnection Reliability Operating Limit (IROL) violation as required in reliability
standard TOP-007.
8. Any event that the Operating Committee requests to be submitted to Disturbance Analysis
Working Group (DAWG) for review because of the nature of the disturbance and the
insight and lessons the electricity supply and delivery industry could learn.
NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Report
Check here if this is an Interconnection Reliability Operating Limit (IROL) violation report.
1. Organization filing report.
2. Name of person filing report.
3. Telephone number.
4. Date and time of disturbance.
   Date: (mm/dd/yy)
   Time/Zone:
5. Did the disturbance originate in your system? Yes / No
6. Describe disturbance including: cause, equipment damage, critical services
interrupted, system separation, key scheduled and actual flows prior to
disturbance and in the case of a disturbance involving a special
protection or remedial action scheme, what action is being taken to prevent
recurrence.
7. Generation tripped.
   MW Total
   List generation tripped
8. Frequency.
   Just prior to disturbance (Hz):
   Immediately after disturbance (Hz max.):
   Immediately after disturbance (Hz min.):
9. List transmission lines tripped (specify voltage level of each line).
10. (Columns: FIRM, INTERRUPTIBLE)
   Demand tripped (MW):
   Number of affected Customers:
   Demand lost (MW-Minutes):
11. Restoration time. (Columns: INITIAL, FINAL)
   Transmission:
   Generation:
   Demand:
Attachment 2-EOP-004
U.S. Department of Energy Disturbance Reporting Requirements
Introduction
The U.S. Department of Energy (DOE), under its relevant authorities, has established mandatory
reporting requirements for electric emergency incidents and disturbances in the United States.
DOE collects this information from the electric power industry on Form OE-417 to meet its
overall national security and Federal Energy Management Agency’s Federal Response Plan
(FRP) responsibilities. DOE will use the data from this form to obtain current information
regarding emergency situations on U.S. electric energy supply systems. DOE’s Energy
Information Administration (EIA) will use the data for reporting on electric power emergency
incidents and disturbances in monthly EIA reports. In addition, the data may be used to develop
legislative recommendations, reports to the Congress and as a basis for DOE investigations
following severe, prolonged, or repeated electric power reliability problems.
Every Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator
or Load Serving Entity must use this form to submit mandatory reports of electric power system
incidents or disturbances to the DOE Operations Center, which operates on a 24-hour basis,
seven days a week. All other entities operating electric systems have filing responsibilities to
provide information to the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator or Load Serving Entity when necessary for their reporting obligations and to
file form OE-417 in cases where these entities will not be involved. EIA requests that it be
notified of those that plan to file jointly and of those electric entities that want to file separately.
Special reporting provisions exist for those electric utilities located within the United States, but
for whom Reliability Coordinator oversight responsibilities are handled by electrical systems
located across an international border. A foreign utility handling U.S. Balancing Authority
responsibilities may wish to file this information voluntarily to the DOE. Any U.S.-based utility
in this international situation needs to inform DOE that these filings will come from a foreign-based electric system or file the required reports themselves.
Form EIA-417 must be submitted to the DOE Operations Center if any one of the following
applies (see Table 1-EOP-004-0 — Summary of NERC and DOE Reporting Requirements for
Major Electric System Emergencies):
1. Uncontrolled loss of 300 MW or more of firm system load for more than 15 minutes from a
single incident.
2. Load shedding of 100 MW or more implemented under emergency operational policy.
3. System-wide voltage reductions of 3 percent or more.
4. Public appeal to reduce the use of electricity for purposes of maintaining the continuity of the
electric power system.
5. Actual or suspected physical attacks that could impact electric power system adequacy or
reliability; or vandalism, which target components of any security system. Actual or
suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
6. Actual or suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
7. Fuel supply emergencies that could impact electric power system adequacy or reliability.
8. Loss of electric service to more than 50,000 customers for one hour or more.
9. Complete operational failure or shut-down of the transmission and/or distribution electrical
system.
The initial DOE Emergency Incident and Disturbance Report (form OE-417 – Schedule 1) shall
be submitted to the DOE Operations Center within 60 minutes of the time of the system
disruption. Complete information may not be available at the time of the disruption. However,
provide as much information as is known or suspected at the time of the initial filing. If the
incident is having a critical impact on operations, a telephone notification to the DOE Operations
Center (202-586-8100) is acceptable, pending submission of the completed form OE-417.
Electronic submission via an on-line web-based form is the preferred method of notification.
However, electronic submission by facsimile or email is acceptable.
An updated form OE-417 (Schedule 1 and 2) is due within 48 hours of the event to provide
complete disruption information. Electronic submission via facsimile or email is the preferred
method of notification. Detailed DOE Incident and Disturbance reporting requirements can be
found at: http://www.oe.netl.doe.gov/oe417.aspx.
Table 1-EOP-004-0
Summary of NERC and DOE Reporting Requirements for Major Electric System
Emergencies
Incident No. | Incident | Threshold | Report Required | Time
1 | Uncontrolled loss of Firm System Load | ≥ 300 MW – 15 minutes or more | OE – Sch-1; OE – Sch-2 | 1 hour; 48 hour
2 | Load Shedding | ≥ 100 MW under emergency operational policy | OE – Sch-1; OE – Sch-2 | 1 hour; 48 hour
3 | Voltage Reductions | 3% or more – applied system-wide | OE – Sch-1; OE – Sch-2 | 1 hour; 48 hour
4 | Public Appeals | Emergency conditions to reduce demand | OE – Sch-1; OE – Sch-2 | 1 hour; 48 hour
5 | Physical sabotage, terrorism or vandalism | On physical security systems – suspected or real | OE – Sch-1; OE – Sch-2 | 1 hour; 48 hour
6 | Cyber sabotage, terrorism or vandalism | If the attempt is believed to have or did happen | OE – Sch-1; OE – Sch-2 | 1 hour; 48 hour
7 | Fuel supply emergencies | Fuel inventory or hydro storage levels ≤ 50% of normal | OE – Sch-1; OE – Sch-2 | 1 hour; 48 hour
8 | Loss of electric service | ≥ 50,000 for 1 hour or more | OE – Sch-1; OE – Sch-2 | 1 hour; 48 hour
9 | Complete operation failure of electrical system | If isolated or interconnected electrical systems suffer total electrical system collapse | OE – Sch-1; OE – Sch-2 | 1 hour; 48 hour
All DOE OE-417 Schedule 1 reports are to be filed within 60-minutes after the start of an
incident or disturbance
All DOE OE-417 Schedule 2 reports are to be filed within 48-hours after the start of an incident
or disturbance
All entities required to file a DOE OE-417 report (Schedule 1 & 2) shall send a copy of these
reports to NERC simultaneously, but no later than 24 hours after the start of the incident or
disturbance.
Incident No. | Incident | Threshold | Report Required | Time
1 | Loss of major system component | Significantly affects integrity of interconnected system operations | NERC Prelim; Final report | 24 hour; 60 day
2 | Interconnected system separation or system islanding | Total system shutdown; Partial shutdown, separation, or islanding | NERC Prelim; Final report | 24 hour; 60 day
3 | Loss of generation | ≥ 2,000 – Eastern Interconnection; ≥ 2,000 – Western Interconnection; ≥ 1,000 – ERCOT Interconnection | NERC Prelim; Final report | 24 hour; 60 day
4 | Loss of firm load ≥ 15 minutes | Entities with peak demand ≥ 3,000: loss ≥ 300 MW; All others ≥ 200 MW or 50% of total demand | NERC Prelim; Final report | 24 hour; 60 day
5 | Firm load shedding | ≥ 100 MW to maintain continuity of bulk system | NERC Prelim; Final report | 24 hour; 60 day
6 | System operation or operation actions resulting in: | Voltage excursions ≥ 10%; Major damage to system components; Failure, degradation, or misoperation of SPS | NERC Prelim; Final report | 24 hour; 60 day
7 | IROL violation | Reliability standard TOP-007. | NERC Prelim; Final report | 72 hour; 60 day
8 | As requested by ORS Chairman | Due to nature of disturbance & usefulness to industry (lessons learned) | NERC Prelim; Final report | 24 hour; 60 day
All NERC Operating Security Limit and Preliminary Disturbance reports will be filed within 24
hours after the start of the incident. If an entity must file a DOE OE-417 report on an incident,
which requires a NERC Preliminary report, the Entity may use the DOE OE-417 form for both
DOE and NERC reports.
Any entity reporting a DOE or NERC incident or disturbance has the responsibility to also
notify its Regional Reliability Organization.
Standards Announcement
Comment Period Open
March 17–April 16, 2010
Now available at: http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Project 2009-01: Disturbance and Sabotage Reporting
The Disturbance and Sabotage Reporting Drafting Team is seeking comments on a proposed concepts paper for
disturbance and sabotage reporting until 8 p.m. Eastern on April 16, 2010.
The concepts paper lays out the foundation for the reporting requirements in the standard and was developed to
solicit stakeholder input regarding the drafting team's proposed reporting concepts.
Instructions
Please use this electronic form to submit comments. If you experience any difficulties in using the electronic
form, please contact Lauren Koller at Lauren.Koller@nerc.net. An off-line, unofficial copy of the comment
form is posted on the project page: http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Next Steps
The drafting team will draft and post responses to comments received during this period.
Project Background
This project will entail revising existing standards CIP-001-1 — Sabotage Reporting and EOP-004-1 —
Disturbance Reporting to eliminate redundancies and provide clarity on sabotage events. The project will
address several issues identified by stakeholders, as well as FERC directives from Order 693. The other
changes may include improvements to the standards deemed appropriate by the drafting team, with the
consensus of stakeholders, consistent with establishing high quality, enforceable and technically sufficient bulk
power system reliability standards.
Standards Development Process
The Reliability Standards Development Procedure contains all the procedures governing the standards
development process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance,
please contact Lauren Koller at Lauren.Koller@nerc.net
Individual or group. (41 Responses)
Name (26 Responses)
Organization (26 Responses)
Group Name (15 Responses)
Contact Organization (15 Responses)
Question 1 (39 Responses)
Question 1 Comments (41 Responses)
Question 2 (40 Responses)
Question 2 Comments (41 Responses)
Question 3 (38 Responses)
Question 3 Comments (41 Responses)
Question 4 (39 Responses)
Question 4 Comments (41 Responses)
Question 5 (37 Responses)
Question 5 Comments (41 Responses)
Question 6 (0 Responses)
Question 6 Comments (41 Responses)
Question 7 (0 Responses)
Question 7 Comments (41 Responses)
Group
Exelon
Exelon Transmission Strategy & Compliance
Yes
No
Some of the DOE related reporting is driven by distribution events, i.e. outages greater than 50,000 customers, is it
realistic to expect the RC, whose focus is on the transmission system to perform distribution related reporting?
Yes
Yes
No
We agree with the direction to identify impact events examples that would trigger reporting and not be limited to
sabotage reporting only. It is important to note that when an incident occurs, some level of investigation is required
before a determination can be made as to whether the event is sabotage or not. The focus should be on reporting events
when they occur and allow follow-up investigations to make the sabotage determination. That being said, care must
be taken in the development of any list of impact events so that it doesn’t become or is misinterpreted to be a
definitive list. Therefore if it is not on the list, it is not reportable.
At the 2010 RFC Spring Workshop the following disturbance reporting Criteria was rolled out: All events that are
required to be reported by the OE-417 and EOP-004 criteria will use those published procedures. For other events
that do not meet the OE-417 and EOP-004 reporting criteria, ReliabilityFirst expects to receive notification of any
events involving a sustained outage of multiple BES facilities (buses, lines, generators, and/or transformers, etc.) that
are in close proximity (electrically) to one another and occur in a short time frame (such as a few minutes).
You should consider providing clear and concise instructions as to the expectation on submitting forms, i.e. the DOE
417. There should be no guessing as to when and how reports should be submitted and who should receive them.
Specific details on reporting criteria should be included.
Individual
Steve Fisher
Lands Energy Consulting
No
My firm provides compliance consulting services to a number of smaller (50-700 MW peak load) LSE/DP registered
entities. EOP-004 creates an obligation for LSEs to report "disturbances" that affect their systems. A few of the
smaller of these systems receive service from Bonneville-owned transmission lines that serve only 4-6 substations.
The NERC Form establishes loss of 50% of the LSE's retail customers as a reportable disturbance. One of my
clients receives service from BPA at 5 substations. A single industrial customer with a substantially dedicated
substation comprises 90% of the utility's MWH load. Were it not for this customer, the utility would have been well
below the registration requirement for a DP/LSE. The balance of the load, about 15 MW of peak and 4000 retail
customers, is served from 5 substations. Four of these substations serving 3000 customers are served from a long
Bonneville 115 kV BES transmission line that runs through a heavily treed right of way. Every time this single line
experiences a permanent outage (which will happen a few times a year), the utility loses less than 10 MW of load, but
75% of its retail customers. Under the disturbance reporting criteria, this outage would constitute a reportable
disturbance for the utility. When the NERC disturbance reporting criteria were adopted, I doubt that anyone conceived
that they would apply to cases like I just described. Reporting trivial events like I've just described constitutes a
nuisance to the entity making the report and NERC/WECC for having to process the report. The outage has no
earthly effect on the reliability of the BES and certainly doesn't warrant preparation of any kind of disturbance report.
Yes
I would give the RC the authority to establish impact thresholds for reporting. Consistent with my earlier comment, I
would set the materiality threshold for disturbance reporting purposes at LSEs (or a combination of LSEs in the case
of BPA) serving at least 90,000 customers.
Yes
I think that the impact approach makes sense and that EOP-004 and CIP-001 are logically connected. Many entities
of which I am aware link Sabotage Reporting Training to Disturbance Reporting obligation awareness already.
Yes
Less paperwork and fewer requirements to keep in mind during what may be once in a lifetime events are always
good.
No
The level of complexity described will overwhelm the 20-200 employee utilities that have yet to see - and will never
see - the kind of sabotage event that scares the Department of Homeland Security.
I believe WECC sets its loss of load criteria for disturbance reporting at 200 MW rather than the 300 MW in the NERC
reporting form.
The lack of common sense that leads to a 15 MW loss of load resulting from a 115 kV line outage being categorized
as a "reportable disturbance" really hurts the credibility of the entire NERC Compliance Program. The smaller utilities
look at application of EOP-004 in particular to their operation and conclude that either the EO/RRO is: a. stupid; or b.
Out to persecute the smaller utilities. In reality, EOP-004 was drafted for application to Southern California Edison,
where loss of 50% of customers would be 2-3 million customers. Now that's really disturbing!
Individual
David Kahly
Kootenai Electric Cooperative
No
Impact events seems to add another layer of uncertainty to the reporting. Define a transmission line. Our transmission
lines have very little impact on the grid. It is possible for our lines to cause a local area outage on our transmission
provider - but neither is of national security interest or even regional interest. There is no power flow going on across
the lines other than local power delivery supply. It seems you run more risk of losing the important reports in the snow
of reporting - similar to what we have to avoid on our SCADA systems for our operators to see the key information.
Group
Northeast Power Coordinating Council
Northeast Power Coordinating Council
Yes
In considering guidance found in the document “NERC Guideline: Threat and Incident Reporting”, the SDT should
maintain focus on only those items that are absolutely necessary to maintain the reliability of the Bulk Electric System.
In fact, the purpose of reporting per EOP-004 is that disturbances... need to be studied and understood to minimize
the likelihood of similar events in the future.
No
This is not a standards issue, and NERC should not dictate the reporting structure. It should be left to the RCs and
their members.
Yes
We agree with the concept that there should be one report form for all functional entities (whether located in the US,
Canada, Mexico) for use in reporting to NERC. This would provide for a consistent reporting format across the
continent.
Yes
We agree with the objective of eliminating duplicate reporting. However, EOP-004 currently allows substitution of
DOE OE-417 in place of the NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Report. As
suggested in the Concept Paper, entities meeting the criteria of OE-417 are still obligated to file a report with DOE.
Given that and the fact that CIP-001 requires no actual reporting, it is not clear where duplication exists today. We
agree with the recommendation to eliminate the need for filing duplicate reports such as the DOE form OE-417. There
is no benefit with regard to CIP-001 in filing separate reports. Duplicate reports introduce the potential for incomplete
information to be supplied to responsible parties. Removing jurisdictional agencies from the Standard, and having
NERC provide either query or situational awareness to those agencies being considered, might not be easy to
achieve. There is an obligation under law to require entities to report to the DOE on the OE-417 form as amended or
modified. This might drive the “omitted” agencies to have reporting laws enacted as well.
No
We believe that physical and cyber events must be investigated before a determination of sabotage or impact event
can be made. The purpose of the NERC Standards is to maintain the reliability of the BES. Therefore, impact events
should define or clarify the circumstances that would or could affect reliability. Reportable items should be based on
impact to reliability, not on ‘newsworthy’ events or to gather information for trending. It is the law enforcement
industry’s responsibility to make a determination of “sabotage” or other. This determination cannot definitively be
made by industry personnel, there is no expertise or time to investigate causes. It is the industry’s job to mitigate
effects. Examples would help provide for better guidance/direction. Industry examples would be welcomed to help
reinforce developed internal processes for compliance.
SERC and RFC are developing additional requirements at this time. We suggest that reporting be based on impact to
reliability, not on ‘newsworthy’ events. We therefore do not agree with such regional efforts and would prefer a
continent wide reporting requirement.
a. NERC should focus efforts on developing specific event reporting criteria and not base the requirement on the
definition of the term ‘sabotage’, but on the reporting criteria itself. See comments above. b. The “opportunities for
efficiency” discussed in the Concept Paper would be best achieved by focusing on those items that are absolutely
necessary to maintain the reliability of the Bulk Electric System. If there are elements that need to be reported that do
not support this objective, then that reporting should not be required in reliability standards. Consider making NERC
the distributor of reports to other agencies. We recognize that the key is to simplify reporting to a single form, and to
the extent possible, to one agency. “Front line” reliability personnel must have the “timely” knowledge to know when a
situation warrants local, area, regional, or national involvement.
Individual
Darryl Curtis
Oncor Electric Delivery Company LLC
Yes
"NERC Guideline: Threat and Incident Reporting" document should be used for guidance as it identifies best practices
for reporting.
Yes
Oncor agrees with this reporting hierarchy, in that dual reporting should be eliminated
Yes
Oncor agrees that by using the same type reporting format, there should be consistency in regard to each functional
entity's expectations.
Yes
Oncor agrees that this effort should eliminate file duplication
Yes
Oncor agrees that there are no broadly used guidance documents that detail how an event may be accurately
defined.
Oncor is not aware of any regional reporting requirements beyond the scope of CIP-001, CIP-008 and EOP-004.
Group
SERC Reliability Coordinator Sub-committee (RCS)
SERC RCS
No
Routine minor incidents such as copper theft and gun shots to insulators should not be reported. These types of
minor events do not affect the reliability of the BPS. Existing reporting requirements are satisfactory. The focus of
reporting should be on reliability related incidents and not incidents related to vandalism as such.
No
The RC should not be responsible for submitting the report to FERC, NERC or the RRO. The RC may not have the
necessary first hand information concerning the facts of the event. Situation awareness can be maintained by
including the RC in the distribution of any sabotage related reporting.
Yes
There should only be one report for all functional entities.
No
The requirement should be a single report that satisfies the need for all US governmental agencies as well as NERC
and the RRO’s.
No
Impact events that do not affect reliability should not be reported.
We are not aware of any regional reporting requirements beyond the requirements of CIP-001, CIP-008 and EOP-004. However, the SERC RRO has shared a list of events of interest that it would like to be made aware of to
maintain situation awareness.
None.
Group
Arizona Public Service Company
Arizona Public Service Company
No
APS supports standard revisions which streamline the reporting process for security incidents with a single form,
which aligns both with EIA reporting and NERC Standards requirements, particularly those identified in the NERC
Threat and Incident Reporting Guidelines. This would eliminate users issuing reports to multiple locations/government
entities without a standard form or format. The DOE 417 form which is currently utilized for reporting purposes is outdated and does not account for the types of incidents as identified in the NERC Threat and Incident Reporting
Guidelines. The guidelines state that an entity can report security incidents to the ESISAC, through CIPIS (Critical
Infrastructure Protection Information System), and or RCIS (Reliability Coordinator Information Center). CIPIS refers
an entity to the NICC and to the WECC. Additionally, APS proposes that the terms and timelines of reporting security
incidents be clearly identified. Events are often detected quickly or immediately. Determining whether or not the event
was sabotage and/or a reportable event; however, typically takes much longer. There is no time allowance for an
entity to investigate the event to determine what actually occurred. Currently, DOE 417 provides that acts of sabotage
should be reported within one hour of detection if the impact could affect the reliable operation of the bulk power
system. This may affect the accuracy of the information being provided by an entity on its initial reporting. Finally,
provisions should be incorporated to address the privacy of information being submitted, including handling and
storage.
Yes
All disturbance reporting should go through the RC.
Yes
APS supports the standardization of the form for consistency and format.
Yes
APS supports eliminating the need to file duplicate reports. This standardized form should generate and send the
DOE OE-417 report, totally eliminating duplicate work. Streamline the process.
Individual
Edward Bedder
Orange and Rockland Utilities, Inc.
Yes
However, the SDT needs to maintain clear demarcation for the criteria for reporting events, and only those events that
directly affect the reliability of the BES.
Yes
Having the reporting flow through the Reliability Coordinator supports the reliability objective of assessing, monitoring,
and maintaining a wide-area view of the reliability of the Bulk Electric System. The reporting hierarchy should be to
submit the information to the Reliability Coordinator, and to have the RC submit the report. This would eliminate the
duplication of information.
Yes
We agree with the concept that there should be one report form for all functional entities (whether located in the US,
Canada, Mexico) for use in reporting to NERC. This would provide for a consistent reporting format across the
continent.
Yes
No
Physical and cyber events must be investigated before a determination of sabotage or impact event can be made.
Impact events should define or clarify the circumstances that would or could affect reliability. Reportable items should
be based on impact to reliability, not on ‘newsworthy’ events or to gather information for trending. It is the law
enforcement industry’s responsibility to make a determination of “sabotage” or other. This determination cannot
definitively be made by industry (operating) personnel. If NERC's definition is expanded for CIP-001 and/or EOP-004,
responsibility and timing of reporting needs to be addressed so that appropriate agencies conduct the investigation and
assessment. Operating personnel need to remain focused on the primary responsibility of mitigating the effects.
NERC's SDT effort requires a clear, consistent, and comprehensive continent-wide approach, thus mitigating any
need for regional reporting requirements.
Individual
Kasia Mihalchuk
Manitoba Hydro
Yes
The “Threat and Incident Reporting” document contains a lot of detailed information which greatly assists in
determining reporting events and weaning out non important events. The document contains some examples and
expected reporting time lines. Attachment 1-EOP-004, though considerably smaller and condensed it does contain
some detail not mentioned in “Threat and Incident Reporting”. Integrating the “Threat and Incident Reporting” into
Attachment 1-EOP-004, though large in size, has lots of information and is easy to follow would be a large
improvement to existing protocol OR SEE QUESTION 3 COMMENTS. Incidences we have experienced on our
system, in past were difficult to delineate as reportable, who to report to and when. An improvement to this Standard
is welcome.
Yes
The Reporting Concept states that the new hierarchy is, “ Affected entity to TOP/ BA to RC. Then the RC will then
submit to NERC and DOE (if required)”. This will enhance the existing requirement EOP-004-1 R4 which states that
the RC shall assist the affected entity by providing representatives to assist in the investigation (this is also all
reiterated in Attachment 1-EOP-004). In a disturbance, the local resources would be tied up in the rectification of the
problem. Analyzing and reporting the event (is it reportable, who to report to, what is the timeline) is distracting and
time consuming. By leaving the final upper level steps of reporting to NERC/DOE by the RC would be efficient.
Yes
This is a promising idea, though there would be different requirements for the three countries, this could easily be
rectified with “drop down menus”. This electronic form could contain a lot of information without distracting clutter as
you “tree” down the menu depending on the event that occurred. This could also contain electronic references to
information located in Attachment 1-EOP-004 and Threat and Incident Reporting.
Yes
This could be easily incorporated into the electronic form. You could be prompted for information required
immediately, and notified for information that could be entered later. This form could contain all the enterable data that
all agencies could require. If the form is live and on line, all entities could be notified (depending on the entries) of an
ongoing event immediately. Form could be web based similar to ARS program or even integrated into the ARS program.
Yes
Though there are some specific events already included in this new definition, more could be added to dissolve
specific “gray areas” and as new ones come up. Again these examples could be added into the electronic form and
could contain a large data base which would be available depending on the event that occurred.
No. CIP-001 contains references to NERC and the DOE. CIP-008 makes exclusions for facilities regulated by US
Nuclear Regulatory Commission and Canadian Nuclear Safety Commission. It also contains references to ES ISAC
(Electricity Sector Information Sharing and Analysis Center). EOP-004 contains reference to NERC and DOE. There is
no reference to Homeland Security, FBI, etc or to Canadian equivalent references in any of these Standards. When
NERC is notified of an event, it is likely other organizations will have to be notified. There should be some sort of
consistency to cover all these Standards and all notifiable parties at a NERC Standards level.
No
Individual
Brian Bartos
Bandera Electric Cooperative, Inc.
Yes
Yes
This approach, while I suspect will not be universally agreed to, should provide some definitive guidance in reporting.
No preference in this area.
Yes
One can only assume the number of reports required in this area will continue to increase in terms of scope and to
which agency wants this data. The SDT is encouraged to attempt to find a reporting format and scope that does not
needlessly duplicate or complicate overall reporting obligations.
Yes
In principle, I agree with this concept. Would like for the SDT to pursue this further and seek additional comments at
that time.
No.
I commend the SDT for working on this effort and wish them success.
Group
PacifiCorp
PacifiCorp
Yes
Yes
Yes
Yes
Yes
Group
E.ON U.S. LLC
E.ON U.S. LLC
Yes
E.ON U.S. believes that the guidelines provide greater clarity for reporting forced outages caused by disturbances and
sabotage but there remain issues that are in need of further clarification. For example, there remains too much
subjectivity on the reporting of forced outages when there is “identification of valuable lessons learned”
Yes
The hierarchy will simplify reporting from the entity in that the RC is always notified and then the RC notifies other
parties as required (with the exception of OE-417, which still has to be filled out per law). E.ON U.S. recommends that
the drafting team pay particular attention to the report process to make sure that duplicate reports are not being
required. Currently information on forced outages is already communicated to the RC so formalizing a requirement to
provide data to the RC may represent duplication to reports already provided.
Yes
E.ON U.S. supports the proposal.
No
Reliability standards are federal law enforced by fines that can reach up to $1,000,000 per day of violation. There is
no reason to deliberately include ambiguity, i.e. “gray areas,” in requirements such that registered entities are left
unable to determine what it is they must do or refrain from doing to remain compliant. “Sabotage” for the purposes of
these standards must be defined.
Individual
John T. Walker
Portland General Electric
Yes
This process is in place and utilities are familiar with it. This is a good place to start.
Yes
PGE is familiar with and works closely with WECC today so the hierarchical consideration makes sense.
Yes
PGE supports the efforts of the Standards Drafting Team on the SAR for Project 2009-01 to consolidate the
disturbance and sabotage reporting processes as outlined in the concept paper.
Yes
PGE supports reducing the duplication of reporting.
Yes
PGE supports the DSR SDT's efforts to bring clarity and guidance to the spectrum of sabotage-type events.
Individual
Gregory Miller
BGE
Yes
We have no problem with NERC using the existing guidance as the foundation for disturbance reporting; however,
since this project proposes to investigate incorporation of the Cyber Incident reporting aspects of CIP-008, we feel
that if adopted, this concept should be added to the NERC Guideline document "Threat and Incident Reporting".
No
As currently worded, BGE opposes the reporting hierarchy concept, since insufficient guidelines were proposed to
prevent translation errors between the responsible entity (RE) and the RC. In addition to creating possible reporting
errors, this also opens a risk that the RC could misrepresent the true intent of an RE’s report contents if called upon to
explain/justify a submitted report. Reporting delays are another concern with this proposal because the RE would
basically be relinquishing control of the reporting process to the RC, while ultimately retaining the responsibility for
ensuring the report gets submitted within the required timeframe. However, BGE recognizes that avoiding duplication
and conflicting reports as well as encouraging communication are valuable. To make the reporting hierarchy concept
acceptable to BGE, the DSR SDT must develop proper controls to ensure the RE has the ability to control or approve
the information submitted and/or subsequently discussed with the respective authorities, and that it is done within the
permissible timeframe to satisfy compliance requirements.
Yes
One form makes sense to us; less is better in the sense that it makes filing reports easier by not creating unnecessary
complications.
Yes
We agree with this approach, as long as the latest version of the DOE OE-417 form is fully incorporated in the new
single-reporting form, so that it maintains its credibility with the DOE.
Yes
We agree that "the spectrum of all sabotage-type events is not well understood throughout the industry"; however, we
feel that the proposed concept of an "Impact Event" falls short of clarifying what constitutes such events. We believe
that "Impact Events" needs further clarification to eliminate "gray areas" and to provide more reporting consistency
between entities.
We are not aware of any regional requirements beyond the scope of CIP-001, CIP-008 and EOP-004.
1. If we move to a "one size fits all" single reporting form, it is important that the form be properly developed to cover
any foreseeable event, which appears to be the intent of the DSR SDT, as outlined on page 4 of the concept
document. Such an approach should also incorporate a single point of contact for reporting information, to avoid any
confusion. 2. We would like clarification that any proposed CIP-008-related reporting requirement (including any
linked reporting requirement between CIP-008 and CIP-001) is only applicable in situations where the incident/event
involves a registered entity’s Critical Cyber Asset.
Individual
Dan Roethemeyer
Dynegy Inc.
Yes
We agree with using the guidance; however, please consider revising the NERC Guideline: Threat and Incident
Reporting document to (i) lengthen the reporting timelines related to attempted sabotage to allow for additional time to
deem the threat credible, (ii) expand the description of forced outage of generation greater than 2000 MW to include
whether it is at the BA or GO level and if GO level, whether it is for one site or the combined GO's sites in a Region,
and (iii) add a Responsible Party column to the Appendix A matrix.
Yes
This seems to be a straightforward approach in that the RC is the best judge of threats to the overall system and could
eliminate multiple reports of a single event.
Yes
Please keep it short and simple.
Yes
Short and simple should be the goal.
Yes
We agree with the concept but please provide specific examples. Also, please consider whether there are any
penalties for misinterpreting an incident, who would determine if an event was a threat, and whether this could result
in over reporting non-threats.
Please consider MISO RTO-OP-023.
N/A
Group
Electric Market Policy
Dominion Resources Services, Inc.
Yes
Yes; however, in considering guidance found in the document “NERC Guideline: Threat and Incident Reporting” the
SDT should maintain focus on only those items that are absolutely necessary to maintain the reliability of the Bulk
Electric System. In fact, the purpose of reporting per EOP-004 is that disturbances... need to be studied and
understood to minimize the likelihood of similar events in the future.
Yes
Having the reporting flow through the Reliability Coordinator supports the reliability objective of assessing, monitoring,
and maintaining a wide-area view of the reliability of the Bulk Electric System.
Yes
Yes, we agree with the concept that there should be one report form for all functional entities (whether located in the
US, Canada, Mexico) for use in reporting to NERC.
Yes
Yes, we agree with the objective of eliminating duplicate reporting; however, EOP-004 currently allows substitution of
DOE OE-417 in place of the NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Report. As
suggested in the Concept Paper, entities meeting the criteria of OE-417 are still obligated to file a report with DOE.
Given that and the fact that CIP-001 requires no actual reporting, it is not clear where duplication exists today.
Yes
We believe that physical and cyber events must be investigated before a determination of sabotage or impact event
can be made.
SERC and RFC are developing additional requirements at this time. We suggest that reporting be based on impact to
reliability, not on ‘newsworthy’ events. We therefore do not agree with such regional efforts and would prefer a
continent wide reporting requirement.
a. NERC should focus efforts on developing specific event reporting criteria and not base the requirement on the
definition of the term ‘sabotage’ but on the reporting criteria itself. b. The “opportunities for efficiency” discussed in the
Concept Paper would be best achieved by focusing on those items that are absolutely necessary to maintain the
reliability of the Bulk Electric System. If there are elements that need to be reported that do not support this objective,
then that reporting should not be required in reliability standards.
Individual
Rick Terrill
Luminant
No
While the guidance is generally ok in the “NERC Guideline: Threat and Incident Reporting”, the reporting timelines
include 1 hour, 2 hours, 4 hours, 6 hours, 8 hours, 24 hours, and 48 hours. Please simplify and reduce the variation in
timelines. When it comes to Sabotage reporting, some time requirements start with detection, some start with
determination of sabotage and some events do not specify the trigger for the reporting clock to start. Again, please
provide clarity and consistency around the start of the timeline for reporting. Generally, the reporting timing should
start with the recognition or determination that a suspected or known sabotage event occurred.
Yes
Luminant believes that one report should be filed with the Reliability Coordinator or one responsible entity, who then
files the report with all applicable entities.
Yes
Luminant agrees with the concept of reducing reporting requirements, but asks the SDT to go even further. In the
concept paper, the SDT discussed that information would not be duplicated on the NERC report and the DOE OE-417
report. The concept paper described a process where one report would simply supplement the other, but two reports
would still be filed when required. Can the NERC SDT work with the DOE to develop one report to meet the needs of
NERC and the DOE?
No
Luminant would prefer to report disturbances and sabotage events. The reporting of impact events could lead to
unnecessary reporting. A definition of an “impact event” may be even more confusing than sabotage events.
Luminant disagrees with the direction of utilizing impact events, as this is an expansion in scope beyond the
simplification of sabotage and disturbance reporting.
Group
MRO's NERC Standards Review Subcommittee
Midwest Reliability Organization
No
We agree with using the present documentation but would like just one reporting form. We are concerned that the
guidelines and reporting periods specified within the DOE OE-417 report conflict with the NERC Guidelines. For
example, DOE OE-417 report requires “Suspected Physical or Cyber Impairment” to be reported within 6 hours. The
NERC guidelines indicate “Suspected Activities” are to be reported within 1 hour. We recommend the SDT use the
DOE OE-417 report as a guiding document, and then determine additional reporting requirements using guidance
from the NERC Guideline. FERC Order 693 appears to indicate conflicts and confusion with NERC reporting
requirements and DOE reporting requirements should be eliminated.
No
We agree a coordinated reporting process is beneficial for the entity and the Reliability Coordinator (RC). However, a
hierarchy would likely lengthen the reporting timeframe, or reduce the allotted time for each entity to provide
notification to the RC in order to meet DOE or NERC timelines. Communication and coordination with the RC would
likely provide more accurate and complete data submissions within a timely process and create shared accountability
for the report being submitted.
Yes
However, we believe the primary goal should focus on “each entity” being able to submit one report for all functional
requirements. Entities in the US that are required to submit the DOE OE-417 form should not be required to submit an
additional form developed for other entities (Canada & Mexico). One approach to satisfy this goal is for NERC to
require all entities (US, Canada, & Mexico) to complete the DOE OE-417 form as their report.
Yes
We agree with the concept to eliminate duplicate reports. However, we are concerned with the reference of the DOE
OE-417 report being a “supplement” of the NERC report rather than “accepted” as the NERC report.
No
Rather than attempting to define a new term (impact event), we suggest that the concept of impact event be replaced
with further defining sabotage and providing guidance on trigger events (impact event) that would cause an entity to
report.
No Comment.
Confusion often arises in the industry between the CIP standards and other reliability standards based on CIP-001
naming convention. We would suggest the SDT retire CIP-001 and incorporate requirements within the EOP-004
standard or a new EOP-xxx standard to avoid confusion rising from CIP and other NERC Reliability Standards.
Additionally, we assume the SDT has been created to specifically address FERC Order 693 directives to the ERO
which appears to include the following items: 1. Applicability – “possible revisions to CIP-001-1 that address our
concerns regarding the need for wider application of the Reliability Standard… the ERO should consider whether
separate, less burdensome requirements for smaller entities may be appropriate” (FERC, 2007, para. 460). 2.
Definition of Sabotage – “we direct that the ERO further define the term and provide guidance on triggering events
that would cause an entity to report an event… we believe the term sabotage is commonly understood and that
common understanding should suffice in most instances… the ERO should consider FirstEnergy’s suggestions to
differentiate between cyber and physical sabotage and develop a threshold of materiality.” (FERC, 2007, para. 461-462) 3. Periodic Review and Testing – “directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting procedures.” (FERC, 2007, para. 466) 4.
Redundant Reporting – “now direct the ERO to address our underlying concern regarding mandatory reporting of a
sabotage event… Regarding the potential for redundant reporting under CIP-001-1 and other government reporting
standards, and the need for greater coordination… We direct the ERO to explore ways to address these concerns –
including central coordination of sabotage reports and a uniform reporting format… with the appropriate governmental
agencies that have levied the reporting requirements.” (FERC, 2007, para. 468-469) 5. Specified Time – “the
Commission directs the ERO to modify CIP-001-1 to require an applicable entity to contact appropriate governmental
authorities in the event of sabotage within a specified period of time… the ERO should consider suggestions raised…
to define the specified period for reporting an incident beginning from when an event is discovered or suspected to be
sabotage” (FERC, 2007, para. 470). 6. Summary of CIP-001-1 – “the Commission directs the ERO to develop the
following modifications… (1) further define sabotage and provide guidance as to the triggering events… (2) specify
baseline requirements regarding… procedures for recognizing sabotage events… (3) incorporate a periodic review…
and for the periodic testing… (4) require an applicable specified period of time. In addition… address our concerns
regarding applicability to smaller entities… consolidation of the sabotage reporting forms and the sabotage reporting
channels with the appropriate governmental authorities to minimize the impact of these reporting requirements on all
entities.” (FERC, 2007, para. 471) 7. Analyze Performance – “at a minimum, generator operators and LSEs should
analyze the performance of their equipment and provide the data… The Commission directs the ERO to consider this
concern in future revisions… that includes any Requirements necessary for users, owners and operators… to provide
data that will assist NERC” (FERC, 2007, para. 613, 617). 8. Reporting Time Frames – “The Commission directs the
ERO to change its Rules of Procedures to assure that the Commission also receives these reports within the same
time frames as the DOE.” (FERC, 2007, para. 618)
Individual
James Stanton
SPS Consulting Group Inc.
No
At least not exclusively. The current standards and the guidance fail to consider that different registered entities will
have different scopes of awareness for when disturbances may take place. We want to avoid the situation where a
generator (for example) is cited for failure to report a disturbance of which they have no way of knowing occurred.
Yes
Yes
There should have probably been one report all along.
Yes
Duplication is inefficient and casts the whole reporting mechanism in a questionable light.
Yes
The term sabotage was always too narrow a concept for the standards. At times, questionable activities are not
confirmed as sabotage events until well after the fact, forcing the registered entity to speculate on whether or not to
report an activity that may not be a confirmed sabotage event at the time, and hence encounter another silly violation
based on imprecise terminology.
Again, please consider the unique scope of the entities to which these standards are to comply. Don't dump all the
requirements on all the applicable entities and perpetuate the current practice of forcing them to parse the
requirements into what is logical or illogical from their perspective. The drafting team should have the expertise to do
this. Identify which requirements apply to which applicable entity.
Individual
Andrew Gallo
Calpine Corp.
Yes
Yes
A Functional Entity such as a Generator Owner/Operator is not always aware that an event, such as a plant trip, is
part of a wider system disturbance that rises to the level of a reportable event under EOP-004. A reporting hierarchy
that allows a Generator to report the facts to its Transmission Operator and have that entity take a wider view to
determine whether there is a disturbance should facilitate the reporting of actual disturbances. The SDT needs to
ensure that some thought goes into the flow of information within the hierarchy and what triggers are needed to drive
the reporting up the hierarchy.
Yes
A single approach is desirable, particularly for those entities that find themselves in multiple regions or countries.
Yes
Clarification, simplicity and the removal of duplicate reporting is beneficial.
Yes
Individual
Steve Alexanderson
Central Lincoln
No
The guidance document makes no distinction between entities that operate 24/7 dispatch and those that don’t. The 1
hour and even the 24 hour reporting requirements in some cases will be impossible for entities without 24/7 dispatch
to meet without changing business practices. These are the same entities that present little or no risk to the BES.
Yes
In the west at least, this hierarchy should be extended to include BA’s as indicated in the Concepts Paper. See
http://www.bpa.gov/corporate/business/reliability/Docs/2007/PNSC_RE_Data_Letter_2_070723.pdf for the RC’s
policy on which entities it chooses to communicate with.
Yes
The existing reporting is needlessly complex. We appreciate the SDT’s goal.
Yes
The existing reporting is needlessly complex. We appreciate the SDT’s goal.
Yes
An act of vandalism may have impact. An act of sabotage may not be impactful alone, but may be part of a wider
coordinated attack. Dictionary definitions speaking of “intent” are not helpful in this regard, since acts of vandalism
and sabotage are both generally committed intentionally. Saboteurs, though, work for a higher cause. That cause
may be political, social, environmental, etc. We ask that the SDT look beyond dictionary definitions in developing a
definition of sabotage.
Individual
Brenda Frazer
Edison Mission Marketing & Trading
Yes
Yes
Yes
With the realization that having a common report form may be difficult to coordinate between different agencies.
Yes
No
There are too many special circumstances to try and capture. I feel this would be best delivered as a guideline.
I don't know of any.
No other comments.
Individual
Martin Bauer
USBR
Yes
The reporting outlined in the proposed plan does not include a clear indication of how NERC will use the information
they collect from the entities. Care needs to be taken in addressing the reporting requirements to not create a more
confusing or onerous reporting process.
No
The existing reporting methods collect reports of disturbances and analyze them by committees of the respective
coordinating councils. The new process would introduce a duplicate layer and associated staffing. It would be better
to ensure communication between the existing committees of the respective coordinating councils and the RC rather
than creating a new layer of review tracking and analysis. While the layered reporting hierarchy discussed in the
Disturbance Reporting section of the paper will eventually help with overall event awareness, the additional delays the
hierarchical approach could result in a decrease in situational (timely) awareness. Having more comprehensive
information as a result of the potential enhancements each layer adds to the chain of reporting may not be more
valuable than timely and well disseminated information in an actual disturbance situation. We would suggest the SDT
give careful consideration to this proposed direction. It may be appropriate to consider that expedited reporting of
operational impacts would outweigh the benefit of administratively intensive reporting procedures. The events
reported through the existing process have not yielded material feedback other than statistical analysis. Statistical
analysis is not as sensitive to timely reporting. Operational impacts which may be the result of possible sabotage may
be evident through assessment of widespread outage patterns or following event analysis. Comprehensive event
analysis can take anywhere from 15 days to 90 days depending on the event.
Yes
The Bureau of Reclamation utilizes a form for tracking unexpected events. This form contains information which the
agency considers important for its one reliability improvement program. The form is also used to meet NERC
standard requirements for protection system operations analysis. This form contains most of the information required by
DOE. The SDT should consider requiring the submission of specific information rather than lock responses in one
specific form. In this manner the agency would avoid duplicate forms, one for NERC, the other for agency
purposes.
Yes
It should be clear what information is to be supplemented. The fewer times the information has to be handled the
more efficient the process becomes. If the information exists on a required form, that legal form should be allowed.
Also, if the form is already submitted, then reference to it should be sufficient rather than requiring resubmission of the
form. That would require handling the information again. As explained in the previous answer, the SDT should
recognize that responsible entities have already developed internal reporting processes which utilize forms for
consistent responses. Those forms may contain more information than is needed by the new standard to be
proposed. The entity should be allowed to submit the internal form or else duplication would be created, which may
reduce the effectiveness of an entity's reliability improvement program.
Yes
There should be a clear distinction between a cyber event and a cyber event that has a material impact on the
reliability of the bulk electric system. Not all CIP-008 events will carry such a distinction. That being said, CIP-008
cannot be completely incorporated in this process. Denying access to a cyber asset is noteworthy under CIP-008 but
may not pose a threat to the reliability of the bulk electric system. Consider recognizing the impact on the bulk electric
system when modifying definitions or adding the bulk electric system description to the definitions. This will help to
clarify that disturbances, as discussed in this effort, are situations that produce an abnormal condition on the electric
power system, not necessarily on ancillary or supporting systems, such as SCADA systems or the water-related
systems at hydroelectric dams.
The concept of "threat" evaluation criteria is somewhat vague and great care is needed to ensure it is clear enough
that most individuals would be able to analyze an event and end up at the same threat. Otherwise it would be
almost impossible to ensure compliance with a requirement which cannot accurately describe criteria to be used to
ensure that proper evaluation has occurred.
Individual
John Alberts
Wolverine Power Supply Cooperative, Inc.
Yes
I agree with referencing existing guidelines - However: My concern is that, until all reportable incidents are analyzed
by the parties to which they are reported, their "impact" on the BES will not be quantified. Therefore, the tendency to
want to "report all events so that their impact can be determined" or "report all events because the information can be
utilized for informational purposes, regardless of impact on BES" might lead to expanded reporting requirements,
some of which may have questionable value from a reliability standpoint.
Yes
From the perspective of a TOP, this seems to alleviate reporting burden and move it upline. I can understand the
logic in wanting the reporting to flow through the RC for awareness purposes, but I can understand the RC's
reluctance to bear the additional potential burden. Again, a focused effort to minimize the necessary reporting to "true
impact events" should be kept in mind, regardless of who has to report. Collecting reams of data and figuring out what
impact it has later should not be the goal.
Yes
I can't see how anyone would disagree with this concept - However - I question how practical it will be to implement,
since various agencies would have to collaborate and coordinate to accomplish this task.
Yes
I agree with the concept of minimizing duplication - See previous question 3 for concerns.
Yes
I agree with the concept of focusing on impact instead of the type of event (sabotage, accident, vandalism, etc.) I
hope that the reporting proposal that comes out of this project will clearly make a separation between true impact
events that must be reported per the standards (enforceable), vs. "other" information that may be (electively - not
enforceable) reported, per some set of guidelines.
The concepts of removing duplication, consolidation, and focusing on "impact events" sound logical. I am concerned
that the focus may drift to expanded reporting, not reduced reporting.
Individual
Thad Ness
American Electric Power
Yes
Yes
This approach may work as long as there is a uniform process across all of the Reliability Coordinators. AEP owns
and operates BES facilities under three separate RCs and having differing rules and processes would create
confusion and additional burdens. There are some concerns about the time lag of reporting the information and this
might not work well in all cases especially if the information and knowledge are at the local level. AEP recommends
that the standard could have a default hierarchy, but this should not prohibit any entity from reporting directly.
Yes
Yes
Yes
Individual
James McCloskey
Central Hudson Gas & Electric
Yes
Central Hudson agrees with using the “NERC Guideline: Threat and Incident Reporting” in the development of
requirements. Central Hudson has currently in place a NERC-DOE Threat and Incident Reporting Table developed
from this NERC Guideline that allows for a quick-reference to all threat and incident reporting criteria (arranged by
category) with a cross-reference to the specific reporting form (NERC Interconnection Reliability Operating Limit and
Preliminary Disturbance Report, DOE Form OE-417, or NERC ES-ISAC Threat and Incident Report Form). Central
Hudson recommends maintaining the option of utilizing only 1 form, the DOE Form OE-417, for incidents that require
reporting to the DOE and NERC to maintain the streamlined approach to this reporting process.
Yes
Central Hudson agrees with this reporting hierarchy for disturbances given the "wider-view" of the Reliability
Coordinator as opposed to an entity such as a Transmission Owner or Load-Serving Entity. While, based on past
experience, the current process works if reports are filed to the DOE, RRO, and RC simultaneously via email for
example. However, the RC is in a better position to identify multi-site incidents and escalate the reporting process if
necessary.
Yes
Central Hudson agrees with this goal if the intent is to develop and implement an electronic version that would meet
DOE requirements as well.
Yes
Central Hudson agrees with this concept and, as stated in a previous response, recommends that the ability of
utilizing the DOE OE-417 to supplement the NERC report be maintained.
Yes
Central Hudson agrees with this concept, particularly if the reporting hierarchy through the RC is implemented in
order to better identify trends.
Although not beyond the scope of these standards, NPCC maintains a document and reporting form (Document C-17
- Procedures for Monitoring and Reporting Critical Operating Tool Failures) that outlines the reporting requirements,
responsibilities, and obligations of NPCC RCs in response to unforeseen critical operating tool failures.
The NERC Guideline: Threat and Incident Reporting Attachment A matrix is an extremely beneficial document that
organizes reporting criteria. However, it identifies communications systems failure sub-category under the Equipment
And/Or Systems Failure category as reportable with a reference to OE-417 - Schedule 1, Item 10. Item 10 on
Schedule 1 addresses only failures due to attacks (not failures for other reasons).
Individual
Deborah Schaneman
Platte River Power Authority
Yes
Yes
Situational awareness would be enhanced. All affected entities would be aware of the disturbance and relevant
information. Also, the flow of information between entities would be enhanced and a more comprehensive report
could be developed.
Yes
Yes
Yes
Individual
Howard Rulf
We Energies
No
While the NERC Guideline includes readily discernible information (and we would like to see that format carried
forward into any future documentation), utilize OE-417 as the foundation document in order to eliminate reporting
redundancies. If supplemental references are necessary for the proposed resolution, list the document as an official
attachment to the standard. Minimize the need to search in multiple locations for guideline information – some may
not be aware supporting documentation exists without explicit reference within the standard.
Yes
A hierarchical approach in conjunction with a single, electronic form would provide consistent reporting timelines,
provide clarity in the reporting process, and provide more accurate and meaningful data submissions while having
shared accountability. Confusion in the current method could be alleviated while providing more consistency in the
reporting of an "impact event".
Yes
Agree in conjunction with proposed concept that DOE OE-417 will be allowed to supplement the NERC report in lieu
of duplicating entries.
Yes
However, also evaluate whether or not DOE OE-417 is sufficient in lieu of a NERC report. If additional information is
required, duplicate format of DOE-OE-417 with additional NERC information listed at the end of the form.
Yes
We would prefer to refer to all sabotage, vandalism, cyber attacks, and other criminal behavior as impact events.
Focusing more on the event's impact on reliability and its ramifications on the systems seems to be more useful than
to try to determine the intent of the perpetrator.
What is meant by beyond the scope of the referenced standards? We Energies also has reporting obligations with the
MISO RC (MISO OP-023), RFC (PRC-002-RFC-01), and the Wisconsin and Michigan Public Service Commissions.
Give consideration to combining CIP-001 and EOP-004-1 through a common categorization. For example, “System
Risk Reporting” could encompass both actual and potential events and would minimize the need to cross reference
both standards, and provide one location for event and potential-event reporting. Much of the challenge in this project
is in achieving a common understanding of the words sabotage and terrorism. There are nuances of meaning in the
words that imply a relationship between the attacker and the victim, or a motive other than simple profit or mischief.
This nuance of meaning requires the victim of the damage to discern a relationship or motive which may not be
discoverable in the relatively brief time window during which the entity must report the event. In fact, they may never
be known. Consequently, We Energies recommends elimination of the words sabotage and terrorism from these
standards. We also recommend elimination of the word vandalism since it also implies an ability and duty to discern
whether a particular act (barbed wire thrown over transformer bushings) was done out of pure mischief (vandalism) or
with intent to destroy equipment for a political purpose (terrorism). And if the act was committed by a disgruntled
employee, it becomes sabotage. No wonder there is confusion and indecision. Instead, We Energies recommends
using the simple words “criminal damage”. One need not be a prosecuting attorney or FBI Special Agent to know
what this means. Simply ask, “Does it look like somebody damaged it (or hacked in) intentionally?” and, “Did we give
consent?” and you’re done. With elimination of sabotage, terrorism and vandalism, and all of their baggage, comes
the ability to integrate both CIP-001 and EOP-004. We now have criminal damage (or cyber attack) as just another
event to be evaluated against certain pre-defined impact measures. No value judgments, no speculation. Another
benefit of using these simple words and tests is that operating personnel, whether in the field or at the console, will
not require special awareness training in discerning these nuances of meaning. They already have experience with
the equipment or cyber systems and its normal performance. Operating personnel can readily assess whether an
impact event is due to equipment failure, weather or animal contact vs. intentionally caused by a person. If it appears
to be criminal damage, call the local police agency. Report the event and the impact. Cooperate with the
investigation. Share your knowledge of the normal condition of the equipment or performance of the system. Share
your experience with similar events. It will be important to highlight that the theft of all the grounding pigtails in a
substation is different from the act of simply snipping each of them to leave the equipment electrically floating. The
technical condition is the same, but this allows the police to make an inference with respect to motive, suspect profile,
sophistication, etc. That’s their job. They may ask us to speculate on the motive or skills of the attacker. That's okay.
But at least we don't have to know or guess at it for the purpose of determining whether to report the event. No
training required. With respect to notification to the FBI, We Energies recommends that the standard merely state that
the owner of the damaged asset ensure the local office of the FBI is notified. The standard should permit
documentation of either a direct phone call by the asset owner or obtaining an assurance from the local police that
they will do so. There should be no need to prove earlier establishment of a relationship with the FBI. There should be
no expectation that the entity have a signed letter from the FBI Special Agent in Charge acknowledging his agency’s
duty. This document means nothing. With respect to reporting within the industry, We Energies recommends that the
only events to be reported “up the chain” are those that we choose to characterize as “impact events”. That is, the
events that meet some measurable threshold with respect to BES impact. We should describe these efficiently to
avoid over-reporting of trivial events. It is apparent that we are already over-reporting since DHS HITRAC recently fed
back to the industry that copper thieves attacked a substation in San Bernardino, CA taking some of the grounding
conductors. The industry should have the option to report non-impact events that are unusual in some respect and
which may have some mutual industry benefit in terms of prevention, awareness or recovery. Attack attempts with no
impact, or observations of suspicious activity could fall into this optional category. These optional reports could be
aggregated by the entity for the purpose of detecting patterns or trends, or be reported ad hoc. The ES-ISAC should
be the recipient of the reports. It should be the single point of contact since it has the industry insight, engineering
expertise and cross-sector relationships to analyze and return valuable intelligence to the industry. With the ES-ISAC
as the recipient of the reports, efficient sharing with Federal agencies, with the regional entities and with neighboring
asset owners could be automated and rapid. There is much benefit to be gained from this project, primarily in the area
of creating clarity and uniformity. There is some risk that the reporting requirements will become onerous and
prescriptive.
Individual
Jianmei Chai
Consumers Energy Company
No
The existing guidelines ignore the fact that there are currently three overlapping and inconsistent reporting
requirements for disturbances of various types: CIP-001, EOP-004, and DOE OE-417. The reporting should be such
that any single event type needs to be reported only once, and to only a single agency, for any disturbance. First,
CIP-001 events should be reported to the ES-ISAC under one specific requirement (or set of requirements) and
removed from OE-417 and EOP-004, such that all interested agencies obtain their information from only that one
source. Second, OE-417 events should be reportable ONLY to DOE, and, again, other agencies should obtain their
information from only that one source. If NERC wishes to make such reporting mandatory and enforceable, the NERC
requirements should indicate ONLY that such reporting should be made in accordance with OE-417. Finally,
EOP-004 (or similar requirements) should require reporting to NERC ONLY in the case of events that don’t fit under
CIP-001 or OE-417 requirements. Alternatively, OE-417 should be submitted ONLY to NERC and they should disseminate
the information. EOP-004 has several issues and inconsistencies: a. EOP-004 requires that the entity that submits
form DOE-417 to provide copies to NERC. The DOE-417 form intermixes NERC entity definitions (e.g. BA, LSE, TO)
with generic terms such as “Electric Utilities” and “Generating Entities”. Is it the Generator Owner or Generator
Operator that is required to submit the information? There should be one form or at least well defined definitions that
apply to both forms. b. EOP-004-1 R3.1 requires submittal within 24 hours, however Table 1-EOP-004-0 which
purports to summarize the standard appears to change this requirement to 1 hour for several disturbances.
Additionally, it incorrectly summarizes the reporting time for 50,000 customers, which is 6 hours in DOE-417 and
summarized in Table 1-EOP-004-0 as 1-hour. An attachment to a standard should not be allowed to supersede the
standard or create additional rules. c. EOP-004-1 R3.1 requires submittal within 24 hours, however Table 1-EOP-004-0
which purports to summarize the standard appears to change the standard. R3.1 clearly states that events are to be
reported within 24 hours of identification, however Table 1-EOP-004-0 states that the events are to be reported on the
basis of the start of the disturbance. An attachment to a standard should not be allowed to supersede the standard or
create additional rules. d. EOP-004-1 R3.1 requires submittal within 24 hours, however Table 1-EOP-004-0 which
purports to summarize the standard appears to change the standard. R3.1 clearly states that events are to be
reported within 24 hours of identification, however Table 1-EOP-004-0 states that copies of DOE-417 are required to
be submitted “simultaneously”. It also states that schedules 1 and 2 are due within 24 hours of start of the event
instead of 48 hours per DOE-417 for schedule 2. An attachment to a standard should not be allowed to supersede
the standard or create additional rules. e. The requirement of loss of customers should be scaled based on customers
served. Loss of 50,000 customers to a utility that serves 100,000 customers is different than loss of 50,000 customers
to a utility that serves 2,000,000 customers.
No
It would be inefficient for RC’s to accumulate ALL disturbance data and submit it, and to bifurcate the reporting based
on type of disturbance above and beyond OE-417 data (which should go ONLY to DOE) would make a standard very
involved for an entity to comply with. We’re discussing after-event data here, not data needed for current operations –
and there’s no reason to make it any more complicated than necessary.
Yes
Agreed – to the extent that it’s consistent with the concept that any specific type of data is submitted to ONLY one
entity.
No
NERC should either coordinate with DOE for a single reporting process or simply adopt the DOE’s standard.
Yes
We agree with the concept, however, based on the information provided, it may be too vague to be of value. Terms
such as “potential” and “significant” can be subjective and therefore provide little direction. We would like to see
something more specific. Also, inclusion of the destruction of BES assets may be too inclusive and needs to be
restricted to BES assets that will cause a specific level of impact on reliability.
Group
Western Electricity Coordinating Council
WECC
Yes
It is comprehensive; however, we must keep in mind that the OE-417 is required under Public Law 93-275 and needs
to be attached if applicable in the US.
Yes
There should be an established time sequence that allows the RC to review the entities' material prior to forwarding to
NERC. By channelling all reports through the RC situational awareness will be enhanced. Instead of "submit
information", it should be clarified that entities submit complete written reports to RC in electronic format.
Yes
Canadian and Mexican entities should be consulted on content of report form to assure their "buy in".
No
This will work well for the USA entities to save us time in re-entering the same information. We believe that FERC and
NERC and the Regions should have one common reporting form for North America. The OE-417 is not required by
law outside of the United States. Canadian and Mexican entities may feel that US DOE has no jurisdiction in these
countries, and therefore no right to require reporting as is stated on the OE-417.
Yes
This will help eliminate regional differences in sabotage reporting. The definition should be broad enough so it covers
new types of sabotage that may evolve. Event analysis facilitates situational awareness and if it requires further
investigation regarding developing patterns and severity, it should be handled by law enforcement if need be.
There is a need to learn what reporting requirements are required by the Mexican and Canadian entities.
As stated previously, for "One stop shopping" we need "buy in" from the foreign nationals. The way to do this is to
engage their opinions and respect their jurisdictional agencies as well.
Individual
Amir Hammad
Constellation Power Source Generation
Yes
The existing guidance is an excellent base on which to build changes to EOP-004 and CIP-001. However, the SDT
must challenge each item in the different event categories and clarify or omit bullet points that are seemingly vague.
For example, under System Disturbances, a forced outage report is needed when “a generation asset of 500 MW or
above is on a forced outage for unknown reasons, or a forced outage of generation of 2,000 MW occurs…” Simply
removing the 500 MW criteria would make this criterion less vague. There are other examples of this in the guideline.
Yes
As stated in the concept paper, a hierarchy ensures proper communications, but it has the added benefit of reducing
redundancy on the Registered Entities, so long as responsibilities and accountability are clearly established.
Yes
Yes
Constellation agrees with the concept of eliminating the need to file duplicate reports. If the single NERC reporting
form is both comprehensive and easy to use, then using a single report should not be an issue. It is essential that all
elements of DOE OE-417, and any similar documents, be incorporated into this single report. Not incorporating all
elements will result in gaps in reporting for all Registered Entities.
No
Although defining an impact event would bring clarity to defining sabotage events, adding another situation would
further complicate things. Furthermore, the examples of impact events used all fall under the Sabotage category in
the Threat and Incident Reporting Guideline. Constellation Power Generation suggests the SDT further clarifies the
items in the Sabotage category to ensure all grey area situations are included. Clarification is also needed in how a
Cyber Security Incident (CIP-008) would map into the categories of Disturbance/Impact Events (CIP-001). To that
point, Constellation Power Generation questions whether cyber related incidents should fall under the spectrum of
sabotage type events, or remain separate and be incorporated in the CIP revisions. Having cyber related incidents
separate from other sabotage events would provide the clarity and guidance that the DSR SDT is striving to achieve.
Constellation Power Generation would like clarification that any proposed CIP-008-related reporting requirement
(including any linked reporting requirement between CIP-008 and CIP-001) is only applicable in situations where the
incident/event involves a registered entity’s Critical Cyber Asset. In that vein, we want to emphasize the importance of
the DSR SDT working with the CIP SDT on the cyber related events. If the DSR SDT is going to be adding clarity to
cyber related events, then coordination with the CIP SDT is needed to ensure the same verbiage is being used.
Furthermore, having any duplication of requirements will cause a double jeopardy scenario which would go against
the SAR for the DSR SDT. As stated earlier, Constellation Power Generation also questions whether cyber related
incidents should fall under the spectrum of sabotage type events, or remain separate and be incorporated in the CIP
revisions.
Group
Public Service Enterprise Group Companies
PSE&G
Yes
EOP reportable disturbances are familiar concepts in the industry.
Yes
The PSEG Companies believe that all entities with a reportable disturbance should report to the RC. The RC is best
positioned to evaluate the impact of the event and forward the information to the appropriate entities. There should
not be any intermediate entities to relay information to the RC as that can introduce delay and has the potential to
introduce transcription errors. Sabotage events should be reported to the RC as well as to law enforcement. CIP-008
reporting is highly specialized and should be retained in the set of cyber security standards, not merged with CIP-001
and EOP-004.
No
While simplification and consistency is a laudable goal, it should not be applied to different governmental agencies
(USA, Canada, Mexico) which may have different structures and processes. Moreover, results based standards
should not include administrative matters such as reporting forms.
Yes
The PSEG Companies agree with the avoidance of duplicate reports. NERC report forms should not include anything
in the DOE form, and NERC Regional report forms should not include anything in the DOE or NERC forms. Hence, a
DOE report should not "supplement" a NERC form, but rather replace it unless the NERC form calls for other
information for the same reportable incident, and likewise for the DOE - NERC - Regional form structure. DOE forms
would be filed with DOE, NERC and the Regional Entity where the event originated. NERC forms would be filed with
NERC and the region where the event originated and the Regional form filed only with the Region. In designing the
NERC and Regional forms, the need to file multiple reports should be minimized, and in no event should any of the
three (DOE, NERC, Region) forms contain duplicative information requests.
Yes
The PSEG Companies agree with the concept, but reserve judgment on the descriptions of the impacts. There is
clearly a need to better define what constitutes a sabotage incident versus common theft or vandalism. Moreover,
where it may be impossible to determine if any given incident (e.g., several loose bolts on a transmission tower cross
brace could be sabotage or could be human error in construction) falls within sabotage, a registered entity should not
be second guessed in an audit if the registered entity determines not to report. Excessive unnecessary reporting can
mask real incidents.
The PSEG Companies believe that RFC is developing a regional disturbance reporting requirement for events not
meeting the criteria of current DOE and NERC reports.
If reporting does become the responsibility of the Reliability Coordinators, the RCIS should be made available
view-only to registered entities with a notification when RC's have posted new entries. That will enhance the situational
awareness of registered entities. The PSEG Companies disagree with inclusion of CIP-008 reporting requirements as
part of the CIP-001 and EOP-004 initiative. CIP-008 reporting as part of the cyber security set of NERC standards is
usually managed by specialized corporate organizations separate from those involved with the other NERC
standards, and with highly specialized cyber skill sets. CIP-008 reporting requirements should remain where they are,
and any perceived need for improvement addressed in the ongoing CIP Version 4 development process.
Individual
Greg Rowland
Duke Energy
Yes
No
The RC should not be responsible for submitting the report to FERC, NERC or the RRO. The RC may not have the
necessary first hand information concerning the facts of the event. Situation awareness can be maintained by
including the RC in the distribution of any sabotage related reporting.
Yes
There should only be one report for all functional entities to submit to NERC.
Yes
Since the OE-417 is a DOE required report, it must be submitted. Including the OE-417 as part of the NERC
electronic form will facilitate reporting to NERC.
No
As FERC ordered in Order No. 693, the drafting team should further define sabotage and provide guidance as to the
triggering events that would cause an entity to report a sabotage event. Suggested definition: “Sabotage – the
malicious destruction of, or damage to assets of the electric industry, with the intention of disrupting or adversely
affecting the reliability of the electric grid for the purposes of weakening the critical infrastructure of our nation.”
None
We don’t think CIP-001, EOP-004 and cyber incident reporting aspects of CIP-008 should all be combined into one
standard, because of the significant differences between sabotage and disturbances. We have suggested that the
drafting team further define sabotage, and we have included a suggested definition in our response to question #5
above. Sabotage is very specific due to the intent (for the purpose of weakening the critical infrastructure), and the
potential impact to the BES. We believe that sabotage and cyber incident reporting should remain a part of the CIP
Standards due to the emphasis placed on the criticality and vulnerability of the assets needed to support reliable
operation of the BES. Cyber Security and Physical Security could be placed together in the same standard (remain in
CIP) and other disturbances (i.e., accidental, natural) in a separate standard. “One stop shopping” for reporting is still
possible as long as the OE-417 form is included as part of the NERC electronic form. And while we agree with the
need for additional clarity in sabotage and disturbance reporting, we believe that the Standards Drafting Team should
carefully consider whether there is a reliability-related need for each requirement. Some disturbance reporting
requirements are triggered not just to assist in real-time reliability but also to identify lessons-learned opportunities. If
disturbance and sabotage reporting continue to be reliability standards, we believe that all linkages to
lessons-learned/improvements need to be stripped out. We have other forums to identify lessons-learned opportunities and to
follow-up on those opportunities.
Group
ERCOT ISO
ERCOT ISO
Parts of the Guideline are helpful, but the guideline goes beyond the scope of the requirements of the current
standards, which could pose potential audit concerns. ERCOT ISO strongly feels this approach for reporting should
be focused on physical events only and cyber event reporting should be contained within CIP-008 only. Continue to
keep physical separate from cyber.
No
There are some events that are truly local and should be handled by local entities and reported to local authorities
(i.e. theft). If there is an impact or potential to have an impact to the BES or to the region, then hierarchical reporting
would be appropriate.
Yes
Standardization ensures consistency and relevance of the information received.
ERCOT ISO agrees with the concept of eliminating the need to file duplicate reports, but as stated in the Concept
Paper, the DOE form (OE-417) is required by law. Based on this, the elimination of EOP-004 (after the fact reporting)
is essential, since the OE-417 is mandatory and all-inclusive.
ERCOT ISO recognizes the risks associated with “gray areas” not being clarified. While “gray areas” pose compliance
risk due to differing interpretations, a risk remains that some items will go unreported. A more prescriptive approach
raises an even greater risk of events not being reported. People will not report events that are not specifically listed,
and will not use judgment in determining the need for reporting.
All references to CIP-008 should be removed and we reassert that physical and cyber reporting should be separate.
There is documentation available from the CIPC that the drafting team considered CIP-001 related physical sabotage
reporting and specified cyber incident reporting requirements in CIP-008. ERCOT ISO requests the DSR SDT to
continue to improve its guidelines and to post those guidelines for all to use, but not to create sanctionable standards
whose good intentions could result in unintended adverse consequences for the Industry. ERCOT ISO also suggests
that all reporting forms and guidance should be located in a central, easily accessible location, eliminating confusion
and simplifying reporting for system operators, thereby directly enhancing reliability during system events. The industry
would benefit from a central location or link on the NERC website containing all reporting forms.
Group
ISO RTO Council Standards Review Committee
IESO
Yes
The guidelines in EOP-004 and its attachments should be retained as the foundation for reporting disturbances. One
would note that such EOP Disturbances are relatively well defined reliability impacts. Thus EOP-004 disturbances are
based on HOW certain events impacted the BES. [Sabotage on the other hand requires an implication of WHY an
event occurred.] The original EOP-004 represents a common sense approach to defining reliability events that may
be useful to analyze on a regional basis. In the current environment, Regions are not sanctionable entities but they
still are valuable sources to collect, analyze and trend the few disturbances that occur in each region. To make use of
Regions, however, precludes the use of sanctionable NERC standards. EOP-004 as written does not meet the NERC
requirements for standards but it does meet the Industry needs for a guideline for reporting events that deserve to be
reviewed. The SDT should propose deleting EOP-004 and use it as a Disturbance Reporting Guideline.
No
The idea of a reporting hierarchy provides an easy to follow pro forma approach. But disturbance reports should not
always follow a common reporting path. A disturbance on the transmission system for example need not be routed
through an “if applicable” Balancing Authority. To mandate that a BA be in the path is inappropriate. To leave the
applicability open is to create a subjective compliance problem for the impacted BA. Copper theft is another example
that should not require reporting up through the RC. It is a local issue and the Transmission Owner should be able to
report this directly to the appropriate parties. How would a DP, LSE or GO know if an event is an “impact event”? The
posed impact events are a series of conditions for sabotage but not for EOP-type disturbances. The aforementioned
entities have no requirement to monitor and analyze the BES, which then means every event would be an impact
event for those entities (not an EOP disturbance but an impact event). Thus every theft of copper is an impact event
mandating a Disturbance Report even though the SDT notes the RC only has to send it to the “local authorities”. This
seems to be a misuse of the RC resources; every train derailment is an impact event requiring a Disturbance report
(is that a commercial train, regional rail line or a local trolley car); every teenage prank would also generate an impact
event mandating a disturbance report. The SDT defined impact events are not appropriate for use in defining
disturbances. There is a big difference from creating a set of guidelines to follow as opposed to creating sanctionable
standards.
No
The SRC supports NERC’s initiative for Results Based Standards. The SRC understood RBS to mean the results
were reliability based quantities not administrative quantities. There is no need for a NERC Reliability standard on
reporting. The idea that all functional entities in each of the said countries will use one form would be a good idea if
and only if all the countries and all of their agencies were willing to accept that form. The SRC does not believe that
those agencies will be willing to cede what information they ask for to NERC; nor that NERC will be able to create a
single form that all such agencies will accept.
No
The concept of eliminating duplication is laudable, but the idea of writing a standard to mandate reporting that
involves reporting to governmental areas does not make sense unless NERC will do all of the reporting for the
Industry. A governmental agency is as likely as not to change the forms they require which would then mean two
different reports (one for NERC and one for the given agency) or that the standard would have to be re-written every
time there is a change.
No
The nature of the fact that “gray areas” exist precludes the idea of using a standard to report; particularly a standard
for the vague topic of motivation such as sabotage events and the more defined disturbance events.
The FERC Order merely asked NERC to “further define sabotage and provide guidance as to the triggering events
that would cause an entity to report a sabotage event.” There is no requirement to create a Reporting Standard and
no mention of Disturbance events. There is a strong need to avoid heavy-handed use of NERC standards particularly
for such post event reporting guidelines. The SRC would urge the DSR SDT to continue to improve its guidelines and
to post those guidelines for all to use, but not to create sanctionable standards whose good intentions will inevitably
result in many unintended adverse consequences for the Industry. Rather, the SDT should seek to retire sanctionable
requirements that require event reporting in favor of guidelines for reporting.
Group
Bonneville Power Administration
BPA, Transmission Reliability Program
No
BPA likes the idea of consolidating information and eliminating duplication of reported information. In the report, don’t
include every detail possible found in the “Threat Guideline”. TOP’s are supposed to be operating the electrical
system, not doing investigative work for copper theft incidents (see comment on #5).
No
The RC is made aware of these types of incidents and goes right back to incorporating that in their awareness and to
focusing on system reliability. If the RC is the recipient for further distribution of information of this type they will be
forever going back for more information. Eliminate the middleman in whatever concept you propose, folks have plenty
to do now. Let people make good judgments with the direct field people on the seriousness of the breach with their
security personnel contacting the appropriate law enforcement agency. (Or are you looking to do a simple RE reports
to the RC who marks various category items on a secure website Yes/No category item indicator that can be rolled up
in ES-ISAC mapboard?)
Yes
As long as we don’t make one form that requires extraneous information for the sake of having agreement.
Yes
Minimizing the number of reports is a good thing. The concept of actually sharing information should be utilized as
much as practical.
Yes
BPA agrees with providing an industry-wide definition and guideline. We do NOT agree with requiring reports for
every instance of every activity. If your definition is good, you’ll get what is needed and not much chaff.
Individual
Kirit Shah
Ameren
Yes
We agree that it makes sense to build upon existing documentation. However, we do not believe it is necessary to
require event reporting to be in an enforceable standard. Rather the drafting team should consider developing a
reporting guideline document and retiring the EOP-004 standard.
Yes
The hierarchy is appealing in the fact that the TOP/BA will be kept in the loop and receive critical information from the
Generators, Distribution, LSE, etc. But there will be an inherent delay in reporting due to the fact that at every hand-off of information there will be questions for additional and/or clarified information, and there is always a possibility for
the loss of information due to the transfer from one entity to the next. Further, this reporting through a hierarchy could
also take away from the operators' ability to respond to system events due to being tied to an information transfer
ladder.
Yes
One report would be great for this standard. While this standard needs simplification and automation, we strongly
suggest developing a guideline for reporting rather than enforceable standards.
No
The DOE OE-417 report should not supplement the NERC report due to the fact that the majority of reportable events
are defined in/come from the OE-417 report. The NERC reporting form should be based on the OE-417 report and
then include additional reporting requirements defined by NERC. However, it does not make sense to require
reporting to the governmental agencies through enforceable NERC standards. The governmental agencies already
have legal authority to compel reporting.
While we are not opposed to the concept of identifying impact events, we are concerned that the drafting team may
actually be expanding reporting requirements. We do not support expansion of reporting requirements unless a clear
reliability or legal need is identified. Some of the impact events are almost never sabotage and do not warrant
reporting for reliability needs and should not be included. For example, copper theft should not require reporting, in
general, because it is almost never sabotage and rarely impacts reliability. If it does impact reliability because, for
example, the protection system is impacted and causes more significant potential contingencies, then reporting could
be required. Why is a train derailment near a transmission right of way significant? It would only be significant if an
investigation identified sabotage as the reason. Furthermore, what is considered near?
Group
Midwest ISO Standards Collaborators
Midwest ISO
Yes
We agree that it makes sense to build upon existing documentation. However, we do not believe it is necessary to
require event reporting to be in an enforceable standard. Rather the drafting team should consider developing a
reporting guideline document and retiring the EOP-004 standard. This is further supported by the fact that there is a
role in the existing standard for the Regional Entities even though these requirements can’t be enforced against the
Regional Entities because they are not a user, owner or operator of the system.
No
We do not agree with developing a hierarchy for reporting for all disturbances and impacting events. For instance,
copper theft is an example of an item that should be reported to the appropriate entities directly by the Transmission
Owner. The RC does not need to be made aware of every copper theft unless it has a direct impact on reliability
(affects rating, protection system, etc.) and the RC should not be burdened with expending resources for this
reporting. A further example in which the hierarchy is not needed would be the case in which only one entity is
impacted. If a significant event occurs on one TOP’s system, then the TOP should be able to handle the reporting of
all entities under its purview. If more than one TOP is involved, then it would be necessary to involve the RC in the
reporting.
Yes
We agree with the goal of having a single report form but believe there will be a significant challenge to get varying
governmental agencies to agree on single report format.
No
It certainly makes sense to eliminate duplication in reporting and to allow supplemental information to be submitted in
other reports. However, it does not make sense to require reporting to other governmental agencies through
enforceable NERC standards. Those governmental agencies already have legal authority to compel reporting. Again,
we support developing a guideline for reporting rather than enforceable standards. The guideline could certainly
explain the various reporting requirements and supplemental reporting requirements mentioned in the question
without causing the issues we have identified in our comments.
No
We agree with the idea of identifying impact events but do not support the requirement for these to be always
reported through the hierarchical structure identified in question 2. If an impact event only affects one entity, that
entity should have the reporting requirement.
While we are not opposed to the concept of identifying impact events, we are concerned that the drafting team may
actually be expanding reporting requirements. We do not support expansion of reporting requirements unless a clear
reliability or legal need is identified. Some of the impact events are almost never sabotage and do not warrant
reporting for reliability needs and should not be included. For example, copper theft should not require reporting, in
general, because it is almost never sabotage and rarely impacts reliability. If it does impact reliability because, for
example, the protection system is impacted and causes more significant potential contingencies, then reporting could
be required. Why is a train derailment near a transmission right of way significant? It would only be significant if an
investigation identified sabotage as the reason. Furthermore, what is considered near?
Group
FirstEnergy
FirstEnergy Corp.
Yes
This guideline appears to be a good starting point for developing consistency in reporting. However, we believe that
after-the-fact event reporting is administrative in nature and seldom rises to the level of mandated reliability standard
requirements. It is not clear what reporting would be made through this effort and how it differs from reporting made
through the NERC Reliability Coordinator Information System (RCIS). With the initiative for more results-based
standards being the goal of NERC, true after the fact reporting-type requirements should become administrative
procedures and only be included in standards if they are truly required for preserving an Adequate Level of Reliability.
If there are aspects that rise to be retained in a mandatory and enforceable reliability standard, we propose that those
associated with sabotage be moved to CIP-001 and that EOP-004 be focused on operational disturbances that
warrant a wide area knowledge. However, if the RCIS is the mechanism to convey real-time information and that is
presently occurring outside of reliability standards, it is unclear what the delta improvement this project aims to
achieve.
No
While we appreciate the team's effort to serialize the reporting process, with the electronic communication methods
available today, it seems that reporting can be accomplished simultaneously to multiple entities without shifting the
burden of reporting to others along the communications path. This is particularly true if the reporting format is
standardized to a one-size-fits-all report. Additionally, it would be a great burden to the Reliability Coordinator to
review all events perceived by entities to be malicious sabotage events.
No
While one consistent form for reporting may simplify reporting requirements, it would be very difficult to get all
governmental agencies to agree to a one-size-fits all approach.
Yes
We agree that the simplification and consistency of reporting will improve the reporting of this information. We support
the drafting team's efforts in this area and hope that all regulatory agencies will as well. However, as we have
mentioned in our other comments, the reporting requirements should not be in a reliability standard unless they are
proven to be necessary to maintain an Adequate Level of Reliability of the BES. Reporting of these events should be
required by NERC in arenas outside of the standards.
Yes
The concept paper makes good progress in this area and the drafting team is on the right track, and we agree that better
clarity needs to be developed surrounding sabotage events. However, some of the examples stated in the paper are
too vague and do not address extenuating circumstances or reasons for the events. One example cited in the
paper is "Bolts removed from transmission line structures." This statement may be too broad. For instance, if the bolts
are removed from the tower and the organization is not experiencing a labor dispute, it could be considered a
sabotage event with wide area implications. However, if the organization is in the middle of a labor dispute, this would
be vandalism and would most likely not be of a wide area concern. Also, the number and location of towers affected
could be an important determination related to the risk the event imposes on the Bulk Electric System.
We fully agree that sabotage events need to be more clearly defined and reporting requirements need to be better
coordinated. But as we have stated in previous comments, the drafting team needs to determine if standard
requirements need to be developed for this type of reporting or if this is better left to administrative requirements
outside the standards arena. Also, while we appreciate the team's effort to simplify reporting requirements for entities,
we are concerned with the serial communication offered by the concept paper. As an example, the team proposes to
have LSE report the incident to the BA and/or TOP and then have the BA and/or TOP report it to the RC and the RC
to report it to NERC and the NERC report to the regulatory agencies. While this simplifies it for each individual
organization, this method introduces many opportunities for errors and miscommunications. Since this is after-the-fact
reporting, it is difficult to defend this type of communication path when one consistent report could be sent
simultaneously to all agencies at the same time from the originating location.
Individual
Dan Rochester
Independent Electricity System Operator
Yes
Yes
We do not agree with the need of such a hierarchy setup solely for the purpose of making reports to the need-to-know
entities. All responsible entities (RC, BA, TOP, etc.) need to file a report. With the proposed set up noted under Q3,
which we support, these reports should go directly to NERC. The RC should not be held responsible for forwarding
other entities’ reports to NERC, and in doing so subject itself to potential non-compliance.
Yes
Yes, this will simplify the reporting effort. NERC may forward the reports to the other need-to-know entities.
Yes
We support this concept since it works well for those entities that are not required to file reports with the US agencies,
e.g. the DOE.
Yes
We agree with the general concept. However, we suggest that the classification of “events” be compatible if not
identical to those which need to be reported in real time as required in CIP-001, for otherwise it will create confusion
and unnecessary, extra work. Also, this proposal appears to focus on the sabotage-type events only but the SAR
deals with both sabotage and other disturbances (e.g. emergency type of events) reporting. A parallel type of “impact
event” is needed for non-sabotage-type of events.
In the Background Section of the comment form, it is indicated that the SDT “…is NOT seeking input or guidance on
the definition of physical or cyber sabotage, what type of disturbances should be reported, who should do reporting,
or to whom or what organizations will be receiving the reports.” Yet there are proposed definitions, with examples, in
the concept paper. The SDT should make it absolutely clear that by supporting the general concept as described in
the paper, the commenting entities are not endorsing the proposed definitions, nor the examples as elements to be
included in the standard.
Individual
Roger Champagne
Hydro-Québec TransÉnergie (HQT)
Yes
In considering guidance found in the document “NERC Guideline: Threat and Incident Reporting”, the SDT should
maintain focus on only those items that are absolutely necessary to maintain the reliability of the Bulk Electric System.
In fact, the purpose of reporting per EOP-004 is that disturbances... need to be studied and understood to minimize
the likelihood of similar events in the future.
Yes
Having the reporting flow through the Reliability Coordinator supports the reliability objective of assessing, monitoring,
and maintaining a wide-area view of the reliability of the Bulk Electric System. The reporting hierarchy should be to
submit the information to the Reliability Coordinator, and to have the RC submit the report. This would eliminate the
duplication of information.
Yes
We agree with the concept that there should be one report form for all functional entities (whether located in the US,
Canada, Mexico) for use in reporting to NERC. This would provide for a consistent reporting format across the
continent.
Yes
We agree with the objective of eliminating duplicate reporting. However, EOP-004 currently allows substitution of
DOE OE-417 in place of the NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Report. As
suggested in the Concept Paper, entities meeting the criteria of OE-417 are still obligated to file a report with DOE.
Given that and the fact that CIP-001 requires no actual reporting, it is not clear where duplication exists today. We
agree with the recommendation to eliminate the need for filing duplicate reports such as the DOE form OE-417. There
is no benefit with regard to CIP-001 in filing separate reports. Duplicate reports introduce the potential for incomplete
information to be supplied to responsible parties. Removing jurisdictional agencies from the Standard, and having
NERC provide either query or situational awareness to those agencies being considered, might not be easy to
achieve. There is an obligation under law to require entities to report to the DOE on the OE-417 form as amended or
modified. This might drive the “omitted” agencies to have reporting laws enacted as well.
No
We believe that physical and cyber events must be investigated before a determination of sabotage or impact event
can be made. The purpose of the NERC Standards is to maintain the reliability of the BES. Therefore, impact events
should define or clarify the circumstances that would or could affect reliability. Reportable items should be based on
impact to reliability, not on ‘newsworthy’ events or to gather information for trending. It is the law enforcement
industry’s responsibility to make a determination of “sabotage” or other. This determination cannot definitively be
made by industry personnel; there is no expertise or time to investigate causes. It is the industry’s job to mitigate
effects. Examples would help provide for better guidance/direction. Industry examples would be welcomed to help
reinforce developed internal processes for compliance.
SERC and RFC are developing additional requirements at this time. We suggest that reporting be based on impact to
reliability, not on ‘newsworthy’ events. We therefore do not agree with such regional efforts and would prefer a
continent wide reporting requirement.
a. NERC should focus efforts on developing specific event reporting criteria and not base the requirement on the
definition of the term ‘sabotage’, but on the reporting criteria itself. See comments above. b. The “opportunities for
efficiency” discussed in the Concept Paper would be best achieved by focusing on those items that are absolutely
necessary to maintain the reliability of the Bulk Electric System. If there are elements that need to be reported that do
not support this objective, then that reporting should not be required in reliability standards. Consider making NERC
the distributor of reports to other agencies. We recognize that the key is to simplify reporting to a single form, and to
the extent possible, to one agency. “Front line” reliability personnel must have the “timely” knowledge to know when a
situation warrants local, area, regional, or national involvement. Finally, the SDT should keep in mind the fact that
Canadian stakeholders might have some difference in the way reports are made to Security Agencies.
Consideration of Comments on Disturbance and Sabotage Reporting —
Project 2009-01
The Disturbance and Sabotage Reporting Standard Drafting Team thanks all commenters
who submitted comments on the proposed Concepts Paper for Disturbance and Sabotage
Reporting. The document was posted for a 30-day public comment period from March 17,
2010 through April 16, 2010. Stakeholders were asked to provide feedback on the
standards through a special Electronic Comment Form. There were 41 sets of comments,
including comments from more than 95 different people from approximately 50 companies
representing 8 of the 10 Industry Segments as shown in the table on the following pages.
The comments have been sorted and organized by question number in this report; the
comments are shown in the original format on the following project web page:
http://www.nerc.com/filez/standards/Project2009-1_Disturbance_Sabotage_Reporting.html
Summary Consideration:
Use of “NERC Guideline: Threat and Incident Reporting”
Most stakeholders agree that existing guidance should be used as the foundation for
disturbance reporting. Most commenters felt that the “NERC Guideline: Threat and Incident
Reporting” document contains a lot of detailed information which greatly assists in
determining reporting events and weeding out non-important events. The most common
desire was one, common form to be used for reporting and the OE-417 was considered to
be a good starting point. Most respondents thought the form could be streamlined. The
DSR SDT was urged to focus on applicable events and reporting timelines which are not
clear now and to report items that are clearly essential to the reliability of the BES. There
was some concern expressed about “over-reporting”, out of fear of non-compliance rather
than over the reliability of the BES. There was also a clear desire to separate out
vandalism & copper theft from reporting requirements.
Hierarchy for Reporting Disturbances
Most stakeholders (about 2/3) agree with the concept of developing a reporting hierarchy
for disturbances. Stakeholders who disagreed believed that the RC should be one of many
to receive information on impact events (DOE, RRO, etc.). Such a hierarchy would lead to
reporting delays (leading to lack of situational awareness), be cumbersome and complicated
and cloud responsibility for who is to report what to whom. Other negative comments
believed that a hierarchy would distract the RC’s focus from its primary responsibility.
Those stakeholders who agreed commented that the RC should be the collection point for
reports and information and take the responsibility to forward as required. This is from the
concept that the RC has the “wider view” and can recognize patterns, and has the ability to
“escalate” the reporting process. This would also minimize duplication of reports and
information.
Single Form for All Agencies
Most stakeholders agreed with the concept of having one reporting form for all entities.
Several commenters suggested that there is no need for a standard on reporting as they
considered it administrative in nature. Most dissenters thought there should be a guideline,
rather than an enforceable standard. There is widespread agreement that the one-size-fits-all approach would be very difficult to get agreement on, given the different countries and
agencies involved. Many stakeholders pointed out that consistency and simplification were
drivers for one report form. Having multiple recipients, with different information
requirements, seems to support an electronic format that would guide information only to
those who need it. The concept of an electronic reporting tool will need to be further vetted
and developed.
Supplements to NERC Form
Most stakeholders agreed with the concept of entities being able to use information from
other sources such as the OE-417 form, to supplement the NERC report form. Some
thought that duplicate reports were acceptable, as long as the information was not
duplicated (if # of customers lost is required on form A, don’t ask on forms B & C). Several
stakeholders commented on the need for an electronic, one stop reporting tool. This would
avoid duplication while ensuring that the information reported goes only to intended
recipients. With an electronic, one stop reporting tool, reports can be updated/corrected
instantly, without repeating previously submitted information. Some stakeholders cautioned
that the OE-417 can change every three years and this should be taken into account when
developing an electronic reporting tool. Again, such a reporting tool would need to be
vetted and developed to meet reliability needs.
Impact Events
The majority of stakeholders agreed with the concept of “impact events.” Some
stakeholders felt that the introduction of impact events increased the risk that some items
will go unreported. However, most felt that impact events would dramatically increase the
number of reports being submitted, and it would be difficult to separate important
information from background noise. Several respondents felt that the SDT ignored the
FERC Directive, and did not define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event. Many respondents supplied
the SDT with their own definition of “Sabotage”. The DSR SDT believes that the concept of
impact events and the specificity of what needs to be reported in the standard will be an
equally efficient and effective means of addressing the FERC directive regarding sabotage.
Some stakeholders felt that impact events add another layer of uncertainty to the reporting.
Even with the switch from sabotage to impact events, several felt that “intent” was still key
to determining reportability.
Regional Differences
Several commenters provided information on regional reporting. The SDT will consider
whether these should be included in the continent-wide standard. These include:
1. NPCC maintains a document and reporting form (Document C-17 - Procedures
for Monitoring and Reporting Critical Operating Tool Failures) that outlines the
reporting requirements, responsibilities, and obligations of NPCC RCs in
response to unforeseen critical operating tool failures.
2. For other events that do not meet the OE-417 and EOP-004 reporting criteria,
ReliabilityFirst expects to receive notification of any events involving a
sustained outage of multiple BES facilities (buses, lines, generators, and/or
transformers, etc.) that are in close proximity (electrically) to one another
and occur in a short time frame (such as a few minutes).
3. WECC sets its loss of load criteria for disturbance reporting at 200 MW rather
than the 300 MW in the NERC reporting form.
4. SERC and RFC are developing additional requirements at this time. We
suggest that reporting be based on impact to reliability, not on ‘newsworthy’
events. We therefore do not agree with such regional efforts and would prefer
a continent wide reporting requirement.
5. Some entities identified some in-force Regional Standards and other regional
reporting requirements.
Project Scope
Some stakeholders suggested that the SDT has gone beyond its approved scope to “further
define sabotage and provide guidance as to the triggering events that would cause an entity
to report a sabotage event.” Further, there is no requirement to create a Reporting
Standard to define sabotage. The SDT contends that the development of impact events and
the reporting requirements for them will provide the clarity sought in the directive. Other
stakeholders suggested that the SDT should seek to retire sanctionable requirements that
require event reporting in favor of guidelines for reporting. Several commenters suggested
that the introduction of impact events actually expands the reporting requirements. It
should be noted that the list of impact events is expected to be explicit as to who is to
report what to whom and within certain timelines.
Electronic Tool
Several stakeholders provided input as to what they believed an electronic reporting tool
should contain:
1. If the decision is made to go to a single reporting form, it should be
developed to cover any foreseeable event.
2. The SDT should work toward a single form, located in a central location, and
submitted to one common entity (NERC).
3. Reports should be forwarded to the ES-ISAC, not NERC, as the infrastructure
is already in place for efficient sharing with Federal agencies, with the
regional entities and with neighboring asset owners. Reports should flow to
all affected entities in parallel, rather than series (timing issues).
Commenters also suggested that the SDT should consider the impacts of the reporting
requirements on the small and very small utilities.
If you feel that your comment has been overlooked, please let us know immediately. Our
goal is to give every comment serious consideration in this process! If you feel there has
been an error or omission, you can contact the Vice President and Director of Standards,
Herbert Schrayshuen, at 609-452-8060 or at Herb.Schrayshuen@nerc.net. In addition,
there is a NERC Reliability Standards Appeals Process. 1
1 The appeals process is in the Reliability Standards Development Procedures:
http://www.nerc.com/standards/newstandardsprocess.html.
September 15, 2010
Consideration of Comments on Concept Paper for Disturbance and Sabotage Reporting —
Project 2009-01
Index to Questions, Comments, and Responses
1. The details of reporting requirements and criteria are in the existing EOP-004 standard
and its attachments. The DSR SDT discussed the reliability needs for disturbance
reporting and will consider guidance found in the document “NERC Guideline: Threat
and Incident Reporting” in the development of requirements. Do you agree with using
the existing guidance as the foundation for disturbance reporting? Please explain your
response (yes or no) in the comment area.
2. The DSR SDT is considering developing a reporting hierarchy for disturbances that
requires entities to submit information to the Reliability Coordinator and then for the
Reliability Coordinator to submit the report. Do you agree with this hierarchy concept?
Please explain your response (yes or no) in the comment area.
3. The goal of the DSR SDT is to have one report form for all functional entities (US,
Canada, Mexico) to submit to NERC. Do you agree with this change? Please explain
your response (yes or no) in the comment area.
4. The goal of the DSR SDT is to eliminate the need to file duplicate reports. The
standards will specify information required by NERC for reliability. To the extent that
this information is also required for other reports (e.g. DOE OE-417), those reports will
be allowed to supplement the NERC report in lieu of duplicating the entries in the NERC
report. Do you agree with this concept? Please explain your response (yes or no) in
the comment area.
5. In its discussion concerning sabotage, the DSR SDT has determined that the spectrum
of all sabotage-type events is not well understood throughout the industry. In an effort
to provide clarity and guidance, the DSR SDT developed the concept of an impact
event. By developing impact events, it allows us to identify situations in the “gray
area” where sabotage is not clearly defined. Other types of events may need to be
reported for situational awareness and trend identification. Do you agree with this
concept? Please explain your response (yes or no) in the comment area.
6. If you are aware of any regional reporting requirements beyond the scope of CIP-001,
CIP-008 and EOP-004 please provide them here.
7. If you have any other comments on the Concepts Paper that you haven’t already
provided in response to the previous questions, please provide them here.
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Commenter | Organization

1. Group: John Bee | Exelon
  Additional Member | Additional Organization | Region | Segment Selection
  1. Dan Brotzman | ComEd | RFC | 1
  2. Dave Weaver | PECO | RFC | 1
  3. Ron Schloendorn | PECO | RFC | 1
  4. John Garavaglia | ComEd | RFC | 1
  5. Karl Perman | Exelon | NA - Not Applicable | NA
  6. Dave Belanger | Exelon Generation Co., LLC | RFC | 5
  7. Alison MacKellar | Exelon Generation Co., LLC | RFC | 5
  8. Tom Leeming | ComEd | RFC | 1
  9. Tom Hunt | PECO | RFC | 1

2. Group: Guy Zito | Northeast Power Coordinating Council
  Additional Member | Additional Organization | Region | Segment Selection
  1. Alan Adamson | New York State Reliability Council, LLC | NPCC | NA
  2. Michael Schiavone | National Grid | NPCC | 1
  3. Roger Champagne | Hydro-Quebec TransEnergie | NPCC | 2
  4. Kurtis Chong | Independent Electricity System Operator | NPCC | 2
  5. Sylvain Clermont | Hydro-Quebec TransEnergie | NPCC | 1
  6. Chris de Graffenried | Consolidated Edison Co. of New York, Inc. | NPCC | 1
  7. Gerry Dunbar | Northeast Power Coordinating Council | NPCC | 10
  8. Ben Eng | New York Power Authority | NPCC | 4
  9. Brian Evans-Mongeon | Utility Services | NPCC | 8
  10. Mike Garton | Dominion Resources Services, Inc. | NPCC | 5
  11. Brian L. Gooder | Ontario Power Generation Incorporated | NPCC | 5
  12. Peter Yost | Consolidated Edison Co. of New York, Inc. | NPCC | 3
  13. David Kiguel | Hydro One Networks Inc. | NPCC | 1
  14. Michael R. Lombardi | Northeast Utilities | NPCC | 1
  15. Randy MacDonald | New Brunswick System Operator | NPCC | 2
  16. Bruce Metruck | New York Power Authority | NPCC | 6
  17. Lee Pedowicz | Northeast Power Coordinating Council | NPCC | 10
  18. Robert Pellegrini | The United Illuminating Company | NPCC | 1
  19. Saurabh Saksena | National Grid | NPCC | 1
  20. Kathleen Goodman | ISO - New England | NPCC | 2
  21. Greg Campoli | New York ISO | NPCC | 2

3. Group: Wes Davis (SERC Staff) and Steve Corbin (Chair of SERC RCS) | SERC Reliability Coordinator Sub-committee (RCS)
  Additional Member | Additional Organization | Region | Segment Selection
  1. Steve Corbin | Southeastern RC | SERC | NA
  2. Joel Wise | TVA RC | SERC | NA
  3. Don Reichenbach | VACAR South RC | SERC | NA
  4. Don Shipley | ICTE RC | SERC | NA
  5. Robert Rhodes | SPP RC | SERC | NA
  6. Stan Williams | PJM RC | SERC |
  7. Tim Aliff | Midwest ISO RC | SERC | NA

4. Group: Mike Garton | Electric Market Policy
  Additional Member | Additional Organization | Region | Segment Selection
  1. Michael Gildea | Dominion Resources Services, Inc. | RFC | 3
  2. Louis Slade | Dominion Resources Services, Inc. | SERC | 6

5. Group: Carol Gerou | MRO's NERC Standards Review Subcommittee
  Additional Member | Additional Organization | Region | Segment Selection
  1. Chuck Lawrence | American Transmission Company | MRO | 1
  2. Tom Webb | WPS Corporation | MRO | 3, 4, 5, 6
  3. Terry Bilke | Midwest ISO Inc. | MRO | 2
  4. Jodi Jenson | Western Area Power Administration | MRO | 1, 6
  5. Ken Goldsmith | Alliant Energy | MRO | 4
  6. Dave Rudolph | Basin Electric Power Cooperative | MRO | 1, 3, 5, 6
  7. Eric Ruskamp | Lincoln Electric System | MRO | 1, 3, 5, 6
  8. Joseph Knight | Great River Energy | MRO | 1, 3, 5, 6
  9. Scott Nickels | Rochester Public Utilities | MRO | 4
  10. Terry Harbour | MidAmerican Energy Company | MRO | 1, 3, 5, 6

6. Group: Linda Perea | Western Electricity Coordinating Council
  Additional Member | Additional Organization | Region | Segment Selection
  1. Steve Rueckert | WECC | WECC | 10

7. Group: Kenneth D. Brown | Public Service Enterprise Group Companies
  Additional Member | Additional Organization | Region | Segment Selection
  1. Ron Wharton | PSE&G | RFC | 1, 3
  2. Dave Murray | PSEG Power Connecticut | NPCC | 5
  3. Jim Hebson | PSEG Energy Resource & Trade | ERCOT | 6
  4. Jerzy Sluarz | PSEG Fossil | RFC | 5
  5. Bruce Wertz | Odessa Ector Power Partners | ERCOT | 5
  6. Peter Dolan | PSEG Energy Resource & Trade | RFC | 6

8. Group: Laura Zotter | ERCOT ISO
  Additional Member | Additional Organization | Region | Segment Selection
  1. Steve Myers | ERCOT ISO | ERCOT | 2, 10
  2. Jimmy Hartmann | ERCOT ISO | ERCOT | 2, 10
  3. Christine Hasha | ERCOT ISO | ERCOT | 2, 10

9. Group: Ben Li | ISO RTO Council Standards Review Committee
  Additional Member | Additional Organization | Region | Segment Selection
  1. Al Dicaprio | PJM | RFC | 2
  2. Jame Castle | NYISO | NPCC | 2
  3. Lourdes Estrada-Salinero | CAISO | WECC | 2
  4. Matt Goldberg | ISO-NE | NPCC | 2
  5. Steve Myers | ERCOT | ERCOT | 2
  6. Bill Phillips | MISO | RFC | 2
  7. Mark Thompson | AESO | WECC | 2
  8. Charles Yeung | SPP | SPP | 2

10. Group: Denise Koehn | Bonneville Power Administration
  Additional Member | Additional Organization | Region | Segment Selection
  1. Tedd Snodgrass | BPA, Transmission Dispatch | WECC | 1
  2. Jim Burns | BPA, Transmission Technical Operations | WECC | 1
  3. Jeff Millennor | BPA, Security & Emergency Response | WECC | 1, 3, 5, 6

11. Group: Jason L. Marshall | Midwest ISO Standards Collaborators
  Additional Member | Additional Organization | Region | Segment Selection
  1. Bob Thomas | IMEA | SERC | 4
  2. Jim Cyrulewski | JDRJC Associates, LLC | RFC | 8
  3. Joe Knight | Great River Energy | MRO | 1, 3, 5, 6
  4. Randi Woodward | Minnesota Power | MRO | 1
  5. Kirit Shah | Ameren | SERC | 1

12. Group: Sam Ciccone | FirstEnergy
  Additional Member | Additional Organization | Region | Segment Selection
  1. Doug Hohlbaugh | FE | RFC | 1, 3, 4, 5, 6
  2. Dave Folk | FE | RFC | 1, 3, 4, 5, 6

13. Individual: Thomas Glock | Arizona Public Service Company
14. Individual: Sandra Shaffer | PacifiCorp
15. Individual: Brent Ingebrigtson | E.ON U.S. LLC
16. Individual: Steve Fisher | Lands Energy Consulting
17. Individual: David Kahly | Kootenai Electric Cooperative
18. Individual: Darryl Curtis | Oncor Electric Delivery Company LLC
19. Individual: Edward Bedder | Orange and Rockland Utilities, Inc.
20. Individual: Kasia Mihalchuk | Manitoba Hydro
21. Individual: Brian Bartos | Bandera Electric Cooperative, Inc.
22. Individual: John T. Walker | Portland General Electric
23. Individual: Gregory Miller | BGE
24. Individual: Dan Roethemeyer | Dynegy Inc.
25. Individual: Rick Terrill | Luminant
26. Individual: James Stanton | SPS Consulting Group Inc.
27. Individual: Andrew Gallo | Calpine Corp.
28. Individual: Steve Alexanderson | Central Lincoln
29. Individual: Brenda Frazer | Edison Mission Marketing & Trading
30. Individual: Martin Bauer | USBR
31. Individual: John Alberts | Wolverine Power Supply Cooperative, Inc.
32. Individual: Thad Ness | American Electric Power
33. Individual: James McCloskey | Central Hudson Gas & Electric
34. Individual: Deborah Schaneman | Platte River Power Authority
35. Individual: Howard Rulf | We Energies
36. Individual: Jianmei Chai | Consumers Energy Company
37. Individual: Amir Hammad | Constellation Power Source Generation
38. Individual: Greg Rowland | Duke Energy
39. Individual: Kirit Shah | Ameren
40. Individual: Dan Rochester | Independent Electricity System Operator
41. Individual: Roger Champagne | Hydro-Québec TransEnergie (HQT)
1. The details of reporting requirements and criteria are in the existing EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and will consider
guidance found in the document “NERC Guideline: Threat and Incident Reporting” in the
development of requirements. Do you agree with using the existing guidance as the foundation for
disturbance reporting? Please explain your response (yes or no) in the comment area.
Summary Consideration: Most stakeholders agree that existing guidance should be used as the foundation for disturbance
reporting. Most commenters felt that the “NERC Guideline: Threat and Incident Reporting” document contains a lot of detailed
information which greatly assists in determining reporting events and weeding out non-important events. The most common
desire expressed was to have one common form for all reporting, and the OE-417 was suggested as a good starting point.
Most respondents thought the form could be streamlined. The DSR SDT was urged to focus on applicable events and reporting
timelines, which are not clear now, and to report items that are clearly essential to the reliability of the BES. There was some
concern expressed about “over-reporting” out of fear of non-compliance rather than reporting based on the reliability of the BES.
There was also a clear desire to exclude vandalism and copper theft from reporting requirements.
Several specific suggestions were made to modify existing reporting requirements, and the drafting team will consider these
when developing the proposed requirements.
Organization
Yes or No
Question 1 Comment
ERCOT ISO
Possible Yes
Parts of the Guideline are helpful, but the guideline goes beyond the scope of the requirements of the current
standards, which could pose potential audit concerns. ERCOT ISO strongly feels this approach for reporting
should be focused on physical events only and cyber event reporting should be contained within CIP-008
only. Continue to keep physical separate from cyber.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has not
determined at this time what bright line will be used for the yet to be drafted Standard(s). The DSR SDT will take into consideration your comment on
keeping cyber and physical events separate.
Arizona Public Service Company
No
Then Yes
APS supports standard revisions which streamline the reporting process for security incidents with a single
form, which aligns both with EIA reporting and NERC Standards requirements, particularly those identified in
the NERC Threat and Incident Reporting Guidelines. This would eliminate users issuing reports to multiple
locations/government entities without a standard form or format. The DOE 417 form which is currently utilized
for reporting purposes is out-dated and does not account for the types of incidents as identified in the NERC
Threat and Incident Reporting Guidelines. The guidelines state that an entity can report security incidents to
the ESISAC, through CIPIS (Critical Infrastructure Protection Information System), and/or RCIS (Reliability
Coordinator Information Center). CIPIS refers an entity to the NICC and to the WECC. Additionally, APS
proposes that the terms and timelines of reporting security incidents be clearly identified. Events are often
detected quickly or immediately. Determining whether or not the event was sabotage and/or a reportable
event, however, typically takes much longer. There is no time allowance for an entity to investigate the event
to determine what actually occurred. Currently, DOE 417 provides that acts of sabotage should be reported
within one hour of detection if the impact could affect the reliable operation of the bulk power system. This
may affect the accuracy of the information being provided by an entity on its initial reporting. Finally,
provisions should be incorporated to address the privacy of information being submitted, including handling
and storage.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has not
determined at this time what bright line will be used for the yet to be drafted Standard(s) which should streamline the reporting process (what events
and what timeline should be used).
SPS Consulting Group Inc.
No
At least not exclusively. The current standards and the guidance fail to consider that different registered
entities will have different scopes of awareness for when disturbances may take place. We want to avoid the
situation where a generator (for example) is cited for failure to report a disturbance of which they have no way of
knowing occurred.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT will take
into consideration what Registered Entities are to be included within the yet to be written standard(s) based on the SAR and the facilities each type of
Registered Entity is required to have.
Bonneville Power Administration
No
Then Yes
BPA likes the idea of consolidating information and eliminating duplication of reported information. In the
report, don’t include every detail possible found in the “Threat Guideline”. TOPs are supposed to be
operating the electrical system, not doing investigative work for copper theft incidents (see comment on #5).
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has not
determined at this time what bright line will be used for the yet to be drafted Standard(s). We will consider your specific suggestion for not requiring
reporting of incidents such as copper theft when we develop the proposed requirements.
Lands Energy Consulting
No
My firm provides compliance consulting services to a number of smaller (50-700 MW peak load) LSE/DP
registered entities. EOP-004 creates an obligation for LSEs to report "disturbances" that affect their systems.
A few of the smaller of these systems receive service from Bonneville-owned transmission lines that serve
only 4-6 substations. The NERC Form establishes loss of 50% of the LSE's retail customers as a reportable
disturbance. One of my clients receives service from BPA at 5 substations. A single industrial customer with
a substantially dedicated substation comprises 90% of the utility's MWH load. Were it not for this customer,
the utility would have been well below the registration requirement for a DP/LSE. The balance of the load,
about 15 MW of peak and 4000 retail customers, is served from 5 substations. Four of these substations
serving 3000 customers are served from a long Bonneville 115 kV BES transmission line that runs through a
heavily treed right of way. Every time this single line experiences a permanent outage (which will happen a
few times a year), the utility loses less than 10 MW of load, but 75% of its retail customers. Under the
disturbance reporting criteria, this outage would constitute a reportable disturbance for the utility. When the
NERC disturbance reporting criteria were adopted, I doubt that anyone conceived that they would apply to
cases like I just described. Reporting trivial events like I've just described constitutes a nuisance to the entity
making the report and NERC/WECC for having to process the report. The outage has no earthly effect on the
reliability of the BES and certainly doesn't warrant preparation of any kind of disturbance report.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT will take
into consideration what Registered Entities are to be included within the yet to be written standard(s) based on the NERC Standards Committee
approved SAR. The DSR SDT will review the Commission's concern that an adversary might determine that a small LSE is the appropriate target
when the adversary aims at a particular population or facility, as stated in FERC Order 693, paragraph 459. The intent of the proposed standard(s) is to
address reporting needed for after-the-fact analyses of events as well as reporting necessary for situational awareness.
SERC Reliability Coordinator
Sub-committee (RCS)
No
Routine minor incidents such as copper theft and gun shots to insulators should not be reported. These types
of minor events do not affect the reliability of the BPS. Existing reporting requirements are satisfactory. The
focus of reporting should be on reliability related incidents and not incidents related to vandalism as such.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). Reporting thresholds
will be determined during the next step of the Standards Development process. The DSR SDT agrees with your comments on vandalism but a balance
must be further explored to meet industry and regulatory requirements specifically under FERC Order 693.
Consumers Energy Company
No
The existing guidelines ignore the fact that there are currently three overlapping and inconsistent reporting
requirements for disturbances of various types: CIP-001, EOP-004, and DOE OE-417. The reporting should
be such that any single event type needs to be reported only once, and to only a single agency, for any
disturbance. First, CIP-001 events should be reported to the ES-ISAC under one specific requirement (or set
of requirements) and removed from OE-417 and EOP-004, such that all interested agencies obtain their
information from only that one source. Second, OE-417 events should be reportable ONLY to DOE, and,
again, other agencies should obtain their information from only that one source. If NERC wishes to make
such reporting mandatory and enforceable, the NERC requirements should indicate ONLY that such reporting
should be made in accordance with OE-417. Finally, EOP-004 (or similar requirements) should require
reporting to NERC ONLY in the case of events that don’t fit under CIP-001 or OE-417 requirements.
Alternatively, OE-417 should be submitted ONLY to NERC and they should disseminate the information.
EOP-004 has several issues and inconsistencies:
a. EOP-004 requires that the entity that submits form DOE-417 to provide copies to NERC. The DOE-417
form intermixes NERC entity definitions (e.g. BA, LSE, TO) with generic terms such as “Electric Utilities” and
“Generating Entities”. Is it the Generator Owner or Generator Operator that is required to submit the
information? There should be one form or at least well defined definitions that apply to both forms.
b. EOP-004-1 R3.1 requires submittal within 24 hours, however Table 1-EOP-004-0 which purports to
summarize the standard appears to change this requirement to 1 hour for several disturbances. Additionally,
it incorrectly summarizes the reporting time for 50,000 customers, which is 6 hours in DOE-417 and
summarized in Table 1-EOP-004-0 as 1-hour. An attachment to a standard should not be allowed to
supersede the standard or create additional rules.
c. EOP-004-1 R3.1 requires submittal within 24 hours, however Table 1-EOP-004-0 which purports to
summarize the standard appears to change the standard. R3.1 clearly states that events are to be reported
within 24 hours of identification, however Table 1-EOP-004-0 states that the events are to be reported on the
basis of the start of the disturbance. An attachment to a standard should not be allowed to supersede the
standard or create additional rules.
d. EOP-004-1 R3.1 requires submittal within 24 hours, however Table 1-EOP-004-0 which purports to
summarize the standard appears to change the standard. R3.1 clearly states that events are to be reported
within 24 hours of identification, however Table 1-EOP-004-0 states that copies of DOE-417 are required to
be submitted “simultaneously”. It also states that schedules 1 and 2 are due within 24 hours of start of the
event instead of 48 hours per DOE-417 for schedule 2. An attachment to a standard should not be allowed
to supersede the standard or create additional rules.
e. The requirement of loss of customers should be scaled based on customers served. Loss of 50,000
customers to a utility that serves 100,000 customers is different than loss of 50,000 customers to a utility that
serves 2,000,000 customers.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT agrees
that present Reliability Standards can be complicated and lead to confusion when working on maintaining system reliability in the area of reporting per
CIP-001-1 and EOP-004-1. We will consider the disagreements you’ve identified in existing reporting requirements when we develop the proposed
requirements.
Central Lincoln
No
The guidance document makes no distinction between entities that operate 24/7 dispatch and those that
don’t. The 1 hour and even the 24 hour reporting requirements in some cases will be impossible for entities
without 24/7 dispatch to meet without changing business practices. These are the same entities that present
little or no risk to the BES.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT will take
into consideration what Registered Entities are to be included within the yet to be written standard(s) based on the SAR. The DSR SDT will establish
the “requirements necessary for users, owners, and operators of the Bulk-Power-System” as stated in FERC Order 693, paragraph 617 and the
difference in reporting of events on the BES, as stated in the Purpose statement of EOP-004-1. The intent of the proposed standard(s) is to address
reporting needed for after-the-fact analyses of events as well as reporting necessary for situational awareness.
MRO's NERC Standards Review
Subcommittee
No
Then Yes
We agree with using the present documentation but would like just one reporting form. We are concerned
that the guidelines and reporting periods specified within the DOE OE-417 report conflict with the NERC
Guidelines. For example, DOE OE-417 report requires “Suspected Physical or Cyber Impairment” to be
reported within 6 hours. The NERC guidelines indicate “Suspected Activities” are to be reported within 1 hour.
We recommend the SDT use the DOE OE-417 report as a guiding document, and then determine additional
reporting requirements using guidance from the NERC Guideline. FERC Order 693 appears to indicate
conflicts and confusion with NERC reporting requirements and DOE reporting requirements should be
eliminated.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT is
looking to streamline required reporting actions and remove any redundant reporting requirements if at all possible. The DOE Form OE-417 is
currently mandatory under Public Law 93-275 for entities within the jurisdiction of the U.S. Department of Energy. We will consider the disagreements
you’ve identified in existing reporting requirements when we develop the proposed requirements.
Luminant
No
Then Yes
While the guidance is generally ok in the “NERC Guideline: Threat and Incidence Reporting”, the reporting
timelines include 1 hour, 2 hours, 4 hours, 6 hours, 8 hours, 24 hours, and 48 hours. Please simplify and
reduce the variation in timelines. When it comes to Sabotage reporting, some time requirements start with
detection, some start with determination of sabotage and some events do not specify the trigger for the
reporting clock to start. Again, please provide clarity and consistency around the start of the timeline for
reporting. Generally, the reporting timing should start with the recognition or determination that a suspected
or known sabotage event occurred.
Response: The DSR SDT thanks you for your comment. The DSR SDT is looking to streamline required reporting actions and remove any redundant
reporting requirements if at all possible. The DSR SDT agrees that present Reliability Standards can be complicated and lead to confusion when
working on maintaining system reliability in the area of reporting per CIP-001-1 and EOP-004-1. We will consider your specific suggestion for less
variation in reporting timeframes, when we develop the proposed requirements.
We Energies
No
Then Yes
While the NERC Guideline includes readily discernible information (and we would like to see that format
carried forward into any future documentation), utilize OE-417 as the foundation document in order to
eliminate reporting redundancies. If supplemental references are necessary for the proposed resolution, list
the document as an official attachment to the standard. Minimize the need to search in multiple locations for
guideline information - some may not be aware supporting documentation exists without explicit reference
within the standard.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT is
looking to streamline required reporting actions and remove any redundant reporting requirements if at all possible. The DSR SDT agrees that present
Reliability Standards can be complicated and lead to confusion when working on maintaining system reliability in the area of reporting per CIP-001-1
and EOP-004-1. The DOE Form OE-417 is currently mandatory under Public Law 93-275 for entities within the jurisdiction of the U.S. Department of
Energy. We will consider your recommendation regarding listing supplemental references within the body of the standard when we draft the proposed
standard(s).
American Electric Power
Yes
Bandera Electric Cooperative, Inc.
Yes
Calpine Corp.
Yes
Duke Energy
Yes
Edison Mission Marketing & Trading
Yes
Exelon
Yes
Independent Electricity System Operator
Yes
PacifiCorp
Yes
Platte River Power Authority
Yes
Central Hudson Gas & Electric
Yes
Central Hudson agrees with using the “NERC Guideline: Threat and Incident Reporting” in the development of
requirements. Central Hudson has currently in place a NERC-DOE Threat and Incident Reporting Table
developed from this NERC Guideline that allows for a quick-reference to all threat and incident reporting
criteria (arranged by category) with a cross-reference to the specific reporting form (NERC Interconnection
Reliability Operating Limit and Preliminary Disturbance Report, DOE Form OE-417, or NERC ES-ISAC Threat
and Incident Report Form). Central Hudson recommends maintaining the option of utilizing only 1 form, the
DOE Form OE-417, for incidents that require reporting to the DOE and NERC to maintain the streamlined
approach to this reporting process.
Response: The DSR SDT thanks you for your comment. The DSR SDT is looking to have a single reporting report form (per question 3) and
streamline the reporting processes that may be developed within a yet to be written requirement(s).
E.ON U.S. LLC
Yes
E.ON U.S. believes that the guidelines provide greater clarity for reporting forced outages caused by
disturbances and sabotage but there remain issues in need of further clarification. For example, there
remains too much subjectivity on the reporting of forced outages when there is “identification of valuable
lessons learned”.
Response: The DSR SDT thanks you for your comment. The DSR SDT concurs that further clarification is required with the ambiguous statement
“identification of valuable lessons learned” contained in the guideline – use of this phrase does not meet the technical writing threshold required for
inclusion in a NERC Standard. The DSR SDT’s intent was to look at the posted NERC Guideline and ask the industry if DSR SDT should consider
existing guidelines for possible inclusion into the yet to be written requirement(s). Recommendation of changes to the “NERC Guideline: Threat and
Incident Reporting” should be submitted to NERC via the Critical Infrastructure Protection Committee.
Public Service Enterprise Group Companies
Yes
EOP reportable disturbances are familiar concepts in the industry.
Response: The DSR SDT thanks you for your comment and support.
Orange and Rockland Utilities, Inc.
Yes
However, the SDT needs to maintain clear demarcation for the criteria for reporting events, and only those
events that directly affect the reliability of the BES.
Response: The DSR SDT thanks you for your comment. The DSR SDT has been directed to review all disturbance type activities and submit to the
industry a well thought out set of requirements that clearly define disturbance events and what information is required to enhance an
entity’s situational awareness. Clear demarcation for the criteria for reporting will be determined in the near future based on the approved SAR and
industry feedback. The intent of the proposed standard(s) is to address reporting needed for after-the-fact analyses of events as well as reporting
necessary for situational awareness.
Wolverine Power Supply Cooperative, Inc.
Yes
I agree with referencing existing guidelines - However: My concern is that, until all reportable incidents are
analyzed by the parties to which they are reported, their "impact" on the BES will not be quantified.
Therefore, the tendency to want to "report all events so that their impact can be determined" or "report all
events because the information can be utilized for informational purposes, regardless of impact on BES"
might lead to expanded reporting requirements, some of which may have questionable value from a reliability
standpoint.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if the DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has
been directed to review all disturbance type activities and submit to the industry a well thought out set of requirements that clearly define reportable
events and what information is required to enhance an entity’s situational awareness. Clear demarcation for the criteria for reporting will be
determined in the near future based on the approved SAR and industry feedback. The intent of the proposed standard(s) is to address reporting
needed for after-the-fact analyses of events as well as reporting necessary for situational awareness.
Hydro-Québec TransEnergie (HQT)
Yes
In considering guidance found in the document “NERC Guideline: Threat and Incident Reporting”, the SDT
should maintain focus on only those items that are absolutely necessary to maintain the reliability of the Bulk
Electric System. In fact, the purpose of reporting per EOP-004 is that disturbances... need to be studied and
understood to minimize the likelihood of similar events in the future.
Northeast Power Coordinating Council
Yes
In considering guidance found in the document “NERC Guideline: Threat and Incident Reporting”, the SDT
should maintain focus on only those items that are absolutely necessary to maintain the reliability of the Bulk
Electric System. In fact, the purpose of reporting per EOP-004 is that disturbances... need to be studied and
understood to minimize the likelihood of similar events in the future.
Response: The DSR SDT thanks you for your comment. The DSR SDT will establish the “requirements necessary for users, owners, and operators of
the Bulk-Power-System” as stated in FERC Order 693, paragraph 617 and the difference in reporting of events on the BES, as stated in the Purpose
statement of EOP-004-1. The intent of the proposed standard(s) is to address reporting needed for after-the-fact analyses of events as well as
reporting necessary for situational awareness.
Western Electricity Coordinating Council
Yes
It is comprehensive; however, we must keep in mind that the OE-417 is required under Public Law 93-275
and needs to be attached if applicable in the US.
Response: The DSR SDT thanks you for your comment.
Oncor Electric Delivery Company LLC
Yes
"NERC Guideline: Threat and Incident Reporting" document should be used for guidance as it identifies best
practices for reporting.
Response: The DSR SDT thanks you for your comment.
Manitoba Hydro
Yes
The “Threat and Incident Reporting” document contains a lot of detailed information which greatly assists in
determining reporting events and weaning out non important events. The document contains some examples
and expected reporting time lines. Attachment 1-EOP-004, though considerably smaller and condensed it
does contain some detail not mentioned in “Threat and Incident Reporting”. Integrating the “Threat and
Incident Reporting” into Attachment 1-EOP-004, though large in size, has lots of information and is easy to
follow would be a large improvement to existing protocol OR SEE QUESTION 3 COMMENTS. Incidences we
have experienced on our system, in past were difficult to delineate as reportable, who to report to and when.
An improvement to this Standard is welcome.
Response: The DSR SDT thanks you for your comment. The DSR SDT is looking to streamline and remove any redundancies within the NERC
Standard’s requirements.
Constellation Power Source Generation
Yes
The existing guidance is an excellent base on which to build changes to EOP-004 and CIP-001. However, the
SDT must challenge each item in the different event categories and clarify or omit bullet points that are
seemingly vague. For example, under System Disturbances, a forced outage report is needed when “a
generation asset of 500 MW or above is on a forced outage for unknown reasons, or a forced outage of
generation of 2,000 MW occurs...” Simply removing the 500 MW criteria would make this criterion less vague.
There are other examples of this in the guideline.
Response: The DSR SDT thanks you for your comment. The DSR SDT is looking to streamline and remove any redundancies within the NERC
Standard’s requirements. It is the intent of the SDT to carefully review the different event categories and provide clarity where needed to remove
ambiguity.
ISO RTO Council Standards Review Committee
Yes
The guidelines in EOP-004 and its attachments should be retained as the foundation for reporting
disturbances. One would note that such EOP Disturbances are relatively well defined reliability impacts. Thus
EOP-004 disturbances are based on HOW certain events impacted the BES. [Sabotage on the other hand
requires an implication of WHY an event occurred.] The original EOP-004 represents a common sense
approach to defining reliability events that may be useful to analyze on a regional basis. In the current
environment, Regions are not sanctionable entities but they still are valuable sources to collect, analyze and
trend the few disturbances that occur in each region. To make use of Regions, however, precludes the use of
sanctionable NERC standards. EOP-004 as written does not meet the NERC requirements for standards but
it does meet the Industry needs for a guideline for reporting events that deserve to be reviewed. The SDT
should propose deleting EOP-004 and use it as a Disturbance Reporting Guideline.
Response: The DSR SDT thanks you for your comment. Regions are required to comply with requirements in NERC Reliability Standards – however
Regions are not sanctioned the same way as users, owners and operators of the bulk power system – if a Region fails to comply with a NERC
Reliability Standard, it can be fined for failure to comply under the ERO’s Rules of Procedure.
USBR
Yes
The reporting outlined in the proposed plan does not include a clear indication of how NERC will use the
information they collect from the entities. Care needs to be taken in addressing the reporting requirements to
not create a more confusing or onerous reporting process.
Response: The DSR SDT thanks you for your comment. It is anticipated that NERC will analyze events to assess trends and identify lessons learned
for industry feedback and reliability improvement.
FirstEnergy
Yes
This guideline appears to be a good starting point for developing consistency in reporting. However, we
believe that after-the-fact event reporting is administrative in nature and seldom rises to the level of mandated
reliability standard requirements. It is not clear what reporting would be made through this effort and how it
differs from reporting made through the NERC Reliability Coordinator Information System (RCIS). With the
initiative for more results-based standards being the goal of NERC, true after the fact reporting-type
requirements should become administrative procedures and only be included in standards if they are truly
required for preserving an Adequate Level of Reliability. If there are aspects that rise to be retained in a
mandatory and enforceable reliability standard, we propose that those associated with sabotage be moved to
CIP-001 and that EOP-004 be focused on operational disturbances that warrant wide-area knowledge.
However, if the RCIS is the mechanism to convey real-time information and that is presently occurring outside
of reliability standards, it is unclear what the delta improvement this project aims to achieve.
Response: The DSR SDT thanks you for your comment. As stated in FERC Order 693, paragraph 611, “Complete and timely data is essential for
analyzing system disturbances” and in paragraph 617, “the Commission directs the ERO to develop a modification to EOP-004-1 through the
Reliability Standards development process that includes any requirements necessary for users, owners, and operators of the Bulk-Power-System to
provide data that will assist NERC in the investigation of a blackout or disturbance”. Some data is needed, therefore, for after-the-fact analyses. In
addition, some data is needed much more quickly for situational awareness. The DSR SDT will analyze and determine what constitutes a reportable
event and what information is required for situational awareness as opposed to after the fact analyses of events.
Portland General Electric
Yes
This process is in place and utilities are familiar with it. This is a good place to start.
Response: The DSR SDT thanks you for your comment and support.
Ameren
Yes
We agree that it makes sense to build upon existing documentation. However, we do not believe it is
necessary to require event reporting to be in an enforceable standard. Rather the drafting team should
consider developing a reporting guideline document and retiring the EOP-004 standard.
Response: The DSR SDT thanks you for your comment. As stated in FERC Order 693, paragraph 611, “Complete and timely data is essential for
analyzing system disturbances” and in paragraph 617, “the Commission directs the ERO to develop a modification to EOP-004-1 through the
Reliability Standards development process that includes any requirements necessary for users, owners, and operators of the Bulk-Power-System to
provide data that will assist NERC in the investigation of a blackout or disturbance”. Some data is needed, therefore, for after-the-fact analyses. In
addition, some data is needed much more quickly for situational awareness. As envisioned, the requirements developed under this project will
address both types of reporting requirements.
Midwest ISO Standards Collaborators
Yes
We agree that it makes sense to build upon existing documentation. However, we do not believe it is
necessary to require event reporting to be in an enforceable standard. Rather the drafting team should
consider developing a reporting guideline document and retiring the EOP-004 standard. This is further
supported by the fact that there is a role in the existing standard for the Regional Entities even though these
requirements can’t be enforced against the Regional Entities because they are not a user, owner or operator
of the system.
Response: The DSR SDT thanks you for your comment. As stated in FERC Order 693, paragraph 611, “Complete and timely data is essential for
analyzing system disturbances” and in paragraph 617, “the Commission directs the ERO to develop a modification to EOP-004-1 through the
Reliability Standards development process that includes any requirements necessary for users, owners, and operators of the Bulk-Power-System to
provide data that will assist NERC in the investigation of a blackout or disturbance”. Some data is needed, therefore, for after-the-fact analyses. In
addition, some data is needed much more quickly for situational awareness. As envisioned, the requirements developed under this project will
address both types of reporting requirements.
Dynegy Inc.
Yes
We agree with using the guidance; however, please consider revising the NERC Guideline: Threat and
Incident Reporting document to (i) lengthen the reporting timelines related to attempted sabotage to allow for
additional time to deem the threat credible, (ii) expand the description of forced outage of generation greater
than 2000 MW to include whether it is at the BA or GO level and if GO level, whether it is for one site or the
combined GO's sites in a Region, and (iii) add a Responsible Party column to the Appendix A matrix.
Response: The DSR SDT thanks you for your comment. Recommendation of changes to the “NERC Guideline: Threat and Incident Reporting” should
be submitted to NERC via the Critical Infrastructure Protection Committee since that falls outside the scope of the SAR.
We will consider your specific suggestions for revisions to reporting requirements when we develop the proposed requirements.
BGE
Yes
We have no problem with NERC using the existing guidance as the foundation for disturbance reporting;
however, since this project proposes to investigate incorporation of the Cyber Incident reporting aspects of
CIP-008, we feel that if adopted, this concept should be added to the NERC Guideline document "Threat and
Incident Reporting".
Response: The DSR SDT thanks you for your comment. Recommendation of changes to the “NERC Guideline: Threat and Incident Reporting” should
be submitted to NERC via the Critical Infrastructure Protection Committee since that falls outside the scope of the SAR.
Electric Market Policy
Yes
Yes; however, in considering guidance found in the document “NERC Guideline: Threat and Incident
Reporting” the SDT should maintain focus on only those items that are absolutely necessary to maintain the
reliability of the Bulk Electric System. In fact, the purpose of reporting per EOP-004 is that disturbances...
need to be studied and understood to minimize the likelihood of similar events in the future.
Response: The DSR SDT thanks you for your comment. The DSR SDT will establish the “requirements necessary for users, owners, and operators of
the Bulk-Power-System” as stated in FERC Order 693, paragraph 617 and the difference in reporting of events on the BES, as stated in the Purpose
statement of EOP-004-1. As envisioned, the requirements developed under this project will address reporting requirements that are used for
after-the-fact analyses as well as reporting requirements that are associated with situational awareness.
2. The DSR SDT is considering developing a reporting hierarchy for disturbances that requires entities
to submit information to the Reliability Coordinator and then for the Reliability Coordinator to submit
the report. Do you agree with this hierarchy concept? Please explain your response (yes or no) in
the comment area.
Summary Consideration: Most stakeholders (about 2/3) agree with the concept of developing a reporting hierarchy for
disturbances. Stakeholders who disagreed believed that the RC should be one of many to receive information on impact events
(DOE, RRO, etc.). Such a hierarchy would lead to reporting delays (leading to lack of situational awareness), be cumbersome
and complicated and cloud responsibility for who is to report what to whom. Other negative comments believed that a
hierarchy would distract the RC’s focus from its primary responsibility. Those stakeholders who agreed commented that the RC
should be the collection point for reports and information and take the responsibility to forward as required. This is from the
concept that the RC has the “wider view” and can recognize patterns, and has the ability to “escalate” the reporting process.
This would also minimize duplication of reports and information.
Organization
Yes or No
Question 2 Comment
BGE
No
As currently worded, BGE opposes the reporting hierarchy concept, since insufficient guidelines were
proposed to prevent translation errors between the responsible entity (RE) and the RC. In addition to creating
possible reporting errors, this also opens a risk that the RC could misrepresent the true intent of an RE’s
report contents if called upon to explain/justify a submitted report. Reporting delays are another concern with
this proposal because the RE would basically be relinquishing control of the reporting process to the RC, while
ultimately retaining the responsibility for ensuring the report gets submitted within the required timeframe.
However, BGE recognizes that avoiding duplication and conflicting reports as well as encouraging
communication are valuable. To make the reporting hierarchy concept acceptable to BGE, the DSR SDT
must develop proper controls to ensure the RE has the ability to control or approve the information submitted
and/or subsequently discussed with the respective authorities, and that it is done within the permissible
timeframe to satisfy compliance requirements.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely
reporting, clear accountability so that risk is not transferred, and a mechanism to ensure the Responsible Entity’s reported information remains as
submitted.
Consumers Energy Company
No
It would be inefficient for RC’s to accumulate ALL disturbance data and submit it, and to bifurcate the reporting based on
type of disturbance above and beyond OE-417 data (which should go ONLY to DOE) would make a standard very involved
for an entity to comply with. We’re discussing after-event data here, not data needed for current operations - and there’s no
reason to make it any more complicated than necessary.
Response: The DSR SDT thanks you for your comment. In order for a reporting hierarchy concept to be adopted, it will result in real efficiency gains by
eliminating duplication of reports. It will not be pursued if the result is a complicated or burdensome process for responsible entities.
Exelon
No
Some of the DOE related reporting is driven by distribution events, i.e. outages greater than 50,000 customers, is it realistic
to expect the RC, whose focus is on the transmission system to perform distribution related reporting?
Response: The DSR SDT thanks you for your comment. The DOE Reporting Form OE 417 is currently mandatory by Public Law and only applies to US
entities and contains reporting thresholds that are not required by NERC. Our goal is to derive reporting thresholds that meet NERC’s needs for
information on bulk electric system disturbances and real-time events, not distribution level-only problems.
USBR
No
The existing reporting methods collect reports of disturbances and analyze them by committees of the respective
coordinating councils. The new process would introduce a duplicate layer and associated staffing. It would be better to
ensure communication between the existing committees of the respective coordinating councils and the RC rather than
creating a new layer of review tracking and analysis. While the layered reporting hierarchy discussed in the Disturbance
Reporting section of the paper will eventually help with overall event awareness, the additional delays the hierarchical
approach could result in a decrease in situational (timely) awareness. Having more comprehensive information as a result of
the potential enhancements each layer adds to the chain of reporting may not be more valuable than timely and well
disseminated information in an actual disturbance situation. We would suggest the SDT give careful consideration to this
proposed direction. It may be appropriate to consider that expedited reporting of operational impacts would outweigh the
benefit of administratively intensive reporting procedures. The events reported through the existing process have not yielded
material feedback other than statistical analysis. Statistical analysis is not as sensitive to timely reporting. Operational
impacts which may be the result of possible sabotage may be evident through assessment of widespread outage patterns or
following event analysis. Comprehensive event analysis can take anywhere from 15 days to 90 days depending on the
event.
Response: The DSR SDT thanks you for your comment. We agree that reporting timeliness must be weighed against the perceived benefits of a
reporting hierarchy. If the reporting hierarchy concept is adopted, it should include controls to ensure timely reporting, clear accountability so that risk
of a violation of the standard is not transferred, and a process to ensure the responsible entities’ reported information remains as submitted. Also it
must result in real efficiency gains and support the reliability of the bulk electric system.
ISO RTO Council Standards Review Committee
No
The idea of a reporting hierarchy provides an easy to follow pro forma approach. But disturbance reports should not always
follow a common reporting path. A disturbance on the transmission system for example need not be routed through an “if
applicable” Balancing Authority. To mandate that a BA be in the path is inappropriate. To leave the applicability open is to
create a subjective compliance problem for the impacted BA. Copper theft is another example that should not require
reporting up through the RC. It is a local issue and the Transmission Owner should be able to report this directly to the
appropriate parties. How would a DP, LSE or GO know if an event is an “impact event”? The posed impact events are a
series of conditions for sabotage but not for EOP-type disturbances. The aforementioned entities have no requirement to
monitor and analyze the BES, which then means every event would be an impact event for those entities (not an EOP
disturbance but an impact event). Thus every theft of copper is an impact event mandating a Disturbance Report even
though the SDT notes the RC only has to send it to the “local authorities”. This seems to be a misuse of the RC resources;
every train derailment is an impact event requiring a Disturbance report (is that a commercial train, regional rail line a local
trolley car); every teenage prank would also generate an impact event mandating a disturbance report. The SDT defined
impact events are not appropriate for use in defining disturbances. There is a big difference from creating a set of guidelines
to follow as opposed to creating sanctionable standards.
Response: The DSR SDT thanks you for your comment. Furthermore, impact events should not include copper theft or other conditions that pose no
threat to the reliability of the BES. A train derailment is only an impact event if it threatens some element of the bulk electric system such as a
transmission line corridor - the derailment in itself is not an impact event. See more on impact events under the responses to Question 3.
Bonneville Power Administration
No
The RC is made aware of these type of incidents and goes right back to incorporating that in their awareness and to focusing
on system reliability. If the RC is the recipient for further distribution of information of this type they will be forever going back
for more information. Eliminate the middleman in whatever concept you propose, folks have plenty to do now. Let people
make good judgments with the direct field people on the seriousness of the breach with their security personnel contacting
the appropriate law enforcement agency. (Or are you looking to do a simple RE reports to the RC who marks various
category items on a secure website Yes/No category item indicator that can be rolled up in ES-ISAC map board?)
Response: The DSR SDT thanks you for your comment. The Reliability Coordinator’s suggested role in this is to allow them to incorporate the
relevant data from responsible entities in their footprint for further analysis.
Duke Energy
No
The RC should not be responsible for submitting the report to FERC, NERC or the RRO. The RC may not have the
necessary first hand information concerning the facts of the event. Situation awareness can be maintained by including the
RC in the distribution of any sabotage related reporting.
SERC Reliability Coordinator Subcommittee (RCS)
No
The RC should not be responsible for submitting the report to FERC, NERC or the RRO. The RC may not have the
necessary first hand information concerning the facts of the event. Situation awareness can be maintained by including the
RC in the distribution of any sabotage related reporting.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely
reporting, clear accountability so that risk of a violation of the standard is not transferred, and a process to ensure the responsible entities’ reported
information remains as submitted. Also it must result in real efficiency gains and support the reliability of the bulk electric system.
ERCOT ISO
No
There are some events that are truly local and should be handled by local entities and reported to local authorities (i.e. theft).
If there is an impact or potential to have an impact to the BES or to the region, then hierarchical reporting would be
appropriate.
Response: The DSR SDT thanks you for your comment. We agree - a clearly defined impact event criteria would do just as you suggest - leave local
issues on the local level.
Northeast Power Coordinating Council
No
This is not a standards issue, and NERC should not dictate the reporting structure. It should be left to the RCs and their
members.
Response: The DSR SDT thanks you for your comment. In defining a disturbance reporting hierarchy we sought to realize efficiencies. If the reporting
hierarchy concept is adopted, it must result in real efficiency gains and support the reliability of the bulk electric system. It will not be adopted if the
result is a complicated or burdensome process for responsible entities.
MRO's NERC
S ta n d a rd s Re vie w
S u b c o m m itte e
No
We agree a coordinated reporting process is beneficial for the entity and the Reliability Coordinator (RC). However, a
hierarchy would likely lengthen the reporting timeframe, or reduce the allotted time for each entity to provide notification to
the RC in order to meet DOE or NERC timelines. Communication and coordination with the RC would likely provide more
accurate and complete data submissions within a timely process and create shared accountability for the report being
submitted.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely
reporting, clear accountability so that risk of a violation of the standard is not transferred, and some mechanism to ensure the responsible entities’
reported information remains as submitted.
September 15, 2010
Consideration of Comments on Concept Paper for Disturbance and Sabotage Reporting — Project 2009-01
Organization
Yes or No
Question 2 Comment
Midwest ISO Standards Collaborators
No
We do not agree with developing a hierarchy for reporting for all disturbances and impacting events. For instance, copper
theft is an example of an item that should be reported to the appropriate entities directly by the Transmission Owner. The
RC does not need to be made aware of every copper theft unless it has a direct impact on reliability (affects rating, protection
system, etc.) and the RC should not be burdened with expending resources for this reporting. A further example in which the
hierarchy is not needed would be the case in which only one entity is impacted. If a significant event occurs on one TOP’s
system, then the TOP should be able to handle the reporting of all entities under its purview. If more than one TOP is
involved, then it would be necessary to involve the RC in the reporting.
Response: The DSR SDT thanks you for your comment. The reporting hierarchy concept is meant to apply only to disturbance reporting. We agree
that copper theft and other situations that do not pose a direct threat to reliability shouldn’t be reported to NERC through this standard.
FirstEnergy
No
While we appreciate the team's effort to serialize the reporting process, with the electronic communication methods available
today, it seems that reporting can be accomplished simultaneously to multiple entities without shifting the burden of reporting
to others along the communications path. This is particularly true if the reporting format is standardized to a one-size-fits-all
report. Additionally, it would be a great burden to the Reliability Coordinator to review all events perceived by entities to be
malicious sabotage events.
Response: The DSR SDT thanks you for your comment. The reporting hierarchy concept would only apply to disturbance reporting, not impact events.
The Reliability Coordinator’s suggested role in this is to allow them to incorporate the relevant data from responsible entities in their footprint for further
analysis. We will consider your suggestion of simultaneous submissions as a means to effectively notify the necessary parties.
Edison Mission
Marketing & Trading
Yes
PacifiCorp
Yes
SPS Consulting Group
Inc.
Calpine Corp.
Yes
Yes
A Functional Entity such as a Generator Owner/Operator is not always aware that an event, such as a plant trip, is part of a
wider system disturbance that rises to the level of a reportable event under EOP-004. A reporting hierarchy that allows a
Generator to report the facts to its Transmission Operator and have that entity take a wider view to determine whether there
is a disturbance should facilitate the reporting of actual disturbances. The SDT needs to ensure that some thought goes into
the flow of information within the hierarchy and what triggers are needed to drive the reporting up the hierarchy.
Response: The DSR SDT thanks you for your comment. A reporting hierarchy process must include clear triggers for reporting and provide an
efficient, well-defined information flow.
We Energies
Yes
A hierarchical approach in conjunction with a single, electronic form would provide consistent reporting timelines, provide
clarity in the reporting process, and provide more accurate and meaningful data submissions while having shared
accountability. Confusion in the current method could be alleviated while providing more consistency in the reporting of an
"impact event".
Response: The DSR SDT thanks you for your comment.
Arizona Public Service
Company
Yes
All disturbance reporting should go through the RC.
Response: The DSR SDT thanks you for your comment.
Constellation Power
Source Generation
Yes
As stated in the concept paper, a hierarchy ensures proper communications, but it has the added benefit of reducing
redundancy on the Registered Entities, so long as responsibilities and accountability are clearly established.
Response: The DSR SDT thanks you for your comment.
Central Hudson Gas &
Electric
Yes
Central Hudson agrees with this reporting hierarchy for disturbances given the "wider-view" of the Reliability Coordinator as
opposed to an entity such as a Transmission Owner or Load-Serving Entity. While, based on past experience, the current
process works if reports are filed to the DOE, RRO, and RC simultaneously via email for example. However, the RC is in a
better position to identify multi-site incidents and escalate the reporting process if necessary.
Response: The DSR SDT thanks you for your comment.
Wolverine Power Supply
Cooperative, Inc.
Yes
From the perspective of a TOP, this seems to alleviate reporting burden and move it up line. I can understand the logic in
wanting the reporting to flow through the RC for awareness purposes, but I can understand the RC's reluctance to bear the
additional potential burden. Again, a focused effort to minimize the necessary reporting to "true impact events" should be
kept in mind, regardless of who has to report. Collecting reams of data and figuring out what impact it has later should not
be the goal.
Response: The DSR SDT thanks you for your comment. We agree that regardless of any reporting hierarchy, the goal is to report on disturbances and
events with meaningful impact on the bulk electric system. See Question 3 responses for more information on how we view impact events.
Electric Market Policy
Yes
Having the reporting flow through the Reliability Coordinator supports the reliability objective of assessing, monitoring, and
maintaining a wide-area view of the reliability of the Bulk Electric System.
Hydro-Québec
TransEnergie (HQT)
Yes
Having the reporting flow through the Reliability Coordinator supports the reliability objective of assessing, monitoring, and
maintaining a wide-area view of the reliability of the Bulk Electric System. The reporting hierarchy should be to submit the
information to the Reliability Coordinator, and to have the RC submit the report. This would eliminate the duplication of
information.
Orange and Rockland
Utilities, Inc.
Yes
Having the reporting flow through the Reliability Coordinator supports the reliability objective of assessing, monitoring, and
maintaining a wide-area view of the reliability of the Bulk Electric System. The reporting hierarchy should be to submit the
information to the Reliability Coordinator, and to have the RC submit the report. This would eliminate the duplication of
information.
Response: The DSR SDT thanks you for your comment.
Lands Energy
Consulting
Yes
I would give the RC the authority to establish impact thresholds for reporting. Consistent with my earlier comment, I would
set the materiality threshold for disturbance reporting purposes at LSEs (or a combination of LSEs in the case of BPA)
serving at least 90,000 customers.
Response: The DSR SDT thanks you for your comment. Reporting thresholds in the standard will meet NERC requirements: Reliability Coordinators
may have different reporting criteria to meet Regional requirements, but they will not appear in this yet to be written Standard.
Central Lincoln
Yes
In the west at least, this hierarchy should be extended to include BA’s as indicated in the Concepts Paper. See:
http://www.bpa.gov/corporate/business/reliability/Docs/2007/PNSC_RE_Data_Letter_2_070723.pdf
for the RC’s policy on which entities it chooses to communicate with.
Response: The DSR SDT thanks you for your comment. The hierarchy concept includes BAs as appropriate in the reporting structure.
Luminant
Yes
Luminant believes that one report should be filed with the Reliability Coordinator or one responsible entity, who then files the
report with all applicable entities.
Response: The DSR SDT thanks you for your comment.
Oncor Electric Delivery
Company LLC
Yes
Oncor agrees with this reporting hierarchy, in that dual reporting should be eliminated.
Response: The DSR SDT thanks you for your comment.
Portland General Electric
Yes
PGE is familiar with and works closely with WECC today so the hierarchical consideration makes sense.
Response: The DSR SDT thanks you for your comment.
Platte River Power
Authority
Yes
Situational awareness would be enhanced. All affected entities would be aware of the disturbance and relevant information.
Also, the flow of information between entities would be enhanced and a more comprehensive report could be developed.
Response: The DSR SDT thanks you for your comment.
Ameren
Yes
The hierarchy is appealing in the fact that the TOP/BA will be kept in the loop and receive critical information from the
Generators, Distribution, LSE, etc. But there will be an inherent delay in reporting due to the fact that at every hand-off of
information there will be questions for additional and/or clarified information, and there is always a possibility for the loss of
information due to the transfer from one entity to the next. Further, this reporting through a hierarchy could also take away
from the operators' ability to respond to system events due to being tied to an information transfer ladder.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely reporting,
clear accountability so that risk of a violation of the standard is not transferred, and some process to ensure the responsible entities’ reported
information remains as submitted. It must also ensure that it does not place any extra burden on operators that could create an additional risk to
reliability.
E.ON U.S. LLC
Yes
The hierarchy will simplify reporting from the entity in that the RC is always notified and then the RC notifies other parties as
required (with the exception of OE-417, which still has to be filled out per law). E.ON U.S. recommends that the drafting team
pay particular attention to the report process to make sure that duplicate reports are not being required. Currently
information on forced outages is already communicated to the RC so formalizing a requirement to provide data to the RC
may represent duplication to reports already provided.
Response: The DSR SDT thanks you for your comment. Avoiding duplication is a key goal of the drafting team.
Public Service Enterprise
Group Companies
Yes
The PSEG Companies believe that all entities with a reportable disturbance should report to the RC. The RC is best
positioned to evaluate the impact of the event and forward the information to the appropriate entities. There should not be
any intermediate entities to relay information to the RC as that can introduce delay and has the potential to introduce
transcription errors. Sabotage events should be reported to the RC as well as to law enforcement. CIP-008 reporting is
highly specialized and should be retained in the set of cyber security standards, not merged with CIP-001 and EOP-004.
Response: The DSR SDT thanks you for your comment. Detection of cyber events may be specialized but report of them is not. Threats to reliability
must be reported no matter what the cause. The DSR SDT proposes using the thresholds found in CIP-008 - this standard would provide a one stop
form to submit the information. Note that the current CIP-008 has a reporting requirement to the ES-ISAC only.
Manitoba Hydro
Yes
The Reporting Concept states that the new hierarchy is, “Affected entity to TOP/ BA to RC. Then the RC will then submit to
NERC and DOE (if required)”. This will enhance the existing requirement EOP-004-1 R4 which states that the RC shall assist
the affected entity by providing representatives to assist in the investigation (this is also all reiterated in Attachment 1-EOP004). In a disturbance, the local resources would be tied up in the rectification of the problem. Analyzing and reporting the
event (is it reportable, who to report to, what is the timeline) is distracting and time consuming. By leaving the final upper
level steps of reporting to NERC/DOE by the RC would be efficient.
Response: The DSR SDT thanks you for your comment.
Western Electricity
Coordinating Council
Yes
There should be an established time sequence that allows the RC to review the entities' material prior to forwarding to NERC.
By channeling all reports through the RC situational awareness will be enhanced. Instead of "submit information", it should
be clarified that entities submit complete written reports to RC in electronic format.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely reporting,
clear accountability so that risk of a violation of the standard is not transferred, and a process to ensure the responsible entities’ reported information
remains as submitted.
American Electric Power
Yes
This approach may work as long as there is a uniform process across all of the Reliability Coordinators. AEP owns and
operates BES facilities under three separate RCs and having differing rules and processes would create confusion and
additional burdens. There are some concerns about the time lag of reporting the information and this might not work well in
all cases especially if the information and knowledge are at the local level. AEP recommends that the standard could have a
default hierarchy, but this should not prohibit any entity from reporting directly.
Response: The DSR SDT thanks you for your comment. Our goal is uniform reporting criteria to meet specified requirements. We will consider the
risks and benefits of allowing a default hierarchical reporting structure with the ability for responsible entities to report directly to NERC.
Bandera Electric
Cooperative, Inc.
Yes
This approach, while I suspect will not be universally agreed to, should provide some definitive guidance in reporting.
Response: The DSR SDT thanks you for your comment.
Dynegy Inc.
Yes
This seems to be a straightforward approach in that the RC is the best judge of threats to the overall system and could
eliminate multiple reports of a single event.
Response: The DSR SDT thanks you for your comment.
Independent Electricity
System Operator
Yes
We do not agree with the need of such a hierarchy setup solely for the purpose of making reports to the need-to-know
entities. All responsible entities (RC, BA, TOP, etc.) need to file a report. With the proposed set up noted under Q3, which we
support, these reports should go directly to NERC. The RC should not be held responsible for forwarding other entities’
reports to NERC, and in doing so subject itself to potential non-compliance.
Response: The DSR SDT thanks you for your comment. If the reporting hierarchy concept is adopted, it will include controls to ensure timely reporting,
clear accountability so that risk of a violation of the standard is not transferred, and a process to ensure the responsible entities’ reported information
remains as submitted.
3. The goal of the DSR SDT is to have one report form for all functional entities (US, Canada, Mexico) to
submit to NERC. Do you agree with this change? Please explain your response (yes or no) in the
comment area.
Summary Consideration: Most stakeholders agreed with the concept of having one reporting form for all entities.
Several commenters suggested that there is no need for a standard on reporting as they considered it administrative in nature.
Most thought it should be a guideline, rather than an enforceable standard.
There is widespread agreement that the one-size-fits-all approach would be very difficult to get agreement on, given the
different countries and agencies involved. Many stakeholders pointed out that consistency and simplification were drivers for
one report form.
Having multiple recipients, with different information requirements, seems to support an electronic format that would guide
information only to those who need it. The concept of an electronic reporting tool would need to be further vetted and
developed.
Organization
Yes or No
Question 3 Comment
Bandera Electric Cooperative, Inc.
No preference in this area.
ISO RTO Council Standards Review Committee
No
The SRC supports NERC’s initiative for Results Based Standards. The SRC understood RBS to mean the
results were reliability based quantities not administrative quantities. There is no need for a NERC Reliability
standard on reporting. The idea that all functional entities in each of the said countries will use one form
would be a good idea if and only if all the countries and all of their agencies were willing to accept that form.
The SRC does not believe that those agencies will be willing to cede what information they ask for to NERC;
nor that NERC will be able to create a single form that all such agencies will accept.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements. The set of results-based standards is
intended to provide a ‘defense-in-depth’ approach to protecting reliability of the bulk power system. While many reports are administrative and are
only used to assess compliance with specific requirements, the reporting addressed in this project is focused on providing data needed to support
after-the-fact analyses of events, and reporting information needed to maintain situational awareness. As such, the SDT believes that these reporting
requirements do need to be enforceable.
FirstEnergy
No
While one consistent form for reporting may simplify reporting requirements, it would be very difficult to get all
governmental agencies to agree to a one-size-fits all approach.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Public Service Enterprise Group
Companies
No
While simplification and consistency is a laudable goal, it should not be applied to different governmental
agencies (USA, Canada, Mexico) which may have different structures and processes. Moreover, results
based standards should not include administrative matters such as reporting forms.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements. The set of results-based standards is
intended to provide a ‘defense-in-depth’ approach to protecting reliability of the bulk power system. While many reports are administrative and are
only used to assess compliance with specific requirements, the reporting addressed in this project is focused on providing data needed to support
after-the-fact analyses of events, and reporting information needed to maintain situational awareness. As such, the SDT believes that these reporting
requirements do need to be enforceable.
American Electric Power
Yes
Constellation Power Source
Generation
Yes
Exelon
Yes
PacifiCorp
Yes
Platte River Power Authority
Yes
Calpine Corp.
Yes
A single approach is desirable, particularly for those entities that find themselves in multiple regions or
countries.
Response: The DSR SDT thanks you for your comment.
We Energies
Yes
Agree in conjunction with proposed concept that DOE OE-417 will be allowed to supplement the NERC report
in lieu of duplicating entries.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Consumers Energy Company
Yes
Agreed - to the extent that it’s consistent with the concept that any specific type of data is submitted to ONLY
one entity.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Arizona Public Service Company
Yes
APS supports the standardization of the form for consistency and format.
Response: The DSR SDT thanks you for your comment.
Bonneville Power Administration
Yes
As long as we don’t make one form that requires extraneous information for the sake of having agreement.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Western Electricity Coordinating
Council
Yes
Canadian and Mexican entities should be consulted on content of report form to assure their "buy in".
Response: The DSR SDT thanks you for your comment. It is DSR SDT’s intent to discuss the need for information with appropriate jurisdictional
agencies.
Central Hudson Gas & Electric
Yes
Central Hudson agrees with this goal if the intent is to develop and implement an electronic version that would
meet DOE requirements as well.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
E.ON U.S. LLC
Yes
E.ON U.S. supports the proposal.
Response: The DSR SDT thanks you for your comment.
MRO's NERC Standards Review
Subcommittee
Yes
However, we believe the primary goal should focus on “each entity” being able to submit one report for all
functional requirements. Entities in the US that are required to submit the DOE OE-417 form should not be
required to submit an additional form developed for other entities (Canada & Mexico). One approach to satisfy
this goal is for NERC to require all entities (US, Canada, & Mexico) to complete the DOE OE-417 form as
their report.
Response: The DSR SDT thanks you for your comment.
Wolverine Power Supply
Cooperative, Inc.
Yes
I can't see how anyone would disagree with this concept - However - I question how practical it will be to
implement, since various agencies would have to collaborate and coordinate to accomplish this task.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Lands Energy Consulting
Yes
I think that the impact approach makes sense and that EOP-004 and CIP-001 are logically connected. Many
entities of which I am aware link Sabotage Reporting Training to Disturbance Reporting obligation awareness
already.
Response: The DSR SDT thanks you for your comment.
Oncor Electric Delivery Company
LLC
Yes
Oncor agrees that by using the same type reporting format, there should be consistency in regard to each
functional entity's expectations.
Response: The DSR SDT thanks you for your comment.
BGE
Yes
One form makes sense to us; less is better in the sense that it makes filing reports easier by not creating
unnecessary complications.
Response: The DSR SDT thanks you for your comment.
Ameren
Yes
One report would be great for this standard. While this standard needs simplification and automation, we
strongly suggest developing a guideline for reporting rather than enforceable standards.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements. The set of results-based standards is
intended to provide a ‘defense-in-depth’ approach to protecting reliability of the bulk power system. While many reports are administrative and are
only used to assess compliance with specific requirements, the reporting addressed in this project is focused on providing data needed to support
after-the-fact analyses of events, and reporting information needed to maintain situational awareness. As such, the SDT believes that these reporting
requirements do need to be enforceable.
Portland General Electric
Yes
PGE supports the efforts of the Standards Drafting Team on the SAR for Project 2009-01 to consolidate the
disturbance and sabotage reporting processes as outlined in the concept paper.
Response: The DSR SDT thanks you for your comment.
Dynegy Inc.
Yes
Please keep it short and simple.
Response: The DSR SDT thanks you for your comment.
ERCOT ISO
Yes
Standardization ensures consistency and relevance of the information received.
Response: The DSR SDT thanks you for your comment.
USBR
Yes
The Bureau of Reclamation utilizes a form for tracking unexpected events. This form contains information
which the agency considers important for its one reliability improvement program. The form is also used to
meet NERC standard requirements for protection system operations analysis. This form contains most of
information required by DOE. The SDT should consider requiring the submission of specific information
rather than lock responses in one specific form. In this manner the agency would avoid duplicate forms,
one for NERC, the other for agency purposes.
Response: The DSR SDT thanks you for your comment.
Central Lincoln
Yes
The existing reporting is needlessly complex. We appreciate the SDT’s goal.
Response: The DSR SDT thanks you for your comment.
SPS Consulting Group Inc.
Yes
There should have probably been one report all along.
Response: The DSR SDT thanks you for your comment.
Duke Energy
Yes
There should only be one report for all functional entities to submit to NERC.
Response: The DSR SDT thanks you for your comment.
SERC Reliability Coordinator
Sub-committee (RCS)
Yes
There should only be one report for all functional entities.
Response: The DSR SDT thanks you for your comment.
Manitoba Hydro
Yes
This is a promising idea, though there would be different requirements for the three countries, this could easily
be rectified with “drop down menus”. This electronic form could contain a lot of information without distracting
clutter as you “tree” down the menu depending on the event that occurred. This could also contain electronic
references to information located in Attachment 1-EOP-004 and Threat and Incident Reporting.
Response: The DSR SDT thanks you for your comment. We will consider your specific suggestions when we develop the reporting requirements.
Hydro-Québec TransEnergie
(HQT)
Yes
We agree with the concept that there should be one report form for all functional entities (whether located in
the US, Canada, Mexico) for use in reporting to NERC. This would provide for a consistent reporting format
across the continent.
Response: The DSR SDT thanks you for your comment.
Northeast Power Coordinating
Council
Yes
We agree with the concept that there should be one report form for all functional entities (whether located in
the US, Canada, Mexico) for use in reporting to NERC. This would provide for a consistent reporting format
across the continent.
Response: The DSR SDT thanks you for your comment.
Orange and Rockland Utilities,
Inc.
Yes
We agree with the concept that there should be one report form for all functional entities (whether located in
the US, Canada, Mexico) for use in reporting to NERC. This would provide for a consistent reporting format
across the continent.
Response: The DSR SDT thanks you for your comment.
Midwest ISO Standards
Collaborators
Yes
We agree with the goal of having a single report form but believe there will be a significant challenge to get
varying governmental agencies to agree on single report format.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Edison Mission Marketing &
Trading
Yes
With the realization that having a common report form may be difficult to coordinate between different
agencies.
Response: The DSR SDT thanks you for your comment. The DSR SDT acknowledges the difficulty in attempting to present a single form. However,
the DSR SDT believes it may be possible to achieve consolidation since the various reports ask repetitive questions. For example, having to provide
contact names, telephone numbers, email addresses on multiple forms is not an effective use of time or resources. Similarly, answering the question
“Describe the event” or “What steps did you take” on multiple reporting forms is also not effective. The DSR SDT does recognize that it may not be
possible to eliminate reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
Independent Electricity System
Operator
Yes
Yes, this will simplify the reporting effort. NERC may forward the reports to the other need-to-know entities.
Response: The DSR SDT thanks you for your comment.
Electric Market Policy
Yes
Yes, we agree with the concept that there should be one report form for all functional entities (whether located
in the US, Canada, Mexico) for use in reporting to NERC.
Response: The DSR SDT thanks you for your comment.
4. The goal of the DSR SDT is to eliminate the need to file duplicate reports. The standards will specify
information required by NERC for reliability. To the extent that this information is also required for
other reports (e.g. DOE OE-417), those reports will be allowed to supplement the NERC report in lieu
of duplicating the entries in the NERC report. Do you agree with this concept? Please explain your
response (yes or no) in the comment area.
Summary Consideration: Most stakeholders agreed with the concept of entities being able to use information from other
sources such as the OE-417 form, to supplement the NERC report form. Some thought that duplicate reports were acceptable,
as long as the information was not duplicated (if # of customers lost is required on form A, don’t ask on forms B & C). Several
stakeholders commented on the need for an electronic, one stop reporting tool. This would avoid duplication while ensuring
that the information reported goes only to intended recipients. With an electronic, one stop reporting tool, reports can be
updated/corrected instantly, without repeating previously submitted information. Some stakeholders cautioned that the OE-417 can change every three years and this should be taken into account when developing an electronic reporting tool. Again,
such a reporting tool would need to be vetted and developed to meet reliability needs.
Organization
Yes or No
Question 4 Comment
ERCOT ISO
ERCOT ISO agrees with the concept of eliminating the need to file duplicate reports, but as stated in the
Concept Paper, the DOE form (OE-417) is required by law. Based on this, the elimination of EOP-004 (after
the fact reporting) is essential, since the OE-417 is mandatory and all-inclusive.
Response: The DSR SDT thanks you for your comment. We agree that the OE-417 compiles a baseline set of information for disturbances, however, it
does not function as an all-inclusive report of sabotage and cyber security incidents. The DSR SDT certainly seeks to gain efficiencies through the
modification of EOP-004 and CIP-001, which may include the elimination of one or both. Further, the OE-417 is only mandatory for US entities.
Midwest ISO Standards
Collaborators
No
It certainly makes sense to eliminate duplication in reporting and to allow supplemental information to be
submitted in other reports. However, it does not make sense to require reporting to other governmental
agencies through NERC enforceable NERC standards. Those governmental agencies already have legal
authority to compel reporting. Again, we support developing a guideline for reporting rather than enforceable
standards. The guideline could certainly explain the various reporting requirements and supplemental
reporting requirements mentioned in the question without causing the issues we have identified in our
comments.
Response: The DSR SDT thanks you for your comment. The DSR SDT does not envision a NERC standard mandating submission of reports to DOE,
which is mandatory under Public Law for US entities. If the DSR SDT is able to develop a one-stop-shopping electronic form, we plan to develop an
option to have the report submitted to NERC, DOE and FERC simultaneously. If an entity chooses to submit the report manually, they will then also be
responsible for following DOE regulations and other mandatory requirements.
Consumers Energy Company
No
NERC should either coordinate with DOE for a single reporting process or simply adopt the DOE’s standard.
Response: The DSR SDT thanks you for your comment. The DSR SDT does not envision a NERC standard mandating submission of reports to DOE,
which is mandatory under Public Law for US entities. If the DSR SDT is able to develop a one-stop-shopping electronic form, we plan to develop an
option to have the report submitted to NERC, DOE and FERC simultaneously. If an entity chooses to submit the report manually, they will then also be
responsible for following DOE regulations and other mandatory requirements. The DOE report does not collect all the information that NERC needs.
E.ON U.S. LLC
No
Reliability standards are federal law enforced by fines that can reach up to $1,000,000 per day of violation.
There is no reason to deliberately include ambiguity, i.e. “gray areas,” in requirements such that registered
entities are left unable to determine what it is they must do or refrain from doing to remain compliant.
“Sabotage” for the purposes of these standards must be defined.
Response: The DSR SDT thanks you for your comment. The intent of the DSR SDT is to develop requirements for reporting that will be clear and
unambiguous with respect to compliance issues. Sabotage will be included in the reporting for “impact events”, but may not be called ‘sabotage’ as
there are many different interpretations of “sabotage”.
ISO RTO Council Standards
Review Committee
No
The concept of eliminating duplication is laudable, but the idea of writing a standard to mandate reporting that
involves reporting to governmental areas does not make sense unless NERC will do all of the reporting for the
Industry. A governmental agency is as likely as not to change the forms they require which would then mean
two different reports (one for NERC and one for the given agency) or that the standard would have to be rewritten every time there is a change.
Response: The DSR SDT thanks you for your comment. The DSR SDT does not envision a NERC standard mandating submission of reports to DOE,
which is mandatory under Public Law for US entities. If the DSR SDT is able to develop a one-stop-shopping electronic form, we plan to develop an
option to have the report submitted to NERC, DOE and FERC simultaneously. If an entity chooses to submit the report manually, they will then also be
responsible for following DOE regulations and other mandatory requirements.
Ameren
No
The DOE OE-417 report should not supplement the NERC report due to the fact that the majority of
reportable events are defined in/come from the OE-417 report. The NERC reporting form should be based on
the OE-417 report and then include additional reporting requirements defined by NERC. However, it does not
make sense to require reporting to the governmental agencies through enforceable NERC standards. The
governmental agencies already have legal authority to compel reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT does not envision a NERC standard mandating submission of reports to DOE,
which is mandatory under Public Law for US entities. If the DSR SDT is able to develop a one-stop-shopping electronic form, we plan to develop an
option to have the report submitted to NERC, DOE and FERC simultaneously. If an entity chooses to submit the report manually, they will then also be
responsible for following DOE regulations and other mandatory requirements.
SERC Reliability Coordinator
Sub-committee (RCS)
No
The requirement should be a single report that satisfies the need for all US governmental agencies as well as
NERC and the RRO’s.
Response: The DSR SDT thanks you for your comment. The intent of the DSR SDT is to develop standards to address the reliability needs for NERC
and not governmental agency reporting criteria.
Western Electricity Coordinating
Council
No
This will work well for the USA entities to save us time in re-entering the same information. We believe that
FERC and NERC and the Regions should have one common reporting form for North America. The OE-417
is not required by law outside of the United States. Canadian and Mexican entities may feel that US DOE has
no jurisdiction in these countries, and therefore no right to required reporting as is stated on the OE-417.
Response: The DSR SDT thanks you for your comment. We agree that the OE-417 report is not required for Canadian or Mexican entities. The DSR
SDT does not envision a NERC standard mandating submission of reports to DOE. If the DSR SDT is able to develop a one-stop-shopping electronic
form, we plan to develop an option to have the report submitted (or not) to NERC, DOE and FERC simultaneously. If an entity chooses to submit the
report manually, they will then also be responsible for following DOE regulations and other mandatory requirements.
American Electric Power
Yes
Edison Mission Marketing &
Trading
Yes
Exelon
Yes
Orange and Rockland Utilities,
Inc.
Yes
PacifiCorp
Yes
Platte River Power Authority
Yes
Arizona Public Service Company
Yes
APS supports eliminating the need to file duplicate reports. This standardized form should generate and send
the DOE OE-417 report, totally eliminating duplicate work. Streamline the process.
Response: The DSR SDT thanks you for your comment.
Central Hudson Gas & Electric
Yes
Central Hudson agrees with this concept and, as stated in a previous response, recommends that the ability
of utilizing the DOE OE-417 to supplement the NERC report be maintained.
Response: The DSR SDT thanks you for your comment.
Calpine Corp.
Yes
Clarification, simplicity and the removal of duplicate reporting is beneficial.
Response: The DSR SDT thanks you for your comment.
Constellation Power Source
Generation
Yes
Constellation agrees with the concept of eliminating the need to file duplicate reports. If the single NERC
reporting form is both comprehensive and easy to use, then using a single report should not be an issue. It is
essential that all elements of DOE OE-417, and any similar documents, be incorporated into this single report.
Not incorporating all elements will result in gaps in reporting for all Registered Entities.
Response: The DSR SDT thanks you for your comment.
SPS Consulting Group Inc.
Yes
Duplication is inefficient and casts the whole reporting mechanism in a questionable light.
Response: The DSR SDT thanks you for your comment.
We Energies
Yes
However, also evaluate whether or not DOE OE-417 is sufficient in lieu of a NERC report. If additional
information is required, duplicate format of DOE-OE-417 with additional NERC information listed at the end of
the form.
Response: The DSR SDT thanks you for your comment.
Wolverine Power Supply
Cooperative, Inc.
Yes
I agree with the concept of minimizing duplication - See previous question 3 for concerns.
Response: The DSR SDT thanks you for your comment.
USBR
Yes
It should be clear what information is to be supplemented. The fewer times the information has to be handled
the more efficient the process becomes. If the information exists on a required form, that legal form should be
allowed. Also, if the form is already submitted, then reference to it should be sufficient rather than requiring
resubmission of the form. That would require handling the information again. As explained in the previous
answer, the SDT should recognize that responsible entities have already developed internal reporting
processes which utilize forms for consistent responses. Those forms may contain more information than is
needed by the new standard to be proposed. The entity should be allowed to submit the internal form or else
duplication would be created, which may reduce the effectiveness of an entity's reliability improvement
program.
Response: The DSR SDT thanks you for your comment. The DSR SDT envisions a one-stop-shopping form that allows reports to be saved, revised
and resubmitted at a later date without re-entry of data or information. However, as a caution the DSR SDT cannot guarantee the possibility to submit
custom forms.
Lands Energy Consulting
Yes
Less paperwork and fewer requirements to keep in mind during what may be once in a lifetime events are
always good.
Response: The DSR SDT thanks you for your comment.
Luminant
Yes
Luminant agrees with the concept of reducing reporting requirements, but asks the SDT to go even further. In
the concept paper, the SDT discussed that information would not be duplicated on the NERC report and the
DOE OE-417 report. The concept paper described a process where one report would simply supplement the
other, but two reports would still be filed when required. Can the NERC SDT work with the DOE to develop
one report to meet the needs of NERC and the DOE?
Response: The DSR SDT thanks you for your comment. We will consult with the DOE to see if one report will meet the reporting needs for NERC
and the DOE. NERC reliability needs will take precedence.
Bonneville Power Administration
Yes
Minimizing the number of reports is a good thing. The concept of actually sharing information should be
utilized as much as practical.
Response: The DSR SDT thanks you for your comment.
Oncor Electric Delivery Company
LLC
Yes
Oncor agrees that this effort should eliminate file duplication
Response: The DSR SDT thanks you for your comment.
Bandera Electric Cooperative,
Inc.
Yes
One can only assume the number of reports required in this area will continue to increase in terms of scope
and to which agency wants this data. The SDT is encouraged to attempt to find a reporting format and scope
that does not needlessly duplicate or complicate overall reporting obligations.
Response: The DSR SDT thanks you for your comment. We will consult with the DOE and FERC to see if one report will meet the reporting needs
for NERC, FERC and the DOE. NERC reliability needs will take precedence.
Portland General Electric
Yes
PGE supports reducing the duplication of reporting.
Response: The DSR SDT thanks you for your comment.
Dynegy Inc.
Yes
Short and simple should be the goal.
Response: The DSR SDT thanks you for your comment.
Duke Energy
Yes
Since the OE-417 is a DOE required report, it must be submitted. Including the OE-417 as part of the NERC
electronic form will facilitate reporting to NERC.
Response: The DSR SDT thanks you for your comment. We will consult with the DOE to see if one report will meet the reporting needs for NERC
and the DOE. NERC reliability needs will take precedence.
Central Lincoln
Yes
The existing reporting is needlessly complex. We appreciate the SDT’s goal.
Response: The DSR SDT thanks you for your comment.
Public Service Enterprise Group
Companies
Yes
The PSEG Companies agree with the avoidance of duplicate reports. NERC report forms should not include
anything in the DOE form, and NERC Regional report forms should not include anything in the DOE or NERC
forms. Hence, a DOE report should not "supplement" a NERC form, but rather replace it unless the NERC
form calls for other information for the same reportable incident, and likewise for the DOE - NERC - Regional
form structure. DOE forms would be filed with DOE, NERC and the Regional Entity where the event
originated. NERC forms would be filed with NERC and the region where the event originated and the
Regional form filed only with the Region. In designing the NERC and Regional forms, the need to file multiple
reports should be minimized, and in no event should any of the three (DOE, NERC, Region) forms contain
duplicative information requests.
Response: The DSR SDT thanks you for your comment. We will consider your comment in the development of the reporting structure / forms.
Manitoba Hydro
Yes
This could be easily incorporated into the electronic form. You could be prompted for information required
immediately, and notified for information that could be entered later. This form could contain all the enterable
data that all agencies could require. If the form is live and on line, all entities could be notified (depending on
the entries) of an ongoing event immediately. Form could be web based similar to ARS program or even
integrated into the ARS program.
Response: The DSR SDT thanks you for your comment. We will consider your comment in the development of the reporting structure / forms.
FirstEnergy
Yes
We agree that the simplification and consistency of reporting will improve the reporting of this information. We
support the drafting team's efforts in this area and hope that all regulatory agencies will as well. However, as
we have mentioned in our other comments, the reporting requirements should not be in a reliability standard
unless they are proven to be necessary to maintain an Adequate Level of Reliability of the BES. Reporting of
these events should be required by NERC in arenas outside of the standards.
Response: The DSR SDT thanks you for your comment. The information provided in the reports is either used after the fact for analyses or used to
maintain situational awareness, and is needed for reliability.
MRO's NERC Standards Review
Subcommittee
Yes
We agree with the concept to eliminate duplicate reports. However, we are concerned with the reference of
the DOE OE-417 report being a “supplement” of the NERC report rather than “accepted” as the NERC report.
Response: The DSR SDT thanks you for your comment. Future NERC reliability reporting needs may not totally align with DOE report information.
Therefore, the OE-417 report would not necessarily substitute for the NERC report. The DOE Reporting Form OE 417 is currently mandatory by Public
for US entities.
Hydro-Québec TransEnergie
(HQT)
Yes
We agree with the objective of eliminating duplicate reporting. However, EOP-004 currently allows
substitution of DOE OE-417 in place of the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report. As suggested in the Concept Paper, entities meeting the criteria of OE-417 are still
obligated to file a report with DOE. Given that and the fact that CIP-001 requires no actual reporting, it is not
clear where duplication exists today. We agree with the recommendation to eliminate the need for filing
duplicate reports such as the DOE form OE-417. There is no benefit with regard to CIP-001 in filing
separate reports. Duplicate reports introduce the potential for incomplete information to be supplied to
responsible parties.
Removing jurisdictional agencies from the Standard, and having NERC provide either query or situational
awareness to those agencies being considered, might not be easy to achieve. There is an obligation under
law to require entities to report to the DOE on the OE-417 form as amended or modified. This might drive the
“omitted” agencies to have reporting laws enacted as well.
Northeast Power Coordinating
Council
Yes
We agree with the objective of eliminating duplicate reporting. However, EOP-004 currently allows
substitution of DOE OE-417 in place of the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report. As suggested in the Concept Paper, entities meeting the criteria of OE-417 are still
obligated to file a report with DOE. Given that and the fact that CIP-001 requires no actual reporting, it is not
clear where duplication exists today. We agree with the recommendation to eliminate the need for filing
duplicate reports such as the DOE form OE-417. There is no benefit with regard to CIP-001 in filing
separate reports. Duplicate reports introduce the potential for incomplete information to be supplied to
responsible parties.
Removing jurisdictional agencies from the Standard, and having NERC provide either query or situational
awareness to those agencies being considered, might not be easy to achieve. There is an obligation under
law to require entities to report to the DOE on the OE-417 form as amended or modified. This might drive the
“omitted” agencies to have reporting laws enacted as well.
Response: The DSR SDT thanks you for your comment. The DSR SDT has discussed the possibility of consolidating CIP-001 and EOP-004 to create a
single reporting standard. FERC directives require modifications to the standards which also may impose additional reporting requirements (see
paragraph 470 of Order 693).
We concur with your comments regarding the legal obligations to submit certain reports. The DSR SDT is attempting to consult with appropriate
governmental agencies to address this.
BGE
Yes
We agree with this approach, as long as the latest version of the DOE OE-417 form is fully incorporated in the
new single-reporting form, so that it maintains its credibility with the DOE.
Response: The DSR SDT thanks you for your comment. The intent is to maintain credibility with the DOE reporting requirements.
Independent Electricity System
Operator
Yes
We support this concept since it works well for those entities that are not required to file reports with the US
agencies, e.g. the DOE.
Response: The DSR SDT thanks you for your comment.
Electric Market Policy
Yes
Yes, we agree with the objective of eliminating duplicate reporting; however, EOP-004 currently allows
substitution of DOE OE-417 in place of the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report. As suggested in the Concept Paper, entities meeting the criteria of OE-417 are still
obligated to file a report with DOE. Given that and the fact that CIP-001 requires no actual reporting, it is not
clear where duplication exists today.
Response: The DSR SDT thanks you for your comment. The DSR SDT has discussed the possibility of consolidating CIP-001 and EOP-004 to create a
single reporting standard. FERC directives require modifications to the standards which also may impose additional reporting requirements (see
paragraph 470 of Order 693).
5. In its discussion concerning sabotage, the DSR SDT has determined that the spectrum of all
sabotage-type events is not well understood throughout the industry. In an effort to provide clarity
and guidance, the DSR SDT developed the concept of an impact event. By developing impact events,
it allows us to identify situations in the “gray area” where sabotage is not clearly defined. Other
types of events may need to be reported for situational awareness and trend identification. Do you
agree with this concept? Please explain your response (yes or no) in the comment area.
Summary Consideration: The majority of stakeholders agreed with the concept of impact events. Some stakeholders felt
that the introduction of impact events increased the risk that some items will go unreported. However, most felt that impact
events would dramatically increase the number of reports being submitted, and it would be difficult to separate important
information from background noise. Several respondents felt that the SDT ignored the FERC Directive, and did not define
sabotage and provide guidance as to the triggering events that would cause an entity to report a sabotage event. Many
respondents supplied the SDT with their own definition of “Sabotage”. The DSR SDT believes that the concept of impact events
and the specificity of what needs to be reported in the standard will be an equally efficient and effective means of addressing
the FERC directive regarding sabotage. Some stakeholders felt that impact events add another layer of uncertainty to the
reporting. Even with the switch from sabotage to impact events, several felt that “intent” was still key to determining
reportability.
Organization
Yes or No
Question 5 Comment
ERCOT ISO
ERCOT ISO recognizes the risks associated with “gray areas” not being clarified. While “gray areas” pose
compliance risk due to differing interpretations, a risk remains that some items will go unreported. A more
prescriptive approach raises an even greater risk of events not being reported. People will not report events
that are not specifically listed, and will not use judgment in determining the need for reporting.
Response: The DSR SDT thanks you for your comment. We agree that a more prescriptive approach could pose greater risks but we will attempt to
clarify and define an approach to assist the industry and stakeholders for reporting impact events.
Constellation Power Source
Generation
No
Although defining an impact event would bring clarity to defining sabotage events, adding another situation
would further complicate things. Furthermore, the examples of impact events used all fall under the Sabotage
category in the Threat and Incident Reporting Guideline. Constellation Power Generation suggests the SDT
further clarifies the items in the Sabotage category to ensure all grey area situations are included. Clarification
is also needed in how a Cyber Security Incident (CIP-008) would map into the categories of
Disturbance/Impact Events (CIP-001). To that point, Constellation Power Generation questions whether cyber
related incidents should fall under the spectrum of sabotage type events, or remain separate and be
incorporated in the CIP revisions. Having cyber related incidents separate from other sabotage events would
Consideration of Comments on Concept Paper for Disturbance and Sabotage Reporting — Project 2009-01
provide the clarity and guidance that the DSR SDT is striving to achieve.
Response: The DSR SDT thanks you for your comment. We are suggesting the term “Impact Event” be substituted to include all events that would
impact the reliability of the BES. Events now included in reporting requirements that do not impact the reliability of the BES would be excluded from
the reporting unless the DSR SDT clarifies why it should be included and under what specific instances or examples.
Duke Energy
No
As FERC ordered in Order No. 693, the drafting team should further define sabotage and provide guidance as
to the triggering events that would cause an entity to report a sabotage event. Suggested definition:
“Sabotage - the malicious destruction of, or damage to assets of the electric industry, with the intention of
disrupting or adversely affecting the reliability of the electric grid for the purposes of weakening the critical
infrastructure of our nation.”
Response: The DSR SDT thanks you for your comment. The DSR SDT struggles with terms that deal with determining “intent” which may not be
determined until after a lengthy investigation. We will continue to discuss for inclusion in a future draft of this project. The DSR SDT believes that the
concept of impact events and the specificity of what needs to be reported in the standard will be an equally efficient and effective means of addressing
the FERC directive regarding sabotage.
Kootenai Electric Cooperative
No
Impact events seem to add another layer of uncertainty to the reporting. Define a transmission line. Our
transmission lines have very little impact on the grid. It is possible for our lines to cause a local area outage
on our transmission provider - but neither is of national security interest or even regional interest. There is no
power flow going on across the lines other than local power delivery supply. It seems you run more risk of
losing the important reports in the snow of reporting - similar to what we have to avoid on our SCADA
systems for our operators to see the key information.
Response: The DSR SDT thanks you for your comment. The DSR SDT understands your concern and this was discussed a great deal. It is our belief
that criteria of the “impact events” to be reported will be properly defined and discriminated from local events that have no impact on the reliability of
the BES.
SERC Reliability Coordinator
Sub-committee (RCS)
No
Impact events that do not affect reliability should not be reported.
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees but a balance must be further explored to meet industry and regulatory
requirements specifically under FERC Order 693.
Luminant
No
Luminant would prefer to report disturbances and sabotage events. The reporting of impact events could lead
to unnecessary reporting. A definition of an “impact event” may be even more confusing than sabotage
events.
Response: The DSR SDT thanks you for your comment. The DSR SDT understands your concern and this was discussed a great deal. It is our belief
that criteria of the “impact events” to be reported will be properly defined and discriminated from local events that have no impact on the reliability of
the BES. We are suggesting the term “Impact Event” be substituted to include only events that would impact the reliability of the BES. Events now
included in reporting requirements that do not impact reliability of the BES would be excluded from the reporting unless the DSR SDT clarifies why it
should be included and under what specific instances or examples.
Orange and Rockland Utilities,
Inc.
No
Physical and cyber events must be investigated before a determination of sabotage or impact event can be
made. Impact events should define or clarify the circumstances that would or could affect reliability.
Reportable items should be based on impact to reliability, not on ‘newsworthy’ events or to gather information
for trending. It is the law enforcement industry’s responsibility to make a determination of “sabotage” or other.
This determination cannot definitively be made by industry (operating) personnel. If NERC's definition is
expanded for CIP-001 and/or EOP-004, responsibility and timing of reporting needs to be addressed so that
appropriate agencies conduct the investigation and assessment. Operating personnel need to remain focused
on the primary responsibility of mitigating the effects.
Response: The DSR SDT thanks you for your comment. The DSR SDT struggles with terms that deal with determining “intent” which may not be
determined until after a lengthy investigation. We will continue to discuss these ideas for inclusion in a future draft of this project. Timing of the
reporting process will be further clarified based upon your comments and those in the industry that have voiced similar concerns.
MRO's NERC Standards Review
Subcommittee
No
Rather than attempting to define a new term (impact event), we suggest that the concept of impact event be
replaced with further defining sabotage and providing guidance on trigger events (impact event) that would
cause an entity to report.
Response: The DSR SDT thanks you for your comment. We will continue to discuss the FERC “Clarification of sabotage” directive and seek further
guidance to meet this directive. The term sabotage has created conflict in its meaning among stakeholders as to when it's determined and by whom
and how long an investigation would take to make that call on the intent of the saboteur. The DSR SDT is reviewing what a reportable disturbance
actually is and sabotage may be a sub component of a reportable disturbance event.
Lands Energy Consulting
No
The level of complexity described will overwhelm the 20-200 employee utilities that have yet to see - and will
never see - the kind of sabotage event that scares the Department of Homeland Security.
Response: The DSR SDT thanks you for your comment. The DSR SDT does not intend for the reporting of impact events to overwhelm smaller
entities. If events do not affect the reliability of the BES, then it is our intent that they will be excluded from reporting requirements under our
proposal. We will attempt to clarify and define an approach to assist the industry and stakeholders for reporting impact events. FERC cautioned the
industry that acts of sabotage may be “tested” on smaller entities and ultimately on larger entities.
ISO RTO Council Standards
Review Committee
No
The nature of the fact that “gray areas” exist precludes the idea of using a standard to report; particularly a
standard for the vague topic of motivation such as sabotage events and the more defined disturbance events.
Response: The DSR SDT thanks you for your comment. We will attempt to clarify and define an approach to assist the industry and stakeholders for
reporting impact events.
Edison Mission Marketing &
Trading
No
There are too many special circumstances to try and capture. I feel this would be best delivered as a
guideline.
Response: The DSR SDT thanks you for your comment. We are suggesting the term “Impact Event” be substituted to include only events that would
impact the reliability of the BES. Events now included in reporting requirements that do not impact reliability of the BES would be excluded from the
reporting unless the DSR SDT clarifies why it should be included and under what specific instances or examples.
Exelon
No
We agree with the direction to identify impact events examples that would trigger reporting and not be limited
to sabotage reporting only. It is important to note that when an incident occurs, some level of investigation is
required before a determination can be made as to whether the event is sabotage or not. The focus should be on
reporting events when they occur and allow follow-up investigations to make the sabotage determination.
That being said, care must be taken in the development of any list of impact events so that it doesn’t become
or is misinterpreted to be a definitive list. Therefore if it is not on the list, it is not reportable.
Response: The DSR SDT thanks you for your comment. We concur and plan to allow reports to be submitted, edited and re-submitted in the one-stop-shopping reporting tool. We are suggesting the term “Impact Event” be substituted for sabotage and include only events that would impact the
reliability of the BES. Events now included in reporting requirements that do not impact reliability of the BES would be excluded from the reporting
unless the DSR SDT clarifies why it should be included and under what specific instances or examples.
Midwest ISO Standards
Collaborators
No
We agree with the idea of identifying impact events but do not support the requirement for these to be always
reported through the hierarchical structure identified in question 2. If an impact event only affects one entity,
that entity should have the reporting requirement.
Response: The DSR SDT thanks you for your comment. The DSR SDT will continue to explore the benefits and weaknesses of the hierarchy reporting
structure.
Hydro-Québec TransEnergie
(HQT)
No
We believe that physical and cyber events must be investigated before a determination of sabotage or impact
event can be made. The purpose of the NERC Standards is to maintain the reliability of the BES. Therefore,
impact events should define or clarify the circumstances that would or could affect reliability. Reportable
items should be based on impact to reliability, not on ‘newsworthy’ events or to gather information for
trending. It is the law enforcement industry’s responsibility to make a determination of “sabotage” or other.
This determination cannot definitively be made by industry personnel, there is no expertise or time to
investigate causes. It is the industry’s job to mitigate effects. Examples would help provide for better
guidance/direction. Industry examples would be welcomed to help reinforce developed internal processes for
compliance.
Northeast Power Coordinating
Council
No
We believe that physical and cyber events must be investigated before a determination of sabotage or impact
event can be made. The purpose of the NERC Standards is to maintain the reliability of the BES. Therefore,
impact events should define or clarify the circumstances that would or could affect reliability. Reportable
items should be based on impact to reliability, not on ‘newsworthy’ events or to gather information for
trending. It is the law enforcement industry’s responsibility to make a determination of “sabotage” or other.
This determination cannot definitively be made by industry personnel, there is no expertise or time to
investigate causes. It is the industry’s job to mitigate effects. Examples would help provide for better
guidance/direction. Industry examples would be welcomed to help reinforce developed internal processes for
compliance.
Response: The DSR SDT thanks you for your comment. The DSR SDT struggles with terms that deal with determining “intent” which may not be
determined until after a lengthy investigation. We will continue to discuss issues with sabotage for inclusion in a future draft of this project. Timing of
the reporting process will be further clarified based upon your comments and those in the industry that have voiced similar concerns.
American Electric Power
Yes
Calpine Corp.
Yes
PacifiCorp
Yes
Platte River Power Authority
Yes
Central Lincoln
Yes
An act of vandalism may have impact. An act of sabotage may not be impactful alone, but may be part of a
wider coordinated attack. Dictionary definitions speaking of “intent” are not helpful in this regard, since acts of
vandalism and sabotage are both generally committed intentionally. Saboteurs, though, work for a higher
cause. That cause may be political, social, environmental, etc. We ask that the SDT look beyond dictionary
definitions in developing a definition of sabotage.
Response: The DSR SDT thanks you for your comment. The DSR SDT struggles with terms that deal with determining “intent”. The term sabotage has
created conflict in its meaning among stakeholders as to when it's determined and by whom and how long an investigation would take to make that call
on the intent of the saboteur. We will strive to meet this challenge with the input on the right language from government agencies and industry
experience expertise.
Bonneville Power Administration
Yes
BPA agrees with providing an industry-wide definition and guideline. We do NOT agree with requiring reports
for every instance of every activity. If your definition is good, you’ll get what is needed and not much chaff.
Response: The DSR SDT thanks you for your comment.
Central Hudson Gas & Electric
Yes
Central Hudson agrees with this concept, particularly if the reporting hierarchy through the RC is implemented
in order to better identify trends.
Response: The DSR SDT thanks you for your comment. The DSR SDT will continue to explore the benefits and weaknesses of the hierarchy reporting
structure.
Wolverine Power Supply
Cooperative, Inc.
Yes
I agree with the concept of focusing on impact instead of the type of event (sabotage, accident, vandalism,
etc.). I hope that the reporting proposal that comes out of this project will clearly make a separation between
true impact events that must be reported per the standards (enforceable), vs. "other" information that may be
(electively - not enforceable) reported, per some set of guidelines.
Response: The DSR SDT thanks you for your comment. We agree reportable items should be based on impact to reliability and with other
commenters that expressed a desire to avoid reporting on ‘newsworthy’ events but to gather meaningful information for trending. We are suggesting
the term “Impact Event” be substituted for sabotage to include only events that would impact the reliability of the BES.
Bandera Electric Cooperative,
Inc.
Yes
In principle, I agree with this concept. Would like for the SDT to pursue this further and seek additional
comments at that time.
Response: The DSR SDT thanks you for your comment. We will seek further comments on the concept and will prepare the beginnings of the first
draft soon.
Oncor Electric Delivery Company
LLC
Yes
Oncor agrees that there are no broadly used guidance documents that detail how an event may be accurately
defined.
Response: The DSR SDT thanks you for your comment. We agree that further industry guidance of a clear and understandable standard should be
sought under the new Results Based approach. We will attempt to clarify and define an approach to assist the industry and stakeholders in reporting
impact events.
Portland General Electric
Yes
PGE supports the DSR SDT's efforts to bring clarity and guidance to the spectrum of sabotage-type events.
Response: The DSR SDT thanks you for your comment.
FirstEnergy
Yes
The concept paper makes good progress in this area and the drafting team is on the right track, and agree
that better clarity needs to be developed surrounding sabotage events. However, some of the examples
stated in the paper are too vague and do not address extenuating circumstances or reasons for the events.
One example cited in the paper is "Bolts removed from transmission line structures." This statement may
be too broad. For instance, if the bolts are removed from the tower and the organization is not experiencing a
labor dispute, it could be considered a sabotage event with wide area implications. However, if the
organization is in the middle of a labor dispute, this would be vandalism and would most likely not be of a
wide area concern. Also, the number and location of towers affected could be an important determination
related to the risk the event imposes on the Bulk Electric System.
Response: The DSR SDT thanks you for your comment. We concur with your comments that the number and location of the towers affected may have
a “local” vs “wide area” concern. However, under the “impact event” reporting that we are proposing, both scenarios above should be reported as
impact events as long as it affects the BES.
Public Service Enterprise Group
Companies
Yes
The PSEG Companies agree with the concept, but reserve judgment on the descriptions of the impacts.
There is clearly a need to better define what constitutes a sabotage incident versus common theft or
vandalism. Moreover, where it may be impossible to determine if any given incident (e.g., several loose bolts
on a transmission tower cross brace could be sabotage or could be human error in construction) falls within
sabotage, a registered entity should not be second guessed in an audit if the registered entity determines not
to report. Excessive unnecessary reporting can mask real incidents.
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees with clearly defining a reportable impact versus common theft. Concern
over reporting an incident and the audit process are within the discussions of the DSR SDT and will be fully explored to assist with the 1st Draft. The
ability to identify trends could be very important compared to isolated incidents that do not impact the BES. Every effort to explore this balance of
reporting will be taken into account.
SPS Consulting Group Inc.
Yes
The term sabotage was always too narrow a concept for the standards. At times, questionable activities are
not confirmed as sabotage events until well after the fact, forcing the registered entity to speculate on whether
or not to report an activity that may not be a confirmed sabotage event at the time, and hence encounter
another silly violation based on imprecise terminology.
Response: The DSR SDT thanks you for your comment. We are suggesting the term “Impact Event” be substituted to include all events that would
impact the reliability of the BES. Events now included in reporting requirements that do not impact reliability of the BES would be excluded from the
reporting unless the DSR SDT clarifies why it should be included and under what specific instances or examples. Tightening the reporting criteria of
impact events could possibly address the concern expressed by a “violation based on imprecise terminology.”
USBR
Yes
There should be a clear distinction between a cyber event and a cyber event that has a material impact on the
reliability of the bulk electric system. Not all CIP-008 events will carry such a distinction. That being said,
CIP-008 cannot be completely incorporated in this process. Denying access to a cyber asset is noteworthy under
CIP-008 but may not pose a threat to the reliability of the bulk electric system. Consider recognizing the impact
on the bulk electric system when modifying definitions of adding the bulk electric system description to the
definitions. This will help to clarify that disturbances, as discussed in this effort, are situations that produce an
abnormal condition on the electric power system, not necessarily on ancillary or supporting systems, such as
SCADA systems or the water-related systems at hydroelectric dams.
Response: The DSR SDT thanks you for your comment. We are suggesting in our discussion to consolidate the location of reporting into one
standard. The industry has demonstrated by comments that it favors streamlining the reporting process to achieve a “one stop shop” approach. We
will continue to explore the possibilities to achieve the best results for all stakeholders. A discussion of advantages/disadvantages will continue to
discover options and alternatives with input from all stakeholders.
Western Electricity Coordinating
Council
Yes
This will help eliminate regional differences in sabotage reporting. The definition should be broad enough so
it covers new types of sabotage that may evolve. Event analysis facilitates situational awareness and if it
requires further investigation regarding developing patterns and severity, it should be handled by law
enforcement if need be.
Response: The DSR SDT thanks you for your comment. The DSR SDT will continue to explore the “Impact Event” definition to allow for new types of
events. Event analysis is clearly a goal of reporting as is situational awareness and hopefully this project will enhance the understanding and clearly
define obligations to all stakeholders.
Manitoba Hydro
Yes
Though there are some specific events already included in this new definition, more could be added to
dissolve specific “gray areas” and as new ones come up. Again these examples could be added into the
electronic form and could contain a large data base which would be available depending on the event that
occurred.
Response: The DSR SDT thanks you for your comment.
BGE
Yes
We agree that "the spectrum of all sabotage-type events is not well understood throughout the industry";
however, we feel that the proposed concept of an "Impact Event" falls short of clarifying what constitutes such
events. We believe that "Impact Events" needs further clarification to eliminate "gray areas" and to provide
more reporting consistency between entities.
Response: The DSR SDT thanks you for your comment. The DSR SDT will continue to clarify the impact events concept and eliminate “gray areas”
while including language to give clarity to the reporting process.
Dynegy Inc.
Yes
We agree with the concept but please provide specific examples. Also, please consider whether there are
any penalties for misinterpreting an incident, who would determine if an event was a threat, and whether this
could result in over reporting non-threats.
Response: The DSR SDT thanks you for your comment. The DSR SDT may include specific examples of impact events and types of reportable events
in the 1st draft of the standard (or in supplemental guidance) to help illustrate reportable criteria.
Consumers Energy Company
Yes
We agree with the concept, however, based on the information provided, it may be too vague to be of value.
Terms such as “potential” and “significant” can be subjective and therefore provide little direction. We would
like to see something more specific. Also, inclusion of the destruction of BES assets may be too inclusive and
needs to be restricted to BES assets that will cause a specific level of impact on reliability.
Response: The DSR SDT thanks you for your comment. The DSR SDT struggles with terms that deal with determining “potential” and “significant”.
Specific examples of criteria are being explored and discussed. We will strive to meet this challenge with the input on the right language from
government agencies and industry experience expertise. Your suggestion of restricting to BES assets that will cause a specific level of impact on
reliability will be discussed with the DSR SDT.
Independent Electricity System
Operator
Yes
We agree with the general concept. However, we suggest that the classification of “events” to be compatible if
not identical to those which need to be reported in real time as required in CIP-001, for otherwise it will create
confusion and unnecessary, extra work. Also, this proposal appears to focus on the sabotage-type events
only but the SAR deals with both sabotage and other disturbances (e.g. emergency type of events) reporting.
A parallel type of “impact event” is needed for non-sabotage-type of events.
Response: The DSR SDT thanks you for your comment. The DSR SDT notes that impact events include both sabotage and non-sabotage types of
events and these events include CIP-001 events.
Electric Market Policy
Yes
We believe that physical and cyber events must be investigated before a determination of sabotage or impact
event can be made.
Response: The DSR SDT thanks you for your comment. We agree that sabotage requires investigation. The term “impact event” was developed to
allow immediate reporting of events based on impact to the BES rather than intent.
We Energies
Yes
We would prefer to refer to all sabotage, vandalism, cyber attacks, and other criminal behavior as impact
events. Focusing more on the event's impact on reliability and its ramifications on the systems seems to be
more useful than to try to determine the intent of the perpetrator.
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees with your assessment and will pursue the clarity and criteria examples
to achieve reporting.
6. If you are aware of any regional reporting requirements beyond the scope of CIP-001, CIP-008 and
EOP-004 please provide them here.
Summary Consideration: Several commenters provided information on regional reporting. The SDT will consider whether
these should be included in the continent-wide standard. These include:
1. NPCC maintains a document and reporting form (Document C-17 - Procedures for Monitoring and Reporting Critical
Operating Tool Failures) that outlines the reporting requirements, responsibilities, and obligations of NPCC Reliability
Coordinators in response to unforeseen critical operating tool failures.
2. For other events that do not meet the OE-417 and EOP-004 reporting criteria, ReliabilityFirst expects to receive notification
of any events involving a sustained outage of multiple BES facilities (buses, lines, generators, and/or transformers, etc.)
that are in close proximity (electrically) to one another and occur in a short time frame (such as a few minutes).
3. WECC sets its loss of load criteria for disturbance reporting at 200 MW rather than the 300 MW in the NERC reporting form.
4. SERC and RFC are developing additional requirements at this time.
5. We suggest that reporting be based on impact to reliability, not on ‘newsworthy’ events. We therefore do not agree with
such regional efforts and would prefer a continent wide reporting requirements.
6. MISO RC (MISO OP-023) and RFC (PRC-002-RFC-01).
Organization
Question 6 Comment
Central Hudson Gas & Electric
Although not beyond the scope of these standards, NPCC maintains a document and reporting form (Document C-17 - Procedures for Monitoring and Reporting Critical Operating Tool Failures) that outlines the reporting requirements,
responsibilities, and obligations of NPCC RCs in response to unforeseen critical operating tool failures.
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard.
Exelon
At the 2010 RFC Spring Workshop the following disturbance reporting Criteria was rolled out: All events that are required to
be reported by the OE-417 and EOP-004 criteria will use those published procedures. For other events that do not meet the
OE-417 and EOP-004 reporting criteria, ReliabilityFirst expects to receive notification of any events involving a sustained
outage of multiple BES facilities (buses, lines, generators, and/or transformers, etc.) that are in close proximity (electrically)
to one another and occur in a short time frame (such as a few minutes).
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard.
Lands Energy Consulting
I believe WECC sets its loss of load criteria for disturbance reporting at 200 MW rather than the 300 MW in the NERC
reporting form.
Response: The DSR SDT thanks you for your comment. The DSR SDT will consider regional criteria when developing reporting thresholds.
Edison Mission Marketing &
Trading
I don't know of any.
Orange and Rockland Utilities,
Inc.
NERC's SDT effort requires a clear, consistent, and comprehensive continent-wide approach, thus mitigating any need for
regional reporting requirements.
Response: The DSR SDT thanks you for your comment. The DSR SDT feels in many instances that region specific standards may be needed.
However, the SDT will provide a clear reporting standard that can be consistently followed continent-wide.
MRO's NERC Standards Review
Subcommittee
No Comment.
Duke Energy
None
Bandera Electric Cooperative,
Inc.
No.
Manitoba Hydro
No. CIP-001 contains references to NERC and the DOE. CIP-008 makes exclusions for facilities regulated by US Nuclear
Regulatory Commission and Canadian Nuclear Safety Commission. It also contains references to ES ISAC (Electricity
Sector Information Sharing and Analysis Center). EOP-004 contains reference to NERC and DOE. There is no reference to
Homeland Security, FBI, etc or to Canadian equivalent references in any of these Standards. When NERC is notified of an
event, it is likely other organizations will have to be notified. There should be some sort of consistency to cover all these
Standards and all notifiable parties at a NERC Standards level.
Response: The DSR SDT thanks you for your comment. The DSR SDT absolutely understands your provided comment and have had detailed
conversations surrounding “who” should be notified and “when”. Most importantly, a level of consistency should exist when reporting disturbances
and sabotage events negatively impacting the BES.
Oncor Electric Delivery Company
LLC
Oncor is not aware of any regional reporting requirements beyond the scope of CIP-001, CIP-008 and EOP-004.
Response: The DSR SDT thanks you for your comment.
Dynegy Inc.
Please consider MISO RTO-OP-023.
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard. Please provide a copy of the subject document.
Electric Market Policy
Hydro-Québec TransEnergie
(HQT)
SERC and RFC are developing additional requirements at this time. We suggest that reporting be based on impact to
reliability, not on ‘newsworthy’ events. We therefore do not agree with such regional efforts and would prefer continent-wide
reporting requirements.
Northeast Power Coordinating
Council
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard.
Public Service Enterprise Group
Companies
The PSEG Companies believe that RFC is developing a regional disturbance reporting requirement for events not meeting
the criteria of current DOE and NERC reports.
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard.
Western Electricity Coordinating
Council
There is a need to learn what reporting requirements are required by the Mexican and Canadian entities.
Response: The DSR SDT thanks you for your comment. The DSR SDT is comprised of international members and we are currently researching
requirements that Mexico and Canada may have.
SERC Reliability Coordinator
Sub-committee (RCS)
We are not aware of any regional reporting requirements beyond the requirements of CIP-001, CIP-008 and EOP-004.
However, the SERC RRO has shared a list of events of interest that it would like to be made aware of to maintain situation
awareness.
Response: The DSR SDT thanks you for your comment. The DSR SDT feels there will always be a need for the Regional Entities to be kept aware of
certain “hot topic” issues. However, it is the SDT’s intent to provide clear and concise reporting requirements for events impacting the BES.
BGE
We are not aware of any regional requirements beyond the scope of CIP-001, CIP-008 and EOP-004.
Response: The DSR SDT thanks you for your comment.
We Energies
What is meant by beyond the scope of the referenced standards? We Energies also has reporting obligations with the
MISO RC (MISO OP-023), RFC (PRC-002-RFC-01), and the Wisconsin and Michigan Public Service Commissions.
Response: The DSR SDT thanks you for your comment. The DSR SDT will examine regional reporting criteria and requirements to determine whether
it should be included in a continent wide standard. Please provide a copy of the subject reporting requirements for the SDT to review.
7. If you have any other comments on the Concepts Paper that you haven’t already provided in
response to the previous questions, please provide them here.
Summary Consideration: Several stakeholders provided comments in this section. Some stakeholders suggested that the
SDT has gone beyond its approved scope to “further define sabotage and provide guidance as to the triggering events that
would cause an entity to report a sabotage event.” Further, there is no requirement to create a Reporting Standard to define
sabotage. The SDT contends that the development of impact events and the reporting requirements for them will provide the
clarity sought in the directive.
Other stakeholders suggested that the SDT should seek to retire sanctionable requirements that require event reporting in
favor of guidelines for reporting.
Several commenters suggested that the introduction of impact events actually expands the reporting requirements. It should
be noted that the list of impact events is expected to be explicit as to who is to report what to whom and within certain
timelines.
Several stakeholders provided input as to what they believed an electronic reporting tool should contain:
1. If the decision is made to go to a single reporting form, it should be developed to cover any foreseeable event.
2. The SDT should work toward a single form, located in a central location, and submitted to one common entity (NERC).
3. Reports should be forwarded to the ES-ISAC, not NERC, as the infrastructure is already in place for efficient sharing with
Federal agencies, with the regional entities and with neighboring asset owners. Reports should flow to all affected entities
in parallel, rather than series (timing issues).
Commenters also suggested that the SDT should consider the impacts of the reporting requirements on the small, and very
small utilities.
Organization
BGE
Question 7 Comment
1. If we move to a "one size fits all" single reporting form, it is important that the form be properly developed to cover any
foreseeable event, which appears to be the intent of the DSR SDT, as outlined on page 4 of the concept document. Such
an approach should also incorporate a single point of contact for reporting information, to avoid any confusion.
2. We would like clarification that any proposed CIP-008-related reporting requirement (including any linked reporting
requirement between CIP-008 and CIP-001) is only applicable in situations where the incident/event involves a registered
entity’s Critical Cyber Asset.
Response (Questions 3&6): The DSR SDT thanks you for your comment. The drafting team will explore clarification that any proposed CIP-008
related reporting requirement between CIP-008 and CIP-001 is only applicable where the incident/event involves a registered entity’s CCA. Note that
CIP-002 through CIP-009 are undergoing revision under project 2008-06 – Order 706 SDT. Note that the current CIP-008 has a reporting requirement
to the ES-ISAC only.
Electric Market Policy
a. NERC should focus efforts on developing specific event reporting criteria and not base the requirement on the definition
of the term ‘sabotage’ but on the reporting criteria itself.
b. The “opportunities for efficiency” discussed in the Concept Paper would be best achieved by focusing on those items
that are necessary to maintain the reliability of the Bulk Electric System. If there are elements that need to be reported
that do not support this objective, then that reporting should not be required in reliability standards.
Hydro-Québec TransEnergie
(HQT)
a. NERC should focus efforts on developing specific event reporting criteria and not base the requirement on the
definition of the term ‘sabotage’, but on the reporting criteria itself. See comments above.
b. The “opportunities for efficiency” discussed in the Concept Paper would be best achieved by focusing on those items
that are necessary to maintain the reliability of the Bulk Electric System. If there are elements that need to be
reported that do not support this objective, then that reporting should not be required in reliability standards. Consider
making NERC the distributor of reports to other agencies. We recognize that the key is to simplify reporting to a single
form, and to the extent possible, to one agency. “Front line” reliability personnel must have the “timely” knowledge to
know when a situation warrants local, area, regional, or national involvement. Finally, the SDT should keep in mind
the fact that Canadian stakeholders might have some difference in the way reports are made to Security Agencies.
Northeast Power Coordinating
Council
a. NERC should focus efforts on developing specific event reporting criteria and not base the requirement on the definition
of the term ‘sabotage’, but on the reporting criteria itself. See comments above.
b. The “opportunities for efficiency” discussed in the Concept Paper would be best achieved by focusing on those items
that are absolutely necessary to maintain the reliability of the Bulk Electric System. If there are elements that need to be
reported that do not support this objective, then that reporting should not be required in reliability standards. Consider
making NERC the distributor of reports to other agencies. We recognize that the key is to simplify reporting to a single
form, and to the extent possible, to one agency. “Front line” reliability personnel must have the “timely” knowledge to
know when a situation warrants local, area, regional, or national involvement.
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees to focus efforts to specific event reporting criteria. SDT believes that
by reporting material risks to the Bulk Electrical System using the impact event categorization it will be easier to get the relevant information for
mitigation, awareness, and tracking, not based on the requirement of defining “sabotage”. The SDT believes that it is the submitter’s responsibility
to submit OE-417 forms to the DOE, as stated by Public Law for US entities. The DSR SDT does recognize that it may not be possible to eliminate
reporting to multiple jurisdictional agencies due to legislative or regulatory requirements.
SPS Consulting Group Inc.
Again, please consider the unique scope of the entities to which these standards are to comply. Don't dump all the
requirements on all the applicable entities and perpetuate the current practice of forcing them to parse the requirements
into what is logical or illogical from their perspective. The drafting team should have the expertise to do this. Identify which
requirements apply to which applicable entity.
Response: The DSR SDT thanks you for your comment. The DSR SDT will take into consideration what registered entities and thresholds are to be
included in the revised standard(s) based on the SAR. The DSR SDT will establish the “requirements necessary for users, owners, and operators of
the Bulk-Power-System” as stated in FERC Order 693 and the difference in reporting of events on the BES, as stated in the Purpose statement of
EOP-004-1.
ERCOT ISO
All references to CIP-008 should be removed and we reassert that physical and cyber reporting should be separate. There
is documentation available from the CIPC that the drafting team considered CIP-001 related physical sabotage reporting
and specified cyber incident reporting requirements in CIP-008. ERCOT ISO requests the DSR SDT to continue to improve
its guidelines and to post those guidelines for all to use, but not to create sanctionable standards whose good intentions
could result in unintended adverse consequences for the Industry. ERCOT ISO also suggests that all reporting forms and
guidance should be located in a central, easily accessible location, eliminating confusion and simplifying reporting for system
operators thereby directly enhancing reliability during system events. The industry would benefit from a central location or
link on the NERC website containing all reporting forms.
Response: The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and ask the industry if the DSR SDT should
consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has not determined at this time what
bright line will be used for the yet to be drafted Standard(s). The DSR SDT will take into consideration your comment on keeping cyber and physical
events separate. We are suggesting in our discussion to consolidate the location of reporting into one standard. The industry has demonstrated
by its comments that it prefers that the reporting process be streamlined to achieve a “one stop shop” approach. We will continue to explore the
possibilities to achieve the best results for all stakeholders. A discussion of advantages/disadvantages will continue to discover options and
alternatives with input from all stakeholders.
Western Electricity Coordinating
Council
As stated previously, for "One stop shopping" we need "buy in" from the foreign nationals. The way to do this is to engage
their opinions and respect their jurisdictional agencies as well.
Response (Question 6): The DSR SDT thanks you for your comment. The DSR SDT does recognize that it may not be possible to eliminate reporting
to multiple jurisdictional agencies due to legislative or regulatory requirements. The SDT acknowledges that it is possible to consolidate various
reports that ask repetitive questions and through this process can work with foreign nationals to receive their “buy in” for a one report form for all
functional entities to submit to NERC.
MRO's NERC Standards Review
Subcommittee
Confusion often arises in the industry between the CIP standards and other reliability standards based on CIP-001 naming
convention. We would suggest the SDT retire CIP-001 and incorporate requirements within the EOP-004 standard or a
new EOP-xxx standard to avoid confusion rising from CIP and other NERC Reliability Standards. Additionally, we assume
the SDT has been created to specifically address FERC Order 693 directives to the ERO which appears to include the
following items:
1. Applicability - “possible revisions to CIP-001-1 that address our concerns regarding the need for wider application of the
Reliability Standard... the ERO should consider whether separate, less burdensome requirements for smaller entities may
be appropriate” (FERC, 2007, para. 460).
2. Definition of Sabotage - “we direct that the ERO further define the term and provide guidance on triggering events that
would cause an entity to report an event... we believe the term sabotage is commonly understood and that common
understanding should suffice in most instances... the ERO should consider FirstEnergy’s suggestions to differentiate
between cyber and physical sabotage and develop a threshold of materiality.” (FERC, 2007, para. 461-462)
3. Periodic Review and Testing - “directs the ERO to incorporate a periodic review or updating of the sabotage reporting
procedures and for the periodic testing of the sabotage reporting procedures.” (FERC, 2007, para. 466)
4. Redundant Reporting - “now direct the ERO to address our underlying concern regarding mandatory reporting of a
sabotage event... Regarding the potential for redundant reporting under CIP-001-1 and other government reporting
standards, and the need for greater coordination... We direct the ERO to explore ways to address these concerns including central coordination of sabotage reports and a uniform reporting format... with the appropriate governmental
agencies that have levied the reporting requirements.” (FERC, 2007, para. 468-469)
5. Specified Time - “the Commission directs the ERO to modify CIP-001-1 to require an applicable entity to contact
appropriate governmental authorities in the event of sabotage within a specified period of time... the ERO should consider
suggestions raised... to define the specified period for reporting an incident beginning from when an event is discovered or
suspected to be sabotage” (FERC, 2007, para. 470).
6. Summary of CIP-001-1 - “the Commission directs the ERO to develop the following modifications... (1) further define
sabotage and provide guidance as to the triggering events... (2) specify baseline requirements regarding... procedures for
recognizing sabotage events... (3) incorporate a periodic review... and for the periodic testing... (4) require an applicable
specified period of time. In addition... address our concerns regarding applicability to smaller entities... consolidation of the
sabotage reporting forms and the sabotage reporting channels with the appropriate governmental authorities to minimize
the impact of these reporting requirements on all entities.” (FERC, 2007, para. 471)
7. Analyze Performance - “at a minimum, generator operators and LSEs should analyze the performance of their
equipment and provide the data... The Commission directs the ERO to consider this concern in future revisions... that
includes any Requirements necessary for users, owners and operators... to provide data that will assist NERC” (FERC,
2007, para. 613, 617).
8. Reporting Time Frames - “The Commission directs the ERO to change its Rules of Procedures to assure that the
Commission also receives these reports within the same time frames as the DOE.” (FERC, 2007, para. 618)
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees with your comments to specifically address FERC Order 693
directives to the ERO and will determine a prudent course of action with respect to these standards and pursue the suggestion to retire CIP-001 and
incorporate requirements within the EOP-004 standard to avoid confusion rising from CIP and other NERC Reliability Standards.
Constellation Power Source
Generation
Constellation Power Generation would like clarification that any proposed CIP-008-related reporting requirement
(including any linked reporting requirement between CIP-008 and CIP-001) is only applicable in situations where the
incident/event involves a registered entity’s Critical Cyber Asset. In that vein, we want to emphasize the importance of the
DSR SDT working with the CIP SDT on the cyber related events. If the DSR SDT is going to be adding clarity to cyber
related events, then coordination with the CIP SDT is needed to ensure the same verbiage is being used. Furthermore,
having any duplication of requirements will cause a double jeopardy scenario which would go against the SAR for the
DSR SDT. As stated earlier, Constellation Power Generation also questions whether cyber related incidents should fall
under the spectrum of sabotage type events, or remain separate and be incorporated in the CIP revisions.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT has
not determined at this time what bright line will be used for the yet to be drafted Standard(s). Note that CIP-002 through CIP-009 are undergoing
revision under project 2008-06 – Order 706 SDT.
We Energies
Give consideration to combining CIP-001 and EOP-004-1 through a common categorization. For example, “System Risk
Reporting” could encompass both actual and potential events and would minimize the need to cross reference both
standards, and provide one location for event and potential-event reporting. Much of the challenge in this project is in
achieving a common understanding of the words sabotage and terrorism. There are nuances of meaning in the words that
imply a relationship between the attacker and the victim, or a motive other than simple profit or mischief. This nuance of
meaning requires the victim of the damage to discern a relationship or motive which may not be discoverable in the
relatively brief time window during which the entity must report the event. In fact, they may never be known.
Consequently, We Energies recommends elimination of the words sabotage and terrorism from these standards. We also
recommend elimination of the word vandalism since it also implies an ability and duty to discern whether a particular act
(barbed wire thrown over transformer bushings) was done out of pure mischief (vandalism) or with intent to destroy
equipment for a political purpose (terrorism). And if the act was committed by a disgruntled employee, it becomes
sabotage. No wonder there is confusion and indecision. Instead, We Energies recommends using the simple words
“criminal damage”. One need not be a prosecuting attorney or FBI Special Agent to know what this means. Simply ask,
“Does it look like somebody damaged it (or hacked in) intentionally?” and, “Did we give consent?” and you’re done. With
elimination of sabotage, terrorism and vandalism, and all of their baggage, comes the ability to integrate both CIP 001 and
EOP 004. We now have criminal damage (or cyber attack) as just another event to be evaluated against certain predefined impact measures. No value judgments, no speculation. Another benefit of using these simple words and tests is
that operating personnel, whether in the field or at the console, will not require special awareness training in discerning
these nuances of meaning. They already have experience with the equipment or cyber systems and its normal
performance. Operating personnel can readily assess whether an impact event is due to equipment failure, weather or
animal contact vs. intentionally caused by a person. If it appears to be criminal damage, call the local police agency.
Report the event and the impact. Cooperate with the investigation. Share your knowledge of the normal condition of the
equipment or performance of the system. Share your experience with similar events. It will be important to highlight that
the theft of all the grounding pigtails in a substation is different from the act of simply snipping each of them to leave the
equipment electrically floating. The technical condition is the same, but this allows the police to make an inference with
respect to motive, suspect profile, sophistication, etc. That’s their job. They may ask us to speculate on the motive or
skills of the attacker. That's okay. But at least we don't have to know or guess at it for the purpose of determining whether
to report the event. No training required. With respect to notification to the FBI, We Energies recommends that the
standard merely state that the owner of the damaged asset ensure the local office of the FBI is notified. The standard
should permit documentation of either a direct phone call by the asset owner or obtaining an assurance from the local
police that they will do so. There should be no need to prove earlier establishment of a relationship with the FBI. There
should be no expectation that the entity have a signed letter from the FBI Special Agent in Charge acknowledging his
agency’s duty. This document means nothing. With respect to reporting within the industry, We Energies recommends
that the only events to be reported “up the chain” are those that we choose to characterize as “impact events”. That is, the
events that meet some measurable threshold with respect to BES impact. We should describe these efficiently to avoid
over-reporting of trivial events. It is apparent that we are already over-reporting since DHS HITRAC recently fed back to
the industry that copper thieves attacked a substation in San Bernardino, CA taking some of the grounding conductors.
The industry should have the option to report non-impact events that are unusual in some respect and which may have
some mutual industry benefit in terms of prevention, awareness or recovery. Attack attempts with no impact, or
observations of suspicious activity could fall into this optional category. These optional reports could be aggregated by the
entity for the purpose of detecting patterns or trends, or be reported ad hoc. The ES-ISAC should be the recipient of the
reports. It should be the single point of contact since it has the industry insight, engineering expertise and cross-sector
relationships to analyze and return valuable intelligence to the industry. With the ES-ISAC as the recipient of the reports,
efficient sharing with Federal agencies, with the regional entities and with neighboring asset owners could be automated
and rapid. There is much benefit to be gained from this project, primarily in the area of creating clarity and uniformity.
There is some risk that the reporting requirements will become onerous and prescriptive.
Response: The DSR SDT thanks you for your comment. The DSR SDT is proposing to consolidate disturbance and event reporting under a single
standard. The DSR SDT believes that by reporting material risks to the Bulk Electrical System using the impact event categorization, it will be easier
to get the relevant information for mitigation, awareness, and tracking, while removing the distracting element of motivation by the elimination of
the term “sabotage”. The intent is to allow potentially impacted parties to prepare for and possibly mitigate the reliability risk. The NERC Rules of
Procedure (section 800) provides an overview of the responsibilities of the ERO in regards to analysis and dissemination of information for
reliability. The SDT is proposing that the new standard specify who has access to reported information and who should be notified about impact
events, because agencies such as the DHS and FBI have other duties and responsibilities - an impact event that is related to copper theft may only
need to be reported to the local law enforcement authorities. The goal of the DSR SDT is to create clarity and uniformity by developing a single
reporting form for all functional entities without regard to nationality (US, Canada, Mexico) to submit to NERC with guidance. Ideally, entities would
complete a single form, which could then be distributed to jurisdictional agencies and functional entities as appropriate. The DSR SDT agrees with
your assessment that there should be no expectation that the entity have a signed letter from the FBI Special Agent.
Bandera Electric Cooperative,
Inc.
I commend the SDT for working on this effort and wish them success.
Response: The DSR SDT thanks you for your comment.
Public Service Enterprise Group
Companies
If reporting does become the responsibility of the Reliability Coordinators, the RCIS should be made available view-only to
registered entities with a notification when RCs have posted new entries. That will enhance the situational awareness of
registered entities.
The PSEG Companies disagree with inclusion of CIP-008 reporting requirements as part of the CIP-001 and EOP-004
initiative. CIP-008 reporting as part of the cyber security set of NERC standards is usually managed by specialized
corporate organizations separate from those involved with the other NERC standards, and with highly specialized cyber
skill sets. CIP-008 reporting requirements should remain where they are, and any perceived need for improvement
addressed in the ongoing CIP Version 4 development process.
Response: The DSR SDT thanks you for your comment. The RCIS is a real-time communication and reporting tool and is outside the scope of the
SDT. The goal of the DSR SDT is to develop a form to expedite report completion, sharing and storage. Ideally, entities would complete a single
form, which could then be distributed to jurisdictional agencies and functional entities as appropriate. Functional entities may include the RC, TOP,
and BA for situational awareness. The DSR SDT will take into consideration your comment with inclusion to CIP-008 reporting. However, the
drafting team will explore clarification that any proposed CIP-008-related reporting requirement between CIP-008 and CIP-001 is only applicable
where the incident/event involves a registered entity’s CCA. Note that CIP-002 through CIP-009 are undergoing revision under project 2008-06 –
Order 706 SDT.
Independent Electricity System
Operator
In the Background Section of the comment form, it is indicated that the SDT “...is NOT seeking input or guidance on the
definition of physical or cyber sabotage, what type of disturbances should be reported, who should do reporting, or to
whom or what organizations will be receiving the reports.” Yet there are proposed definitions, with examples, in the
concept paper. The SDT should make it absolutely clear that by supporting the general concept as described in the paper,
the commenting entities are not endorsing the proposed definitions, nor the examples as elements to be included in the
standard.
Response: The DSR SDT thanks you for your comment. The DSR SDT will continue to clarify the impact events concept and eliminate “gray areas”
while including language to give clarity to the reporting process. Standards developed under this project will be posted for comment on specific
content.
Luminant
Luminant disagrees with the direction of utilizing impact events, as this is an expansion in scope beyond the simplification
of sabotage and disturbance reporting.
Response: The DSR SDT thanks you for your comment. We are suggesting the term “Impact Event” be substituted to include only events that would
impact the reliability of the BES. The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database and FERC Order 693
Directives and determined this was a prudent course of action with respect to these standards to provide clear criteria for reporting.
Dynegy Inc.
N/A
Manitoba Hydro
No
Edison Mission Marketing &
Trading
No other comments.
SERC Reliability Coordinator
Sub-committee (RCS)
None.
USBR
The concept of "threat" evaluation criteria is somewhat vague and great care is needed to ensure it is clear enough that
most individuals would be able to analyze an event and end up at the same threat. Otherwise it would be almost
impossible to ensure compliance with a requirement which cannot accurately describe criteria to be used to ensure that
proper evaluation has occurred.
Response: The DSR SDT thanks you for your comment. We are suggesting the term “Impact Event” be substituted to include only events that
would impact the reliability of the BES as opposed to requiring a threat evaluation. The DSR SDT intends to develop criteria that will assist entities
in determining which events should be reported.
Wolverine Power Supply
Cooperative, Inc.
The concepts of removing duplication, consolidation, and focusing on "impact events" sound logical. I am concerned that
the focus may drift to expanded reporting, not reduced reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT discussed the reporting of “impact events” and will consider guidance found
in the document, “NERC Guideline: Threat and Incident Reporting” which will include clear criteria to eliminate erroneous or expanded reporting.
ISO RTO Council Standards
Review Committee
The FERC Order merely asked NERC to “further define sabotage and provide guidance as to the triggering events that
would cause an entity to report a sabotage event.” There is no requirement to create a Reporting Standard and no
mention of Disturbance events. There is a strong need to avoid heavy-handed use of NERC standards particularly for
such post event reporting guidelines. The SRC would urge the DSR SDT to continue to improve its guidelines and to post
those guidelines for all to use, but not to create sanctionable standards whose good intentions will inevitably result in
many unintended adverse consequences for the Industry. Rather, the SDT should seek to retire sanctionable
requirements that require event reporting in favor of guidelines for reporting.
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if the DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT
has not determined at this time what bright line will be used for the yet to be drafted Standard(s). The DSR SDT will take into consideration your
comment on keeping cyber and physical events separate. We are suggesting in our discussion to consolidate the location of reporting into one
standard. The industry has demonstrated by its comments that the reporting process be streamlined to achieve a “one stop shop” approach. We
will continue to explore the possibilities to achieve the best results for all stakeholders. A discussion of advantages /disadvantages will continue to
discover options and alternatives with input from all stakeholders.
Lands Energy Consulting
The lack of common sense that leads to a 15 MW loss of load resulting from a 115 kV line outage being categorized as a
"reportable disturbance" really hurts the credibility of the entire NERC Compliance Program. The smaller utilities look at
application of EOP-004 in particular to their operation and conclude that either the EO/RRO is: a. stupid; or b. Out to
persecute the smaller utilities. In reality, EOP-004 was drafted for application to Southern California Edison, where loss of
50% of customers would be 2-3 million customers. Now that's really disturbing!
Response: The DSR SDT thanks you for your comment. The DSR SDT intends to develop criteria that will assist entities in determining which
events should be reported. Acts of sabotage may be “tested” on smaller entities before the saboteurs move on the larger entities.
Central Hudson Gas & Electric
The NERC Guideline: Threat and Incident Reporting Attachment A matrix is an extremely beneficial document that
organizes reporting criteria. However, it identifies communications systems failure sub-category under the Equipment
And/Or Systems Failure category as reportable with a reference to OE-417 - Schedule 1, Item 10. Item 10 on Schedule 1
addresses only failures due to attacks (not failures for other reasons).
Response: The DSR SDT thanks you for your comment. The intent was to look at the posted “NERC Guideline: Threat and Incident Reporting” and
ask the industry if the DSR SDT should consider existing guidelines for possible inclusion into the yet to be written requirement(s). The DSR SDT
has not determined at this time what bright line will be used for the yet to be drafted Standard(s). Loss of communications would be considered an
impact event. The reason for the loss of communications is irrelevant.
Duke Energy
We don’t think CIP-001, EOP-004 and cyber incident reporting aspects of CIP-008 should all be combined into one
standard, because of the significant differences between sabotage and disturbances. We have suggested that the
drafting team further define sabotage, and we have included a suggested definition in our response to question #5 above.
Sabotage is very specific due to the intent (for the purpose of weakening the critical infrastructure), and the potential
impact to the BES. We believe that sabotage and cyber incident reporting should remain a part of the CIP Standards due
to the emphasis placed on the criticality and vulnerability of the assets needed to support reliable operation of the BES.
Cyber Security and Physical Security could be placed together in the same standard (remain in CIP) and other
disturbances (i.e., accidental, natural) in a separate standard. “One stop shopping” for reporting is still possible as long as
the OE-417 form is included as part of the NERC electronic form. And while we agree with the need for additional clarity
in sabotage and disturbance reporting, we believe that the Standards Drafting Team should carefully consider whether
there is a reliability-related need for each requirement. Some disturbance reporting requirements are triggered not just to
assist in real-time reliability but also to identify lessons-learned opportunities. If disturbance and sabotage reporting
continue to be reliability standards, we believe that all linkages to lessons-learned/improvements need to be stripped out.
We have other forums to identify lessons-learned opportunities and to follow-up on those opportunities.
Response: The DSR SDT thanks you for your comment. The DSR SDT is still evaluating inclusion of CIP-008 reporting requirements with CIP-001
and EOP-004 requirements. Note that the current CIP-008 has a reporting requirement to the ES-ISAC only. The DSR SDT developed the more
inclusive term “impact events” to eliminate using more confusing terms like sabotage (which is not likely to be determined until after a lengthy
investigation). These standards may be combined to have all reporting requirements in a single standard, not because the items to be reported are
necessarily related.
FirstEnergy
We fully agree that sabotage events need to be more clearly defined and reporting requirements need to be better
coordinated. But as we have stated in previous comments, the drafting team needs to determine if standard requirements
need to be developed for this type of reporting or if this is better left to administrative requirements outside the standards
arena. Also, while we appreciate the team's effort to simplify reporting requirements for entities, we are concerned with the
serial communication offered by the concept paper. As an example, the team proposes to have LSE report the incident to
the BA and/or TOP and then have the BA and/or TOP report it to the RC and the RC to report it to NERC and the NERC
report to the regulatory agencies. While this simplifies it for each individual organization, this method introduces many
opportunities for errors and miscommunications. Since this is after-the-fact reporting, it is difficult to defend this type of
communication path when one consistent report could be sent simultaneously to all agencies at the same time from the
originating location.
Response: The DSR SDT thanks you for your comment. The Reliability Coordinator’s suggested role in this is to allow them to incorporate the
relevant data from responsible entities in their footprint for further analysis. We will consider your suggestion of simultaneous submissions as a
means to effectively notify the necessary parties. The SDT believes that it is the submitter’s responsibility to submit OE-417 fo rm s to th e DOE. Th e
DS R S DT d o e s re c o g n ize th a t it m a y n o t b e p o s s ib le to e lim in a te re p o rtin g to m u ltip le ju ris d ic tio n a l a g e n c ie s d u e to le g is la tive o r re g u la to ry
requirements.
Ameren
While we are not opposed to the concept of identifying impact events, we are concerned that the drafting team may
actually be expanding reporting requirements. We do not support expansion of reporting requirements unless a clear
reliability or legal need is identified. Some of the impact events are almost never sabotage and do not warrant reporting
for reliability needs and should not be included. For example, copper theft should not require reporting, in general,
because it is almost never sabotage and rarely impacts reliability. If it does impact reliability because, for example, the
protection system is impacted and causes more significant potential contingencies, then reporting could be required. Why
is a train derailment near a transmission right of way significant? It would only be significant if an investigation identified
sabotage as the reason. Furthermore, what is considered near?
Midwest ISO Standards
Collaborators
While we are not opposed to the concept of identifying impact events, we are concerned that the drafting team may
actually be expanding reporting requirements. We do not support expansion of reporting requirements unless a clear
reliability or legal need is identified. Some of the impact events are almost never sabotage and do not warrant reporting
for reliability needs and should not be included. For example, copper theft should not require reporting, in general,
because it is almost never sabotage and rarely impacts reliability. If it does impact reliability because, for example, the
protection system is impacted and causes more significant potential contingencies, then reporting could be required. Why
is a train derailment near a transmission right of way significant? It would only be significant if an investigation identified
sabotage as the reason. Furthermore, what is considered near?
Response: The DSR SDT thanks you for your comment. It is not the intent of the DSR SDT to expand reporting requirements but rather to attempt
to clarify and define an approach to assist the industry and stakeholders in reporting impact events. Furthermore, impact events should not include
copper theft or other conditions that pose no threat to the reliability of the BES. A train derailment is only an impact event if it threatens some
element of the power system such as a transmission line corridor - the derailment in itself is not an impact event.
Exelon
You should consider providing clear and concise instructions as to the expectation on submitting forms, i.e. the DOE 417.
There should be no guessing as to when and how reports should be submitted and who should receive them. Specific
details on reporting criteria should be included.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends to develop criteria for reporting impact events.
EOP-004-2 — Impact Event and Disturbance Assessment, Analysis, and Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April, 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
Proposed Action Plan and Description of Current Draft
This is the first posting of the proposed standard in accordance with Results-Based Criteria. The
drafting team requests posting for a 30-day formal comment period.
Future Development Plan
Anticipated Actions | Anticipated Date
Initial Comment Period | September 2010
Drafting team considers comments, makes conforming changes, and proceed to second comment | October – December 2010
Comment Period/Initial Ballot | December 2010 – January 2011
Successive Comment/Ballot period | February – March 2011
Receive BOT approval | April 2011
Draft 1: September 10, 2010
Effective Dates
1. USA: First calendar day of the first calendar quarter one year after applicable regulatory
authority approval for all requirements
2. Canada and Mexico: First calendar day of the first calendar quarter one year following
Board of Trustees adoption unless governmental authority withholds approval
Version History
Version: 2
Date: Draft 1: September 10, 2010
Action: Merged CIP-001-1 and EOP-004-1 into EOP-004-2; Retired EOP-004-1, R1, R3.2, R3.3, R3.4, R4, R5 and associated measures,
evidence retention and VSLs. Added new requirements for ERO – R1, R7, R8.
Change Tracking: Revision to entire standard (Project 2009-01)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
None
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
Introduction
1. Title: Impact Event and Disturbance Assessment, Analysis, and Reporting
2. Number: EOP-004-2
3. Purpose: Responsible Entities shall report impact events and their known causes to support situational awareness and the
reliability of the Bulk Electric System (BES).
4. Applicability
4.1. Functional Entities:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Transmission Owner
4.1.4. Transmission Operator
4.1.5. Generator Owner
4.1.6. Generator Operator
4.1.7. Distribution Provider
4.1.8. Electric Reliability Organization
5. Background:
NERC established a SAR Team in 2009 to investigate revisions to the CIP-001 and EOP-004
Reliability Standards.
1. CIP-001 may be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 has some ‘fill-in-the-blank’ components to eliminate.
The development may include other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards (see tables for each
standard at the end of this SAR for more detailed information).
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC SC in August of 2009. The Disturbance and Sabotage Reporting
Standard Drafting Team (DSR SDT) was formed in late 2009. A “concepts paper” was designed
to solicit stakeholder input regarding the proposed reporting concepts that the DSR SDT has
developed.
The concept paper sought comments from stakeholders on the “road map” that will be used by
the DSR SDT in updating or revising CIP-001 and EOP-004. The concept paper provided
stakeholders the background information and thought process of the DSR SDT.
The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database
and FERC Order 693 Directives in order to determine a prudent course of action with respect to
these standards.
The DSR SDT has proposed the following concept for impact event:
An impact event is any event that has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure
or mis-operation, environmental conditions, or human action.
To support this concept, the DSR SDT has provided specific events for reporting, including types
of impact events, timing thresholds pertaining to the different types of impact events, and
who is responsible for reporting under the different impact events. This information is outlined
in Attachment 1 to the proposed standard.
The DSR SDT wishes to make clear that the proposed changes do not include any real-time
operating notifications for the types of events covered by CIP-001, EOP-004. This is achieved
through the RCIS and is covered in other standards (e.g. TOP). The proposed standard deals
exclusively with after-the-fact reporting.
The DSR SDT is proposing to consolidate disturbance and impact event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts
• A single form to report disturbances and impact events that threaten the reliability of the
bulk electric system
• Other opportunities for efficiency, such as development of an electronic form and
possible inclusion of regional reporting requirements
• Clear criteria for reporting
• Consistent reporting timelines
• Clarity around who will receive the information and how it will be used
Requirements and Measures
R1. The ERO shall establish, maintain
and utilize a system for receiving
and distributing impact event
reports, received pursuant to
Requirement R6, to applicable
government, provincial or law
enforcement agencies and
Registered Entities to enhance and
support situational awareness.
M1. The ERO shall provide evidence
that it established, maintained and
utilized a system for the
distribution of the reports it
receives to the various
organizations or agencies. Such
evidence could include, but is not
limited to, dated records indicating
that reports were distributed as
shown on the submitted report or
electronic logs indicating
distribution of reports. (R1)
Rationale for R1
The goal of the DSR SDT is to have a generic
reporting form and a system for all functional entities
(US, Canada, Mexico) to submit impact event reports
to NERC and other entities. Ultimately, it may make
sense to develop an electronic version of the form to
expedite completion, sharing and storage. Ideally,
entities would complete a single electronic form online which could then be electronically forwarded or
distributed to jurisdictional agencies and functional
entities as appropriate using check boxes or other
coding within the electronic form. Specific reporting
forms that exist today (i.e. - OE-417, etc) could be
included as part of the electronic form to
accommodate US entities with a requirement to
submit the form or may be removed (but still be
mandatory for US entities under Public Law 93-275)
to streamline the proposed consolidated reliability
standard for all North American entities (US, Canada,
Mexico). Jurisdictional agencies may include DHS,
FBI, NERC, RE, FERC, Provincial Regulators, and
DOE. Functional entities may include the RC, TOP,
and BA for situational awareness. Applicability of the
standard will be determined based on the specific
requirements.
The DSR SDT recognizes that some regions require
reporting of additional information beyond what is in
EOP-004. The DSR SDT is planning to update the
listing of reportable events from discussions with
jurisdictional agencies, NERC, Regional Entities and
stakeholder input. There is a possibility that regional
differences may still exist.
Responsible entities will ultimately be responsible for
ensuring that OE-417 reports are received at the DOE.
R2. Each Applicable Entity identified in Attachment 1 shall have an Operating Plan(s) for identifying, assessing and
reporting impact events listed in Attachment 1 that includes the following components:
2.1. Method(s) for identifying impact events
2.2. Method(s) for assessing cause(s) of impact events
2.3. Method(s) for making internal and external notifications pursuant to Parts 2.5 and 2.6
2.4. List of internal company personnel responsible for making initial notification(s) pursuant to Parts 2.5 and 2.6.
2.5. List of internal company personnel to notify
2.6. List of external organizations to notify to include but not limited to NERC, Regional Entity, Law Enforcement, and
Governmental or Provincial Agencies.
2.7. Method(s) for updating the Operating Plan when there is a component change within 30 days of the notification of the
change.
2.8. A provision for updating the Operating Plan based on lessons learned from an exercise or implementation of the
Operating Plan within 30 days of identifying the lessons learned.
2.9. A provision for updating the Operating Plan based on applicable lessons learned from
the annual NERC report issued pursuant to Requirement R8 within 30 days of NERC
publishing lessons learned.
Rationale for R2
Every industry participant that owns or operates elements or devices on the grid has a formal or informal process,
procedure, or steps it takes to assess what happened and why it happened when impact events occur. This requirement has
the Registered Entity establish documentation on how that procedure, process, or plan is organized.
For the Operating Plan, the DSR SDT envisions that “assessing” includes performing sufficient analysis to be able to
complete the report for reportable impact events. The main issue is to make sure an entity can a) identify when an impact
event has occurred and b) be able to gather enough information to complete the report.
Parts 3.3 and 3.4 include, but are not limited to, operating personnel who could be involved with any aspect of the
operating plan.
The Operating Plan may include, but not be limited to, the following: how the entity is notified of the event’s
occurrence, person(s) initially tasked with overseeing the assessment or analytical study, investigatory steps
typically taken, and documentation of the assessment / remedial action plan.
M2. Each Applicable Entity shall provide the current in-force Operating Plan to the
Compliance Enforcement Authority upon request. (R2)
R3. Each Applicable Entity shall identify and
assess initial probable cause of impact events
listed in Attachment 1 in accordance with its
Operating Plan documented in Requirement
R2.
Rationale for R3
The DSR SDT intends for each
Applicable Entity to assess the causes
of the reportable impact event and
gather enough information to complete
the report that is required to be filed.
M3. To the extent that an Applicable Entity has an
impact event on its Facilities, the Applicable
Entity shall provide documentation of its
assessment or analysis. Such evidence could include, but is not limited to, operator logs,
voice recordings, or power flow analysis cases. (R3)
R4. Each Applicable Entity shall conduct a drill,
exercise, or Real-time implementation of its
Operating Plan for reporting created pursuant
to Requirement R2 at least annually, with no
more than 15 months between exercises or
actual use.
M4. The Applicable Entity shall provide evidence
that it conducted a drill, exercise or Real-time
implementation of the Operating Plan for
reporting as specified in the requirement.
Such evidence could include, but is not
limited to, a dated, exercise scenario with
notes on the exercise or operator logs, voice
recordings, or power flow analysis cases for
an actual implementation of the Operating
Plan. (R4)
Rationale for R4
The DSR SDT intends for each
Applicable Entity to conduct a drill or
exercise of its Operating Plan as often as
merited but no longer than 15 months
from the previous exercise to prevent a
long cycle of exercises (i.e., conducting
an exercise in January of one year and
then December of the next year).
Multiple exercises in a 15 month period
is not a violation of the requirement and
would be encouraged to improve
reliability. A drill or exercise may be a
table-top exercise, a simulation or an
actual implementation of the Operating
Plan.
R5. Each Applicable Entity shall provide training to all internal personnel identified in its Operating Plan for reporting
pursuant to Requirement R2 subject to the following:
5.1 The training includes the personnel required to respond and their required actions under the Operating Plan.
5.2 Training conducted at least once per calendar year, with no more than 15 months between training sessions for
personnel with existing responsibilities.
5.3 If the Operating Plan is revised (with the exception of contact information revisions),
training shall be conducted within 30 days of the Operating Plan revisions.
5.4 For internal personnel added to the Operating Plan or those with revised
responsibilities under the Operating Plan, training shall be conducted prior to
assuming the responsibilities in the plan.
Rationale for R5
The SDT is not prescribing how training is to be conducted and leaves that decision to each Applicable Entity as they best
know how to conduct such activities. Conduct of an exercise constitutes training for compliance with this requirement.
For changes to the Operating Plan (5.3), the training may simply consist of a review of the revised responsibilities and a
“sign-off” that personnel have reviewed the revisions.
M5. Applicable Entities shall provide the actual training material presented to verify content
and the association between the people listed in the plan and those who participated in the
training, documentation showing who was trained and when internal personnel were
trained on the responsibilities in the Operating Plan as well as dates for personnel changes
and evidence that the training was conducted following personnel changes. (R5)
R6. Each Applicable Entity shall report impact events in accordance with its Operating Plan
created pursuant to Requirement R2 and the timelines outlined in Attachment 1.
M6. Registered Entities shall provide evidence demonstrating the submission of reports using
the Operating Plan created pursuant to Requirement R2 for impact events. Such evidence
will include a copy of the original impact event report submitted, evidence to support the
type of impact event experienced; the date and time of the impact event ; as well as
evidence of report submittal that includes date and time. (R6)
R7. The ERO shall annually review and
propose revisions to the impact event
table (Attachment 1) if warranted based
on its analysis of reported impact events.
Revisions to Attachment 1 shall follow
the Reliability Standards Development
Procedure.
M7. The ERO shall provide evidence that it
reviewed the impact event table. If
applicable, the ERO shall provide
evidence that it followed the Reliability
Standards Development Procedure to
propose and implement revisions to
Attachment 1. Such evidence may
include, but not be limited to,
documentation that compares or assesses
the list of impact events (Attachment 1)
against the analysis of reported impact
events. (R7)
R8. The ERO shall publish a quarterly report of the year’s reportable impact events subject to the following:
8.1 Issued no later than 30 days following the end of the calendar quarter
8.2 Identifies trends on the BES
8.3 Identifies threats to the BES
8.4 Identifies other vulnerabilities to the BES
8.5 Documents lessons learned
8.6 Includes recommended actions.
Rationale for R7-R8
Some of the concepts contained in Requirements R7 and R8 are contained in the NERC Rules of Procedure, section 800. The
DSR SDT felt that, in order to have a complete standard for reporting impact events that improved reliability, there
needed to be feedback to industry on a regular basis as well as when issues are discovered. The analysis of impact events
is crucial and the subsequent dissemination of the results of that analysis must be performed.
In accordance with Sections 401(2) and 405 of the Rules of Procedure, the ERO can be set as an applicable entity in a
requirement or standard. After careful consideration, the DSR SDT believes that these requirements (R7-8) are best
applicable to the ERO.
Rationale for R8
The ERO will analyze Impact Events that are reported through requirement R6. The DSR SDT envisions the ERO issuing
reports identifying trends, threats or other vulnerabilities when available or at least quarterly. The report will include
lessons learned and recommended actions (such as mitigation plans) to improve reliability as applicable.
M8. The ERO shall provide evidence that it issued a report identifying trends, threats, or other
vulnerabilities on the bulk electric system at least quarterly. Such evidence will include a
copy of the report as well as dated evidence of the report’s issuance. (R8)
Compliance
Compliance Enforcement Authority
• Regional Entity
• For requirements applicable to the ERO, an entity contracted to perform an audit.
Compliance Monitoring and Enforcement Processes:
• Compliance Audits
• Self-Certifications
• Spot Checking
• Compliance Violation Investigations
• Self-Reporting
• Complaints
Evidence Retention
Each Reliability Coordinator, Balancing Authority, Transmission Owner, Transmission
Operator, Generator Owner, Generator Operator and Distribution Provider shall keep data or
evidence to show compliance as identified below unless directed by its Compliance
Enforcement Authority to retain specific evidence for a longer period of time as part of an
investigation:
The ERO shall retain evidence of Requirements 1, 7 and 8, Measures 1, 7, and 8 for three
calendar years.
Each Reliability Coordinator, Balancing Authority, Transmission Owner, Transmission
Operator, Generator Owner, Generator Operator and Distribution Provider shall retain
data or evidence of Requirements 2, 3, 4, and 5 and Measures 2, 3, 4, and 5 for three
calendar years or for the duration of any regional investigation, whichever is longer, to show
compliance unless directed by its Compliance Enforcement Authority to retain specific
evidence for a longer period of time as part of an investigation.
Each Reliability Coordinator, Balancing Authority, Transmission Owner, Transmission
Operator, Generator Owner, Generator Operator and Distribution Provider shall retain
data or evidence of Requirement 6 and Measure 6 for three calendar years or for the
duration of any regional investigation, whichever is longer, to show compliance unless
directed by its Compliance Enforcement Authority to retain specific evidence for a longer
period of time as part of an investigation.
If a Registered Entity is found non-compliant, it shall keep information related to the noncompliance until found compliant or for the duration specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all requested
and submitted subsequent audit records.
Additional Compliance Information
To be determined.
Variances
None
Interpretations
None
EOP-004 - Attachment 1: Impact Events Table
NOTE: Under certain adverse conditions, e.g., severe weather, it may not be possible to assess the damage caused by an impact event
and issue a written Impact Event Report within the timing in the table below. In such cases, the affected Applicable Entity shall notify
its Regional Entity(ies) and NERC, and verbally provide as much information as is available at that time. The affected Applicable
Entity shall then provide periodic verbal updates until adequate information is available to issue a written Preliminary Impact Event
Report.
EOP-004 – Attachment 1 - Actual Reliability Impact – Part A
Event
Entity with Reporting
Responsibility
Energy Emergency
requiring Public appeal
for load reduction
Energy Emergency
requiring system-wide
voltage reduction
Energy Emergency
requiring firm load
shedding
Voltage Deviations
RC, BA
Frequency Deviations
RC, BA
IROL Violation
RC, TOP
Loss of Firm load for ≥
15 Minutes
RC, BA, TO, TOP, DP
System Separation
(Islanding)
Generation loss
RC, BA, TOP, DP
RC, TO, TOP, DP
RC, BA, TOP, DP
RC, TOP, GOP
RC, BA, GO, GOP
Threshold for Reporting
Time to Submit Report
To reduce consumption in order to maintain
the continuity of the BES
Each public appeal for load reduction
System wide voltage reduction of 3% or more
Within 1 hour of issuing a public
appeal
Firm load shedding ≥ 100 MW (manually or
via automatic undervoltage or underfrequency
load shedding schemes, or SPS/RAS)
± 10% sustained for ≥ 15 minutes
Within 24 hours after occurrence
± Deviations ≥ than Frequency Trigger Limit
(FTL) more than 15 minutes
Operate outside the IROL for time greater
than IROL Tv
• ≥ 300 MW for entities with previous year’s
demand ≥ 3000 MW
• ≥ 200 MW for all other entities
Each separation resulting in an island of
generation and load ≥ 100 MW
• ≥ 2,000 MW for entities in the Eastern or
Western Interconnection
Within 1 hour after occurrence is
identified
Within 24 hours after 15 minute
threshold
Within 24 hours after 15 minute
threshold
Within 24 hours after Tv threshold
Within 24 hours after 15 minute thresh
Within 1 hour after occurrence is
identified
Within 24 hours after occurrence
≥ 1000 MW for entities in the ERCOT or
Quebec Interconnection
• An entire generating station of ≥ 5
generators with aggregate capacity of ≥
500 MW
• An entire DC converter station
• Multiple BES transmission elements
(simultaneous or common-mode event)
Through operational error, equipment failure,
or external cause
•
Transmission loss
RC, TO, TOP
Damage or destruction
of BES equipment1
RC, BA, TO, TOP, GO, GOP,
DP
Within 24 hours after occurrence
Within 1 hour after occurrence is
identified
Examples:
a. BES equipment that is:
i. A critical asset
ii. Affects an IROL
iii. Significantly affects the reliability margin of the system e.g., has the potential to result in the need for emergency
actions
iv. Damaged or destroyed due to a non-environmental external cause
b. Report copper theft from BES equipment only if it degrades the ability of equipment to operate correctly e.g., removal of
grounding straps rendering protective relaying ineffective
EOP-004 – Attachment 1 - Potential Reliability Impact – Part B
Event
Entity with
Reporting
Responsibility
Threshold for Reporting
Time to Submit Report
Unplanned Control Center
evacuation
RC, BA, TOP
Unplanned evacuation from BES
control center facility
report within 1 hour after occurrence
Fuel supply emergency
RC, BA, GO, GOP
Affecting BES reliability1
report within 1 hour after occurrence
Loss of off-site power (grid
supply)
Loss of all monitoring or voice
communication capability
Forced intrusion2
RC, BA, TO, TOP,
GO, GOP
RC, BA, TOP
Affecting a nuclear generating
station
Affecting a BES control center
for ≥ 30 minutes
At a BES facility
report within 1 hour after occurrence
From a non-environmental
physical threat
That meets the criteria in CIP-008
(or its successor)
report within 24 hours after occurrence
Risk to BES equipment3
Detection of a cyber intrusion to
critical cyber assets
RC, BA, TO, TOP,
GO, GOP
RC, BA, TO, TOP,
GO, GOP, DP
RC, BA, TO, TOP,
GO, GOP, DP
report within 1 hour after occurrence
report within 24 hours after occurrence
report within 24 hours after occurrence
1. Report if problems with the fuel supply chain result in the projected need for emergency actions to manage reliability.
2. Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless
it affects the reliability of the BES).
3. Examples include a train derailment adjacent to BES equipment, that either could have damaged the equipment directly or has the
potential to damage the equipment (e.g. flammable or toxic cargo that could pose fire hazard or could cause evacuation of a BES
facility control center).
EOP-002 - Attachment 2: Impact Event Reporting Form
EOP-004 – Confidential Impact Event Report
Task / Comments
1. Entity filing the report (include Compliance Registration ID number):
2. Date and Time of impact event.
   Date: (mm/dd/yy)
   Time/Zone:
3. Name of contact person:
   Email address:
   Telephone Number:
4. Did the impact event originate in your system? Yes / No
5. Under which NERC function are you reporting?
6. Brief Description of impact event:
   (More detail should be provided in the Sequence of Events section below.)
7. Generation tripped off-line.
   MW Total
   List units tripped
8. Frequency.
   Just prior to impact event (Hz):
   Immediately after impact event (Hz max):
   Immediately after impact event (Hz min):
9. List transmission facilities (lines, transformers, buses, etc.) tripped and locked out.
   (Specify voltage level of each facility listed).
10. FIRM / INTERRUPTIBLE
   Demand tripped (MW):
   Number of affected customers:
   Demand lost (MW-Minutes):
11. Restoration Time.
INITIAL
FINAL
Transmission:
Generation:
Demand:
12. Sequence of Events:
13. Identify the initial probable cause or known root cause of the impact event:
14. Identify any protection system misoperation(s):
15. Additional information that helps to further explain the event, if needed. A one-line diagram may be attached, if readily available, to
assist in the evaluation of the event:
Guideline and Technical Basis
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and is
progressing toward developing standards based on the SAR. This concepts paper is designed to
solicit stakeholder input regarding the proposed reporting concepts that the DSR SDT has
developed.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The DSR SDT also proposed to investigate incorporation of the cyber incident reporting aspects
of CIP-008 under this project. This will be coordinated with the Cyber Security - Order 706
SDT (Project 2008-06).
The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database
and FERC Order 693 Directives to determine a prudent course of action with respect to these
standards.
This concept paper provides stakeholders with a proposed “road map” that will be used by the
DSR SDT in updating or revising CIP-001 and EOP-004. This concept paper provides the
background information and thought process of the DSR SDT.
The proposed changes do not include any real-time operating notifications for the types of events
covered by CIP-001 and EOP-004. The real-time reporting requirements are achieved through
the RCIS and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies).
The proposed standards deal exclusively with after-the-fact reporting.
The DSR SDT is proposing to consolidate disturbance and event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard Will:
• Require use of a single form to report disturbances and “impact events” that
threaten the reliability of the bulk electric system
• Provide clear criteria for reporting
• Include consistent reporting timelines
• Identify appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provide clarity around who will receive the information
The drafting team will explore other opportunities for efficiency, such as development of an
electronic form and possible inclusion of regional reporting requirements.
Discussion of Disturbance Reporting
Disturbance reporting requirements currently exist in EOP-004. The current approved definition
of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria are in the existing EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of impact events that are to be reported under this standard (attachment 1).
Discussion of “impact event” Reporting
There are situations worthy of reporting because they have the potential to impact reliability. The
DSR SDT proposes calling such incidents ‘impact events’ with the following concept:
An impact event is any situation that has the potential to significantly impact the
reliability of the Bulk Electric System. Such events may originate from malicious intent,
accidental behavior, or natural occurrences.
Impact event reporting facilitates situational awareness, which allows potentially impacted
parties to prepare for and possibly mitigate the reliability risk. It also provides the raw material,
in the case of certain potential reliability threats, to see emerging patterns.
Examples of impact events include:
• Bolts removed from transmission line structures
• Detection of cyber intrusion that meets criteria of CIP-008 or its successor standard
• Forced intrusion attempt at a substation
• Train derailment near a transmission right-of-way
• Destruction of Bulk Electrical System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electrical System using the impact event
categorization, it will be easier to get the relevant information for mitigation, awareness, and
tracking, while removing the distracting element of motivation.
The DSR SDT discussed the reliability needs for impact event reporting and will consider
guidance found in the document “NERC Guideline: Threat and Incident Reporting” in the
development of requirements, which will include clear criteria for reporting.
Certain types of impact events should be reported to NERC, the Department of Homeland
Security (DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law
enforcement. Other types of impact events may have different reporting requirements. For
example, an impact event that is related to copper theft may only need to be reported to the local
law enforcement authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. As envisioned, the standard will only require
Functional entities to report the incidents and provide information or data necessary for these
analyses. Other entities (e.g., NERC, Law Enforcement, etc.) will be responsible for performing
the analyses. The NERC Rules of Procedure (section 800) provide an overview of the
responsibilities of the ERO with regard to analysis and dissemination of information for reliability.
Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial Regulators,
and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The goal of the DSR SDT is to have one reporting form for all functional entities (US, Canada,
Mexico) to submit to NERC. Ultimately, it may make sense to develop an electronic version to
expedite completion, sharing and storage. Ideally, entities would complete a single form which
could then be distributed to jurisdictional agencies and functional entities as appropriate.
Specific reporting forms¹ that exist today (i.e. - OE-417, etc) could be included as part of the
electronic form to accommodate US entities with a requirement to submit the form, or may be
removed (but still be mandatory for US entities under Public Law 93-275) to streamline the
proposed consolidated reliability standard for all North American entities (US, Canada, Mexico).
Jurisdictional agencies may include DHS, FBI, NERC, RE, FERC, Provincial Regulators, and
DOE. Functional entities may include the RC, TOP, and BA for situational awareness.
Applicability of the standard will be determined based on the specific requirements.
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT is planning to update the listing of reportable events from
discussions with jurisdictional agencies, NERC, Regional Entities and stakeholder input. There
is a possibility that regional differences may still exist.
The reporting proposed by the DSR SDT is intended to meet the uses and purposes of NERC.
The DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information is not
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be included or attached to the NERC
report, in lieu of entering that information on the NERC report.
1 The DOE Reporting Form, OE-417 is currently a part of the EOP-004 standard. If this report is removed from the
standard, it should be noted that this form is still required by law as noted on the form: NOTICE: This report is
mandatory under Public Law 93-275. Failure to comply may result in criminal fines, civil penalties and other
sanctions as provided by law. For the sanctions and the provisions concerning the confidentiality of information
submitted on this form, see General Information portion of the instructions. Title 18 USC 1001 makes it a criminal
offense for any person knowingly and willingly to make to any Agency or Department of the United States any
false, fictitious, or fraudulent statements as to any matter within its jurisdiction.
Comment Form for the first draft of EOP-004-2 - Impact Event and
Disturbance Assessment, Analysis, and Reporting [Project 2009-01]
Please DO NOT use this form to submit comments on the proposed reliability standard,
EOP-004-2 - Impact Event and Disturbance Assessment, Analysis, and Reporting.
Comments must be submitted by October 15, 2010. If you have questions please contact
Stephen Crutchfield by email at Stephen.crutchfield@nerc.net or by telephone at 609-651-9455.
Background Information:
NERC established a SAR Team in 2009 to investigate revisions to the CIP-001 and EOP-004
Reliability Standards.
1. CIP-001 may be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 has some ‘fill-in-the-blank’ components to eliminate.
The development may include other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards (see tables for each
standard at the end of this SAR for more detailed information).
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC SC in August of 2009. The Disturbance and Sabotage Reporting
Standard Drafting Team (DSR SDT) was formed in late 2009. A “concepts paper” was designed
to solicit stakeholder input regarding the proposed reporting concepts that the DSR SDT has
developed.
The concept paper sought comments from stakeholders on the “road map” that will be used by
the DSR SDT in updating or revising CIP-001 and EOP-004. The concept paper provided
stakeholders the background information and thought process of the DSR SDT.
The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database
and FERC Order 693 Directives in order to determine a prudent course of action with respect to
these standards.
The DSR SDT has proposed the following concept for impact event:
An impact event is any event that has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure
or mis-operation, environmental conditions, or human action.
To support this concept, the DSR SDT has provided specific events for reporting, including types
of impact events, timing thresholds pertaining to the different types of impact events, and
who is responsible for reporting under the different impact events. This information is outlined
in Attachment 1 to the proposed standard.
The DSR SDT wishes to make clear that the proposed changes do not include any real-time
operating notifications for the types of events covered by CIP-001 and EOP-004. This is achieved
through the RCIS and is covered in other standards (e.g. TOP). The proposed standard deals
exclusively with after-the-fact reporting.
The DSR SDT is proposing to consolidate disturbance and impact event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts
• A single form to report disturbances and impact events that threaten the reliability of the
bulk electric system
• Other opportunities for efficiency, such as development of an electronic form and
possible inclusion of regional reporting requirements
• Clear criteria for reporting
• Consistent reporting timelines
• Clarity around who will receive the information and how it will be used
You do not have to answer all questions. Enter All Comments in Simple Text
Format.
Insert a “check” mark in the appropriate boxes by double-clicking the gray areas.
1. Do you agree with the purpose statement of the proposed standard? Please explain in the
comment box below.
Yes
No
Comments:
2. Do you agree with the applicable entities in the Applicability Section as well as assignment
of applicable entities noted in Attachment 1? Please explain in the comment box below.
Yes
No
Comments:
3. Do you agree with the requirement R1 and measure M1? Please explain in the comment box
below.
Yes
No
Comments:
4. Do you agree with the requirement R2 and measure M2? Please explain in the comment box
below.
Yes
No
Comments:
5. Do you agree with the requirement R3 and measure M3? Please explain in the comment box
below.
Yes
No
Comments:
6. Do you agree with the requirement R4 and measure M4? Please explain in the comment box
below.
Yes
No
Comments:
7. Do you agree with the requirement R5 and measure M5? Please explain in the comment box
below.
Yes
No
Comments:
8. Do you agree with the requirement R6 and measure M6? Please explain in the comment box
below.
Yes
No
Comments:
9. Do you agree with the requirements for the ERO (R7-R8) or is this adequately covered in the
Rules of Procedure (section 802)? Please explain in the comment box below.
Yes
No
Comments:
10. Do you agree with the impact event list in Attachment 1? Please explain in the comment box
below and provide suggestions for additions to the list of impact events.
Yes
No
Comments:
11. Do you agree with the use of the Preliminary Impact Event Report (Attachment 2)? Please
explain in the comment box below.
Yes
No
Comments:
12. The DSR SDT has replaced the terms “disturbance” and “sabotage” with the term “impact
events”. Do you agree that the term “impact events” adequately replaces the terms
“disturbance” and “sabotage” and addresses the FERC directive to “further define sabotage”
in an equally efficient and effective manner? Please explain in the comment box below.
Yes
No
Comments:
13. The DSR SDT has combined EOP-004 and CIP-001 into one standard (please review the
mapping document that shows the translation of requirements from the already approved
versions of CIP-001 and EOP-004 to the proposed EOP-004), EOP-004-3 and retiring CIP-001.
Do you agree that there is no reliability gap between the existing standards and the
proposed standard? Please explain in the comment box below.
Yes
No
Comments:
14. Do you agree with the proposed effective dates? Please explain in the comment box below.
Yes
No
Comments:
15. Do you have any other comments that you have not identified above?
Yes
No
Comments:
Mapping Document Showing Translation of CIP-001-1 – Sabotage Reporting and EOP-004-1 – Disturbance Reporting, into EOP-004-2 Impact Event and Disturbance Assessment, Analysis, and Reporting
Standard: CIP-001-1 – Sabotage Reporting
Columns: Requirement in Approved Standard; Translation to New Standard or Other Action; Proposed Language in EOP-004-2 - Impact Event and Disturbance Assessment, Analysis, and Reporting

Requirement in Approved Standard:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and
Load-Serving Entity shall have procedures for the recognition of and for making their operating personnel
aware of sabotage events on its facilities and multi site sabotage affecting larger portions of the
Interconnection.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R2
Proposed Language in EOP-004-2:
R2. Each Applicable Entity identified in Attachment 1 shall have an Operating
Plan(s) for identifying, assessing and reporting impact events listed in
Attachment 1 that includes the following components:
2.1. Method(s) for identifying impact events
2.2. Method(s) for assessing cause(s) of impact events
2.3. Method(s) for making internal and external notifications
pursuant to Parts 2.5 and 2.6
2.4. List of internal company personnel responsible for making
initial notification(s) pursuant to Parts 2.5 and 2.6.
2.5. List of internal company personnel to notify
2.6. List of external organizations to notify to include but not
limited to NERC, Regional Entity, Law Enforcement, and
Governmental or Provincial Agencies.
2.7. Method(s) for updating the Operating Plan when there is a
component change within 30 days of the notification of the
change.
2.8. A provision for updating the Operating Plan based on lessons
learned from an exercise or implementation of the Operating
Plan within 30 days of identifying the lessons learned.
2.9. A provision for updating the Operating Plan based on
applicable lessons learned from the annual NERC report
issued pursuant to Requirement R8 within 30 days of NERC
publishing lessons learned.

Requirement in Approved Standard:
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and
Load-Serving Entity shall have procedures for the communication of information concerning sabotage
events to appropriate parties in the Interconnection.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R2

Requirement in Approved Standard:
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and
Load-Serving Entity shall provide its operating personnel with sabotage response guidelines, including
personnel to contact, for reporting disturbances due to sabotage events.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R2

Requirement in Approved Standard:
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and
Load-Serving Entity shall establish communications contacts, as applicable, with local Federal Bureau of
Investigation (FBI) or Royal Canadian Mounted Police (RCMP) officials and develop reporting procedures
as appropriate to their circumstances.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R2

Standard: EOP-004-1 – Disturbance Reporting
Columns: Requirement in Approved Standard; Translation to New Standard or Other Action; Proposed Language in EOP-004-2 - Impact Event and Disturbance Assessment, Analysis, and Reporting / Comments

Requirement in Approved Standard:
R1. Each Regional Reliability Organization shall establish and maintain a Regional reporting procedure to
facilitate preparation of preliminary and final disturbance reports.
Translation to New Standard or Other Action:
Retire this fill-in-the-blank requirement. Replace with new reporting procedure developed by NERC EAWG.
Proposed Language in EOP-004-2 / Comments:
(The NERC EAWG is working to develop continent wide reporting
guidelines applicable under the NERC Rules of Procedure.)

Requirement in Approved Standard:
R2. A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator or
Load-Serving Entity shall promptly analyze Bulk Electric System disturbances on its system or facilities.
Translation to New Standard or Other Action:
Translated into EOP-004-2, R1
Proposed Language in EOP-004-2 / Comments:
R1. Each Applicable Entity shall have a documented Operating Plan for
identifying and assessing impact events listed in Attachment 1.

Requirement in Approved Standard:
R3. A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator or
Load-Serving Entity experiencing a reportable incident shall provide a preliminary written report to its
Regional Reliability Organization and NERC.
Translation to New Standard or Other Action:
Translated into EOP-004-2, R6
Proposed Language in EOP-004-2 / Comments:
R6. Each Applicable Entity shall report impact events in accordance with
its Operating Plan created pursuant to Requirement R2 and the timelines
outlined in Attachment 1.

Requirement in Approved Standard:
R3.1. The affected Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator
or Load-Serving Entity shall submit within 24 hours of the disturbance or unusual occurrence either a copy of
the report submitted to DOE, or, if no DOE report is required, a copy of the NERC Interconnection
Reliability Operating Limit and Preliminary Disturbance Report form. Events that are not identified until some
time after they occur shall be reported within 24 hours of being recognized.
Translation to New Standard or Other Action:
Translated into EOP-004-2, R6
Proposed Language in EOP-004-2 / Comments:
R6. Each Applicable Entity shall report impact events in accordance with
its Operating Plan created pursuant to Requirement R2 and the timelines
outlined in Attachment 1.

Requirement in Approved Standard:
R3.2. Applicable reporting forms are provided in Attachments 022-1 and 022-2.
Translation to New Standard or Other Action:
Retire – informational statement

Requirement in Approved Standard:
R3.3. Under certain adverse conditions, e.g., severe weather, it may not be possible to assess the damage
caused by a disturbance and issue a written Interconnection Reliability Operating Limit and
Preliminary Disturbance Report within 24 hours. In such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator, Generator Operator, or Load-Serving Entity shall promptly notify
its Regional Reliability Organization(s) and NERC, and verbally provide as much information as is available at
that time. The affected Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, or Load-Serving Entity shall then provide timely, periodic verbal updates until adequate
information is available to issue a written Preliminary Disturbance Report.
Translation to New Standard or Other Action:
Retire as a requirement. Added as a “Note” to EOP-004-Attachment 1-Impact Events Table
Proposed Language in EOP-004-2 / Comments:
NOTE: Under certain adverse conditions, e.g., severe weather, it may not
be possible to assess the damage caused by an impact event and issue a
written Impact Event Report within the timing in the table below. In such
cases, the affected Applicable Entity shall notify its Regional Entity(ies)
and NERC, and verbally provide as much information as is available at
that time. The affected Applicable Entity shall then provide periodic
verbal updates until adequate information is available to issue a written
Preliminary Impact Event Report.

Requirement in Approved Standard:
R3.4. If, in the judgment of the Regional Reliability Organization, after consultation with the Reliability
Coordinator, Balancing Authority, Transmission Operator, Generator Operator, or Load-Serving Entity in
which a disturbance occurred, a final report is required, the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load-Serving Entity shall prepare this report within
60 days. As a minimum, the final report shall have a discussion of the events and its cause, the conclusions
reached, and recommendations to prevent recurrence of this type of event. The report shall be subject to
Regional Reliability Organization approval.
Translation to New Standard or Other Action:
Retire this fill-in-the-blank requirement. Replace with new reporting procedure developed by NERC EAWG.
Proposed Language in EOP-004-2 / Comments:
(The NERC EAWG is working to develop continent wide reporting
guidelines applicable under the NERC Rules of Procedure.)

Requirement in Approved Standard:
R4. When a Bulk Electric System disturbance occurs, the Regional Reliability Organization shall make its
representatives on the NERC Operating Committee and Disturbance Analysis Working Group available to the
affected Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, or
Load-Serving Entity immediately affected by the disturbance for the purpose of providing any needed
assistance in the investigation and to assist in the preparation of a final report.
Translation to New Standard or Other Action:
Retire this fill-in-the-blank requirement. Replace with new reporting procedure developed by NERC EAWG.
Proposed Language in EOP-004-2 / Comments:
(The NERC EAWG is working to develop continent wide reporting
guidelines applicable under the NERC Rules of Procedure.)

Requirement in Approved Standard:
R5. The Regional Reliability Organization shall track and review the status of all final report recommendations
at least twice each year to ensure they are being acted upon in a timely manner. If any recommendation has
not been acted on within two years, or if Regional Reliability Organization tracking and review indicates at
any time that any recommendation is not being acted on with sufficient diligence, the Regional Reliability
Organization shall notify the NERC Planning Committee and Operating Committee of the status of the
recommendation(s) and the steps the Regional Reliability Organization has taken to accelerate
implementation.
Translation to New Standard or Other Action:
Retire this fill-in-the-blank requirement. Replace with new reporting procedure developed by NERC EAWG.
Proposed Language in EOP-004-2 / Comments:
(The NERC EAWG is working to develop continent wide reporting
guidelines applicable under the NERC Rules of Procedure.)

Standards Announcement
30-Day Informal Comment Period Open
September 15 - October 15, 2010
Now available at: http://www.nerc.com/filez/standards/Project200901_Disturbance_Sabotage_Reporting.html
Project 2009-01 Disturbance and Sabotage Reporting
The Disturbance and Sabotage Reporting Standard Drafting Team is seeking comments on its preliminary draft
of EOP-004-2 – Impact Event and Disturbance Assessment, Analysis, and Reporting until 8 p.m. EDT on
October 15, 2010.
Transition from Reliability Standards Development Procedure Version 7 – to Standard Processes Manual
In accordance with the Standard Processes Manual approved by FERC on September 3, 2010, the drafting team
is using an “informal” comment period to solicit stakeholder feedback. The new standard development process
allows drafting teams to use informal comment periods. Unlike formal comment periods where a drafting team
provides a response to each comment submitted, with informal comment periods the drafting team provides a
summary response to each question asked on its comment form, but the team is not obligated to provide an
individual response to each comment submitted. The summary response will indicate whether stakeholders
support the proposal and will identify any additional changes made based on stakeholder comments. With
informal comment periods drafting teams are not required to provide an individual response to each comment
submitted. This change to the process is intended to give drafting teams more time to deliberate on technical
issues, as opposed to deliberating on individual responses to comments. Note that while informal comment
periods are allowed in the new standard process for preliminary drafts of proposed standards, formal comment
periods are still required for the final draft of each standard.
Instructions
Please use this electronic form to submit comments. If you experience any difficulties in using the electronic
form, please contact Monica Benson at monica.benson@nerc.net. An off-line, unofficial copy of the comment
form is posted on the project page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Next Steps
The drafting team will draft and post a summary response to the comments received and conforming revisions
to the standard. The next step will be either another 30-day informal comment period or a 30-day formal comment
period on the complete standard.
Project Background
This project involves revising existing standards CIP-001-1 — Sabotage Reporting and EOP-004-1 —
Disturbance Reporting to eliminate redundancies and provide clarity on sabotage events. The project will
address several issues identified by stakeholders, as well as FERC directives from Order 693, including a
directive to provide greater clarity to requirements associated with “sabotage.”
EOP-004-2 was drafted using the “results-based” criteria for developing a reliability standard. The results-based
approach includes considerably more emphasis on the “concepts and assumptions” underlying the
development of requirements and goes beyond the steps most drafting teams have previously used when
developing a standard. Accordingly, the “look and feel” of a results-based standard is quite different than
NERC’s existing standards. However, at the core is a set of mandatory and enforceable requirements with
useful guidance supporting these requirements, an approach NERC’s legal counsel has reviewed and finds
acceptable. More information about results-based standards can be found at:
http://www.nerc.com/filez/standards/Project2010-06_Results-based_Reliability_Standards.html
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development process. The
success of the NERC standards development process depends on stakeholder participation. We extend our
thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 609.452.8060
North American Electric Reliability Corporation
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
Individual or group. (60 Responses)
Name (37 Responses)
Organization (37 Responses)
Group Name (23 Responses)
Lead Contact (23 Responses)
Question 1 (56 Responses)
Question 1 Comments (60 Responses)
Question 2 (58 Responses)
Question 2 Comments (60 Responses)
Question 3 (54 Responses)
Question 3 Comments (60 Responses)
Question 4 (56 Responses)
Question 4 Comments (60 Responses)
Question 5 (54 Responses)
Question 5 Comments (60 Responses)
Question 6 (55 Responses)
Question 6 Comments (60 Responses)
Question 7 (55 Responses)
Question 7 Comments (60 Responses)
Question 8 (54 Responses)
Question 8 Comments (60 Responses)
Question 9 (49 Responses)
Question 9 Comments (60 Responses)
Question 10 (55 Responses)
Question 10 Comments (60 Responses)
Question 11 (52 Responses)
Question 11 Comments (60 Responses)
Question 12 (53 Responses)
Question 12 Comments (60 Responses)
Question 13 (52 Responses)
Question 13 Comments (60 Responses)
Question 14 (49 Responses)
Question 14 Comments (60 Responses)
Question 15 (54 Responses)
Question 15 Comments (60 Responses)
Group
Northeast Power Coordinating Council
Guy Zito
No
The proposed requirements in the standard are not focused on the core industry concern that current requirements are
unclear as to what types of events warrant entities to report. Per draft 2 of the SAR, “The existing requirements need to
be revised to be more specific – and there needs to be more clarity in what sabotage looks like.” Instead this proposed
standard includes requirements that are more focused on “how” to report, rather than “what” to report. The draft 2 SAR
has never been balloted for approval prior to standard drafting. In fact, the SAR states, “The development may include
other improvements to the standards deemed appropriate by the drafting team, with consensus on the stakeholders
(emphasis added), consistent with establishing high quality, enforceable and technically sufficient bulk power system
reliability standards.” The scope of the SAR, and likewise the proposed standard, is inappropriate to the fundamental
reliability purpose of what events need to be reported. The proposed administrative requirements are difficult to
interpret, implement and measure, and do not clarify what type of sabotage information entities need to report.
Although the use of procedures and an understanding by those personnel accountable seems helpful for ensuring
reports are made, the fundamental purpose of clarifying what types of events should be reported and more importantly
what types do not have to be reported, is lacking in the standard. Also, one of the first issues identified in the SAR for
consideration by the drafting team seems to be ignored: “Consider whether separate, less burdensome requirements
for smaller entities may be appropriate.” The requirements for entities to develop Operating Plans and to have training
for those plans, further adds uncertainty and increases complexity of how entities, large and small, will have to comply
with this standard. The term “impact events” does not draw a clear boundary around those events that are affected by
this standard. Since this is not a defined term, nor is intended to be a defined term in the NERC Glossary, this standard
lacks clarity and is likely to produce significant conflict as an applicable entity attempts to establish procedures to
assure compliance. It appears that situational awareness could not be improved with this standard since it is only
dealing with events after-the-fact, not within the time frame to allow corrective action by the system operator. This draft
standard should not have this high a priority while other standards having a greater impact on Bulk Electric System
reliability remain incomplete or unfinished. Regional reporting requirements should be in Regional Standards, and not
be included in a NERC Standard.
No
Having the ERO as an applicable entity raises the issue that they are also the compliance enforcement authority. The
ERO is responsible for multiple requirements in this standard that shape the ultimate actual rules that the other
applicable entities would be required to meet. For example, establishing and maintaining a system for receiving and
distributing impact events, per R1, would be done solely by the ERO, outside of NERC’s open process. NERC has also
offered the opinion that since NERC is not a “user, owner, or operator” Standards are not enforceable against the ERO.
In Attachment 1 the time frames listed are not consistent for similar events. For example, EEAs are either reported
within one or 24 hours depending on the nuance. Having multiple entities reporting the same event is troublesome, i.e.,
why does a RC have to report an EEA if the BA is going to report it? This will lead to unnecessary and possibly
conflicting reports for the same event. Attachment 1 seems to be consolidating time frames from other standards into
one for reporting. However, this subject is more complex than this table reveals, and the table needs more clarification.
Entities that have information about possible sabotage events should report these to NERC after the fact, and the
standard should simply reflect that. While we agree with the list of functional entities identified in the Applicability
Section, we do not agree with their application in Attachment 1. As the functional entities are identified in Attachment 1,
it is likely that there is going to be duplicate reporting. Several of the events require filing a written formal report within
one hour. For example, system separation is going to require an “all hands on deck” response to the actual event. The
paragraph above the table in Attachment 1 indicates that a verbal report would be allowed in certain circumstances, but
this is the same issue with the formal report in that the system operators are concerned with the event and not the
reporting requirements. There is already a DOE requirement to report certain events. We see no need to develop
redundant reporting requirements through NERC that cross federal agency jurisdictions.
No
Having the ERO as an applicable entity raises a concern because they are also the Compliance Enforcement Authority.
The ERO is responsible for multiple requirements in this standard that shape the ultimate actual rules that the other
applicable entities would be required to meet. Establishing and maintaining a system for receiving and distributing
impact events, per R1, would be done solely by the ERO, outside of NERC’s open process. At this stage it is not clear
how the ERO will develop or effectively maintain a list of “applicable government, provincial or law enforcement
agencies” for distribution as defined in R1. The “rationale for R1” states that OE-417 could be included as part of the
electronic form, but responsible entities will ultimately be responsible for ensuring that OE-417 reports are received at
DOE. This requirement needs to be more definitive with respect to OE-417. The better approach would be for the
entities to complete OE-417 form and this standard simply require a copy.
No
This is an overly prescriptive requirement given that the intent of this standard is after-the-fact reporting. The
requirement to create an Operating Plan is an unnecessary burden that offers no additional improvements to the
reliability of the Bulk Electric System, and this is not, in fact, an Operating Plan. At most, it may be a reporting plan.
Most of these requirements are administrative and procedural in nature and, therefore, do not belong as requirements
in a Reliability Standard. Perhaps they could be characterized as a best practice and have an associated set of
Guidelines developed and posted on the subject. As proposed, the Operating Plan is not required to ensure Bulk
Electric System reliability. As stated in the purpose of this standard, it does not cover any real-time operating
notifications for the types of events covered by CIP-001, EOP-004. Since these incidents are meant to be reportable
after-the-fact, familiarity with the reporting requirements and time frames is sufficient. Stating reporting requirements
directly in the standard would produce a more uniform and effective result across the industry, contributing towards a
more reliable Bulk Electric System. R2.6 establishes an external organization list for Applicable Entity reporting, yet R1
suggests that external reporting will be accomplished via submittal of impact event reports. How will the two
requirements be coordinated? What governmental agencies are appropriate, and how will duplicative reporting be
addressed (for example, DOE, Nuclear Regulatory Commission)? Also, in the “rationale for R2”, please explain the
reference to Parts 3.3 and 3.4.
No
“Impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to build auditable
compliance procedures. Although it is useful for entities to make an initial assessment of a probable cause of an event,
this requirement should stand alone and does not need to be tied to requirement R2, Operating Plan. Quite often, it
takes a considerable amount of time for an actual cause to be determined. The determination process may require a
complex root cause analysis. Further, in the case of suspected or potential sabotage, the industry can only say it
doesn’t know, but it may be possible. Law enforcement agencies make the determination of whether sabotage is
involved, and the information may not be made available until an investigation is completed, if indeed it is ever made
available.
No
The need for a periodic drill has not been established, and appears to be overly restrictive given the intent of the
standard is the reporting of impact events. Suggest this requirement be eliminated. Similar to our comments on R2 for
an Operating Plan, a drill, exercise, or Real-time implementation of its Operating Plan for reporting is unnecessary.
Such things are training practices. There are already existing standards requirements regarding training. There is no
imminent threat to reliability that requires these events to be reported in as short a time frame as may be required for
real-time operating conditions notifications.
No
The need for a periodic drill has not been established, and appears to be overly restrictive given that the intent of the
standard is reporting of impact events. Suggest this requirement be eliminated. There are training standards in place
that cover these requirements. The relevant personnel should be “aware” of the reporting requirements. But there is not
a need to have a training program with specific time frames for reporting impact events. Awareness of these reporting
requirements can be achieved through whatever means are available for entities to employ to train on any of the NERC
standards, and need not be dictated by requirements.
No
Entities are already required by other agencies (e.g., DOE, NRC) to report certain events. We see no need to develop
redundant reporting requirements for NERC that cross other federal agency jurisdictions. There is no need for an
Operating Plan as proposed. This is not truly an Operating Plan. There are already other standards which create the
requirements for an Operating Plan. This is an administrative reporting plan and any associated impact upon reliability
is far beyond real-time operations which is implied by the label “Operating Plan”.
No
Having the ERO as an applicable entity raises concern as it is also the compliance enforcement authority. Requirement
R7 is unnecessary as there are already requirements in place for three year reviews of all Standards. R8 contains
requirements to release information that should be protected, such as identification of trends and threats against the
Bulk Electric System. This may trigger more threats because it will be published to unwanted persons in the private
sector. We do not support an annual time frame to update the events list. The list should be updated as needed
through the Reliability Standards Development Process. Any changes to a standard must be made through the
standards development process, and may not be done at the direction of the ERO without going through the process.
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable entity to
report the event. This is duplicative and would overburden the reporting system. 2) Loss of off-site power (grid supply)
reporting for nuclear plants is duplicative of reporting done to satisfy NRC requirements. Given the activity at a nuclear
plant during this event, this additional reporting is not desired. 3) Cyber intrusion remains an event that would need to
be reported multiple times (e.g., this standard, OE-417, NRC requirements, etc.). 4) Since external reporting for other
regulators (e.g., DOE, NRC, etc.) remains an obligation of the Applicable Entity, suggest that Attachment 1 only contain
impact events as defined in the current version of EOP-004. What are the examples at the bottom of page 14 supposed
to illustrate? Critical Asset should have the appropriate capitalization as being a defined term. Is Critical Asset what is
intended to be used here? Should the “a” list be read as ANDs or ORs? Does “loss of all monitoring communications”
mean “loss of all BES monitoring communications”? Does “loss of all voice communications” mean “loss of all BES
voice communications?” Are the blue boxes footnotes or examples? Does “forced intrusion” mean “physical intrusion”
(which is different from “cyber intrusion”)? Regarding “Risk to BES Equipment,” request clarification of
“non-environmental”. Regarding the train derailment example, the mixture of BES equipment and facility is confusing.
Request clarification for when the clock starts ticking. Regarding “Detection of a cyber intrusion to critical cyber assets”,
there is concern that this creates a double jeopardy situation between CIP-008 and EOP-004-2 R2.6. Suggest physical
incident reporting be part of EOP-004 and cyber security reporting be part of CIP-008.
No
There is already a DOE requirement to report certain events. There is no need to develop redundant reporting
requirements to NERC that cross other federal agency jurisdictions. The heading on page 16 refers to EOP-002, but
this is Standard EOP-004. If some questions do not require an answer all of the time, then the form should state that or
provide a NA checkbox. While Attachment 1 details some cyber thresholds, Attachment 2 provides no means to report
– which is acceptable if cyber incidents are handled by CIP-008 per the comment provided for Question 10. The Event
Report Template in Appendix A is different from the most recent version, which is available at:
http://www.nerc.com/docs/eawg/Event_Analysis_Process_WORKINGDRAFT_100110-Clean.pdf
No
The use of the term “impact events” has simply replaced the terms “disturbance” and “sabotage”, and has not further
defined sabotage as directed by FERC. We do feel that “impact events” needs to be a defined term. While we agree
with the SDT’s new direction, the FERC directive has not been met. This term and the FERC directive do not recognize
limitations in what a registered entity can do to determine whether an act of sabotage has been committed. This term
should recognize law enforcement and other specialized agencies, including international agencies’ roles in defining
acts of sabotage, and not hold the registered entity wholly responsible to do so.
No
Per the mapping document, some of the existing requirements are awaiting a new reporting procedure being
developed by the NERC EAWG. For those requirements that were transferred over, the resulting standard seems
overly complex and lacks clarity. EOP-004-3 should be EOP-004-2.
No
The effective dates in Canada need to be defined. The first bullet should be sufficient. If the training and Operation Plan
requirements are adopted as proposed, this may not allow sufficient time for some entities to comply, particularly those
with limited number of staff, but perform functions that have multiple event reporting requirements.
Yes
Request clarification on how RCIS is part of this Standard. The form should be filled out in two stages. First stage
would be the immediately available information. The second stage would be the additional information such as one line
diagrams. There is concern with burdening the reporting operator on filling out forms instead of operating the Bulk
Electric System. Most of the draft requirements are written as administrative in nature, and this is not most effective.
Changes need to be made to (or possibly elimination of) R1, R2, R3. The standards should be changed to define what
a “disturbance” is for reporting in EOP-004. Sabotage reporting as per CIP-001 should be rescinded as EOP-004
already has such a requirement.
Group
Tenaska
Brian Pillittere
Yes
Yes
Yes
No
We have adequate compliance procedures already in place for the existing CIP-001-1 and EOP-004-1 Standards. The
list of required “Operating Plan” components in the proposed R2 is too specific. Maintaining the “Operating Plan”
described in R2 would increase the burden on Registered Entities to comply with the Standard and this type of "laundry
list" Requirement would make it more difficult to prove compliance with EOP-004-2 during an audit.
No
The probable cause of a reportable event is already required to be submitted on the OE-417 form. This Requirement is
redundant.
No
This Requirement is too specific and places additional burdens on Registered Entities.
No
This Requirement is too specific and places additional burdens on Registered Entities.
No
The reporting timelines are currently listed on the OE-417 form. This Requirement is redundant.
Yes
Since the proposed EOP-004-2 Standard does not eliminate the OE-417 reporting requirement, it does not streamline
the existing CIP-001-1 and EOP-004-1 reporting requirements for GO/GOP’s. The "laundry list" of components
required in the Operating Plan described in R2 is too specific and would make it more difficult to prove compliance
during an audit. We prefer that the existing CIP-001-1 and EOP-004-1 Standards remain unchanged.
Individual
Brenda Lyn Truhe
PPL Electric Utilities
Yes
No
While we agree with the applicable entities in the Applicability Section of the revised standard, we would like the SDT to
reconsider the applicable entities identified on Attachment 1, specifically regarding duplication of reporting e.g. should
TO and TOP report?
Yes
No
While we agree with documenting our process, we feel the use of the defined term Operating Plan is not required and
possibly a misuse of the term. We would like to suggest using the term ‘procedure’. Additionally, we would like the SDT
to confirm/clarify whether Attachment 1 is a complete list of impact events. Also, please confirm that the Proposed R2.1
language ‘Method(s) for identifying impact events’ means identifying impact event occurrence as opposed to identifying
list of impact events. i.e. does R2.1 mean recognize impact event occurrence?
No
We believe the rationale for R3 is good and provides value. However, we feel the clarity was lost when the rationale
was translated to the standards language. Please consider revising language to refocus on rationale of assess and
report per Attachment 1 as opposed to identify. We suggest changing the word “identify” to “recognize” and add the
Rationale statement to the requirement as follows: “Each Applicable Entity shall assess the causes of the reportable
event and gather available information to complete the report.”
Yes
No
We agree with the need for training on one’s process. However, we suggest changes to R5.3. Consider expanding the
exception criteria to exempt non-substantive changes such as errata changes, minor editorial changes, contact
information changes, etc. We also suggest saying ‘…,training shall be conducted, or notification of changes made,
within 30 days of the procedure revisions.’
No
We understand the rationale for this standard and support the project to combine EOP-004 and CIP-001 as well as the
reporting requirement in CIP-008. We are concerned that it may be difficult to meet Attachment 1 Part B Potential
Reliability Impact submittal times as the time to submit is 1 or 24 hours after occurrence. E.g. Risk to BES equipment,
the example given is a major event and easy to conclude. Consider forced intrusion, risk to BES equipment (increased
violence in remote area), or cyber intrusion – should Attachment 1 state ‘report within 24 hours after detection’?
Yes
No
While we think providing an impact event list is beneficial, we would like to see Attachment 1 revised and/or clarified.
Refer to response to Question 2 considering duplicate reporting. Regarding impact event ‘Damage or destruction of
BES equipment’ and considering the first example in the ‘Examples’ section, does ‘example a. i.’ mean if the BES
equipment that is damaged is not identified as a critical asset per CIP-002 that no reporting is required? Clarify the Part
A and Part B, specifically: Attachment 1 Part A is labeled ‘Actual Reliability Impact’. Does this title mean that for all
events listed that the ‘threshold for reporting’ is only met if the event occurs AND there is an actual reliability impact?
As opposed to Part B where the threshold for reporting is met when the event occurs and there is a potential for
reliability impact? This could be broad for event ‘risk to BES equipment’. Providing as much clarity as possible on the
‘threshold for reporting’ is beneficial to the industry and will help eliminate confusion with the existing CIP-001 standard
regarding ‘potential sabotage’.
Yes
For ease, timeliness, and accuracy of reporting an application with an easy to use interface would be preferred. If the
reporting is done via an application, the ability to enter partial data, save and add additional info prior to submission
would be helpful. Additionally, an application with drop downs to select from for impact event, NERC function, etc would
be helpful. #1 - Is the ‘Compliance Registration ID number’ the same as the NCR number? If this is required, include as
separate entry. #2 – is this the date of occurrence or detection?
Yes
Refer to clarification requested in question 10 comments.
Yes
Yes
Yes
Combining EOP-004, CIP-001 and CIP-008’s reporting requirements reduces redundancy and will add clarity to the
compliance activities.
Group
SERC OC Standards Review Group
Jim Case, SERC OC Chair
No
The term “impact events” does not draw a clear boundary around those events that are affected by this standard. Since
this is not a defined term, nor is intended to be a defined term in the NERC glossary, this standard lacks clarity and is
likely to produce significant conflict as an applicable entity attempts to establish procedures to assure compliance. It
appears that situational awareness could not be improved with this standard since it is only dealing with events
after-the-fact, not within the time frame to allow corrective action by the system operator.
No
We find it interesting that the ERO is listed as an applicable entity. The ERO can’t be an applicable entity because they
are the compliance enforcement authority. The ERO is responsible for multiple requirements in this standard that
shape the ultimate actual rules that the other applicable entities would be required to meet. NERC seems to be
attempting to evade FERC jurisdiction by having a standard that enables it to write new rules that don’t pass through
the normal standards development process with ultimate approval by FERC. Attachment 1 is troublesome. The time
frames listed are not consistent for similar events. For example, EEAs are either reported within one or 24 hours
depending on the nuance. Having multiple entities reporting the same event is troublesome, i.e., why does an RC have
to report an EEA if the BA is going to report it? This will lead to conflicting reports for the same event. Attachment 1
seems to be consolidating time frames from other standards into one for reporting. However, we believe this subject is
more complex than this table reveals and the table needs more clarification or it should be eliminated and leave the
time frames in the other standards. Several of the events require filing a written formal report within one hour. For
example, system separation certainly is going to require an “all hands on deck” response to the actual event. We note
that the paragraph above the table in attachment 1 indicates that a verbal report would be allowed in certain
circumstances, but this is the same issue with the formal report in that the system operators are concerned with the
event and not the reporting requirements. There is already a DOE requirement to report certain events. We see no
need to develop redundant reporting requirements in the NERC arena that cross other federal agency jurisdictions.
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority. The governance in
this situation appears incomplete.
No
This is an overly prescriptive requirement that dictates details of documentation and, as such, has no place in a
reliability standard. NERC needs to trust the RCs to do their jobs; this standard and this requirement in particular
seems to be attempting to codify the actions that an RC would take in response to an event. The cost and burden of
becoming auditably compliant with this requirement is extreme and unrealistic, especially on small entities.
No
We think “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to build
auditably compliant procedures.
No
We think this requirement is unclear – we think it requires a drill for “reporting”, which seems absurd! We recommend
the elimination of this requirement.
No
While we support training on an annual basis for the operating plan, the concept of requiring training on reporting of
after-the-fact events does not support or enhance bulk electric system reliability. We recommend the elimination of this
requirement.
No
There is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority. The governance in
this situation appears incomplete.
No
Will all reporting requirements be removed from other standards to avoid duplication? And will all future standard
revisions include revisions to this standard to incorporate associated reporting requirements? There is already a DOE
requirement to report certain events. We see no need to develop redundant reporting requirements in the NERC arena
that cross other federal agency jurisdictions.
No
There is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
Yes
We do feel that this needs to be a defined term.
No
Yes
Yes
We find it disturbing that NERC is headed down a path of codifying requirements that are redundant to existing DOE
requirements. How does redundancy in reporting requirements improve or enhance bulk electric system reliability?
Disclaimer: “The comments expressed herein represent a consensus of the views of the above named members of the
SERC OC Standards Review group only and should not be construed as the position of SERC Reliability Corporation,
its board or its officers.”
Group
PacifiCorp
Sandra Shaffer
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
Group
Luminant Energy
Brad Jones
Yes
No
Inclusion of both GO and GOP will result in duplicate reporting as both are responsible for reporting resource-related
events such as Generation Loss, Fuel Supply Emergencies and Loss of Off-site power (grid supply). Recommend
including only the GOP as it is critical that the GOP gather and communicate relevant information to the Reliability
Coordinator.
Yes
Yes
Yes
No
We support the requirements outlined in R2 which create significant obligations to maintain and update the required
Operating Plan. However, we believe annual drilling for a reporting process seems unnecessary, particularly given the
response horizon of 24 hours for the majority of impact events. If drilling is required, the standard should allow actual
events to fulfill a drilling requirement as stated in the Rationale for R4 and within the text of M4.
No
Operating Plan revisions communicated through procedure updates and employee acknowledgements of the same are
sufficient when coupled with a procedural training program that occurs according to a programmed schedule.
Yes
Yes
Continually refining the Impact Event table to better define which events should be reported would be extremely
valuable. Section 802 does not adequately require such refinement, thus R7 and R8 are appropriate inclusions to this
standard.
No
The Impact Events Table might be easier to clarify if organized by Reporting Entity rather than Event Type as events
vary substantially based on the affected BES component. For example, a GO or GOP cannot adequately determine if
an event will significantly affect the reliability margin of the system or if an event results in an IROL. Examples specific
to Reporting Entities would assist in more appropriate report submissions. Additionally, the footnote under examples of
Damage or Destruction of BES Equipment, cites “A critical asset”. This term must be clarified to indicate whether this
refers to a Critical Asset as defined by CIP 002-1. Finally, the Fuel Supply Emergency item requires additional
definitions as neither a GO nor a GOP can reasonably project if an individual fuel supply chain problem will result in the
need for emergency actions by the RC or BA.
Yes
No
The term “Impact Event” does not adequately replace the term “Sabotage”. The Impact Events table seems to provide
the definition of the term “Impact Event”. This table does not include sufficient definition for actual sabotage events.
Additionally, it does not include any provision for suspected sabotage events. Assuming the Damage or Destruction of
BES Equipment event type is intended to cover actual sabotage, the Threshold for Reporting column should include
specific levels of materiality that are specific to Functional Entity. For instance, a GO and GOP could have a MW level
to define materiality as a GO or GOP cannot assess impact to an IROL or system reliability margin due to equipment
damage. A threshold value consistent with “Generation Loss” in the proposed EOP-004 Attachment 1 would be
appropriate.
No
CIP-001-1 R3.1 includes instructions associated with the DOE OE-417 form. EOP-004-2 R2.6 should include the DOE
as an example of an external organization requiring notification. Additionally, the Rationale for R1 discusses the
possibility of one electronic form satisfying US entities with related disturbance reporting requirements but does not
include any information about the likelihood of this outcome. Please elaborate on the process required to combine
these reports.
Yes
No
Individual
Greg Froehling
Green Country Energy
Yes
Yes
Yes
No
Highly administrative version of what could accomplish the same thing. A requirement that the applicable entity shall
make appropriate notifications as required by attachment A and B events. I can see the need for review and lessons
learned but that needs to be done at a higher level since many entities may be involved in an "event".
No
Actually yes and no... An event may be caused, analyzed and corrected by one entity but most likely it will involve
more. Low Voltage or frequency may not be caused by a generator but the generator will see the event and to have the
generator assess the probable cause seems inappropriate. I can see reporting the event and duration and making
notifications.
No
Another training requirement with what benefit? We must train on all of our NERC requirements now anyway to ensure
compliance and that's not a requirement, that's implied and I think that's enough.
Same as my comment for question 6
Yes
Now this is an excellent example of all that is needed for this requirement!
Yes
I realize this is another burden for the ERO but the information would be good to know what is going on outside the
plant.
Yes
Yes
No
Yes and no ... Yes impact events is an adequate term however since it is restrained by the tables it may be helpful to
define the term and scope of the term to be more inclusive of sabotage events.
Yes
With the provision that definition and scope of "impact event" are developed and tables adjusted as needed to address
FERC's concerns specifically. “(1) further define sabotage and provide guidance as to the triggering events that would
cause an entity to report a sabotage event.”
Yes
Yes
I think the drafting team has done a wonderful job of beginning the task of combining two related standards. I ask them
to keep in mind the small generators, and others who do not have the wide view capability, that more than likely react
to events that occur with no knowledge of why they occurred, and limited staff to address administrative standard
requirements. Many times the KISS approach is the best approach.
Individual
TransAlta Centralia Generation, LLC
TransAlta Corporation
Yes
Yes
Electrical Reliability Organization (ERO) does not appear to be a defined term in the NERC Glossary of Terms on the
NERC website. Last updated April 20, 2010.
Yes
Yes
No
Clarity required: Does an entity have to report on the cause of every “applicable” impact event they witness even though
the event did not originate at their plant, system or region and did not adversely affect them? Essentially this would
require every entity that witnessed an “applicable” event to report on its cause. In most cases they will not know the
cause if they did not create the event. Measure M3 should reference Attachment 1 to indicate the ‘Time to Submit
Report’.
Yes
No
Measure M5 states applicable entities shall provide training material presented… This measure is unclear as to
whether the meaning is for internal personnel or to be provided to external entities upon request? Please clarify.
No
R6 should reference Attachment 2 to make it clear that this report form must be used. M6 seems to be requesting
evidence that the Confidential Impact Event Report was submitted. TransAlta suggests the submission of the actual
report is evidence the report was submitted. Records of this submission can be provided on request. Web Reports
Project 2009-01 has indicated online reporting is the direction they are going. If the impact report becomes an online
Web report the entity submitting the report has no way of confirming the report ended up at the Compliance
Enforcement Authority office after it is submitted. There needs to be some method that demonstrates the report was
submitted and received.
Yes
Yes
No
We recommend the ‘time to Submit Report’ to start when the event is recognized versus when it occurred.
Yes
Yes
Yes
Yes
A Confidential Impact Event Report form is included in attachment 2 but nowhere in the standard does it say to use this
form. This form appears to be similar to the “Preliminary Disturbance Report” form used in EOP-004-1. Clarity is
required.
Individual
Doug Smeall
ATCO Electric Ltd.
Yes
Yes
Yes
Yes
Yes
Yes
No
R5.3 requires an entity to conduct training within 30 days of a revision to the Operating Plan. For an entity that covers a
wide area, 30 days may not be sufficient to reach all employees.
Yes
Yes
No
Attachment 1: Part A - Transmission Loss: Only sustained outages should be reportable. Also the reporting threshold
needs to be quantified for impact events, for example: a) Size of DC converter Station > 200 MW. b) Impact of loss of
Multiple BES transmission elements in terms of significant load (> 200 MW for > 15 min).
No
Attachment 2 Item 4 implies that an entity is required to analyse and report on an impact event that occurred outside its
system. This is not practical as the entity will not have access to the necessary information.
Yes
Yes
Yes
No
Individual
Dan Roethemeyer
Dynegy Inc.
Yes
Statement is broad enough to cover both Standards.
Yes
Yes
No
For 2.7, 2.8, 2.9, 30 days is too stringent. Some changes may not warrant changes until a cumulative amount of
changes occur. Suggest making it no later than an annual review.
Yes
No
What is the basis for the drill being annual? This is too stringent. I suggest it be every 3 years.
No
The annual training seems excessive especially if there have been no changes. You have included one exception for
contact information revisions; however, it should be expanded to include exceptions for minor/non-substantial changes.
Also, make training requirements (after initial training) be required for substantive changes only.
Yes
Yes
No
A 2000 MW loss needs to be more clearly defined by either the BA, ISO, RC, etc. for the applicable entity. Also, what is
the distinction between the "damage or destruction of BES equipment" and the generation loss of >= 2000 MWs if it is
a Critical Asset which is currently drafted as those greater than 1500 MW in current draft of CIP-002-4. This could lead
to 2 events with different thresholds (i.e. 1500 MW and 2000 MWs). Possibly get rid of the 2000MW criteria and let the
threshold level be the same as the Critical Asset MW level. Or remove the Critical Asset threshold in the footnote to
Attachment 1.
Yes
No
The term is fine but FERC wants more specific examples. GO/GOP can't determine the effect on the BES.
Yes
Yes
Yes
This does not address the inability of a GO/GOP to determine effects on the BES. Surrounding BES knowledge is
limited for a GO/GOP.
Group
City of Garland
David Grubbs
Yes
Yes
No
Reason 1 Most of this is duplication of existing processes - More “Big Government” and/or “Overhead” is not needed.
There are already processes in place to notify “real time” 24 X 7 organizations that take action (RC, BA, TOP, DOE,
FBI, Local Law Enforcement, etc) in response to an “impact event”. It is stated in your document on page five (5) “The
proposed standard deals exclusively with after-the-fact reporting.” The combining of CIP 001 & EOP 004 should not
expand on existing implemented reporting requirements nor should it result in NERC forming a 24 X 7 department to
handle 1 hour (near real time) reporting requirements. Reason 2 If this should go forward as drafted, NERC should not
establish a “clearing house” for reporting requirements for Registered Entities without also taking legal responsibility for
distributing those reports to required entities. It states in at least 2 places (Page 6 & Page 22) in the document that
Responsible Entities are ultimately responsible for ensuring that OE-417 is received at the DOE. Thus, a Registered
Entity could be penalized for violating this new standard if it did not file the reports with NERC or it could still be
penalized (both criminal & civil) if they filed the reports with NERC but NERC (for whatever reason) did not follow
through with ensuring the report was properly filed at the DOE.
No
There are 4 “methods” and 2 “provision” required for this requirement – in other words, 6 “paperwork” items that
auditors will audit and likely penalize entities for. On page 1, the statement is made “…proposed standard in
accordance with Results-Based Criteria.” Having to have 4 methods and 2 provisions to end with a report (all of which
is paperwork) is not a “result based” standard. It is like being required to have a "plan to plan on planning on
composing and filing a report". Events need to be analyzed, communicated, and reported and should be audited as
such (results based) – not audited on whether they have a book filled with methods and provisions.
No
Should be part of R2 or R6 – this is unnecessary duplication
No
Existing CIP 001 and EOP 004 are reporting standards – neither currently requires annual drills or exercises.
Combining these two (2) should not entail expanding the requirements to include drills or exercises. There are existing
drills / exercises that must be performed annually for compliance with CIP 008 & CIP 009 which require the same basic
identifying, assessing, developing lessons learned, responding, and reporting skill sets. Requiring additional drills or
exercises for this new combined standard will provide additional “business overhead” that results in basically nothing
that is not obtained by the CIP 008 / 009 drills as far as securing or making the BES reliable. It does, however, result in
additional audit risk at audit time.
No
This expands beyond the original CIP 001 and EOP 004 – neither explicitly requires training – combining does not
mean expanding. In reality, what practical skill are you going to train on? People who perform the analysis on an event
are going to have job specific training external to this standard and those same folks will maintain their skill set external
to this standard. If it is going to be a results based criteria standard, then let the entities be responsible. Training on
methods to fill out and file paper work does not make the BES more reliable. The vast majority of other standards do
not have a training requirement section and yet, entities manage to be compliant with those standards. Compared to all
the other reliability standards and their requirements, are penalties for training on filling out paper work really making
the BES more secure and reliable?
No
1. The reporting requirements should not be expanded beyond CIP 001 and EOP 004-1. The goal for combining the
two should be to make the process more efficient – not add on extra requirements for procedures on how to report,
drills on reporting, training on reporting, etc. 2. The timelines requiring 1 hour reporting to the ERO are not needed and
provide little realtime benefit to the BES. Real time or near real time reporting for “people on the ground” such as the
RC, BA, TOP, FBI, Local Law Enforcement, DOE, etc. is necessary. They are in a position to take action in response to
an event. On page 5, it states “The proposed standard deals exclusively with after-the-fact reporting.” 1 Hour reporting
requirements to the ERO in addition to existing reporting are not reasonable “after-the-fact” reporting requirements in
the midst of an emergency. Also, there is not a 24X7 ERO center to report events to – why build and staff one when
they already exist at the RC, BA, TOP, DOE, FBI, Local Law Enforcement, etc. – An ERO 24X7 center would be extra
overhead that would provide no additional benefit in the first hour or hours of an emergency.
Yes
R7 – Yes as long as any changes to attachment 1 follow the “Reliability Standards Development Procedure.” R8 - Yes
as long as R8.6 is strictly “recommended actions.” They should not become “required actions” as this bypasses the
standard development process.
No
This report should follow exactly the OE-417 to avoid redundant, possible conflicting, and overall confusion in reporting.
Note: The table has entries that are in conflict with the OE-417 and thus can cause confusion in filing multiple reports
potentially causing an entity to violate Federal Law due to the confusion. By submitting the same information on
different timelines, i.e. one hour reporting under OE-417 and 24 hours under this Standard, the reports may be
significantly different causing confusion from differing reports of the same event. Although we prefer the events to match
the OE-417 events exactly, if the SDT decides to include a separate events table we make the following suggestions:
Energy Emergency requiring system-wide voltage reduction: should be reportable at 5% not 3% voltage reduction. The
standard should clearly state this was applicable for BES energy emergency conditions only, not voltage reductions for
other reasons. On voltage deviations: it should be clear that this applies to widespread effects on the BES not a single
distribution feeder that has a low voltage. For the Frequency deviation: Did not see a definition for the FTL (frequency
trigger limit). Generation loss: the reportable loss of generation should be significantly more than 500 MW. The number
of units at the location is irrelevant. Ten units at 50 MW each is no more critical than a single 500 MW unit. Under this
standard, if the plant with ten 50 MW units trips it is reportable but an 800 MW single unit is not reportable. The trip of
the 800 MW unit has much more effect on the system reliability. Damage or destruction of BES equipment: Should be
limited to specific equipment such as a 765 kV autotransformer not a 138 kV lightning arrestor. This needs to be
eliminated or significantly limited as to the equipment type that is reportable.
No
The report filed should be the OE-417 ELECTRIC EMERGENCY INCIDENT AND DISTURBANCE REPORT and
should be filed only on OE-417 reportable incidents. If this report is implemented as drafted, companies with multiple
registration numbers and functions should only have to file one report for all functions and registrations.
No
1. In keeping with a Results Based Standard, the impact event should be a trigger for filing a report. At the time of the
event, one may not know if the event was caused by sabotage. Sabotage that does not affect the BES should not be a
reportable event. 2. To comply with the Commissioners' request to define sabotage, Impact Event does not adequately
replace “sabotage”. If someone reports sabotage, people universally have a concept that someone(s) have taken some
type of action to purposely harm, disable, cripple, etc something. Impact Event does not convey that same concept. 3.
If Sabotage is left as a “trigger,” it should not include minor acts of vandalism but only acts that impact reliability of the
BES.
No
EOP-004-1 R2 did not get translated to EOP-004-2 R2 - table states it is mapped to R1
No
Do not agree with this proposed draft - instead of combining 2 standards to gain efficiency, this expands the standard
with unnecessary paperwork, drills, training, etc.
Yes
Do not agree with this proposed draft - instead of combining 2 standards to gain efficiency, this expands the standard
with unnecessary paperwork, drills, training, etc. For reports required under this standard, companies with multiple
registration numbers and functions should only have to file one report for all functions and registrations.
Individual
Kasia Mihalchuk
Manitoba Hydro
No
Though new purpose greatly clarifies the proposed EOP-004-2 and using “situational awareness” is the key to this
purpose, further clarification of specific items should be added to the purpose. “Responsible Entities shall report
SIGNIFICANT events to support interconnection situational awareness on events that impact the integrity of the Bulk
Electric System, such as islanding, generation, transmission and load losses, load shedding, operation errors,
IROL/SOL violations, sustained voltage excursions, equipment and protection failures and on suspected or acts of
sabotage.”
No
Since this Standard is to support situational awareness, more entities should be included such as Load Serving Entities
(which was removed from EOP-004-1).
Yes
Yes, keeping R1 generic and pointing to “government”, “Provincial”, “law” encompasses all entities in all major
interconnections.
Yes
R2 – 2.1 to 2.9 detail what is expected of an Operating Plan for Impact Events. The attachment 1 details the event, the
threshold parameters and time line. Though the threshold parameters in the attachment may be questioned, this
greatly clarifies the expectations of reporting events. Further events should be added to this list: “Detection of
suspected or actual or acts or threats of physical sabotage”
No
Though each local entity should identify and assess initial probable cause of impact events as per their Operating Plan,
the creation of this Operating Plan could be labor intensive and also guidelines for consistency within an RC region
should be created. So “NO” is entered simply because a large time line would be needed to properly and efficiently
implement R3 and R4.
No
Drills and exercise for implementation of the Operating Plan are important and critical, but as in question 5, or
Requirement R3, careful and detailed creation of the Operating Plan are crucial to facilitate proper training, drills and
exercises. So “NO” is entered simply because a large time line would be needed to properly and efficiently implement
R4 and R3.
No
The comments in Question 6 and 7 encompass the training aspect of this requirement.
Yes
Attachment 1 details the impact events and the thresholds of which they should be reported.
No
Rules of Procedure appear to have a different focus than R7 and R8. Briefing on Rules of Procedure 802 Assess,
review and report on: 1.1 overall electric operation 1.2 uncertainties and risks 1.3 self assessment of supply and
reliability 1.4 projects on customer demand 1.5 impact of evolving electric market practices that could affect the present
and future of the BES Briefing on R7 and R8 R7 – ERO shall review and propose revisions to Attachment 1 R8- ERO
shall publish quarterly reports on trends, threats, vulnerabilities, lessons learned and recommended actions.
Yes
Though R7 indicated Attachment 1 will be reviewed and revised regularly the immediate addition of: “Detection of
suspected or actual or acts or threats of physical sabotage” should be added.
No
Though a “Confidential Impact Event Report” is much needed the Attachment 2 needs refinement. Provide an
explanation for each “task”. Isolate and simplify the “Who, When and What” section. Isolate the description of event.
Remove items 7 to 10. Modify Attachment 1, add columns to indicate time of event, quantity, restore time, etc as
required. The Attachment 1 can be attached to Attachment 2. This could simplify and speed the reporting process.
No
The majority of the items listed in Attachment 1 are typically and historically operating events. Yes these are all “impact
events”. Sabotage, cyber and security are typically viewed as separate events. These events are not part of “a typical
day of BES operations”. These are outside events and though qualify as “impact events” should still be treated
separately.
No
Though CIP-001-1a already contained provisions for sabotage response guidelines, the new EOP-004-2 R2 (2.1 to 2.9)
will require reexamination of existing policies to remain compliant. Upon the approval of Attachment 1, the existing
disturbance guidelines will also have to be reexamined. With the addition of R3 (Identify and assess), R4 (Drills) and
R5 (Training), will also require redevelopment of existing processes.
No
Individual
Philip Savage
PacifiCorp
Yes
Yes
Yes
All efforts need to be made to include OE-417 reporting requirements to safeguard against duplicate reporting and / or
delinquent reporting. One report for all events is more preferable than multiple reports for one event.
Yes
Yes
Yes
No
Training required within 30 days of a revision to the Operating Plan is not feasible with 5 or 6 week shift rotations. A
sixty day requirement would be more realistic.
Yes
Yes
No
Energy Emergency requiring firm load shedding - An SPS/RAS could operate shedding firm load but no Energy
Emergency may exist. This requires clarification. Transmission Loss - Multiple BES transmission elements. Loss of two
transmission lines in the same corridor due to a wildfire could qualify for this reporting. Once again clarification needed.
No
As previously mentioned all effort should be made to ensure duplicate reporting is not required. OE-417 requirements
should be covered by this one form.
Yes
Yes
Yes
Yes
This is yet another standard with training requirements not covered under any PER standards. Having different training
requirements spread throughout the standards makes it increasingly difficult to ensure all training requirements are
met. Developing a "Training Standard" that lists ALL required training would streamline the process and aid greatly in
compliance monitoring.
Individual
Brian Reich
Idaho Power Company
Yes
Yes
Yes
The SDT must ensure that only a single form is required for compliance (such example OE-417).
No
The SDT needs to clarify Requirement 2.9 references an annual report issued pursuant to requirement R8, however
Requirement 8 references a quarterly report. These requirements should have the same time frames.
Yes
Yes
No
The 30 day Requirement is limited with real time operations. Most entities with real time operations utilize a 5 or 6 week
rotating schedule to comply with PER-002. The NERC Continuing Education Program allows up to 60 days to comply,
this allows the operating shifts to accommodate training within the operating schedule. The requirement 5.3 should allow
60 days to complete the training.
Yes
Yes
Yes
No
There should only be one report, utilized OE-417.
Yes
Yes
Yes
Yes
By including training requirements in each standard, creates confusion and compliance or failure to comply potential.
PER standards are in place for personnel training, these standards should be utilized for adding requirements that
require training for NERC Standards.
Individual
Chris Hajovsky
RRI Energy, Inc.
No
The purpose does not need to mention "and the reliability of the Bulk Electric System." This is the Congressional
mandate in FPA Section 215, and could be attached to every Standard, guide, notice and direction issued by FERC,
NERC and Regional Entities. In addition, the purpose references "Responsible Entities." However, section 4 on
"Applicability" references "Functional Entities." These terms should be consistent. Therefore, the purpose statement of
the proposed standard should be corrected to read, "Functional Entities identified in Section 4 shall report impact
events and their known causes to support situational awareness." CONSIDERATION: Is the phrase "shall report impact
events and their known causes" really a purpose of the Proposed Standard, or is it instead merely a means to achieve
the purpose of situational awareness? If the latter, the purpose statement can be further shortened to read, "Functional
Entities identified in Section 4 shall support situational awareness of impact events and their known causes."
No
Agree with the "Applicability" section functional categories. Agree with the Attachment 1 lists of "Entity with Reporting
Responsibility," with the following exceptions: PART A "Damage or Destruction of BES Equipment" - This item has a
footnote 1 listed, but nothing at the bottom of the page for a footnote. Assuming the footnote reference is intended to
reference the "Examples" at the bottom of the page, the following concerns exist: (i) "critical asset" - Is this term
intended to reference a "Critical Asset" identified pursuant to the CIP-002 risk-based assessment methodology? If so, it
should be capitalized. If not, who determines what constitutes a lower case "critical asset"? (ii) "Significantly affects the
reliability margin of the system…" - If this is intended to be enforceable, several words need significant clarification and
definition, such as "Significantly," "reliability margin," "system" (BES?), "potential," and "emergency action." The
combined ambiguity of just two of those phrases would most likely result in a court holding this statement as so vague
as to be unenforceable. The combined lack of clarity of all the highlighted words or phrases render this sentence
meaningless. (iii) "Damaged or destroyed due to a non-environmental external cause" - "Non-environmental external
cause" should be a defined term because, as is the case in item (ii) above, it is vague and subject to broad, random or
arbitrary interpretation. Part B provides examples of "non-environmental physical threat" for "Risk to BES equipment."
Those examples could be referenced here, or different examples included that are more applicable to the Event. The
items highlighted in items (ii) and (iii) above are very similar to the unintended string of CIP-001 violations that
Registered Entities experienced in 2007 and 2008 for failing to provide their own definition of "sabotage" under a
sabotage reporting standard that failed to provide any guidance to the industry within the standard as to what
constituted "sabotage." PART B "Detection of a cyber intrusion to critical cyber assets" - Capitalize "Critical Cyber
Asset."
Yes
While including the phrase "to enhance and support situational awareness" is a good use of the Results-Based
Standards development tools and framework, the phrase is already included in the purpose statement. As such, it is
unnecessary in Requirement 1. If it were to be included in Requirement 1, then it would also need to be included in
each of the other Requirements 2 through 8. The "Purpose" statement captures this aptly.
No
1. R2 includes the phrase "for identifying, assessing and reporting," followed by R2.1 which states "identifying," R2.2
which states "assessing" and both R2.3 and R2.6 state "notify" or "making internal and external notifications" (i.e.,
reporting). The language is unnecessarily redundant. RECOMMENDATION: Reword R2 phrase "for identifying,
assessing and reporting," to simply state, "for addressing." 2. Rationale for R2 - The rationale section for R2 references
in the third paragraph "Parts 3.3 and 3.4." Was this intended to reference R2.3 and R2.4?
No
"Identify and assess" - Auditors are as much in need of clearly worded, unambiguous Reliability Standards as are
Registered Entities. This phrase leaves much too wide a range of interpretations, almost guaranteeing regular and
frequent disagreements during an audit between Registered Entity and Regional Entity auditor as to what constitutes
"identify and assess" sufficient to meet the intent of this Requirement. Compounding this issue is the Rationale for R3
that states an Applicable Entity (which should probably read "applicable Functional Entity") should "gather enough
information to complete the report that is required to be filed." While Rationale statements are not technically part of the
standard, this emphasizes the current wording of the requirement as subject to random and arbitrary interpretation by
auditors and Registered Entities. RECOMMENDATION: Change "identify and assess" to "document," so that the
Requirement now reads "Each Applicable Entity shall document initial probable cause of impact events…" including an
option for "cause not determined".
No
Every employee in a Registered Entity might potentially have exposure to an impact event, and therefore result in a list
of thousands of employees subject to the EOP-004-2 Operating Plan. Does this mean, for example, an applicable
Functional Entity with 3,000 employees, each capable of potentially observing an impact event, must include them in
the drill, exercise, or Real-Time implementation? Such an expectation would require a hypothetical email notice to be
sent to 3,000 employees, advising them "This is a test - You observe a suspicious vehicle driving around the fence of
your power plant. Perform the next action you should take." The result in this hypothetical might be 3,000 phone calls
and emails to the responsible employee in the applicable Functional Entity, each needing to be documented and
retained for the audit period. As stated above in question 5, auditors need guidance as much as Registered Entities.
Otherwise, it is observed that they will seek the most stringent approach they observe from the best of the best
practices over the first year of implementation and apply that expectation as the base-case, under which all other
approaches will be deemed violations.
No
1. This Requirement is structured to result in the same heavy-handed, zero-tolerance approach that has made CIP-004
one of the top three violated Reliability Standards. The failure in CIP-004 is that, for example, a seven-year background
check or annual training program that is tardy by one day results in a violation. There is no margin of error, proviso, or
cure scenario. Likewise, the proposed R5 in EOP-004-2 makes it a violation if someone takes their newly established
training on the day after the end of 15 months. Systems configurations are often based on quarterly monitoring for
individuals needing to take training. In addition, when dealing with potentially thousands of employees, it is inevitable
that any one of hundreds of reasons might result in an employee not being included in the tracking system, and rolling
past the 15th month. RECOMMENDATION: To avoid further burden to Regional Entity audit and enforcement
personnel as has been the case in CIP-004, develop a cure process that allows the Registered Entity to correct the
training or background check tardiness with prompt correction, fill out a notification report to submit to NERC, and
proceed with protecting the reliable operation of the BES, rather than tying up Registered Entity and Regional Entity
staffs with data requests, enforcement paperwork and administrative actions. 2. The proposed R5.3 requires the entire
applicable staff to redo the entire training within 30 days of a change to the Operating Plan. These Operating Plans will
not be short documents, and formal training will not involve a 5 minute soundbite. However, for such a significant
procedure as the Operating Plan, frequent changes and revisions are going to be very common, especially given the
likelihood of frequent clarifications, Compliance Action Notices ("CANs"), and lessons learned issued by NERC and
Regional Entities over this very detailed set of new obligations. It is not unreasonable to expect a Registered Entity to
make three or more revisions to their Operating Plan in a year, which would require training for thousands of
employees three times a year, for what might amount to a single sentence revision. Furthermore, the obligation to
retrain on the entire training program is not limited in this requirement to only those individuals impacted by the
revision. Where a change or revision only impacts 3 possible employees, this standard would require a company with
1,500 employees subject to the Operating Plan to retake the entire training. RECOMMENDATION: Clarify that upon
changes to the Operating Plan, the Registered Entity may either require full training, or instead distribute a summary of
the change(s) via email to affected personnel only.
No
RECOMMENDATION: Clarify that the reporting of impact events shall be to those entities identified in the Operation
Plan section developed specifically in Section 2.6. Reference to Attachment 1 indicates reporting to "external" parties is
the intent for R6.
Yes
We support the concept that Reliability Standard requirements and obligations that are subject to violations and
penalties should all be contained in the four-corners of the Reliability Standard. If an obligation exists in the Rules of
Procedures that creates a stand-alone responsibility that is subject to violation and penalty, it should be removed from
the Rules of Procedure and inserted into the appropriate Reliability Standard.
Yes
Yes
Yes
Agree. However, strongly encourage this to be made into a defined term in the Glossary of Terms.
Yes
Assume reference to EOP-004-3 in the question 13 was meant to reference version 2 (EOP-004-2).
Yes
No
Individual
Bill Keagle
BGE
Yes
Yes
No
R1 With the definition of "Impact Event", are we eliminating the term "Disturbance Reporting"? If we eliminate
disturbance reporting, SDT should remove the reference from the Summary of Concepts and from the title, otherwise
further definition on the distinction between the two terms is needed. R1. What is the "system" described here? What
type of system is anticipated – electronic, programmatic or can it be better described by using “standard reporting
form”? M1. Needs to seek evidence that the "system" was used for receiving reports, as well as distributing them. M1.
Examples are more appropriately used in guidance documentation than in the standard. Rationale for R1 – Final
statement regarding OE-417 needs to be removed. The ERO will establish the requirement in their “system” if the
standard remains as is. The Requirement does not require the responsible entities to send OE-417 to DOE.
No
R2.1 Creates the opportunity for differences in identifying impact events. BGE recommends additional clarity in the
statement. Are we to use Attachment 1 as a “bright line” or can we use our Operating Plan to identify what an impact
event is? R2.4 - 2.6 Does a standard need to specify both internal and external lists? 2.7 – is “component” defined
anywhere? Is it a component of the BES or a component of the Operating Plan or a component of the three lists in 2.4
to 2.6? Rationale --- Parts 3.3 and 3.4?? Do you mean 2.3 and 2.4? Is the Operating Plan under scrutiny (mandatory
and compensable) for all items in the last paragraph of the rationale?
No
R3. Limits responsibility to Attachment 1 events only and mandates that an “initial probable cause” be identified. Are we
at liberty to define “initial probable cause” and define time period for completion in the Operating Plan? BGE believes
this could cause wide difference between Operating Plans and the standard should be more prescriptive by relating to
a time-table for the life of an impact event, including expected identification time, initial assessment time and analysis
time leading to the reporting deadlines. BGE recommends not including examples of evidence in a measure but include
it in a Guideline. Including in a measure will be translated as a requirement by an auditor.
No
M4. BGE recommends not including examples of evidence in a measure but include it in a Guideline. Including in a
measure will be translated as a requirement by an auditor. Rationale for R4: If multiple exercises are performed are all
of them subject to the sub-R2 requirements and to audit/audit findings?
No
Suggested revision to clarify R5: Each Applicable Entity shall provide training to all internal personnel identified in its
Operating Plan on the Operating Plan annually. Training is only on Reporting, pursuant to R2, not on the Operating
Plan? BGE does not believe the SDT needs to identify sub bullets on this requirement. R5.1 is not logical --- what does
it mean?
Yes
Comments for clarification: R6. Use of Capital letters in Operating Plan makes it unnecessary to state "created
pursuant to Requirement 2
No
R7. Make Impact Event Table all Capital Letters (it is a title). R8. Is the term "reportable impact events" new or is impact
event intended to be capitalized? R8. Does a quarterly report of the year’s reportable impact events include 12 months
of "reportable impact events"? This is confusing. R8. In the Rationale for R8 Impact Events appears with Capital letters
- why now? Shouldn’t it appear with all Capital letters throughout the document as it is a defined term? R8. There are
no previous requirements to report threats (R8.3) or lessons learned (R8.5) or trends (R8.2) to an ERO. Is this
information from reports to the ERO or from ERO research?
No
TOP determines "system-wide" voltage reductions; why place this responsibility on a TO or DP? - Load Shedding is
automatic load shedding; why 100MW? Does a DP need to provide a Report when directed by the RC, BA or TOP to
shed load or reduce voltage? - No examples should be included in the standard! Need to define a "BES Transmission
Element". - Table shows multiple entities in "Entity with Reporting Responsibility"; is it one or is it all entities report? - In
an audit who determines "reasonably determined likely motivation" - Is it justified to expect to have "motivation"
knowledge within one hour of an event? - Why are the Responsible Entities reporting Interruptible Demand tripped /
lost?
No
There is considerable difference between this form and OE-417 necessitating that two forms be completed. BGE
believes that the purpose of combining the standards was to reduce the number of reporting entities and number of
reports to be generated by each entity. BGE believes this fails to accomplish this purpose.
Yes
The defined term “impact events” should be capitalized throughout the document to identify it as a defined term.
Additionally, BGE has noted in several comments that another term is used instead of “impact events”. These terms
should be eliminated and use “impact events” instead.
Yes
None.
Yes
None.
Yes
One item that is properly addressed is the removal of Load Serving Entity from the Applicable Functional Entities.
There may be a need to provide some guidance to Functional Entities when there are separate Transmission Owners
and Transmission Operators or Generation Owners and Generation Operators. If they are separate, there may be
redundancy in reporting. From the documentation, it doesn’t seem like the SDT are combining all reports into one form
as we would like to see. In the rationale for R1 section, it talks of getting both forms (NERC and OE-417) together in one
document (however it sounds like the forms within the document are still separate), available electronically, which only
seems like a step forward. However, it does not take away the confusing process for the operators of which part of the
form would need to be filled, who should be sent this form depending on what part is filled, if one part of the form is filled
out do the other parts need to be filled, etc. If the forms cannot be consolidated, BGE would rather the forms be
separate to reduce confusion. BGE believes all these reports should require one form with one set of recipients, period.
This may mean that NERC needs to get DOE to modify their OE-417 form.
Individual
John Brockhan
CenterPoint Energy
No
CenterPoint Energy does not agree with the purpose statement of the proposed standard. The directive from the
Commission in FERC Order 693 and restated in the Guideline and Technical Basis is “…the Commission directs the
ERO to develop the following modifications to the Reliability Standard through the Reliability Standards development
process: 1) further define sabotage and provide guidance as to the triggering events that would cause an entity to
report a sabotage event.” Instead the SDT has introduced another term, impact event, to address concerns regarding
different definitions. The term, impact event and its proposed concept is too broad. Specifically the concept that an
impact event “…has the potential to impact the reliability of the Bulk Electric System” leaves too much room for an
entity and a regulatory body to have a difference of opinion as to whether an event should be reported. Required
reporting should be limited to actual events. The reporting to follow could become overwhelming for the Responsible
Entities, the ERO, and other various organizations and agencies. Furthermore, situational awareness is a term that is
associated with aspects of real-time. Given the analysis required before a report can be submitted, the report will not
be real-time and will not sustain a purpose of supporting situational awareness. (See also comments on Q10 regarding
the “Time to Submit Report”.) A purpose that is more aligned with consolidation of the EOP-004 and CIP-001 standards
would be as follows: Responsible Entities shall report disturbance events and acts of sabotage to support the reliability
of the BES through industry awareness.
No
CenterPoint Energy does not agree with the addition of Transmission Owner and Distribution Provider to the
Applicability section. Transmission Owner and Distribution provider are not currently applicable entities for either
CIP-001 or EOP-004 and should not be included in the proposed combined standard. However, CenterPoint Energy does
agree that LSE should be removed from the Applicability section. CenterPoint Energy appreciates the SDT’s efforts in
assigning entities to each event in Attachment 1. This is an improvement over the existing EOP-004 standard. It is
clear, however, that with multiple entities responsible for reporting each event, there is no need to expand the
Applicability Section to include Transmission Owner and Distribution Provider.
No
The ERO does not need to establish a “system for receiving reports” as the “system for receiving reports” is inherent
given the requirements for reporting. The requirement also seems to add redundancy versus eliminating redundancy in
the distribution of reports to applicable government, provincial or law enforcement agencies on matters already
reported by Responsible Entities. If an event is suspected to be an intentional criminal act, i.e. “sabotage”, the
Responsible Entity would have contacted appropriate provincial or law enforcement agencies. The ERO is not in a
position to add meaningful value to these reports as any information the ERO may provide is second hand. CenterPoint
Energy recommends R1 and M1 be deleted.
No
CenterPoint Energy does not agree with R2 and M2 as they are focused on process and procedure. Compliance with a
reporting requirement should be based on a complete and accurate report submitted in a timely manner. The process
an entity uses to accomplish that task is of no consequence. CenterPoint Energy recommends R2 and M2 be deleted.
However, if the SDT feels it is necessary to include this process based requirement, CenterPoint Energy believes the
SDT, in requiring an overly prescriptive Operating Plan, has expanded the requirement beyond the current CIP-001-1
and EOP-004-1 which only require “…procedures for the recognition of and for making operating personnel aware…”
(CIP-001-1) and “…shall promptly analyze…” (EOP-004-1). Specifically, R2.2 is not found in the current Standards.
“Methods for assessing causes(s) of impact events” would vary greatly depending upon the type and severity of the
event. Responsible Entities would have a difficult time cataloging these various methods to any specific degree and if
they are not specific then CenterPoint Energy questions their value in a documented method. R2.3 is not found in the
current Standards and is an unnecessary requirement as the method of notification is irrelevant so long as the
notification is made. R2.7, R2.8, and R2.9 are also unnecessary expansions beyond what is currently in CIP-001-1 and
EOP-004-1. CIP-001-1 requires the Responsible Entity review its procedures annually and CenterPoint Energy
believes this is sufficient. When taken in total, R2 requires seven (7) different processes, provisions, and methods.
CenterPoint Energy recommends R2.2, R2.3, R2.7, R2.8 and R2.9 be deleted and believes this will not result in a
reliability gap.
No
CenterPoint Energy does not agree with R3 and M3 as written as the Company does not agree with the requirement to
have an Operating Plan (see comments to Q4 above). However, if R2 and M2 were to be deleted, and R3 was revised
to read; “Each Applicable Entity shall identify and assess initial probable cause of events listed in Attachment 1.”,
CenterPoint Energy could agree with this requirement.
No
CenterPoint Energy does not agree with R4 and M4. See comments to Q4 above. In addition to the process vs. results
based issue stated above, CenterPoint Energy believes conducting a drill to verify recognition, analysis, and reporting
procedures is a waste of valuable resources and time.
No
CenterPoint Energy believes that R5 and M5 are not necessary and should be deleted. CenterPoint Energy supports
an entity training its staff in any reporting responsibilities; however, such training should be the responsibility of each
entity and such requirements do not belong in a NERC standard. In addition, CenterPoint Energy believes any
necessary training requirements are covered in the PER Standards and therefore the addition of this requirement adds
redundancy to the Standards. If a majority of the industry supports such a requirement, CenterPoint Energy cannot
support R5 and M5 as written as we do not agree with the requirement to develop and maintain an Operating Plan (see
comments to Q4 above). CenterPoint Energy offers the following alternate language: “Each Applicable Entity shall
provide training concerning reporting requirements contained in this Standard to internal personnel involved in the
recognition or analysis of events listed in Attachment 1.
No
CenterPoint Energy does not agree with R6 and M6 as written as we do not agree with the requirement to develop and
maintain an Operating Plan (see comments to Q4 above). In addition CenterPoint Energy does not agree with the
timelines required in Attachment 1 (see comments on Q10). CenterPoint Energy offers the following alternate
language: “Each Applicable Entity shall report events outlined in Attachment 1 to applicable entities including but not
limited to; NERC, and appropriate law enforcement agencies."
No
CenterPoint Energy does not believe this requirement is necessary; however, if the SDT insists on keeping this
requirement then CenterPoint Energy believes it should remain as written. Any change to Attachment 1 should go
through the Reliability Standards Development Procedure.
No
CenterPoint Energy appreciates the efforts of the SDT in identifying the entity with reporting responsibility. This is an
improvement to the event table. CenterPoint Energy is concerned with multiple entities being listed as having Reporting
Responsibility. CenterPoint Energy recommends the SDT limit this to one entity having responsibility for reporting each
event. This would not preclude that entity from coordinating with other entities to gather data necessary to complete the
report. In addition, CenterPoint Energy believes there are several events that should be removed from the list.
“Transmission Loss” is covered by the TPL standards and does not need to be identified or reported under EOP-004.
The loss of a DC converter station or multiple BES transmission elements may or may not disrupt the reliable operation
of the BES, i.e. result in blackout, cascading outages, or voltage collapse. Likewise “Damage or destruction of BES
equipment” in and of itself should not be the subject of reporting. If the damage or destruction results in true disruption
to the reliable operation of the BES, that impact would be reported under one of the other identified events. “Voltage
Deviations” is another unnecessary event. CenterPoint Energy believes a voltage event of the proposed magnitude will,
more than likely, result in other events identified in Attachment 1 such as; IROL Violation or Generation Loss and would
be reported under one of those triggers. Another concern is the threshold trigger of +/- 10% for 15 minutes or more.
CenterPoint Energy is unclear as to the starting point to determine the deviation. In other words is the 10% deviation
from nominal voltage, such as 138kV or 345kV, or the actual voltage at the time of the event? Additionally, must the
deviation occur over a “wide area” or is such a deviation at one buss enough to trigger a report? Based upon these
ambiguities and concerns CenterPoint Energy recommends “Voltage Deviations” be deleted from Attachment 1. The
examples that follow on page 14 should also be deleted.
No
CenterPoint Energy does not agree that the term “impact event” adequately replaces “disturbances” and “sabotage”.
CenterPoint Energy suggests that just as the SDT has come to consensus on a concept for impact event, a definition
could be derived for sabotage. “Potential”, as used in the SDT’s concept, is a vague term and indicates an occurrence
that hasn’t happened. Required reporting should be limited to actual events. CenterPoint Energy offers the following
definition of “sabotage”: “An actual or attempted act that intentionally disrupts the reliable operation of the BES or
results in damage to, destruction or misuse of BES facilities that result in large scale customer outages (i.e. 300MW or
more).”
Yes
CenterPoint Energy agrees that there is no reliability gap between the existing standards and the proposed standard.
However, CenterPoint Energy believes that the SDT went too far in developing the proposed EOP-004-2 and added
additional unnecessary requirements. If the comments made above to Q1 – Q12 were to be incorporated into the
proposed Standard, CenterPoint Energy believes the product would be closer to a results based Standard with no
reliability gap.
Yes
CenterPoint Energy appreciates the efforts of the SDT in removing outdated and unnecessary language from the
existing EOP-004 standard. Additionally, CenterPoint Energy urges the SDT to also remove the proposed “how to”
prescriptive requirements. CenterPoint Energy believes the SDT team’s focus should be on drafting a results-based
standard for reporting actual system disturbances and acts of sabotage that disrupt the reliable operation of the BES.
The SDT should not delve into trying to identify a list of events that have a potential reliability impact. As stated in
response to Q10, CenterPoint Energy strongly believes that cyber-related events should not be in the scope of this
standard since they are already required to be identified and reported to appropriate entities under CIP-008. Excluding
cyber events from this standard further supports the elimination of redundancies within the body of standards.
Individual
Joylyn Faust
Consumers Energy
No
R 2.7, R 2.8 and R 2.9 are creating a requirement to have procedures to update procedures. Having updated
procedures should be the requirement, no more.
No
NERC should either standardize on a 12 month year or an annual year for reviews.
No
Again, either 12 month year or annual year, NERC needs to standardize on one or the other. Training should apply
only to those that must take action relevant to the reliability of the BES. A plan would likely include notification of senior
officers, however they don’t need to be included in drills and training if they have no active role.
Individual
Doug White
North Carolina Electric Coops
No
The term “impact event” is not a defined term in the NERC glossary and does not draw a clear boundary or give
concise guidance to aid in event recognition.
No
There is a conflict between the ERO being listed as an applicable entity and the fact that the ERO is the compliance
enforcement authority. The ERO is responsible for multiple requirements in this standard that other applicable entities
would be required to meet. Attachment 1 has inconsistent time frames listed for similar events. For example, EEA’s are
either reported within one or 24 hours depending on the nuance. Also, having more than one entity reporting an EEA
can lead to conflicting information for the same event. Attachment 1 has the RC and the BA both reporting the same
EEA event. Attachment 1 consolidates time frames from other standards for reporting purposes. There should either be
a separate standard for “reporting” that encompasses reporting requirements for all standards or leave the time frames
and reporting requirements in the original individual standards. Several of the events require filing a written formal
report within one hour. For large events like cascading outages or system separation, “all hands on deck” attention will
need to be given to the actual event. Although a verbal report would be allowed in certain circumstances, attention to
the actual event should take precedence over formal reporting requirements. There is already a DOE requirement to
report certain events and no need to develop redundant reporting requirements in the NERC arena when this
information is already available at the federal level at other agencies.
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority.
No
This requirement dictates details of documentation of after-the-fact reporting of events which cannot impact reliability of
the BES and, as such, should not be a reliability standard. The cost and burden of becoming auditably compliant with
this requirement can be extreme for small entities.
No
The term “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to build
auditably compliant procedures and give guidance on what is proper to report.
No
Requiring a drill for “reporting” is unnecessary and burdensome. Reporting is covered in processes and procedures
and during the normal training cycle. We recommend the elimination of this requirement.
No
Requiring training to report of after-the-fact events does not improve the reliability of the BES. We recommend the
elimination of this requirement.
No
There is already a DOE requirement to report certain events. NERC should not be developing redundant reporting
requirements when this information is already available at the federal level from other agencies.
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority.
No
This list is too similar and redundant to the DOE requirements and does not provide any additional clarity on
recognition of sabotage.
No
There is already a DOE requirement to report certain events. NERC should not be developing redundant reporting
requirements when this information is already available at the federal level from other agencies.
Yes
No
Yes
Yes
Keep in mind that redundancy in reporting requirements from the DOE does not improve or enhance bulk electric
system reliability but rather creates more work for the reporting entity.
Individual
Lauri Jones
Pacific Gas and Electric Company
No
PG&E recognizes this is an after the fact report, however, the purpose statement should reflect the fact that this
proposed standard is for after-the-fact reporting. If the future intent is for this report to replace current reporting criteria
the purpose statement should be expanded to reflect the true intent of the Standard.
No
PG&E recognizes the ERO is in R1, however, it does not see where the ERO’s applicability is applied in Attachment 1.
Yes
No
PG&E would like clarification on whether the 30 days is calendar days or business days.
Yes
No
PG&E believes the addition of a drill constitutes additional training and should be added to R5. PG&E is concerned as
to who the target audience for this annual training would affect.
No
PG&E believes 30 days is too restrictive due to real-time operations schedule requirements. The schedule is six weeks
and individuals may be on either long change or vacation and therefore unable to complete the training within 30 days
of the identification of the need. Suggest extending to 60 days to meet the training criteria which follows the NERC
Continuing Education revised submittal date for the Individual Learning Activities (ILA).
No
PG&E believes that if the standard is intended to be an after the fact report, we question the one and/or twenty-four
hour reporting criteria and then the 30 day criteria?
Yes
Yes
No
PG&E believes the report is duplicative to the OE-417 reporting criteria.
No
PG&E believes Attachment 1 Part A or B do not clearly specify “sabotage” events, other than “forced entry” and the
proposed definition of “impact event” does not meet FERC’s directive to “further define sabotage” nor does it take into
consideration their request to address the applicability to smaller entities.
Yes
Yes
Yes
PG&E believes as the training requirements continue to expand, having one training standard that captures all the
training required within the NERC standards will allow for better clarity for the training departments in providing and
meeting all NERC Standard compliance issues.
Individual
Laurie Williams
PNM Resources
No
PNM believes the purpose statement should reflect the fact that this proposed standard is for after-the-fact reporting. It
is misleading and may have many thinking it is duplicative work.
No
PNM OTS does not see where the ERO’s applicability is applied in Attachment 1.
Yes
No
PNM would like clarification on whether the 30 days is calendar days or business days.
Yes
No
PNM feels the addition of a drill or exercise constitutes additional training and believes R4 should be added to R5. The
WECC OTS also is interested as to what level does the annual training target, for instance, the field personnel. Will
they have to complete the exercise/drill?
No
PNM believes 30 days is too restrictive due to real-time operations schedule requirements. Most work schedules are
either five or six weeks and individuals may be on either long change or vacation and therefore unable to complete the
training within 30 days of the identification of the need. Based on the NERC Continuing Education revised submittal
date for the Individual Learning Activities (ILA), PNM would recommend 60 days. Creating an Impact Event Report is
duplicative and redundant and the WECC OTS feels this is not necessary.
No
PNM believes there seems to be redundancy in reporting based on the time frames in Attachment 1, i.e. OE-417 and
other required reports. If this standard is intended to be an after the fact report, why is there one/twenty-four hour
reporting criteria?
Yes
Yes
No
PNM believes the report is duplicative to the OE-417 reporting criteria.
No
PNM believes the proposed definition of “impact event” does not meet FERC’s directive to “further define sabotage” nor
does it take into consideration their request to address the applicability to smaller entities. Attachment 1 Part A or B do
not clearly specify “sabotage” events, other than “forced entry”.
Yes
Yes
Yes
PNM believes that having one training standard that captures all the training required within the NERC standards will
allow for better clarity for the training departments in providing and meeting all NERC Standard compliance issues. This
will become even more of an issue as training requirements continue to expand.
Individual
Val Lehner
ATC
Yes
ATC agrees with the purpose statement. However, we do not agree with the implied definition of “impact events” as
represented in Attachment 1. (See specific comments about what is included in Attachment 1 for the type of events that
qualify as an “impact event”.)
No
The Functional Entities identified in Attachment 1 do not align with the current CIP Standard obligations (e.g. Load
Serving Entities are not included).
No
ATC does not agree with R1 for three reasons: 1. The ERO cannot be assigned obligations in NERC Standards. The
requirements for the ERO should be addressed by a revision to Section 801 of the Rules of Procedure. 2. This is a
fill-in-the-blank requirement. The requirement, positioned as R1, does not allow for the obligations to be clearly defined. It
refers to R6 which refers to R2 and Attachment 1. A clearer structure to the Standard would be to simply state that the
Functional Entities have to meet the reporting obligations documented in Attachment 1 and delete the current R1.
No
The requirement should be rewritten to simply state that the Functional Entities have to meet the reporting obligations
documented in Attachment 1. How the Functional Entity meets the obligations documented in Attachment 1 should be
determined by the Functional Entity, not the requirement. The prescriptive nature of this requirement does not support
the performance-based Standards that the industry and NERC are striving towards. In addition, requirement 2.9
creates an alternate method for NERC to develop Standards outside of the ANSI process. This requirement dictates
that Functional Entities are required to incorporate lessons learned from NERC reports into their Plan, which is a
requirement of this Standard.
No
ATC believes that this requirement should be deleted and that the SDT should coordinate its goal with the EAWG. We
believe that the lessons learned process and identification of root cause is better covered under that process than
through the NERC Mandatory Standards.
No
We do not believe that a drill that exercises a written reporting obligation will add additional reliability to the BES.
No
ATC believes it is an inherent obligation of all Functional Entities to train their appropriate staff to meet all applicable
NERC Standards. Including a training requirement in some, but not all, Standards implies that the other Standards do
not necessitate training. Although this is an important Standard and one that should be included in a Functional
Entities’ training program, ATC does not believe that this Standard is more important than the other NERC Standards
and, therefore, requires a separate training provision
Yes
ATC does agree that applicable entities report on events identified in Attachment 1 (See our comments about
Attachment 1), but we do not agree that applicable entities should be required by this standard to have an Operational
Plan. Please see our comments to question 4.
No
ATC feels the ERO obligations should be covered in the Rules of Procedure. We do not agree with the requirements
assigned to the ERO, but believe that they should be incorporated into the ERO’s Rules of Procedure
No
ATC has several areas of concern regarding Attachment 1. 1. The one hour requirement for reporting will take the
Functional Entities’ focus off of addressing the immediate reliability issues and instead force the FE to devote valuable
resources to filling out forms which will potentially reduce reliability. 2. Part A: a. Provide a definition of “system wide”
for the Energy Emergency requiring system-wide voltage reduction. b. Add in the clarity that for Energy Emergency
requiring firm load shed pertains to a single event, not cumulative events. c. Insert the word “continuous” for Voltage
Deviations. d. Take off the TOP for IROL violations. (We believe that an IROL violation should be reported by the RC
and not by the TOP based on the nature of the event. Requiring both the RC and TOP to report will only result in
multiple reports for a single event. The RC is in the best position to report on an IROL violation for its RC area.) e. Take
off the TO, TOP and add the LSE for Loss of Firm Load. (As a transmission only company ATC does not have
contracts with end load users. Because of this the Loss of Firm Load should be the reporting obligations of the entity
closest to the end load users which is the BA, DP or LSE. Failure to modify this requirement will cause confusion as to
which entity has to report Loss of Firm Load.) f. Define a timeframe for Generation Loss g. Multiple should be changed
to “4 or more” for Transmission Loss.(ATC is concerned that this would require reporting of events that have little or no
industry wide benefits but would take up considerable Registered Entity resources.) h. Provide clarity to and tighten the
definition of Damage or destruction of BES equipment. The way it is written now would require over-reporting of all
damaged or destroyed equipment due to a non-environmental external cause (e.g. broken insulator). 3. Part B: a. Take
off the TO and TOP for Loss of off-site power. (The GOP has the responsibility to acquire off-site power and we believe
it is the GOP’s sole responsibility to report the Loss of off-site power. Failure to correct this would result in multiple
reporting for the same event.) b. Take off RC for Risk to BES equipment. (The RC function does not own BES
equipment and we believe it is impossible for them to report on risk to BES equipment if they are not the owner or
operator of that equipment. This standard should be required of the entity that owns/operates BES equipment.) c.
Provide guidance to the phrase “reasonably determine” in footnote. d. Examples provided do not provide a clear
obligation for an entity to follow. (Question: How close is the train to the substation? (Inches away from the substation
fence, ten feet away from the substation fence or 500 feet away from the substation fence.) In addition, this standard is
so open to interpretation that no entity can demonstrate compliance with the action. We believe that the only solution is
to delete this reporting requirement. Overall: Multiple Functional Entities impacted by the same event are required to
report. No lead entity is identified. This will result in multiple reports of the same event. ATC does not believe that this
built-in duplicity enhances reliability?
No
No. NERC does not have the authority to absolve the Functional Entities of the reporting obligations for the DOE Form
OE-417. Therefore, there will be duplicate reporting requirements and the one hour timeframes required in Attachment
1 will take valuable resources away from mitigating the event to filling out duplicative paperwork. It is ATC’s position
that the OE-417 report be used as the main reporting template until NERC and the DOE can develop a single reporting
template. Task #14 in the report should be modified to say, “Identify any known protection system misoperation(s).” If
this report is to be filed within 24 hrs, there will not be enough time to assess all operations to determine any
misoperation. As a case in point, it typically takes at least 24 hrs to receive final lightning data; therefore, not all data is
available to make a determination.
Yes
Yes, if ATC’s recommended changes are made to Attachment 1 and the Standard.
Yes
ATC agrees with this effort and does not currently see a reliability gap
Yes
Yes, if ATC’s recommended changes are made to the Standard. However, if the changes are not supported then ATC
recommends that the implementation time be changed to two years. Entities will need time to develop both the plan called
for in this standard and to train the personnel identified in the plan.
Yes
ATC believes that it is not evident in this draft that the SDT has worked collaboratively with the Events Analysis working
group to leverage their work. ATC believes that NERC must coordinate this project and the EAWG efforts. The EAWG
is proposing to modify NERC Rules of Procedure but the SDT is suggesting requirements for the ERO be built within
the standard. We believe that the Rules of Procedure is the proper course to take for identifying NERC obligations,
but what is clear is that NERC itself does not seem to have an overall plan for event reporting and analysis. Lastly, ATC
would like to see the SDT expand the mapping document to include the work of the EAWG. The industry needs to be
presented with a clear picture as to how all these things will work together along with their reporting obligations. The
definition of an “impact event” needs to be revised. First, if these events are to include any equipment failure or misoperation that impacts the BES, the standard is requiring more than is intended based upon the reading of the
requirements. PRC-004 already covers the reporting of protection system mis-operations, and if reading this definition
verbatim, it would lead one to conclude that those same mis-operations reported under PRC-004 shall also be reported
under EOP-004. The definition should be revised to something like: “An impact event is a system disturbance affecting
the Bulk Electric System beyond loss of a single element under normal operating conditions and does not include
events normally reported under PRC-004. Such events may be caused by…”
Group
Santee Cooper
Terry L. Blackwell
No
Since this standard is written to report events after-the-fact and not for a System Operator to perform corrective action,
we believe the words situational awareness should be removed from the purpose. Situational Awareness is typically
used for real-time operations. Also, any events that require reporting should be clearly defined in Attachment 1 and
leave no room for interpretation by an entity.
No
Standards cannot be applicable to an ERO because they are the compliance enforcement authority, and the ERO is
not a user, owner, or operator of the BES. Since we are reporting events that may affect the BES, why does a DP need
to be included as an applicable entity for this standard? If the DOE form is going to continue to be required by DOE,
then NERC should accept this form. Entities do not have time to fill out duplicate forms within the time limits allowed for
an event. This is burdensome on an entity. If NERC is going to require a separate reporting of events from DOE, then
NERC should look at these events closely to determine if any of the defined events should be eliminated or modified
from the current DOE form. (For example: Is shedding 100 MW of firm load really a threat to the BES?) Why does
Attachment 1 have multiple entities reporting the same event? An RC should not have to report an EEA if the BA is
required to report it. This will lead to conflicting reports for the same event. Attachment 1 is just a consolidation of the
time frame from other standards. It appears no review was done for consistency of time frames for similar events.
No
It cannot apply to the ERO.
No
The words “operating plan” should be removed from the requirement. This standard deals exclusively with after-the-fact
reporting. This requirement is also overly prescriptive.
No
Does the initial probable cause have to be reported within the timing associated in Attachment 1? Entities may not have
enough information that soon to report the initial probable cause. This should be done with events analysis.
No
There is no need to drill for administrative reporting! This requirement should be deleted.
No
The concept of requiring training on reporting of after-the-fact events does not support or enhance bulk electric system
reliability. We recommend the elimination of this requirement.
No
If the DOE form is going to continue to be required by DOE, then NERC should accept this form. Entities do not have
time to fill out duplicate forms within the time limits allowed for an event. This is burdensome on an entity
No
Standards cannot be applicable to an ERO because they are the compliance enforcement authority, and the ERO is
not a user, owner, or operator of the BES.
No
The SDT should review the list of events closely to determine if the defined events actually impact the BES. (For
example: Is shedding 100 MW of firm load really a threat to the BES?)
No
If the DOE form is going to continue to be required by DOE, then NERC should accept this form. Entities do not have
time to fill out duplicate forms within the time limits allowed for an event. This is burdensome on an entity.
No
The term "impact events" needs to be more clearly defined.
No
It is very difficult to assess this question with the standard as currently written.
No
With the proposed training and drill requirements in the current written standard, one year is not enough time.
Yes
We don’t believe that entities should be subjected to duplicate reporting to existing DOE requirements. How does
redundancy in reporting requirements improve or enhance bulk electric system reliability?
Individual
Martin Bauer
US Bureau of Reclamation
No
The purpose is more closely related to the concept that "Responsible Entities shall document and analyze impact
events and their known causes and disseminate the impact event documentation to support situational awareness".
Not all impact events are to be reported. The analysis of the impact events is what is needed to achieve a lessons
learned.
Yes
The question is focused on a limited area of Attachment A. The other problematic areas of Attachment 1 will be
addressed in subsequent comments.
No
This standard should describe the ERO process of event documentation, analysis, and dissemination. Allowing the
ERO to develop an event documentation, analysis, and dissemination process, which becomes a requirement on the
Entities, must be derived through the Standards Development Process. The requirement, as it is currently worded,
allows the ERO to develop standard requirements. If the intent is to only develop a means of collecting, which does not
impose a requirement, the wording should state so. Otherwise, if the ERO wants to require that reports are posted to a
specific location by the Entity, then it is a requirement and must go through the Standards Development Process.
Secondly, there is already a single reporting form identified. It is not clear why the SDT could not accept that form as
the reporting tool.
No
R2 does not reconcile with Attachment A or the sub paragraphs. As an example, the requirement 2.6 states "List of
organizations to notify ...." All sub paragraphs use the term notify. Notify as used in Attachment A is when a report
cannot be provided in the time frame listed in Attachment A. Therefore there is no requirement in this standard for the
Operating Plan to have a provision for reporting. The subparagraph 2.8 indicates that the Entity must update its plan
based on the lessons learned published by NERC. It would be appropriate to require a review and update of the plan
based on the lessons learned.
Yes
This is provided that the report submitted in Attachment A does not include the probable cause. It is highly unlikely that
a probable cause may be determined within the reporting timelines.
No
There is no rationale offered on why 15 months was selected. Without a defined basis the time period is arbitrary. It
would be appropriate to let the Entity determine and document the time interval. That would allow the time frame to be
sensitive to the complexity of the Operating Plan. Some entities are geographically dispersed and a single Operating
Plan may be difficult to test at one time or within 15 months. The allowance for real time events or actual use is a good
move and may make it easier to define a suitable time frame by the Entity.
No
The measure is vague and redundant. The Entity is required to provide information to be used to "verify content". The
information may be used to demonstrate compliance but who will verify the content is adequate and on what basis.
Secondly, the measure requires training information be provided twice, once to demonstrate who participated and then
to show who was trained. This is all unnecessary and could be remedied by simply stating that "evidence shall
demonstrate that all individuals listed in the plan have received training on their role in the plan"
Yes
No
Requirements 7 and 8 are covered in the Section 801. 801. Objectives of the Reliability Assessment and Performance
Analysis Program. The objectives of the NERC reliability assessment and performance analysis program are to: (1)
conduct, and report the results of, an independent assessment of the overall reliability and adequacy of the
interconnected North American bulk power systems, both as existing and as planned; (2) analyze off-normal events on
the bulk power system; (3) identify the root causes of events that may be precursors of potentially more serious events;
(4) assess past reliability performance for lessons learned; (5) disseminate findings and lessons learned to the electric
industry to improve reliability performance; and (6) develop reliability performance benchmarks. The final reliability
assessment reports shall be approved by the board for publication to the electric industry and the general public.
No
The Attachment is very vague and without modification creates a Pseudo definition of BES equipment in the example
provided. The example now indicates that something is BES equipment if it is "Damaged or destroyed due to a non-environmental external cause". Perhaps the example should be reworded to "BES equipment whose operation effects
or causes:" and then adjust each of the line items to clarify what was intended. Next, the Attachment A example
redefines reportable levels for Risk to BES Equipment - From a non-environmental physical threat as "Report copper
theft from BES equipment only if it degrades the ability of equipment to operate correctly". Who makes that
determination? Not all events will be known within 24 hours. As example, Risk to BES Equipment - From a non-environmental physical threat may not be known until more thorough examination or investigation takes place. Also the
reportable level appears to be defined by the Entity. While we agree with that, we will end up with the same criticism from
FERC when the level is set to "high" in FERC's mind. The reporting times are unrealistic for complicated events.
Notification is reasonable but not reporting. Many organizations have internal processes the reports must be vetted
through before they become public and subject to compliance scrutiny.
No
There is already a reporting form for disturbances. The SDT should reconcile this standard with all the other reporting
that is being requested and not add more.
No
The two are distinctly different. Disturbances are what happened, sabotage is why. We can easily tell what happened.
Determining why it happened (e.g. sabotage) takes time.
No
The two could be combined with no reliability gap based on the concept rather than the proposed standard. As the
standard is currently written, there is a reliability gap. Consider that after the fact reporting of a sabotage event (other
than criminal acts which may have been witnessed) usually takes some time to investigate and analyze.
No
There is a 15 month training requirement. If the standard goes into effect in one year, most entities will not have had an
opportunity to develop their new Operating Plans and train their staff. The effective date should recognize Operating
Plans need to be revised and then training needs to be implemented. The most aggressive schedule is 18 months. Two
years would be more appropriate. The implementation date could recognize the Operating Plan development as one
phase and the training as the second.
Yes
The SDT should consider that in reality it would be more streamlined to require immediate notification of an event for
situational awareness, and then give adequate time for analysis of the cause. Reports that have an arbitrary rush will
be diseased with low quality information and not much value in the long run to the BES. The Attachment A should be
constructed around notification of situational awareness. The reporting timeline should be constructed around the
different levels severity. The more severe the event, usually the more complicated the event is to analyze. Simple
events usually do not have a significant impact.
Individual
Wayne Pourciau
Georgia System Operations Corporation
Yes
No
This standard should not apply to distribution systems or Distribution Providers. It should apply only to the BES.
Yes
Yes it would reduce duplication of effort and should ensure that the various entities and agencies all have consistent
information. It should be simpler and quicker to file than what is needed to meet the current standard. However, the
system should allow for partial reporting and hierarchical reporting. Entities up the ladder in a reporting hierarchy may
fill in additional info (usually from a wider scope of view) than what lower level entities are aware of. It would be better
for information to go up a hierarchy than for bits and pieces to go to the ERO from many entities. Terminology may be
different in each of the bits and pieces yet the same idea may be intended. The ERO may mistake multiple reports as
being different events when they are all related to one event. The system should give an entity the ability to select the
entities that should receive the impact event report. If hierarchical reporting is not enabled by the system, then entities
should be allowed to work out a reporting hierarchy as a group and entities at lower levels should not be required to
report over the NERC system. Some higher level entity would enter the information on the NERC system as
coordinated by the entities within a group.
Yes
An entity-developed Operating Plan will allow the flexibility needed to address different entity relationships around the
country, e.g., generating companies, cooperatives, munis, large IOUs, small IOUs, RTOs/ISOs, non-independent
market area, and so on. However, all applicable entities should not be required to report directly to NERC or the region.
The system should allow for partial reporting and hierarchical reporting. Entities within an area should be allowed to
coordinate their plans to define reporting procedures within their area. They could have an entity at some wide scope
top level that reports to NERC and the region the information collected from multiple narrow scope lower levels within
their wide area. If every small lower level entity directly reported to NERC and the Region, it could create situational
confusion rather than situation awareness.
Yes
It directly supports the purpose of the standard.
Yes
We agree with R4 with "… at least annually, with no more than 15 months …" replaced with "… at least once per
calendar year, with no more than 15 months …" as in R5.
Yes
Yes
It directly supports the purpose of the standard.
No
It should not be necessary for the ERO to require itself to do these things. NERC's authority should be sufficient to do
these things as part of its mission. With quarterly trending and analysis of threats, vulnerabilities, lessons learned, and
recommended actions in R8, R7 (an annual review) should not be necessary. The quarterly activity could include
proposing revisions to Attachment 1 if warranted. An alternative would be to perform annual trending and analysis of
threats, vulnerabilities, lessons learned, recommended actions, and proposed revisions to Attachment 1 if warranted.
Also, the Reliability Standards Development Procedure has been replaced with the Standard Processes Manual.
Yes
We support the concept of Impact Events and listing and describing them in a table. However, we have some
concerns. Reporting of impact events should not be applicable to a DP. The timelines outlined in Attachment 1 should
be targets to try to meet but it should not be a compliance violation of the reporting requirement if it is not met.
Regarding the NOTE before the table, verbal reports and updates should be allowed for other than certain adverse
conditions like severe weather as well as adverse conditions. The first priority for all entities should be addressing the
effects of the impact event. It may not be possible to assess the damage or the cause of an impact event in the allotted
time. All entities should make their best effort to quickly report under any circumstances what they know about the
event even if it is not complete. They should be allowed to report up through a hierarchy. The written report should not
be issued until adequate information is available. Change "Preliminary Impact Event Report" to "Confidential Impact
Event Report." Capitalization throughout this table is inconsistent. Sometimes an event is all capitalized. Sometimes
not. It is not in synch with the NERC Glossary. All terms that remain capitalized in the next draft (other than when used
as a title or heading) should be defined in the Glossary of Terms Used in NERC Reliability Standards. Examples of
inconsistencies: Unplanned Control Center evacuation, Loss of off-site power, Voltage Deviations. -Energy Emergency
requiring a public appeal or a system-wide voltage reduction: All The NERC Glossary defines Energy Emergency as a
condition when a LSE has exhausted all other options and can no longer provide its customers’ expected energy
requirements. The events should not be described as an Energy Emergency requiring public appeal or system-wide
voltage reductions. If public appeal and system-wide voltage reductions are still an option then all options have not
been exhausted, the LSE can still provide its customers' energy requirements, and it is not an Energy Emergency. We
suggest using "Energy Emergency Alert" rather than "Energy Emergency." -Energy Emergency requiring firm load
shedding: load shedding via automatic UFLS or UVLS would not necessarily be due to an Energy Emergency. Other
events could cause frequency or voltage to trigger a load shed. Most likely an entity would be seeing the Energy
Emergency coming and would be using manual load shedding. -Forced intrusion and detection of cyber intrusion to
critical cyber assets: CIP-008 is not referenced for a forced intrusion. CIP-008 is referenced for a detection of cyber
intrusion impact event. Aren't there reportable events per CIP-008 that involve physical intrusion that are not intrusions
at a BES facility? -Risk to BES equipment: The threshold states that it is for a non-environmental threat but the
examples given are environmental threats. Please clarify.
Yes
We support having one form for reporting however every applicable entity should not be required to fill it out and send it
to NERC. See previous comments about hierarchical reporting. The title of the report is "Confidential Impact Event
Report." Some suggested modifications: The form could have a blank added to enter the event "description" as
described in the first column of Attachment 1. The first seven lines contain information that would most likely be filled
out every time. The other lines except line 13 may or may not be applicable every time. It is required (R3) for an entity
to access the initial probable cause of all impact events so line 13 will most likely be filled out every time. Please move
the probable cause line up to line 7 or 8 (depending on if the event description line is added).
Yes
The new term is much more clear than those two terms. This will improve uncertainty and confusion regarding whether
or not something should be reported.
Yes
The new single standard will cover all necessary reporting requirements that are in the current two standards. They are
being combined into EOP-004-2 not EOP-004-3.
Yes
Yes
Light years better than the current CIP-001-1 and EOP-004-1! With some changes from this comment period, we
should have a clearer set of realistic requirements which could likely pass the ballot. Thanks go out to the drafting team
for bringing clarity to this topic. Capitalization throughout this document is inconsistent. It is not in synch with the NERC
Glossary. All terms that remain capitalized in the next draft (other than when used as a title or heading) should be
defined in the Glossary of Terms Used in NERC Reliability Standards. Examples of not in synch with the Glossary:
Registered Entity, Responsible Entity, Law Enforcement. These are not defined in the Glossary. The requirements that
apply to entities should not use the word "analysis." "Assessment" should be used. Analysis is a different process (an
ERO process) and is being addressed by another group within NERC (Dave Nevius). This EOP-004 drafting team and
the NERC analysis group should closely coordinate such that there are no conflicts and the combined
requirements/processes are realistic (mainly regarding timelines).
Individual
Rex Roehl
Indeck Energy Services
No
Suggestion: "Functional Entities identified in Section 4 shall support situational awareness of impact events and their
known causes."
No
---ERO should not be included in this or any other standard! FERC can decide whether NERC is doing a good job
without having standards requirements to audit to. If NERC needs to be included in a standard, then it should be a standalone one so that the RSAW for all of the other audits don't need to include those requirements. ---"Loss of off-site
power (grid supply)" is important at control centers and other large generators. The SDT must use a well-defined
standard such as potentially cause a Reportable Disturbance, to differentiate significant events from others. ---"Footnote 1. Report if problems with the fuel supply chain result in the projected need for emergency actions to
manage reliability." is ambiguous. Everything in the Standards program can "Affecting BES reliability". The SDT must
use a well-defined standard such as potentially cause a Reportable Disturbance, to differentiate significant events from
others. ---"Footnote 2. Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or
spray graffiti is not reportable unless it effects the reliability of the BES)." is well intentioned but ambiguous. For
example, if I know the motivation is to blow up the plant, then by this footnote, I don't have to report. The SDT must use
a well-defined standard such as potentially cause a Reportable Disturbance, to differentiate significant events from
others. ---All terms should be used from or added to the Glossary.
No
This standard is an inappropriate place to define this requirement. NERC needs to be held accountable, but it should
be independent of the standard. What if NERC fails to do it by the effective date of the standard, all Registered Entities
will violate the standard until NERC is done. The effective date needs to be set based on NERC completing the system
defined in R1.
No
R2 needs to state that the Operating Plan needs to only those Attachment 1 events applicable to the Registered Entity.
The Operating Plan should contain a list of these events so that the other Requirements can reference the Operating
Plan and not Attachment 1 for the list of events. For example a GO/GOP <2,000 MW would not need to address this
type of event and it wouldn't be listed in its Operating Plan. It would be unnecessarily cumbersome, to describe events
which are not covered within the Operating Plan.
No
R3 should reference the events covered by the Operating Plan, as listed in it, rather than in Attachment 1. If the Plan is
deficient, it is a violation of R2 and not every other Requirement that references the Plan.
No
In M4, it is suggested that data from a real event would be evidence. R4 should be satisfied if the Operating Plan is
used for a real event within 15 months of the last drill or event.
No
It is wholly unreasonable to re-train everyone for each change to the Operating Plan. Suggestion: Clarify that upon
changes to the Operating Plan, the Registered Entity may either require full training, or instead distribute a summary of
the change to affected personnel only.
No
---This is the first mention of the time lines in Attachment 1. If they are part of the standard, then they should be
incorporated to the Operating Plan in R2 and then need not be mentioned again, only compliance with the plan. ---In
M6, the last part, "evidence to support the type of impact event experienced; the date and time of the impact event ; as
well as evidence of report submittal that includes date and time" is redundant. All of that should be in the report to
NERC. If not, then it's not important to keep.
No
Reviewing Attachment 1 annually is unnecessary. Events don't change much and if they do, a SAR is needed to
consider the changes. NERC should not be included in any standard!
No
Loss of off-site power is important to more than just nuclear plants--but which ones? Control centers or other large
generators. But not small generators! Should there be a common element to Attachment 1, like the potential to cause a
Reportable Disturbance, or maybe there need to be multiple criteria like that.
No
The form needs to identify whether it is a preliminary or final report. An identifier should be created to tie the final to the
preliminary one. Some fields, 1,2 3 5 & 6, are required for the preliminary report and should be labeled as such. With
the 1 hour reporting deadline for some events, the details may not be known. 12 & 13 should be required for the final
report. 13 should designate whether the cause is preliminary or final. 7-11 & 14 are optional, and the form should state
this, and based on some types of events. It's confusing to have irrelevant blanks on the form.
No
Impact Events is OK. It needs to be balloted as a definition for the Glossary like Protection System.
No
Bomb threat has totally been lost.
Yes
Good start on a unified event reporting standard!
Individual
Jonathan Appelbaum
United Illuminating
No
UI suggests adding the phrase: and the ERO shall provide quarterly reports; Responsible Entities shall report impact
events and their known causes, and the ERO shall provide quarterly reports, to support situational awareness and the
reliability of the Bulk Electric System (BES).
Yes
Yes
No
R2.9 requires provisions to update the Operating Plan based on the annual ERO report developed in R8. The ERO
report does not appear to be providing lessons learned to be applied to the Operating Plan for impact event reporting,
but more focused on trends and threats to the BES. Also 30 days after the report is published by NERC is not enough
time for the entity to read, and assess the report, and then to administratively update the Operating Plan. UI agrees that
the Operating Plan should be reviewed annually and updated subsequent to the review within 30 days.
Yes
Yes
Suggest R4 be improved to state that a Registered Entity is only required to conduct a drill or execute real-time
implementation of the Operating Plan for one impact event listed in the attachment. In other words the Registered Entity
is not required to drill on reporting each type of impact event on an annual basis.
Yes
R5.3 coupled with the rationale provided is a sensible approach. It is important that the rationale is not forgotten.
Yes
No
The rules of procedure adequately cover this.
No
UI agrees but the listing needs to be improved for clarity in certain instances. For example, EOP-004 Attachment 1 Part
A – Example iii – uses the phrase “significantly affects the reliability margin of the system.” Significantly is an
immeasurable concept and does not provide guidance to the Entity. The phrase “reliability margin” is not defined and is
open to interpretation. Perhaps utilize “resource adequacy”, if that is all that is intended, or use “adequate level of
reliability”.
No
The standard does not appear to require the use of Attachment 2. Placing the form within the Standard may require the
use of the Standards Development Process to modify the form. UI suggests the form is maintained outside the
Standard to allow it to be adjusted. UI would prefer NERC to establish an internet based reporting tool to convey the
initial reports.
Yes
The term impact event can substitute for sabotage and disturbance. The use of Forced Intrusion is a bright line for
reporting.
Yes
No
UI believes the implementation should be staged. For R1 and R2: First calendar day of the first calendar quarter one
year after applicable regulatory authority approval for all. This provides sufficient time to draft a procedure. Then time
needs to be provided to provide training prior to implementation of R3 and R6. UI believes two calendar quarters
should be provided to complete training; therefore R3 and R6 is effective six calendar quarters following regulatory
approval. Implementation for R4 should state that the initial calendar year begins on the date R2 is effective and
entities have 12 months following that date to complete their first drill. R5 requires training once per calendar year.
Implementation for R5 should state that the initial calendar year begins on the date R2 is effective and entities have 12
months following that date to complete their first drill.
No
Group
Arizona Public Service Company
Jana Van Ness, Director Regulatory Compliance
Yes
No
AZPS recommends excluding 4.1.7 Distribution Providers, as Distribution Providers generally operate at levels below
100kV.
Yes
Yes
AZPS agrees with R2, however, the use of the term "Operating Plan" is confusing. A more accurate term would be
"Event Reporting Plan."
Yes
Yes
AZPS agrees with R4, however, the use of the term "Operating Plan" is confusing and leads one to believe an
Operating Drill is necessary for a "reporting plan drill." A more accurate term to use would be "Event Reporting Plan."
No
AZPS believes the required training is too restrictive for minor changes/edits to the Event Reporting Plan.
Yes
AZPS believes that Operating Plan should be replaced with "Event Reporting Plan."
No
AZPS believes that the list in Attachment 1 would be complete, as long as the text box of examples is included. The
examples demonstrate what is necessary.
Yes
Yes
Yes
Yes
No
Group
Pacific Northwest Small Public Power Utility Comment Group
Steve Alexanderson
Yes
No
See #15
No
See #15
No
Comments: When applying R3 to row 11 of attachment 1, the comment group notes that applicable entities are
expected to assess probable cause of BES equipment damage, including that which may be the result of criminal
behavior. At best this would needlessly duplicate the efforts of law enforcement. A more likely result is that entity
involvement would interfere with law enforcement and ultimately hinder prosecution of those responsible. Also See #15
No
See #15
No
See #15
No
See #15
No
Footnote 1 is missing from Part A, although it is referenced in column 1 row 11. Is this the Examples? The purpose of
the Examples is unclear. Is it meant to limit the scope to those enumerated? This is not stated, but if not it should be
removed since it adds confusion. What is meant by non-environmental? All external causes of damage or destruction
come from the environment by definition. Please specify what is intended or remove the word.
No
We found no “Preliminary Impact Event Report” in the posted draft standard, so we assume the question is regarding
the “Confidential Impact Report” (Attachment 2). It is unclear what role the form plays, since no requirement refers to it.
If this is the form to report impact events per R6, then R6 should reference it. The comment group cautions that the use
of the word “confidential” should be carefully considered, since many filled out forms that originally contained the word
are now posted on the NERC website for all to see. If there are limits to the extent and/or duration of the confidentiality
this should be clearly stated in the form, or the word should be avoided. Protection System misoperation reporting is
already covered by PRC-004. Including it here is redundant, and doubly jeopardizes an entity for the same event.
No
The comment group fails to see how changing the words meet the directive. Sabotage implies an organized intentional
attack that may or may not result in an electrical disturbance. The distinction between sabotage and vandalism is
important since sabotage on a small system may be the first wave of an attack on many entities. The proposed
standard asks us to treat insulator damage caused by a frustrated hunter (an act of vandalism) the same as attack by
an unfriendly foreign government (an act of sabotage). The comment group does not agree that these should be
treated equally.
Yes
The proposed standard has a huge impact on small DPs. DPs that presently do not maintain 24/7 dispatch centers will
need to begin doing so to meet the reporting deadlines such as 1 hour after an occurrence is identified (possibly
identified by a third party) or 24 hours after an occurrence (regardless of when it was discovered by the DP). The
planning, assessing, drilling, training, and reporting requirements (R2-R6), as well as documentation (M2-M6) by small
entities will cause utility rates to rise, will reduce local level of service, and will not represent a corresponding increase
to the reliability of the BES. The SDT concept of clear criteria for reporting has not been met, since R2 effectively
directs the applicable entities to develop their own criteria. The decision of which types of events will be reported to
which external organizations has been left up to the applicable entity. The comment group notes that there is no
coordination of effort required between the applicable entities and the RCs or TOs that issue reliability directives.
Energy Emergencies requiring voltage reduction or load shedding are likely to be communicated to applicable entities
via directives. The likely result of this lack of coordination is that entities will plan, drill, and train for an event, but when
the directive comes it will not be the one planned, drilled, and trained for. Coordination between those sending and
receiving directives would ensure the probable events and directed responses are the ones planned, drilled, and
trained for.
Group
NERC Staff
Mallory Huggins
Yes
Yes
No
NERC staff is concerned about this requirement’s applicability to the ERO. We feel that such a responsibility needs
mentioning in the Rules of Procedure, the Compliance Monitoring and Enforcement Program (CMEP), or in a guideline
document rather than in a standard requirement. Further, the requirement specifies “how” to manage the event data,
not “what” should be monitored.
Yes
Yes
Yes
Yes
Yes
No
NERC staff believes that requirements R7 and R8 are not needed because they are intrinsic expectations from its
Rules of Procedure. Furthermore, these elements are necessary for analysis in support of the Reliability Metrics efforts
NERC is leading under its Reliability Assessment and Performance Analysis program.
No
The SDT should clarify its use of the term “critical asset” in the Examples section under Part A of the table. The term or
versions of the term are used in different contexts in the NERC Reliability Standards. For instance, in CIP-002-1,
Requirement 1, the Critical Asset Identification Method is used to identify its critical assets. In EOP-008-0, Requirement
1.3, the applicable entity is required to list its “critical facilities” in its contingency plan for the loss of control center
functionality. The team should confirm what it is referring to in this proposed standard. To avoid confusion, the SDT
may want to consider using a different term here or better clarify its meaning. Further, there exists the potential to have
disparate reporting criteria in this proposed standard relative to the criteria being proposed by the Events Analysis
Working Group as part of the Events Analysis Process document dated October 1, 2010. In particular, the following
areas should be reconciled between the drafting team and the EAWG to ensure a consistent set of threshold criteria:
Voltage Deviations --EOP-004-2: Greater than or equal to 15 minutes --EAWG Process: Greater than or equal to 5 minutes
System Separation (Islanding) --EOP-004-2: Greater than or equal to 100 MW --EAWG Process: Greater than or equal to 1000 MWs
System Separation (Islanding) --EOP-004-2: Does not address intentional islanding as in the case of Alberta, Florida, New Brunswick --EAWG Process: Addresses intentional islanding as in the case of Alberta, Florida, New Brunswick
SPS/RAS --EOP-004-2: Does not expressly address proper SPS/RAS operations or failure, degradation, or misoperation of SPS/RAS --EAWG Process: Expressly addresses proper SPS/RAS operations or failure, degradation, or misoperation of SPS/RAS
Transmission Loss --EOP-004-2: Identifies Multiple BES transmission elements --EAWG Process: Provides specificity in Category 1a and 1b regarding transmission events
Damage or destruction of BES equipment --EOP-004-2: Through operational error, equipment failure, or external cause but not linked to loss of load --EAWG Process: Identifies in Category 2h equipment failures linked to loss of firm system demands
Forced intrusion --EOP-004-2: Addressed --EAWG Process: Not addressed
Risk to BES equipment --EOP-004-2: Addressed --EAWG Process: Not addressed
Detection of a cyber intrusion to critical cyber assets --EOP-004-2: Addressed --EAWG Process: Not addressed
No
Item 15: A one-line diagram should be attached to assist in the understanding and evaluation of the event. Two
additional items are recommended: --Ongoing reliability impacts/system vulnerability – this would capture areas where
one is not able to meet operating reserves or is in an overload condition, below voltage limits, etc. in real-time --Reliability impacts with next contingency – this would capture potential impacts as outlined above with the next
contingency.
No
NERC staff is concerned with the ambiguity of the term “impact event.” The definition of the term is not clear, in part
because it includes using the words “impact” and “event” (and thus violates the frowned-upon practice of using a word to
define the word itself). NERC staff recommends the SDT consider using the term “Event.” The following definition
(modified from the one used in the INPO Human Performance Fundamentals Desk Reference, P. 11) would apply: Event:
“An unwanted, undesirable change in the state of plants, systems or components that leads to undesirable
consequences to the safe and reliable operation of the Bulk Electric System.” Supporting statement following the
definition: “An event is often driven by deficiencies in barriers and defenses, latent organizational weaknesses and
conditions, errors in human performance and factors, and equipment design or maintenance issues.” Further, if this is
intended for use in this standard, it should be presented as an addition to Glossary to avoid confusion with the use of
the term event in other standards. Of course, this would require an analysis of how the term “Event” as defined herein
would affect the other standards to which the term is used. In the end, this is the cleanest manner for the standards.
Yes
No
In order to provide explicit dates, the language should be modified to state: “First calendar day of the first calendar
quarter one year after the date of the order providing applicable regulatory authority approval for all requirements.”
Yes
NERC staff commends the SDT on its work so far. Merging CIP-001 and EOP-004 is a significant improvement and
eliminates some current redundancies for reporting events. NERC staff believes opportunities to improve the proposed
standard still exist. In particular, the team should consider possible redundancies with the Reliability Coordinator
Working Group (RCWG) reporting guidelines, the Electricity Sector - Information Sharing and Analysis Center (ES-ISAC) reporting requirements for sharing information across sectors, and the Events Analysis Working Group (EAWG)
efforts to develop event reporting processes. Ideally, the SDT and the EAWG should work together to develop a single
consistent set of reporting criteria that can be utilized in both the EAWG event reporting process and in the
requirements of the EOP-004-2 Reliability Standard.
Group
MRO's NERC Standards Review Subcommittee
Carol Gerou
Yes
Thank you for the clarification of “known causes”, this will allow entities to report what they currently know when
submitting an impact report.
Yes
The NSRS believes it is important for the ERO to provide valuable Lessons learned to our electrical industry, thus
enhancing the reliability of the BES.
Yes
No
A. As detailed in R2, the Operating Plan shall contain provisions for “identifying, assessing, and reporting impact
events”. R2.8, and R2.9 do not have a correlation to R2’s Operating Plan. Where, R2.7 states to update the Operating
Plan when there is a component change. The NSRS believes the components of this Operating Plan are only 1)
identifying impact events, 2) assessing impact events, and 3) reporting impact events. R2.8 and R2.9 are based on
Lessons Learned (from internal and external sources) and do not fit in the components of an entity’s Operating Plan.
R2.7 requires the Operating Plan to be updated. As written, every memo, simulations, blog, etc that contain the words
“lessons learned” would be required to be in your Operating Plan. It is solely up to an entity to implement a “Lesson
Learned” and not the place for this SDT to require an Operating Plan to contain Lessons Learned. Recommend that
R2.8 and R2.9 be deleted for this requirement. If R2.8 and R2.9 are not removed, R5.3 will be in a constant state of
change. B. In R2.8 & R2.9, It may be difficult to implement lessons learned within 30 days. The NSRS recommends to
incorporate lessons learned within 12 calendar months if lesson learned are not deleted from the R2.8 & R2.9.
Yes
The NSRS thanks the SDT for stating “initial probable cause” as this is in direct correlation to the Purpose which states
“known causes”.
Yes
The NSRS agrees that to enhance reliability and situational awareness of the BES, the Operating Plan be exercised
once per calendar year.
No
R5.2. The NSRS agrees that to enhance reliability and situational awareness of the BES, the Operating Plan be trained
once per calendar year. R5.3 As detailed in R2, the Operating Plan shall contain provisions for “identifying, assessing,
and reporting impact events”. Where, R2.7 states to update the Operating Plan when there is a component change.
The NSRS believes the components of this Operating Plan are 1) identifying impact events, 2) assessing impact
events, and 3) reporting impact events. These components relate to training when the Operating Plan is revised per,
R5.3, only. As written, every memo, simulations, blog, etc that contain the words “lessons learned” would be required to
be in your Operating Plan and trained on every time one was issued or heard about internally or externally.
Recommend that the Operating Plan be revised and training occurs when a change occurs to the entity’s Operating
Plan, consisting of 1) identifying impact events, 2) assessing impact events, and 3) reporting impact events, only.
Yes
Yes
Should read “In accordance with Sections 401(2) and 405 of the Rules of Procedures, the ERO can be set as an
applicable entity in a requirement or standard”. As stated in the text box.
No
Please provide a phone number and provision within the Note of EOP-004 – Attachment 1: Impact Events table for an
entity to contact NERC if unable to contact NERC within the time described. Voltage Deviations – recommend adding
the word “(continuous)” after sustained in Threshold column. This could be interpreted as an aggregate value over any
length of time. Frequency deviations - recommend adding the word “(continuous)” after 15 minutes’ in Threshold
column. This could be interpreted as an aggregate value over any length of time. CIP-008 R1.3 states the entity is to
report Cyber Security Incidents to the ES_ISAC. Does the EOP-004 Attachment 2 fulfill this requirement?
No
Number 4 of the reporting form does not take into consideration of potential impact events. Recommend that “Did the
impact event originate in your system?” to “Did the impact event originate or affect your system?”. This will provide
clarity to entities.
Yes
As an industry we have looked at sabotage as a sub component of a disturbance. Sabotage is hard to measure since it
is based on a perpetrator’s intent and thus very hard to determine.
Yes
Within the above question, the SDT is asking about EOP-004-2 not -3.
Yes
Yes
Please provide an e-mail address for the submittal of the report to NERC (and any other parties above a Regional
Entity) within this Standard and a fax number as a backup to electronic submittal. EOP-004 Attachment 2: Impact Event
Reporting Form (note in the proposed standards it states EOP-002) seems to be written for Actual Impact Events only.
Perhaps another section could be added for “Potential” Impact Events.
Individual
Amir Y Hammad
Constellation Power Generation and Constellation Commodities Group
Yes
No
Constellation Power Generation and Constellation Commodities Group disagrees with the inclusion of Generator
Owners. Since one of the goals in revising this standard is to streamline impact event reporting obligations, Generator
Operators are the appropriate entity to manage event reporting as the entity most aware of events should they arise. At
times, the information required to complete a report may warrant input from entities connected to generation, but the
operator remains the best entity to fulfill the reporting obligation.
Yes
No
Constellation Power Generation and Constellation Commodities Group has several issues with this requirement, but in
general, this requirement is heavily prescriptive, administrative in nature, and is unclear whether it will positively impact
BES reliability. As examples of administrative requirements that have no impact on reliability, please consider the
following comments:
•Listing personnel in R2.4, - merely having a list of personnel does not add to the sufficiency of an Operating Plan, but it does create a burdensome obligation to maintain a list. As well, specifying “personnel” may limit plans from designating job titles or other designations that may more appropriately and consistently carry reporting responsibility in the Operating Plan.
•R2.5 is unclear as to the intent of the requirement – what is threshold of notification? Is the list to be those that have a role in the event response or a list of all within the facility who may receive news notification of the event? Also, as explained above for 2.4, a list is not beneficial to reliability, but is administratively burdensome.
•What is the reasoning for the 30 day timeframe in R2.7 R2.8 and R2.9? The timeframe is not based on a specific necessity, and creates an unreasonable time frame for changing the Operating Plan, in particular if lessons learned are either short turn adjustments or comprehensive programmatic changes that warrant more time to properly institute. In addition, coupled with other requirements (R4, R5, R8), the updating requirements of R2.7, R2.8 and R2.8 potentially create a continually updating Operating Plan which could create enough confusion to reduce the effectiveness of the Operating Plan. The updating and time frame requirements do not impact reliability, but again impose significant administrative burden and compliance exposure.
•R2.9 is particularly problematic for its connection to R8. R8 requires NERC to create quarterly reports with lessons learned and R2.9 requires the registered entities to amend their Operating Plans? What if NERC doesn’t write an annual or quarterly report? Are the registered entities out of compliance?
The “summary of concepts” for this latest revision, as written by the SDT, includes the following items:
•A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
•Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
•Clear criteria for reporting
•Consistent reporting timelines
•Clarity around of who will receive the information and how it will be used
Many of the sub-requirements in R2 do not address any of these items and do not serve to establish a high quality, enforceable and reliability focused standard. Constellation Power Generation therefore recommends that R2 be amended to read as follows:
R2. Each Applicable Entity identified in Attachment 1 shall have an Operating Plan(s) for identifying, assessing and reporting impact events listed in Attachment 1 that includes the following components:
2.1. Method(s) for identifying impact events listed in Attachment 1
2.2. Method(s) for assessing cause(s) of impact events listed in Attachment 1
2.3. Method(s) for making internal and external notifications should an impact event listed in Attachment 1 occur.
2.4. Method(s) for updating the Operating Plan.
2.5 Method(s) for making operation personnel aware of changes to the Operating Plan.
No
This requirement introduces double jeopardy for registered entities. If an entity does not include methods for identifying
impact events and for assessing cause per R2.1 and R2.2 in their Operating Plan, they will be out of compliance with
R2. Without the methods in R2 the registered entity is out of compliance with R3 as well for failing to identify and
assess. Constellation Power Generation therefore recommends that R3 be amended to be incremental to R2 and read
as follows: R3. Each Applicable Entity shall implement their Operating Plan(s) to identify and assess cause of impact
events listed in Attachment 1.
No
It is not clear how this requirement to conduct drills and exercises relates to the concepts spelled out by the SDT:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around of who will receive the information and how it will be used
R4 does not address any of the above items and should therefore be removed from this standard.
No
Constellation Power Generation questions how R5 relates to the SDT’s “summary of concepts”:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around of who will receive the information and how it will be used
However, Constellation Power Generation believes that security awareness is an important aspect of personnel security and proposes an annual training similar to what was in the previous standards. Constellation Power Generation therefore recommends two requirement changes that would achieve security awareness without the burdensome administrative aspects. First, as stated earlier, a sub requirement in R2 should be added which reads as follows: R2.5 Method(s) for making operation personnel aware of changes to the Operating Plan. Second, this training requirement should be rewritten as follows: Each Applicable Entity shall provide training to all operation personnel at least annually.
Yes
No
The impact event table (Attachment #1), as part of a standard, would have to be FERC approved every time it is edited.
That would cause it to go through NERC’s Standard Development Process, and would cause a revision to the standard
each time. This will also cause revisions to each and every registered entity’s Operating Plan. Overall, this requirement
causes a large administrative burden on all entities, and does not improve reliability. As stated earlier, the “summary of concepts” for this latest revision, as written by the SDT, includes the following items:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around of who will receive the information and how it will be used
Requirement 7 and 8 do not address any of these items. Furthermore, for R8, it is requiring NERC to send out
quarterly reports, yet entities are supposed to amend their Operating Plans based on an annual NERC report. This
requirement is confusing and is not consistent with earlier requirements. Constellation Power Generation believes that
these two requirements should be removed.
No
Constellation Power Generation and Constellation Commodities Group questions why the generation loss line item
includes generating facilities of 5 or more generators with an aggregate of 500 MW or greater? The number of units
makes no difference for reporting, as is evident in the generation thresholds written before this inclusion. The examples
of damaged or destroyed BES equipment are confusing, and do not clarify the reporting event. What if a GSU at a
small plant (20 MW) were to fail? Is that reportable? Constellation Power Generation believes that equipment failures
that are not suspicious do not need to be reported. Finally, Constellation Power Generation and Constellation
Commodities Group believes that the “loss of offsite power affecting a nuclear generation station” should be removed
for the following reasons:
1) The purpose of this reliability standard is stated as being: “Responsible Entities shall report impact events and their known causes to support situational awareness and the reliability of the Bulk Electric System (BES).” While the “situational awareness” portion of the purpose could be interpreted as all-inclusive, the real element deals with BES reliability. Off-site power sources to nuclear units have nothing to do with BES reliability. Why should nuclear units be treated differently?
2) The issue of concern for a loss of offsite power at a nuclear station is continued power supply (other than emergency diesels) to power equipment to cool the reactor core. A nuclear unit automatically shuts down when off-site power supply is lost. Availability of off-site power is a reactor safety concern (i.e., NRC regulatory concern and a one-hour report to the NRC) – not a reliability concern that FERC/NERC would have jurisdiction over.
3) There is a nuclear-specific reliability standard (NUC-001) that contemplated off-site power availability. That standard contained no reporting requirements outside of those that may be already established in current procedures. Why try to impose one here?
4) A loss of offsite power will result in an emergency declaration at the nuclear facility. Notifications will be made to federal (NRC), state, and local authorities. The control room crew is already overly-burdened with notifications – any additional call to NERC/Regional Reliability orgs will add insult-to-injury for no beneficial reason. If NERC is interested, they should obtain info from NRC.
5) If all else fails and the item is to remain on the table, it needs to be clarified as a “complete” loss of off-site power lasting greater than X minutes (i.e., would we have to report a complete momentary loss that was rectified in short order by an auto-reclose or quick operator action?).
No
It is unclear if an entity has to answer all the questions. In addition, “Preliminary” is not currently included in the report
title.
Yes
Yes
No
Based on the drastic differences between the previous revisions to these standards, and this proposed revision, 24
months would be a more reasonable timeframe for an effective date.
Yes
As stated earlier, the “summary of concepts” for this latest revision, as written by the SDT, includes the following items:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around of who will receive the information and how it will be used
Each and every requirement should be mapped to one of these 5 items; otherwise, it should not be included in this standard. Summarizing all of the comments above, Constellation Power Generation proposes the following revision to EOP-004-2:
1. Title: Impact Event and Disturbance Assessment, Analysis, and Reporting
2. Number: EOP-004-2
3. Purpose: Responsible Entities shall report impact events and their known causes to support situational awareness and the reliability of the Bulk Electric System (BES).
4. Applicability
4.1. Functional Entities:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Transmission Operator
4.1.4. Generator Operator
4.1.5. Distribution Provider
4.1.6. Electric Reliability Organization
Requirements and Measures
R1. The ERO shall establish, maintain and utilize a system for receiving and distributing impact event reports, received pursuant to Requirement R6, to applicable government, provincial or law enforcement agencies and Registered Entities to enhance and support situational awareness.
R2. Each Applicable Entity identified in Attachment 1 shall have an Operating Plan(s) for identifying, assessing and reporting impact events listed in Attachment 1 that includes the following components:
2.1. Method(s) for identifying impact events listed in Attachment
2.2. Method(s) for assessing cause(s) of impact events listed in Attachment 1
2.3. Method(s) for making internal and external notifications should an impact event listed in Attachment 1 occur.
2.4. Method(s) for updating the Operating Plan.
2.5 Method(s) for making operation personnel aware of changes to the Operating Plan.
R3. Each Applicable Entity shall implement their Operating Plan(s) to identify and assess cause of impact events listed in Attachment 1.
R4. Each Applicable Entity shall provide training to all operation personnel at least annually.
R5. Each Applicable Entity shall report impact events in accordance with its Operating Plan created pursuant to Requirement 2 and the timelines outlined in Attachment 1.
Group
FirstEnergy
Sam Ciccone
No
Since this standard is after-the-fact reporting, the phrase "situational awareness" may not be appropriate since that
phrase is attributed by a large part of the industry to real-time, minute-to-minute awareness of the system. We suggest
the following rewording of the purpose statement: "To ensure Applicable Entities report impact events and their known
causes to enhance and support the reliability of the Bulk Electric System (BES)".
No
We do not support the ERO as an applicable entity of a reliability standard because they are not a user, owner or
operator of the bulk electric system. Any expectation of the ERO should be defined in the Rules of Procedure.
No
FirstEnergy proposes that requirement R1 and Measure M1 be deleted. A requirement assignment to the ERO is
problematic and should not appear in a reliability standard. The team should keep in mind that all requirements will
require VSL assignments that form the basis of sanctions. FE does not believe it is appropriate for the ERO to be
exposed to a compliance violation investigation as the ERO is not a functional entity as envisioned by the Functional
Model. If this "after-the-fact" reporting is truly needed for reliability then the standard must be written in a manner that
does not obligate the ERO to reliability requirements. It would be acceptable and appropriate for a requirement to
reference the "ERO Process" desired by R1, however, that process should be reflected in the Rules of Procedure and
not a reliability standard.
No
The term Operating Plan(s) is not the appropriate term for this standard. These should be called Reporting Plan(s).
Operating Plans are usually designed to be applied during the operating timeframe. Parts 2.2 and 2.6 – We suggest
changes to these two subparts as well as a new 2.2.1 and 2.6.1 as follows: 2.2. Method(s) for assessing the initial
probable cause(s) of impact events (Add) 2.2.1. Method(s) for assessing the external organizations to be notified. 2.6.
List of external organizations to notify in accordance with Part 2.2.1. to include but not limited to NERC, Regional
Entity, and Governmental Agencies. (Add) 2.6.1. Method(s) for notifying Law Enforcement as determined by Part 2.2.1.
Parts 2.4 and 2.6: This should be a list of job titles for ease of maintenance. An entity may choose to use someone in a
job position that is a 24 by 7 operation with several personnel that cover that position over the 24 by 7 period. Listing
each person by name should not be required as personnel change while the operating responsibility related to the job
title can remain constant. We suggest changing the wording to "2.4. List of the job titles of internal company personnel
responsible for making initial notification(s) in accordance with Parts 2.5 and 2.6. 2.5. List of the job titles of internal
company personnel to notify." Part 2.6 – We are under the impression that the phrase "include but not limited to"
should not be used according to the NEW SDT guidelines. We suggest changing this to say "List of external
organizations to notify that includes at a minimum, NERC, Regional Entity, and Governmental Agencies. (A provincial
agency is a governmental agency)." Part 2.7. is overly burdensome. FE suggests the team revise to simply reflect
annual updates that should consider component changes and updates from lessons learned. This also permits parts
2.8 and 2.9 to be deleted. FE proposes the following text for Requirement R2.7 "Annual review, not to exceed 15
months between reviews, and update as needed of the Reporting Plan that considers component changes and
continuous improvement changes from lessons learned." Parts 2.8 and 2.9 - FE proposes to delete part 2.8 and 2.9.
We do not see a need for these changes since the plan must be updated annually and will cover lessons learned.
No
M3 – Power flow analysis would be used to assess the impact of the event on the BES, not to determine initial probable
cause. It is more likely that DME would provide the data for the initial probable cause evaluation. We suggest rewording
M3 as follows: "To the extent that an Applicable Entity has an impact event on its Facilities, the Applicable Entity shall
provide documentation of its assessment or analysis. Such evidence could include, but is not limited to, operator logs,
voice recordings, or disturbance monitoring equipment reports. (R3)"
No
FE suggests that this requirement be deleted. FE does not see a reliability need for conducting a drill on reporting. This
is overly burdensome and should not be included within this reliability standard. Training on the plan and periodic
reminder of reporting obligations should suffice.
No
Requirement R5 and Part 5.1 – The wording in Part 5.1 is too prescriptive and should not require training on the specific
actions of personnel. Also, R5 should not require training for personnel that may only receive the report and are not
required to do anything. Therefore we suggest rewording R5 and 5.1 as follows: "R5. Each Applicable Entity identified
in Attachment 1 shall have a Reporting Plan(s) for identifying, assessing and reporting impact events listed in
Attachment 1 that includes the following components: 5.1 The training includes the personnel required to respond
under the Reporting Plan." Part 5.3 – We suggest removing subpart 5.3. This requirement is overly burdensome and
not necessary. We believe that the requirements for annual review and update of the plan as well as training sufficiently
cover reviews of changes to the plan. Part 5.4 – The last phrase "training shall be conducted prior to assuming the
responsibilities in the plan" should account for emergency situations when the entity does not have time to train the
replacement before they are to assume a responsibility.
No
M6 – NERC's system should be capable of making this evidence available for the entities and provide a "return-receipt"
of the reports that we send them. Also, M6 should be revised to state "Applicable Entities" as opposed to "Registered
Entities".
No
FE disagrees with the ERO as an applicable entity within a reliability standard. See our responses to Questions 2 and 3
above. We do not believe the desired ERO process is adequately covered in section 802. Section 802 deals with
assessments and not event reporting.
No
1. The table in Att. 1 and the requirements should alleviate the potential for duplicate reporting. For example, if the RC
submits a report regarding a Voltage deviation in its footprint, the report should be submitted by the RC on behalf of the
RC, TOP, and GOP, and not require the TOP and GOP to submit duplicate reports. 2. Regarding the "Note" before the
table – We agree that under certain conditions it is not possible to issue a written report in a given time period.
However, the ERO and RE should also be required to confirm receipt of the verbal communication in writing to prove
that the entity communicated the event as these verbal notifications may be done by an entity using an unrecorded line.
3. Organizations with many registered entities should be permitted to submit one report to cover multiple entities under
one parent company name. We suggest this be made clear in the Tables, the reporting form, and in the requirements.
4. Voltage Deviations Event – We suggest the team provide more clarity with regard to the types and locations of
voltage deviations that constitute an event. 5. Examples of BES Equipment in Part A of "Actual Reliability Impact" Table
– Is the phrase "critical asset" referring to the CIP defined term? If so, this should be capitalized. 6. Under the "Time to
Submit Report" column of the table, we suggest that all of the phrases end in "after identification of the occurrence". 7.
Frequency Trigger Limit (FTL) for the Frequency Deviation event should be replaced with the values the FTL represent.
The FTL is part of the BAAL Standards which have not been approved by the industry and are not in effect. It is
possible that these terms are not used by those not participating in the field trial of the BAAL standards.
Yes
Although we agree with the report, it should be clear that organizations with many registered entities can submit one
report to cover multiple entities under one parent company.
No
For the most part we support this definition of impact events. However, we have the following suggestions: 1. We
believe that it warrants an official NERC glossary definition. 2. The term "potential" in the definition should point to the
specific events detailed in Attachment 1 Part B. 3. Since the standard does not cover environmental events, the phrase
"environmental conditions" in the definition is not an impact event in the context of this standard.
Yes
Yes
No
Individual
Carol Bowman
City of Austin dba Austin Energy
Yes
Yes
Yes
Austin Energy would like to see OE-417 incorporated into the electronic form. This will reduce the callout of EOP-004-2
and OE-417 forms in our checklists / documents and one form can be submitted to NERC and DOE.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Austin Energy would like to see OE-417 incorporated into the electronic form. This will reduce the callout of EOP-004-2
and OE-417 forms in our checklists / documents and one form can be submitted to NERC and DOE.
Yes
Yes
If we can use OE 417 for NERC and DOE we do not perceive a reliability gap.
Group
Electric Market Policy
Mike Garton
No
The term “impact events” does not draw a clear boundary around those events that are affected by this standard. Since
this is not a defined term, nor is intended to be a defined term in the NERC glossary, this standard lacks clarity and is
likely to produce significant conflict as an applicable entity attempts to establish procedures to assure compliance. It
appears that situational awareness could not be improved with this standard since it is only dealing with events after-the-fact, not within the time frame to allow corrective action by the system operator. As conveyed in Dominion’s
comments on NERC Reliability Standards Development Plan 2011 – 2013, Dominion does not see this draft standard
as needing to be in the queue while other standards having more impact to bulk electric reliability remain incomplete or
unfinished.
No
Having the ERO as an applicable entity is concerning as they are also the compliance enforcement authority. The ERO
is responsible for multiple requirements in this standard that shape the ultimate actual rules that the other applicable
entities would be required to meet. For example, establishing and maintaining a system for receiving and distributing
impact events, per R1, would be done solely by the ERO, outside of NERC’s open process. Attachment 1 is
troublesome. The time frames listed are not consistent for similar events. For example, EEAs are either reported within
one or 24 hours depending on the nuance. Having multiple entities reporting the same event is troublesome, i.e., why
does a RC have to report an EEA if the BA is going to report it? This will lead to conflicting reports for the same event.
Attachment 1 seems to be consolidating time frames from other standards into one for reporting. However, we believe
this subject is more complex than this table reveals and the table needs more clarification. Several of the events
require filing a written formal report within one hour. For example, system separation certainly is going to require an “all
hands on deck” response to the actual event. We note that the paragraph above the table in attachment 1 indicates
that a verbal report would be allowed in certain circumstances, but this is the same issue with the formal report in that
the system operators are concerned with the event and not the reporting requirements. There is already a DOE
requirement to report certain events. We see no need to develop redundant reporting requirements in the NERC arena
that cross other federal agency jurisdictions.
No
Having the ERO as an applicable entity is concerning as they are also the compliance enforcement authority. The ERO
is responsible for multiple requirements in this standard that shape the ultimate actual rules that the other applicable
entities would be required to meet. Establishing and maintaining a system for receiving and distributing impact events,
per R1, would be done solely by the ERO, outside of NERC’s open process. At this stage it is not clear how the ERO
will develop or effectively maintain a list of “applicable government, provincial or law enforcement agencies” for
distribution as defined in R1. The “rationale for R1” states that OE-417 could be included as part of the electronic form,
but responsible entities will ultimately be responsible for ensuring that OE-417 reports are received at DOE. This
requirement needs to be more definitive with respect to OE-417. It seems like the better approach would be for the
entities to complete OE-417 form and this standard simply require a copy.
No
This is an overly prescriptive requirement given the intent of this standard is after-the-fact reporting. The requirement to
create an Operating Plan lacks continuity with the ERO Event Analysis Process that is currently slated to begin industry
field testing on October 25, 2010. Suggest the SDT coordinate EOP-004-2 efforts with this process. R2.6 establishes
an external organization list for Applicable Entity reporting, yet R1 suggests that external reporting will be accomplished
via submittal of impact event reports. How will the two requirements be coordinated? What governmental agencies are
appropriate and how will duplicative reporting be addressed (for example, DOE, Nuclear Regulatory Commission)?
Also, in the “rationale for R2”, please explain the reference to Parts 3.3 and 3.4.
No
We think “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to build
audit ready compliant procedures.
No
The need for a periodic drill has not been established and appears to be overly restrictive given the intent of the
standard is reporting of impact events. Suggest this requirement be eliminated.
No
The need for a periodic training has not been established and appears to be overly restrictive given the intent of the
standard is reporting of impact events. Suggest this requirement be eliminated.
No
Entities are already required by other agencies (e.g., DOE, NRC) to report certain events. We see no need to develop
redundant reporting requirements in the NERC arena that cross other federal agency jurisdictions.
No
Having the ERO as an applicable entity is concerning as they are also the compliance enforcement authority.
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable entity to
report the event. This is duplicative and would appear to overburden the reporting system. 2) Loss of off-site power
(grid supply) reporting for nuclear plants is duplicative of reporting done to satisfy NRC requirements. Given the activity
at a nuclear plant during this event, this additional reporting is not desired. 3) Cyber intrusion remains an event that
would need to be reported multiple times (e.g., this standard, OE-417, NRC requirements, etc.). 4) Since external
reporting for other regulators (e.g., DOE, NRC, etc.) remains an obligation of the Applicable Entity, suggest that
Attachment 1 only contain impact events as defined in the current version of EOP-004.
No
There is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
Yes
The use of the term “impact events” has simply replaced the terms “disturbance” and “sabotage” and has not further
defined sabotage as directed by FERC. We do feel that impact events needs to be a defined term.
No
Per the mapping document, some of the existing requirements are awaiting a new reporting procedure being
developed by NERC EAWG. For those requirements that were transferred over, the resulting standard seems overly
complex and lacks clarity.
Yes
No
Individual
John Bee
Exelon
No
The purpose states that Responsible Entities SHALL report impact events – this implies that ALL impact events need to
be reported regardless of magnitude, suggest rewording to say "… shall report applicable impact events …" to allow for
evaluation of each impact for applicability in accordance with Attachment 1.
No
Attachment 1, Part B, footnote 1. A GO is unlikely to know if a fuel supply problem would cause a reliability concern
because one GO may not know the demand for an entire region. Attachment 1, Part B, footnote 1. What is the
definition of an "emergency" related to problems with a fuel supply chain? What time threshold of projected need would
constitute a 1 hour report? Attachment 1, Part A – Voltage Deviations - A GOP may not be able to make the
determination of a +/- 10% voltage deviation for ≥ 15 minutes, this should be a TOP RC function only. Attachment 1,
Part A – Generation Loss of ≥ 2,000 MW for a GO/GOP does not provide a time threshold. If the 2,000 MW is from a
combination of units in a single location, what is the time threshold for the combined unit loss? Attachment 1, Part A –
Damage or destruction of BES equipment • The event criteria is ambiguous and does not provide clear guidance;
specifically, the note needs to provide more explicit criteria related to parts (iii) and (iv) to remove the need for
interpretation especially since this is a 1 hour reportable occurrence. In addition, determination of the aggregate impact
of damage may not be immediately understood – does the 1 hour report time clock start on initiation of event or
following confirmation of event? • The initiating event needs to explicitly state that it is a physical and not cyber. Events
related to cyber sabotage are reported in accordance with CIP-008, "Cyber Security – Incident Reporting and
Response Planning," and therefore any type of event that is cyber initiated should be removed from this Standard. • If
the damage or destruction is related to a deliberate act, consideration should also be given to coordinating such
reporting with existing required notifications to the NRC and FBI as to not duplicate effort or add unnecessary burden
on the part of a nuclear GO/GOP during a potential security event. Attachment 1, Part B – Loss of off-site power (grid
supply) affecting a nuclear generating station – this event classification should be removed from EOP-004. The impact
of loss of off-site power on a nuclear generation unit is dependent on the specific plant design and may not result in a
loss of generation (i.e., unit trip); furthermore, if a loss of off-site power were to result in a unit trip, an Emergency
Notification System (ENS) would be required to the Nuclear Regulatory Commission (NRC). The 1 hour notification in
EOP-004 on a loss of off-site power (grid supply) to a nuclear generating station should be commensurate with other
federal required notifications. Depending on the unit design, the notification to the NRC may be 1 hour, 8 hours or none
at all. Consideration should be given to coordinating such reporting with existing required notifications to the NRC as to
not duplicate effort or add unnecessary burden on the part of a nuclear GO/GOP during a potential transient on the
unit. Attachment 1, Part B – Forced intrusion at a BES facility – Consideration should also be given to coordinating
such reporting with existing required notifications to the NRC and FBI as to not duplicate effort or add unnecessary
burden on the part of a nuclear GO/GOP during a potential security event. Attachment 1, Part B – Risk to BES
equipment from a non-environmental physical threat – this event leaves the interpretation of what constitutes a "risk"
with the reporting entity. Need more specific criteria for this event. Attachment 1, Part B – Detection of a cyber intrusion
to critical cyber assets - Events related to cyber sabotage are reported in accordance with CIP-008, "Cyber Security –
Incident Reporting and Response Planning," and therefore any type of event that is cyber initiated should be removed
from this Standard.
No
This requirement should include explicit communications to the NRC (if applicable) of any reports including a nuclear
generating unit as a jurisdictional agency to ensure notifications to other external agencies are coordinated with the
NRC. Depending on the event, a nuclear generator operator (NRC licensee) has specific regulatory requirements to
notify the NRC for certain notifications to other governmental agencies in accordance with 10 CFR 50.72(b)(2)(xi). In
general, the DSR SDT should include discussions with the NRC to ensure communications are coordinated or consider
utilizing existing reporting requirements currently required by the NRC for each nuclear generator operator for
consistency.
No
R.2.4 and 2.5 - should not be required to have a list of internal personnel. If an entity has an Operating Plan that covers
internal and external notifications that should be sufficient. R2.2.7, 2.8, 2.9 – R4 requires an annual drill. Updating the
plan if required following an annual drill should be sufficient. Why does an entity need to develop a stand alone
Operating Plan if there is an existing process to address identification, assessing and reporting certain events? 30 day
implementation for a component change or lesson learned does not seem reasonable or commensurate with the
potential impact to the BES and should not be a required element of EOP-004. What is the communication protocol for
lessons learned outside of the annual NERC report? What process will be followed and who will review, evaluate, and
disseminate lessons learned that warrant updating the Operating Plan?
No
Agree that Each Applicable Entity shall identify and assess initial probable cause of impact events; disagree with
aspects and time requirements in Attachment 1.
No
If drills remain as a component of the standard, an effort to consolidate updating an entities plan with a requirement to
drill the plan should be made. Each entity/utility should be able to dictate/determine if they need a drill for a particular
event. Is this document implying a drill for every type of event?
No
Exelon doesn’t feel that the 30 day requirement is achievable and recommends an annual review. Training for all
participants in a plan should not be required. Many organizations have dozens if not hundreds of procedures that a
particular individual must use in the performance of various tasks and roles. Checking a box which states someone
read a procedure does not add any value, it is an administrative burden with no contribution to reliability. It is Exelon’s
opinion that training requirements should be covered in the PER standards and that the audience to be trained should
be identified. R5.4 requires internal personnel that have responsibilities related to the Operating Plan cannot assume
the responsibilities unless they have completed training. This requirement places an unnecessary burden on the
registered entities to track and maintain a data base of all personnel trained and should not be a requirement for job
function. A current procedure and/or operating plan that addresses each threshold for reporting should provide
adequate assurance that the notifications will be made per an individual's core job responsibilities.
No
The time durations in the attachment are too short, it would be impossible to collect all the data necessary to report out
on an impact event in the defined time to report. The SDT should evaluate each event for the most appropriate entity
responsible to ensure there is minimal confusion on who has the responsibility and eliminate duplication of reporting
when feasible.
No
The listed Impact Events is lacking specific physical security related events. In general, all impact events need to be
as explicit as possible in threshold criteria to eliminate any interpretation on the part of a reporting entity. Ambiguity in
what constitutes an "impact event" and what the definition of "occurrence" is will ultimately lead to confusion and
differing interpretations.
No
Exelon agrees with the use of the report but feels that # 5 should consist of check boxes. #12, 13, and 14 will take
more time than allotted by the reporting requirements to acquire, cannot be accomplished in an hour. Attachment 2
should have a provision for the reporting entity to enter (N/A) based on function (see below). Check box #8 A GO/GOP
may not have the information to determine what the frequency was prior to or immediately after an impact event. This
information should be the responsibility of a TOP or RC. Check box #9 A GO/GOP may not have the information to
determine what transmission facilities tripped and locked out. This information should be the responsibility of a TO,
TOP or RC. Check box #10 A GO/GOP may not have the information to determine the number of affected customers
or the demand lost (MW-Minutes). This information should be the responsibility of a TO, TOP, or RC.
No
Need to better define sabotage and provide examples, the term “impact events” creates confusion as to what
constitutes an event. The definition of impact event is vague and needs to be quantified or qualified with a term such as
“significant”. Otherwise, almost any event could be deemed to be an impact event. Attachment 1 needs to clearly
define that damage or destruction of BES equipment does not include cyber sabotage. Events related to cyber
sabotage are reported in accordance with CIP-008, "Cyber Security – Incident Reporting and Response Planning," and
therefore any type of event that is cyber initiated should be removed from this Standard. In general, all impact events
need to be as explicit as possible in threshold criteria to eliminate any interpretation on the part of a reporting entity.
Ambiguity in what constitutes an "impact event" and what the definition of "occurrence" is will ultimately lead to
confusion and differing interpretations.
No
Reporting form doesn’t allow for investigations which result in no impact events found or identified.
Yes
Agree with the proposed implementation date. A 12 month implementation will provide adequate time to generate,
implement and provide any necessary training by a registered entity.
Yes
The standard is lacking guidance for DOE Form OE-417 reporting as outlined in the current version of EOP-004 and
doesn’t contain any non-BES related reporting. What is the governing process for OE-417 reporting? Need clarification
if one entity can respond on behalf of all entities in one company. Need a provision for entities to provide one report for
all entities. Radiological sabotage is a defined term within the NRC glossary of terms. It would seem that a deliberate
act directed towards a plant would also constitute an "impact event." In general, the DSR SDT should include
discussions with the NRC to ensure communications are coordinated or consider utilizing existing reporting
requirements currently required by the NRC for each nuclear generator operator for consistency. The definition of
sabotage as defined by NRC is as follows: Any deliberate act directed against a plant or transport in which an activity
licensed pursuant to 10 CFR Part 73 of NRC's regulations is conducted or against a component of such a plant or
transport that could directly or indirectly endanger the public health and safety by exposure to radiation.
Individual
Kirit Shah
Ameren
No
The purpose talks about reporting impact events and their known causes. We have no problem with this generic intent,
but the purpose says nothing about the very burdensome expectation of verbal updates to NERC and Regional Entities
(Attachment 1, top of first page), Preliminary Impact Event Reports (Attachment 1, top of first page, are these
Attachment 2?), "Actual" Impact Event Reports (Attachment 1 - Part A) and "Potential" Impact Event Reports
(Attachment 1 - Part B). These multiple levels of reporting and events need to be greatly reduced.
Yes
Yes
No
While we agree with the intent to list certain minimum requirements for the Operating Plan, the draft list is too lengthy
and prescriptive. This merely creates opportunities for failure to comply rather than the real purpose of reporting data that
can be used to meaningfully increase the reliability of the BES by identifying trends of events that may otherwise be
ignored.
No
There are too many missing details on how this will be accomplished. As stated before, this Draft requires too much
time be invested in verbal reports, "Preliminary" reports, "Final" reports and even "Confidential" reports (Attachment 2).
If the goal is to report ASAP details on events which could impact BES reliability, all of these reports will need to be
made at the worst possible time - when Operators are trying to collect data, analyze what they find and correct major
problems on the system. And if the reports are wrong or not issued fast enough, the Operators will be keenly aware of
potential fines and violations.
No
Establishing a program with trigger actions expected to require reporting several times a year, combined with adequate
initial, and on-going, training should preclude the need for mandatory drills as an added compliance burden.
Yes
Yes
No
NERC's current heavy case load should justify reviewing the impact review table only once every 2 years.
No
We have numerous comments about the Attachments. (1) What are the requirements for "verbal" reporting to NERC
and Regional entities? (2) What are the requirements for a "Preliminary" Impact Event Report? (3) The Voltage
Deviations Event is unclear (a) Are these consecutive minutes? (b) Where is the voltage measured? (generator
terminals? Point of Interconnections? Anywhere?) (c) must each Entity report separately? (d) What is the +/- 10%
measured against (Generator Voltage Schedule?) (4) For Generation loss events how is an "entity" defined? (a
corporate parent? each registered entity? other?) (5) Are the "Examples" in the Attachment 1 - Part A really Examples,
or mandatory situations? (6) Can you define "Damage"? (7) Can you define "external cause"? (8) Can you give
examples of "non-environmental external causes"? (9) The footnote 1 reference for "Damage or destruction of BES
equipment" doesn't match up with the a. and b. footnotes or the 1. footnote of Attachment A - Part B. (10) How is the
Operator supposed to determine what Event affects the reliability of the BES fast enough to decide whether or not to
report? (11) Is the Loss of off-site power (grid supply) event to a nuclear plant already covered by NUC-001? (12) What
are "critical cyber assets" since CIP-002-4 will eliminate that term? (13) When is Attachment 2 supposed to be used?
(14) What is meant by the word "Confidential" in the title of the Attachment 2 report? How would the SDT propose a
GO/GOP handle the reporting for the following situation? A CTG unit is dispatched and the unit is started, synchronized
and put on the bus. Immediately the Operator receives a high gas alarm from the GSU. The Operator quickly shuts the
unit down and de-energizes the GSU. There are no relay targets and no obvious reason for the problem. After several
weeks of analysis it's determined there was an internal fault in the GSU and it must be replaced. How would the SDT
recommend all the reporting requirements in this situation be addressed with the current draft?
No
It is unclear when this should be used, or why.
Yes
However, the term Impact Event should be a new defined term. When the SDT determines this, it should use the term
consistently on both pages 5 and 21 of the SDT document.
No
It appears that all requirements have been addressed from the existing standards. However, we believe there is a
reliability gap that continues from the existing standards because sabotage is not defined any better than in the existing
standards.
Yes
Yes
We are concerned with the Future Development Plan. It shows an initial ballot period starting in December. This
standard has significant issues and will need another distinct comment period (and not the formal comment period in
parallel with balloting) prior to balloting.
Individual
Thad Ness
American Electric Power (AEP)
No
It is unclear what the relationship is between this project and the newly revamped NERC Event Analysis Process. We
support moving towards one process opposed to separate obligations that may be in conflict. In addition, AEP supports
the concept of a central clearinghouse such as the RCIS that is shared by the industry. We support fewer punitive
requirements and more prompting for using tools to make multiple entities aware of reliability related issues shortly
after the fact.
No
AEP does not agree with the addition of the Generator Owner to the standard. The Generator Owner does not have
visibility to the real time operational status of a unit. As a result, the Generator Owner lacks the ability to recognize
impact events and report them to the Regional Entity or NERC within the time frames specified in the standard.
Reporting requirements for impact events should be the responsibility of the Generator Operator.
Yes
Overall we support the concepts; however, it is unclear if the ERO can be held accountable for compliance with NERC
Requirements. If this requirement is removed there needs to be some mechanism for the ERO to establish a single
clearinghouse.
No
Component 2.2 “Method(s) of assessing cause(s) of impact events” is very vague. Furthermore, there are concerns
whether these methods can be accomplished within one hour as might be required per Attachment 1, in addition to
operating the system. Component 2.6 – need to add the statement “as appropriate for type of impact event”
Components 2.7 through 2.9 – are good concepts to consider for future inclusion, but at this point in time these appear
to be overreaching objectives. We recommend the SDT take smaller increments towards future progress at a measured
and reasonable pace. Furthermore, if Component 2.9 is retained it should only pertain to lessons learned on the
reporting of impact events not all recommendations regarding remediation of the impact events themselves.
Furthermore, the 30 day window to update the Operating Plans is aggressive considering the other priorities that may
be present day to day.
No
Not clear how this is different from R6 since it relies on the same timetable in Attachment 1.
Yes
Yes
No
It is not clear how this is different from R3 since it relies on the same timetable in Attachment 1.
No
Are the times listed for the initial probable reporting under R3 or the reporting under R6? Many of these items do not
constitute emergency conditions. We view many of these as too onerous and would divert operating staff from
monitoring and operating the BES. In addition, some terms (i.e. Frequency Trigger Limits) are not currently defined
terms. Furthermore, there are existing requirements that have obligations for entities to provide this information to the
RC. For example “Detection of a cyber intrusion to critical cyber assets” is already covered under CIP-008. This creates
duplicate (and potentially competing) requirements. AEP also contends that some of the timelines are very aggressive
and not consummate with perceived need for the information. Transmission loss of multiple BES transmission elements
(simultaneous or common-mode event) within 24 hours after occurrence is overly aggressive and should provide more
specific criteria.
Yes
Yes
Yes
The standard needs to be modified to allow the ability for one entity to report on behalf of other entities. For example
the loss of Generation over the threshold could be reported by the RC opposed to the GO individually, if mutually
agreed upon before the fact.
Group
Bonneville Power Administration
Denise Koehn
Yes
Known causes are difficult under 1 hour reporting requirements (Unusual events are even harder to narrow down in 24
hours and may take weeks.) The System Operators and RC’s handle situational awareness and reliability events, this
is an extra wide view and learning for reporting only.
Yes
Yes
As long as the 2.4 list is position based, not based on each individual that fills the position. (There is a concern of listing
all 2.4 monitoring/reporting personnel in the company that cover the impact event, since there are different function
groups and shift work. Documentation trails are difficult with personnel changes.) Because the CIP is being added, it
requires an Operating Plan (instead of procedure) with 30 day revision timelines, so it increases the burden for
electrical grid event reporting function. R2.9 language refers to R8 “annual” report; however R8 language is “quarterly”
reporting of past year. It appears this standard is going to be in an update status 4 times per year, plus any event
modifications plus personnel changes. This could be overly burdensome due to the expanding world of cyber security.
Yes
Known causes are difficult under 1 hour reporting requirements. (Unusual events are even harder to narrow down in 24
hours and may take weeks.)
No
There was no drill required for CIP-001 (a drill was in CIP-008, but the purpose did not list combining CIP-008). A drill is
not needed for reporting Electrical Grid events, designate it as excluded in the intent of the requirement.
Yes
There was no training required for CIP-001 or in CIP-008. (The proposed EOP-008 purpose did not list incorporating
CIP-008). Training was not really needed for reporting Electrical Grid events.
Yes
The requirement needs to specify who (ERO) to report to. Attachment 1 doesn’t say to report to the ERO either. Clarify
or remove the difference between the report submitted and evidence of the type of impact event required in the
measurement.
Yes
R2.9 language refers to R8 “annual” report; however R8 language is “quarterly” reporting. It appears this standard is
going to be in an update status 4 times per year minimum, plus any event modifications plus personnel changes.
Overly burdensome.
No
BPA suggests the following: Change loss of multiple BES to 3 or more. Loss of a double circuit configuration due to
lightning doesn’t need a report (it’s a studied contingency). Add qualifier to damage/destruction of BES equipment,
since a failed PCB or a system transformer normally doesn’t have a MAJOR impact to the grid. Add qualifier to Loss of
“ALL” off-site power affecting nuclear… The unplanned evacuation of control center is a busy time for the backup
control center, yet this standard requires 1 hour reporting. Suggest changing to 24 hours.
Yes
Item 8: list Hz minimum on the second line prior to Hz max since that is the typical frequency excursion order. The
Operating Plan is going to have to include the Compliance Registration ID number, since Operating Personnel don’t
carry that information around and it is not readily available.
The definition of an impact event in EOP-004-2 seems clear, however the term "mis-operation" still may imply intent in
the action of an individual. The SDT should consider further defining that term.
No
BPA supports the concept behind the revisions to EOP-004-2. Creating a single reporting methodology will improve the
processes and lead to more consistency. BPA recommends that the Standards Drafting Team (SDT) coordinate any
revisions in the reporting requirements with those found in CIP-008-3 to ensure that there are no conflicts. BPA asks
the SDT to consider the impact of these changes on CIP-008-3 and work with the CIP SDT to ensure that the wording
of the two requirements is similar and clear. Based on Attachment 1 part A of EOP-004-2, certain cyber security
events, intrusions for example, would have to be reported under both EOP-004-2 and CIP-008-3. That puts a burden
on a Registered Entity to take additional steps to coordinate reporting or face potential compliance risk for correctly
reporting an event under one standard and failing to report it under the other standard. The mapping document had
errors: a. CIP-001 R1 to EOP-004 R2.9 (annual vs quarterly). b. EOP-004-1 R2 was translated to R2 & R3 of version 2.
c. EOP-004-1 R3 was translated to R6 of version 2 (which doesn’t say to whom to report).
Yes
Yes
The document retention times in EOP-004-3 should be spelled out more clearly. The Compliance summary does so
(but needs some punctuation clarification regarding investigation), the SDT should consider making that part of the
requirements or clarifying the wording in the requirements.
Group
PSEG Companies
Kenneth D. Brown
No
The following sentence should be added. "This standard is not intended to be for real-time operations reporting."
No
For many items, there are multiple entities listed with reporting obligations. For example, loss of off-site power to a
nuclear plant lists RC, BA, TOP, TO, GO and GOP. This appears to result in the potential for the sending of 6 separate
reports within the hour for the same event, which in wide area disturbances overload the recipients. The drafting team
should consider revising the lists where possible to a single, or absolute minimum number, entity. Those items
reportable OE-417 should be removed from Attachment 1. For example, voltage reduction, loss of load for greater than
15 minutes. The trigger for voltage reduction should be the time of issuance of the directive to reduce voltage in an
emergency, not when "identified."
No
The top of this form should have the following statement added: "This form is not required if OE-417 is required to be
filed."
Group
E.ON U.S. LLC
Brent Ingebrigtson
No
The proposed standard does not list the Load Serving Entity as an Applicable Entity, but the possible events that the
standard addresses are within the scope of the LSE. Some functions of the LSE listed within the Functional Model are
addressed in the proposed standard. Existing CIP-001-1a and EOP-004-1 are both applicable to the LSE.
No
The Version History contained with EOP-004-2 indicates that CIP-001-1 and EOP-004-1 are “Merged”, however, the
actions do not reflect the retirement of CIP-001-1a and therefore, it is unclear if there will be remaining redundancies or
potential gaps with the new version EOP-004-2 and CIP-001-1a.
Yes
The new standard should incorporate all other disturbance, sabotage, or “impact event” reporting standards, such as
CIP-008-3. At the very least it should reference those other standards that have within their scope same/similar events
in order to ensure complete reporting and full compliance. Suggesting that one standard provides the single reporting
procedure, when in actuality it does not, is counterproductive. The discussion of “impact event” clearly indicates the
SDT’s intent to include sabotage events in the proposed standard EOP-004-2.
Individual
Joe Knight
Great River Energy
Yes
Thank you for the clarification of “known causes”, this will allow entities to report what they currently know when
submitting an impact report.
Yes
We believe that it is important for the ERO to provide valuable Lessons learned to our electrical industry, thus
enhancing the reliability of the BES.
Yes
No
A. As detailed in R2, the Operating Plan shall contain provisions for “identifying, assessing, and reporting impact
events”. R2.8, and R2.9 do not have a correlation to R2’s Operating Plan. Where, R2.7 states to update the Operating
Plan when there is a component change. We believe that the components of this Operating Plan are only 1)
identifying impact events, 2) assessing impact events, and 3) reporting impact events. R2.8 and R2.9 are based on
Lessons Learned (from internal and external sources) and do not fit in the components of an entity’s Operating Plan.
R2.7 requires the Operating Plan to be updated. As written, every memo, simulations, blog, etc that contain the words
“lessons learned” would be required to be in your Operating Plan. It is solely up to an entity to implement a “Lesson
Learned” and not the place for this SDT to require an Operating Plan to contain Lessons Learned. Recommend that
R2.8 and R2.9 be deleted for this requirement. If R2.8 and R2.9 are not removed, R5.3 will be in a constant state of
change. B. In R2.8 & R2.9, It may be difficult to implement lessons learned within 30 days. We suggest that lessons
learned should be incorporated within 12 calendar months if lessons learned are not deleted from the R2.8 & R2.9.
Yes
While we agree that it makes sense to report on the cause of an event, we disagree with the need for an Operating
Plan as identified in R2
No
We disagree with the need to conduct a drill for reporting
No
We believe that this task should be incorporated into the Job Task Analysis for the System Operators and that this
requirement should be deleted as being redundant.
No
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is not
reasonable as an entity may still be dealing with the event. This will be particularly difficult when support personnel are not
present such as during nights, holidays and weekends.
Yes
No
Comments: Please provide a phone number and provision within the Note of EOP-004 – Attachment 1: Impact Events
table for an entity to contact NERC if unable to contact NERC within the time described. Voltage Deviations –
recommend adding the word “(continuous)” after sustained in Threshold column. This could be interpreted as an
aggregate value over any length of time. Frequency deviations - recommend adding the word “(continuous)” after 15
minutes’ in Threshold column. This could be interpreted as an aggregate value over any length of time. CIP-008 R1.3
states the entity is to report Cyber Security Incidents to the ES_ISAC. Does the EOP-004 Attachment 2 fulfill this
requirement? We request clarification on the Transmission Loss threshold events that constitute reporting. We also
want clarification on what constitutes the loss of a DC Converter station and is there a time duration that constitutes the
need for reporting or does each trip need to be reported? For example during a commutation spike the DC line could
be lost for less than a minute. Does this loss require a report to be submitted? Is the SDT stating that each time a
company loses their DC line, they are required to file a report even though it may not have an effect on the bulk
system? What is the threshold for this loss? The SDT needs to clarify that duplicative reporting is not required and that
only one entity needs to report. For instance, the first three categories regarding energy emergencies could be
interpreted to require the BA and RC to both report. The reporting responsibilities in this table should be clarified based
on who has primary reporting responsibility for the task per the NERC Functional Model and require only one report.
For instance, since balancing load, generation and interchange is the primary function of a BA per the NERC
Functional Model, only the BA should be required to provide this report. The term Frequency Trigger Limit (FTL) is not
currently defined in the NERC Glossary. The term FTL needs to be introduced at the beginning of the standard and
defined as a new term.
No
NERC and the DOE need to coordinate and decide on which report they want to use and whichever report it is needs
to include all information required by both entities. The way this standard is currently written there is the potential that
two government entities may need to be reported to in a relatively short period of time. It is not clear what benefit
providing the Compliance Registration ID number provides. Many of the registered entities employees that will likely
have to submit the report, particularly given the one-hour reporting requirement for some impact events, will not be
aware of this registration ID. However, they will know for what functions they are registered. We recommend removing
the need to enter this compliance registration ID or extending the time frame for reporting to allow back office personnel
to complete the form. For item two, please change “Time/Zone:” with “Time (include time zone)”. As written it is a little
confusing.
No
We believe the SAR scope regarding addressing sabotage has not been addressed at all. It appears that impact event
essentially replaces sabotage. This standard needs to make it clear that sabotage, in some cases, cannot be identified
until an investigation is performed by the appropriate policing agencies such as the FBI. Intent plays an important role
in determining sabotage and only these agencies are equipped to make these assessments.
No
It appears that all requirements have been addressed from the existing standards. However, we believe there is a
reliability gap that continues from the existing standards because sabotage is not defined any better than in the existing
standards.
Yes
Yes
We are concerned with the Future Development Plan. It shows an initial ballot period starting in December. This
standard has significant issues and will need another distinct comment period (and not the formal comment period in
parallel with balloting) prior to balloting. Please provide an e-mail address for the submittal of the report to NERC (and
any other parties above a Regional Entity) within this Standard and a fax number as a backup to electronic submittal.
Individual
Greg Rowland
Duke Energy
No
The Purpose statement says that reporting under this standard supports situational awareness. However this is in
conflict with Section 5. Background, where the DSR SDT makes clear that this standard includes no real-time operating
notifications, and that this proposed standard deals exclusively with after-the-fact reporting. We also disagree with the
stated concept of “impact event”. Including the phrase “or has the potential to impact” in the concept makes it
impossibly broad for practical application and compliance.
Yes
No
The requirement again states the intent is to “enhance and support situational awareness”, which doesn’t sync with
“after-the-fact reporting”. We question why NERC needs to create this report and system for distributing impact event
reports to various organizations and agencies for after-the-fact reporting, when we are still required to make real-time
reports under other standards. For example, the Rationale specifically recognizes that this standard won’t release us
from the DOE’s OE-417 reporting requirement. We don’t see that this provides value, unless NERC can find a way to
eliminate redundancy in reporting.
No
Sections 2.4 and 2.5 should allow identification of responsible positions/job titles rather than specific people. Section
2.9 only allows 30 days for updates to our plan based upon lessons learned coming out of an annual report. 60-90 days
would be more appropriate. Also, Section 2.9 says it’s an annual report, while R8 only requires quarterly reports.
Yes
Yes
No
Strike the word “all” in the requirement. All personnel don’t need to be trained – for example, the plan may contain
references to some personnel as potential sources of the information that will then be reported. Also, Section 5.3 only
allows 30 days for training, which may be impossible with rotating shift personnel and training schedules. 60 days is
more appropriate.
Yes
Yes
However, R8 only addresses quarterly reports, and R2 Section 2.9 states that there will be an annual report.
No
• General Comment – many timeframes in Attachment 1 are within one hour. This is inconsistent with the stated aim of the standard, which is after-the-fact reporting, as opposed to real-time operating notifications under RCIS and other standards (e.g. TOP). This standard should not be structured to require another layer of real-time reporting.
• Voltage Deviation – Plus or minus 10% of what voltage?
• Frequency Deviation – this is Interconnection-wide. Do you really want a report from every RC and BA in the Eastern Interconnection??
• Transmission Loss – “Multiple BES transmission elements” should be changed to “Three or more BES transmission elements”. Also, the time to submit the report should be based upon 24 hours after the occurrence is identified.
• Damage or destruction of BES equipment – need clarity on the “Examples”. Is the intent to report an event that meets any one of the four “part a.” sub-bullets? i. – critical asset should be capitalized. Disagree with the phrase “has the potential to result” in section iii. – it should just say “results”. Section iv. is too wide open. It should instead say “Damaged or destroyed with malicious intent to disrupt or adversely affect the reliability of the electric grid.”
• Unplanned Control Center evacuation – see our General Comment above. Clearly in this case the reporting individuals are evacuating and cannot report in one hour. 24 hours should be more than adequate for after-the-fact reporting.
• Fuel Supply Emergency, Loss of off-site power, and Loss of all monitoring or voice communication capability – see our General Comment above. Time to report should be 24 hours after occurrence is identified.
• Forced intrusion, Risk to BES equipment, Detection of a cyber intrusion to critical cyber assets – time to report should be 24 hours after occurrence is identified, and critical cyber assets should be capitalized.
Yes
However, Attachment 2 is titled “Impact Event Reporting Form”.
No
We disagree with the stated concept of “impact event”. Including the phrase “or has the potential to significantly impact”
in the concept makes it impossibly broad for practical application and compliance. By not attempting to define
“sabotage”, the standard creates a broad reporting requirement. “Disturbance” is already adequately defined.
“Sabotage” should be defined as “the malicious destruction of, or damage to assets of the electric industry, with the
intention of disrupting or adversely affecting the reliability of the electric grid for the purposes of weakening the critical
infrastructure of our nation.”
Yes
Yes
No
Individual
Nathan Lovett
Georgia Transmission Corporation
No
These events generally are Operator Functions and should not apply to a TO.
1. Energy Emergency requiring systemwide voltage reduction
2. Loss of firm load greater than 15 min.
3. Transmission loss (multiple BES transmission elements)
4. Damage or destruction to BES equipment (thru operational error or equipment failure)
5. Loss of off-site power affecting a nuclear generating station
No
The only two events that apply to a TO are the ones related to CIP:
1. Forced intrusion (report if motivation cannot be determined, i.e. to steal copper)
2. Detection of a cyber intrusion to critical cyber assets (criteria of CIP-008)
Everything in this standard applies to a TOP and therefore E-004-2 and CIP-001 should not be combined
Group
WECC
Steve Rueckert
No
The purpose statement should reflect the fact that this proposed standard is for after-the-fact reporting. It is misleading
and may have many thinking it is duplicative work.
No
The ERO’s applicability is not applied in Attachment 1.
R1 is appropriate for after-the-fact reporting. However, as proposed this standard eliminates all real-time notifications,
including the CIP-001-1 R3 notice to appropriate parties in the Interconnection. New requirement R2.6 lists external
parties to notify but it does not include the Reliability Coordinator. It is important that the RC be notified of suspected
sabotage. The RC’s wide-area interconnection view and interaction with BAs may help recognize coordinated sabotage
actions. Any “impact event” where sabotage is suspected as the root cause should require additional and real-time
notifications.
No
Need clarification on whether the 30 days is calendar days or business days. As noted in the comment to question 3,
any impact event where sabotage is suspected should be treated differently from those where sabotage is not
suspected.
Yes
No
The addition of a drill or exercise constitutes additional training and believes R4 should be added to R5. Clarification is
needed as to what level does the annual training target, for instance, the field personnel. Will they have to complete the
exercise/drill?
No
Thirty days is too restrictive due to real-time operations schedule requirements. Most work schedules are either five or
six weeks and individuals may be on either long change or vacation and therefore unable to complete the training
within 30 days of the identification of the need. Based on the NERC Continuing Education revised submittal date for the
Individual Learning Activities (ILA), the requirement should be changed to require training to be conducted within 60
days.
No
There seems to be redundancy in reporting based on the time frames in Attachment 1, i.e. OE-417 and other required
reports. If this standard is intended to be an after the fact report, why is there one/twenty-four hour reporting criteria?
Yes
For strictly after-the-fact reporting the list of Attachment 1 is appropriate. However, as noted in our earlier comments,
actual or suspected sabotage events can have a potentially significant impact on reliability and should be treated
differently, with additional real-time reporting requirements. It is important that such events be identified and recognized
for reliability purposes and that notices include the RC.
No
The report is duplicative to the OE-417 reporting criteria.
No
The proposed definition of “impact event” does not meet FERC’s directive to “further define sabotage” nor does it take
into consideration their request to address the applicability to smaller entities. Attachment 1 Part A or B do not clearly
specify “sabotage” events, other than “forced entry”. The purpose of CIP-001-1 and its requirements is to address the
specific issue of possible sabotage of BES facilities. This is entirely different than a “disturbance” or an “event” on the
BES. The proposed definition for “impact events” is essentially any event that has either impacted the BES or has the
potential to impact the BES, caused only by three specific things; equipment failure or misoperation, environmental
conditions, or human action. Several of these “impact events” could be a result of sabotage. Actual or potential
sabotage clearly poses a risk to the reliability of the BES. It is important that the risks related to sabotage be reflected
in either EOP or CIP
A potential gap may exist. Attacks on BES facilities, via either vandalism or sabotage, are very different events than
impact events on the system. From a Compliance standpoint, a revised standard to address the FERC directive on
sabotage should be developed as an EOP standard (that is grouped with 693 Standards) rather than as a CIP
Standard (CIP-001-1).
Yes
Yes
Having one training standard that captures all the training required within the NERC standards will allow for better
clarity for the training departments in providing and meeting all NERC Standard compliance issues. This will become
even more of an issue as training requirements continue to expand. CIP-001-1 has surprisingly been one of the most
violated standards during the initial period. However, most entities have now developed and demonstrated a decent
compliance process. Unless a revised standard to address the FERC directive on sabotage is developed (as
suggested in 13 above) this proposed standard appears to eliminate sabotage reporting as a reliability standard to the
potential detriment of BES reliability.
Individual
Chris de Graffenried
Consolidated Edison Co. of NY, Inc.
No
Comments: The purpose is not clear because it uses the term “impact events”. This term should be defined in the
NERC glossary, and should not include words such as “potential”.
No
Comments: NERC’s role as the Standard enforcement organization for the power industry will be in conflict if NERC is
also identified as an applicable entity. What compliance organization will audit NERC’s performance? This is presently
not clear.
No
See response to Question 2.
No
Requirement R2
• Lead-in paragraph - Following the words “Attachment 1” add a period and the words “The Operating Plans shall” and then delete “that” and make “includes” singular.
• R2.1, 2.2, 2.3, 2.7 - Replace the word “Method(s)” with the word “Procedure(s)”.
• 2.6 – After the word “notify” add a period, then insert the words “For example, external organizations may include” and delete the words “to include but not limited to.”
• 2.8 – After the words “Operating Plan based on” add the word “applicable”.
Rationale R2 After the words “Every industry participant that owns or operates,” add the words “Bulk Electric System.” Then delete the words “on the grid.”
Yes
We agree, however, the term “impact event” must be part of the NERC glossary.
Yes
No
Requirement 5 – Training should be targeted only at those responsible for implementing the Operating Plan (OP), not
all those mentioned in the OP. R5 – After the words “internal personnel” add the words “responsible for implementing.”
Then delete the words “identified in” and “for reporting pursuant to Requirement R2.” 5.4 – Following the words “For
internal personnel” add the words “responsible for implementing the Operation Plan.” Between the words “revised
responsibilities” add the word “implementation.” M5 – After the words “between the people” add the words “responsible
for implementing the Operating Plan”
No
R2 requires applicable entities to have an Operating Plan which are company specific procedures and process required
to be compliant with EOP-004. Therefore, R6 should be deleted since it is redundant with R2.
No
See response to Question 2 Requirement 7 Delete the words “and propose revisions to” Following the words
(Attachment 1) add a period. Following that period add the words “The ERO shall revise the table” Requirement 8
RECOMMEND DELETION OF R8 – CONFIDENTIALITY CONCERNS WILL MAKE ESTABLISHING A PUBLICATION
REQUIREMENT EXTREMELY CHALLENGING.
No
It is absolutely essential that the work on EOP-004 and that on the NERC Event Analysis Process (EAP) be fully
coordinated. We find that there are a number of inconsistencies between these two documents. The EAP and EOP-004
are not aligned. In order to operate and report effectively entities need consistent requirements. Attachment 1
Frequency Deviations – The term “Frequency Trigger Limit (FTL)” is not defined. Only defined terms should be used, or
the term should be defined. If the term is defined in another standard it should be moved to the Glossary of Terms for
wider use. Loss of Firm load for 15 Minutes – The text under the rightmost column entitled, Time to Submit Report,
appears to be incomplete in our copy. Transmission loss and Damage or destruction of BES equipment – At the end of
the wording for both under the column entitled “Threshold for Reporting” add the words “that significantly affects the
integrity of interconnected system operations.” Examples – Capitalize “Critical Asset” as this is a defined term.
No
It is not clear why the DOE form cannot be used. NERC should make every effort to minimize paper work for entities
responding to system events.
No
The definition is open for interpretation beyond events identified in Attachment 1. In addition, all Standards are
supposed to have Rationales. In the Draft Standard, the Rationales do not address the concept of Potential, and how it
relates to an actual system event. Additional work needs to be done addressing the meaning of “potential”.
Yes
Yes
Yes
Overriding Comment and Concern: It is absolutely essential that the work on EOP-004 and that on the NERC Event
Analysis Process (EAP) be fully coordinated. We find that there are a number of inconsistencies between these two
documents. The EAP and EOP-004 are not aligned. In order to operate and report effectively entities need consistent
requirements.
Group
Pepco Holdings, Inc - Affiliates
Richard Kafka
Yes
Yes
Yes
No
For R 2.7, 2.8 and 2.9, 30 days may be too short a time for large entities with multiple subsidiaries to do the necessary
notice and coordination. PHI suggests 90 days.
Yes
Yes
No
30 days may be too short a time for large entities with multiple subsidiaries to do the necessary notice and
coordination. PHI suggests 90 days.
Yes
Yes
No
Some items with one hour reporting (such as Unplanned Control Center evacuation) may be so disruptive to operations
that one hour is too short. 4 hours suggested.
No
The list of events misses many items considered as suspicious or potential sabotage, such as suspicious observation
of critical facilities.
No
The list of events misses many items considered as suspicious or potential sabotage, such as suspicious observation
of critical facilities.
No
The list of events misses many items considered as suspicious or potential sabotage, such as suspicious observation
of critical facilities.
Yes
Yes
The EAWG is developing processes that will be enforced through the Rules of Procedure. It may be inappropriate to
reference the EAWG process in the Mapping Document.
Individual
Kathleen Goodman
ISO New England Inc.
No
The proposed requirements in the standard are not focused on the core industry concern that current requirements are
unclear as to what types of events warrant entities to report. Per draft 2 of the SAR, “The existing requirements need to
be revised to be more specific – and there needs to be more clarity in what sabotage looks like.” Instead this proposed
standard includes requirements that are more focused on “how” to report, rather than “what” to report. The draft 2 SAR
has never been balloted for approval prior to standard drafting. In fact, the SAR states, “The development may include
other improvements to the standards deemed appropriate by the drafting team, with consensus on the stakeholders
(emphasis added), consistent with establishing high quality, enforceable and technically sufficient bulk power system
reliability standards.” The scope of the SAR, and likewise the proposed standard, is inappropriate to the fundamental
reliability purpose of what events need to be reported. The proposed administrative requirements are difficult to
interpret, implement and measure, and do not clarify what type of sabotage information entities need to report.
Although the use of procedures and an understanding by those personnel accountable seems helpful for ensuring
reports are made, the fundamental purpose of clarifying what types of events should be reported and more importantly
what types do not have to be reported, is lacking in the standard. Also, one of the first issues identified in the SAR for
consideration by the drafting team seems to be ignored: “Consider whether separate, less burdensome requirements
for smaller entities may be appropriate.” The requirements for entities to develop Operating Plans and to have training
for those plans, further adds uncertainty and increases complexity of how entities, large and small, will have to comply
with this standard. The term “impact events” does not draw a clear boundary around those events that are affected by
this standard. Since this is not a defined term, nor is intended to be a defined term in the NERC Glossary, this standard
lacks clarity and is likely to produce significant conflict as an applicable entity attempts to establish procedures to
assure compliance. It appears that situational awareness could not be improved with this standard since it is only
dealing with events after-the-fact, not within the time frame to allow corrective action by the system operator. This draft
standard should not have this high a priority while other standards having a greater impact on Bulk Electric System
reliability remain incomplete or unfinished. Regional reporting requirements should be in Regional Standards, and not
be included in a NERC Standard.
No
Having the ERO as an applicable entity raises the issue that they are also the compliance enforcement authority. The
ERO is responsible for multiple requirements in this standard that shape the ultimate actual rules that the other
applicable entities would be required to meet. For example, establishing and maintaining a system for receiving and
distributing impact events, per R1, would be done solely by the ERO, outside of NERC’s open process. NERC has also
offered the opinion that since NERC is not a “user, owner, or operator” Standards are not enforceable against the ERO.
In Attachment 1 the time frames listed are not consistent for similar events. For example, EEAs are either reported
within one or 24 hours depending on the nuance. Having multiple entities reporting the same event is troublesome, i.e.,
why does a RC have to report an EEA if the BA is going to report it? This will lead to unnecessary and possibly
conflicting reports for the same event. Attachment 1 seems to be consolidating time frames from other standards into
one for reporting. However, this subject is more complex than this table reveals, and the table needs more clarification.
Entities that have information about possible sabotage events should report these to NERC after the fact, and the
standard should simply reflect that. While we agree with the list of functional entities identified in the Applicability
Section, we do not agree with their application in Attachment 1. As the functional entities are identified in Attachment 1,
it is likely that there is going to be duplicate reporting. Several of the events require filing a written formal report within
one hour. For example, system separation is going to require an “all hands on deck” response to the actual event. The
paragraph above the table in Attachment 1 indicates that a verbal report would be allowed in certain circumstances, but
this is the same issue with the formal report in that the system operators are concerned with the event and not the
reporting requirements. There is already a DOE requirement to report certain events. We see no need to develop
redundant reporting requirements through NERC that cross federal agency jurisdictions.
No
Having the ERO as an applicable entity raises a concern because they are also the Compliance Enforcement Authority.
The ERO is responsible for multiple requirements in this standard that shape the ultimate actual rules that the other
applicable entities would be required to meet. Establishing and maintaining a system for receiving and distributing
impact events, per R1, would be done solely by the ERO, outside of NERC’s open process. At this stage it is not clear
how the ERO will develop or effectively maintain a list of “applicable government, provincial or law enforcement
agencies” for distribution as defined in R1. The “rationale for R1” states that OE-417 could be included as part of the
electronic form, but responsible entities will ultimately be responsible for ensuring that OE-417 reports are received at
DOE. This requirement needs to be more definitive with respect to OE-417. The better approach would be for the
entities to complete OE-417 form and this standard simply require a copy.
No
This is an overly prescriptive requirement given that the intent of this standard is after-the-fact reporting. The
requirement to create an Operating Plan is an unnecessary burden that offers no additional improvements to the
reliability of the Bulk Electric System, and this is not, in fact, an Operating Plan. At most, it may be a reporting plan.
Most of these requirements are administrative and procedural in nature and, therefore, do not belong as requirements
in a Reliability Standard. Perhaps they could be characterized as a best practice and have an associated set of
Guidelines developed and posted on the subject. As proposed, the Operating Plan is not required to ensure Bulk
Electric System reliability. As stated in the purpose of this standard, it does not cover any real-time operating
notifications for the types of events covered by CIP-001, EOP-004. Since these incidents are meant to be reportable
after-the-fact, familiarity with the reporting requirements and time frames is sufficient. Stating reporting requirements
directly in the standard would produce a more uniform and effective result across the industry, contributing towards a
more reliable Bulk Electric System. R2.6 establishes an external organization list for Applicable Entity reporting, yet R1
suggests that external reporting will be accomplished via submittal of impact event reports. How will the two
requirements be coordinated? What governmental agencies are appropriate, and how will duplicative reporting be
addressed (for example, DOE, Nuclear Regulatory Commission)? Also, in the “rationale for R2”, please explain the
reference to Parts 3.3 and 3.4.
No
We think “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to build
auditable compliance procedures. Although it is useful for entities to make an initial assessment of a probable cause of
an event, this requirement should stand alone and does not need to be tied to requirement R2, Operating Plan. Quite
often, it takes a considerable amount of time for an actual cause to be determined. The determination process may
require a complex root cause analysis. Further, in the case of suspected or potential sabotage, the industry can only
say it doesn’t know, but it may be possible. Law enforcement agencies make the determination of whether sabotage is
involved, and the information may not be made available until an investigation is completed, if indeed it is ever made
available.
No
The need for a periodic drill has not been established, and appears to be overly restrictive given the intent of the
standard is the reporting of impact events. Suggest this requirement be eliminated. Similar to our comments on R2 for
an Operating Plan, a drill, exercise, or Real-time implementation of its Operating Plan for reporting is unnecessary.
Such things are training practices. There are already existing standards requirements regarding training. There is no
imminent threat to reliability that requires these events to be reported in as short a time frame as may be required for
real-time operating conditions notifications.
No
The need for a periodic drill has not been established, and appears to be overly restrictive given that the intent of the
standard is reporting of impact events. Suggest this requirement be eliminated. There are training standards in place
that cover these requirements. We agree the relevant personnel should be “aware” of the reporting requirements. But
there is not a need to have a training program with specific time frames for reporting impact events. Awareness of
these reporting requirements can be achieved through whatever means are available for entities to employ to train on
any of the NERC standards, and need not be dictated by requirements.
No
Entities are already required by other agencies (e.g., DOE, NRC) to report certain events. We see no need to develop
redundant reporting requirements for NERC that cross other federal agency jurisdictions. There is no need for an
Operating Plan as proposed. This is not truly an Operating Plan. There are already other standards which create the
requirements for an Operating Plan. This is an administrative reporting plan and any associated impact upon reliability
is far beyond real-time operations which is implied by the label “Operating Plan.”
No
Having the ERO as an applicable entity raises concern as it is also the compliance enforcement authority. Requirement
R7 is unnecessary as there are already requirements in place for three year reviews of all Standards. R8 contains
requirements to release information that should be protected, such as identification of trends and threats against the
Bulk Electric System. This may trigger more threats because it will be published to unwanted persons in the private
sector. We do not support an annual time frame to update the events list. The list should be updated as needed
through the Reliability Standards Development Process. Any changes to a standard must be made through the
standards development process, and may not be done at the direction of the ERO without going through the process.
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable entity to
report the event. This is duplicative and would overburden the reporting system. 2) Loss of off-site power (grid supply)
reporting for nuclear plants is duplicative of reporting done to satisfy NRC requirements. Given the activity at a nuclear
plant during this event, this additional reporting is not desired. 3) Cyber intrusion remains an event that would need to
be reported multiple times (e.g., this standard, OE-417, NRC requirements, etc.). 4) Since external reporting for other
regulators (e.g., DOE, NRC, etc.) remains an obligation of the Applicable Entity, suggest that Attachment 1 only contain
impact events as defined in the current version of EOP-004. What are the examples at the bottom of page 14 supposed
to illustrate? Critical Asset should have the appropriate capitalization as being a defined term. Is Critical Asset what is
intended to be used here? Should the “a” list be read as ANDs or Ors? Does “loss of all monitoring communications”
mean “loss of all BES monitoring communications”? Does “loss of all voice communications” mean “loss of all BES
voice communications?” Are the blue boxes footnotes or examples? Does “forced intrusion” mean “physical intrusion”
(which is different from “cyber intrusion”)? Regarding “Risk to BES Equipment,” request clarification of “non-environmental”. Regarding the train derailment example, the mixture of BES equipment and facility is confusing.
Request clarification for when the clock starts ticking. Regarding “Detection of a cyber intrusion to critical cyber assets”,
there is concern that this creates a double jeopardy situation between CIP-008 and EOP-004-2 R2.6. Suggest physical
incident reporting be part of EOP-004 and cyber security reporting be part of CIP-008.
No
There is already a DOE requirement to report certain events. There is no need to develop redundant reporting
requirements to NERC that cross other federal agency jurisdictions. The heading on page 16 refers to EOP-002, but
this is Standard EOP-004. If some questions do not require an answer all of the time, then the form should state that or
provide a NA checkbox. While Attachment 1 details some cyber thresholds, Attachment 2 provides no means to report
– which is acceptable if cyber incidents are handled by CIP-008 per the comment provided for Question 10. The Event
Report Template in Appendix A is different from the most recent version, which is available at:
http://www.nerc.com/docs/eawg/Event_Analysis_Process_WORKINGDRAFT_100110-Clean.pdf
No
The use of the term “impact events” has simply replaced the terms “disturbance” and “sabotage”, and has not further
defined sabotage as directed by FERC. We do feel that “impact events” needs to be a defined term. While we agree
with the SDT’s new direction, the FERC directive has not been met. This term and the FERC directive do not recognize
limitations in what a registered entity can do to determine whether an act of sabotage has been committed. This term
should recognize law enforcement and other specialized agencies, including international agencies roles in defining
acts of sabotage, and not hold the registered entity wholly responsible to do so.
No
Per the mapping document, some of the existing requirements are awaiting a new reporting procedure being
developed by the NERC EAWG. For those requirements that were transferred over, the resulting standard seems
overly complex and lacks clarity. EOP-004-3 should be EOP-004-2.
No
If the training and Operation Plan requirements are adopted as proposed, this may not allow sufficient time for some
entities to comply, particularly those with limited number of staff, but perform functions that have multiple event
reporting requirements.
Yes
Request clarification on how RCIS is part of this Standard. The form should be filled out in two stages. First stage
would be the immediately available information. The second stage would be the additional information such as one line
diagrams. There is concern with burdening the reporting operator on filling out forms instead of operating the Bulk
Electric System. Most of the draft requirements are written as administrative in nature, and this is not most effective.
Changes need to be made to (or possibly elimination of) R1, R2, R3. The standards should be changed to define what
a “disturbance” is for reporting in EOP-004. Sabotage reporting as per CIP-001 should be rescinded as EOP-004
already has such a requirement.
Group
We Energies
Howard Rulf
No
Impact event needs to be clarified first, and DP references in Attachment 1 clarified. Distribution is not BES.
No
The need for a DP to be included needs to be clarified. The Purpose points to BES. A DP does not have BES
equipment.
Yes
No
R2.3, R2.4: “Part” is not a defined term or used in the NERC Standard Process Manual. R2: Attachments are not
mentioned in the NERC Standard Process Manual. Is this a mandatory or informational part of the standard? R2.6 (and
possibly R2.5): There does not seem to be discretion in notifications. Are all people or organizations on the notify lists
always contacted for every impact event? Even Law Enforcement? R2.7: What is a “component”? A Plan component? A
BES component? R2.9: There is no annual NERC report issued pursuant to R8. R8 requires quarterly reporting.
No
A DP may not have Facilities (a BES element). See NERC Glossary definition of Facility.
Yes
No
Please clarify who is to be trained. As written, R5 requires any internal personnel identified in the plan, including CEO,
Vice Presidents, etc., to be trained.
No
The proposed definition of “impact event” needs to be clarified.
Yes
No
I did not compare this standard to the OE-417 form. Please do not require operators to fill out a second form during an
emergency within one hour. Energy Emergency requiring Public appeal…: “Public” is not a defined term. Energy
Emergency requiring system-wide voltage…: DP does not control BES voltage. Energy Emergency requiring firm load
shed…: TOP does not have load it would shed for an Energy Emergency. Frequency Deviations: Why is a BA
reporting? This will be every BA in the Interconnection reporting the same Frequency Deviation. Frequency Deviations:
Frequency Trigger Limit is not a defined term, and is not defined in this standard. Loss of Firm Load…: TO and TOP
may coordinate or direct load shed, but they do not serve firm load. Damage or destruction of BES… There is no
footnote 1 on this page. I assume it is the examples on the page. Are these “examples” of a larger set or are these all
that is required? Critical Asset is a defined term. Forced Intrusion: “facility” or Facility? An RC and BA do not have
Facilities.
No
The data required to assess an impact event thoroughly will often not be available or apparent. Immediate reporting
should fall to the RE with assistance/information from the affected entities. There do not seem to be provisions for
when it is impossible to take the time to fill out a form or when it is impossible to send a form. I did not compare this
standard to the OE-417 form. Please do not require operators to fill out a second form during an emergency within one
hour.
No
Impact Event could replace disturbance and sabotage but not in its present form. The proposed definition of impact
event “An impact event is any event that has either impacted or has the potential to impact the reliability of the Bulk
Electric System. Such events may be caused by equipment failure or mis-operation, environmental conditions, or
human action.” is too vague. The “potential to impact the reliability” is too broad and open to interpretation. It needs to
be specific so entities know what is and is not an impact event and so an auditor clearly knows what it is. Define
“impact event” as the items listed in Attachment 1. As you have done, focusing on an event’s impact on reliability is
more important than determining an individual's intent (sabotage vs. theft).
Yes
Yes
Yes
Please be careful to capitalize defined terms. If the intent is to not use the defined term, use another word. "Forced
intrusion" (cutting a fence, breaking in a door) may not be discovered for quite some time after it occurs. Should it be
reported as soon as discovered? Even if there was no impact event (disturbance)? "Destruction of a Bulk Electric
System Component" seems pretty specific. However, if a transformer kicks off line due to criminal damage, yet is
considered repairable, is the event reportable?
Group
PPL Supply
Annette M. Bannon
Yes
No
While we agree with the list of functional entities identified in the Applicability Section, we do not agree with assignment
of applicable entities noted in Attachment 1. As the functional entities are identified in Attachment 1, there will likely be
duplicate reporting for many impact events. By applying reporting responsibilities to both the Gen Owner and Gen
Operator, this will result in duplicate reporting for plants with multiple owners. It also increases the burden on the Gen
Operator who is required to report the event to NERC and to other Gen Owners in a timely manner to allow other Gen
Owners to meet the NERC reporting timeline. We suggest that the reporting requirements associated with generators
be applied to the Gen Operator only.
Yes
No
While we agree with concept addressed in R2, we don't agree with use of the defined term Operating Plan. Consider
working the requirement as follows: "Each Applicable Entity identified in Attachment 1 shall have a documented
process or program that includes the following components:..." Also, please consider changing 2.1 to be "Method(s) for
recognizing the occurrence of impact events." The current wording could be interpreted to mean, "create a list of the
impact events."
No
Please consider changing the word "identify" to "recognize" and adding the Rationale statement to the requirement as
follows: "Each Applicable Entity shall assess the causes of the reportable event and gather available information to
complete the report."
Yes
No
We generally agree with R5 but recommend two changes to 5.3. Consider expanding the exception criteria to exempt
non-substantive changes such as errata changes, minor editorial changes, contact information changes, etc. Also,
consider changing "training shall be conducted" to "training or communication/notification of changes shall be
conducted."
No
It may be difficult to meet Attachment 1 Part B Potential Reliability Impact submittal times as the time to submit is 1 or
24 hours after occurrence. Consider changing the Time to Submit Report for Forced intrusion, Risk to BES equipment,
and Detection of a cyber intrusion to be "report within 24 hours after detection".
Yes
No
Attachment 1 Part A is labeled "Actual Reliability Impact". Does this title mean that for all events listed the "threshold for
reporting" is only met if the event occurs AND there is an actual reliability impact? As opposed to Part B where the
threshold for reporting is met when the event occurs and there is a potential for reliability impact? This could be broad
for events like "Risk to BES equipment."
Yes
Yes
Yes
Yes
No
Individual
Amanda Stevenson
E.ON Climate & Renewables
Yes
No
1. Voltage deviation events are too vague for GOP. How do voltage deviations apply to GOPs or specifically
renewables i.e., wind farms? 2. Define what an “entity” is. 3. Define what a “generating station” is. 4. Define what a
“BES facility” is. 5. Define what a control center is. 6. Renewable energy/generators should be taken into consideration
when crafting the events.
Yes
A generic ERCO approved electronic (form that can be submitted on-line) reporting form will help to add more clarity &
consistency to the Impact event reporting process.
No
Administrative burden to some of the components such as 2.5.
No
Redundant with R4.
No
1. Voltage deviation events are too vague for GOP. How do voltage deviations apply to GOPs or specifically
renewables i.e., wind farms? 2. Define what an “entity” is. 3. Define what a “generating station” is. 4. Define what a
“BES facility” is. 6. Define what a control center is.
Yes
Suggestions on the form: if an entity has not had time to fully determine the cause of an Impact Event such as for
“Question # 4: Did the impact event originate in your system, yes or no?”, perhaps more time is needed than 24 hours
to determine the cause.
No
Acts of Sabotage is still not defined and if the registered entities are required to report acts of sabotage, NERC still
needs to define this further.
Yes
Yes
Refrain from having redundant reporting forms if at all possible. This can create confusion and lead to unnecessary
penalty amounts and violations for registered entities. “Potential” impacts of an event on the BES need to be clearly
defined in the standard.
Individual
Christine Hasha
ERCOT ISO
No
ERCOT ISO believes that according to the timelines allotted in Attachment 1, it may not be possible for the entity to
identify the “known cause” of an event. The requirements list identification of “initial probable cause”. This is more
reasonable under the timelines noted in Attachment 1.
No
ERCOT ISO recommends that the Electric Reliability Organization be removed from the standard. The Electric
Reliability Organization should not be responsible for reliability functions and therefore should be excluded from
reliability standards.
No
Recommend that requirements for the Electric Reliability Organization be removed. However, if the requirements are
retained, ERCOT ISO recommends the following wording change to be consistent with other standards. “R1. The ERO
shall create, implement, and maintain a system for receiving and distributing impact event reports, received pursuant to
Requirement R6, to applicable government, provincial or law enforcement agencies and Registered Entities to enhance
and support situational awareness.”
No
ERCOT ISO recommends the use of “Registered Entity” in place of “Applicable Entity”. This would provide consistency
with other requirements and Attachment 1. Recommend the following changes to the subrequirements. “2.6. List of
external organizations to notify to include but not limited to NERC, Regional Entity, relevant entities within the
interconnection, Law Enforcement, and Governmental or Provincial Agencies.” “2.7. Process for updating the Operating
Plan within 30 days of any changes not of an administrative nature. This includes updates to reflect any lessons
learned as a result of an exercise or actual event.” Remove requirement 2.8 and move content to requirement 2.7. “2.8.
Process for updating the Operating Plan within 30 days of publication the NERC annual report of lessons learned.” Add
“2.9. Process to ensure updates are communicated to personnel responsible for under the Operating Plan within 30
days of the change being completed.”
No
ERCOT ISO recommends the use of “Registered Entity” in place of “Applicable Entity”. This would provide consistency
with other requirements and Attachment 1. The measure for this requirement notes the obligation for “documentation”.
This is not addressed in the requirement. The measure also notes “on its Facilities”. This clarification of scope should
be addressed in the requirement. R3. Each Registered Entity shall identify, assess, and document initial probable
cause of impact events on its Facilities listed in Attachment 1.
No
ERCOT ISO believes that a drill or exercise of its Operating Plan is unnecessary. The intent of the drill can be
addressed within the training requirements under R5.
Yes
ERCOT ISO believes the content of training can include an exercise or drill.
No
ISO recommends the following changes to the language of the requirement. R6. Each Applicable Entity shall report
impact events in accordance with Attachment 1.
No
Recommend that the Electric Reliability Organization be removed. The Electric Reliability Organization should not be
responsible for reliability functions and therefore should be excluded from reliability standards.
No
ERCOT ISO requests the reporting timeframes be changed to reflect a 24 hour requirement for all events in
Attachment 1. During an impact event, operating personnel are generally involved in event resolution and not available
immediately to submit reports. ERCOT ISO requests that the “Detection of a cyber intrusion to a critical cyber asset” be
removed. There are established processes defined for incident response supporting CIP-008. By including this element
in Attachment 1, the Operating requirement R2 would also require procedure documents for cyber security incident
response. This would be redundant and would remove the responsibility away from the subject matter experts for cyber
security incident response.
No
ERCOT ISO requests the use of a single report format to meet all requirements from NERC and DOE. There is no
value added in requiring different reporting to different agencies.
No
Yes
Yes
Yes
ERCOT ISO supports the comments provided by the SRC. However, if the standard is to be established, ERCOT ISO
has offered the comments contained herein as improvements to the requirements proposed. The requirements listed
do not take into consideration the hierarchical reporting necessary for events (i.e.: GO to GOP to BA). The current
structure will lead to redundant and conflicting reporting from multiple entities. This will lead to confusion in the analysis
of the event. Any system developed and used to report impact events must include notification to the other relevant
entities (i.e.: Reliability Coordinator, Balancing Authority, Transmission Operator, and Generator Operator). The
proposed standard should not rely on a centralized system that does not follow the established hierarchy of
dissemination of information.
Individual
Terry Harbour
MidAmerican Energy
Yes
No
While we agree with the list of functional entities identified in the Applicability Section, we do not agree with their
application in Attachment 1. As the functional entities are identified in Attachment 1, there is likely going to be duplicate
reporting. Why should both the RC and BA submit a report for an energy emergency requiring public appeals?
No
No
R2 and R5 coupled with R8 will drive quarterly updates (in addition to drills, etc) and training to the literally hundreds to
thousands of people per company for the proper internal operating personnel and management will actually hurt the
development of a culture of compliance by overwhelming personnel with constant plan changes and training. The
standards drafting team should remove all 30 day references or provide the technical basis of why revising plans and
training to “changes and lessons learned” quarterly all within 30 days is the right use of reliability resources to improve
the grid. The addition of the 30 day constraints and new vague criteria in Attachment one such as “damage to a BES
element through an external cause” or “transmission loss of multiple BES elements which could mean two or more” is
the opposite of clear standards writing or results based standards. We disagree with requiring an Operating Plan for
identifying, assessing, and reporting impact events. This is an administrative requirement that has no clear reliability
benefit. Furthermore, it is questionable that event reporting even meets the basic definition of an Operating Plan. Per
the NERC glossary of terms, Operating Plans contain Operating Procedures or Operating Processes which encompass
taking action real-time on the BES not reporting on it. As detailed in R2, the Operating Plan shall contain provisions for
“identifying, assessing, and reporting impact events”. R2.8, and R2.9 do not have a correlation to R2’s Operating Plan.
Where, R2.7 states to update the Operating Plan when there is a component change, the components of this Operating
Plan are only 1) identifying impact events, 2) assessing impact events, and 3) reporting impact events. R2.8 and R2.9
are based on Lessons Learned (from internal and external sources) and do not fit in the components of an entity’s
Operating Plan. R2.7 requires the Operating Plan to be updated. As written, every memo, simulations, blog, etc that
contain the words “lessons learned” would be required to be in your Operating Plan. It is solely up to an entity to
implement a “Lesson Learned” and not the place for this SDT to require an Operating Plan to contain Lessons Learned.
Recommend that R2.8 and R2.9 be deleted for this requirement. If R2.8 and R2.9 are not removed, R5.3 will be in a
constant state of change. In R2.8 & R2.9, it may be difficult to implement lessons learned within 30 days. The NSRS
recommends to incorporate lessons learned within 12 calendar months if lessons learned are not deleted from the R2.8
& R2.9.
No
No
No
R5.2. The NSRS agrees that to enhance reliability and situational awareness of the BES, the Operating Plan be
trained once per calendar year. R5.3 As detailed in R2, the Operating Plan shall contain provisions for “identifying,
assessing, and reporting impact events”. Where, R2.7 states to update the Operating We disagree with the need to
provide formal training. We could agree with the need to communicate to System Operators and other pertinent
personnel the criteria for reporting so that they know when system events need to be reported.
No
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is not
reasonable as an entity may still be dealing with the event. This will be particularly difficult when support personnel are not
present such as during nights, holidays and weekends.
Yes
No
New vague criteria in Attachment one such as “damage to a BES element through and external cause” or “transmission
loss of multiple BES elements which could mean two or more” is the opposite of clear standards writing or results
based standards.
No
Yes
Yes
Yes
Yes
This entire standard needs to be revised to consider a results based standard.
Individual
Michael Gammon
Kansas City Power & Light
Yes
Yes
Consideration should be given to the need for a preliminary impact event report to be filed by the Reliability Coordinator
and the Registered Entity. If two reports should be filed, should they both contain the same information?
Yes
Although we support situational awareness for the other registered entities, impact event reports should be distributed
anonymously to communicate the information while protecting the registered entity.
No
We agree with the rationale for R8 requiring NERC to analyze Impact Events that are reported through R6 and publish
a report that includes lessons learned but disagree with R2.9 obligating an entity to update its Operating Plan based on
applicable lessons learned from the report. Whether lessons learned are applicable to an entity is subjective. If an
update based on lessons learned from an annual NERC report is required, the requirement should clearly state the
necessity of the update is determined by the entity and the entity’s Reliability Coordinator or NERC can not make that
determination then find the entity in violation of the requirement. In addition, if an update based on lessons learned
from a NERC report is required, NERC should publish the year-end report (R8) on approximately the same day
annually (i.e. January 31) and allow an entity at least 60 days to analyze the report and incorporate any changes it
deems necessary in its Operating Plan. In addition, the language using quarterly and annual as a requirements
between R2.9 and R8 is confusing.
No
We believe R3 and M3 are unnecessary as a stand alone requirement and measure and propose combining this
requirement and measure with R6 and M6. Identifying and assessing the initial probable cause of an impact event is
the obvious starting point in the reporting process and ultimate completion of the required report. Evidence to support
the identification and assessment of the impact event and evidence to support the completion and submittal of the
report are really one and the same.
No
We believe R4 and M4 are clearly unnecessary. Thoughtful preparation of an Operating Plan per R2 that specifically
addresses personnel responsibilities and appropriate evidence gathering combined with the training requirement in R5
is sufficient.
No
We agree with the need for the Operating plan and the provision of formal training to impacted personnel. We believe
that the personnel references are too open-ended to be productive and measurable. This leaves all applicable entities
open to subjectivity in assessment and may produce a large administrative burden to demonstrate compliance with no
associated benefit to improved reliability.
No
We believe R3 and M3 are unnecessary as a stand alone requirement and measure and propose combining these
requirements with R6 and M6. Identifying and assessing the initial probable cause of an impact event is the obvious
starting point in the reporting process and ultimate completion of the required report. Evidence to support the
identification and assessment of the impact event and evidence to support the completion and submittal of the report
are really one and the same.
No
We agree with the rationale for R8 requiring NERC to analyze Impact Events that are reported through R6 and publish
a report that includes lessons learned but disagree with R2.9 obligating an entity to update its Operating Plan based on
applicable lessons learned from the report. Whether lessons learned are applicable to an entity is subjective. If an
update based on lessons learned from an annual NERC report is required, the requirement should clearly state the
necessity of the update is determined by the entity and the entity’s Reliability Coordinator or NERC can not make that
determination then find the entity in violation of the requirement. In addition, if an update based on lessons learned
from a NERC report is required, NERC should publish the year-end report (R8) on approximately the same day
annually (i.e. January 31) and allow an entity at least 60 days to analyze the report and incorporate any changes it
deems necessary in its Operating Plan. Again, the language referencing annual and quarterly in these two
requirements is confusing.
No
We agree with the event descriptions listed in Attachment 1 and the review and revision of the impact table by the ERO
is appropriately addressed in R7 but the time periods allowed to complete the new, longer preliminary report is
insufficient. The correlation of this with the timing of the reporting quarterly and annually or pushing information for
other entities' situational awareness does not allow the registered entity adequate time to thoughtfully consider the
event and proposed root cause.
No
For easier classification and analysis of events for both external reporting to the ERO and internal reporting for the
applicable entity, the form should include Event Type. The DSR SDT should code each event type and include the
codes as part of Attachment 1.
Yes
Should the word disturbance be removed from the title of EOP004-2 to avoid confusion and simply be called Impact
Event and Assessment, Analysis and Reporting?
Yes
No
April 2011 is too soon for considerations applicable to the creation of an Operating Plan.
Yes
The standard addressed a preliminary report; it should also address the requirements of a final report.
Group
Southern Company - Transmission
J T Wood
No
We find it interesting that the ERO is listed as an applicable entity. The ERO is responsible for multiple requirements in
this standard that shapes the ultimate actual rules that the other applicable entities would be required to meet. Can the
NERC/ERO be accountable for a feedback loop to the industry? Feedback is preferable but would NERC/ERO self-report a violation to the requirement?
Yes
We do have one concern in that we are hopeful that NERC will develop a system that will allow a one stop shop of
reporting.
No
The Operating Plan has a different connotation for different operations folks. We suggest that we call it an Impact Event
Reporting Plan.
Yes
Yes
No
We suggest that the time frame be changed to 60 or 90 days in 5.3. 5.4 needs to have a time frame associated with it;
we suggest that it be 60 or 90 days.
No
The time to submit report column needs to be more flexible with time frames.
Yes
No
The time to submit report column needs to be more flexible with time frames. The Entity with Reporting Responsibility
column needs to be more descriptive in which there are multiple entities with hierarchy reporting.
Yes
Yes
Yes
Yes
Yes
The only concern that we have with the proposed standard is that it feels like it is creating dual, not quite redundant,
reporting requirements for cyber intrusions in concert with CIP-008. Hopefully, there will not have to be a redundant
reporting requirement if we continue to merge efforts with the CIP Drafting Team. Since we will no longer use the word
SABOTAGE in the new EOP-004, we are hoping the industry and the CIP Drafting Team will give us the criteria they
wish for us to use in order to report CIP-008 incidents. We will then achieve a “ONE STOP SHOP” reporting standard.
Individual
Ron Gunderson
Nebraska Public Power District
No
The background states there is no real-time reporting requirement in this standard, but the purpose states a purpose is
for situational awareness. This implies real-time reporting. The purpose clearly identify the standard is for after the fact
reporting to permit analysis of events, trend data, and identify lessons learned.
Yes
Yes
Yes
No
Since the reporting under this standard is for after the fact reporting, the minimum time to report should be the end of
the next business day. The combination of the extremely short time periods to file a report and the amount of detail
required in attachment 2 will lead to a reduction in the reliability of the BES. System Operators will be forced to take
focus off their primary responsibility to respond to the event in order to complete the report within the required
timeframe (within an hour for some events). During non-business hours the only personnel available to complete the
reports will be those responsible for real-time operation of the BES. Since the background indicates this standard is
only for after the fact reporting, the minimum required time to submit the report should be one business day to permit
completion of the report without distracting from the real-time operation of the BES. Real-time reporting requirements
are covered in other standards and should be to the Reliability Coordinator and from the Reliability Coordinator to
NERC. For after the fact reporting, there is absolutely no reliability benefit for requiring reporting to be completed on
such a short timeframe. This is especially true due to the amount of data required by Attachment 2.
No
If the standard requires submission of the report within an hour (which is not appropriate), there must be an
abbreviated form that can be quickly filled out by checking boxes and not require substantial narrative. The existing
form has too much free form text that takes time to enter and with the short timeframe for reporting will distract the
entities responsible for real-time reliability of the BES from that task by forcing them to complete after the fact reports. It
is unrealistic to expect entities to staff personnel to complete the reporting 24 x 7 for unlikely events, so the task will fall
to System Operators who should be focusing on operating the BES at the time of these events instead of providing
after the fact reporting to entities that do not have responsibility for real-time operation of the BES. Real-time reporting
to the RC and/or BA is covered under other standards and is necessary for the RC to have situational awareness, but
is not covered under this standard. The registered entities may report to the proper law enforcement entities when the
situation warrants, but again this form is not the appropriate way to handle that reporting requirement.
Yes
I agree there is a lot of interpretation and confusion as to what sabotage or a Cyber Incident is, so would welcome
better clarity. Whether “impact events” can more effectively clarify, is yet to be seen. “it will be easier to get the relevant
information for mitigation, awareness, and tracking, while removing the distracting element of motivation.” “An impact
event is any situation that has the potential to significantly impact the reliability of the Bulk Electric System. Such events
may originate from malicious intent, accidental behavior, or natural occurrences.” I do know that Cyber Sabotage may
take time or days to become aware so not sure how that might expedite reporting and awareness.
Yes
Appears they only changed R1 for CIP-001 and moving R2-R4 directly over to EOP-004-2. R1 adds much more detail
on our part for a company operating plan but would definitely help some of the present confusion.
Individual
Dan Rochester
Independent Electricity System Operator
No
(1) Our understanding of the proposed revision as conveyed in the SAR was to provide clarity and reduce redundancy
on reporting the latest and even on-going events on the system that may be caused by system changes and/or
sabotage. The intent is to ensure the proper authorities are informed of such events so that they may take appropriate
and necessary actions to identify causes and/or mitigate or limit the extent of interruptions. We also supported a
suggestion in the SAR to assess the merit of merging CIP-001 and EOP-004 to remove redundancy, although we
suggested that this should not be a presumption when revising the standard(s). This posting appears to indicate that
only EOP-004 will be revised at this time, and CIP-001 which deals with sabotage reporting will remain in effect. With
this assumption, the proposed standard appears to contain a mixture of reporting two types of events of different time
frame – the first type being those events that need to be reported soon or immediately after they occur (e.g. impact
events that appear to be the result of a sabotage) with an aim to curb/contain these events by the appropriate
authorities; the second type being the events that can be reported sometime well after the fact, e.g. system
disturbances due to weather or switching or other known causes that are not of malicious nature. Combining the two
types of requirement does not appear to be clearly conveyed in the SAR. We therefore suggest the SDT review the
main purpose and content in the proposed EOP-004 to ensure consistency with the SAR, and in relation to the purpose
and requirements already contained in CIP-004. (2) With respect to disseminating reports and related information after
the fact, we wonder if a data collection process, such as RoP 1900, can serve the purpose without having to create a
standard or a requirement to achieve this. (3) Most of the requirements appear to be administrative in nature and they
stipulate the how but not the what, which in our view does not conform with the Results-based standard concept and
does not rise to the level of a reliability standard. (4) A number of requirements proposed in the draft standard are quite
vague and cannot be measured. Details of this assessment are provided below.
No
We do not agree with the inclusion of TO and GO. They are not operating entities and do not need to collect or provide
information pertaining to impact events, which are the results and phenomena observed under operating conditions in
the operation horizon, and such information collection and provision are the responsibility of the TOP and GOP.
No
R1 does not directly convey the need for reporting. The requirement could be written to require the responsible entities
to report impact events to the ERO using a process to be described in the standard and according to a set of reporting
criteria. Whether or not there is a “system” makes little difference if it complies with the requirement to provide the
reports on time. In addition, an ERO established system which, without being included in the standard and posted for
public comment and eventually balloted, may not be acceptable to the entities that are responsible for reporting to the
ERO. Further, a reliability standard should not need to bother with how the ERO disseminates this information to
applicable government, provincial or law enforcement agencies. This is the obligation of the ERO and if required, can
be included in the Rules of Procedure.
No
R2 is not needed. An entity does not need to have an “operating plan” to identify and report on impact events; it needs
only to report on the events listed in Attachment 1 in a form depicted in Attachment 2. How does the entity do this, and
whether or not an operating plan is in place, or whether its staff is trained to provide the report should not need to be
included in a reliability standard for so long as the responsible entity provides the report in the required form on time. If
the responsible entity fails to report the listed events in the depicted format, it will be found non-compliant, and that’s it
– no more and no less. If the “operating plan” really means an established data collection and reporting procedure, then
the requirement should be revised to more clearly convey the intent.
No
We agree that the responsible entity needs to identify and assess initial probable cause of impact events but not in
accordance with any operating plan in R2. Each operating entity (RC, BA, TOP) has an inherent responsibility to
identify the cause of any system events to ensure it complies with a number of related operational standards. R3, in
fact, could be revised to require the Responsible Entity to include the probable cause of impact events in its report,
rather than asking it to “identify and assess” since this is not measurable. Also, the ERO may be removed from the
Applicability Section depending on the response to our comments under Q9.
No
Along the line of our comments on R2 for an operating plan (whose need we do not agree with), a drill, exercise, or
Real-time implementation of the Operating Plan for reporting is also not necessary.
No
Along the line of our comments on R2 for an Operating Plan (whose need we do not agree with), any training on
developing and providing the report is unnecessary. What matters is that the report is provided to the needed
organizations or entities on time and in the required format according to established procedure. How this is
accomplished goes outside of the purpose of reliability standard requirements.
No
We agree with having a requirement to report impact events in accordance with the timelines outlined in Attachment 1,
but not with the requirements indicated in R2.
No
We agree with the need to update the list as needed, but it does not have to be the ERO who takes on a reliability
standard to do so. It can simply be an annual project in the standards development work plan to review Attachment 1
as part of a standard. The industry will then be provided an opportunity to weigh on the changes. Also, we do not see
the reliability results or benefits of R8. The ERO can issue the report quarterly but who are audiences? What reliability
purpose does it serve if no further actions are pursued upon receiving the report? Can this be done as a standing item
for the ERO at, say, the BoT meeting? Or, can this be a part of the quarterly communication from the ERO to the
industry? To make this a reliability standard is an over-kill, and does not conform with the results-based standard
concept. From our perspective, both R7 and R8 can be removed, and the ERO can be removed from the Applicability
Section as well.
No
We do not support the 1 hour reporting time frames for Emergency Energy, System Separation, unplanned Control
Center evacuation, Loss of off-site power, Loss of monitoring or voice communication. Energy emergency is broadcast
on the RCIS which also goes to the ERO so its explicit reporting is not necessary (System Operations please verify).
During other events listed above, the responsible entities will likely be concentrating their effort in returning the system to
a stable and reliable state. Reporting to anyone not having direct actions to control, mitigate and contain the
disturbances is secondary to restoring the system to a reliable state. Since these are after the fact reports for
awareness and/or analysis and not for real-time responses, these can be reported at a later time, up to 24 hours after
the initial occurrence without any detriment to reliability, or at the very earliest: up to 1 hour after the system has
returned to a reliable state, or after the backup control centre is fully functional, or after backup power is restored to the
nuclear power plant, or after monitoring or voice communication is restored.
TBD
We do not have a view on what name is assigned to the reportable events for so long they are listed in Attachment 1.
However, the heading of the Table contains the words “Actual Reliability Impact”, which does not accurately reflect the
content inside the table and which may introduce confusion with the term “impact event”. We suggest to change them
to “Reportable Impact Events”. As we read the Summary of Concept and Assumption, there appears to be a slightly
different lists at the bottom of P. 21. With these events included, the meaning of “impact event” would seem to be too
broad. Rather than calling those events listed in Attachment 1 “impact events”, why not simply call them “reportable
events”?
No
We do not agree with the mapping. The proposed mapping attempts to merge the reporting in CIP-001-1 which has
more of an on-going awareness nature to alert operating and government authorities of suspected sabotage to prompt
investigation with a possible aim to identify the cause and develop remedies to curb the sabotage/events. The
proposed EOP-004-2 appears to be more of a post-event reporting for need-to-know purpose only. This is not
consistent with the purpose of the SAR.
We do not agree with the proposed standard. We therefore are unable to agree on any implementation plan.
No
Individual
Catherine Koch
Puget Sound Energy
Yes
However, further definition of "known causes" would be helpful as sometimes the root cause analysis doesn't uncover
the actual cause for some time after the timeframes outlined in Attachment 1.
Yes
No
The language of R1 and M1 does not support the DSR SDT’s goal of having a single form and system for reporting.
The standard should specify the form and system rather than deferring that decision to the ERO. The language of R1
and M1 leaves the form and system to the ERO’s discretion, which could lead to multiple forms and frequent revisions
to them. This would lead to difficulties in tracking the reporting requirements. In addition, it is impossible to comment
intelligently regarding the overall impact of the proposed standard and its requirements and measures without the
reporting form and system being specified in the standard.
No
While the concept of an operating plan is reasonable, the requirements for update in sections 2.7, 2.8 and 2.9 will lead
to an immense amount of work for the entities subject to the standard. In addition, constant revisions to the operating
plan makes it difficult to cement a habit through this procedure. The proposed update schedule does not strike the
appropriate balance between the need to respond to lessons learned and the value of plan continuity.
Yes
However, this requirement doesn't address the timing required for this analysis. This may be intentional and
appreciated because at times the analysis can take months when the events are complex in nature.
Yes
No
The fact that proposed requirement R2 will require frequent updates to the operating plan means that the training
required under this plan will occur quite frequently as well, leading to operator confusion. Even the comment allowing a
review and “sign-off” will not completely mitigate this result.
Yes
It is assumed that for the purposes of M6, NERC and the regions would already have access to these reports.
No
This is adequately covered by section 802 of the Rules of Procedure. There seems to be some conflict between R2.9
and R8 regarding timeframes and the specific elements required.
No
The proposed standard does not adequately ensure that the impact events subject to its requirements are limited to
those listed in Attachment 1. In order to ensure that this is true, the term “impact event” should be a defined term and
that definition should clearly limit impact events to those listed in Attachment 1.
No
Attachment 2 is not referenced in the requirements of the proposed standard. As a result, it is not clear when its
submission would be required.
No
With some of the tight timeframes for reporting, it is reasonable to focus on impact rather than motivation. Requiring
further analysis of the event in order to assess the possibility that the event was caused by sabotage, however, may be
necessary to address FERC’s concerns with respect to sabotage.
Yes
No
There are no effective dates listed in the proposed standard. The proposed effective date should allow at least one
year for entities to implement the requirements of the standard. In addition, if requirement R1 remains, then the
requirement to implement an operating plan should only be triggered by the ERO’s finalization of the form and system
for reporting impact events and should provide at least six months for the implementation of the operating plan.
Yes
The DSR SDT’s concepts for implementing a new structure for reporting are appropriate. Proper implementation of
those concepts is likely to result in a very much improved standard. However, the proposed standard falls well short of
implementing the concepts and is not much of an improvement on the current standard.
Group
Midwest ISO Standards Collaborators
Jason L. Marshall
Yes
No
While we agree with the list of functional entities identified in the Applicability Section, we do not agree with their
application in Attachment 1. As the functional entities are identified in Attachment 1, there is likely going to be duplicate
reporting. Why should both the RC and BA submit a report for an energy emergency requiring public appeals?
Yes
No
We disagree with requiring an Operating Plan for identifying, assessing, and reporting impact events. This is an
administrative requirement that has no clear reliability benefit. Furthermore, it is questionable that event reporting even
meets the basic definition of an Operating Plan. Per the NERC glossary of terms, Operating Plans contain Operating
Procedures or Operating Processes which encompass taking action real-time on the BES not reporting on it. What is
an impact event? It appears that this undefined, ambiguous term was substituted for sabotage which is also undefined
and ambiguous. One of the SAR’s stated goals was to “provide clarity on sabotage events”. This does not provide
clarity.
No
While we agree that it makes sense to report on the cause of an event, we disagree with the need for an Operating
Plan as identified in R2.
No
We disagree with the need to conduct a drill for reporting.
No
We disagree with the need to provide formal training. We could agree with the need to communicate to System
Operators and other pertinent personnel the criteria for reporting so that they know when system events need to be
reported.
No
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is not
reasonable as an entity may still be dealing with the event. This will be particularly difficult when support personnel are not
present such as during nights, holidays and weekends.
No
We do not agree with the requirements and we do not believe it is adequately covered in section 802. First, section 802
deals with assessments not event reporting. Secondly, since attachment 1 is part of a standard, it should not be
modified outside of the Reliability Standards Development process.
No
Several categories require duplicate reporting. For instance, the first three categories regarding energy emergencies
could be interpreted to require the BA and RC to both report. The reporting responsibilities in this table should be
clarified based on who has primary reporting responsibility for the task per the NERC Functional Model and require
only one report. For instance, since balancing load, generation and interchange is the primary function of a BA per the
NERC Functional Model, only the BA should be required to provide this report. As another option, perhaps the
registered entity initiating the action should submit the report. If the BA did not take action and the RC had to direct the
BA to take action, one could argue that perhaps the RC should submit the report then. However, if the BA takes action
appropriately on their own, the BA should submit it. If the TOP reduces voltage for a capacity and energy emergency
per a directive of the BA, then the BA should report the event.
No
This form differs from the DOE reporting forms. We do not believe different reporting forms should be required. The
DOE form should be sufficient for NERC reporting. It is not clear what benefit providing the Compliance Registration ID
number provides. Many of the registered entities’ employees that will likely have to submit the report, particularly given
the one-hour reporting requirement for some impact events, will not be aware of this registration ID. However, they will
know for what functions they are registered. We recommend removing the need to enter this compliance registration ID
or extending the time frame for reporting to allow back office personnel to complete the form. For item two, please
change “Time/Zone:” with “Time (include time zone)”. As written it is a little confusing.
No
We believe the SAR scope regarding addressing sabotage has not been addressed at all. It appears that impact event
essentially replaces sabotage. This standard needs to make it clear that sabotage, in some cases, cannot be identified
until an investigation is performed by the appropriate policing agencies such as the FBI. Intent plays an important role
in determining sabotage and only these agencies are equipped to make these assessments.
No
It appears that all requirements have been addressed from the existing standards. However, we believe there is a
reliability gap that continues from the existing standards because sabotage is not defined any better than in the existing
standards.
Yes
Yes
We are concerned with the Future Development Plan. It shows an initial ballot period starting in December. This
standard has significant issues and will need another distinct comment period (and not the formal comment period in
parallel with balloting) prior to balloting.
Group
IRC Standards Review Committee
Ben Li
No
The proposed requirements in the standard are not focused on the core industry concern that current requirements are
unclear as to what types of events warrant entities to report. Per draft 2 of the SAR, “The existing requirements need to
be revised to be more specific – and there needs to be more clarity in what sabotage looks like.” Instead this proposed
standard includes requirements that are more focused on “how” to report, rather than “what” to report. The SAR states
that: “The development may include other improvements to the standards deemed appropriate by the drafting team,
with consensus on the stakeholders (emphasis added), consistent with establishing high quality, enforceable and
technically sufficient bulk power system reliability standards.” The SRC believes the scope of the SAR, and likewise the
proposed standard, is inappropriate to the fundamental reliability purpose of what events need to be reported. The
proposed administrative requirements are difficult to interpret, implement and measure, and do not clarify what type of
sabotage information entities need to report. Although the use of procedures and an understanding by those personnel
accountable seem helpful for ensuring reports are made, the fundamental purpose of clarifying what types of events
should be reported and more importantly what types do not have to be reported, is lacking in the standard. Also, one of
the first issues identified in the SAR for consideration by the drafting team seems to be ignored, “Consider whether
separate, less burdensome requirements for smaller entities may be appropriate.” The requirements for entities to
develop Operating Plans and to have training for those plans further add uncertainty and increase the complexity of how
entities, large and small, will have to comply with this standard.
No
Entities that have information about possible sabotage events should report these to NERC after the fact and the
standard should simply reflect that. While we agree with the list of functional entities identified in the Applicability
Section, we do not agree with their application in Attachment 1. As the functional entities are identified in Attachment 1,
there is likely going to be duplicate reporting. Why should both the RC and BA submit a report for an EEA for example?
Yes
Note that ERCOT does not sign on to this particular comment.
No
The SRC suggests that this is not, in fact, an Operating Plan. At most, it may be a reporting plan or reporting
procedure. Most of these requirements are administrative and procedural in nature and, therefore, do not belong as
requirements in a Reliability Standard. Perhaps they could be characterized as a best practice and have an associated
set of Guidelines developed and posted on the subject. As proposed, the Operating Plan is not required to ensure bulk
power reliability. As stated in the purpose of this standard, it does not cover any real-time operating notifications for the
types of events covered by CIP-001, EOP-004. The Operating Plan requirements as proposed seem only to be suitable
for real-time notifications. Since these incidents are meant to be reportable after-the-fact, familiarity with the reporting
requirements and time frames is sufficient. Unlike the real-time operating notifications which have relatively short
reporting time frames, there is sufficient time for personnel to make appropriate communications within their
organizations to make timely after the fact reports under NERC Section 1600 authority. Would it be feasible for NERC
to issue a standing requirement for timely after-the-fact reports under NERC Section 1600 authority?
No
Although it is useful for entities to make an initial assessment of a probable cause of an event, this requirement should
stand alone and does not need to be tied to requirement R2, Operating Plan. Quite often, it takes quite some time for
an actual cause to be determined. The determination process may require a root cause analysis of some complexity.
Further, in the case of suspected or potential sabotage, the industry can only say it doesn’t know, but it may be
possible. It really is the law enforcement agencies who make the determination of whether sabotage is involved and the
info may not be made available until an investigation is completed, if indeed it is ever made available.
No
Similar to our comments on R2 for an Operating Plan, a drill, exercise, or Real-time implementation of its Operating
Plan for reporting is unnecessary. Such things are really training practices. There are already existing standards
requirements regarding training. There is no imminent threat to reliability that requires these events to be reported in a
short time frame as may be required for real-time operating notifications.
No
We do not agree with the need for R5. We do not see the need for a standard requirement that stipulates training the
personnel on reporting events. What matters is that the reports are provided to the needed organizations or entities on
time and in the required format according to established procedure. Stipulating a training requirement to achieve this
reporting is micro-managing and overly prescriptive.
No
There is not a need for an Operating Plan as proposed. This is not truly an Operating Plan. There are already other
standards which create the requirements for an Operating Plan. This is an administrative reporting plan and any
associated impact upon reliability is far beyond real-time operations.
No
We do not support an annual time frame to update the events list. The list should be updated as needed through the
Reliability Standards Development Process. Any changes to a standard must be made through the standards
development process, and may not be done at the direction of the ERO without going through the process.
No
We do not agree with the requirement to report “detection of a cyber intrusion to critical cyber assets” as this creates a
double jeopardy situation between CIP-008 and EOP-004-2 R2.6. We suggest that physical incident reporting be part
of EOP-004 and cyber security reporting be part of CIP-008.
No
Attachment 2 is not referenced in the standard requirements. Is it a part of the standard that an entity must use to file
the impact event reports to a specific recipient? If so, this needs to be referenced in the standard. We question the need
for using a fixed format for reports that vary from “shedding firm load” to “damaging equipment”. The nature of impact
events varies from one event to another and hence a fixed format or pre-determined form may not be able to provide
the appropriate template that is suitable for use for all events. We urge the SDT to reconsider the use of Attachment 2
for reporting events, with due consideration to the actual intent of the standard (as pointed out in our comments under
Q1).
No
This term and the FERC directive do not recognize limitations in what a registered entity can do to determine whether
an act of sabotage has been committed. This term should recognize law enforcement’s and other specialized
agencies’, including international agencies’, role in defining acts of sabotage and not hold the registered entity wholly
responsible to do so.
No
If the training and Operation Plan requirements are adopted as proposed, this may not be sufficient time for some
entities to comply, particularly those that have a limited number of staff but perform functions that have multiple event reporting
requirements.
No
The standards should be changed to define what a “disturbance” is for reporting in EOP-004. Also, sabotage reporting
requirements in CIP-001 should be rescinded as EOP-004 already has such requirements.
Consideration of Comments on Disturbance & Sabotage Reporting— Project 2009-01
Consideration of Comments on Disturbance and Sabotage Reporting —
Project 2009-01
The Disturbance and Sabotage Reporting Drafting Team thanks all commenters who submitted
comments on its preliminary draft of EOP-004-2 – Impact Event and Disturbance Assessment,
Analysis, and Reporting. This standard was posted for a 30-day informal comment period from
September 15, 2010 through October 15, 2010. Stakeholders were asked to provide feedback
on the standard through a special Electronic Comment Form. There were 60 sets of comments,
including comments from more than 175 different people from approximately 100 companies
representing 9 of the 10 Industry Segments as shown in the table on the following pages.
In this report, the comments have been sorted by question number so that it is easier to see
where there is consensus. The comments are posted in their original format on the following
project page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Based on stakeholder comments, and also on the results of the observations made by the
Quality Review team, the drafting team made the following significant changes to the standard
following the posting period that ended on October 15, 2011.
Scope: A common thread through most of the comments was that the DSR SDT went beyond
the reliability intent of the standard (reporting) and concentrated too much on the analysis of
the event. The DSR SDT agrees with this response, and revised the purpose as follows:
Original Purpose: Responsible Entities shall report impact events and their known causes to
support situational awareness and the reliability of the Bulk Electric System (BES).
Revised Purpose: To improve industry awareness and the reliability of the Bulk Electric
System by requiring the reporting of Impact Events and their causes, if known, by the
Responsible Entities.
Definitions:
Impact Event: The DSR SDT had proposed a working definition for “impact events” to
support EOP-004 - Attachment 1 as follows:
“An impact event is any event that has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure or
mis-operation, environmental conditions, or human action.”
Many stakeholders indicated that the definition should be added to the NERC Glossary and
the DSR SDT adopted this suggestion.
The types of Impact Events that are required to be reported are contained within EOP-004 – Attachment 1. Only the events identified in EOP-004 – Attachment 1 are required to be
reported under this Standard.
Sabotage: FERC Order 693, paragraph 471 states in part: “. . . the Commission directs the
ERO to develop the following modifications to the Reliability Standard through the
Reliability Standards development process: (1) further define sabotage and provide
guidance as to the triggering events that would cause an entity to report a sabotage event.”
The DSR SDT made a conscious, deliberate decision to exclude a strict definition of sabotage
from this standard and sought stakeholder feedback on this issue. Some suggested
adopting the NRC definition of the term sabotage, and the DSR SDT did consider adopting
the NRC definition shown below but determined that the definition is too narrowly focused.
Any deliberate act directed against a plant or transport in which an activity licensed
pursuant to 10 CFR Part 73 of NRC's regulations is conducted or against a component of
such a plant or transport that could directly or indirectly endanger the public health and
safety by exposure to radiation.
Most respondents agreed that in order to be labeled as an act of sabotage, the intent of the
perpetrators must be known. The team felt that it was almost impossible to determine if an
act or event was that of sabotage or merely vandalism without the intervention of law
enforcement after the fact. This would result in further ambiguity with respect to reporting
events, and the timeline associated with the reporting requirements does not lend itself to
the in-depth analysis required to identify a disturbance (or potential disturbance) as
sabotage. The SDT felt that a likely consequence of having to meet this criterion, in the
time allotted, would be an under-reporting of events. Accordingly, all references to
sabotage have been deleted from the standard.
Instead, the SDT concentrated on providing clear guidance on the events that should trigger
a report. The SDT believes that this more than adequately meets the reliability intent of the
Commission as expressed in paragraph 471 of Order 693 in an equally efficient and effective
manner.
Situational Awareness versus Industry Awareness: Some commenters correctly pointed
out that “situational awareness” is a desirable by-product of an effective event reporting
system, and not the driver of that system. Accordingly, all references to “situational
awareness” have been deleted from the standard. The more generic “industry awareness”
has been substituted where appropriate.
Applicability:
The DSR SDT had protracted discussions on the applicability of this standard to the LSE. Per the
Functional Model, the LSE does not own assets and therefore should not be an applicable entity
(no equipment that could experience a “disturbance”). However, the Registry Criteria contains
language that could imply that the LSE does own assets, or is at least responsible for assets. In
addition, the DSR SDT modified Attachment 1 to include reporting of damage or destruction of
Critical Cyber Assets per CIP-002. The LSE, as well as the Interchange Authority and
Transmission Service Provider are applicable entities under CIP-002 and should be included for
Impact Events under EOP-004.
There were several comments that the asset owners (GO/TO) would be less likely than the
asset operators (GOP/TOP) to be aware of an impact event. The DSR SDT recognizes that this
may be true in some cases, but not all. In order to meet the reliability objectives of this
requirement, the applicability for GO/TO will remain as per Attachment 1.
March 7, 2011
Requirement R1:
Based on stakeholder comments, Requirement R1, which assigned the ERO the responsibility
for collecting and distributing impact event reports, was deleted. There was strong support for a
central system for receiving and distributing impact event reports (a/k/a one stop shopping).
There was general agreement that NERC was the most likely, logical entity to perform that
function. However, several respondents expressed their concern that the ERO could not be
compelled to do so by a requirement in a Reliability Standard (not a User, Owner or Operator of
the BES). In its own comments, NERC did not oppose the concept, but suggested that the
more appropriate place to assign this responsibility would be the NERC Rules of Procedure. The
DSR SDT concurs. The DSR SDT has removed the requirement from the standard and is
proposing to make revisions to the NERC Rules of Procedure as follows:
812. NERC will establish a system to collect impact event reports as established for this
section, from any Registered Entities, pertaining to data requirements identified in
Section 800 of this Procedure. Upon receipt of the submitted report, the system shall
then forward the report to the appropriate NERC departments, applicable regional
entities, other designated registered entities, and to appropriate governmental, law
enforcement, and regulatory agencies as necessary. These reports shall be forwarded
to the Federal Energy Regulatory Commission for impact events that occur in the United
States. The ERO shall solicit contact information from Registered Entities appropriate
governmental, law enforcement and regulatory agencies for distributing reports.
Requirement R2 (now R1 in the revised standard):
There were objections to the use of the term “Operating Plan” to describe the procedure to
identify and report the occurrence of a disturbance. The DSR SDT believes that the use of a
defined term is appropriate and has revised Requirement R1 to include Operating Plan,
Operating Process and Operating Procedure.
Many commenters felt that the requirements around updating the Operating Plan were too
prescriptive, and impossible to comply with during the time frame allowed. The DSR SDT
agrees, and Requirement R2, Parts 2.5 through 2.9 have been eliminated. They have been
replaced with Requirement R1, Part 1.4 to require updating the Impact Event Operating Plan
within 90 days of any change to content.
R1. Each Responsible Entity shall have an Impact Event Operating Plan that includes: [Violation
Risk: Factor Medium] [Time Horizon: Long-term Planning]:
1.1. An Operating Process for identifying Impact Events listed in Attachment 1.
1.2. An Operating Procedure for gathering information for Attachment 2 regarding
observed Impact Events listed in Attachment 1.
1.3. An Operating Process for communicating recognized Impact Events to the following:
1.3.1 Internal company personnel notification(s).
1.3.2. External organizations to notify to include but not limited to the Responsible
Entities’ Reliability Coordinator, NERC, Responsible Entities’ Regional Entity, Law
Enforcement, and Governmental or Provincial Agencies.
1.4. Provision(s) for updating the Impact Event Operating Plan within 90 days of any change
to its content.
Other requirements reference the Operating Plan as appropriate. The requirements of EOP-004-2 fit precisely into the definition of Operating Plan:
Operating Plan: A document that identifies a group of activities that may be used to
achieve some goal. An Operating Plan may contain Operating Procedures and Operating
Processes. A company-specific system restoration plan that includes an Operating
Procedure for black-starting units, Operating Processes for communicating restoration
progress with other entities, etc., is an example of an Operating Plan.
Requirement R3 (now R2 in the revised standard):
Requirement R3 has been re-written to exclude the requirement to “assess the initial probable
cause”. The only remaining reference to “cause” is in the Impact Event Reporting Form
(Attachment 2). Here, there is no longer a requirement to assess the probable cause. The
probable cause only needs to be identified, and only if it is known at the time of the submittal
of the report.
R2. Each Responsible Entity shall implement its Impact Event Operating Plan
documented in Requirement R1 for Impact Events listed in Attachment 1 (Parts A
and B). [Violation Risk: Factor Medium] [Time Horizon: Real-time Operations and
Same-day Operations]
Requirement R4 (now R3 in the revised standard):
The DSR SDT did a full review based on comments that were received. R3 is now streamlined
to read:
R3. Each Responsible Entity shall conduct a test of its Operating Process for
communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3
at least annually, with no more than 15 months between such tests.
The testing of the Operating Process for communicating recognized Impact Events (as stated in
R1) is the main component of this requirement. Several commenters provided input that too
much “how” was previously within R3 and the DSR SDT should only provide the “what”. The
DSR SDT did not provide any prescriptive guidance on how to accomplish the required testing
within the rewrite. Testing of the entity’s procedure (R1) could be by an actual exercise of the
process (testing as stated in FERC Order 693 section 471), a formal review process or real time
implementation of the procedure. The DSR SDT reviewed Order 693, and section 465 directs
that processes “verify that they achieve the desired result”. This is the basis of R3, above.
Requirement R5 (now R4 in the revised standard):
The DSR SDT did a full review based on comments that were received. The major issues that
were provided by commenters involved the inclusion of Requirement R5, Part 5.3 and Part 5.4.
5.3 If the Operating Plan is revised (with the exception of contact information revisions),
training shall be conducted within 30 days of the Operating Plan revisions.
5.4 For internal personnel added to the Operating Plan or those with revised
responsibilities under the Operating Plan, training shall be conducted prior to
assuming the responsibilities in the plan.
Upon detailed review the DSR SDT agrees with the majority of comments received regarding
Requirement R5, Parts 5.3 and 5.4 and has removed Parts 5.3 and 5.4 completely from the
Standard. Training is still the main theme of this requirement (now R4) as it pertains to the
personnel required to implement the Impact Event Operating Plan (R1).
R4 is now streamlined to read:
R4. Each Responsible Entity shall review its Impact Event Operating Plan with those
personnel who have responsibilities identified in that plan at least annually with no
more than 15 calendar months between review sessions.
Requirement R6 (now R5 in the revised standard):
The DSR SDT did a full review based on comments that were received. Many comments
received identified concerns on the reporting time lines within Attachment 1. Several
commenters wanted the ability to report impact events to their responsible parties via the DOE
Form OE-417. Upon discussions with the DOE and NERC, the DSR SDT has added the ability to
use the DOE Form OE-417 when the same or similar items are required to be reported to NERC
and the DOE. This will reduce the need to file multiple forms when the same or similar events
must be reported to the DOE and NERC. The reliability intent of reporting impact events within
prescribed guidelines, to provide industry awareness and to start any required analysis
processes, can be met without duplicate reporting. R5 is now streamlined to read:
R5. Each Responsible Entity shall report Impact Events in accordance with its Impact
Event Operating Plan pursuant to Requirement R1 and Attachment 1 using the form in
Attachment 2 or the DOE OE-417 reporting form.
Requirements R7 and R8:
The DSR SDT did a full review based on comments that were received. The DSR SDT has
determined that R7 and R8 are not required to be within a NERC Standard since Section 800 of
the Rules of Procedure already assigns this responsibility to NERC.
Attachment 1:
The DSR SDT did a full review based on comments that were received. The DSR SDT, the Events
Analysis Working Group (EAWG), and NERC Staff (to include NERC Senior VP and Chief Reliability
Officer) had an open discussion involving this topic. The EAWG and the DSR SDT aligned
Attachment 1 with the Event Analysis Program category 1 analysis responsibilities. This will
assure that impact events in EOP-004-2 reporting requirements are the starting vehicle for any
required Event Analysis within the NERC Event Analysis Program. The DSR SDT reviewed the
“hierarchy” of reporting within Attachment 1. To reduce multiple entities reporting the same
impact event, the DSR SDT has stated that the entity that performs the action or is directly
affected by an action will report per EOP-004-2. As an example, during a system emergency,
the TOP or RC may request manual load shedding by a DP or TOP. The DP or TOP would have
the responsibility to report the action that it took if it meets or exceeds the bright-line criteria
established in Attachment 1. Upon reporting, the NERC Event Analysis Program would be made
aware of the impact event and start the Event Analysis Process which is outside the scope of
this Standard. Several bright-line criteria were removed from Attachment 1. These criteria (DC
converter station, 5 generator outages, and frequency trigger limits) were removed after
discussions with the EAWG and NERC staff, who concurred that these items should be removed
from a reporting standard and analysis process.
Several respondents expressed concern that the reporting requirements were redundant. The
general sentiment was that unclear responsibility to report a disturbance could trigger a flood
of event reports. Attachment 1 has been modified to assign clear responsibility for reporting,
for each category of Impact Event.
Some commenters indicated a concern that the list of events in Attachment 1 isn’t as
comprehensive as the existing standard since the existing standard includes bomb threats and
observations of suspicious activities. Others commented that the impact event list should
include deliberate acts against infrastructure. The DSR SDT believes that “observation of
suspicious activity” and “bomb threats” are addressed in Attachment 1 Part B – “Risk to BES
equipment from a non-environmental physical threat”. The SDT has added the phrase, “and
report of suspicious device near BES equipment” to note 3 of the “Attachment 1, Potential
Reliability – Part B” for additional clarity.
Attachment 2:
The proposed Impact Event Report (Attachment 2) generated comments regarding the
duplicative nature of the form when compared to the OE-417. The DSR SDT has added language
to the proposed form to clarify that NERC will accept a DOE OE-417 form in lieu of Attachment
2 if the responsible entity is required to submit an OE-417 form.
In collaboration with the NERC Event Analysis Working Group (EAWG) the DSR SDT modified
the attachment to eliminate confusion. This revised form will be Attachment 2 of the Standard
and collects the only information required to be reported for EOP-004-2. Further information
may be requested through the Events Analysis Process (NERC Rules of Procedure), but the
collection of this information is outside of the scope of EOP-004.
The DSR SDT has also clarified the form’s purpose with the following addition to the form:
“This form is to be used to report impact events to the ERO.”
Other Standard Issues:
The DSR SDT proposed that combining EOP-004 and CIP-001 would not introduce a reliability
gap between the existing standards and the proposed standard, and the industry comments
received confirm this.
Several entities expressed their concern with the fact that Attachment 1 contained most of the
elements already called for in the OE-417. The DSR SDT agrees, and Attachment 1 part 1 has
been modified to even more closely mirror the Department of Energy’s OE-417 Emergency
Incident and Disturbance Report form. Additionally, the standard has been modified to allow
for the use of the OE-417.
There was some concern expressed that there could be confusion between the reporting
requirements in this standard, and those found in CIP-008. The DSR SDT agrees, and
Attachment 1 Part B, has been modified to provide the process for the reporting of a Cyber
Security Incident.
The DSR SDT also believes NERC’s additional concern about what data is applicable is addressed
by the revisions to Attachment 1, and the inclusion of the OE-417 as an acceptable interim
vehicle.
Implementation Plan:
The DSR SDT asked stakeholders to provide feedback on the proposed effective date which
provided entities at least a year following board approval of the standard. Most stakeholders
supported the one year minimum; however, based on the revisions made to the requirements,
the drafting team is now proposing that this time period be shortened to between six months
and nine months. The current CIP-001 plan is adequate for the new EOP-004 and training
should be met in the proposed timeline. Note that the Implementation Plan was developed for
the revised Requirements, which do not include an electronic “one-stop shopping” tool. The
tool for ‘one stop shopping’ will be addressed in the proposed revisions to the NERC Rules of
Procedure.
The industry commented on the need for e-mail addresses and fax numbers for back up
purposes. These details were added to the standard and the implementation plan.
The proposed ballot in December was incorrect and has been deleted from the future
development plan. The plan was updated with the correct project plan dates.
If you feel that your comment has been overlooked, please let us know immediately. Our goal is
to give every comment serious consideration in this process! If you feel there has been an error
or omission, you can contact the Vice President and Director of Standards, Herb Schrayshuen,
at 609-452-8060 or at herb.schrayshuen@nerc.net. In addition, there is a NERC Reliability
Standards Appeals Process. 1
1 The appeals process is in the Reliability Standards Development Procedures:
http://www.nerc.com/standards/newstandardsprocess.html.
Index to Questions, Comments, and Responses
1. Do you agree with the purpose statement of the proposed standard? Please explain in the comment box below.
2. Do you agree with the applicable entities in the Applicability Section as well as assignment of applicable entities noted in Attachment 1? Please explain in the comment box below.
3. Do you agree with the requirement R1 and measure M1? Please explain in the comment box below.
4. Do you agree with the requirement R2 and measure M2? Please explain in the comment box below.
5. Do you agree with the requirement R3 and measure M3? Please explain in the comment box below.
6. Do you agree with the requirement R4 and measure M4? Please explain in the comment box below.
7. Do you agree with the requirement R5 and measure M5? Please explain in the comment box below.
8. Do you agree with the requirement R6 and measure M6? Please explain in the comment box below.
9. Do you agree with the requirements for the ERO (R7-R8) or is this adequately covered in the Rules of Procedure (section 802)? Please explain in the comment box below.
10. Do you agree with the impact event list in Attachment 1? Please explain in the comment box below and provide suggestions for additions to the list of impact events.
11. Do you agree with the use of the Preliminary Impact Event Report (Attachment 2)?
12. The DSR SDT has replaced the terms “disturbance” and “sabotage” with the term “impact events”. Do you agree that the term “impact events” adequately replaces the terms “disturbance” and “sabotage” and addresses the FERC directive to “further define sabotage” in an equally efficient and effective manner? Please explain in the comment box below.
13. The DSR SDT has combined EOP-004 and CIP-001 into one standard (please review the mapping document that shows the translation of requirements from the already approved versions of CIP-001 and EOP-004 to the proposed EOP-004), EOP-004-3 and retiring CIP-001. Do you agree that there is no reliability gap between the existing standards and the proposed standard?
14. Do you agree with the proposed effective dates? Please explain in the comment box below.
15. Do you have any other comments that you have not identified above?
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Group/Individual
Commenter
Organization
Registered Ballot Body Segment
1
1.
Group
Guy Zito
Additional Member Additional Organization
2
3
4
5
6
7
Northeast Power Coordinating Council
Region
9
10
X
Segment
Selection
1.
Alan Adamson
New York State Reliability Council, LLC
NPCC
10
2.
Gregory Campoli
New York Independent System Operator
NPCC
2
3.
Kurtis Chong
Independent Electricity System Operator
NPCC
2
March 1, 2011
4. Sylvain Clermont | Hydro-Quebec TransEnergie | NPCC | 1
5. Chris de Graffenried | Consolidated Edison Co. of New York, Inc. | NPCC | 1
6. Gerry Dunbar | Northeast Power Coordinating Council | NPCC | 10
7. Dean Ellis | Dynegy Generation | NPCC | 5
8. Brian Evans-Mongeon | Utility Services | NPCC | 8
9. Mike Garton | Dominion Resources Services, Inc. | NPCC | 5
10. Brian L. Gooder | Ontario Power Generation Incorporated | NPCC | 5
11. Kathleen Goodman | ISO - New England | NPCC | 2
12. Chantel Haswell | FPL Group, Inc. | NPCC | 5
13. David Kiguel | Hydro One Networks Inc. | NPCC | 1
14. Michael R. Lombardi | Northeast Utilities | NPCC | 1
15. Randy MacDonald | New Brunswick System Operator | NPCC | 2
16. Bruce Metruck | New York Power Authority | NPCC | 6
17. Lee Pedowicz | Northeast Power Coordinating Council | NPCC | 10
18. Robert Pellegrini | The United Illuminating Company | NPCC | 1
19. Si Truc Phan | Hydro-Quebec TransEnergie | NPCC | 1
20. Saurabh Saksena | National Grid | NPCC | 1
21. Michael Schiavone | National Grid | NPCC | 1
22. Peter Yost | Consolidated Edison Co. of New York, Inc. | NPCC | 3
2. Group | Jim Case, SERC OC Chair | SERC OC Standards Review Group | X X
Additional Member | Additional Organization | Region | Segment Selection
1. Mike Garton | Dominion Virginia Power | SERC | 1, 3
2. Jim Griffith | Southern | SERC | 1, 3, 5
3. Vicky Budreau | Santee Cooper | SERC | 1, 3, 5, 9
4. Gerry Beckerle | Ameren | SERC | 1, 3
5. Eugens Warnecke | Ameren | SERC | 1, 3
6. Scott McGough | Oglethorpe Power | SERC | 5
7. John Neagle | AEC I | SERC | 1, 3, 5
8. Joel Wise | TVA | SERC | 1, 3, 5, 9
9. Jennifer Weber | TVA | SERC | 1, 3, 5, 9
10. Robert Thomasson | BREC | SERC | 1, 3, 5, 9
11. Derek Bleyle | SCE&G | SERC | 1, 3, 5
12. Gene Delk | SCE&G | SERC | 1, 3, 5
13. Dave Plauck | Calpine | SERC | 5
14. Tom Hanzlik | SCE&G | SERC | 1, 3, 5
15. Randy Castello | Mississippi Power | SERC | 1, 3, 5
16. Doug White | NCEMC | SERC | 1, 3, 5, 9
17. Randy Haynes | Alcoa | SERC | 1, 5
18. Joel Rogers | SMEPA | SERC | 1, 3, 5, 9
19. Mike Bryson | PJM | SERC | 2
20. Rick Meyers | EEI | SERC | 1, 5
21. Tim Hattaway | PowerSouth | SERC | 1, 3, 5, 9
22. Barry Warner | EKPC | SERC | 1, 3, 5, 9
23. Jack Kerr | Dominion Virginia Power. P. | SERC | 1, 3
24. Wes Davis | SERC Reliability Corp. | SERC | 10
25. John Troha | SERC Reliability Corp. | SERC | 10
3. Group | Brad Jones | Luminant Energy | X
Additional Member | Additional Organization | Region | Segment Selection
1. Kevin Phillips | Luminant Energy | ERCOT | 6
4. Group | David Grubbs | City of Garland | X
Additional Member | Additional Organization | Region | Segment Selection
1. David Grubbs | ERCOT | 1
2. Fred Sherman | ERCOT | 1
3. Steve Zaragoza | ERCOT | 1
4. Billy Lee | ERCOT | 1
5. Heather Siemens | ERCOT | 1
6. Ronnie Hoeinghaus | ERCOT | 1
7. Matt Carter | ERCOT | 1
5. Group | Terry L. Blackwell | Santee Cooper | X X X X
Additional Member | Additional Organization | Region | Segment Selection
1. S. T. Abrams | Santee Cooper | SERC | 1
2. Rene' Free | Santee Cooper | SERC | 1
3. Vicky Budreau | Santee Cooper | SERC | 1
4. Glenn Stephens | Santee Cooper | SERC | 1
6. Group | Steve Alexanderson | Pacific Northwest Small Public Power Utility Comment Group | X X
Additional Member | Additional Organization | Region | Segment Selection
1. Russell Noble | Cowlitz County PUD No. 1 | WECC | 3, 4, 5
2. Dave Proebstel | Clallam County PUD | WECC | 3
3. Ronald Sporseen | Blachly-Lane Electric Cooperative | WECC | 3
4. Ronald Sporseen | Central Electric Cooperative | WECC | 3
5. Ronald Sporseen | Clearwater Power Company | WECC | 3
6. Ronald Sporseen | Douglas Electric Cooperative | WECC | 3
7. Ronald Sporseen | Consumers Power | WECC | 3
8. Ronald Sporseen | Fall River Rural Electric Cooperative | WECC | 3
9. Ronald Sporseen | Northern Lights | WECC | 3
10. Ronald Sporseen | Lane Electric Cooperative | WECC | 3
11. Ronald Sporseen | Lincoln Electric Cooperative | WECC | 3
12. Ronald Sporseen | Raft River Rural Electric Cooperative | WECC | 3
13. Ronald Sporseen | Lost River Electric Cooperative | WECC | 3
14. Ronald Sporseen | Salmon River Electric Cooperative | WECC | 3
15. Ronald Sporseen | Umatilla Electric Cooperative | WECC | 3
16. Ronald Sporseen | Coos-Curry Electric Cooperative | WECC | 3
17. Ronald Sporseen | West Oregon Electric Cooperative | WECC | 3
18. Ronald Sporseen | Pacific Northwest Generating Cooperative | WECC | 5
19. Ronald Sporseen | Power Resources Cooperative | WECC | 5
7. Group | Mallory Huggins | NERC Staff
Additional Member | Additional Organization | Region | Segment Selection
1. Earl Shockley | NERC | NA - Not Applicable | NA
2. Dave Nevius | NERC | NA - Not Applicable | NA
3. Gerry Adamski | NERC | NA - Not Applicable | NA
4. Roman Carter | NERC | NA - Not Applicable | NA
8. Group | Carol Gerou | MRO's NERC Standards Review Subcommittee | X
Additional Member | Additional Organization | Region | Segment Selection
1. Mahmood Safi | Omaha Public Utility District | MRO | 1, 3, 5, 6
2. Chuck Lawrence | American Transmission Company | MRO | 1
3. Tom Webb | WPS Corporation | MRO | 3, 4, 5, 6
4. Jodi Jenson | Western Area Power Administration | MRO | 1, 6
5. Ken Goldsmith | Alliant Energy | MRO | 4
6. Alice Murdock | Xcel Energy | MRO | 1, 3, 5, 6
7. Dave Rudolph | Basin Electric Power Cooperative | MRO | 1, 3, 5, 6
8. Eric Ruskamp | Lincoln Electric System | MRO | 1, 3, 5, 6
9. Joseph Knight | Great River Energy | MRO | 1, 3, 5, 6
10. Joe DePoorter | Madison Gas & Electric | MRO | 3, 4, 5, 6
11. Scott Nickels | Rochester Public Utilities | MRO | 4
12. Terry Harbour | MidAmerican Energy Company | MRO | 1, 3, 5, 6
9. Group | Sam Ciccone | FirstEnergy | X X X X X
Additional Member | Additional Organization | Region | Segment Selection
1. Dave Folk | FE | RFC
2. Doug Hohlbaugh | FE | RFC
3. Andy Hunter | FE | RFC
4. Kevin Querry | FE | RFC
5. Brian Orians | FE | RFC
6. John Martinez | FE | RFC
7. John Reed | FE | RFC
8. Marissa McLean | FE | RFC
9. Phil Bowers | FE | RFC
10. Group | Mike Garton | Electric Market Policy | X X X X X X X X
Additional Member | Additional Organization | Region | Segment Selection
1. Michael Gildea | Dominion | NPCC | 5
2. Louis Slade | Dominion | SERC | 6
3. John Loftis | Dominion Virginia Power | SERC | 1
11. Group | Denise Koehn | Bonneville Power Administration
Additional Member | Additional Organization | Region | Segment Selection
1. Jim Burns | BPA, Transmission, Technical Operations | WECC | 1
2. Russell Funk | BPA, Transmission, DCC Data System Hardware | WECC | 1
3. John Wylder | BPA, Transmission, CC HW Dsgn/Stds Montr & Admin | WECC | 1
12. Group | Kenneth D. Brown | PSEG Companies | X X X X
Additional Member | Additional Organization | Region | Segment Selection
1. Ron Wharton | PSE&G System Ops | RFC | 1, 3
2. Jerzy Slusarz | PSEG Fossil | RFC | 5, 6
3. James Hebson | PSEG ER&T | ERCOT | 5, 6
4. Dominick Grasso | PSEG Power Connecticut | NPCC | 5, 6
13. Group | Steve Rueckert | WECC | X
Additional Member | Additional Organization | Region | Segment Selection
1. Tom Schneider | WECC | WECC | 10
2. John McGee | WECC | WECC | 10
14. Group | Richard Kafka | Pepco Holdings, Inc - Affiliates | X X X X
Additional Member | Additional Organization | Region | Segment Selection
1. Vic Davis | Delmarva Power & Light Co | RFC | 1
2. Dave Thorne | Potomac Electric Power Company | RFC | 1
15. Group | Howard Rulf | We Energies | X X X
Additional Member | Additional Organization | Region | Segment Selection
1. Tom Eells | We Energies | RFC | 3, 4, 5
2. Fred Hessen | We Energies | RFC | 3, 4, 5
3. Brian Heimsch | We Energies | RFC | 3, 4, 5
16. Group | Annette M. Bannon | PPL Supply | X
Additional Member | Additional Organization | Region | Segment Selection
1. Mark Heimbach | PPL Martins Creek, LLC | RFC | 5
17. Group | J T Wood | Southern Company - Transmission | X X
Additional Member | Additional Organization | Region | Segment Selection
1. Marc Butts | Southern Company Services | SERC | 1
2. Andy Tillery | Southern Company Services | SERC | 1
3. Jim Busbin | Southern Company Services | SERC | 1
4. Phil Winston | Southern Company Services | SERC | 1
5. Mike Sanders | Southern Company Services | SERC | 1
6. Bob Canada | Southern Company Services | SERC | 1
7. Boyd Nation | Southern Company Services | SERC | 1
8. Phil Whitmer | Georgia Power Company | SERC | 3
9. Randy Mayfield | Alabama Power Company | SERC | 3
10. Randy Castello | Mississippi Power Company | SERC | 3
18. Group | Jason L. Marshall | Midwest ISO Standards Collaborators | X
Additional Member | Additional Organization | Region | Segment Selection
1. Jim Cyrulewski | JDRJC Associates, LLC | RFC | 8
2. Kirit Shah | Ameren | SERC | 1
3. Robert A. Thomasson Sr. | Big Rivers | SERC | 1, 3
19. Group | Ben Li | IRC Standards Review Committee | X
Additional Member | Additional Organization | Region | Segment Selection
1. Bill Phillips | MISO | MRO | 2
2. Matt Goldberg | ISO-NE | NPCC | 2
3. Charles Yeung | SPP | SPP | 2
4. Mark Thompson | AESO | WECC | 2
5. James Castle | NYISO | NPCC | 2
6. Steve Myers | ERCOT | ERCOT | 2
7. Greg Van Pelt | CAISO | WECC | 2
8. Patrick Brown | PJM | RFC | 2
20. Individual | Brian Pillittere | Tenaska
21. Individual | Sandra Shaffer | PacifiCorp | X X X X X
22. Individual | Jana Van Ness, Director Regulatory Compliance | Arizona Public Service Company | X X X X
23. Individual | Brent Ingebrigtson | E.ON U.S. LLC | X X X X
24. Individual | Brenda Lyn Truhe | PPL Electric Utilities | X
25. Individual | Greg Froehling | Green Country Energy | X
26. Individual | TransAlta Corporation | TransAlta Centralia Generation, LLC | X
27. Individual | Doug Smeall | ATCO Electric Ltd.
28. Individual | Dan Roethemeyer | Dynegy Inc.
29. Individual | Kasia Mihalchuk | Manitoba Hydro | X X
30. Individual | Philip Savage | PacifiCorp | X X
31. Individual | Brian Reich | Idaho Power Company | X X
32. Individual | Chris Hajovsky | RRI Energy, Inc.
33. Individual | Bill Keagle | BGE | X
34. Individual | John Brockhan | CenterPoint Energy | X
35. Individual | Joylyn Faust | Consumers Energy | X X X
36. Individual | Doug White | North Carolina Electric Coops | X X X
37. Individual | Lauri Jones | Pacific Gas and Electric Company | X X
38. Individual | Laurie Williams | PNM Resources | X X
39. Individual | Val Lehner | ATC | X
X X X X X X X
40. Individual | Martin Bauer | US Bureau of Reclamation
41. Individual | Wayne Pourciau | Georgia System Operations Corporation
42. Individual | Rex Roehl | Indeck Energy Services
43. Individual | Jonathan Appelbaum | United Illuminating
44. Individual | Amir Y Hammad | Constellation Power Generation and Constellation Commodities Group | X X X X X
45. Individual | Carol Bowman | City of Austin dba Austin Energy | X
46. Individual | John Bee | Exelon | X X X
47. Individual | Kirit Shah | Ameren | X X X X
48. Individual | Thad Ness | American Electric Power (AEP) | X X X X
49. Individual | Joe Knight | Great River Energy | X X X X
50. Individual | Greg Rowland | Duke Energy | X X X X
51. Individual | Nathan Lovett | Georgia Transmission Corporation | X
X X
52. Individual | Chris de Graffenried | Consolidated Edison Co. of NY, Inc.
53. Individual | Kathleen Goodman | ISO New England Inc.
54. Individual | Amanda Stevenson | E.ON Climate & Renewables
55. Individual | Christine Hasha | ERCOT ISO
56. Individual | Terry Harbour | MidAmerican Energy | X
57. Individual | Michael Gammon | Kansas City Power & Light | X X X
58. Individual | Ron Gunderson | Nebraska Public Power District | X X X
59. Individual | Dan Rochester | Independent Electricity System Operator
60. Individual | Catherine Koch | Puget Sound Energy
X X X X X X X
1. Do you agree with the purpose statement of the proposed standard? Please explain in the comment box below.
Summary Consideration: Stakeholders who responded to this question were fairly evenly divided on acceptance of the original
purpose statement with about half supporting the purpose and half suggesting revisions to the purpose. A common thread through
most of the comments was that the DSR SDT went beyond the intent of the standard (reporting) and concentrated too much on the
analysis of the event. Based on these comments, the SDT revised the purpose statement. The new purpose is:
To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of Impact Events and
their causes, if known, by the Responsible Entities.
Several commenters noted that the term “impact event” is not a formally defined term. The DSR SDT has used a working
definition for “impact events” to develop Attachment 1 as follows:
An impact event is any event that has either impacted or has the potential to impact the reliability of the Bulk Electric
System. Such events may be caused by equipment failure or mis-operation, environmental conditions, or human action.
Many stakeholders indicated that the definition should be added to the NERC Glossary and the DSR SDT adopted this suggestion.
The types of Impact Events that are required to be reported are contained within Attachment 1. Only these events are required to
be reported under this Standard.
Some commenters correctly pointed out that “situational awareness” was a desirable by-product of an effective event reporting
system, and not a driver of that system. Accordingly, all references to “situational awareness” have been deleted from the standard.
The more generic “industry awareness” has been substituted where appropriate.
Many commenters noted that the SDT did not define sabotage. FERC Order 693, paragraph 471 states in part: “. . . the Commission
directs the ERO to develop the following modifications to the Reliability Standard through the Reliability Standards development
process: (1) further define sabotage and provide guidance as to the triggering events that would cause an entity to report a sabotage
event.” The DSR SDT made a conscious, deliberate decision to exclude a strict definition of sabotage from this standard and sought
stakeholder feedback on this issue. Some suggested adopting the NRC definition of the term sabotage, and the DSR SDT did
consider adopting the NRC definition shown below but determined that the definition is too narrowly focused.
Any deliberate act directed against a plant or transport in which an activity licensed pursuant to 10 CFR Part 73 of NRC's
regulations is conducted or against a component of such a plant or transport that could directly or indirectly endanger the public
health and safety by exposure to radiation.
Most respondents agreed that in order to be labeled as an act of sabotage, the intent of the perpetrators must be known. The team
felt that it was almost impossible to determine if an act or event was that of sabotage or merely vandalism without the intervention
of law enforcement after the fact. This would result in further ambiguity with respect to reporting events, and the timeline
associated with the reporting requirements does not lend itself to the in-depth analysis required to identify a disturbance (or
potential disturbance) as sabotage. The SDT felt that a likely consequence of having to meet this criterion, in the time allotted,
would be an under-reporting of events. Accordingly, all references to sabotage have been deleted from the standard.
Organization | Yes or No | Question 1 Comment
Ameren
No
The purpose talks about reporting impact events and their known causes. We have no problem with this
generic intent, but the purpose says nothing about the very burdensome expectation of verbal updates to
NERC and Regional Entities (Attachment 1, top of first page), Preliminary Impact Event Reports (Attachment
1, top of first page, are these Attachment 2?), "Actual" Impact Event Reports (Attachment 1 - Part A) and
"Potential" Impact Event Reports (Attachment 1 - Part B). These multiple levels of reporting and events need
to be greatly reduced.
American Electric Power (AEP)
No
It is unclear what the relationship is between this project and the newly revamped NERC Event Analysis
Process. We support moving towards one process opposed to separate obligations that may be in conflict.
In addition, AEP supports the concept of a central clearinghouse such as the RCIS that is shared by the
industry. We support fewer punitive requirements and more prompting for using tools to make multiple
entities aware of reliability related issues shortly after the fact.
CenterPoint Energy
No
CenterPoint Energy does not agree with the purpose statement of the proposed standard. The directive from
the Commission in FERC Order 693 and restated in the Guideline and Technical Basis is “...the Commission
directs the ERO to develop the following modifications to the Reliability Standard through the Reliability
Standards development process: 1) further define sabotage and provide guidance as to the triggering events
that would cause an entity to report a sabotage event.” Instead the SDT has introduced another term, impact
event, to address concerns regarding different definitions. The term, impact event and its proposed concept is
too broad. Specifically the concept that an impact event “...has the potential to impact the reliability of the Bulk
Electric System” leaves too much room for an entity and a regulatory body to have a difference of opinion as
to whether an event should be reported. Required reporting should be limited to actual events. The reporting
to follow could become overwhelming for the Responsible Entities, the ERO, and other various organizations
and agencies. Furthermore, situational awareness is a term that is associated with aspects of real-time.
Given the analysis required before a report can be submitted, the report will not be real-time and will not
sustain a purpose of supporting situational awareness. (See also comments on Q10 regarding the “Time to
Submit Report”.) A purpose that is more aligned with consolidation of the EOP-004 and CIP-001 standards
would be as follows: Responsible Entities shall report disturbance events and acts of sabotage to support the
reliability of the BES through industry awareness.
Consolidated Edison Co. of NY, Inc.
No
Comments: The purpose is not clear because it uses the term “impact events”. This term should be a defined
in the NERC glossary, and should not include words such as “potential”.
Duke Energy
No
The Purpose statement says that reporting under this standard supports situational awareness. However this
is in conflict with Section 5. Background, where the DSR SDT makes clear that this standard includes no real-time operating notifications, and that this proposed standard deals exclusively with after-the-fact reporting.
We also disagree with the stated concept of “impact event”. Including the phrase “or has the potential to
impact” in the concept makes it impossibly broad for practical application and compliance.
Electric Market Policy
No
The term “impact events” does not draw a clear boundary around those events that are affected by this
standard. Since this is not a defined term, nor is intended to be a defined term in the NERC glossary, this
standard lacks clarity and is likely to produce significant conflict as an applicable entity attempts to establish
procedures to assure compliance. It appears that situational awareness could not be improved with this
standard since it is only dealing with events after-the-fact, not within the time frame to allow corrective action
by the system operator. As conveyed in Dominion’s comments on NERC Reliability Standards Development
Plan 2011 - 2013, Dominion does not see this draft standard as needing to be in the queue while other
standards having more impact to bulk electric reliability remain incomplete or unfinished.
ERCOT ISO
No
ERCOT ISO believes that according to the timelines allotted in Attachment 1, it may not be possible for the
entity to identify the “known cause” of an event. The requirements list identification of “initial probable cause”.
This is more reasonable under the timelines noted in Attachment 1.
Exelon
No
The purpose states that Responsible Entities SHALL report impact events - this implies that ALL impact
events need to be reported regardless of magnitude, suggest rewording to say "... shall report applicable
impact events ..." to allow for evaluation of each impact for applicability in accordance with Attachment 1).
FirstEnergy
No
Since this standard is after-the-fact reporting, the phrase "situational awareness" may not be appropriate
since that phrase is attributed by a large part of the industry to real-time, minute-to-minute awareness of the
system. We suggest the following rewording of the purpose statement: "To ensure Applicable Entities report
impact events and their known causes to enhance and support the reliability of the Bulk Electric System
(BES)".
Indeck Energy Services
No
Suggestion: "Functional Entities identified in Section 4 shall support situational awareness of impact events
and their known causes."
Independent Electricity System Operator
No
(1) Our understanding of the proposed revision as conveyed in the SAR was to provide clarity and reduce
redundancy on reporting the latest and even on-going events on the system that may be caused by system
changes and/or sabotage. The intent is to ensure the proper authorities are informed of such events so that
they may take appropriate and necessary actions to identify causes and/or mitigate or limit the extent of
interruptions. We also supported a suggestion in the SAR to assess the merit of merging CIP-001 and EOP-004 to remove redundancy, although we suggested that this should not be a presumption when revising the
standard(s). This posting appears to indicate that only EOP-004 will be revised at this time, and CIP-001 which
deals with sabotage reporting will remain in effect. With this assumption, the proposed standard appears to
contain a mixture of reporting two types of events of different time frame - the first type being those events
that need to be reported soon or immediately after they occur (e.g. impact events that appear to be the result
of a sabotage) with an aim to curb/contain these events by the appropriate authorities; the second type being
the events that can be reported sometime well after the fact, e.g. system disturbances due to weather or
switching or other known causes that are not of malicious nature. Combining the two types of requirement
does not appear to be clearly conveyed in the SAR. We therefore suggest the SDT review the main purpose
and content in the proposed EOP-004 to ensure consistency with the SAR, and in relation to the purpose and
requirements already contained in CIP-004. (2) With respect to disseminating reports and related information
after the fact, we wonder if a data collection process, such as RoP 1900, can serve the purpose without
having to create a standard or a requirement to achieve this. (3) Most of the requirements appear to be
administrative in nature and they stipulate the how but not the what, which in our view does not conform with
the Results-based standard concept and does not rise to the level of a reliability standard. (4) A number of
requirements proposed in the draft standard are quite vague and cannot be measured. Details of this
assessment are provided below.
IRC Standards Review Committee
No
The proposed requirements in the standard are not focused on the core industry concern that current
requirements are unclear as to what types of events warrant entities to report. Per draft 2 of the SAR, “The
existing requirements need to be revised to be more specific - and there needs to be more clarity in what
sabotage looks like.” Instead this proposed standard includes requirements that are more focused on “how”
to report, rather than “what” to report. The SAR states that: “The development may include other
improvements to the standards deemed appropriate by the drafting team, with consensus on the stakeholders
(emphasis added), consistent with establishing high quality, enforceable and technically sufficient bulk power
system reliability standards.” The SRC believes the scope of the SAR, and likewise the proposed standard, is
inappropriate to the fundamental reliability purpose of what events need to be reported. The proposed
administrative requirements are difficult to interpret, implement and measure, and do not clarify what type of
sabotage information entities need to report. Although the use of procedures and an understanding by those
personnel accountable seem helpful for ensuring reports are made, the fundamental purpose of clarifying
what types of events should be reported and more importantly what types do not have to be reported, is
lacking in the standard. Also, one of the first issues identified in the SAR for consideration by the drafting
team seems to be ignored, “Consider whether separate, less burdensome requirements for smaller entities
may be appropriate.” The requirements for entities to develop Operating Plans and to have training for those
plans, further adds uncertainty and increases complexity of how entities, large and small, will have to comply
with this standard.
ISO New England Inc.
No
The proposed requirements in the standard are not focused on the core industry concern that current
requirements are unclear as to what types of events warrant entities to report. Per draft 2 of the SAR, “The
existing requirements need to be revised to be more specific - and there needs to be more clarity in what
sabotage looks like.” Instead this proposed standard includes requirements that are more focused on “how”
to report, rather than “what” to report. The draft 2 SAR has never been balloted for approval prior to standard
drafting. In fact, the SAR states, “The development may include other improvements to the standards deemed
appropriate by the drafting team, with consensus on the stakeholders (emphasis added), consistent with
establishing high quality, enforceable and technically sufficient bulk power system reliability standards.” The
scope of the SAR, and likewise the proposed standard, is inappropriate to the fundamental reliability purpose
of what events need to be reported. The proposed administrative requirements are difficult to interpret,
implement and measure, and do not clarify what type of sabotage information entities need to report.
Although the use of procedures and an understanding by those personnel accountable seems helpful for
ensuring reports are made, the fundamental purpose of clarifying what types of events should be reported
and more importantly what types do not have to be reported, is lacking in the standard. Also, one of the first
issues identified in the SAR for consideration by the drafting team seems to be ignored: “Consider whether
separate, less burdensome requirements for smaller entities may be appropriate.” The requirements for
entities to develop Operating Plans and to have training for those plans, further adds uncertainty and
increases complexity of how entities, large and small, will have to comply with this standard. The term “impact
events” does not draw a clear boundary around those events that are affected by this standard. Since this is
not a defined term, nor is intended to be a defined term in the NERC Glossary, this standard lacks clarity and
is likely to produce significant conflict as an applicable entity attempts to establish procedures to assure
compliance. It appears that situational awareness could not be improved with this standard since it is only
dealing with events after-the-fact, not within the time frame to allow corrective action by the system
operator. This draft standard should not have this high a priority while other standards having a greater impact
on Bulk Electric System reliability remain incomplete or unfinished. Regional reporting requirements should be
in Regional Standards, and not be included in a NERC Standard.
Manitoba Hydro
No
Though new purpose greatly clarifies the proposed EOP-004-2 and using “situational awareness” is the key to
this purpose, further clarification of specific items should be added to the purpose. “Responsible Entities shall
report SIGNIFICANT events to support interconnection situational awareness on events that impact the
integrity of the Bulk Electric System, such as islanding, generation, transmission and load losses, load
shedding, operation errors, IROL/SOL violations, sustained voltage excursions, equipment and protection
failures and on suspected or acts of sabotage.”
Nebraska Public Power District
No
The background states there is no real-time reporting requirement in this standard, but the purpose states a
purpose is for situational awareness. This implies real-time reporting. The purpose clearly identify the
standard is for after the fact reporting to permit analysis of events, trend data, and identify lessons learned.
North Carolina Electric Coops
No
The term “impact event” is not a defined term in the NERC glossary and does not draw a clear boundary or
give concise guidance to aid in event recognition.
Northeast Power Coordinating Council
No
The proposed requirements in the standard are not focused on the core industry concern that current
requirements are unclear as to what types of events warrant entities to report. Per draft 2 of the SAR, “The
existing requirements need to be revised to be more specific - and there needs to be more clarity in what
sabotage looks like.” Instead this proposed standard includes requirements that are more focused on “how”
to report, rather than “what” to report. The draft 2 SAR has never been balloted for approval prior to standard
drafting. In fact, the SAR states, “The development may include other improvements to the standards deemed
appropriate by the drafting team, with consensus on the stakeholders (emphasis added), consistent with
establishing high quality, enforceable and technically sufficient bulk power system reliability standards.” The
scope of the SAR, and likewise the proposed standard, is inappropriate to the fundamental reliability purpose
of what events need to be reported. The proposed administrative requirements are difficult to interpret,
implement and measure, and do not clarify what type of sabotage information entities need to report.
Although the use of procedures and an understanding by those personnel accountable seems helpful for
ensuring reports are made, the fundamental purpose of clarifying what types of events should be reported
and more importantly what types do not have to be reported, is lacking in the standard. Also, one of the first
issues identified in the SAR for consideration by the drafting team seems to be ignored: “Consider whether
separate, less burdensome requirements for smaller entities may be appropriate.” The requirements for
entities to develop Operating Plans and to have training for those plans, further adds uncertainty and
increases complexity of how entities, large and small, will have to comply with this standard. The term “impact
events” does not draw a clear boundary around those events that are affected by this standard. Since this is
not a defined term, nor is intended to be a defined term in the NERC Glossary, this standard lacks clarity and
is likely to produce significant conflict as an applicable entity attempts to establish procedures to assure
compliance. It appears that situational awareness could not be improved with this standard since it is only
dealing with events after-the-fact, not within the time frame to allow corrective action by the system
operator. This draft standard should not have this high a priority while other standards having a greater impact
on Bulk Electric System reliability remain incomplete or unfinished. Regional reporting requirements should be
in Regional Standards, and not be included in a NERC Standard.
Pacific Gas and Electric Company
No
PG&E recognizes this is an after the fact report, however, the purpose statement should reflect the fact that
this proposed standard is for after-the-fact reporting. If the future intent is for this report to replace current
reporting criteria the purpose statement should be expanded to reflect the true intent of the Standard.
PNM Resources
No
PNM believes the purpose statement should reflect the fact that this proposed standard is for after-the-fact
reporting. It is misleading and may have many thinking it is duplicative work.
PSEG Companies
No
The following sentence should be added. "This standard is not intended to be for real-time operations
reporting."
RRI Energy, Inc.
No
The purpose does not need to mention "and the reliability of the Bulk Electric System." This is the
Congressional mandate in FPA Section 215, and could be attached to every Standard, guide, notice and
direction issued by FERC, NERC and Regional Entities. In addition, the purpose references "Responsible
Entities." However, section 4 on "Applicability" references "Functional Entities." These terms should be
consistent. Therefore, the purpose statement of the proposed standard should be corrected to read,
"Functional Entities identified in Section 4 shall report impact events and their known causes to support
situational awareness." CONSIDERATION: Is the phrase "shall report impact events and their known causes"
really a purpose of the Proposed Standard, or is it instead merely a means to achieve the purpose of
situational awareness? If the latter, the purpose statement can be further shortened to read, "Functional
Entities identified in Section 4 shall support situational awareness of impact events and their known causes."
Santee Cooper
No
Since this standard is written to report events after-the-fact and not for a System Operator to perform
corrective action, we believe the words situational awareness should be removed from the purpose.
Situational Awareness is typically used for real-time operations. Also, any events that require reporting should
be clearly defined in Attachment 1 and leave no room for interpretation by an entity.
SERC OC Standards Review Group
No
The term “impact events” does not draw a clear boundary around those events that are affected by this
standard. Since this is not a defined term, nor is intended to be a defined term in the NERC glossary, this
standard lacks clarity and is likely to produce significant conflict as an applicable entity attempts to establish
procedures to assure compliance. It appears that situational awareness could not be improved with this
standard since it is only dealing with events after-the-fact, not within the time frame to allow corrective action
by the system operator.
United Illuminating
No
UI suggests adding the phrase: and the ERO shall provide quarterly reports; Responsible Entities shall report
impact events and their known causes, and the ERO shall provide quarterly reports, to support situational
awareness and the reliability of the Bulk Electric System (BES).
US Bureau of Reclamation
No
The purpose is more closely related to the concept that "Responsible Entities shall document and analyze
impact events and their known causes and disseminate the impact event documentation to support situational
awareness". Not all impact events are to be reported. The analysis of the impact events is what is needed to
achieve a lessons learned.
We Energies
No
Impact event needs to be clarified first, and DP references in Attachment 1 clarified. Distribution is not BES.
WECC
No
The purpose statement should reflect the fact that this proposed standard is for after-the-fact reporting. It is
misleading and may have many thinking it is duplicative work.
ATC
Yes
ATC agrees with the purpose statement. However, we do not agree with the implied definition of “impact
events” as represented in Attachment 1. (See specific comments about what is included in Attachment 1 for
the type of events that qualify as an “impact event”.)
Bonneville Power Administration
Yes
Known causes are difficult under 1 hour reporting requirements (Unusual events are even harder to narrow
down in 24 hours and may take weeks.) The System Operators and RC’s handle situational awareness and
reliability events, this is an extra wide view and learning for reporting only.
Dynegy Inc.
Yes
Statement is broad enough to cover both Standards.
Great River Energy
Yes
Thank you for the clarification of “known causes”, this will allow entities to report what they currently know
when submitting an impact report.
MRO's NERC Standards Review Subcommittee
Yes
Thank you for the clarification of “known causes”, this will allow entities to report what they currently know
when submitting an impact report.
Puget Sound Energy
Yes
However, further definition of "known causes" would be helpful as sometimes the root cause analysis doesn't
uncover the actual cause for some time after the timeframes outlined in Attachment 1.
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
BGE
Yes
City of Austin dba Austin Energy
Yes
City of Garland
Yes
Constellation Power Generation and Constellation Commodities Group
Yes
E.ON Climate & Renewables
Yes
Georgia System Operations Corporation
Yes
Green Country Energy
Yes
Idaho Power Company
Yes
Kansas City Power & Light
Yes
Luminant Energy
Yes
MidAmerican Energy
Yes
Midwest ISO Standards Collaborators
Yes
NERC Staff
Yes
Pacific Northwest Small Public Power Utility Comment Group
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
Tenaska
Yes
TransAlta Corporation
Yes
2. Do you agree with the applicable entities in the Applicability Section as well as assignment of applicable entities noted in
Attachment 1? Please explain in the comment box below.
Summary Consideration:
There was no consensus amongst stakeholders who responded to this question regarding the
acceptability of the proposed list of functional entities and the assignment of applicable entities in Attachment 1.
Several respondents replied with their concern that the reporting requirements were redundant. The general sentiment was that
unclear responsibility to report a disturbance could trigger a flood of event reports. Attachment 1 has been modified to assign clear
responsibility for reporting, for each category of Impact Event. There was some concern expressed that there could be confusion
between the reporting requirements in this standard, and those found in CIP-008. The DSR SDT agrees, and Attachment 1 Part B,
has been modified to provide the process for the reporting of a Cyber Security Incident.
The DSR SDT had protracted discussions on the applicability of this standard to the LSE. Per the Functional Model the LSE does not
own assets and therefore should not be an applicable entity (no equipment that could experience a “disturbance”). However, the
Registry Criteria contains language that could imply that the LSE does own assets, or is at least responsible for assets. In addition, the
DSR SDT modified Attachment 1 to include reporting of damage or destruction of Critical Cyber Assets per CIP-002. The LSE, as well
as the Interchange Authority and Transmission Service Provider are applicable entities under CIP-002 and should be included for
Impact Events under EOP-004.
There were several comments that the asset owners (GO/TO) would be less likely than the asset operators (GOP/TOP) to be aware
of an impact event. The DSR SDT recognizes that this may be true in some cases, but not all. In order to meet the reliability
objectives of this requirement, the applicability for GO/TO will remain as per Attachment 1.
Organization
Yes or No
Question 2 Comment
American Electric Power (AEP)
No
AEP does not agree with the addition of the Generator Owner to the standard. The Generator Owner does
not have visibility to the real time operational status of a unit. As a result, the Generator Owner lacks the
ability to recognize impact events and report them to the Regional Entity or NERC within the time frames
specified in the standard. Reporting requirements for impact events should be the responsibility of the
Generator Operator.
Arizona Public Service Company
No
AZPS recommends excluding 4.1.7 Distribution Providers, as Distribution Providers generally operate at
levels below 100kV.
ATC
No
The Functional Entities identified in Attachment 1 do not align with the current CIP Standard obligations (e.g.
Load Serving Entities are not included).
CenterPoint Energy
No
CenterPoint Energy does not agree with the addition of Transmission Owner and Distribution Provider to the
Applicability section. Transmission Owner and Distribution provider are not currently applicable entities for
either CIP-001 or EOP-004 and should not be included in the proposed combined standard. However,
CenterPoint Energy does agree that LSE should be removed from the Applicability section. CenterPoint
Energy appreciates the SDT’s efforts in assigning entities to each event in Attachment 1. This is an
improvement over the existing EOP-004 standard. It is clear, however, that with multiple entities responsible
for reporting each event, there is no need to expand the Applicability Section to include Transmission Owner
and Distribution Provider.
Consolidated Edison Co. of NY,
Inc.
No
Comments: NERC’s role as the Standard enforcement organization for the power industry will be in conflict if
NERC is also identified as an applicable entity. What compliance organization will audit NERC’s
performance? This is presently not clear.
Constellation Power Generation and Constellation Commodities Group
No
Constellation Power Generation and Constellation Commodities Group disagrees with the inclusion of
Generator Owners. Since one of the goals in revising this standard is to streamline impact event reporting
obligations, Generator Operators are the appropriate entity to manage event reporting as the entity most
aware of events should they arise. At times, the information required to complete a report may warrant input
from entities connected to generation, but the operator remains the best entity to fulfill the reporting obligation.
E.ON Climate & Renewables
No
1. Voltage deviation events are too vague for GOP. How does voltage deviations apply to GOP’s or
specifically renewables i.e., wind farms? 2. Define what an “entity” is. 3. Define what a “generating station” is.
4. Define what a “BES facility” is. 5. Define what a control center is. 6. Renewable energy/generators should
be taken into consideration when crafting the events.
E.ON U.S. LLC
No
The proposed standard does not list the Load Serving Entity as an Applicable Entity, but the possible events
that the standard addresses are within the scope of the LSE. Some functions of the LSE listed within the
Functional Model are addressed in the proposed standard. Existing CIP-001-1a and EOP-004-1 are both
applicable to the LSE.
Electric Market Policy
No
Having the ERO as an applicable entity is concerning as they are also the compliance enforcement authority.
The ERO is responsible for multiple requirements in this standard that shape the ultimate actual rules that the
other applicable entities would be required to meet. For example, establishing and maintaining a system for
receiving and distributing impact events, per R1, would be done solely by the ERO, outside of NERC’s open
process. Attachment 1 is troublesome. The time frames listed are not consistent for similar events. For
example, EEAs are either reported within one or 24 hours depending on the nuance. Having multiple entities
reporting the same event is troublesome, i.e., why does a RC have to report an EEA if the BA is going to
report it? This will lead to conflicting reports for the same event. Attachment 1 seems to be consolidating
time frames from other standards into one for reporting. However, we believe this subject is more complex
than this table reveals and the table needs more clarification. Several of the events require filing a written
formal report within one hour. For example, system separation certainly is going to require an “all hands on
deck” response to the actual event. We note that the paragraph above the table in attachment 1 indicates
that a verbal report would be allowed in certain circumstances, but this is the same issue with the formal
report in that the system operators are concerned with the event and not the reporting requirements. There is
already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
ERCOT ISO
No
ERCOT ISO recommends that the Electric Reliability Organization be removed from the standard. The
Electric Reliability Organization should not be responsible for reliability functions and therefore should be
excluded from reliability standards.
Exelon
No
Attachment 1, Part B, footnote 1. A GO is unlikely to know if a fuel supply problem would cause a reliability
concern because one GO may not know the demand for an entire region. Attachment 1, Part B, footnote 1.
What is the definition of an "emergency" related to problems with a fuel supply chain? What time threshold of
projected need would constitute a 1 hour report? Attachment 1, Part A - Voltage Deviations - A GOP may not
be able to make the determination of a +/- 10% voltage deviation for ≥ 15 minutes, this should be a TOP
RC function only. Attachment 1, Part A - Generation Loss of ≥ 2,000 MW for a GO/GOP does not provide
a time threshold. If the 2,000 MW is from a combination of units in a single location, what is the time
threshold for the combined unit loss? Attachment 1, Part A - Damage or destruction of BES equipment
o The event criteria is ambiguous and does not provide clear guidance; specifically, the note needs to provide more
explicit criteria related to parts (iii) and (iv) to remove the need for interpretation especially since this is a 1
hour reportable occurrence. In addition, determination of the aggregate impact of damage may not be
immediately understood - does the 1 hour report time clock start on initiation of event or following confirmation
of event?
o The initiating event needs to explicitly state that it is a physical and not cyber. Events related to
cyber sabotage are reported in accordance with CIP-008, "Cyber Security - Incident Reporting and Response
Planning," and therefore any type of event that is cyber initiated should be removed from this Standard.
o If
the damage or destruction is related to a deliberate act, consideration should also be given to coordinating
such reporting with existing required notifications to the NRC and FBI as to not duplicate effort or add
unnecessary burden on the part of a nuclear GO/GOP during a potential security event. Attachment 1, Part B
- Loss of off-site power (grid supply) affecting a nuclear generating station - this event classification should be
removed from EOP-004. The impact of loss of off-site power on a nuclear generation unit is dependent on
the specific plant design and may not result in a loss of generation (i.e., unit trip); furthermore, if a loss of off-site power were to result in a unit trip, an Emergency Notification System (ENS) would be required to the
Nuclear Regulatory Commission (NRC). The 1 hour notification in EOP-004 on a loss of off-site power (grid
supply) to a nuclear generating station should be commensurate with other federal required notifications.
Depending on the unit design, the notification to the NRC may be 1 hour, 8 hours or none at all.
Consideration should be given to coordinating such reporting with existing required notifications to the NRC
as to not duplicate effort or add unnecessary burden on the part of a nuclear GO/GOP during a potential
transient on the unit. Attachment 1, Part B - Forced intrusion at a BES facility - Consideration should also be
given to coordinating such reporting with existing required notifications to the NRC and FBI as to not duplicate
effort or add unnecessary burden on the part of a nuclear GO/GOP during a potential security event.
Attachment 1, Part B - Risk to BES equipment from a non-environmental physical threat - this event leaves
the interpretation of what constitutes a "risk" with the reporting entity. Need more specific criteria for this
event. Attachment 1, Part B - Detection of a cyber intrusion to critical cyber assets - Events related to cyber
sabotage are reported in accordance with CIP-008, "Cyber Security - Incident Reporting and Response
Planning," and therefore any type of event that is cyber initiated should be removed from this Standard.
FirstEnergy
No
We do not support the ERO as an applicable entity of a reliability standard because they are not a user,
owner or operator of the bulk electric system. Any expectation of the ERO should be defined in the Rules of
Procedure.
Georgia System Operations Corporation
No
This standard should not apply to distribution systems or Distribution Providers. It should apply only to the
BES.
Georgia Transmission Corporation
No
These events generally are Operator Functions and should not apply to a TO. 1. Energy Emergency requiring
system-wide voltage reduction 2. Loss of firm load greater than 15 min. 3. Transmission loss (multiple BES
transmission elements) 4. Damage or destruction to BES equipment (thru operational error or equipment
failure) 5. Loss of off-site power affecting a nuclear generating station
Indeck Energy Services
No
---ERO should not be included in this or any other standard! FERC can decide whether NERC is doing a
good job without having standards requirements to audit to. If NERC needs to be included in a standard, then
it should a stand-alone one so that the RSAW for all of the other audits don't need to include those
requirements.
---"Loss of off-site power (grid supply)" is important at control centers and other large
generators. The SDT must use a well-defined standard such as potentially cause a Reportable Disturbance,
to differentiate significant events from others.
---"Footnote 1. Report if problems with the fuel supply chain
result in the projected need for emergency actions to manage reliability." is ambiguous. Everything in the
Standards program can "Affecting BES reliability". The SDT must use a well-defined standard such as
potentially cause a Reportable Disturbance, to differentiate significant events from others.
---"Footnote 2.
Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is
not reportable unless it effects the reliability of the BES)." is well intentioned but ambiguous. For example, if I
know the motivation is to blow up the plant, then by this footnote, I don't have to report. The SDT must use a
well-defined standard such as potentially cause a Reportable Disturbance, to differentiate significant events
from others.
---All terms should be used from or added to the Glossary.
Independent Electricity System Operator
No
We do not agree with the inclusion of TO and GO. They are not operating entities and do not need to collect
or provide information pertaining to impact events, which are the results and phenomena observe under
operating conditions in the operation horizon, and such information collection and provision are the
responsibility of the TOP and GOP.
IRC Standards Review Committee
No
Entities that have information about possible sabotage events should report these to NERC after the fact and
the standard should simply reflect that. While we agree with the list of functional entities identified in the
Applicability Section, we do not agree with their application in Attachment 1. As the functional entities are
identified in Attachment 1, there is likely going to be duplicate reporting. Why should both the RC and BA
submit a report for an EEA for example?
ISO New England Inc.
No
Having the ERO as an applicable entity raises the issue that they are also the compliance enforcement
authority. The ERO is responsible for multiple requirements in this standard that shape the ultimate actual
rules that the other applicable entities would be required to meet. For example, establishing and maintaining
a system for receiving and distributing impact events, per R1, would be done solely by the ERO, outside of
NERC’s open process. NERC has also offered the opinion that since NERC is not a “user, owner, or
operator” Standards are not enforceable against the ERO. In Attachment 1 the time frames listed are not
consistent for similar events. For example, EEAs are either reported within one or 24 hours depending on the
nuance. Having multiple entities reporting the same event is troublesome, i.e., why does a RC have to report
an EEA if the BA is going to report it? This will lead to unnecessary and possibly conflicting reports for the
same event. Attachment 1 seems to be consolidating time frames from other standards into one for reporting.
However, this subject is more complex than this table reveals, and the table needs more clarification. Entities
that have information about possible sabotage events should report these to NERC after the fact, and the
standard should simply reflect that. While we agree with the list of functional entities identified in the
Applicability Section, we do not agree with their application in Attachment 1. As the functional entities are
identified in Attachment 1, it is likely that there is going to be duplicate reporting. Several of the events
require filing a written formal report within one hour. For example, system separation is going to require an
“all hands on deck” response to the actual event. The paragraph above the table in Attachment 1 indicates
that a verbal report would be allowed in certain circumstances, but this is the same issue with the formal
report in that the system operators are concerned with the event and not the reporting requirements. There is
already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements through NERC that cross federal agency jurisdictions.
Luminant Energy
No
Inclusion of both GO and GOP will result in duplicate reporting as both are responsible for reporting resource-related events such as Generation Loss, Fuel Supply Emergencies and Loss of Off-site power (grid supply).
Recommend including only the GOP as it is critical that the GOP gather and communicate relevant
information to the Reliability Coordinator.
Manitoba Hydro
No
Since this Standard is to support situational awareness, more entities should be included such as Load
Serving Entities (which was removed from EOP-004-1).
MidAmerican Energy
No
While we agree with the list of functional entities identified in the Applicability Section, we do not agree with
their application in Attachment 1. As the functional entities are identified in Attachment 1, there is likely going
to be duplicate reporting. Why should both the RC and BA submit a report for an energy emergency requiring
public appeals?
Midwest ISO Standards Collaborators
No
While we agree with the list of functional entities identified in the Applicability Section, we do not agree with
their application in Attachment 1. As the functional entities are identified in Attachment 1, there is likely going
to be duplicate reporting. Why should both the RC and BA submit a report for an energy emergency requiring
public appeals?
North Carolina Electric Coops
No
There is a conflict between the ERO being listed as an applicable entity and the fact that the ERO is the
compliance enforcement authority. The ERO is responsible for multiple requirements in this standard that
other applicable entities would be required to meet. Attachment 1 has inconsistent time frames listed for
similar events. For example, EEA’s are either reported within one or 24 hours depending on the nuance.
Also, having more than one entity reporting an EEA can lead to conflicting information for the same event.
Attachment 1 has the RC and the BA both reporting the same EEA event. Attachment 1 consolidates time
frames from other standards for reporting purposes. There should either be a separate standard for
“reporting” that encompasses reporting requirements for all standards or leave the time frames and reporting
requirements in the original individual standards. Several of the events require filing a written formal report
within one hour. For large events like cascading outages or system separation, “all hands on deck” attention
will need to be given to the actual event. Although a verbal report would be allowed in certain circumstances,
attention to the actual event should take precedence over formal reporting requirements. There is already a
DOE requirement to report certain events and no need to develop redundant reporting requirements in the
NERC arena when this information is already available at the federal level at other agencies.
Northeast Power Coordinating Council
No
Having the ERO as an applicable entity raises the issue that they are also the compliance enforcement
authority. The ERO is responsible for multiple requirements in this standard that shape the ultimate actual
rules that the other applicable entities would be required to meet. For example, establishing and maintaining
a system for receiving and distributing impact events, per R1, would be done solely by the ERO, outside of
NERC’s open process.
NERC has also offered the opinion that since NERC is not a “user, owner, or
operator” Standards are not enforceable against the ERO. In Attachment 1 the time frames listed are not
consistent for similar events. For example, EEAs are either reported within one or 24 hours depending on the
nuance. Having multiple entities reporting the same event is troublesome, i.e., why does a RC have to report
an EEA if the BA is going to report it? This will lead to unnecessary and possibly conflicting reports for the
same event. Attachment 1 seems to be consolidating time frames from other standards into one for reporting.
However, this subject is more complex than this table reveals, and the table needs more clarification. Entities
that have information about possible sabotage events should report these to NERC after the fact, and the
standard should simply reflect that. While we agree with the list of functional entities identified in the
Applicability Section, we do not agree with their application in Attachment 1. As the functional entities are
identified in Attachment 1, it is likely that there is going to be duplicate reporting. Several of the events
require filing a written formal report within one hour. For example, system separation is going to require an
“all hands on deck” response to the actual event. The paragraph above the table in Attachment 1 indicates
that a verbal report would be allowed in certain circumstances, but this is the same issue with the formal
report in that the system operators are concerned with the event and not the reporting requirements. There is
already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements through NERC that cross federal agency jurisdictions.
Pacific Gas and Electric Company
No
PG&E recognizes the ERO is in R1, however, it does not see where the ERO’s applicability is applied in
Attachment 1.
Pacific Northwest Small Public Power Utility Comment Group
No
See #15
PNM Resources
No
PNM OTS does not see where the ERO’s applicability is applied in Attachment 1.
PPL Electric Utilities
No
While we agree with the applicable entities in the Applicability Section of the revised standard, we would like
the SDT to reconsider the applicable entities identified on Attachment 1, specifically regarding duplication of
reporting e.g. should TO and TOP report?
PPL Supply
No
While we agree with the list of functional entities identified in the Applicability Section, we do not agree with
assignment of applicable entities noted in Attachment 1. As the functional entities are identified in Attachment
1, there will likely be duplicate reporting for many impact events. By applying reporting responsibilities to both
the Gen Owner and Gen Operator, this will result in duplicate reporting for plants with multiple owners. It also
increases the burden on the Gen Operator who is required to report the event to NERC and to other Gen
Owners in a timely manner to allow other Gen Owners to meet the NERC reporting timeline. We suggest that
the reporting requirements associated with generators be applied to the Gen Operator only.
RRI Energy, Inc.
No
Agree with the "Applicability" section functional categories. Agree with the Attachment 1 lists of "Entity with
Reporting Responsibility," with the following exceptions: PART A "Damage or Destruction of BES Equipment" This item has a footnote 1 listed, but nothing at the bottom of the page for a footnote. Assuming the footnote
reference is intended to reference the "Examples" at the bottom of the page, the following concerns exist: (i)
"critical asset" - Is this term intended to reference a "Critical Asset" identified pursuant to the CIP-002 risk-based assessment methodology? If so, it should be capitalized. If not, who determines what constitutes a
lower case "critical asset"? (ii) "Significantly affects the reliability margin of the system..." - If this is intended
to be enforceable, several words need significant clarification and definition, such as "Significantly," "reliability
margin," "system" (BES?), "potential," and "emergency action." The combined ambiguity of just two of those
phrases would most likely result in a court holding this statement as so vague as to be unenforceable. The
combined lack of clarity of all the highlighted words or phrases render this sentence meaningless. (iii)
"Damaged or destroyed due to a non-environmental external cause" - "Non-environmental external cause"
should be a defined term because, as is the case in item (ii) above, it is vague and subject to broad, random
or arbitrary interpretation. Part B provides examples of "non-environmental physical threat" for "Risk to BES
equipment." Those examples could be referenced here, or different examples included that are more
applicable to the Event. The items highlighted in items (ii) and (iii) above are very similar to the unintended
string of CIP-001 violations that Registered Entities experienced in 2007 and 2008 for failing to provide their
own definition of "sabotage" under a sabotage reporting standard that failed to provide any guidance to the
industry within the standard as to what constituted "sabotage." PART B "Detection of a cyber intrusion to
critical cyber assets" - Capitalize "Critical Cyber Asset."
Santee Cooper
No
Standards cannot be applicable to an ERO because they are the compliance enforcement authority, and the
ERO is not a user, owner, or operator of the BES. Since we are reporting events that may affect the BES,
why does a DP need to be included as an applicable entity for this standard? If the DOE form is going to
continue to be required by DOE, then NERC should accept this form. Entities do not have time to fill out
duplicate forms within the time limits allowed for an event. This is burdensome on an entity. If NERC is going
to require a separate reporting of events from DOE, then NERC should look at these events closely to
determine if any of the defined events should be eliminated or modified from the current DOE form. (For
example: Is shedding 100 MW of firm load really a threat to the BES?) Why does Attachment 1 have multiple
entities reporting the same event? An RC should not have to report an EEA if the BA is required to report it.
This will lead to conflicting reports for the same event. Attachment 1 is just a consolidation of the time frame
from other standards. It appears no review was done for consistency of time frames for similar events.
SERC OC Standards Review Group
No
We find it interesting that the ERO is listed as an applicable entity. The ERO can’t be an applicable entity
because they are the compliance enforcement authority. The ERO is responsible for multiple requirements in
this standard that shape the ultimate actual rules that the other applicable entities would be required to meet.
NERC seems to be attempting to evade FERC jurisdiction by having a standard that enables it to write new
rules that don’t pass through the normal standards development process with ultimate approval by
FERC. Attachment 1 is troublesome. The time frames listed are not consistent for similar events. For
example, EEAs are either reported within one or 24 hours depending on the nuance. Having multiple entities
reporting the same event is troublesome, i.e., why does an RC have to report an EEA if the BA is going to
report it? This will lead to conflicting reports for the same event. Attachment 1 seems to be consolidating
time frames from other standards into one for reporting. However, we believe this subject is more complex
than this table reveals and the table needs more clarification or it should be eliminated and leave the time
frames in the other standards. Several of the events require filing a written formal report within one hour. For
example, system separation certainly is going to require an “all hands on deck” response to the actual event.
We note that the paragraph above the table in attachment 1 indicates that a verbal report would be allowed in
certain circumstances, but this is the same issue with the formal report in that the system operators are
concerned with the event and not the reporting requirements. There is already a DOE requirement to report
certain events. We see no need to develop redundant reporting requirements in the NERC arena that cross
other federal agency jurisdictions.
Southern Company - Transmission
No
We find it interesting that the ERO is listed as an applicable entity. The ERO is responsible for multiple
requirements in this standard that shapes the ultimate actual rules that the other applicable entities would be
required to meet. Can the NERC/ERO be accountable for a feedback loop to the industry? Feedback is
preferable but would NERC/ERO self-report a violation to the requirement?
We Energies
No
The need for a DP to be included needs to be clarified. The Purpose points to BES. A DP does not have
BES equipment.
WECC
No
The ERO’s applicability is not applied in Attachment 1.
Great River Energy
Yes
We believe that it is important for the ERO to provide valuable Lessons learned to our electrical industry, thus
enhancing the reliability of the BES.
Kansas City Power & Light
Yes
Consideration should be given to the need for a preliminary impact event report to be filed by the Reliability
Coordinator and the Registered Entity. If two reports should be filed, should they both contain the same
information.
MRO's NERC Standards Review Subcommittee
Yes
The NSRS believes it is important for the ERO to provide valuable Lessons learned to our electrical industry,
thus enhancing the reliability of the BES.
TransAlta Corporation
Yes
Electrical Reliability Organization (ERO) does not appear to be a defined term in the NERC Glossary of
Terms on the NERC website. Last updated April 20, 2010.
US Bureau of Reclamation
Yes
The question is focused on a limited area of Attachment A. The other problematic areas of Attachment 1
will be addressed in subsequent comments.
Ameren
Yes
ATCO Electric Ltd.
Yes
BGE
Yes
Bonneville Power Administration
Yes
City of Austin dba Austin Energy
Yes
City of Garland
Yes
Duke Energy
Yes
Dynegy Inc.
Yes
Green Country Energy
Yes
Idaho Power Company
Yes
Nebraska Public Power District
Yes
NERC Staff
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
Puget Sound Energy
Yes
Tenaska
Yes
United Illuminating
Yes
3. Do you agree with the requirement R1 and measure M1? Please explain in the comment box below.
Summary Consideration: There was no consensus amongst stakeholders who responded to this question. There was strong
support for a central system for receiving and distributing impact event reports (a/k/a one stop shopping). There was general
agreement that NERC was the most likely, logical entity to perform that function. However, several respondents expressed their
concern that the ERO could not be compelled to do so by a requirement in a Reliability Standard (not a User, Owner or Operator of
the BES). In their own comments, NERC did not oppose the concept, but suggested that the more appropriate place to assign this
responsibility would be the NERC Rules of Procedure. The DSR SDT concurs. The DSR SDT has removed the requirement from the
standard and is proposing to make revisions to the NERC Rules of Procedure as follows:
812. NERC will establish a system to collect impact event reports as established for this section, from any Registered Entities,
pertaining to data requirements identified in Section 800 of this Procedure. Upon receipt of the submitted report, the
system shall then forward the report to the appropriate NERC departments, applicable regional entities, other designated
registered entities, and to appropriate governmental, law enforcement, regulatory agencies as necessary. These reports
shall be forwarded to the Federal Energy Regulatory Commission for impact events that occur in the United States. This can
include state, federal, and provincial organizations. The ERO shall solicit contact information from Registered Entities
appropriate governmental, law enforcement and regulatory agencies contact information for distributing reports.
The DSR SDT also believes NERC’s additional concern about what data is applicable is addressed by the revisions to Attachment 1,
and the inclusion of the OE-417 as an acceptable interim vehicle.
Organization
Yes or No
Question 3 Comment
WECC
R1 is appropriate for after-the-fact reporting. However, as proposed this standard eliminates all real-time
notifications, including the CIP-001-1 R3 notice to appropriate parties in the Interconnection. New
requirement R2.6 lists external parties to notify but it does not include the Reliability Coordinator. It is
important that the RC be notified of suspected sabotage. The RC’s wide-area interconnection view and
interaction with BAs may help recognize coordinated sabotage actions. Any “impact event” where sabotage is
suspected as the root cause should require additional and real-time notifications.
ATC
No
ATC does not agree with R1 for three reasons: 1. The ERO cannot be assigned obligations in NERC
Standards. The requirements for the ERO should be addressed by a revision to Section 801 of the Rules of
Procedure. 2. This is a fill-in-the-blank requirement. The requirement, positioned as R1, does not allow for the
obligations to be clearly defined. It refers to R6 which refers to R2 and Attachment 1. A clearer structure to
the Standard would be to simply state that the Functional Entities have to meet the reporting obligations
documented in Attachment 1 and delete the current R1.
BGE
No
R1 With the definition of "Impact Event", are we eliminating the term "Disturbance Reporting"? If we
eliminate disturbance reporting, SDT should remove the reference from the Summary of Concepts and from
the title, otherwise further definition on the distinction between the two terms is needed. R1. What is the
"system" described here? What type of system is anticipated - electronic, programmatic or can it be better
described by using “standard reporting form”? M1. Needs to seek evidence that the "system" was used for
receiving reports, as well as distributing them. M1. Examples are more appropriately used in guidance
documentation than in the standard. Rationale for R1 - Final statement regarding OE-417 needs to be
removed. The ERO will establish the requirement in their “system” if the standard remains as is. The
Requirement does not require the responsible entities to send OE-417 to DOE.
CenterPoint Energy
No
The ERO does not need to establish a “system for receiving reports” as the “system for receiving reports” is
inherent given the requirements for reporting.
The requirement also seems to add redundancy versus
eliminating redundancy in the distribution of reports to applicable government, provincial or law enforcement
agencies on matters already reported by Responsible Entities. If an event is suspected to be an intentional
criminal act, i.e. “sabotage”, the Responsible Entity would have contacted appropriate provincial or law
enforcement agencies. The ERO is not in a position to add meaningful value to these reports as any
information the ERO may provide is second hand. CenterPoint Energy recommends R1 and M1 be deleted.
City of Garland
No
Reason 1: Most of this is duplication of existing processes - More “Big Government” and/or “Overhead” is not
needed. There are already processes in place to notify “real time” 24 X 7 organizations that take action (RC,
BA, TOP, DOE, FBI, Local Law Enforcement, etc) in response to an “impact event”. It is stated in your
document on page five (5) “The proposed standard deals exclusively with after-the-fact reporting.” The
combining of CIP 001 & EOP 004 should not expand on existing implemented reporting requirements nor
should it result in NERC forming a 24 X 7 department to handle 1 hour (near real time) reporting
requirements. Reason 2: If this should go forward as drafted, NERC should not establish a “clearing house” for
reporting requirements for Registered Entities without also taking legal responsibility for distributing those
reports to required entities. It states in at least 2 places (Page 6 & Page 22) in the document that Responsible
Entities are ultimately responsible for ensuring that OE-417 is received at the DOE. Thus, a Registered Entity
could be penalized for violating this new standard if it did not file the reports with NERC or it could still be
penalized (both criminal & civil) if they filed the reports with NERC but NERC (for whatever reason) did not
follow through with ensuring the report was properly filed at the DOE.
Consolidated Edison Co. of NY, Inc.
No
See response to Question 2.
Duke Energy
No
The requirement again states the intent is to “enhance and support situational awareness”, which doesn’t
sync with “after-the-fact reporting”. We question why NERC needs to create this report and system for
distributing impact event reports to various organizations and agencies for after-the-fact reporting, when we
are still required to make real-time reports under other standards. For example, the Rationale specifically
recognizes that this standard won’t release us from the DOE’s OE-417 reporting requirement. We don’t see
that this provides value, unless NERC can find a way to eliminate redundancy in reporting.
Electric Market Policy
No
Having the ERO as an applicable entity is concerning as they are also the compliance enforcement authority.
The ERO is responsible for multiple requirements in this standard that shape the ultimate actual rules that the
other applicable entities would be required to meet. Establishing and maintaining a system for receiving and
distributing impact events, per R1, would be done solely by the ERO, outside of NERC’s open process. At
this stage it is not clear how the ERO will develop or effectively maintain a list of “applicable government,
provincial or law enforcement agencies” for distribution as defined in R1. The “rationale for R1” states that
OE-417 could be included as part of the electronic form, but responsible entities will ultimately be responsible
for ensuring that OE-417 reports are received at DOE. This requirement needs to be more definitive with
respect to OE-417. It seems like the better approach would be for the entities to complete OE-417 form and
this standard simply require a copy.
ERCOT ISO
No
Recommend that requirements for the Electric Reliability Organization be removed. However, if the
requirements are retained, ERCOT ISO recommends the following wording change to be consistent with
other standards. “R1. The ERO shall create, implement, and maintain a system for receiving and distributing
impact event reports, received pursuant to Requirement R6, to applicable government, provincial or law
enforcement agencies and Registered Entities to enhance and support situational awareness.”
Exelon
No
This requirement should include explicit communications to the NRC (if applicable) of any reports including a
nuclear generating unit as a jurisdictional agency to ensure notifications to other external agencies are
coordinated with the NRC.
Depending on the event, a nuclear generator operator (NRC licensee) has
specific regulatory requirements to notify the NRC for certain notifications to other governmental agencies in
accordance with 10 CFR 50.72(b)(2)(xi). In general, the DSR SDT should include discussions with the NRC
to ensure communications are coordinated or consider utilizing existing reporting requirements currently
required by the NRC for each nuclear generator operator for consistency.
FirstEnergy
No
FirstEnergy proposes that requirement R1 and Measure M1 be deleted. A requirement assignment to the ERO
is problematic and should not appear in a reliability standard. The team should keep in mind that all
requirements will require VSL assignments that form the basis of sanctions. FE does not believe it is
appropriate for the ERO to be exposed to a compliance violation investigation as the ERO is not a functional
entity as envisioned by the Functional Model. If this "after-the-fact" reporting is truly needed for reliability then
the standard must be written in a manner that does not obligate the ERO to reliability requirements. It would
be acceptable and appropriate for a requirement to reference the "ERO Process" desired by R1, however,
that process should be reflected in the Rules of Procedure and not a reliability standard.
Indeck Energy Services
No
This standard is an inappropriate place to define this requirement. NERC needs to be held accountable, but it
should be independent of the standard. What if NERC fails to do it by the effective date of the standard, all
Registered Entities will violate the standard until NERC is done. The effective date needs to be set based on
NERC completing the system defined in R1.
Independent Electricity System
Operator
No
R1 does not directly convey the need for reporting. The requirement could be written to require the
responsible entities to report impact events to the ERO using a process to be described in the standard and
according to a set of reporting criteria. Whether or not there is a “system” makes little difference if it complies
with the requirement to provide the reports on time. In addition, an ERO established system which, without
being included in the standard and posted for public comment and eventually balloted, may not be acceptable
to the entities that are responsible for reporting to the ERO. Further, a reliability standard should not need to
bother with how the ERO disseminates this information to applicable government, provincial or law
enforcement agencies. This is the obligation of the ERO and if required, can be included in the Rules of
Procedure.
ISO New England Inc.
No
Having the ERO as an applicable entity raises a concern because they are also the Compliance Enforcement
Authority. The ERO is responsible for multiple requirements in this standard that shape the ultimate actual
rules that the other applicable entities would be required to meet. Establishing and maintaining a system for
receiving and distributing impact events, per R1, would be done solely by the ERO, outside of NERC’s open
process. At this stage it is not clear how the ERO will develop or effectively maintain a list of “applicable
government, provincial or law enforcement agencies” for distribution as defined in R1. The “rationale for R1”
states that OE-417 could be included as part of the electronic form, but responsible entities will ultimately be
responsible for ensuring that OE-417 reports are received at DOE. This requirement needs to be more
definitive with respect to OE-417. The better approach would be for the entities to complete OE-417 form and
this standard simply require a copy.
MidAmerican Energy
No
NERC Staff
No
NERC staff is concerned about this requirement’s applicability to the ERO. We feel that such a responsibility
needs mentioning in the Rules of Procedure, the Compliance Monitoring and Enforcement Program (CMEP),
or in a guideline document rather than in a standard requirement. Further, the requirement specifies “how” to
manage the event data, not “what” should be monitored.
North Carolina Electric Coops
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority.
Northeast Power Coordinating Council
No
Having the ERO as an applicable entity raises a concern because they are also the Compliance Enforcement
Authority. The ERO is responsible for multiple requirements in this standard that shape the ultimate actual
rules that the other applicable entities would be required to meet. Establishing and maintaining a system for
receiving and distributing impact events, per R1, would be done solely by the ERO, outside of NERC’s open
process. At this stage it is not clear how the ERO will develop or effectively maintain a list of “applicable
government, provincial or law enforcement agencies” for distribution as defined in R1. The “rationale for R1”
states that OE-417 could be included as part of the electronic form, but responsible entities will ultimately be
responsible for ensuring that OE-417 reports are received at DOE. This requirement needs to be more
definitive with respect to OE-417. The better approach would be for the entities to complete OE-417 form and
this standard simply require a copy.
Puget Sound Energy
No
The language of R1 and M1 does not support the DSR SDT’s goal of having a single form and system for
reporting. The standard should specify the form and system rather than deferring that decision to the ERO.
The language of R1 and M1 leaves the form and system to the ERO’s discretion, which could lead to multiple
forms and frequent revisions to them. This would lead to difficulties in tracking the reporting requirements. In
addition, it is impossible to comment intelligently regarding the overall impact of the proposed standard and its
requirements and measures without the reporting form and system being specified in the standard.
Santee Cooper
No
It cannot apply to the ERO.
SERC OC Standards Review Group
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority. The
governance in this situation appears incomplete.
US Bureau of Reclamation
No
This standard should describe the ERO process of event documentation, analysis, and dissemination.
Allowing the ERO to develop an event documentation, analysis, and dissemination process, which becomes a
requirement on the Entities, must be derived through the Standards Development Process. The requirement,
as it is currently worded, allows the ERO to develop standard requirements. If the intent is to only develop a
means of collecting, which does not impose a requirement, the wording should state so. Otherwise, if the
ERO wants to require that reports are posted to a specific location by the Entity, then it is a requirement and
must go through the Standards Development Process. Secondly, there is already a single reporting form
identified. It is not clear why the SDT could not accept that form as the reporting tool.
American Electric Power (AEP)
Yes
Overall we support the concepts; however, it is unclear if the ERO can be held accountable for compliance
with NERC Requirements. If this requirement is removed there needs to be some mechanism for the ERO to
establish a single clearinghouse.
City of Austin dba Austin Energy
Yes
Austin Energy would like to see OE-417 incorporated into the electronic form. This will reduce the callout of
EOP-004-2 and OE-417 forms in our checklists / documents and one form can be submitted to NERC and
DOE.
E.ON Climate & Renewables
Yes
A generic ERCO approved electronic (form that can be submitted on-line) reporting form will help to add more
clarity & consistency to the Impact event reporting process.
Georgia System Operations Corporation
Yes
Yes it would reduce duplication of effort and should ensure that the various entities and agencies all have
consistent information. It should be simpler and quicker to file than what is needed to meet the current
standard. However, the system should allow for partial reporting and hierarchical reporting. Entities up the
ladder in a reporting hierarchy may fill in additional info (usually from a wider scope of view) than what lower
level entities are aware of. It would be better for information to go up a hierarchy than for bits and pieces to go
to the ERO from many entities. Terminology may be different in each of the bits and pieces yet the same idea
may be intended. The ERO may mistake multiple reports as being different events when they are all related to
one event. The system should give an entity the ability to select the entities that should receive the impact
event report. If hierarchical reporting is not enabled by the system, then entities should be allowed to work out
a reporting hierarchy as a group and entities at lower levels should not be required to report over the NERC
system. Some higher level entity would enter the information on the NERC system as coordinated by the
entities within a group.
Idaho Power Company
Yes
The SDT must ensure that only a single form is required for compliance (such example OE-417)
IRC Standards Review Committee
Yes
Note that ERCOT does not sign on to this particular comment.
Kansas City Power & Light
Yes
Although we support situational awareness for the other registered entities, impact event reports should be
distributed anonymously to communicate the information while protecting the registered entity.
Manitoba Hydro
Yes
Yes, keeping R1 generic and pointing to “government”, “Provincial”, “law” encompasses all entities in all major
interconnections.
PacifiCorp
Yes
All efforts need to be made to include OE-417 reporting requirements to safeguard against duplicate reporting
and / or delinquent reporting. One report for all events is more preferable than multiple reports for one event.
RRI Energy, Inc.
Yes
While including the phrase "to enhance and support situational awareness" is a good use of the Results-Based Standards development tools and framework, the phrase is already included in the purpose statement.
As such, it is unnecessary in Requirement 1. If it were to be included in Requirement 1, then it would also
need to be included in each of the other Requirements 2 through 8. The "Purpose" statement captures this
aptly.
Southern Company - Transmission
Yes
We do have one concern in that we are hopeful that NERC will develop a system that will allow a one stop
shop of reporting.
Ameren
Yes
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
Bonneville Power Administration
Yes
Constellation Power Generation and Constellation Commodities Group
Yes
Dynegy Inc.
Yes
Great River Energy
Yes
Green Country Energy
Yes
Luminant Energy
Yes
Midwest ISO Standards Collaborators
Yes
MRO's NERC Standards Review Subcommittee
Yes
Nebraska Public Power District
Yes
Pacific Gas and Electric Company
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PNM Resources
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
Tenaska
Yes
TransAlta Corporation
Yes
United Illuminating
Yes
We Energies
Yes
4. Do you agree with the requirement R2 and measure M2? Please explain in the comment box below.
Summary Consideration: Most stakeholders who responded to this question indicated disagreement with Requirement R2 and
M2 as originally proposed. There were objections to the use of the term “Operating Plan” to describe the procedure to identify and
report the occurrence of a disturbance. The DSR SDT concurs, and Operating plan has been replaced with the generic term
“procedure” where appropriate believe that the use of a defined term is appropriate and has revised Requirement 1 to include
Operating Plan, Operating Process and Operating Procedure.
R1. Each Responsible Entity shall have an Impact Event Operating Plan that includes [Violation Risk Factor: Medium] [Time Horizon: Long-term Planning]:
1.1. An Operating Process for identifying Impact Events listed in Attachment 1.
1.2. An Operating Procedure for gathering information for Attachment 2 regarding observed Impact Events listed in Attachment 1.
1.3. An Operating Process for communicating recognized Impact Events to the following:
1.3.1. Internal company personnel notification(s).
1.3.2. External organizations to notify to include but not limited to the Responsible Entities’ Reliability Coordinator, NERC, Responsible Entities’ Regional Entity, Law Enforcement, and Governmental or Provincial Agencies.
1.4. Provision(s) for updating the Impact Event Operating Plan within 90 days of any change to its content.
Other requirements reference the Operating Plan as appropriate. The requirements of EOP-004 fit precisely into the definition of
Operating Plan:
Operating Plan: A document that identifies a group of activities that may be used to achieve some goal. An Operating Plan
may contain Operating Procedures and Operating Processes. A company-specific system restoration plan that includes an
Operating Procedure for black-starting units, Operating Processes for communicating restoration progress with other
entities, etc., is an example of an Operating Plan.
Note R2 has been moved to R1 due to elimination of original R1. Many commenters felt that the requirements around updating the
Operating Plan were too prescriptive, and impossible to comply with during the time frame allowed. The DSR SDT agrees, and
Requirement R2 Parts 2.5 through 2.9 have been eliminated. They have been replaced with Requirement R1, Part 1.4 to update the
Operating Plan within 90 days of any change to content.
Organization
Yes or No
Question 4 Comment
Bonneville Power Administration
As long as the 2.4 list is position based, not based on each individual that fills the position. (There is a
concern of listing all 2.4 monitoring/reporting personnel in the company that cover the impact event, since
there are different function groups and shift work. Documentation trails are difficult with personnel changes.)
Because the CIP is being added, it requires an Operating Plan (instead of procedure) with 30 day revision
timelines, so it increases the burden for electrical grid event reporting function. R2.9 language refers to R8
“annual” report; however R8 language is “quarterly” reporting of past year. It appears this standard is going to
be in an update status 4 times per year, plus any event modifications plus personnel changes. This could be
overly burdensome due to the expanding world of cyber security.
Ameren
No
While we agree with the intent to list certain minimum requirements for the Operating Plan, the draft list is too
lengthy and prescriptive. This merely creates opportunities for failure to comply rather than the real purpose of
reporting data that can be used to meaningfully increase the reliability of the BES by identifying trends of
events that may otherwise be ignored.
American Electric Power (AEP)
No
Component 2.2 “Method(s) of assessing cause(s) of impact events” is very vague. Furthermore, there are
concerns whether these methods can be accomplished within one hour as might be required per Attachment
1, in addition to operating the system. Component 2.6 - need to add the statement “as appropriate for type of
impact event”. Components 2.7 through 2.9 - are good concepts to consider for future inclusion, but at this
point in time these appear to be overreaching objectives. We recommend the SDT take smaller increments
towards future progress at a measured and reasonable pace. Furthermore, if Component 2.9 is retained it
should only pertain to lessons learned on the reporting of impact events not all recommendations regarding
remediation of the impact events themselves. Furthermore, the 30 day window to update the Operating Plans
is aggressive considering the other priorities that may be present day to day.
ATC
No
The requirement should be rewritten to simply state that the Functional Entity has to meet the reporting
obligations documented in Attachment 1. How the Functional Entity meets the obligations documented in
Attachment 1 should be determined by the Functional Entity, not the requirement. The prescriptive nature of
this requirement does not support the performance-based Standards that the industry and NERC are striving
towards. In addition, requirement 2.9 creates an alternate method for NERC to develop Standards outside of
the ANSI process. This requirement dictates that Functional Entities are required to incorporate lessons
learned from NERC reports into their Plan, which is a requirement of this Standard.
BGE
No
R2.1 Creates the opportunity for differences in identifying impact events. BGE recommends additional clarity
in the statement. Are we to use Attachment 1 as a “bright line” or can we use our Operating Plan to identify
what an impact event is? R2.4 - 2.6 Does a standard need to specify both internal and external lists? 2.7 - is
“component” defined anywhere? Is it a component of the BES or a component of the Operating Plan or a
component of the three lists in 2.4 to 2.6? Rationale --- Parts 3.3 and 3.4?? Do you mean 2.3 and 2.4? Is the
Operating Plan under scrutiny (mandatory and compensable) for all items in the last paragraph of the
rationale?
CenterPoint Energy
No
CenterPoint Energy does not agree with R2 and M2 as they are focused on process and procedure.
Compliance with a reporting requirement should be based on a complete and accurate report submitted in a
timely manner. The process an entity uses to accomplish that task is of no consequence. CenterPoint Energy
recommends R2 and M2 be deleted. However, if the SDT feels it is necessary to include this process based
requirement, CenterPoint Energy believes the SDT, in requiring an overly prescriptive Operating Plan, has
expanded the requirement beyond the current CIP-001-1 and EOP-004-1 which only require “...procedures for
the recognition of and for making operating personnel aware...” (CIP-001-1) and “...shall promptly analyze...”
(EOP-004-1). Specifically, R2.2 is not found in the current Standards. “Methods for assessing cause(s) of
impact events” would vary greatly depending upon the type and severity of the event. Responsible Entities
would have a difficult time cataloging these various methods to any specific degree and if they are not specific
then CenterPoint Energy questions their value in a documented method. R2.3 is not found in the current
Standards and is an unnecessary requirement as the method of notification is irrelevant so long as the
notification is made. R2.7, R2.8, and R2.9 are also unnecessary expansions beyond what is currently in
CIP-001-1 and EOP-004-1. CIP-001-1 requires the Responsible Entity review its procedures annually and
CenterPoint Energy believes this is sufficient. When taken in total, R2 requires seven (7) different processes,
provisions, and methods. CenterPoint Energy recommends R2.2, R2.3, R2.7, R2.8 and R2.9 be deleted and
believes this will not result in a reliability gap.
City of Garland
No
There are 4 “methods” and 2 “provision” required for this requirement - in other words, 6 “paperwork” items
that auditors will audit and likely penalize entities for. On page 1, the statement is made “...proposed standard
in accordance with Results-Based Criteria.” Having to have 4 methods and 2 provisions to end with a report
(all of which is paperwork) is not a “result based” standard. It is like being required to have a "plan to plan on
planning on composing and filing a report". Events need to be analyzed, communicated, and reported and
should be audited as such (results based) - not audited on whether they have a book filled with methods and
provisions.
Consolidated Edison Co. of NY, Inc.
No
Requirement R2
o Lead-in paragraph - Following the words “Attachment 1” add a period and the words “The Operating Plans shall” and then delete “that” and make “includes” singular.
o R2.1, 2.2, 2.3, 2.7 - Replace the word “Method(s)” with the word “Procedure(s)”.
o 2.6 - After the word “notify” add a period, then insert the words “For example, external organizations may include” and delete the words “to include but not limited to.”
o 2.8 - After the words “Operating Plan based on” add the word “applicable”.
Rationale R2
After the words “Every industry participant that owns or operates,” add the words “Bulk Electric System.” Then delete the
words “on the grid.”
Constellation Power Generation and Constellation Commodities Group
No
Constellation Power Generation and Constellation Commodities Group has several issues with this
requirement, but in general, this requirement is heavily prescriptive, administrative in nature, and is unclear
whether it will positively impact BES reliability. As examples of administrative requirements that have no
impact on reliability, please consider the following comments:
o Listing personnel in R2.4, - merely having a list of personnel does not add to the sufficiency of an Operating Plan, but it does create a burdensome
obligation to maintain a list. As well, specifying “personnel” may limit plans from designating job titles or other
designations that may more appropriately and consistently carry reporting responsibility in the Operating Plan.
o R2.5 is unclear as to the intent of the requirement - what is threshold of notification? Is the list to be those
that have a role in the event response or a list of all within the facility who may receive news notification of the
event? Also, as explained above for 2.4, a list is not beneficial to reliability, but is administratively
burdensome.
o What is the reasoning for the 30 day timeframe in R2.7 R2.8 and R2.9? The timeframe is not
based on a specific necessity, and creates an unreasonable time frame for changing the Operating Plan, in
particular if lessons learned are either short turn adjustments or comprehensive programmatic changes that
warrant more time to properly institute. In addition, coupled with other requirements (R4, R5, R8), the
updating requirements of R2.7, R2.8 and R2.8 potentially create a continually updating Operating Plan which
could create enough confusion to reduce the effectiveness of the Operating Plan. The updating and time
frame requirements do not impact reliability, but again impose significant administrative burden and
compliance exposure.
o R2.9 is particularly problematic for its connection to R8. R8 requires NERC to create
quarterly reports with lessons learned and R2.9 requires the registered entities to amend their Operating
Plans? What if NERC doesn’t write an annual or quarterly report? Are the registered entities out of
compliance?
The “summary of concepts” for this latest revision, as written by the SDT, includes the following
items:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around who will receive the information and how it will be used
Many of the sub-requirements in R2 do not
address any of these items and do not serve to establish a high quality, enforceable and reliability focused
standard. Constellation Power Generation therefore recommends that R2 be amended to read as follows:
R2. Each Applicable Entity identified in Attachment 1 shall have an Operating Plan(s) for identifying, assessing
and reporting impact events listed in Attachment 1 that includes the following components:
2.1. Method(s) for identifying impact events listed in Attachment 1
2.2. Method(s) for assessing cause(s) of impact events listed in Attachment 1
2.3. Method(s) for making internal and external notifications should an impact event listed in Attachment 1 occur.
2.4. Method(s) for updating the Operating Plan.
2.5 Method(s) for making operation personnel aware of changes to the Operating Plan.
Consumers Energy
No
R 2.7, R 2.8 and R 2.9 are creating a requirement to have procedures to update procedures. Having updated
procedures should be the requirement, no more.
Duke Energy
No
Sections 2.4 and 2.5 should allow identification of responsible positions/job titles rather than specific people.
Section 2.9 only allows 30 days for updates to our plan based upon lessons learned coming out of an annual
report. 60-90 days would be more appropriate. Also, Section 2.9 says it’s an annual report, while R8 only
requires quarterly reports.
Dynegy Inc.
No
For 2.7, 2.8, 2.9, 30 days is too stringent. Some changes may not warrant changes until a cumulative amount
of changes occur. Suggest making it no later than an annual review.
E.ON Climate & Renewables
No
Administrative burden to some of the components such as 2.5.
Electric Market Policy
No
This is an overly prescriptive requirement given the intent of this standard is after-the-fact reporting. The
requirement to create an Operating Plan lacks continuity with the ERO Event Analysis Process that is
currently slated to begin industry field testing on October 25, 2010. Suggest the SDT coordinate EOP-004-2
efforts with this process. R2.6 establishes an external organization list for Applicable Entity reporting, yet R1
suggests that external reporting will be accomplished via submittal of impact event reports. How will the two
requirements be coordinated? What governmental agencies are appropriate and how will duplicative
reporting be addressed (for example, DOE, Nuclear Regulatory Commission)? Also, in the “rationale for R2”,
please explain the reference to Parts 3.3 and 3.4.
ERCOT ISO
No
ERCOT ISO recommends the use of “Registered Entity” in place of “Applicable Entity”. This would provide
consistency with other requirements and Attachment 1. Recommend the following changes to the
subrequirements. “2.6. List of external organizations to notify to include but not limited to NERC, Regional
Entity, relevant entities within the interconnection, Law Enforcement, and Governmental or Provincial
Agencies.” “2.7. Process for updating the Operating Plan within 30 days of any changes not of an
administrative nature. This includes updates to reflect any lessons learned as a result of an exercise or actual
event.” Remove requirement 2.8 and move content to requirement 2.7. “2.8. Process for updating the
Operating Plan within 30 days of publication the NERC annual report of lessons learned.” Add “2.9. Process to
ensure updates are communicated to personnel responsible for under the Operating Plan within 30 days of
the change being completed.”
Exelon
No
R.2.4 and 2.5 - should not be required to have a list of internal personnel. If an entity has an Operating Plan
that covers internal and external notifications that should be sufficient. R2.2.7, 2.8, 2.9 - R4 requires an annual
drill. Updating the plan if required following an annual drill should be sufficient. Why does an entity need to
develop a stand alone Operating Plan if there is an existing process to address identification, assessing and
reporting certain events? 30 day implementation for a component change or lesson learned does not seem
reasonable or commensurate with the potential impact to the BES and should not be a required element of
EOP-004. What is the communication protocol for lessons learned outside of the annual NERC report? What
process will be followed and who will review, evaluate, and disseminate lessons learned that warrant updating
the Operating Plan?
FirstEnergy
No
The term Operating Plan(s) is not the appropriate term for this standard. These should be called Reporting
Plan(s). Operating Plans are usually designed to be applied during the operating timeframe. Parts 2.2 and 2.6
- We suggest changes to these two subparts as well as a new 2.2.1 and 2.6.1 as follows: 2.2. Method(s) for
assessing the initial probable cause(s) of impact events (Add) 2.2.1. Method(s) for assessing the external
organizations to be notified. 2.6. List of external organizations to notify in accordance with Part 2.2.1. to
include but not limited to NERC, Regional Entity, and Governmental Agencies. (Add) 2.6.1. Method(s) for
notifying Law Enforcement as determined by Part 2.2.1. Parts 2.4 and 2.6: This should be a list of job titles for
ease of maintenance. An entity may choose to use someone in a job position that is a 24 by 7 operation with
several personnel that cover that position over the 24 by 7 period. Listing each person by name should not
be required as personnel change while the operating responsibility related to the job title can remain constant.
We suggest changing the wording to "2.4. List of the job titles of internal company personnel responsible for
making initial notification(s) in accordance with Parts 2.5. and 2.6. 2.5. List of the job titles of internal company
personnel to notify." Part 2.6 - We are under the impression that the phrase "include but not limited to" should
not be used according to the NEW SDT guidelines. We suggest changing this to say "List of external
organizations to notify that includes at a minimum, NERC, Regional Entity, and Governmental Agencies. (A
provincial agency is a governmental agency)." Part 2.7. is overly burdensome. FE suggests the team revise to
simply reflect annual updates that should consider component changes and updates from lessons learned.
This also permits parts 2.8 and 2.9 to be deleted. FE proposes the following text for Requirement R2.7
"Annual review, not to exceed 15 months between reviews, and update as needed of the Reporting Plan that
considers component changes and continuous improvement changes from lessons learned." Parts 2.8 and 2.9
- FE proposes to delete part 2.8 and 2.9. We do not see a need for these changes since the plan must be
updated annually and will cover lessons learned.
Great River Energy
No
A. As detailed in R2, the Operating Plan shall contain provisions for “identifying, assessing, and reporting
impact events”. R2.8, and R2.9 do not have a correlation to R2’s Operating Plan. Where, R2.7 states to
update the Operating Plan when there is a component change. We believe that the components of this
Operating Plan are only 1) identifying impact events, 2) assessing impact events, and 3) reporting impact
events. R2.8 and R2.9 are based on Lessons Learned (from internal and external sources) and do not fit in
the components of an entity’s Operating Plan. R2.7 requires the Operating Plan to be updated. As written,
every memo, simulations, blog, etc that contain the words “lessons learned” would be required to be in your
Operating Plan. It is solely up to an entity to implement a “Lesson Learned” and not the place for this SDT to
require an Operating Plan to contain Lessons Learned. Recommend that R2.8 and R2.9 be deleted for this
requirement. If R2.8 and R2.9 are not removed, R5.3 will be in a constant state of change. B. In R2.8 &
R2.9, It may be difficult to implement lessons learned within 30 days. We suggest that lessons learned
should be incorporated within 12 calendar months if lessons learned are not deleted from the R2.8 & R2.9.
Green Country Energy
No
Highly administrative version of what could accomplish the same thing. A requirement that the applicable
entity shall make appropriate notifications as required by attachment A and B events. I can see the need for
review and lessons learned but that needs to be done at a higher level since many entities may be involved in
an "event"
Idaho Power Company
No
The SDT needs to clarify Requirement 2.9 references an annual report issued pursuant to requirement R8,
however Requirement 8 references a quarterly report. These requirements should have the same time
frames.
Indeck Energy Services
No
R2 needs to state that the Operating Plan needs to only those Attachment 1 events applicable to the
Registered Entity. The Operating Plan should contain a list of these events so that the other Requirements
can reference the Operating Plan and not Attachment 1 for the list of events. For example a GO/GOP <2,000
MW would not need to address this type of event and it wouldn't be listed in its Operating Plan. It would be
unnecessarily cumbersome, to describe events which are not covered within the Operating Plan.
Independent Electricity System Operator
No
R2 is not needed. An entity does not need to have an “operating plan” to identify and report on impact events;
it needs only to report on the events listed in Attachment 1 in a form depicted in Attachment 2. How does the
entity do this, and whether or not an operating plan is in place, or whether its staff is trained to provide the
report should not need to be included in a reliability standard for so long as the responsible entity provides the
report in the required form on time. If the responsible entity fails to report the listed events in the depicted
format, it will be found non-compliant, and that’s it - no more and no less. If the “operating plan” really means
an established data collection and reporting procedure, then the requirement should be revised to more
clearly convey the intent.
IRC Standards Review Committee
No
The SRC suggests that this is not, in fact, an Operating Plan. At most, it may be a reporting plan or reporting
procedure. Most of these requirements are administrative and procedural in nature and, therefore, do not
belong as requirements in a Reliability Standard. Perhaps they could be characterized as a best practice and
have an associated set of Guidelines developed and posted on the subject. As proposed, the Operating Plan
is not required to ensure bulk power reliability. As stated in the purpose of this standard, it does not cover any
real-time operating notifications for the types of events covered by CIP-001, EOP-004. The Operating Plan
requirements as proposed seem only to be suitable for real-time notifications. Since these incidents are
meant to be reportable after-the-fact, familiarity with the reporting requirements and time frames is sufficient.
Unlike the real-time operating notifications which have relatively short reporting time frames, there is sufficient
time for personnel to make appropriate communications within their organizations to make timely after the fact
reports under NERC Section 1600 authority. Would it be feasible for NERC to issue a standing requirement
for timely after-the-fact reports under NERC Section 1600 authority?
ISO New England Inc.
No
This is an overly prescriptive requirement given that the intent of this standard is after-the-fact reporting. The
requirement to create an Operating Plan is an unnecessary burden that offers no additional improvements to
the reliability of the Bulk Electric System, and this is not, in fact, an Operating Plan. At most, it may be a
reporting plan. Most of these requirements are administrative and procedural in nature and, therefore, do not
belong as requirements in a Reliability Standard. Perhaps they could be characterized as a best practice and
have an associated set of Guidelines developed and posted on the subject. As proposed, the Operating Plan
is not required to ensure Bulk Electric System reliability. As stated in the purpose of this standard, it does not
cover any real-time operating notifications for the types of events covered by CIP-001, EOP-004. Since
these incidents are meant to be reportable after-the-fact, familiarity with the reporting requirements and time
frames is sufficient. Stating reporting requirements directly in the standard would produce a more uniform and
effective result across the industry, contributing towards a more reliable Bulk Electric System. R2.6 establishes
an external organization list for Applicable Entity reporting, yet R1 suggests that external reporting will be
accomplished via submittal of impact event reports. How will the two requirements be coordinated? What
governmental agencies are appropriate, and how will duplicative reporting be addressed (for example, DOE,
Nuclear Regulatory Commission)? Also, in the “rationale for R2”, please explain the reference to Parts 3.3
and 3.4.
Kansas City Power & Light
No
We agree with the rationale for R8 requiring NERC to analyze Impact Events that are reported through R6
and publish a report that includes lessons learned but disagree with R2.9 obligating an entity to update its
Operating Plan based on applicable lessons learned from the report. Whether lessons learned are applicable
to an entity is subjective. If an update based on lessons learned from an annual NERC report is required, the
requirement should clearly state the necessity of the update is determined by the entity and the entity’s
Reliability Coordinator or NERC can not make that determination then find the entity in violation of the
requirement. In addition, if an update based on lessons learned from a NERC report is required, NERC
should publish the year-end report (R8) on approximately the same day annually (i.e. January 31) and allow
an entity at least 60 days to analyze the report and incorporate any changes it deems necessary in its
Operating Plan. In addition, the language using quarterly and annual as requirements between R2.9 and
R8 is confusing.
MidAmerican Energy
No
R2 and R5 coupled with R8 will drive quarterly updates (in addition to drills, etc) and training to the literally
hundreds to thousands of people per company for the proper internal operating personnel and management
will actually hurt the development of a culture of compliance by overwhelming personnel with constant plan
changes and training. The standards drafting team should remove all 30 day references or provide the
technical basis of why revising plans and training to “changes and lessons learned” quarterly all within 30
days is the right use of reliability resources to improve the grid. The addition of the 30 day constraints and new
vague criteria in Attachment one such as “damage to a BES element through an external cause” or
“transmission loss of multiple BES elements which could mean two or more” is the opposite of clear standards
writing or results based standards. We disagree with requiring an Operating Plan for identifying, assessing,
and reporting impact events. This is an administrative requirement that has no clear reliability benefit.
Furthermore, it is questionable that event reporting even meets the basic definition of an Operating Plan. Per
the NERC glossary of terms, Operating Plans contain Operating Procedures or Operating Processes which
encompass taking action real-time on the BES not reporting on it. As detailed in R2, the Operating Plan shall
contain provisions for “identifying, assessing, and reporting impact events”. R2.8, and R2.9 do not have a
correlation to R2’s Operating Plan. Where, R2.7 states to update the Operating Plan when there is a
component change, the components of this Operating Plan are only 1) identifying impact events, 2)
assessing impact events, and 3) reporting impact events. R2.8 and R2.9 are based on Lessons Learned
(from internal and external sources) and do not fit in the components of an entity’s Operating Plan. R2.7
requires the Operating Plan to be updated. As written, every memo, simulations, blog, etc that contain the
words “lessons learned” would be required to be in your Operating Plan. It is solely up to an entity to
implement a “Lesson Learned” and not the place for this SDT to require an Operating Plan to contain Lessons
Learned. Recommend that R2.8 and R2.9 be deleted for this requirement. If R2.8 and R2.9 are not
removed, R5.3 will be in a constant state of change. In R2.8 & R2.9, It may be difficult to implement lessons
learned within 30 days. The NSRS recommends to incorporate lessons learned within 12 calendar months if
lesson learned are not deleted from the R2.8 & R2.9.
Midwest ISO Standards Collaborators
No
We disagree with requiring an Operating Plan for identifying, assessing, and reporting impact events. This is
an administrative requirement that has no clear reliability benefit. Furthermore, it is questionable that event
reporting even meets the basic definition of an Operating Plan. Per the NERC glossary of terms, Operating
Plans contain Operating Procedures or Operating Processes which encompass taking action real-time on the
BES not reporting on it. What is an impact event? It appears that this undefined, ambiguous term was
substituted for sabotage which is also undefined and ambiguous. One of the SAR's stated goals was to
“provide clarity on sabotage events”. This does not provide clarity.
MRO's NERC Standards Review Subcommittee
No
A. As detailed in R2, the Operating Plan shall contain provisions for “identifying, assessing, and reporting
impact events”. R2.8, and R2.9 do not have a correlation to R2’s Operating Plan. Where, R2.7 states to
update the Operating Plan when there is a component change. The NSRS believes the components of this
Operating Plan are only 1) identifying impact events, 2) assessing impact events, and 3) reporting impact
events. R2.8 and R2.9 are based on Lessons Learned (from internal and external sources) and do not fit in
the components of an entity’s Operating Plan. R2.7 requires the Operating Plan to be updated. As written,
every memo, simulations, blog, etc that contain the words “lessons learned” would be required to be in your
Operating Plan. It is solely up to an entity to implement a “Lesson Learned” and not the place for this SDT to
require an Operating Plan to contain Lessons Learned. Recommend that R2.8 and R2.9 be deleted for this
requirement. If R2.8 and R2.9 are not removed, R5.3 will be in a constant state of change. B. In R2.8 &
R2.9, It may be difficult to implement lessons learned within 30 days. The NSRS recommends to incorporate
lessons learned within 12 calendar months if lesson learned are not deleted from the R2.8 & R2.9.
North Carolina Electric Coops
No
This requirement dictates details of documentation of after-the-fact reporting of events which cannot impact
reliability of the BES and, as such, should not be a reliability standard. The cost and burden of becoming
auditably compliant with this requirement can be extreme for small entities.
Northeast Power Coordinating Council
No
This is an overly prescriptive requirement given that the intent of this standard is after-the-fact reporting. The
requirement to create an Operating Plan is an unnecessary burden that offers no additional improvements to
the reliability of the Bulk Electric System, and this is not, in fact, an Operating Plan. At most, it may be a
reporting plan. Most of these requirements are administrative and procedural in nature and, therefore, do not
belong as requirements in a Reliability Standard. Perhaps they could be characterized as a best practice and
have an associated set of Guidelines developed and posted on the subject. As proposed, the Operating Plan
is not required to ensure Bulk Electric System reliability. As stated in the purpose of this standard, it does not
cover any real-time operating notifications for the types of events covered by CIP-001, EOP-004. Since
these incidents are meant to be reportable after-the-fact, familiarity with the reporting requirements and time
frames is sufficient. Stating reporting requirements directly in the standard would produce a more uniform and
effective result across the industry, contributing towards a more reliable Bulk Electric System. R2.6 establishes
an external organization list for Applicable Entity reporting, yet R1 suggests that external reporting will be
accomplished via submittal of impact event reports. How will the two requirements be coordinated? What
governmental agencies are appropriate, and how will duplicative reporting be addressed (for example, DOE,
March 1, 2011
82
Consideration of Comments on Disturbance & Sabotage Reporting— Project 2009-01
Organization
Yes or No
Question 4 Comment
Nuclear Regulatory Commission)? Also, in the “rationale for R2”, please explain the reference to Parts 3.3
and 3.4.
Pacific Gas and Electric Company
No
PG&E would like clarification on whether the 30 days, is calendar days or business days.
Pacific Northwest Small Public Power Utility Comment Group
No
See #15
Pepco Holdings, Inc - Affiliates
No
For R 2.7, 2.8 and 2.9, 30 days may be too short a time for large entities with multiple subsidiaries to do the
necessary notice and coordination. PHI suggests 90 days.
PNM Resources
No
PNM would like clarification on whether the 30 days, is calendar days or business days.
PPL Electric Utilities
No
While we agree with documenting our process, we feel the use of the defined term Operating Plan is not
required and possibly a misuse of the term. We would like to suggest using the term ‘procedure’.
Additionally, we would like the SDT to confirm/clarify whether Attachment 1 is a complete list of impact
events. Also, please confirm that the Proposed R2.1 language ‘Method(s) for identifying impact events’
means identifying impact event occurrence as opposed to identifying list of impact events. i.e. does R2.1
mean recognize impact event occurrence?
PPL Supply
No
While we agree with concept addressed in R2, we don't agree with use of the defined term Operating Plan.
Consider working the requirement as follows: "Each Applicable Entity identified in Attachment 1 shall have a
documented process or program that includes the following components:..." Also, please consider changing
2.1 to be "Method(s) for recognizing the occurrence of impact events." The current wording could be
interpreted to mean, "create a list of the impact events."
Puget Sound Energy
No
While the concept of an operating plan is reasonable, the requirements for update in sections 2.7, 2.8 and 2.9
will lead to an immense amount of work for the entities subject to the standard. In addition, constant revisions
to the operating plan makes it difficult to cement a habit through this procedure. The proposed update
schedule does not strike the appropriate balance between the need to respond to lessons learned and the
value of plan continuity.
RRI Energy, Inc.
No
1. R2 includes the phrase "for identifying, assessing and reporting," followed by R2.1 which states
"identifying," R2.2 which states "assessing" and both R2.3 and R2.6 state "notify" or "making internal and
external notifications" (i.e., reporting). The language is unnecessarily redundant. RECOMMENDATION:
Reword R2 phrase "for identifying, assessing and reporting," to simply state, "for addressing."
2. Rationale for R2 - The rationale section for R2 references in the third paragraph "Parts 3.3 and 3.4." Was
this intended to reference R2.3 and R2.4?
Santee Cooper
No
The words “operating plan” should be removed from the requirement. This standard deals exclusively with
after-the-fact reporting. This requirement is also overly prescriptive.
SERC OC Standards Review Group
No
This is an overly prescriptive requirement that dictates details of documentation and, as such, has no place in
a reliability standard. NERC needs to trust the RCs to do their jobs; this standard and this requirement in
particular seems to be attempting to codify the actions that an RC would take in response to an event. The
cost and burden of becoming auditably compliant with this requirement is extreme and unrealistic, especially
on small entities
Southern Company - Transmission
No
The Operating Plan has a different connotation for different operations folks. We suggest that we call it an
Impact Event Reporting Plan.
Tenaska
No
We have adequate compliance procedures already in place for the existing CIP-001-1 and EOP-004-1
Standards. The list of required “Operating Plan” components in the proposed R2 is too specific. Maintaining
the “Operating Plan” described in R2 would increase the burden on Registered Entities to comply with the
Standard and this type of "laundry list" Requirement would make it more difficult to prove compliance with
EOP-004-2 during an audit.
United Illuminating
No
R2.9 requires provisions to update the Operating Plan based on the annual ERO report developed in R8. The
ERO report does not appear to be providing lessons learned to be applied to the Operating Plan for impact
event reporting, but more focused on trends and threats to the BES. Also 30 days after the report is published
by NERC is not enough time for the entity to read, and assess the report, and then to administratively update
the Operating Plan. UI agrees that the Operating Plan should be reviewed annually and updated subsequent
to the review within 30 days.
US Bureau of Reclamation
No
R2 does not reconcile with Attachment A or the sub paragraphs. As an example, the requirement 2.6 states
"List of organizations to notify ...." All sub paragraphs use the term notify. Notify as used in Attachment A is
when a report cannot be provided in the time frame listed in Attachment A. Therefore there is no requirement
in this standard for the Operating Plan to have a provision for reporting. The subparagraph 2.8 indicates that
the Entity must update its plan based on the lessons learned published by NERC. It would be appropriate to
require a review and update of the plan based on the lessons learned.
We Energies
No
R2.3, R2.4: “Part” is not a defined term or used in the NERC Standard Process Manual. R2: Attachments are
not mentioned in the NERC Standard Process Manual. Is this a mandatory or informational part of the
standard? R2.6 (and possibly R2.5): There does not seem to be discretion in notifications. Are all people or
organizations on the notify lists always contacted for every impact event? Even Law Enforcement? R2.7:
What is a “component”? A Plan component? A BES component? R2.9: There is no annual NERC report
issued pursuant to R8. R8 requires quarterly reporting.
WECC
No
Need clarification on whether the 30 days is calendar days or business days. As noted in the comment to
question 3, any impact event where sabotage is suspected should be treated differently from those where
sabotage is not suspected.
Arizona Public Service Company
Yes
AZPS agrees with R2, however, the use of the term "Operating Plan" is confusing. A more accurate term
would be "Event Reporting Plan."
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Georgia System Operations Corporation
Yes
An entity-developed Operating Plan will allow the flexibility needed to address different entity relationships
around the country, e.g., generating companies, cooperatives, munis, large IOUs, small IOUs, RTOs/ISOs,
non-independent market area, and so on. However, all applicable entities should not be required to report
directly to NERC or the region. The system should allow for partial reporting and hierarchical reporting.
Entities within an area should be allowed to coordinate their plans to define reporting procedures within their
area. They could have an entity at some wide scope top level that reports to NERC and the region the
information collected from multiple narrow scope lower levels within their wide area. If every small lower level
entity directly reported to NERC and the Region, it could create situational confusion rather than situation
awareness.
Manitoba Hydro
Yes
R2 - 2.1 to 2.9 detail what is expected of an Operating Plan for Impact Events. The attachment 1 details the
event, the threshold parameters and time line. Though the threshold parameters in the attachment may be
questioned, this greatly clarifies the expectations of reporting events. Further events should be added to this
list: “Detection of suspected or actual or acts or threats of physical sabotage”
Luminant Energy
Yes
Nebraska Public Power District
Yes
NERC Staff
Yes
PacifiCorp
Yes
PacifiCorp
Yes
TransAlta Corporation
Yes
5. Do you agree with the requirement R3 and measure M3? Please explain in the comment box below.
Summary Consideration: There was no consensus amongst stakeholders who responded to this question. Requirement R3 has
been re-written to exclude the requirement to “assess the initial probable cause”. The only remaining reference to “cause” is in the
Impact Event Reporting Form (Attachment 2). Here, there is no longer a requirement to assess the probable cause. The probable
cause only needs to be identified, and only if it is known at the time of the submittal of the report.
Organization
Yes or No
Question 5 Comment
Ameren
No
There are too many missing details on how this will be accomplished. As stated before, this Draft requires
too much time be invested in verbal reports, "Preliminary" reports, "Final" reports and even "Confidential"
reports (Attachment 2). If the goal is to report ASAP details on events which could impact BES reliability, all
of these reports will need to be made at the worst possible time - when Operators are trying to collect data,
analyze what they find and correct major problems on the system. And if the reports are wrong or not issued
fast enough, the Operators will be keenly aware of potential fines and violations.
American Electric Power (AEP)
No
Not clear how this is different from R6 since it relies on the same timetable in Attachment 1.
ATC
No
ATC believes that this requirement should be deleted and that the SDT should coordinate its goal with the
EAWG. We believe that the lessons learned process and identification of root cause is better covered under
that process than through the NERC Mandatory Standards.
BGE
No
R3. Limits responsibility to Attachment 1 events only and mandates that an “initial probable cause” be
identified. Are we at liberty to define “initial probable cause” and define time period for completion in the
Operating Plan? BGE believes this could cause wide difference between Operating Plans and the standard
should be more prescriptive by relating to a time-table for the life of an impact event, including expected
identification time, initial assessment time and analysis time leading to the reporting deadlines. BGE
recommends not including examples of evidence in a measure but include it in a Guideline. Including in a
measure will be translated as a requirement by an auditor.
CenterPoint Energy
No
CenterPoint Energy does not agree with R3 and M3 as written as the Company does not agree with the
requirement to have an Operating Plan (see comments to Q4 above). However, if R2 and M2 were to be
deleted, and R3 was revised to read; “Each Applicable Entity shall identify and assess initial probable cause
of events listed in Attachment 1.”, CenterPoint Energy could agree with this requirement.
City of Garland
No
Should be part of R2 or R6 - this is unnecessary duplication
Constellation Power Generation and Constellation Commodities Group
No
This requirement introduces double jeopardy for registered entities. If an entity does not include methods for
identifying impact events and for assessing cause per R2.1 and R2.2 in their Operating Plan, they will be out
of compliance with R2. Without the methods in R2 the registered entity is out of compliance with R3 as well
for failing to identify and assess. Constellation Power Generation therefore recommends that R3 be amended
to be incremental to R2 and read as follows: R3. Each Applicable Entity shall implement their Operating
Plan(s) to identify and assess cause of impact events listed in Attachment 1.
Electric Market Policy
No
We think “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to
build audit ready compliant procedures.
ERCOT ISO
No
ERCOT ISO recommends the use of “Registered Entity” in place of “Applicable Entity”. This would provide
consistency with other requirements and Attachment 1. The measure for this requirement notes the obligation
for “documentation”. This is not addressed in the requirement. The measure also notes “on its Facilities”. This
clarification of scope should be addressed in the requirement. R3. Each Registered Entity shall identify,
assess, and document initial probable cause of impact events on its Facilities listed in Attachment 1.
Exelon
No
Agree that Each Applicable Entity shall identify and assess initial probable cause of impact events; disagree
with aspects and time requirements in Attachment 1.
FirstEnergy
No
M3 - Power flow analysis would be used to assess the impact of the event on the BES, not to determine initial
probable cause. It is more likely that DME would provide the data for the initial probable cause evaluation. We
suggest rewording M3 as follows: "To the extent that an Applicable Entity has an impact event on its Facilities,
the Applicable Entity shall provide documentation of its assessment or analysis. Such evidence could include,
but is not limited to, operator logs, voice recordings, or disturbance monitoring equipment reports. (R3)"
Green Country Energy
No
Actually yes and no... An event may be caused, analyzed and corrected by one entity but most likely it will
involve more. Low Voltage or frequency may not be caused by a generator but the generator will see the
event and to have the generator assess the probable cause seems inappropriate. I can see reporting the
event and duration and making notifications.
Indeck Energy Services
No
R3 should reference the events covered by the Operating Plan, as listed in it, rather than in Attachment 1. If
the Plan is deficient, it is a violation of R2 and not every other Requirement that references the Plan.
Independent Electricity System Operator
No
We agree that the responsible entity needs to identify and assess initial probable cause of impact events but
not in accordance with any operating plan in R2. Each operating entity (RC, BA, TOP) has an inherent
responsibility to identify the cause of any system events to ensure it complies with a number of related
operational standards. R3, in fact, could be revised to require the Responsible Entity to include the probable
cause of impact events in its report, rather than asking it to “identify and assess” since this is not measurable.
Also, the ERO may be removed from the Applicability Section depending on the response to our comments
under Q9.
IRC Standards Review Committee
No
Although it is useful for entities to make an initial assessment of a probable cause of an event, this
requirement should stand alone and does not need to be tied to requirement R2, Operating Plan. Quite often,
it takes quite some time for an actual cause to be determined. The determination process may require a root
cause analysis of some complexity. Further, in the case of suspected or potential sabotage, the industry can
only say it doesn’t know, but it may be possible. It really is the law enforcement agencies who make the
determination of whether sabotage is involved and the info may not be made available until an investigation is
completed, if indeed it is ever made available.
ISO New England Inc.
No
We think “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to
build auditable compliance procedures. Although it is useful for entities to make an initial assessment of a
probable cause of an event, this requirement should stand alone and does not need to be tied to requirement
R2, Operating Plan. Quite often, it takes a considerable amount of time for an actual cause to be determined.
The determination process may require a complex root cause analysis. Further, in the case of suspected or
potential sabotage, the industry can only say it doesn’t know, but it may be possible. Law enforcement
agencies make the determination of whether sabotage is involved, and the information may not be made
available until an investigation is completed, if indeed it is ever made available.
Kansas City Power & Light
No
We believe R3 and M3 are unnecessary as a stand alone requirement and measure and propose combining
this requirement and measure with R6 and M6. Identifying and assessing the initial probable cause of an
impact event is the obvious starting point in the reporting process and ultimate completion of the required
report. Evidence to support the identification and assessment of the impact event and evidence to support
the completion and submittal of the report are really one in the same.
Manitoba Hydro
No
Though each local entity should identify and assess initial probable cause of impact events as per their
Operating Plan, the creation of this Operating Plan could be labor intensive and also guidelines for
consistency within an RC region should be created. So “NO” is entered simply because a large time line would
be needed to properly and efficiently implement R3 and R4.
MidAmerican Energy
No
Midwest ISO Standards Collaborators
No
While we agree that it makes sense to report on the cause of an event, we disagree with the need for an
Operating Plan as identified in R2.
North Carolina Electric Coops
No
The term “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to
build auditably compliant procedures and give guidance on what is proper to report.
Northeast Power Coordinating Council
No
“Impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to build
auditable compliance procedures. Although it is useful for entities to make an initial assessment of a probable
cause of an event, this requirement should stand alone and does not need to be tied to requirement R2,
Operating Plan. Quite often, it takes a considerable amount of time for an actual cause to be determined.
The determination process may require a complex root cause analysis. Further, in the case of suspected or
potential sabotage, the industry can only say it doesn’t know, but it may be possible. Law enforcement
agencies make the determination of whether sabotage is involved, and the information may not be made
available until an investigation is completed, if indeed it is ever made available.
Pacific Northwest Small Public Power Utility Comment Group
No
Comments: When applying R3 to row 11 of attachment 1, the comment group notes that applicable entities
are expected to assess probable cause of BES equipment damage, including that which may be the result of
criminal behavior. At best this would needlessly duplicate the efforts of law enforcement. A more likely result
is that entity involvement would interfere with law enforcement and ultimately hinder prosecution of those
responsible. Also See #15
PPL Electric Utilities
No
We believe the rationale for R3 is good and provides value. However, we feel the clarity was lost when the
rationale was translated to the standards language. Please consider revising language to refocus on
rationale of assess and report per Attachment 1 as opposed to identify. We suggest changing the word
“identify” to “recognize” and add the Rationale statement to the requirement as follows: “Each Applicable
Entity shall assess the causes of the reportable event and gather available information to complete the
report.”
PPL Supply
No
Please consider changing the word "identify" to "recognize" and adding the Rationale statement to the
requirement as follows: "Each Applicable Entity shall assess the causes of the reportable event and gather
available information to complete the report."
RRI Energy, Inc.
No
"Identify and assess" - Auditors are as much in need of clearly worded, unambiguous Reliability Standards
as are Registered Entities. This phrase leaves much too wide a range of interpretations, almost guaranteeing
regular and frequent disagreements during an audit between Registered Entity and Regional Entity auditor as
to what constitutes "identify and assess" sufficient to meet the intent of this Requirement. Compounding this
issue is the Rationale for R3 that states an Applicable Entity (which should probably read "applicable
Functional Entity") should "gather enough information to complete the report that is required to be filed."
While Rationale statements are not technically part of the standard, this emphasizes the current wording of
the requirement as subject to random and arbitrary interpretation by auditors and Registered Entities.
RECOMMENDATION: Change "identify and assess" to "document," so that the Requirement now reads
"Each Applicable Entity shall document initial probable cause of impact events..." including an option for
"cause not determined".
Santee Cooper
No
Does the initial probable cause have to be reported within the timing associated in Attachment 1? Entities
may not have enough information that soon to report the initial probable cause. This should be done with
events analysis.
SERC OC Standards Review Group
No
We think “impact event” needs to be defined in the NERC Glossary to provide the clarity the industry needs to
build auditably compliant procedures.
Tenaska
No
The probable cause of a reportable event is already required to be submitted on the OE-417 form. This
Requirement is redundant.
TransAlta Corporation
No
Clarity required: Does an entity have to report on the cause of every “applicable” impact event they witness
even though the event did not originate at their plant, system or region and did not adversely affect them?
Essentially this would require every entity that witnessed an “applicable” event to report on its cause. In most
cases they will not know the cause if they did not create the event. Measure M3 should reference Attachment
1 to indicate the ‘Time to Submit Report’.
We Energies
No
A DP may not have Facilities (a BES element). See NERC Glossary definition of Facility.
Bonneville Power Administration
Yes
Known causes are difficult under 1 hour reporting requirements. (Unusual events are even harder to narrow
down in 24 hours and may take weeks.)
Consolidated Edison Co. of NY, Inc.
Yes
We agree, however, the term “impact event” must be part of the NERC glossary.
Georgia System Operations Corporation
Yes
It directly supports the purpose of the standard.
Great River Energy
Yes
While we agree that it makes sense to report on the cause of an event, we disagree with the need for an
Operating Plan as identified in R2
MRO's NERC Standards Review Subcommittee
Yes
The NSRS thanks the SDT for stating “initial probable cause” as this is in direct correlation to the Purpose
which states “known causes”.
Puget Sound Energy
Yes
However, this requirement doesn't address the timing required for this analysis. This may be intentional and
appreciated because at times the analysis can take months when the events are complex in nature.
US Bureau of Reclamation
Yes
This is provided that the report submitted in Attachment A does not include the probable cause. It is highly
unlikely that a probable cause may be determined within the reporting timelines.
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Duke Energy
Yes
Dynegy Inc.
Yes
Idaho Power Company
Yes
Luminant Energy
Yes
NERC Staff
Yes
Pacific Gas and Electric Company
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PNM Resources
Yes
Southern Company - Transmission
Yes
United Illuminating
Yes
WECC
Yes
6. Do you agree with the requirement R4 and measure M4? Please explain in the comment box below.
Summary Consideration: Note R4 has been moved to R3 due to rearranging of requirements. The DSR SDT did a full review
based on comments that were received. R3 now is streamlined to read:
R3. Each Responsible Entity shall conduct a test of its Operating Process for communicating recognized Impact Events created
pursuant to Requirement R1, Part 1.3 at least annually, with no more than 15 months between such tests. The testing of the
procedure (as stated in R1) is the main component of this requirement. Several commenters provided input that too much “how”
was previously within R3 and the DSR SDT should only provide the “what”. The DSR SDT did not provide any prescriptive guidance
on how to accomplish the required verification within the rewrite. Testing of the entity’s Operating Process (R1) could be by an
actual exercise of the process (testing as stated in FERC Order 693 section 471), a formal review process or real time implementation
of the process. The DSR SDT reviewed Order 693 and section 465 directs that processes “verify that they achieve the desired result”.
This is the basis of R3, above.
Organization
Yes or No
Question 6 Comment
Ameren
No
Establishing a program with trigger actions expected to require reporting several times a year, combined with
adequate initial, and on-going, training should preclude the need for mandatory drills as an added compliance
burden.
ATC
No
We do not believe that a drill that exercises a written reporting obligation will add additional reliability to the
BES.
BGE
No
M4. BGE recommends not including examples of evidence in a measure but include it in a Guideline.
Including in a measure will be translated as a requirement by an auditor. Rationale for R4: If multiple
exercises are performed are all of them subject to the sub-R2 requirements and to audit/audit findings?
Bonneville Power Administration
No
There was no drill required for CIP-001 (a drill was in CIP-008, but the purpose did not list combining
CIP-008). A drill is not needed for reporting Electrical Grid events, designate it as excluded in the intent of the
requirement.
CenterPoint Energy
No
CenterPoint Energy does not agree with R4 and M4. See comments to Q4 above. In addition to the process
vs. results based issue stated above, CenterPoint Energy believes conducting a drill to verify recognition,
analysis, and reporting procedures is a waste of valuable resources and time.
City of Garland
No
Existing CIP 001 and EOP 004 are reporting standards - neither currently requires annual drills or exercises.
Combining these two (2) should not entail expanding the requirements to include drills or exercises. There are
existing drills / exercises that must be performed annually for compliance with CIP 008 & CIP 009 which
require the same basic identifying, assessing, developing lessons learned, responding, and reporting skill
sets. Requiring additional drills or exercises for this new combined standard will provide additional “business
overhead” that results in basically nothing that is not obtained by the CIP 008 / 009 drills as far as securing or
making the BES reliable. It does, however, result in additional audit risk at audit time.
Constellation Power Generation and Constellation Commodities Group
No
It is not clear how this requirement to conduct drills and exercises relates to the concepts spelled out by the
SDT:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric
system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion
of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around of who will receive the information and how it will be used
R4 does not address any of the above items and should therefore be removed from this standard.
Consumers Energy
No
NERC should either standardize on a 12 month year or an annual year for reviews.
Dynegy Inc.
No
What is the basis for the drill being annual? This is too stringent. I suggest it be every 3 years.
Electric Market Policy
No
The need for a periodic drill has not been established and appears to be overly restrictive given the intent of
the standard is reporting of impact events. Suggest this requirement be eliminated.
ERCOT ISO
No
ERCOT ISO believes that a drill or exercise of its Operating Plan is unnecessary. The intent of the drill can be
addressed within the training requirements under R5.
Exelon
No
If drills remain as a component of the standard, an effort to consolidate updating an entity's plan with a
requirement to drill the plan should be made. Each entity/utility should be able to dictate/determine if they
need a drill for a particular event. Is this document implying a drill for every type of event?
FirstEnergy
No
FE suggests that this requirement be deleted. FE does not see a reliability need for conducting a drill on
reporting. This is overly burdensome and should not be included within this reliability standard. Training on
the plan and periodic reminder of reporting obligations should suffice.
Great River Energy
No
We disagree with the need to conduct a drill for reporting
Green Country Energy
No
Another training requirement with what benefit? We must train on all of our NERC requirements now anyway
to ensure compliance and that's not a requirement, that's implied and I think that's enough.
Indeck Energy Services
No
In M4, it is suggested that data from a real event would be evidence. R4 should be satisfied if the Operating
Plan is used for a real event within 15 months of the last drill or event.
Independent Electricity System Operator
No
Along the line of our comments on R2 for an operating plan (whose need we do not agree with), a drill,
exercise, or Real-time implementation of the Operating Plan for reporting is also not necessary.
IRC Standards Review Committee
No
Similar to our comments on R2 for an Operating Plan, a drill, exercise, or Real-time implementation of its
Operating Plan for reporting is unnecessary. Such things are really training practices. There are already
existing standards requirements regarding training. There is no imminent threat to reliability that requires
these events to be reported in a short time frame as may be required for real-time operating notifications.
ISO New England Inc.
No
The need for a periodic drill has not been established, and appears to be overly restrictive given the intent of
the standard is the reporting of impact events. Suggest this requirement be eliminated.
Similar to our comments on R2 for an Operating Plan, a drill, exercise, or Real-time implementation of its
Operating Plan for reporting is unnecessary. Such things are training practices. There are already existing
standards requirements regarding training. There is no imminent threat to reliability that requires these events to be
reported in as short a time frame as may be required for real-time operating conditions notifications.
Kansas City Power & Light
No
We believe R4 and M4 are clearly unnecessary. Thoughtful preparation of an Operating Plan per R2 that
specifically addresses personnel responsibilities and appropriate evidence gathering combined with the
training requirement in R5 is sufficient.
Luminant Energy
No
We support the requirements outlined in R2 which create significant obligations to maintain and update the
required Operating Plan. However, we believe annual drilling for a reporting process seems unnecessary,
particularly given the response horizon of 24 hours for the majority of impact events. If drilling is required, the
standard should allow actual events to fulfill a drilling requirement as stated in the Rationale for R4 and within
the text of M4.
Manitoba Hydro
No
Drills and exercise for implementation of the Operating Plan are important and critical, but as in question 5, or
Requirement R3, careful and detailed creation of the Operating Plan is crucial to facilitate proper training,
drills and exercises. So “NO” is entered simply because a large time line would be needed to properly and
efficiently implement R4 and R3.
MidAmerican Energy
No
Midwest ISO Standards Collaborators
No
We disagree with the need to conduct a drill for reporting.
North Carolina Electric Coops
No
Requiring a drill for “reporting” is unnecessary and burdensome. Reporting is covered in processes and
procedures and during the normal training cycle. We recommend the elimination of this requirement.
Northeast Power Coordinating Council
No
The need for a periodic drill has not been established, and appears to be overly restrictive given the intent of
the standard is the reporting of impact events. Suggest this requirement be eliminated.
Similar to our comments on R2 for an Operating Plan, a drill, exercise, or Real-time implementation of its
Operating Plan for reporting is unnecessary. Such things are training practices. There are already existing
standards requirements regarding training. There is no imminent threat to reliability that requires these events to be
reported in as short a time frame as may be required for real-time operating conditions notifications.
Pacific Gas and Electric Company
No
PG&E believes the addition of a drill constitutes additional training and should be added to R5. PG&E is
concerned as to who the target audience for this annual training would affect.
Pacific Northwest Small Public Power Utility Comment Group
No
See #15
PNM Resources
No
PNM feels the addition of a drill or exercise constitutes additional training and believes R4 should be added to
R5. The WECC OTS also is interested as to what level does the annual training target, for instance, the field
personnel. Will they have to complete the exercise/drill?
RRI Energy, Inc.
No
Every employee in a Registered Entity might potentially have exposure to an impact event, and therefore
result in a list of thousands of employees subject to the EOP-004-2 Operating Plan. Does this mean, for
example, an applicable Functional Entity with 3,000 employees, each capable of potentially observing an
impact event, must include them in the drill, exercise, or Real-Time implementation? Such an expectation
would require a hypothetical email notice to be sent to 3,000 employees, advising them "This is a test - You
observe a suspicious vehicle driving around the fence of your power plant. Perform the next action you
should take."
The result in this hypothetical might be 3,000 phone calls and emails to the responsible
employee in the applicable Functional Entity, each needing to be documented and retained for the audit
period. As stated above in question 5, auditors need guidance as much as Registered Entities. Otherwise, it is
observed that they will seek the most stringent approach they observe from the best of the best practices over
the first year of implementation and apply that expectation as the base-case, under which all other
approaches will be deemed violations.
Santee Cooper
No
There is no need to drill for administrative reporting! This requirement should be deleted.
SERC OC Standards Review Group
No
We think this requirement is unclear - we think it requires a drill for “reporting”, which seems absurd! We
recommend the elimination of this requirement.
Tenaska
No
This Requirement is too specific and places additional burdens on Registered Entities.
US Bureau of Reclamation
No
There is no rationale offered on why 15 months was selected. Without a defined basis the time period is
arbitrary. It would be appropriate to let the Entity determine and document the time interval. That would allow
the time frame to be sensitive to the complexity of the Operating Plan. Some entities are geographically
dispersed and a single Operating Plan may be difficult to test at one time or within 15 months. The allowance
for real time events or actual use is a good move and may make it easier to define a suitable time frame by the
Entity.
WECC
No
The addition of a drill or exercise constitutes additional training and believes R4 should be added to R5.
Clarification is needed as to what level does the annual training target, for instance, the field personnel. Will
they have to complete the exercise/drill?
American Electric Power (AEP)
Yes
Arizona Public Service Company
Yes
AZPS agrees with R4, however, the use of the term "Operating Plan" is confusing and leads one to believe an
Operating Drill is necessary for a "reporting plan drill."
A more accurate term to use would be "Event
Reporting Plan."
Georgia System Operations
Corporation
Yes
We agree with R4 with "... at least annually, with no more than 15 months ..." replaced with "... at least once
per calendar year, with no more than 15 months ..." as in R5.
MRO's NERC Standards Review Subcommittee
Yes
The NSRS agrees that to enhance reliability and situational awareness of the BES, the Operating Plan be
exercised once per calendar year.
United Illuminating
Yes
Suggest R4 be improved to state that a Registered Entity is only required to conduct a drill or execute
real-time implementation of the Operating Plan for one impact event listed in the attachment. In other words the
Registered Entity is not required to drill on reporting each type of impact event on an annual basis.
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Consolidated Edison Co. of NY, Inc.
Yes
Duke Energy
Yes
Idaho Power Company
Yes
NERC Staff
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
Puget Sound Energy
Yes
Southern Company - Transmission
Yes
TransAlta Corporation
Yes
We Energies
Yes
7. Do you agree with the requirement R5 and measure M5? Please explain in the comment box below.
Summary Consideration:
Most stakeholders who responded to this question indicated disagreement with the originally
proposed Requirement R5 and Measure M5. (Note: R5 has been moved to R4 in the revised standard.) The DSR SDT did a full
review based on the comments that were received. The major issues raised by commenters were R5.3 and R5.4 and their
contents. Upon detailed review, the DSR SDT agrees with the majority of comments received on R5.3 and R5.4 and has removed
them completely from the Standard. Training is still the main theme of this requirement as it pertains to the personnel in the
procedure (R1). R4 is now streamlined to read:
R4. Each Responsible Entity shall review its Impact Event Operating Plan with those personnel who have responsibilities
identified in that plan at least annually with no more than 15 calendar months between review sessions
Organization
Yes or No
Question 7 Comment
Green Country Energy
Same as my comment for question 6
Arizona Public Service Company
No
AZPS believes the required training is too restrictive for minor changes/edits to the Event Reporting Plan.
ATC
No
ATC believes it is an inherent obligation of all Functional Entities to train their appropriate staff to meet all
applicable NERC Standards. Including a training requirement in some, but not all, Standards implies that the
other Standards do not necessitate training. Although this is an important Standard and one that should be
included in a Functional Entities’ training program, ATC does not believe that this Standard is more important
than the other NERC Standards and, therefore, requires a separate training provision.
ATCO Electric Ltd.
No
R5.3 requires an entity to conduct training within 30 days of a revision to the Operating Plan. For an entity
that covers a wide area, 30 days may not be sufficient to reach all employees.
BGE
No
Suggested revision to clarify R5: Each Applicable Entity shall provide training to all internal personnel
identified in its Operating Plan on the Operating Plan annually. Training is only on Reporting, pursuant to R2,
not on the Operating Plan? BGE does not believe the SDT needs to identify sub bullets on this requirement.
R5.1 is not logical --- what does it mean?
CenterPoint Energy
No
CenterPoint Energy believes that R5 and M5 are not necessary and should be deleted. CenterPoint Energy
supports an entity training its staff in any reporting responsibilities; however, such training should be the
responsibility of each entity and such requirements do not belong in a NERC standard. In addition,
CenterPoint Energy believes any necessary training requirements are covered in the PER Standards and
therefore the addition of this requirement adds redundancy to the Standards. If a majority of the industry
supports such a requirement, CenterPoint Energy cannot support R5 and M5 as written as we do not agree
with the requirement to develop and maintain an Operating Plan (see comments to Q4 above). CenterPoint
Energy offers the following alternate language: “Each Applicable Entity shall provide training concerning
reporting requirements contained in this Standard to internal personnel involved in the recognition or analysis
of events listed in Attachment 1.”
City of Garland
No
This expands beyond the original CIP 001 and EOP 004 - neither explicitly requires training - combining does
not mean expanding. In reality, what practical skill are you going to train on? People who perform the analysis
on an event are going to have job specific training external to this standard and those same folks will maintain
their skill set external to this standard. If it is going to be a results based criteria standard, then let the entities
be responsible. Training on methods to fill out and file paper work does not make the BES more reliable. The
vast majority of other standards do not have a training requirement section and yet, entities manage to be
compliant with those standards. Compared to all the other reliability standards and their requirements, are
penalties for training on filling out paper work really making the BES more secure and reliable?
Consolidated Edison Co. of NY, Inc.
No
Requirement 5 - Training should be targeted only at those responsible for implementing the Operating Plan
(OP), not all those mentioned in the OP.
R5 - After the words “internal personnel” add the words “responsible for implementing.” Then delete the words
“identified in” and “for reporting pursuant to Requirement R2.”
5.4 - Following the words “For internal personnel” add the words “responsible for implementing the Operation
Plan.” Between the words “revised responsibilities” add the word “implementation.”
M5 - After the words “between the people” add the words “responsible for implementing the Operating Plan”
Constellation Power Generation and Constellation Commodities Group
No
Constellation Power Generation questions how R5 relates to the SDT’s “summary of concepts”:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional
reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around who will receive the information and how it will be used
However, Constellation Power Generation believes that
security awareness is an important aspect of personnel security and proposes an annual training similar to
what was in the previous standards. Constellation Power Generation therefore recommends two requirement
changes that would achieve security awareness without the burdensome administrative aspects. First, as
stated earlier, a sub requirement in R2 should be added which reads as follows: R2.5 Method(s) for making
operation personnel aware of changes to the Operating Plan. Second, this training requirement should be
rewritten as follows: Each Applicable Entity shall provide training to all operation personnel at least annually.
Consumers Energy
No
Again, either 12 month year or annual year, NERC needs to standardize on one or the other. Training should
apply only to those that must take action relevant to the reliability of the BES. A plan would likely include
notification of senior officers, however they don’t need to be included in drills and training if they have no
active role.
Duke Energy
No
Strike the word “all” in the requirement. All personnel don’t need to be trained - for example, the plan may
contain references to some personnel as potential sources of the information that will then be reported. Also,
Section 5.3 only allows 30 days for training, which may be impossible with rotating shift personnel and training
schedules. 60 days is more appropriate.
Dynegy Inc.
No
The annual training seems excessive especially if there have been no changes. You have included one
exception for contact information revisions; however, it should be expanded to include exceptions for
minor/non-substantial changes. Also, make training requirements (after initial training) be required for
substantive changes only.
E.ON Climate & Renewables
No
Redundant with R4.
Electric Market Policy
No
The need for a periodic training has not been established and appears to be overly restrictive given the intent
of the standard is reporting of impact events. Suggest this requirement be eliminated.
Exelon
No
Exelon doesn’t feel that the 30 day requirement is achievable and recommends an annual review.
Training
for all participants in a plan should not be required. Many organizations have dozens if not hundreds of
procedures that a particular individual must use in the performance of various tasks and roles. Checking a
box which states someone read a procedure does not add any value, it is an administrative burden with no
contribution to reliability. It is Exelon’s opinion that training requirements should be covered in the PER
standards and that the audience to be trained should be identified.
R5.4 requires internal personnel that
have responsibilities related to the Operating Plan cannot assume the responsibilities unless they have
completed training. This requirement places an unnecessary burden on the registered entities to track and
maintain a data base of all personnel trained and should not be a requirement for job function. A current
procedure and/or operating plan that addresses each threshold for reporting should provide adequate
assurance that the notifications will be made per an individual's core job responsibilities.
FirstEnergy
No
Requirement R5 and Part 5.1 - The wording in Part 5.1 is too prescriptive and should not require training on
the specific actions of personnel. Also, R5 should not require training for personnel that may only receive the
report and are not required to do anything. Therefore we suggest rewording R5 and 5.1 as follows: "R5. Each
Applicable Entity identified in Attachment 1 shall have a Reporting Plan(s) for identifying, assessing and
reporting impact events listed in Attachment 1 that includes the following components: 5.1 The training
includes the personnel required to respond under the Reporting Plan." Part 5.3 - We suggest removing
subpart 5.3. This requirement is overly burdensome and not necessary. We believe that the requirements for
annual review and update of the plan as well as training sufficiently cover reviews of changes to the plan. Part
5.4 - The last phrase "training shall be conducted prior to assuming the responsibilities in the plan" should
account for emergency situations when the entity does not have time to train the replacement before they are
to assume a responsibility.
Great River Energy
No
We believe that this task should be incorporated into the Job Task Analysis for the System Operators and that
this requirement should be deleted as being redundant.
Idaho Power Company
No
The 30 day Requirement is limited with real time operations. Most entities with real time operations utilize a 5
or 6 week rotating schedule to comply with PER-002. The NERC Continuing Education Program allows up to
60 days to comply, this allows the operating shifts to accommodate training within the operating schedule. The
requirement 5.3 should allow 60 days to complete the training.
Indeck Energy Services
No
It is wholly unreasonable to re-train everyone for each change to the Operating Plan. Suggestion: Clarify that
upon changes to the Operating Plan, the Registered Entity may either require full training, or instead distribute
a summary of the change to affected personnel only.
Independent Electricity System Operator
No
Along the line of our comments on R2 for an Operating Plan (whose need we do not agree with), any training
on developing and providing the report is unnecessary. What matters is that the report is provided to the
needed organizations or entities on time and in the required format according to established procedure. How
this is accomplished goes outside of the purpose of reliability standard requirements.
IRC Standards Review Committee
No
We do not agree with the need for R5. We do not see the need for a standard requirement that stipulates
training the personnel on reporting events. What matters is that the reports are provided to the needed
organizations or entities on time and in the required format according to established procedure. Stipulating a
training requirement to achieve this reporting is micro-managing and overly prescriptive.
ISO New England Inc.
No
The need for a periodic drill has not been established, and appears to be overly restrictive given that the
intent of the standard is reporting of impact events. Suggest this requirement be eliminated. There are
training standards in place that cover these requirements. We agree the relevant personnel should be
“aware” of the reporting requirements. But there is not a need to have a training program with specific time
frames for reporting impact events. Awareness of these reporting requirements can be achieved through
whatever means are available for entities to employ to train on any of the NERC standards, and need not be
dictated by requirements.
Kansas City Power & Light
No
We agree with the need for the Operating plan and the provision of formal training to impacted personnel. We
believe that the personnel references are too open-ended to be productive and measurable. This leaves all
applicable entities open to subjectivity in assessment and may produce a large administrative burden to
demonstrate compliance with no associated benefit to improved reliability.
Luminant Energy
No
Operating Plan revisions communicated through procedure updates and employee acknowledgements of the
same are sufficient when coupled with a procedural training program that occurs according to a programmed
schedule.
Manitoba Hydro
No
The comments in Question 6 and 7 encompass the training aspect of this requirement.
MidAmerican Energy
No
R5.2. The NSRS agrees that to enhance reliability and situational awareness of the BES, the Operating
Plan be trained once per calendar year. R5.3 As detailed in R2, the Operating Plan shall contain provisions for
“identifying, assessing, and reporting impact events”. Where, R2.7 states to update the Operating
We disagree with the need to provide formal training. We could agree with the need to communicate to System
Operators and other pertinent personnel the criteria for reporting so that they know when system events need
to be reported.
Midwest ISO Standards Collaborators
No
We disagree with the need to provide formal training. We could agree with the need to communicate to
System Operators and other pertinent personnel the criteria for reporting so that they know when system
events need to be reported.
MRO's NERC Standards Review
Subcommittee
No
R5.2. The NSRS agrees that to enhance reliability and situational awareness of the BES, the Operating Plan
be trained once per calendar year. R5.3 As detailed in R2, the Operating Plan shall contain provisions for
“identifying, assessing, and reporting impact events”. Where, R2.7 states to update the Operating Plan when
there is a component change. The NSRS believes the components of this Operating Plan are 1) identifying
impact events, 2) assessing impact events, and 3) reporting impact events. These components relate to
training when the Operating Plan is revised per, R5.3, only. As written, every memo, simulations, blog, etc
that contain the words “lessons learned” would be required to be in your Operating Plan and trained on every
time one was issued or heard about internally or externally. Recommend that the Operating Plan be revised
and training occurs when a change occurs to the entity’s Operating Plan, consisting of 1) identifying impact
events, 2) assessing impact events, and 3) reporting impact events, only.
North Carolina Electric Coops
No
Requiring training to report of after-the-fact events does not improve the reliability of the BES.
We
recommend the elimination of this requirement.
Northeast Power Coordinating Council
No
The need for a periodic drill has not been established, and appears to be overly restrictive given that the
intent of the standard is reporting of impact events. Suggest this requirement be eliminated. There are
training standards in place that cover these requirements. The relevant personnel should be “aware” of the
reporting requirements. But there is not a need to have a training program with specific time frames for
reporting impact events. Awareness of these reporting requirements can be achieved through whatever
means are available for entities to employ to train on any of the NERC standards, and need not be dictated by
requirements.
Pacific Gas and Electric
Company
No
PG&E believes 30 days is too restrictive due to real-time operations schedule requirements. The schedule is
six weeks and individuals may be on either long change or vacation and therefore unable to complete the
training within 30 days of the identification of the need. Suggest extending to 60 days to meet the training
criteria which follows the NERC Continuing Education revised submittal date for the Individual Learning
Activities (ILA).
Pacific Northwest Small Public Power Utility Comment Group
No
See #15
PacifiCorp
No
Training required within 30 days of a revision to the Operating Plan is not feasible with 5 or 6 week shift
rotations. A sixty day requirement would be more realistic.
Pepco Holdings, Inc - Affiliates
No
30 days may be too short a time for large entities with multiple subsidiaries to do the necessary notice and
coordination. PHI suggests 90 days.
PNM Resources
No
PNM believes 30 days is too restrictive due to real-time operations schedule requirements. Most work
schedules are either five or six weeks and individuals may be on either long change or vacation and therefore
unable to complete the training within 30 days of the identification of the need. Based on the NERC
Continuing Education revised submittal date for the Individual Learning Activities (ILA), PNM would
recommend 60 days. Creating an Impact Event Report is duplicative and redundant and the WECC OTS feels
this is not necessary.
PPL Electric Utilities
No
We agree with the need for training on one’s process. However, we suggest changes to R5.3. Consider
expanding the exception criteria to exempt non-substantive changes such as errata changes, minor editorial
changes, contact information changes, etc.
We also suggest saying ‘...,training shall be conducted, or
notification of changes made, within 30 days of the procedure revisions.’
PPL Supply
No
We generally agree with R5 but recommend two changes to 5.3. Consider expanding the exception criteria to
exempt non-substantive changes such as errata changes, minor editorial changes, contact information
changes, etc. Also, consider changing "training shall be conducted" to "training or communication/notification
of changes shall be conducted."
Puget Sound Energy
No
The fact that proposed requirement R2 will require frequent updates to the operating plan means that the
training required under this plan will occur quite frequently as well, leading to operator confusion. Even the
comment allowing a review and “sign-off” will not completely mitigate this result.
RRI Energy, Inc.
No
1. This Requirement is structured to result in the same heavy-handed, zero-tolerance approach that has
made CIP-004 one of the top three violated Reliability Standards. The failure in CIP-004 is that, for example,
a seven-year background check or annual training program that is tardy by one day results in a violation.
There is no margin of error, proviso, or cure scenario. Likewise, the proposed R5 in EOP-004-2 makes it a
violation if someone takes their newly established training on the day after the end of 15 months. Systems
configurations are often based on quarterly monitoring for individuals needing to take training. In addition,
when dealing with potentially thousands of employees, it is inevitable that any one of hundreds of reasons
might result in an employee not being included in the tracking system, and rolling past the 15th month.
RECOMMENDATION: To avoid further burden to Regional Entity audit and enforcement personnel as has
been the case in CIP-004, develop a cure process that allows the Registered Entity to correct the training or
background check tardiness with prompt correction, fill out a notification report to submit to NERC, and
proceed with protecting the reliable operation of the BES, rather than tying up Registered Entity and Regional
Entity staffs with data requests, enforcement paperwork and administrative actions. 2. The proposed R5.3
requires the entire applicable staff to redo the entire training within 30 days of a change to the Operating Plan.
These Operating Plans will not be short documents, and formal training will not involve a 5 minute soundbite.
However, for such a significant procedure as the Operating Plan, frequent changes and revisions are going to
be very common, especially given the likelihood of frequent clarifications, Compliance Action Notices
("CANs"), and lessons learned issued by NERC and Regional Entities over this very detailed set of new
obligations. It is not unreasonable to expect a Registered Entity to make three or more revisions to their
Operating Plan in a year, which would require training for thousands of employees three times a year, for
what might amount to a single sentence revision. Furthermore, the obligation to retrain on the entire training
program is not limited in this requirement to only those individuals impacted by the revision. Where a change
or revision only impacts 3 possible employees, this standard would require a company with 1,500 employees
subject to the Operating Plan to retake the entire training. RECOMMENDATION: Clarify that upon changes to
the Operating Plan, the Registered Entity may either require full training, or instead distribute a summary of
the change(s) via email to affected personnel only.
Santee Cooper
No
The concept of requiring training on reporting of after-the-fact events does not support or enhance bulk
electric system reliability. We recommend the elimination of this requirement.
SERC OC Standards Review Group
No
While we support training on an annual basis for the operating plan, the concept of requiring training on
reporting of after-the-fact events does not support or enhance bulk electric system reliability. We recommend
the elimination of this requirement.
Southern Company - Transmission
No
We suggest that the time frame be changed to 60 or 90 days in 5.3. 5.4 needs to have a time frame
associated with it; we suggest that it be 60 or 90 days.
Tenaska
No
This Requirement is too specific and places additional burdens on Registered Entities.
TransAlta Corporation
No
Measure M5 states applicable entities shall provide training material presented... This measure is unclear as
to whether the meaning is for internal personnel or to be provided to external entities upon request? Please
clarify.
US Bureau of Reclamation
No
The measure is vague and redundant. The Entity is required to provide information to be used to "verify
content". The information may be used to demonstrate compliance but who will verify the content is adequate
and on what basis. Secondly, the measure requires training information be provided twice, once to
demonstrate who participated and then to show who was trained. This is all unnecessary and could be
remedied by simply stating that "evidence shall demonstrate that all individuals listed in the plan have
received training on their role in the plan"
We Energies
No
Please clarify who is to be trained. As written, R5 requires any internal personnel identified in the plan,
including CEO, Vice Presidents, etc., to be trained.
WECC
No
Thirty days is too restrictive due to real-time operations schedule requirements. Most work schedules are
either five or six weeks and individuals may be on either long change or vacation and therefore unable to
complete the training within 30 days of the identification of the need. Based on the NERC Continuing
Education revised submittal date for the Individual Learning Activities (ILA), the requirement should be
changed to require training to be conducted within 60 days.
Bonneville Power Administration
Yes
There was no training required for CIP-001 or in CIP-008. (The proposed EOP-008 purpose did not list
incorporating CIP-008). Training was not really needed for reporting Electrical Grid events.
ERCOT ISO
Yes
ERCOT ISO believes the content of training can include an exercise or drill.
United Illuminating
Yes
R5.3 coupled with the rationale provided is a sensible approach. It is important that the rationale is not
forgotten.
Ameren
Yes
American Electric Power (AEP)
Yes
City of Austin dba Austin Energy
Yes
Georgia System Operations Corporation
Yes
NERC Staff
Yes
PacifiCorp
Yes
8. Do you agree with the requirement R6 and measure M6? Please explain in the comment box below.
Summary Consideration:
There was no consensus amongst stakeholders who responded to this question regarding agreement
with the originally proposed Requirement R6 and Measure M6. (Note: R6 has been moved to R5 in the revised standard.) The DSR SDT
did a full review based on comments that were received. Many comments indicated concerns with the reporting timelines within
Attachment 1. (The DSR SDT has addressed those comments in response to Question 10.)
Several commenters wanted the ability to report impact events to their responsible parties via the DOE Form OE-417. Following
discussions with the DOE and NERC, the DSR SDT has added the ability to use the DOE Form OE-417 when the same or similar
items are required to be reported to NERC and the DOE. This will reduce the need to file multiple forms when like items must be
reported to the DOE and NERC for the same impact event. The underlying fact is that impact events are to be reported within
prescribed guidelines, thus providing industry awareness and the start of any analysis process. R5 is now streamlined to read:
R5. Each Responsible Entity shall report Impact Events in accordance with the Impact Event Operating Plan pursuant to
Requirement R1 and Attachment 1 using the form in Attachment 2 or the DOE OE-417 reporting form.
Organization
Yes or No
Question 8 Comment
American Electric Power (AEP)
No
It is not clear how this is different from R3 since it relies on the same timetable in Attachment 1.
CenterPoint Energy
No
CenterPoint Energy does not agree with R6 and M6 as written as we do not agree with the requirement to
develop and maintain an Operating Plan (see comments to Q4 above). In addition, CenterPoint Energy does
not agree with the timelines required in Attachment 1 (see comments on Q10). CenterPoint Energy offers the
following alternate language: “Each Applicable Entity shall report events outlined in Attachment 1 to
applicable entities including but not limited to; NERC, and appropriate law enforcement agencies."
City of Garland
No
1. The reporting requirements should not be expanded beyond CIP 001 and EOP 004-1. The goal for
combining the two should be to make the process more efficient - not add on extra requirements for
procedures on how to report, drills on reporting, training on reporting, etc. 2. The timelines requiring 1 hour
reporting to the ERO are not needed and provide little realtime benefit to the BES. Real time or near real time
reporting for “people on the ground” such as the RC, BA, TOP, FBI, Local Law Enforcement, DOE, etc. is
necessary. They are in a position to take action in response to an event. On page 5, it states “The proposed
standard deals exclusively with after-the-fact reporting.” 1 Hour reporting requirements to the ERO in addition
to existing reporting are not reasonable “after-the-fact” reporting requirements in the midst of an emergency.
Also, there is not a 24X7 ERO center to report events to - why build and staff one when they already exist at
the RC, BA, TOP, DOE, FBI, Local Law Enforcement, etc. - An ERO 24X7 center would be extra overhead
that would provide no additional benefit in the first hour or hours of an emergency.
Consolidated Edison Co. of NY, Inc.
No
R2 requires applicable entities to have an Operating Plan which are company specific procedures and
process required to be compliant with EOP-004. Therefore, R6 should be deleted since it is redundant with
R2.
Electric Market Policy
No
Entities are already required by other agencies (e.g., DOE, NRC) to report certain events. We see no need to
develop redundant reporting requirements in the NERC arena that cross other federal agency jurisdictions.
ERCOT ISO
No
ISO recommends the following changes to the language of the requirement.
R6. Each Applicable Entity shall report impact events in accordance with Attachment 1.
Exelon
No
The time durations in the attachment are too short, it would be impossible to collect all the data necessary to
report out on an impact event in the defined time to report. The SDT should evaluate each event for the most
appropriate entity responsible to ensure there is minimal confusion on who has the responsibility and
eliminate duplication of reporting when feasible.
FirstEnergy
No
M6 - NERC's system should be capable of making this evidence available for the entities and provide a
"return-receipt" of the reports that we send them. Also, M6 should be revised to state "Applicable Entities" as
opposed to "Registered Entities".
Great River Energy
No
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is
not reasonable as an entity may still be dealing with the event. This will be particularly difficult when support
personnel are not present such as during nights, holidays and weekends.
Indeck Energy Services
No
---This is the first mention of the time lines in Attachment 1. If they are part of the standard, then they
should be incorporated to the Operating Plan in R2 and then need not be mentioned again, only compliance
with the plan. ---In M6, the last part, "evidence to support the type of impact event experienced; the date and
time of the impact event ; as well as evidence of report submittal that includes date and time" is redundant.
All of that should be in the report to NERC. If not, then it's not important to keep.
Independent Electricity System Operator
No
We agree with having a requirement to report impact events in accordance with the timelines outlined in
Attachment 1, but not with the requirements indicated in R2.
IRC Standards Review Committee
No
There is not a need for an Operating Plan as proposed. This is not truly an Operating Plan. There are
already other standards which create the requirements for an Operating Plan. This is an administrative
reporting plan and any associated impact upon reliability is far beyond real-time operations.
ISO New England Inc.
No
Entities are already required by other agencies (e.g., DOE, NRC) to report certain events. We see no need to
develop redundant reporting requirements for NERC that cross other federal agency jurisdictions. There is no
need for an Operating Plan as proposed. This is not truly an Operating Plan. There are already other
standards which create the requirements for an Operating Plan. This is an administrative reporting plan and
any associated impact upon reliability is far beyond real-time operations which is implied by the label
“Operating Plan.”
Kansas City Power & Light
No
We believe R3 and M3 are unnecessary as a stand alone requirement and measure and propose combining
these requirements with R6 and M6. Identifying and assessing the initial probable cause of an impact event
is the obvious starting point in the reporting process and ultimate completion of the required report. Evidence
to support the identification and assessment of the impact event and evidence to support the completion and
submittal of the report are really one in the same.
MidAmerican Energy
No
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is
not reasonable as an entity may still be dealing with the event. This will be particularly difficult when support
personnel are not present such as during nights, holidays and weekends.
Midwest ISO Standards Collaborators
No
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is
not reasonable as an entity may still be dealing with the event. This will be particularly difficult when support
personnel are not present such as during nights, holidays and weekends.
North Carolina Electric Coops
No
There is already a DOE requirement to report certain events. NERC should not be developing redundant
reporting requirements when this information is already available at the federal level from other agencies.
Northeast Power Coordinating Council
No
Entities are already required by other agencies (e.g., DOE, NRC) to report certain events. We see no need to
develop redundant reporting requirements for NERC that cross other federal agency jurisdictions. There is no
need for an Operating Plan as proposed. This is not truly an Operating Plan. There are already other
standards which create the requirements for an Operating Plan. This is an administrative reporting plan and
any associated impact upon reliability is far beyond real-time operations which is implied by the label
“Operating Plan”.
Pacific Gas and Electric Company
No
PG&E believes that if the standard is intended to be an after the fact report, we question the one and/or
twenty-four hour reporting criteria and then the 30 day criteria?
Pacific Northwest Small Public Power Utility Comment Group
No
See #15
PNM Resources
No
PNM believes there seems to be redundancy in reporting based on the time frames in Attachment 1, i.e. OE-417
and other required reports. If this standard is intended to be an after the fact report, why is there
one/twenty-four hour reporting criteria?
PPL Electric Utilities
No
We understand the rationale for this standard and support the project to combine EOP-004 and CIP-001 as
well as the reporting requirement in CIP-008. We are concerned that it may be difficult to meet Attachment 1
Part B Potential Reliability Impact submittal times as the time to submit is 1 or 24 hour after occurrence. E.g.
Risk to BES equipment, the example given is a major event and easy to conclude. Consider forced intrusion,
risk to BES equipment (increased violence in remote area), or cyber intrusion - should Attachment 1 state
‘report within 24 hours after detection’?
PPL Supply
No
It may be difficult to meet Attachment 1 Part B Potential Reliability Impact submittal times as the time to
submit is 1 or 24 hours after occurrence. Consider changing the Time to Submit Report for Forced intrusion,
Risk to BES equipment, and Detection of a cyber intrusion to be "report within 24 hours after detection".
RRI Energy, Inc.
No
RECOMMENDATION: Clarify that the reporting of impact events shall be to those entities identified in the
Operation Plan section developed specifically in Section 2.6. Reference to Attachment 1 indicates reporting
to "external" parties is the intent for R6.
Santee Cooper
No
If the DOE form is going to continue to be required by DOE, then NERC should accept this form. Entities do
not have time to fill out duplicate forms within the time limits allowed for an event. This is burdensome on an
entity
SERC OC Standards Review Group
No
There is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
Southern Company - Transmission
No
The time to submit report column needs to be more flexible with time frames.
Tenaska
No
The reporting timelines are currently listed on the OE-417 form. This Requirement is redundant.
TransAlta Corporation
No
R6 should reference Attachment 2 to make it clear that this report form must be used. M6 seems to be
requesting evidence that the Confidential Impact Event Report was submitted. TransAlta suggests the
submission of the actual report is evidence the report was submitted. Records of this submission can be
provided on request. Web Reports Project 2009-01 has indicated online reporting is the direction they are
going. If the impact report becomes an online Web report the entity submitting the report has no way of
confirming the report ended up at the Compliance Enforcement Authority office after it is submitted. There
needs to be some method that demonstrates the report was submitted and received.
We Energies
No
The proposed definition of “impact event” needs to be clarified.
WECC
No
There seems to be redundancy in reporting based on the time frames in Attachment 1, i.e. OE-417 and other
required reports. If this standard is intended to be an after the fact report, why is there one/twenty-four hour
reporting criteria?
Arizona Public Service Company
Yes
AZPS believes that Operating Plan should be replaced with "Event Reporting Plan."
ATC
Yes
ATC does agree that applicable entities report on events identified in Attachment 1 (See our comments about
Attachment 1), but we do not agree that applicable entities should be required by this standard to have an
Operational Plan. Please see our comments to question 4.
BGE
Yes
Comments for clarification: R6. Use of Capital letters in Operating Plan makes it unnecessary to state "created
pursuant to Requirement 2
Bonneville Power Administration
Yes
The requirement needs to specify who (ERO) to report to. Attachment 1 doesn’t say to report to the ERO
either. Clarify or remove the difference between the report submitted and evidence of the type of impact
event required in the measurement.
Georgia System Operations Corporation
Yes
It directly supports the purpose of the standard.
Green Country Energy
Yes
Now this is an excellent example of all that is needed for this requirement!
Manitoba Hydro
Yes
Attachment 1 details the impact events and the thresholds of which they should be reported.
Puget Sound Energy
Yes
It is assumed that for the purposes of M6, NERC and the regions would already have access to these reports.
Ameren
Yes
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Constellation Power Generation and Constellation Commodities Group
Yes
Duke Energy
Yes
Dynegy Inc.
Yes
Idaho Power Company
Yes
Luminant Energy
Yes
MRO's NERC Standards Review Subcommittee
Yes
NERC Staff
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
United Illuminating
Yes
US Bureau of Reclamation
Yes
9. Do you agree with the requirements for the ERO (R7-R8) or is this adequately covered in the Rules of Procedure (section 802)?
Please explain in the comment box below.
Summary Consideration:
There was no consensus amongst the commenters who responded to this question. The DSR SDT did a
full review based on comments that were received. The DSR SDT has determined that R7 and R8 are not required to be within a
NERC Standard since Section 800 of the Rules of Procedure already assigns this responsibility to NERC. The DSR SDT, the Events
Analysis Working Group (EAWG), NERC Staff (to include NERC Senior VP and Chief Reliability Officer) had an open discussion with
this item being a major topic. The DSR SDT and EAWG are working in coordination with each other to provide NERC Staff with
updated language for future inclusion into the Rules of Procedure. NERC Staff, the EAWG and the DSR SDT all supported this new
initiative.
Organization
Yes or No
Question 9 Comment
Ameren
No
NERC's current heavy case load should justify reviewing the impact review table only once every 2 years.
ATC
No
ATC feels the ERO obligations should be covered in the Rules of Procedure. We do not agree with the
requirements assigned to the ERO, but believe that they should be incorporated into the ERO’s Rules of
Procedure
BGE
No
R7. Make Impact Event Table all Capital Letters (it is a title).
R8. Is the term "reportable impact events" new or is impact event intended to be capitalized?
R8. Does a quarterly report of the year’s reportable impact events include 12 months of "reportable impact events"? This is confusing.
R8. In the Rationale for R8 Impact Events appears with Capital letters - why now? Shouldn’t it appear with all Capital letters throughout
the document as it is a defined term?
R8. There are no previous requirements to report threats (R8.3) or lessons learned (R8.5) or trends (R8.2) to an ERO. Is this
information from reports to the ERO or from ERO research?
CenterPoint Energy
No
CenterPoint Energy does not believe this requirement is necessary; however, if the SDT insists on keeping
this requirement then CenterPoint Energy believes it should remain as written. Any change to Attachment 1
should go through the Reliability Standards Development Procedure.
Consolidated Edison Co. of NY, Inc.
No
See response to Question 2
Requirement 7
Delete the words “and propose revisions to”
Following the words (Attachment 1) add a period.
Following that period add the words “The ERO shall revise the table”
Requirement 8
RECOMMEND DELETION OF R8 - CONFIDENTIALITY CONCERNS WILL MAKE
ESTABLISHING A PUBLICATION REQUIREMENT EXTREMELY CHALLENGING.
Constellation Power Generation and Constellation Commodities Group
No
The impact event table (Attachment #1), as part of a standard, would have to be FERC approved every time it
is edited. That would cause it to go through NERC’s Standard Development Process, and would cause a
revision to the standard each time. This will also cause revisions to each and every registered entity’s
Operating Plan. Overall, this requirement causes a large administrative burden on all entities, and does not
improve reliability. As stated earlier, the “summary of concepts” for this latest revision, as written by the SDT,
includes the following items:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around of who will receive the information and how it will be used
Requirement 7 and 8 do not address any of these items. Furthermore, for R8, it is requiring NERC to send out quarterly
reports, yet entities are supposed to amend their Operating Plans based on an annual NERC report. This
requirement is confusing and is not consistent with earlier requirements. Constellation Power Generation
believes that these two requirements should be removed.
Electric Market Policy
No
Having the ERO as an applicable entity is concerning as they are also the compliance enforcement authority.
ERCOT ISO
No
Recommend that the Electric Reliability Organization be removed. The Electric Reliability Organization should
not be responsible for reliability functions and therefore should be excluded from reliability standards.
FirstEnergy
No
FE disagrees with the ERO as an applicable entity within a reliability standard. See our responses to
Questions 2 and 3 above. We do not believe the desired ERO process is adequately covered in section 802.
Section 802 deals with assessments and not event reporting.
Georgia System Operations Corporation
No
It should not be necessary for the ERO to require itself to do these things. NERC's authority should be
sufficient to do these things as part of its mission. With quarterly trending and analysis of threats,
vulnerabilities, lessons learned, and recommended actions in R8, R7 (an annual review) should not be
necessary. The quarterly activity could include proposing revisions to Attachment 1 if warranted. An alternative
would be to perform annual trending and analysis of threats, vulnerabilities, lessons learned, recommended
actions, and proposed revisions to Attachment 1 if warranted. Also, the Reliability Standards Development
Procedure has been replaced with the Standard Processes Manual.
Indeck Energy Services
No
Reviewing Attachment 1 annually is unnecessary. Events don't change much and if they do, a SAR is
needed to consider the changes. NERC should not be included in any standard!
Independent Electricity System Operator
No
We agree with the need to update the list as needed, but it does not have to be the ERO who takes on a
reliability standard to do so. It can simply be an annual project in the standards development work plan to
review Attachment 1 as part of a standard. The industry will then be provided an opportunity to weigh on the
changes. Also, we do not see the reliability results or benefits of R8. The ERO can issue the report quarterly
but who are audiences? What reliability purpose does it serve if no further actions are pursued upon receiving
the report? Can this be done as a standing item for the ERO at, say, the BoT meeting? Or, can this be a part
of the quarterly communication from the ERO to the industry? To make this a reliability standard is an overkill,
and does not conform with the results-based standard concept. From our perspective, both R7 and R8 can
be removed, and the ERO can be removed from the Applicability Section as well.
IRC Standards Review Committee
No
We do not support an annual time frame to update the events list. The list should be updated as needed
through the Reliability Standards Development Process. Any changes to a standard must be made through
the standards development process, and may not be done at the direction of the ERO without going through
the process.
ISO New England Inc.
No
Having the ERO as an applicable entity raises concern as it is also the compliance enforcement authority.
Requirement R7 is unnecessary as there are already requirements in place for three year reviews of all
Standards. R8 contains requirements to release information that should be protected, such as identification
of trends and threats against the Bulk Electric System. This may trigger more threats because it will be
published to unwanted persons in the private sector. We do not support an annual time frame to update the
events list. The list should be updated as needed through the Reliability Standards Development Process.
Any changes to a standard must be made through the standards development process, and may not be done
at the direction of the ERO without going through the process.
Kansas City Power & Light
No
We agree with the rationale for R8 requiring NERC to analyze Impact Events that are reported through R6
and publish a report that includes lessons learned but disagree with R2.9 obligating an entity to update its
Operating Plan based on applicable lessons learned from the report. Whether lessons learned are applicable
to an entity is subjective. If an update based on lessons learned from an annual NERC report is required, the
requirement should clearly state the necessity of the update is determined by the entity and the entity’s
Reliability Coordinator or NERC can not make that determination then find the entity in violation of the
requirement. In addition, if an update based on lessons learned from a NERC report is required, NERC
should publish the year-end report (R8) on approximately the same day annually (i.e. January 31) and allow
an entity at least 60 days to analyze the report and incorporate any changes it deems necessary in its
Operating Plan. Again, the language referencing annual and quarterly in these two requirements is
confusing.
Manitoba Hydro
No
Rules of Procedure appear to have a different focus than R7 and R8.
Briefing on Rules of Procedure 802
Assess, review and report on:
1.1 overall electric operation
1.2 uncertainties and risks
1.3 self assessment of supply and reliability
1.4 projects on customer demand
1.5 impact of evolving electric market practices
that could affect the present and future of the BES
Briefing on R7 and R8
R7 - ERO shall review and propose revisions to Attachment 1
R8 - ERO shall publish quarterly reports on trends, threats, vulnerabilities, lessons learned and recommended actions.
Midwest ISO Standards Collaborators
No
We do not agree with the requirements and we do not believe it is adequately covered in section 802. First,
section 802 deals with assessments not event reporting. Secondly, since attachment 1 is part of a standard,
it should not be modified outside of the Reliability Standards Development process.
NERC Staff
No
NERC staff believes that requirements R7 and R8 are not needed because they are intrinsic expectations
from its Rules of Procedure. Furthermore, these elements are necessary for analysis in support of the
Reliability Metrics efforts NERC is leading under its Reliability Assessment and Performance Analysis
program.
North Carolina Electric Coops
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority.
Northeast Power Coordinating Council
No
Having the ERO as an applicable entity raises concern as it is also the compliance enforcement authority.
Requirement R7 is unnecessary as there are already requirements in place for three year reviews of all
Standards. R8 contains requirements to release information that should be protected, such as identification
of trends and threats against the Bulk Electric System. This may trigger more threats because it will be
published to unwanted persons in the private sector. We do not support an annual time frame to update the
events list. The list should be updated as needed through the Reliability Standards Development Process.
Any changes to a standard must be made through the standards development process, and may not be done
at the direction of the ERO without going through the process.
Puget Sound Energy
No
This is adequately covered by section 802 of the Rules of Procedure. There seems to be some conflict
between R2.9 and R8 regarding timeframes and the specific elements required.
Santee Cooper
No
Standards cannot be applicable to an ERO because they are the compliance enforcement authority, and the
ERO is not a user, owner, or operator of the BES.
SERC OC Standards Review Group
No
The ERO cannot be subject to a requirement for which it is the compliance enforcement authority. The
governance in this situation appears incomplete.
United Illuminating
No
The rules of procedure adequately cover this.
US Bureau of Reclamation
No
Requirements 7 and 8 are covered in the Section 801. 801. Objectives of the Reliability Assessment and
Performance Analysis Program. The objectives of the NERC reliability assessment and performance analysis
program are to: (1) conduct, and report the results of, an independent assessment of the overall reliability and
adequacy of the interconnected North American bulk power systems, both as existing and as planned; (2)
analyze off-normal events on the bulk power system; (3) identify the root causes of events that may be
precursors of potentially more serious events; (4) assess past reliability performance for lessons learned; (5)
disseminate findings and lessons learned to the electric industry to improve reliability performance; and (6)
develop reliability performance benchmarks. The final reliability assessment reports shall be approved by the
board for publication to the electric industry and the general public.
Bonneville Power Administration
Yes
R2.9 language refers to R8 “annual” report; however R8 language is “quarterly” reporting. It appears this
standard is going to be in an update status 4 times per year minimum, plus any event modifications plus
personnel changes. Overly burdensome.
City of Garland
Yes
R7 - Yes as long as any changes to attachment 1 follow the “Reliability Standards Development Procedure.
R8 - Yes as long as R8.6 is strictly “recommended actions.” They should not become “required actions” as
this bypasses the standard development process.
Duke Energy
Yes
However, R8 only addresses quarterly reports, and R2 Section 2.9 states that there will be an annual report.
Green Country Energy
Yes
I realize this is another burden for the ERO but the information would be good to know what is going on
outside the plant .
Luminant Energy
Yes
Continually refining the Impact Event table to better define which events should be reported would be
extremely valuable. Section 802 does not adequately require such refinement, thus R7 and R8 are
March 1, 2011
appropriate inclusions to this standard.
MRO's NERC Standards Review Subcommittee
Yes
RRI Energy, Inc.
Should read “In accordance with Sections 401(2) and 405 of the Rules of Procedures, the ERO can be set as
an applicable entity in a requirement or standard”. As stated in the text box.
Yes
We support the concept that Reliability Standard requirements and obligations that are subject to violations
and penalties should all be contained in the four-corners of the Reliability Standard. If an obligation exists in
the Rules of Procedures that creates a stand-alone responsibility that is subject to violation and penalty, it
should be removed from the Rules of Procedure and inserted into the appropriate Reliability Standard.
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Dynegy Inc.
Yes
Great River Energy
Yes
Idaho Power Company
Yes
MidAmerican Energy
Yes
Pacific Gas and Electric Company
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PNM Resources
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
Southern Company - Transmission
Yes
TransAlta Corporation
Yes
We Energies
Yes
WECC
Yes
10. Do you agree with the impact event list in Attachment 1? Please explain in the comment box below and provide suggestions for
additions to the list of impact events.
Summary Consideration: Most commenters who responded to this question disagreed with some aspect of Attachment 1 –
most commenters provided specific suggestions for improvement. The DSR SDT did a full review based on comments that were
received. The DSR SDT, the Events Analysis Working Group (EAWG), NERC Staff (to include NERC Senior VP and Chief Reliability
Officer) had an open discussion with this item being a major topic. The EAWG and the DSR SDT aligned Attachment 1 with the Event
Analysis Program category 1 analysis responsibilities. This will assure that impact events in EOP-004-2 reporting requirements are
the starting vehicle for any required Event Analysis within the Event Analysis Program. The DSR SDT agrees that there are similar
items in the DOE Form OE 417 and EOP-004-2. DOE, NERC and the DSR SDT are in initial talks to try and reduce duplicate reporting
requirements. Until such time in the future that a new process is established between the DOE and NERC, the DSR SDT has revised
the standard to indicate that the use of either the DOE Form OE 417 or Attachment 2 is an acceptable reporting form for applicable
entities. The DSR SDT reviewed the “hierarchy” of reporting within Attachment 1. To reduce multiple entities reporting the same
impact event, the DSR SDT has stated that the entity that performs the action or is directly affected by an action will report per
EOP-004-2. As an example, during a system emergency, the TOP or RC may request manual load shedding by a DP or TOP. The DP or TOP
would have the responsibility to report the action that they took if they meet or exceed the bright-line criteria established in
Attachment 1. Upon reporting, NERC Event Analysis Program would be made aware of the impact event and start the EA Process
which is outside the scope of this Standard.
Several bright-line criteria were removed from Attachment 1. These criteria (DC converter station, 5 generator outages, and
frequency trigger limits) were removed after discussions with the EAWG and NERC staff, who concurred that these items should be
removed from a reporting standard and analysis process.
Organization
Yes or No
Question 10 Comment
WECC
For strictly after-the-fact reporting the list of Attachment 1 is appropriate. However, as noted in our earlier
comments, actual or suspected sabotage events can have a potentially significant impact on reliability and
should be treated differently, with additional real-time reporting requirements. It is important that such events
be identified and recognized for reliability purposes and that notices include the RC.
Ameren
No
We have numerous comments about the Attachments. (1) What are the requirements for "verbal" reporting
to NERC and Regional entities? (2) What are the requirements for a "Preliminary" Impact Event Report? (3)
The Voltage Deviations Event is unclear (a) Are these consecutive minutes? (b) Where is the voltage
measured? (generator terminals? Point of Interconnections? Anywhere?) (c) must each Entity report
separately? (d) What is the +/- 10% measured against (Generator Voltage Schedule?) (4) For Generation loss
events how is an "entity" defined? (a corporate parent? each registered entity? other?) (5) Are the "Examples"
in the Attachment 1 - Part A really Examples, or mandatory situations? (6) Can you define "Damage"? (7)
Can you define "external cause"? (8) Can you give examples of "non-environmental external causes"? (9)
The footnote 1 reference for "Damage or destruction of BES equipment" doesn't match up with the a. and b.
footnotes or the 1. footnote of Attachment A - Part B. (10) How is the Operator supposed to determine what
Event affects the reliability of the BES fast enough to decide whether or not to report? (11) is the Loss of off-site
power (grid supply) event to a nuclear plant already covered by NUC-001? (12) What are "critical cyber
assets" since CIP-002-4 will eliminate that term? (13) When is Attachment 2 supposed to be used? (14) What
is meant by the word "Confidential" in the title of the Attachment 2 report? How would the SDT propose a
GO/GOP handle the reporting for the following situation? A CTG unit is dispatched and the unit is started,
synchronized and put on the bus. Immediately the Operator receives a high gas alarm from the GSU. The
Operator quickly shuts the unit down and de-energizes the GSU. There are no relay targets and no obvious
reason for the problem. After several weeks of analysis it's determined there was an internal fault in the GSU
and it must be replaced. How would the SDT recommend all the reporting requirements in this situation be
addressed with the current draft?
American Electric Power (AEP)
No
Are the times listed for the initial probable reporting under R3 or the reporting under R6? Many of these items
do not constitute emergency conditions. We view many of these as too onerous and would divert operating
staff from monitoring and operating the BES. In addition, some terms (i.e. Frequency Trigger Limits) are not
currently defined terms. Furthermore, there are existing requirements that have obligations for entities to
provide this information to the RC. For example “Detection of a cyber intrusion to critical cyber assets” is
already covered under CIP-008. This creates duplicate (and potentially competing) requirements. AEP also
contends that some of the timelines are very aggressive and not consummate with perceived need for the
information. Transmission loss of multiple BES transmission elements (simultaneous or common-mode
event) within 24 hours after occurrence is overly aggressive and should provide more specific criteria.
Arizona Public Service Company
No
AZPS believes that the list in Attachment 1 would be complete, as long as the text box of examples is
included. The examples demonstrate what is necessary.
ATC
No
ATC has several areas of concern regarding Attachment 1.
1. The one hour requirement for reporting will take the Functional Entities’ focus off of addressing the immediate reliability issues and instead force the FE to devote valuable resources to filling out forms which will potentially reduce reliability.
2. Part A:
a. Provide a definition of “system wide” for the Energy Emergency requiring system-wide voltage reduction.
b. Add in the clarity that for Energy Emergency requiring firm load shed pertains to a single event, not cumulative events.
c. Insert the word “continuous” for Voltage Deviations.
d. Take off the TOP for IROL violations. (We believe that an IROL violation should be reported by the RC and not by the TOP based on the nature of the event. Requiring both the RC and TOP to report will only result in multiple reports for a single event. The RC is in
the best position to report on an IROL violation for its RC area.)
e. Take off the TO, TOP and add the LSE for Loss of Firm Load. (As a transmission only company ATC does not have contracts with end load users. Because of this the Loss of Firm Load should be the reporting obligations of the entity closest to the end load users which is the BA, DP or LSE. Failure to modify this requirement will cause confusion as to which entity has to report Loss of Firm Load.
f. Define a timeframe for Generation Loss
g. Multiple should be changed to “4 or more” for Transmission Loss. (ATC is concerned that this would require reporting of events that have little or no industry wide benefits but would take up considerable Registered Entity resources.)
h. Provide clarity to and tighten the definition of Damage or destruction of BES equipment. The way it is written now would require over-reporting of all damaged or destroyed equipment due to a non-environmental external cause (e.g. broken insulator).
3. Part B:
a. Take off the TO and TOP for Loss of off-site power. (The GOP has the responsibility to acquire off-site power and we believe it is the GOP’s sole responsibility to report the Loss of off-site power. Failure to correct this would result in multiple reporting for the same event.)
b. Take off RC for Risk to BES equipment. (The RC function does not own BES equipment and we believe it is impossible for them to report on risk to BES equipment if they are not the owner or operator of that equipment. This standard should be required of the entity that owns/operates BES equipment.
c. Provide guidance to the phrase “reasonably determine” in footnote.
d. Examples provided do not provide a clear obligation for an entity to follow. (Question: How close is the train to the substation? (Inches away from the substation fence, ten feet away from the substation fence or 500 feet away from the substation fence.) In addition, this standard is so open to interpretation that no entity can demonstrate compliance with the action. We believe that the only solution is to delete this reporting requirement.
Overall: Multiple Functional Entities impacted by the same event are required to report. No lead entity is identified. This will result in multiple reports of the same event.
ATC does not believe that this built-in duplicity enhances reliability?
ATCO Electric Ltd.
No
Attachment 1: Part A - Transmission Loss: Only sustained outages should be reportable. Also the reporting
threshold needs to be quantified for impact events, for example: a) Size of DC converter Station > 200 MW. b)
Impact of loss of Multiple BES transmission elements in terms of significant load (> 200 MW for > 15 min).
BGE
No
TOP determines "system-wide" voltage reductions; why place this responsibility on a TO or DP?
- Load Shedding is automatic load shedding; why 100MW? Does a DP need to provide a Report when directed by
the RC, BA or TOP to shed load or reduce voltage?
Need to define a "BES Transmission Element".
- No examples should be included in the standard!
- Table shows multiple entities in "Entity with Reporting Responsibility"; is it one or is it all entities report?
- In an audit who determines "reasonably determined likely motivation"
- Is it justified to expect to have "motivation" knowledge within one hour of an event?
- Why are the Responsible Entities reporting Interruptible Demand tripped / lost?
Bonneville Power Administration
No
BPA suggests the following: Change loss of multiple BES to 3 or more. Loss of a double circuit configuration
due to lightning doesn’t need a report (it’s a studied contingency). Add qualifier to damage/destruction of
BES equipment, since a failed PCB or a system transformer normally doesn’t have a MAJOR impact to the
grid. Add qualifier to Loss of “ALL” off-site power affecting nuclear... The unplanned evacuation of control
center is a busy time for the backup control center, yet this standard requires 1 hour reporting. Suggest
changing to 24 hours.
CenterPoint Energy
No
CenterPoint Energy appreciates the efforts of the SDT in identifying the entity with reporting responsibility.
This is an improvement to the event table. CenterPoint Energy is concerned with multiple entities being listed
as having Reporting Responsibility. CenterPoint Energy recommends the SDT limit this to one entity having
responsibility for reporting each event. This would not preclude that entity from coordinating with other entities
to gather data necessary to complete the report. In addition, CenterPoint Energy believes there are several
events that should be removed from the list. “Transmission Loss” is covered by the TPL standards and does
not need to be identified or reported under EOP-004. The loss of a DC converter station or multiple BES
transmission elements may or may not disrupt the reliable operation of the BES, i.e. result in blackout,
cascading outages, or voltage collapse. Likewise “Damage or destruction of BES equipment” in and of itself
should not be the subject of reporting. If the damage or destruction results in true disruption to the reliable
operation of the BES, that impact would be reported under one of the other identified events. “Voltage
Deviations” is another unnecessary event. CenterPoint Energy believes a voltage event of the proposed
magnitude will, more than likely, result in other events identified in Attachment 1 such as; IROL Violation or
Generation Loss and would be reported under one of those triggers. Another concern is the threshold trigger
of +/- 10% for 15 minutes or more. CenterPoint Energy is unclear as to the starting point to determine the
deviation. In other words is the 10% deviation from nominal voltage, such as 138kV or 345kV, or the actual
voltage at the time of the event? Additionally, must the deviation occur over a “wide area” or is such a
deviation at one buss enough to trigger a report? Based upon these ambiguities and concerns CenterPoint
Energy recommends “Voltage Deviations” be deleted from Attachment 1. The examples that follow on page
14 should also be deleted.
City of Garland
No
This report should follow exactly the OE-417 to avoid redundant, possible conflicting, and overall confusion in
reporting. Note: The table has entries that are in conflict with the OE-417 and thus can cause confusion in
filing multiple reports potentially causing an entity to violate Federal Law due to the confusion. By submitting
the same information on different timelines, i.e. one hour reporting under OE-417 and 24 hours under this
Standard, the reports may be significantly different causing confusion from differing reports of the same
event. Although we prefer the events to match the OE-417 events exactly, if the SDT decides to include a
separate events table we make the following suggestions: Energy Emergency requiring system-wide voltage
reduction: should be reportable at 5% not 3% voltage reduction. The standard should clearly state this was
applicable for BES energy emergency conditions only, not voltage reductions for other reasons. On voltage
deviations: it should be clear that this applies to widespread effects on the BES not a single distribution feeder
that has a low voltage. For the Frequency deviation: Did not see a definition for the FTL (frequency trigger
limit) Generation loss: the reportable loss of generation should be significantly more than 500 MW. The
number of units at the location is irrelevant. Ten units at 50 MW each is no more critical than a single 500 MW
unit. Under this standard, if the plant with ten 50 MW units trips it is reportable but an 800 MW single unit is
not reportable. The trip of the 800 MW unit has much more effect on the system reliability. Damage or
destruction of BES equipment: Should be limited to specific equipment such as a 765 kV autotransformer not
a 138 kV lightning arrestor. This needs to be eliminated or significantly limited as to the equipment type that
is reportable.
Consolidated Edison Co. of NY, Inc.
No
It is absolutely essential that the work on EOP-004 and that on the NERC Event Analysis Process (EAP) be
fully coordinated. We find that there are a number of inconsistencies between these two documents. The EAP
and EOP-004 are not aligned. In order to operate and report effectively entities need consistent
requirements.
Attachment 1
Frequency Deviations - The term “Frequency Trigger Limit (FTL)” is not defined.
Only defined terms should be used, or the term should be defined. If the term is defined in another standard it
should be moved to the Glossary of Terms for wider use.
Loss of Firm load for 15 Minutes - The text under the
rightmost column entitled, Time to Submit Report, appears to be incomplete in our copy.
Transmission loss
and Damage or destruction of BES equipment - At the end of the wording for both under the column entitled
“Threshold for Reporting” add the words “that significantly affects the integrity of interconnected system
operations.”
Examples - Capitalize “Critical Asset” as this is a defined term.
Constellation Power Generation and Constellation Commodities Group
No
Constellation Power Generation and Constellation Commodities Group questions why the generation loss line
item includes generating facilities of 5 or more generators with an aggregate of 500 MW or greater? The
number of units makes no difference for reporting, as is evident in the generation thresholds written before
this inclusion. The examples of damaged or destroyed BES equipment are confusing, and do not clarify the
reporting event. What if a GSU at a small plant (20 MW) were to fail? Is that reportable? Constellation Power
Generation believes that equipment failures that are not suspicious do not need to be reported. Finally,
Constellation Power Generation and Constellation Commodities Group believes that the “loss of offsite power
affecting a nuclear generation station” should be removed for the following reasons:
1) The purpose of this
reliability standard is stated as being: “Responsible Entities shall report impact events and their known causes
to support situational awareness and the reliability of the Bulk Electric System (BES).” While the “situational
awareness” portion of the purpose could be interpreted as all-inclusive, the real element deals with BES
reliability. Off-site power sources to nuclear units have nothing to do with BES reliability. Why should nuclear
units be treated differently?
2) The issue of concern for a loss of offsite power at a nuclear station is continued
power supply (other than emergency diesels) to power equipment to cool the reactor core. A nuclear unit
automatically shuts down when off-site power supply is lost. Availability of off-site power is a reactor safety
concern (i.e., NRC regulatory concern and a one-hour report to the NRC) - not a reliability concern that
FERC/NERC would have jurisdiction over.
3) There is a nuclear-specific reliability standard (NUC-001) that
contemplated off-site power availability. That standard contained no reporting requirements outside of those
that may be already established in current procedures. Why try to impose one here?
4) A loss of offsite power
will result in an emergency declaration at the nuclear facility. Notifications will be made to federal (NRC),
state, and local authorities. The control room crew is already overly-burdened with notifications - any
additional call to NERC/Regional Reliability orgs will add insult-to-injury for no beneficial reason. If NERC is
interested, they should obtain info from NRC.
5) If all else fails and the item is to remain on the table, it needs
to be clarified as a “complete” loss of off-site power lasting greater than X minutes (i.e., would we have to
report a complete momentary loss that was rectified in short order by an auto-reclose or quick operator
action?).
Duke Energy
No
o General Comment - many timeframes in Attachment 1 are within one hour. This is inconsistent with the stated aim of the standard, which is after-the-fact reporting, as opposed to real-time operating notifications under RCIS and other standards (e.g. TOP). This standard should not be structured to require another layer of real-time reporting.
o Voltage Deviation - Plus or minus 10% of what voltage?
o Frequency Deviation - this is Interconnection-wide. Do you really want a report from every RC and BA in the Eastern Interconnection??
o Transmission Loss - “Multiple BES transmission elements” should be changed to “Three or more BES transmission elements”. Also, the time to submit the report should be based upon 24 hours after the occurrence is identified.
o Damage or destruction of BES equipment - need clarity on the “Examples”. Is the intent to report an event that meets any one of the four “part a.” sub-bullets? i. - critical asset should be capitalized. Disagree with the phrase “has the potential to result” in section iii. - it should just say “results”. Section iv. is too wide open. It should instead say “Damaged or destroyed with malicious intent to disrupt or adversely affect the reliability of the electric grid.”
o Unplanned Control Center evacuation - see our General Comment above. Clearly in this case the reporting individuals are evacuating and cannot report in one hour. 24 hours should be more than adequate for after-the-fact reporting.
o Fuel Supply Emergency, Loss of off-site power, and Loss of all monitoring or voice communication capability - see our General Comment above. Time to report should be 24 hours after occurrence is identified.
o Forced intrusion, Risk to BES equipment, Detection of a cyber intrusion to critical cyber assets - time to report should be 24 hours after occurrence is identified, and critical cyber assets should be capitalized.
Dynegy Inc.
No
A 2000 MW loss needs to be more clearly defined by either the BA, ISO, RC, etc. for the applicable
entity. Also, what is the distinction between the "damage or destruction of BES equipment" and the generation
loss of >= 2000 MWs if it is a Critical Asset which is currently drafted as those greater than 1500 MW in
current draft of CIP-002-4. This could lead to 2 events with different thresholds (i.e. 1500 MW and 2000
MWs). Possibly get rid of the 2000MW criteria and let the threshold level be the same as the Critical Asset
MW level. Or remove the Critical Asset threshold in the footnote to Attachment 1.
E.ON Climate & Renewables
No
1. Voltage deviation events are too vague for GOP. How does voltage deviations apply to GOP’s or
specifically renewables i.e., wind farms? 2. Define what an “entity” is. 3. Define what a “generating station” is.
4. Define what a “BES facility” is. 6. Define what a control center is.
Electric Market Policy
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable
entity to report the event. This is duplicative and would appear to overburden the reporting system. 2) Loss
of off-site power (grid supply) reporting for nuclear plants is duplicative of reporting done to satisfy NRC
requirements. Given the activity at a nuclear plant during this event, this additional reporting is not desired.
3) Cyber intrusion remains an event that would need to be reported multiple times (e.g., this standard, OE-417,
NRC requirements, etc.). 4) Since external reporting for other regulators (e.g., DOE, NRC, etc.) remains
an obligation of the Applicable Entity, suggest that Attachment 1 only contain impact events as defined in the
current version of EOP-004.
ERCOT ISO
No
ERCOT ISO requests the reporting timeframes be changed to reflect a 24 hour requirement for all events in
Attachment 1. During an impact event, operating personnel are generally involved in event resolution and not
available immediately to submit reports. ERCOT ISO requests that the “Detection of a cyber intrusion to a
critical cyber asset” be removed. There are established processes defined for incident response supporting
CIP-008. By including this element in Attachment 1, the Operating requirement R2 would also require
procedure documents for cyber security incident response. This would be redundant and would remove the
responsibility away from the subject matter experts for cyber security incident response.
Exelon
No
The listed Impact Events is lacking specific physical security related events. In general, all impact events
need to be as explicit as possible in threshold criteria to eliminate any interpretation on the part of a reporting
entity. Ambiguity in what constitutes an "impact event" and what the definition of "occurrence" is will
ultimately lead to confusion and differing interpretations.
FirstEnergy
No
1. The table in Att. 1 and the requirements should alleviate the potential for duplicate reporting. For example, If the RC submits a report regarding a Voltage deviation in its footprint, the report should be submitted by the RC on behalf of the RC, TOP, and GOP, and not require the TOP and GOP to submit duplicate reports.
2. Regarding the "Note" before the table - We agree that under certain conditions it is not possible to issue a written report in a given time period. However, the ERO and RE should also be required to confirm receipt of the verbal communication in writing to prove that the entity communicated the event as these verbal notifications may be done by an entity using an unrecorded line.
3. Organizations with many registered entities should be permitted to submit one report to cover multiple entities under one parent company name. We suggest this be made clear in the Tables, the reporting form, and in the requirements.
4. Voltage Deviations Event - We suggest the team provide more clarity with regard to the types and locations of voltage deviations that constitute an event.
5. Examples of BES Equipment in Part A of "Actual Reliability Impact" Table - Is the phrase "critical asset" referring to the CIP defined term? If so, this should be capitalized.
6. Under the "Time to Submit Report" column of the table, we suggest that all of the phrases end in "after identification of the
occurrence". 7. Frequency Trigger Limit (FTL) for the Frequency Deviation event should be replaced with the
values the FTL represent. The FTL is part of the BAAL Standards which have not been approved by the
industry and are not in effect. It is possible that these terms are not used by those not participating in the field
trial of the BAAL standards.
Great River Energy
No
Comments: Please provide a phone number and provision within the Note of EOP-004 - Attachment 1: Impact
Events table for an entity to contact NERC if unable to contact NERC within the time described.
Voltage Deviations - recommend adding the word “(continuous)” after sustained in Threshold column. This could be
interpreted as an aggregate value over any length of time.
Frequency deviations - recommend adding the
word “(continuous)” after 15 minutes’ in Threshold column. This could be interpreted as an aggregate value
over any length of time.
CIP-008 R1.3 states the entity is to report Cyber Security Incidents to the ES_ISAC.
Does the EOP-004 Attachment 2 fulfill this requirement?
We request clarification on the Transmission Loss
threshold events that constitute reporting. We also want clarification on what constitutes the loss of a DC
Converter station and is there a time duration that constitutes the need for reporting or does each trip need to
be reported? For example during a commutation spike the DC line could be lost for less than a minute. Does
this loss require a report to be submitted? Is the SDT stating that each time a company loses their DC line,
they are required to file a report even though it may not have an effect on the bulk system? What is the
threshold for this loss?
The SDT needs to clarify that duplicative reporting is not required and that only one
entity needs to report. For instance, the first three categories regarding energy emergencies could be
interpreted to require the BA and RC to both report. The reporting responsibilities in this table should be
clarified based on who has primary reporting responsibility for the task per the NERC Functional Model and
require only one report. For instance, since balancing load, generation and interchange is the primary
function of a BA per the NERC Functional Model, only the BA should be required to provide this report. The
term Frequency Trigger Limit (FTL) is not currently defined in the NERC Glossary. The term FTL needs to be
introduced at the beginning of the standard and defined as a new term.
Indeck Energy Services
No
Loss of off-site power is important to more than just nuclear plants--but which ones? Control centers or other
large generators. But not small generators! Should there be a common element to Attachment 1, like the
potential to cause a Reportable Disturbance, or maybe there need to be multiple criteria like that.
Independent Electricity System Operator
No
We do not support the 1 hour reporting time frames for Emergency Energy, System Separation, unplanned
Control Center evacuation, Loss of off-site power, Loss of monitoring or voice communication. Energy
emergency is broadcast on the RCIS which also goes to the ERO so its explicit reporting is not necessary
(System Operations please verify). During other events listed above, the responsible entities will likely be
concentrating its effort in returning the system to a stable and reliable state. Reporting to anyone not having
direct actions to control, mitigate and contain the disturbances is secondary to restoring the system to a
reliable state. Since these are after the fact reports for awareness and/or analysis and not for real-time
responses, these can be reported at a later time, up to 24 hours after the initial occurrence without any
detriment to reliability, or at the very earliest: up to 1 hour after the system has returned to a reliable state, or
after the backup control centre is fully functional, or after backup power is restored to the nuclear power plant,
or after monitoring or voice communication is restored.
IRC Standards Review Committee
No
We do not agree with the requirement to report “detection of a cyber intrusion to critical cyber assets” as this
creates a double jeopardy situation between CIP-008 and EOP-004-2 R2.6. We suggest that physical incident
reporting be part of EOP-004 and cyber security reporting be part of CIP-008.
ISO New England Inc.
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable
entity to report the event. This is duplicative and would overburden the reporting system. 2) Loss of off-site
power (grid supply) reporting for nuclear plants is duplicative of reporting done to satisfy NRC requirements.
Given the activity at a nuclear plant during this event, this additional reporting is not desired. 3) Cyber
intrusion remains an event that would need to be reported multiple times (e.g., this standard, OE-417, NRC
requirements, etc.). 4) Since external reporting for other regulators (e.g., DOE, NRC, etc.) remains an
obligation of the Applicable Entity, suggest that Attachment 1 only contain impact events as defined in the
current version of EOP-004. What are the examples at the bottom of page 14 supposed to illustrate? Critical
Asset should have the appropriate capitalization as being a defined term. Is Critical Asset what is intended to
be used here? Should the “a” list be read as ANDs or ORs? Does “loss of all monitoring communications”
mean “loss of all BES monitoring communications”? Does “loss of all voice communications” mean “loss of
all BES voice communications”? Are the blue boxes footnotes or examples? Does “forced intrusion” mean
“physical intrusion” (which is different from “cyber intrusion”)? Regarding “Risk to BES Equipment,” request
clarification of “non-environmental”. Regarding the train derailment example, the mixture of BES equipment
and facility is confusing. Request clarification for when the clock starts ticking. Regarding “Detection of a cyber
intrusion to critical cyber assets”, there is concern that this creates a double jeopardy situation between
CIP-008 and EOP-004-2 R2.6. Suggest physical incident reporting be part of EOP-004 and cyber security
reporting be part of CIP-008.
Kansas City Power & Light
No
We agree with the event descriptions listed in Attachment 1 and the review and revision of the impact table by
the ERO is appropriately addressed in R7 but the time periods allowed to complete the new, longer
preliminary report is insufficient. The correlation of this with the timing of the reporting quarterly and annually
or pushing information for other entities' situational awareness does not allow the registered entity adequate
time to thoughtfully consider the event and proposed root cause.
Luminant Energy
No
The Impact Events Table might be easier to clarify if organized by Reporting Entity rather than Event Type as
events vary substantially based on the affected BES component. For example, a GO or GOP cannot
adequately determine if an event will significantly affect the reliability margin of the system or if an event
results in an IROL. Examples specific to Reporting Entities would assist in more appropriate report
submissions. Additionally, the footnote under examples of Damage or Destruction of BES Equipment, cites “A
critical asset”. This term must be clarified to indicate whether this refers to a Critical Asset as defined by
CIP-002-1. Finally, the Fuel Supply Emergency item requires additional definitions as neither a GO nor a GOP can
reasonably project if an individual fuel supply chain problem will result in the need for emergency actions by
the RC or BA.
MidAmerican Energy
No
New vague criteria in Attachment one such as “damage to a BES element through an external cause” or
“transmission loss of multiple BES elements which could mean two or more” is the opposite of clear standards
writing or results based standards.
Midwest ISO Standards
Collaborators
No
Several categories require duplicate reporting.
For instance, the first three categories regarding energy
emergencies could be interpreted to require the BA and RC to both report. The reporting responsibilities in
this table should be clarified based on who has primary reporting responsibility for the task per the NERC
Functional Model and require only one report. For instance, since balancing load, generation and interchange
is the primary function of a BA per the NERC Functional Model, only the BA should be required to provide this
report. As another option, perhaps the registered entity initiating the action should submit the report. If the
BA did not take action and the RC had to direct the BA to take action, one could argue that perhaps the RC
should submit the report then. However, if the BA takes action appropriately on their own, the BA should
submit it. If the TOP reduces voltage for a capacity and energy emergency per a directive of the BA, then the
BA should report the event.
MRO's NERC Standards Review Subcommittee
No
Please provide a phone number and provision within the Note of EOP-004 - Attachment 1: Impact Events
table for an entity to contact NERC if unable to contact NERC within the time described. Voltage Deviations -
recommend adding the word “(continuous)” after sustained in Threshold column. This could be interpreted as
an aggregate value over any length of time. Frequency deviations - recommend adding the word
“(continuous)” after 15 minutes in Threshold column. This could be interpreted as an aggregate value over
any length of time. CIP-008 R1.3 states the entity is to report Cyber Security Incidents to the ES-ISAC. Does
the EOP-004 Attachment 2 fulfill this requirement?
Nebraska Public Power District
No
Since the reporting under this standard is for after the fact reporting, the minimum time to report should be the
end of the next business day. The combination of the extremely short time periods to file a report and the
amount of detail required in attachment 2 will lead to a reduction in the reliability of the BES. System
Operators will be forced to take focus off their primary responsibility to respond to the event in order to
complete the report within the required timeframe (within an hour for some events). During non-business
hours the only personnel available to complete the reports will be those responsible for real-time operation of
the BES. Since the background indicates this standard is only for after the fact reporting, the minimum
required time to submit the report should be one business day to permit completion of the report without
distracting from the real-time operation of the BES. Real-time reporting requirements are covered in other
standards and should be to the Reliability Coordinator and from the Reliability Coordinator to NERC. For after
the fact reporting, there is absolutely no reliability benefit for requiring reporting to be completed on such a
short timeframe. This is especially true due to the amount of data required by Attachment 2.
NERC Staff
No
The SDT should clarify its use of the term “critical asset” in the Examples section under Part A of the table.
The term or versions of the term are used in different contexts in the NERC Reliability Standards. For
instance, in CIP-002-1, Requirement 1, the Critical Asset Identification Method is used to identify its critical
assets. In EOP-008-0, Requirement 1.3, the applicable entity is required to list its “critical facilities” in its
contingency plan for the loss of control center functionality. The team should confirm what it is referring to in
this proposed standard. To avoid confusion, the SDT may want to consider using a different term here or
better clarify its meaning. Further, there exists the potential to have disparate reporting criteria in this
proposed standard relative to the criteria being proposed by the Events Analysis Working Group as part of the
Events Analysis Process document dated October 1, 2010. In particular, the following areas should be
reconciled between the drafting team and the EAWG to ensure a consistent set of threshold criteria:
Voltage Deviations -- EOP-004-2: Greater than or equal to 15 minutes -- EAWG Process: Greater than or equal to 5 minutes
System Separation (Islanding) -- EOP-004-2: Greater than or equal to 100 MW -- EAWG Process: Greater than or equal to 1000 MWs
System Separation (Islanding) -- EOP-004-2: Does not address intentional islanding as in the case of Alberta, Florida, New Brunswick -- EAWG Process: Addresses intentional islanding as in the case of Alberta, Florida, New Brunswick
SPS/RAS -- EOP-004-2: Does not expressly address proper SPS/RAS operations or failure, degradation, or misoperation of SPS/RAS -- EAWG Process: Expressly addresses proper SPS/RAS operations or failure, degradation, or misoperation of SPS/RAS
Transmission Loss -- EOP-004-2: Identifies Multiple BES transmission elements -- EAWG Process: Provides specificity in Category 1a and 1b regarding transmission events
Damage or destruction of BES equipment -- EOP-004-2: Through operational error, equipment failure, or external cause but not linked to loss of load -- EAWG Process: Identifies in Category 2h equipment failures linked to loss of firm system demands
Forced intrusion -- EOP-004-2: Addressed -- EAWG Process: Not addressed
Risk to BES equipment -- EOP-004-2: Addressed -- EAWG Process: Not addressed
Detection of a cyber intrusion to critical cyber assets -- EOP-004-2: Addressed -- EAWG Process: Not addressed
North Carolina Electric Coops
No
This list is too similar and redundant to the DOE requirements and does not provide any additional clarity on
recognition of sabotage.
Northeast Power Coordinating Council
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable
entity to report the event. This is duplicative and would overburden the reporting system. 2) Loss of off-site
power (grid supply) reporting for nuclear plants is duplicative of reporting done to satisfy NRC requirements.
Given the activity at a nuclear plant during this event, this additional reporting is not desired. 3) Cyber
intrusion remains an event that would need to be reported multiple times (e.g., this standard, OE-417, NRC
requirements, etc.). 4) Since external reporting for other regulators (e.g., DOE, NRC, etc.) remains an
obligation of the Applicable Entity, suggest that Attachment 1 only contain impact events as defined in the
current version of EOP-004. What are the examples at the bottom of page 14 supposed to illustrate? Critical
Asset should have the appropriate capitalization as being a defined term. Is Critical Asset what is intended to
be used here? Should the “a” list be read as ANDs or ORs? Does “loss of all monitoring communications”
mean “loss of all BES monitoring communications”? Does “loss of all voice communications” mean “loss of
all BES voice communications”? Are the blue boxes footnotes or examples? Does “forced intrusion” mean
“physical intrusion” (which is different from “cyber intrusion”)? Regarding “Risk to BES Equipment,” request
clarification of “non-environmental”. Regarding the train derailment example, the mixture of BES equipment
and facility is confusing. Request clarification for when the clock starts ticking. Regarding “Detection of a cyber
intrusion to critical cyber assets”, there is concern that this creates a double jeopardy situation between
CIP-008 and EOP-004-2 R2.6. Suggest physical incident reporting be part of EOP-004 and cyber security
reporting be part of CIP-008.
Pacific Northwest Small Public Power Utility Comment Group
No
Footnote 1 is missing from Part A, although it is referenced in column 1 row 11. Is this the Examples? The
purpose of the Examples is unclear. Is it meant to limit the scope to those enumerated? This is not stated, but
if not it should be removed since it adds confusion. What is meant by non-environmental? All external causes
of damage or destruction come from the environment by definition. Please specify what is intended or remove
the word.
PacifiCorp
No
Energy Emergency requiring firm load shedding - An SPS/RAS could operate shedding firm load but no
Energy Emergency may exist. This requires clarification. Transmission Loss - Multiple BES transmission
elements. Loss of two transmission lines in the same corridor due to a wildfire could qualify for this reporting.
Once again clarification needed.
Pepco Holdings, Inc - Affiliates
No
Some items with one hour reporting (such as Unplanned Control Center evacuation) may be so disruptive to
operations that one hour is too short. 4 hours suggested.
PPL Electric Utilities
No
While we think providing an impact event list is beneficial, we would like to see Attachment 1 revised and/or
clarified. Refer to response to Question 2 considering duplicate reporting. Regarding impact event ‘Damage
or destruction of BES equipment’ and considering the first example in the ‘Examples’ section, does ‘example
a. i.’ mean if the BES equipment that is damaged is not identified as a critical asset per CIP-002 that no
reporting is required? Clarify the Part A and Part B, specifically: Attachment 1 Part A is labeled ‘Actual
Reliability Impact’. Does this title mean that for all events listed that the ‘threshold for reporting’ is only met if
the event occurs AND there is an actual reliability impact? As opposed to Part B where the threshold for
reporting is met when the event occurs and there is a potential for reliability impact? This could be broad for
event ‘risk to BES equipment’. Providing as much clarity as possible on the ‘threshold for reporting’ is
beneficial to the industry and will help eliminate confusion with the existing CIP-001 standard regarding
‘potential sabotage’.
PPL Supply
No
Attachment 1 Part A is labeled "Actual Reliability Impact". Does this title mean that for all events listed the
"threshold for reporting" is only met if the event occurs AND there is an actual reliability impact? As opposed
to Part B where the threshold for reporting is met when the event occurs and there is a potential for reliability
impact? This could be broad for events like "Risk to BES equipment."
PSEG Companies
No
For many items, there are multiple entities listed with reporting obligations. For example, loss of off-site
power to a nuclear plant lists RC, BA, TOP, TO, GO and GOP. This appears to result in the potential for the
sending of 6 separate reports within the hour for the same event, which in wide area disturbances overload
the recipients. The drafting team should consider revising the lists where possible to a single, or absolute
minimum number, entity. Those items reportable OE-417 should be removed from Attachment 1. For
example, voltage reduction, loss of load for greater than 15 minutes. The trigger for voltage reduction should
be the time of issuance of the directive to reduce voltage in an emergency, not when "identified."
Puget Sound Energy
No
The proposed standard does not adequately ensure that the impact events subject to its requirements are
limited to those listed in Attachment 1. In order to ensure that this is true, the term “impact event” should be a
defined term and that definition should clearly limit impact events to those listed in Attachment 1.
Santee Cooper
No
The SDT should review the list of events closely to determine if the defined events actually impact the BES.
(For example: Is shedding 100 MW of firm load really a threat to the BES?)
SERC OC Standards Review Group
No
Will all reporting requirements be removed from other standards to avoid duplication? And will all future
standard revisions include revisions to this standard to incorporate associated reporting requirements? There
is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
Southern Company - Transmission
No
The time to submit report column needs to be more flexible with time frames. The Entity with Reporting
Responsibility column needs to be more descriptive in which there are multiple entities with hierarchy
reporting.
United Illuminating
No
UI agrees but the listing needs to be improved for clarity in certain instances. For example, EOP-004
Attachment 1 Part A - Example iii - uses the phrase “significantly affects the reliability margin of the system.”
Significantly is an immeasurable concept and does not provide guidance to the Entity. The phrase “reliability
margin” is not defined and is open to interpretation. Perhaps utilize “resource adequacy”, if that is all that is
intended, or use “adequate level of reliability”.
US Bureau of Reclamation
No
The Attachment is very vague and without modification creates a Pseudo definition of BES equipment in the
example provided. The example now indicates that something is BES equipment if it is "Damaged or
destroyed due to a non-environmental external cause". Perhaps the example should be reworded to "BES
equipment whose operation effects or causes:" and then adjust each of the line items to clarify what was
intended. Next, the Attachment A example redefines reportable levels for Risk to BES Equipment - From a
non-environmental physical threat as "Report copper theft from BES equipment only if it degrades the ability
of equipment to operate correctly". Who makes that determination? Not all events will be known within 24
hours. As example, Risk to BES Equipment - From a non-environmental physical threat may not be known
until more thorough examination or investigation takes place. Also the reportable level appears to be defined
by the Entity. While we agree with that, we will end up with the same criticism from FERC when the level is set to
"high" in FERC's mind. The reporting times are unrealistic for complicated events. Notification is reasonable
but not reporting. Many organizations have internal processes the reports must be vetted through before
they become public and subject to compliance scrutiny.
We Energies
No
I did not compare this standard to the OE-417 form. Please do not require operators to fill out a second form
during an emergency within one hour.
Energy Emergency requiring Public appeal...: “Public” is not a defined term.
Energy Emergency requiring system-wide voltage...: DP does not control BES voltage.
Energy Emergency requiring firm load shed...: TOP does not have load it would shed for an Energy Emergency.
Frequency Deviations: Why is a BA reporting? This will be every BA in the Interconnection
reporting the same Frequency Deviation.
Frequency Deviations: Frequency Trigger Limit is not a defined term, and is not defined in this standard.
Loss of Firm Load...: TO and TOP may coordinate or direct load shed, but they do not serve firm load.
Damage or destruction of BES... There is no footnote 1 on this page. I
assume it is the examples on the page. Are these “examples” of a larger set or are these all that is required?
Critical Asset is a defined term.
Forced Intrusion: “facility” or Facility? An RC and BA do not have Facilities.
Georgia System Operations
Corporation
Yes
We support the concept of Impact Events and listing and describing them in a table. However, we have some
concerns. Reporting of impact events should not be applicable to a DP. The timelines outlined in Attachment 1
should be targets to try to meet but it should not be a compliance violation of the reporting requirement if it is
not met. Regarding the NOTE before the table, verbal reports and updates should be allowed for other than
certain adverse conditions like severe weather as well as adverse conditions. The first priority for all entities
should be addressing the effects of the impact event. It may not be possible to assess the damage or the
cause of an impact event in the allotted time. All entities should make their best effort to quickly report under
any circumstances what they know about the event even if it is not complete. They should be allowed to
report up through a hierarchy. The written report should not be issued until adequate information is available.
Change "Preliminary Impact Event Report" to "Confidential Impact Event Report." Capitalization throughout
this table is inconsistent. Sometimes an event is all capitalized. Sometimes not. It is not in synch with the
NERC Glossary. All terms that remain capitalized in the next draft (other than when used as a title or heading)
should be defined in the Glossary of Terms Used in NERC Reliability Standards. Examples of
inconsistencies: Unplanned Control Center evacuation, Loss of off-site power, Voltage Deviations.
-Energy Emergency requiring a public appeal or a system-wide voltage reduction: All The NERC Glossary defines
Energy Emergency as a condition when a LSE has exhausted all other options and can no longer provide its
customers’ expected energy requirements. The events should not be described as an Energy Emergency
requiring public appeal or system-wide voltage reductions. If public appeal and system-wide voltage
reductions are still an option then all options have not been exhausted, the LSE can still provide its customers'
energy requirements, and it is not an Energy Emergency. We suggest using "Energy Emergency Alert" rather
than "Energy Emergency."
-Energy Emergency requiring firm load shedding: load shedding via automatic
UFLS or UVLS would not necessarily be due to an Energy Emergency. Other events could cause frequency
or voltage to trigger a load shed. Most likely an entity would be seeing the Energy Emergency coming and
would be using manual load shedding.
-Forced intrusion and detection of cyber intrusion to critical cyber
assets: CIP-008 is not referenced for a forced intrusion. CIP-008 is referenced for a detection of cyber
intrusion impact event. Aren't there reportable events per CIP-008 that involve physical intrusion that are not
intrusions at a BES facility?
-Risk to BES equipment: The threshold states that it is for a non-environmental
threat but the examples given are environmental threats. Please clarify.
Manitoba Hydro
Yes
Though R7 indicated Attachment 1 will be reviewed and revised regularly the immediate addition of: “Detection
of suspected or actual or acts or threats of physical sabotage” should be added.
City of Austin dba Austin Energy
Yes
Green Country Energy
Yes
Idaho Power Company
Yes
Pacific Gas and Electric Company
Yes
PacifiCorp
Yes
PNM Resources
Yes
RRI Energy, Inc.
Yes
TransAlta Corporation
Yes
11. Do you agree with the use of the Preliminary Impact Event Report (Attachment 2)? Please explain in the comment box
below.
Summary Consideration:
Most commenters who responded to this question disagreed with some aspect of the Preliminary
Impact Event Report. The proposed Preliminary Impact Event Report (Attachment 2) generated comments regarding the duplicative
nature of the form when compared to the OE-417. The DSR SDT has added language to the proposed form to clarify that NERC will
accept a DOE OE-417 form in lieu of Attachment 2 if the responsible entity is required to submit an OE-417 form.
In collaboration with the NERC Event Analysis Working Group (EAWG) the DSR SDT proposes to modify the attachment to eliminate
confusion. This revised form will be used as Attachment 2 of the Standard and is the only required information for EOP-004-2
reporting. Further information may be requested through Events Analysis Process (NERC Rules of Procedure), but this information is
outside of the scope of EOP-004.
The DSR SDT has also clarified what the form is to be used for with the following language added:
“This form is to be used to report impact events to the ERO.”
Organization
Yes or No
Question 11 Comment
City of Austin dba Austin Energy
Austin Energy would like to see OE-417 incorporated into the electronic form. This will reduce the callout of
EOP-004-2 and OE-417 forms in our checklists / documents and one form can be submitted to NERC and
DOE.
Independent Electricity System
Operator
TBD
Ameren
No
It is unclear when this should be used, or why.
ATC
No
No. NERC does not have the authority to absolve the Functional Entities of the reporting obligations for the
DOE Form OE-417. Therefore, there will be duplicate reporting requirements and the one hour timeframes
required in Attachment 1 will take valuable resources away from mitigating the event to filling out duplicative
paperwork. It is ATC’s position that the OE-417 report be used as the main reporting template until NERC and
the DOE can develop a single reporting template. Task #14 in the report should be modified to say, “Identify
any known protection system misoperation(s).” If this report is to be filed within 24 hrs, there will not be
enough time to assess all operations to determine any misoperation. As a case in point, it typically takes at
least 24 hrs to receive final lightning data; therefore, not all data is available to make a determination.
ATCO Electric Ltd.
No
Attachment 2 Item 4 implies that an entity is required to analyse and report on an impact event that occurred
outside its system. This is not practical as the entity will not have access to the necessary information.
BGE
No
There is considerable difference between this form and OE-417 necessitating that two forms be completed.
BGE believes that the purpose of combining the standards was to reduce the number of reporting entities and
number of reports to be generated by each entity. BGE believes this fails to accomplish this purpose.
City of Garland
No
The report filed should be the OE-417 ELECTRIC EMERGENCY INCIDENT AND DISTURBANCE REPORT
and should be filed only on OE-417 reportable incidents. If this report is implemented as drafted, companies
with multiple registration numbers and functions should only have to file one report for all functions and
registrations.
Consolidated Edison Co. of NY,
Inc.
No
It is not clear why the DOE form cannot be used. NERC should make every effort to minimize paper work for
entities responding to system events.
Constellation Power Generation
and Constellation Commodities
Group
No
It is unclear if an entity has to answer all the questions. In addition, “Preliminary” is not currently included in
the report title.
Electric Market Policy
No
There is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
ERCOT ISO
No
ERCOT ISO requests the use of a single report format to meet all requirements from NERC and DOE. There
is no value added in requiring different reporting to different agencies.
Exelon
No
Exelon agrees with the use of the report but feels that # 5 should consist of check boxes. #12, 13, and 14 will
take more time than allotted by the reporting requirements to acquire, cannot be accomplished in an
hour. Attachment 2 should have a provision for the reporting entity to enter (N/A) based on function (see
below)
Check box #8: A GO/GOP may not have the information to determine what the frequency was prior to
or immediately after an impact event. This information should be the responsibility of a TOP or RC.
Check box #9: A GO/GOP may not have the information to determine what transmission facilities tripped and locked out.
This information should be the responsibility of a TO, TOP or RC.
Check box #10: A GO/GOP may not have the
information to determine the number of affected customers or the demand lost (MW-Minutes). This
information should be the responsibility of a TO, TOP, or RC.
Great River Energy
No
NERC and the DOE need to coordinate and decide on which report they want to use and whichever report it
is needs to include all information required by both entities. The way this standard is currently written there is
the potential that two government entities may need to be reported to in a relatively short period of time. It is
not clear what benefit providing the Compliance Registration ID number provides. Many of the registered
entities employees that will likely have to submit the report, particularly given the one-hour reporting
requirement for some impact events, will not be aware of this registration ID. However, they will know for
what functions they are registered. We recommend removing the need to enter this compliance registration
ID or extending the time frame for reporting to allow back office personnel to complete the form. For item two,
please change “Time/Zone:” with “Time (include time zone)”. As written it is a little confusing.
Idaho Power Company
No
There should only be one report, utilized OE-417
Indeck Energy Services
No
The form needs to identify whether it is a preliminary or final report. An identifier should be created to tie the
final to the preliminary one. Some fields, 1, 2, 3, 5 & 6, are required for the preliminary report and should be
labeled as such. With the 1 hour reporting deadline for some events, the details may not be known. 12 & 13
should be required for the final report. 13 should designate whether the cause is preliminary or final. 7-11 &
14 are optional, and the form should state this, and based on some types of events. It's confusing to have
irrelevant blanks on the form.
IRC Standards Review
Committee
No
Attachment 2 is not referenced in the standard requirements. Is it a part of the standard that an entity must
use to file the impact event reports to a specific recipient? If so, this needs to be referenced in the
standard. We question the need for using a fixed format for reports that vary from “shedding firm load” to
“damaging equipment”. The nature of impact events varies from one event to another and hence a fixed
format or pre-determined form may not be able to provide the appropriate template that is suitable for use for
all events. We urge the SDT to reconsider the use of Attachment 2 for reporting events, with due
consideration to the actual intent of the standard (as pointed out in our comments under Q1).
ISO New England Inc.
No
There is already a DOE requirement to report certain events. There is no need to develop redundant
reporting requirements to NERC that cross other federal agency jurisdictions. The heading on page 16 refers
to EOP-002, but this is Standard EOP-004. If some questions do not require an answer all of the time, then
the form should state that or provide a NA checkbox. While Attachment 1 details some cyber thresholds,
Attachment 2 provides no means to report - which is acceptable if cyber incidents are handled by CIP-008 per
the comment provided for Question 10. The Event Report Template in Appendix A is different from the most
recent version, which is available at:
http://www.nerc.com/docs/eawg/Event_Analysis_Process_WORKINGDRAFT_100110-Clean.pdf
Kansas City Power & Light
No
For easier classification and analysis of events for both external reporting to the ERO and internal reporting
for the applicable entity, the form should include Event Type. The DSR SDT should code each event type
and include the codes as part of Attachment 1.
Manitoba Hydro
No
Though a “Confidential Impact Event Report” is much needed the Attachment 2 needs refinement. Provide an
explanation for each “task”. Isolate and simplify the “Who, When and What” section. Isolate the description of
event. Remove items 7 to 10. Modify Attachment 1, add columns to indicate time of event, quantity, restore
time, etc as required. The Attachment 1 can be attached to Attachment 2. This could simplify and speed the
reporting process.
MidAmerican Energy
No
Midwest ISO Standards
Collaborators
No
This form differs from the DOE reporting forms. We do not believe different reporting forms should be
required. The DOE form should be sufficient for NERC reporting. It is not clear what benefit providing the
Compliance Registration ID number provides. Many of the registered entities’ employees that will likely have
to submit the report, particularly given the one-hour reporting requirement for some impact events, will not be
aware of this registration ID. However, they will know for what functions they are registered. We recommend
removing the need to enter this compliance registration ID or extending the time frame for reporting to allow
back office personnel to complete the form. For item two, please change “Time/Zone:” with “Time (include
time zone)”. As written it is a little confusing.
MRO's NERC Standards Review
Subcommittee
No
Number 4 of the reporting form does not take into consideration potential impact events. Recommend changing
“Did the impact event originate in your system?” to “Did the impact event originate or affect your system?”.
This will provide clarity to entities.
Nebraska Public Power District
No
If the standard requires submission of the report within an hour (which is not appropriate), there must be an
abbreviated form that can be quickly filled out by checking boxes and not require substantial narrative. The
existing form has too much free form text that takes time to enter and with the short timeframe for reporting
will distract the entities responsible for real-time reliability of the BES from that task by forcing them to
complete after the fact reports. It is unrealistic to expect entities to staff personnel to complete the reporting
24 x 7 for unlikely events, so the task will fall to System Operators who should be focusing on operating the
BES at the time of these events instead of providing after the fact reporting to entities that do not have
responsibility for real-time operation of the BES. Real-time reporting to the RC and/or BA is covered under
other standards and is necessary for the RC to have situational awareness, but is not covered under this
standard. The registered entities may report to the proper law enforcement entities when the situation
warrants, but again this form is not the appropriate way to handle that reporting requirement.
NERC Staff
No
Item 15: A one-line diagram should be attached to assist in the understanding and evaluation of the
event. Two additional items are recommended:
-- Ongoing reliability impacts/system vulnerability - this would capture areas where one is not able to meet operating reserves or is in an overload condition, below voltage limits, etc. in real-time
-- Reliability impacts with next contingency - this would capture potential impacts as outlined above with the next contingency.
North Carolina Electric Coops
No
There is already a DOE requirement to report certain events. NERC should not be developing redundant
reporting requirements when this information is already available at the federal level from other agencies.
Northeast Power Coordinating
Council
No
There is already a DOE requirement to report certain events. There is no need to develop redundant
reporting requirements to NERC that cross other federal agency jurisdictions. The heading on page 16 refers
to EOP-002, but this is Standard EOP-004. If some questions do not require an answer all of the time, then
the form should state that or provide a NA checkbox. While Attachment 1 details some cyber thresholds,
Attachment 2 provides no means to report - which is acceptable if cyber incidents are handled by CIP-008 per
the comment provided for Question 10. The Event Report Template in Appendix A is different from the most
recent version, which is available at:
http://www.nerc.com/docs/eawg/Event_Analysis_Process_WORKINGDRAFT_100110-Clean.pdf
Pacific Gas and Electric
Company
No
PG&E believes the report is duplicative to the OE-417 reporting criteria.
Pacific Northwest Small Public
Power Utility Comment Group
No
We found no “Preliminary Impact Event Report” in the posted draft standard, so we assume the question is
regarding the “Confidential Impact Report” (Attachment 2). It is unclear what role the form plays, since no
requirement refers to it. If this is the form to report impact events per R6, then R6 should reference it. The
comment group cautions that the use of the word “confidential” should be carefully considered, since many
filled out forms that originally contained the word are now posted on the NERC website for all to see. If there
are limits to the extent and/or duration of the confidentiality this should be clearly stated in the form, or the
word should be avoided. Protection System misoperation reporting is already covered by PRC-004. Including
it here is redundant, and doubly jeopardizes an entity for the same event.
PacifiCorp
No
As previously mentioned all effort should be made to ensure duplicate reporting is not required. OE-417
requirements should be covered by this one form.
Pepco Holdings, Inc - Affiliates
No
The list of events misses many items considered as suspicious or potential sabotage, such as suspicious
observation of critical facilities.
PNM Resources
No
PNM believes the report is duplicative to the OE-417 reporting criteria.
PSEG Companies
No
The top of this form should have the following statement added: "This form is not required if OE-417 is
required to be filed."
Puget Sound Energy
No
Attachment 2 is not referenced in the requirements of the proposed standard. As a result, it is not clear when
its submission would be required.
Santee Cooper
No
If the DOE form is going to continue to be required by DOE, then NERC should accept this form. Entities do
not have time to fill out duplicate forms within the time limits allowed for an event. This is burdensome on an
entity.
SERC OC Standards Review
Group
No
There is already a DOE requirement to report certain events. We see no need to develop redundant reporting
requirements in the NERC arena that cross other federal agency jurisdictions.
TransAlta Corporation
No
We recommend the ‘time to Submit Report’ to start when the event is recognized versus when it occurred.
United Illuminating
No
The standard does not appear to require the use of Attachment 2. Placing the form within the Standard may
require the use of the Standards Development Process to modify the form. UI suggests the form is
maintained outside the Standard to allow it to be adjusted. UI would prefer NERC to establish an internet
based reporting tool to convey the initial reports.
US Bureau of Reclamation
No
There is already a reporting form for disturbances. The SDT should reconcile this standard with all the other
reporting that is being requested and not add more.
We Energies
No
The data required to assess an impact event thoroughly will often not be available or apparent. Immediate
reporting should fall to the RE with assistance/information from the affected entities. There do not seem to be
provisions for when it is impossible to take the time to fill out a form or when it is impossible to send a form. I
did not compare this standard to the OE-417 form. Please do not require operators to fill out a second form
during an emergency within one hour.
WECC
No
The report is duplicative to the OE-417 reporting criteria.
Bonneville Power Administration
Yes
Item 8: list Hz minimum on the second line prior to Hz max since that is the typical frequency excursion
order. The Operating Plan is going to have to include the Compliance Registration ID number, since Operating
Personnel don’t carry that information around and it is not readily available.
Duke Energy
Yes
However, Attachment 2 is titled “Impact Event Reporting Form”.
E.ON Climate & Renewables
Yes
Suggestions on the form: if an entity has not had time to fully determine the cause of an Impact Event such as
for “Question # 4: Did the impact event originate in your system, yes or no?”, perhaps more time is needed
than 24 hours to determine the cause.
FirstEnergy
Yes
Although we agree with the report, it should be clear that organizations with many registered entities can
submit one report to cover multiple entities under one parent company.
Georgia System Operations
Corporation
Yes
We support having one form for reporting however every applicable entity should not be required to fill it out
and send it to NERC. See previous comments about hierarchical reporting. The title of the report is
"Confidential Impact Event Report." Some suggested modifications: The form could have a blank added to
enter the event "description" as described in the first column of Attachment 1. The first seven lines contain
information that would most likely be filled out every time. The other lines except line 13 may or may not be
applicable every time. It is required (R3) for an entity to access the initial probable cause of all impact events
so line 13 will most likely be filled out every time. Please move the probable cause line up to line 7 or 8
(depending on if the event description line is added).
PPL Electric Utilities
Yes
Arizona Public Service Company
Yes
Dynegy Inc.
Yes
Green Country Energy
Yes
Luminant Energy
Yes
PacifiCorp
Yes
PPL Supply
Yes
Question 11 Comment
For ease, timeliness, and accuracy of reporting an application with an easy to use interface would be
preferred. If the reporting is done via an application, the ability to enter partial data, save and add additional
info prior to submission would be helpful. Additionally, an application with drop downs to select from for
impact event, NERC function, etc would be helpful. #1 - Is the ‘Compliance Registration ID number’ the same
as the NCR number? If this is required, include as separate entry. #2 - is this the date of occurrence or
detection?
RRI Energy, Inc.
Yes
Southern Company Transmission
Yes
12. The DSR SDT has replaced the terms “disturbance” and “sabotage” with the term “impact events”. Do you agree that the term
“impact events” adequately replaces the terms “disturbance” and “sabotage” and addresses the FERC directive to “further define
sabotage” in an equally efficient and effective manner? Please explain in the comment box below.
Summary Consideration:
There was no consensus amongst commenters who responded to this question. Several commenters
expressed concern that the definition should be added to the glossary. The DSR SDT has proposed a definition for “Impact Events”
to support Attachment 1 as follows:
“An Impact Event is any event that has either impacted or has the potential to impact the reliability of the Bulk Electric
System. Such events may be caused by equipment failure or mis-operation, environmental conditions, or human action.”
The DSR SDT has proposed this definition for inclusion in the NERC Glossary for “Impact Event”. The types of Impact Events that are
required to be reported are contained within Attachment 1. Only these events are required to be reported under this Standard.
Several commenters expressed concern that the team did not define ‘Sabotage’ and FERC directed that the modifications to this
standard include a definition of sabotage. The DSR SDT considered the FERC directive to “further define sabotage” and decided to
eliminate the term sabotage from the standard. The team felt that it was almost impossible to determine if an act or event was that
of sabotage or merely vandalism without the intervention of law enforcement after the fact. This will result in further ambiguity
with respect to reporting events. The term “sabotage” is no longer included in the standard and therefore it is inappropriate to
attempt to define it. The Impact Events listed in Attachment 1 provide guidance for reporting both actual events as well as events
which may have an impact on the Bulk Electric System. The DSR SDT believes that this is an equally effective and efficient means of
addressing the FERC Directive.
Some commenters were concerned that some of the events that require reporting that were specifically listed in the previous
version of the standard are not included in the revised standard. Attachment 1, Part A is to be used for those actions that have
impacted the electric system and in particular the section “Damage or destruction to equipment” clearly defines that all equipment
damage resulting from intentional or non-intentional human error be reported. Attachment 1, Part B covers similar items where the action has not
fully occurred but may cause a risk to the electric system and is required to be reported.
Organization
Yes or No
Question 12 Comment
Bonneville Power Administration
The definition of an impact event in EOP-004-2 seems clear, however the term "mis-operation" still may imply
intent in the action of an individual. The SDT should consider further defining that term.
Independent Electricity System
Operator
We do not have a view on what name is assigned to the reportable events so long as they are listed in
Attachment 1. However, the heading of the Table contains the words “Actual Reliability Impact”, which does
not accurately reflect the content inside the table and which may introduce confusion with the term “impact
event”. We suggest to change them to “Reportable Impact Events”. As we read the Summary of Concept and
Assumption, there appears to be a slightly different list at the bottom of P. 21. With these events included,
the meaning of “impact event” would seem to be too broad. Rather than calling those events listed in
Attachment 1 “impact events”, why not simply call them “reportable events”?
CenterPoint Energy
No
CenterPoint Energy does not agree that the term “impact event” adequately replaces “disturbances” and
“sabotage”. CenterPoint Energy suggests that just as the SDT has come to consensus on a concept for
impact event, a definition could be derived for sabotage. “Potential”, as used in the SDT’s concept, is a vague
term and indicates an occurrence that hasn’t happened. Required reporting should be limited to actual events.
CenterPoint Energy offers the following definition of “sabotage”: “An actual or attempted act that intentionally
disrupts the reliable operation of the BES or results in damage to, destruction or misuse of BES facilities that
result in large scale customer outages (i.e. 300MW or more).”
City of Garland
No
1. In keeping with a Results Based Standard, the impact event should be a trigger for filing a report. At the
time of the event, one may not know if the event was caused by sabotage. Sabotage that does not affect the
BES should not be a reportable event.
2. To comply with the Commissioners request to define sabotage, Impact Event does not adequately replace
“sabotage”. If someone reports sabotage, people universally have a concept that someone(s) have taken
some type of action to purposely harm, disable, cripple, etc something. Impact Event does not convey that
same concept.
3. If Sabotage is left as a “trigger,” it should not include minor acts of vandalism but only acts that impact
reliability of the BES.
Consolidated Edison Co. of NY,
Inc.
No
The definition is open for interpretation beyond events identified in Attachment 1. In addition, all Standards
are supposed to have Rationales. In the Draft Standard, the Rationales do not address the concept of
Potential, and how it relates to an actual system event. Additional work needs to be done addressing the
meaning of “potential”.
Duke Energy
No
We disagree with the stated concept of “impact event”. Including the phrase “or has the potential to
significantly impact” in the concept makes it impossibly broad for practical application and compliance. By not
attempting to define “sabotage”, the standard creates a broad reporting requirement. “Disturbance” is already
adequately defined. “Sabotage” should be defined as “the malicious destruction of, or damage to assets of
the electric industry, with the intention of disrupting or adversely affecting the reliability of the electric grid for
the purposes of weakening the critical infrastructure of our nation.”
Dynegy Inc.
No
The term is fine but FERC wants more specific examples. GO/GOP can't determine the effect on the BES.
E.ON Climate & Renewables
No
Acts of Sabotage is still not defined and if the registered entities are required to report acts of sabotage,
NERC still needs to define this further.
ERCOT ISO
No
Exelon
No
Need to better define sabotage and provide examples, the term “impact events” creates confusion as to what
constitutes an event. The definition of impact event is vague and needs to be quantified or qualified with a
term such as “significant”. Otherwise, almost any event could be deemed to be an impact event. Attachment
1 needs to clearly define that damage or destruction of BES equipment does not include cyber sabotage.
Events related to cyber sabotage are reported in accordance with CIP-008, "Cyber Security - Incident
Reporting and Response Planning," and therefore any type of event that is cyber initiated should be removed
from this Standard. In general, all impact events need to be as explicit as possible in threshold criteria to
eliminate any interpretation on the part of a reporting entity. Ambiguity in what constitutes an "impact event"
and what the definition of "occurrence" is will ultimately lead to confusion and differing interpretations.
FirstEnergy
No
For the most part we support this definition of impact events. However, we have the following suggestions:
1. We believe that it warrants an official NERC glossary definition.
2. The term "potential" in the definition should point to the specific events detailed in Attachment 1 Part B.
3. Since the standard does not cover environmental events, the phrase "environmental conditions" in the definition is not an impact event in the context of this standard.
Great River Energy
No
We believe the SAR scope regarding addressing sabotage has not been addressed at all. It appears that
impact event essentially replaces sabotage. This standard needs to make it clear that sabotage, in some
cases, cannot be identified until an investigation is performed by the appropriate policing agencies such as
the FBI. Intent plays an important role in determining sabotage and only these agencies are equipped to
make these assessments.
Green Country Energy
No
Yes and no ... Yes impact events is an adequate term however since it is restrained by the tables it may be
helpful to define the term and scope of the term to be more inclusive of sabotage events.
Indeck Energy Services
No
Impact Events is OK. It needs to be balloted as a definition for the Glossary like Protection System.
IRC Standards Review
Committee
No
This term and the FERC directive do not recognize limitations in what a registered entity can do to determine
whether an act of sabotage has been committed. This term should recognize law enforcement’s and other
specialized agencies’, including international agencies’, role in defining acts of sabotage and not hold the
registered entity wholly responsible to do so.
ISO New England Inc.
No
The use of the term “impact events” has simply replaced the terms “disturbance” and “sabotage”, and has not
further defined sabotage as directed by FERC. We do feel that “impact events” needs to be a defined term.
While we agree with the SDT’s new direction, the FERC directive has not been met. This term and the FERC
directive do not recognize limitations in what a registered entity can do to determine whether an act of
sabotage has been committed. This term should recognize law enforcement and other specialized agencies,
including international agencies’ roles in defining acts of sabotage, and not hold the registered entity wholly
responsible to do so.
Luminant Energy
No
The term “Impact Event” does not adequately replace the term “Sabotage”. The Impact Events table seems to
provide the definition of the term “Impact Event”. This table does not include sufficient definition for actual
sabotage events. Additionally, it does not include any provision for suspected sabotage events. Assuming the
Damage or Destruction of BES Equipment event type is intended to cover actual sabotage, the Threshold for
Reporting column should include specific levels of materiality that are specific to Functional Entity. For
instance, a GO and GOP could have a MW level to define materiality as a GO or GOP cannot assess impact
to an IROL or system reliability margin due to equipment damage. A threshold value consistent with
“Generation Loss” in the proposed EOP-004 Attachment 1 would be appropriate.
Manitoba Hydro
No
The majority of the items listed in Attachment 1 are typically and historically operating events. Yes these are
all “impact events”. Sabotage, cyber and security are typically viewed as separate events. These events are
not part of “a typical day of BES operations”. These are outside events and though qualify as “impact events”
should still be treated separately.
Midwest ISO Standards
Collaborators
No
We believe the SAR scope regarding addressing sabotage has not been addressed at all. It appears that
impact event essentially replaces sabotage. This standard needs to make it clear that sabotage, in some
cases, cannot be identified until an investigation is performed by the appropriate policing agencies such as
the FBI. Intent plays an important role in determining sabotage and only these agencies are equipped to
make these assessments.
NERC Staff
No
NERC staff is concerned with the ambiguity of the term “impact event.” The definition of the term is not clear,
in part because it includes using the words “impact” and “event” (and thus violates the frowned-upon practice of
using a word to define the word itself). NERC staff recommends the SDT consider using the term “Event.” The
following definition (modified from the one used in the INPO Human Performance Fundamentals Desk
Reference, P. 11) would apply: Event: “An unwanted, undesirable change in the state of plants, systems or
components that leads to undesirable consequences to the safe and reliable operation of the Bulk Electric
System.” Supporting statement following the definition: “An event is often driven by deficiencies in barriers
and defenses, latent organizational weaknesses and conditions, errors in human performance and factors,
and equipment design or maintenance issues.” Further, if this is intended for use in this standard, it should be
presented as an addition to Glossary to avoid confusion with the use of the term event in other standards. Of
course, this would require an analysis of how the term “Event” as defined herein would affect the other
standards to which the term is used. In the end, this is the cleanest manner for the standards.
Northeast Power Coordinating
Council
No
The use of the term “impact events” has simply replaced the terms “disturbance” and “sabotage”, and has not
further defined sabotage as directed by FERC. We do feel that “impact events” needs to be a defined
term. While we agree with the SDT’s new direction, the FERC directive has not been met. This term and the
FERC directive do not recognize limitations in what a registered entity can do to determine whether an act of
sabotage has been committed. This term should recognize law enforcement and other specialized agencies,
including international agencies’ roles in defining acts of sabotage, and not hold the registered entity wholly
responsible to do so.
Pacific Gas and Electric
Company
No
PG&E believes Attachment 1 Part A or B do not clearly specify “sabotage” events, other than “forced entry”
and the proposed definition of “impact event” does not meet FERC’s directive to “further define sabotage” nor
does it take into consideration their request to address the applicability to smaller entities.
Pacific Northwest Small Public
Power Utility Comment Group
No
The comment group fails to see how changing the words meets the directive. Sabotage implies an organized
intentional attack that may or may not result in an electrical disturbance. The distinction between sabotage
and vandalism is important since sabotage on a small system may be the first wave of an attack on many
entities. The proposed standard asks us to treat insulator damage caused by a frustrated hunter (an act of
vandalism) the same as attack by an unfriendly foreign government (an act of sabotage). The comment group
does not agree that these should be treated equally.
Pepco Holdings, Inc - Affiliates
No
The list of events misses many items considered as suspicious or potential sabotage, such as suspicious
observation of critical facilities.
PNM Resources
No
PNM believes the proposed definition of “impact event” does not meet FERC’s directive to “further define
sabotage” nor does it take into consideration their request to address the applicability to smaller entities.
Attachment 1 Part A or B do not clearly specify “sabotage” events, other than “forced entry”.
Puget Sound Energy
No
With some of the tight timeframes for reporting, it is reasonable to focus on impact rather than motivation.
Requiring further analysis of the event in order to assess the possibility that the event was caused by
sabotage, however, may be necessary to address FERC’s concerns with respect to sabotage.
Santee Cooper
No
The term "impact events" needs to be more clearly defined.
US Bureau of Reclamation
No
The two are distinctly different. Disturbances are what happened, sabotage is why. We can easily tell what
happened. Determining why it happened (e.g. sabotage) takes time.
We Energies
No
Impact Event could replace disturbance and sabotage but not in its present form. The proposed definition of
impact event “An impact event is any event that has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure or mis-operation,
environmental conditions, or human action.” is too vague. The “potential to impact the reliability” is too broad
and open to interpretation. It needs to be specific so entities know what is and is not an impact event and so
an auditor clearly knows what it is. Define “impact event” as the items listed in Attachment 1. As you have
done, focusing on an event’s impact on reliability is more important than determining an individual’s intent
(sabotage vs. theft).
WECC
No
The proposed definition of “impact event” does not meet FERC’s directive to “further define sabotage” nor
does it take into consideration their request to address the applicability to smaller entities. Attachment 1 Part
A or B do not clearly specify “sabotage” events, other than “forced entry”. The purpose of CIP-001-1 and its
requirements is to address the specific issue of possible sabotage of BES facilities. This is entirely different
than a “disturbance” or an “event” on the BES. The proposed definition for “impact events” is essentially any
event that has either impacted the BES or has the potential to impact the BES, caused only by three specific
things; equipment failure or misoperation, environmental conditions, or human action. Several of these
“impact events” could be a result of sabotage. Actual or potential sabotage clearly poses a risk to the reliability
of the BES. It is important that the risks related to sabotage be reflected in either EOP or CIP
Ameren
Yes
However, the term Impact Event should be a new defined term. When the SDT determines this, it should use
the term consistently on both pages 5 and 21 of the SDT document.
ATC
Yes
Yes, if ATC’s recommended changes are made to Attachment 1 and the Standard.
BGE
Yes
The defined term “impact events” should be capitalized throughout the document to identify it as a defined
term. Additionally, BGE has noted in several comments that another term is used instead of “impact events”.
These terms should be eliminated and use “impact events” instead.
Electric Market Policy
Yes
The use of the term “impact events” has simply replaced the terms “disturbance” and “sabotage” and has not
further defined sabotage as directed by FERC. We do feel that impact events needs to be a defined term.
Georgia System Operations
Corporation
Yes
The new term is much more clear than those two terms. This will improve uncertainty and confusion regarding
whether or not something should be reported.
Kansas City Power & Light
Yes
Should the word disturbance be removed from the title of EOP004-2 to avoid confusion and simply be called
Impact Event and Assessment, Analysis and Reporting?
MRO's NERC Standards Review
Subcommittee
Yes
As an industry we have looked at sabotage as a sub component of a disturbance. Sabotage is hard to
measure since it is based on a perpetrator’s intent and thus very hard to determine.
Nebraska Public Power District
Yes
I agree there is a lot of interpretation and confusion as to what sabotage or a Cyber Incident is, so would
welcome better clarity. Whether “impact events” can more effectively clarify, is yet to be seen. “it will be
easier to get the relevant information for mitigation, awareness, and tracking, while removing the distracting
element of motivation.” “An impact event is any situation that has the potential to significantly impact the
reliability of the Bulk Electric System. Such events may originate from malicious intent, accidental behavior, or
natural occurrences.” I do know that Cyber Sabotage may take time or days to become aware so not sure
how that might expedite reporting and awareness.
PPL Electric Utilities
Yes
Refer to clarification requested in question 10 comments.
RRI Energy, Inc.
Yes
Agree. However, strongly encourage this to be made into a defined term in the Glossary of Terms.
SERC OC Standards Review
Group
Yes
We do feel that this needs to be a defined term.
United Illuminating
Yes
The term impact event can substitute for sabotage and disturbance. The use of Forced Intrusion is a bright
line for reporting.
American Electric Power (AEP)
Yes
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
City of Austin dba Austin Energy
Yes
Constellation Power Generation
and Constellation Commodities
Group
Yes
Idaho Power Company
Yes
March 1, 2011
178
Consideration of Comments on Disturbance & Sabotage Reporting— Project 2009-01
Organization
Yes or No
MidAmerican Energy
Yes
North Carolina Electric Coops
Yes
PacifiCorp
Yes
PacifiCorp
Yes
PPL Supply
Yes
Southern Company Transmission
Yes
TransAlta Corporation
Yes
13. The DSR SDT has combined EOP-004 and CIP-001 into one standard (please review the mapping document
that shows the translation of requirements from the already approved versions of CIP-001 and EOP-004 to the
proposed EOP-004), EOP-004-3 and retiring CIP-001. Do you agree that there is no reliability gap between the
existing standards and the proposed standard? Please explain in the comment box below.
Summary Consideration:
While a majority of commenters who responded to this question support combining the two
standards, some commenters suggested that in combining the standards, the team left some gaps in coverage with respect to the
types of events that must be reported. The DSR SDT believes that combining EOP-004 and CIP-001 does not introduce a reliability
gap between the existing standards and the proposed standard and the industry comments received confirm this. Some events that
were specifically identified in the original standard (such as a bomb threat) are covered more generically in the revised standard.
This modification encourages entities to focus on the ‘types’ of events that may be impactive rather than having a finite list that may
omit an event that couldn’t be anticipated when drafting the requirements.
The decision to eliminate the term sabotage from the standard and the retirement of CIP-001 should alleviate all concerns regarding
the term sabotage and its definition. The DSR SDT believes that “observation of suspicious activity” and “bomb threat” are considered
to be included in Part B – “Risk to BES equipment from a non-environmental physical threat”. We have added “and report of
suspicious device near BES equipment” to note 3 of the “Attachment 1, Potential Reliability – Part B”.
Organization
Yes or No
Question 13 Comment
WECC
A potential gap may exist. Attacks on BES facilities, via either vandalism or sabotage, are very different
events than impact events on the system. From a Compliance standpoint, a revised standard to address the
FERC directive on sabotage should be developed as an EOP standard (that is grouped with 693 Standards)
rather than as a CIP Standard (CIP-001-1).
Ameren
No
It appears that all requirements have been addressed from the existing standards. However, we believe there
is a reliability gap that continues from the existing standards because sabotage is not defined any better than
in the existing standards.
Bonneville Power Administration
No
BPA supports the concept behind the revisions to EOP-004-2. Creating a single reporting methodology will
improve the processes and lead to more consistency. BPA recommends that the Standards Drafting Team
(SDT) coordinate any revisions in the reporting requirements with those found in CIP-008-3 to ensure that
there are no conflicts. BPA asks the SDT to consider the impact of these changes on CIP-008-3 and work
with the CIP SDT to ensure that the wording of the two requirements is similar and clear. Based on
Attachment 1 part A of EOP-004-2, certain cyber security events, intrusions for example, would have to be
reported under both EOP-004-2 and CIP-008-3. That puts a burden on a Registered Entity to take additional
steps to coordinate reporting or face potential compliance risk for correctly reporting an event under one
standard and failing to report it under the other standard. The mapping document had errors: a. CIP-001 R1
to EOP-004 R2.9 (annual vs quarterly). b. EOP-004-1 R2 was translated to R2 & R3 of version 2. c. EOP-004-1 R3 was translated to R6 of version 2 (which doesn’t say to whom to report).
City of Garland
No
EOP-004-1 R2 did not get translated to EOP-004-2 R2 - table states it is mapped to R1
E.ON U.S. LLC
No
The Version History contained with EOP-004-2 indicates that CIP-001-1 and EOP-004-1 are “Merged”,
however, the actions do not reflect the retirement of CIP-001-1a and therefore, it is unclear if there will be
remaining redundancies or potential gaps with the new version EOP-004-2 and CIP-001-1a.
Electric Market Policy
No
Per the mapping document, some of the existing requirements are awaiting a new reporting procedure being
developed by NERC EAWG. For those requirements that were transferred over, the resulting standard
seems overly complex and lacks clarity.
Exelon
No
Reporting form doesn’t allow for investigations which result in no impact events found or identified.
Georgia Transmission
Corporation
No
The only two events that apply to a TO are the ones related to CIP: 1. Forced intrusion (report if motivation
cannot be determined, i.e. to steal copper) 2. Detection of a cyber intrusion to critical cyber assets (criteria of
CIP-008) Everything in this standard applies to a TOP and therefore E-004-2 and CIP-001 should not be
combined.
Great River Energy
No
It appears that all requirements have been addressed from the existing standards. However, we believe there
is a reliability gap that continues from the existing standards because sabotage is not defined any better than
in the existing standards.
Indeck Energy Services
No
Bomb threat has totally been lost.
Independent Electricity System
Operator
No
We do not agree with the mapping. The proposed mapping attempts to merge the reporting in CIP-001-1
which has more of an on-going awareness nature to alert operating and government authorities of suspected
sabotage to prompt investigation with a possible aim to identify the cause and develop remedies to curb the
sabotage/events. The proposed EOP-004-2 appears to be more of a post-event reporting for need-to-know
purpose only. This is not consistent with the purpose of the SAR.
ISO New England Inc.
No
Per the mapping document, some of the existing requirements are awaiting a new reporting procedure being
developed by the NERC EAWG. For those requirements that were transferred over, the resulting standard
seems overly complex and lacks clarity. EOP-004-3 should be EOP-004-2.
Luminant Energy
No
CIP-001-1 R3.1 includes instructions associated with the DOE OE-417 form. EOP-004-2 R2.6 should include
the DOE as an example of an external organization requiring notification. Additionally, the Rationale for R1
discusses the possibility of one electronic form satisfying US entities with related disturbance reporting
requirements but does not include any information about the likelihood of this outcome. Please elaborate on
the process required to combine these reports.
Midwest ISO Standards
Collaborators
No
It appears that all requirements have been addressed from the existing standards. However, we believe there
is a reliability gap that continues from the existing standards because sabotage is not defined any better than
in the existing standards.
North Carolina Electric Coops
No
Northeast Power Coordinating
Council
No
Per the mapping document, some of the existing requirements are awaiting a new reporting procedure being
developed by the NERC EAWG. For those requirements that were transferred over, the resulting standard
seems overly complex and lacks clarity. EOP-004-3 should be EOP-004-2.
Pepco Holdings, Inc - Affiliates
No
The list of events misses many items considered as suspicious or potential sabotage, such as suspicious
observation of critical facilities.
Santee Cooper
No
It is very difficult to assess this question with the standard as currently written.
SERC OC Standards Review
Group
No
US Bureau of Reclamation
No
The two could be combined with no reliability gap based on the concept rather than the proposed standard.
As the standard is currently written, there is a reliability gap. Consider that after the fact reporting of a
sabotage event (other than criminal acts which may have been witnessed) usually takes some time to
investigate and analyze.
ATC
Yes
ATC agrees with this effort and does not currently see a reliability gap
BGE
Yes
None.
CenterPoint Energy
Yes
CenterPoint Energy agrees that there is no reliability gap between the existing standards and the proposed
standard. However, CenterPoint Energy believes that the SDT went too far in developing the proposed EOP-004-2 and added additional unnecessary requirements. If the comments made above to Q1 - Q12 were to be
incorporated into the proposed Standard, CenterPoint Energy believes the product would be closer to a
results based Standard with no reliability gap.
City of Austin dba Austin Energy
Yes
If we can use OE 417 for NERC and DOE we do not perceive a reliability gap.
Georgia System Operations
Corporation
Yes
The new single standard will cover all necessary reporting requirements that are in the current two standards.
They are being combined into EOP-004-2 not EOP-004-3.
Green Country Energy
Yes
With the provision that definition and scope of "impact event" are developed and tables adjusted as needed to
address FERC's concerns specifically: “(1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
MRO's NERC Standards Review
Subcommittee
Yes
Within the above question, the SDT is asking about EOP-004-2 not -3.
Nebraska Public Power District
Yes
Appears they only changed R1 for CIP-001 and moving R2-R4 directly over to EOP-004-2. R1 adds much
more detail on our part for a company operating plan but would definitely help some of the present confusion.
RRI Energy, Inc.
Yes
Assume reference to EOP-004-3 in the question 13 was meant to reference version 2 (EOP-004-2).
American Electric Power (AEP)
Yes
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
Consolidated Edison Co. of NY,
Inc.
Yes
Constellation Power Generation
and Constellation Commodities
Group
Yes
Duke Energy
Yes
Dynegy Inc.
Yes
ERCOT ISO
Yes
FirstEnergy
Yes
Idaho Power Company
Yes
Kansas City Power & Light
Yes
MidAmerican Energy
Yes
NERC Staff
Yes
Pacific Gas and Electric
Company
Yes
PacifiCorp
Yes
PacifiCorp
Yes
PNM Resources
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
Puget Sound Energy
Yes
Southern Company Transmission
Yes
TransAlta Corporation
Yes
United Illuminating
Yes
We Energies
Yes
14. Do you agree with the proposed effective dates? Please explain in the comment box below.
Summary Consideration:
While most stakeholders who responded to this question supported the 12 months originally proposed
for entities to become compliant, the drafting team has revised this to 6 months. The DSR SDT feels that six months and not more
than nine months is an adequate time frame. The current CIP-001 plan is adequate for the new EOP-004 and training should be met
in the proposed timeline.
The Implementation Plan was developed for the revised Requirements, which do not include an electronic “one-stop shopping” tool.
This topic is to be addressed in the proposed revisions to the NERC Rules of Procedure.
Organization
Yes or No
Question 14 Comment
Independent Electricity System
Operator
We do not agree with the proposed standard. We therefore are unable to agree on any implementation plan.
City of Garland
No
Do not agree with this proposed draft - instead of combining 2 standards to gain efficiency, this expands the
standard with unnecessary paperwork, drills, training, etc.
Constellation Power Generation
and Constellation Commodities
Group
No
Based on the drastic differences between the previous revisions to these standards, and this proposed
revision, 24 months would be a more reasonable timeframe for an effective date.
IRC Standards Review
Committee
No
If the training and Operation Plan requirements are adopted as proposed, this may not be sufficient time for
some entities to comply, particularly those with limited number of staff but perform functions that have multiple
event reporting requirements.
ISO New England Inc.
No
If the training and Operation Plan requirements are adopted as proposed, this may not allow sufficient time for
some entities to comply, particularly those with limited number of staff, but perform functions that have
multiple event reporting requirements.
Kansas City Power & Light
No
April 2011 is too soon for considerations applicable to the creation of an Operating Plan.
Manitoba Hydro
No
Though CIP-001-1a already contained provisions for sabotage response guidelines, the new EOP-004-2 R2
(2.1 to 2.9) will require reexamination of existing policies to remain compliant. Upon the approval of
Attachment 1, the existing disturbance guidelines will also have to be reexamined. With the addition of R3
(Identify and assess), R4 (Drills) and R5 (Training), will also require redevelopment of existing processes.
NERC Staff
No
In order to provide explicit dates, the language should be modified to state: “First calendar day of the first
calendar quarter one year after the date of the order providing applicable regulatory authority approval for all
requirements.”
Northeast Power Coordinating
Council
No
The effective dates in Canada need to be defined. The first bullet should be sufficient. If the training and
Operation Plan requirements are adopted as proposed, this may not allow sufficient time for some entities to
comply, particularly those with limited number of staff, but perform functions that have multiple event reporting
requirements.
Puget Sound Energy
No
There are no effective dates listed in the proposed standard. The proposed effective date should allow at
least one year for entities to implement the requirements of the standard. In addition, if requirement R1
remains, then the requirement to implement an operating plan should only be triggered by the ERO’s
finalization of the form and system for reporting impact events and should provide at least six months for the
implementation of the operating plan.
Santee Cooper
No
With the proposed training and drill requirements in the current written standard, one year is not enough time.
United Illuminating
No
UI believes the implementation should be staged. For R1 and R2: First calendar day of the first calendar
quarter one year after applicable regulatory authority approval for all. This provides sufficient time to draft a
procedure. Then time needs to be provided to provide training prior to implementation of R3 and R6. UI
believes two calendar quarters should be provided to complete training; therefore R3 and R6 is effective six
calendar quarters following regulatory approval. Implementation for R4 should state that the initial calendar
year begins on the date R2 is effective and entities have 12 months following that date to complete their first
drill. R5 requires training once per calendar year. Implementation for R5 should state that the initial calendar
year begins on the date R2 is effective and entities have 12 months following that date to complete their first
drill.
US Bureau of Reclamation
No
There is a 15 month training requirement. If the standard goes into effect in one year, most entities will not
have had an opportunity to develop their new Operating Plans and train their staff. The effective date should
recognize Operating Plans need to be revised and then training needs to be implemented. The most
aggressive schedule is 18 months. Two years would be more appropriate. The implementation date could
recognize the Operating Plan development as one phase and the training as the second.
ATC
Yes
Yes, if ATC’s recommended changes are made to the Standard. However, if the changes are not supported
then ATC recommends that the implementation time be changed to two years. Entities will need time to develop
both the plan called for in this standard and to train the personnel identified in the plan.
BGE
Yes
None.
Exelon
Yes
Agree with the proposed implementation date. A 12 month implementation will provide adequate time to
generate, implement and provide any necessary training by a registered entity.
Ameren
Yes
Arizona Public Service Company
Yes
ATCO Electric Ltd.
Yes
Bonneville Power Administration
Yes
Consolidated Edison Co. of NY,
Inc.
Yes
Duke Energy
Yes
Dynegy Inc.
Yes
E.ON Climate & Renewables
Yes
Electric Market Policy
Yes
ERCOT ISO
Yes
FirstEnergy
Yes
Georgia System Operations
Corporation
Yes
Great River Energy
Yes
Green Country Energy
Yes
Idaho Power Company
Yes
Indeck Energy Services
Yes
Luminant Energy
Yes
MidAmerican Energy
Yes
Midwest ISO Standards
Collaborators
Yes
MRO's NERC Standards Review
Subcommittee
Yes
North Carolina Electric Coops
Yes
Pacific Gas and Electric
Company
Yes
PacifiCorp
Yes
PacifiCorp
Yes
Pepco Holdings, Inc - Affiliates
Yes
PNM Resources
Yes
PPL Electric Utilities
Yes
PPL Supply
Yes
RRI Energy, Inc.
Yes
SERC OC Standards Review
Group
Yes
Southern Company Transmission
Yes
TransAlta Corporation
Yes
We Energies
Yes
WECC
Yes
15. Do you have any other comments that you have not identified above?
Summary Consideration:
The DSR SDT has met with the EAWG and has put in place a process to ensure the cooperation and
coordination between the DSR SDT and the EAWG. The impact event list is comprehensive and addresses the needs of the EAWG
and EOP-004.
There were concerns expressed that the impact event list should include deliberate acts against infrastructure. The impact list
includes “Risk to BES equipment from a non-environmental physical threat”; the DSR SDT feels that this is inclusive of deliberate acts
against infrastructure.
During discussions around the use and definition of the term sabotage, the DSR SDT considered the NRC definition and decided to
eliminate the use of the term sabotage from EOP-004 and replaced it with impact events. The DSR SDT has developed a definition
for “Impact Events” to support Attachment 1 as follows:
“An Impact Event is any event that has either impacted or has the potential to impact the reliability of the Bulk Electric
System. Such events may be caused by equipment failure or mis-operation, environmental conditions, or human action.”
The DSR SDT has proposed this definition for inclusion in the NERC Glossary for “Impact Event”. The types of Impact Events that are
required to be reported are contained within Attachment 1. Only these events are required to be reported under this Standard. The
DSR SDT considered the FERC directive to “further define sabotage” and decided to eliminate the term sabotage from the standard.
The team felt that it was almost impossible to determine if an act or event was that of sabotage or merely vandalism without the
intervention of law enforcement after the fact. This will result in further ambiguity with respect to reporting events. The term
“sabotage” is no longer included in the standard and therefore it is inappropriate to attempt to define it. The Impact Events listed in
Attachment 1 provide guidance for reporting both actual events as well as events which may have an impact on the Bulk Electric
System. The DSR SDT believes that this is an equally effective and efficient means of addressing the FERC Directive. Attachment 1,
Part A is to be used for those actions that have impacted the electric system and in particular the section “Damage or destruction to
equipment” clearly defines that all equipment that intentional or non intentional human error be reported. Attachment 1, Part B
covers the similar items but the action has not fully occurred but may cause a risk to the electric system and is required to be
reported.
The industry commented on the need for e-mail addresses and fax numbers for back up purposes. These details were added to the
standard and will also be covered in the implementation plan.
The proposed ballot in December was incorrect and has been deleted from the future development plan. The plan was updated
with the correct project plan dates.
Organization
Yes or No
Question 15 Comment
Indeck Energy Services
IRC Standards Review
Committee
Good start on a unified event reporting standard!
No
The standards should be changed to define what a “disturbance” is for reporting in EOP-004. Also, sabotage
reporting requirements in CIP-001 should be rescinded as EOP-004 already has such requirements.
PSEG Companies
Arizona Public Service Company
No
ATCO Electric Ltd.
No
Duke Energy
No
Electric Market Policy
No
FirstEnergy
No
Independent Electricity System
Operator
No
Luminant Energy
No
Manitoba Hydro
No
PacifiCorp
No
PPL Supply
No
RRI Energy, Inc.
No
United Illuminating
No
Ameren
Yes
We are concerned with the Future Development Plan. It shows an initial ballot period starting in December.
This standard has significant issues and will need another distinct comment period (and not the formal
comment period in parallel with balloting) prior to balloting.
American Electric Power (AEP)
Yes
The standard needs to be modified to allow the ability for one entity to report on behalf of other entities. For
example the loss of Generation over the threshold could be reported by the RC opposed to the GO
individually, if mutually agreed upon before the fact.
ATC
Yes
ATC believes that it is not evident in this draft that the SDT has worked collaboratively with the Events
Analysis working group to leverage their work. ATC believes that NERC must coordinate this project and the
EAWG efforts. The EAWG is proposing to modify NERC Rules of Procedure but the SDT is suggesting
requirement for the ERO be built within the standard. We believe that the Rules of Procedure is the proper
course to take for identifying NERC obligations, but what is clear is that NERC itself does not seem to have
an overall plan for event reporting and analysis. Lastly, ATC would like to see the SDT expand the mapping
document to include the work of the EAWG. The industry needs to be presented with a clear picture as to
how all these things will work together along with their reporting obligations. The definition of an “impact
event” needs to be revised. First, if these events are to include any equipment failure or mis-operation that
impacts the BES, the standard is requiring more than is intended based upon the reading of the requirements.
PRC-004 already covers the reporting of protection system mis-operations, and if reading this definition
verbatim, it would lead one to conclude that those same mis-operations reported under PRC-004 shall also be
reported under EOP-004. The definition should be revised to something like: “An impact event is a system
disturbance affecting the Bulk Electric System beyond loss of a single element under normal operating
conditions and does not include events normally reported under PRC-004. Such events may be caused by...”
BGE
Yes
One item that is properly addressed is the removal of Load Serving Entity from the Applicable Functional
Entities. There may be a need to provide some guidance to Functional Entities when there are separate
Transmission Owners and Transmission Operators or Generation Owners and Generation Operators. If they
are separate, there may be redundancy in reporting. From the documentation, it doesn’t seem like the SDT
are combining all reports into one form as we would like to see. In the rationale for R1 section, it talks of getting
both forms (NERC and OE-417) together in one document (however it sounds like the forms within the
document are still separate), available electronically, which only seems like a step forward. However, it does
not take away the confusing process for the operators of which part of the form would need to be filled, who
should be sent this form depending on what part is filled, if one part of the form is filled out do the other parts
need to be filled, etc. If the forms cannot be consolidated, BGE would rather the forms be separate to reduce
confusion. BGE believes all these reports should require one form with one set of recipients, period. This may
mean that NERC needs to get DOE to modify their OE-417 form.
Bonneville Power Administration
Yes
The document retention times in EOP-004-3 should be spelled out more clearly. The Compliance summary
does so (but needs some punctuation clarification regarding investigation), the SDT should consider making
that part of the requirements or clarifying the wording in the requirements.
CenterPoint Energy
Yes
CenterPoint Energy appreciates the efforts of the SDT in removing outdated and unnecessary language from
the existing EOP-004 standard. Additionally, CenterPoint Energy urges the SDT to also remove the proposed
“how to” prescriptive requirements. CenterPoint Energy believes the SDT team’s focus should be on drafting
a results-based standard for reporting actual system disturbances and acts of sabotage that disrupt the
reliable operation of the BES. The SDT should not delve into trying to identify a list of events that have a
potential reliability impact. As stated in response to Q10, CenterPoint Energy strongly believes that cyber-related events should not be in the scope of this standard since they are already required to be identified and
reported to appropriate entities under CIP-008. Excluding cyber events from this standard further supports the
elimination of redundancies within the body of standards.
City of Garland
Yes
Do not agree with this proposed draft - instead of combining 2 standards to gain efficiency, this expands the
standard with unnecessary paperwork, drills, training, etc. For reports required under this standard, companies
with multiple registration numbers and functions should only have to file one report for all functions and
registrations.
Consolidated Edison Co. of NY,
Inc.
Yes
Overriding Comment and Concern: It is absolutely essential that the work on EOP-004 and that on the NERC
Event Analysis Process (EAP) be fully coordinated. We find that there are a number of inconsistencies
between these two documents. The EAP and EOP-004 are not aligned. In order to operate and report
effectively entities need consistent requirements.
Constellation Power Generation
and Constellation Commodities
Group
Yes
As stated earlier, the “summary of concepts” for this latest revision, as written by the SDT, includes the
following items:
o A single form to report disturbances and impact events that threaten the reliability of the bulk electric system
o Other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Clear criteria for reporting
o Consistent reporting timelines
o Clarity around of who will receive the information and how it will be used.
Each and every requirement should be mapped to one of these 5 items; otherwise, it should not be included in this standard.
Summarizing all of the comments above, Constellation Power Generation proposes the following revision to
EOP-004-2:
1. Title: Impact Event and Disturbance Assessment, Analysis, and Reporting
2. Number: EOP-004-2
3. Purpose: Responsible Entities shall report impact events and their known causes to support
situational awareness and the reliability of the Bulk Electric System (BES).
4. Applicability
4.1. Functional Entities:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Transmission Operator
4.1.4. Generator Operator
4.1.5. Distribution Provider
4.1.6. Electric Reliability Organization.
Requirements and Measures
R1. The ERO shall establish, maintain and utilize a system for receiving and distributing impact event reports,
received pursuant to Requirement R6, to applicable government, provincial or law enforcement agencies and
Registered Entities to enhance and support situational awareness.
R2. Each Applicable Entity identified in Attachment 1 shall have an Operating Plan(s) for identifying, assessing
and reporting impact events listed in Attachment 1 that includes the following components:
2.1. Method(s) for identifying impact events listed in Attachment
2.2. Method(s) for assessing cause(s) of impact events listed in Attachment 1
2.3. Method(s) for making internal and external notifications should an impact event listed in Attachment 1 occur.
2.4. Method(s) for updating the Operating Plan.
2.5 Method(s) for making operation personnel aware of changes to the Operating Plan.
R3. Each Applicable Entity shall implement their Operating Plan(s) to identify and assess
cause of impact events listed in Attachment 1.
R4. Each Applicable Entity shall provide training to all operation personnel at least annually.
R5. Each Applicable Entity shall report impact events in accordance with its
Operating Plan created pursuant to Requirement 2 and the timelines outlined in Attachment 1.
Dynegy Inc.
Yes
This does not address the inability of a GO/GOP to determine effects on the BES. Surrounding BES
knowledge is limited for a GO/GOP.
E.ON Climate & Renewables
Yes
Refrain from having redundant reporting forms if at all possible. This can create confusion and lead to
unnecessary penalty amounts and violations for registered entities. “Potential” impacts of an event on the
BES need to be clearly defined in the standard.
E.ON U.S. LLC
Yes
The new standard should incorporate all other disturbance, sabotage, or “impact event” reporting standards,
such as CIP-008-3. At the very least it should reference those other standards that have within their scope
same/similar events in order to ensure complete reporting and full compliance. Suggesting that one standard
provides the single reporting procedure, when in actuality it does not, is counterproductive. The discussion of
“impact event” clearly indicates the SDT’s intent to include sabotage events in the proposed standard EOP-004-2.
ERCOT ISO
Yes
ERCOT ISO supports the comments provided by the SRC. However, if the standard is to be established,
ERCOT ISO has offered the comments contained herein as improvements to the requirements proposed. The
requirements listed do not take into consideration the hierarchical reporting necessary for events (i.e.: GO to
GOP to BA). The current structure will lead to redundant and conflicting reporting from multiple entities. This
will lead to confusion in the analysis of the event. Any system developed and used to report impact events
must include notification to the other relevant entities (i.e.: Reliability Coordinator, Balancing Authority,
Transmission Operator, and Generator Operator). The proposed standard should not rely on a centralized
system that does not follow the established hierarchy of dissemination of information.
Exelon
Yes
The standard is lacking guidance for DOE Form OE-417 reporting as outlined in the current version of EOP-004 and doesn’t contain any non-BES related reporting. What is the governing process for OE-417
reporting? Need clarification if one entity can respond on behalf of all entities in one company. Need a
provision for entities to provide one report for all entities. Radiological sabotage is a defined term within the
NRC glossary of terms. It would seem that a deliberate act directed towards a plant would also constitute an
"impact event." In general, the DSR SDT should include discussions with the NRC to ensure communications
are coordinated or consider utilizing existing reporting requirements currently required by the NRC for each
nuclear generator operator for consistency. The definition of sabotage by the NRC is as follows: Any
deliberate act directed against a plant or transport in which an activity licensed pursuant to 10 CFR Part 73 of
NRC's regulations is conducted or against a component of such a plant or transport that could directly or
indirectly endanger the public health and safety by exposure to radiation.
Georgia System Operations
Corporation
Yes
Light years better than the current CIP-001-1 and EOP-004-1! With some changes from this comment period,
we should have a clearer set of realistic requirements which could likely pass the ballot. Thanks go out to the
drafting team for bringing clarity to this topic. Capitalization throughout this document is inconsistent. It is not
in synch with the NERC Glossary. All terms that remain capitalized in the next draft (other than when used as
a title or heading) should be defined in the Glossary of Terms Used in NERC Reliability Standards. Examples
of not in synch with the Glossary: Registered Entity, Responsible Entity, Law Enforcement. These are not
defined in the Glossary. The requirements that apply to entities should not use the word "analysis."
"Assessment" should be used. Analysis is a different process (an ERO process) and is being addressed by
another group within NERC (Dave Nevius). This EOP-004 drafting team and the NERC analysis group should
closely coordinate such that there are no conflicts and the combined requirements/processes are realistic
(mainly regarding timelines).
Great River Energy
Yes
We are concerned with the Future Development Plan. It shows an initial ballot period starting in December.
This standard has significant issues and will need another distinct comment period (and not the formal
comment period in parallel with balloting) prior to balloting.
Please provide an e-mail address for the
submittal of the report to NERC (and any other parties above a Regional Entity) within this Standard and a fax
number as a backup to electronic submittal.
Green Country Energy
Yes
I think the drafting team has done a wonderful job of beginning the task of combining two related standards. I
ask them to keep in mind the small generators, and others who do not have the wide view capability, that
more than likely react to events that occur with no knowledge of why they occurred, and limited staff to address
administrative standard requirements. Many times the KISS approach is the best approach.
Idaho Power Company
Yes
Including training requirements in each standard creates confusion and compliance or failure to comply
potential. PER standards are in place for personnel training, these standards should be utilized for adding
requirements that require training for NERC Standards.
ISO New England Inc.
Yes
Request clarification on how RCIS is part of this Standard. The form should be filled out in two stages. First
stage would be the immediately available information. The second stage would be the additional information
such as one line diagrams. There is concern with burdening the reporting operator on filling out forms instead
of operating the Bulk Electric System. Most of the draft requirements are written as administrative in nature,
and this is not most effective. Changes need to be made to (or possibly elimination of) R1, R2, R3. The
standards should be changed to define what a “disturbance” is for reporting in EOP-004. Sabotage reporting
as per CIP-001 should be rescinded as EOP-004 already has such a requirement.
Kansas City Power & Light
Yes
The standard addressed a preliminary report; it should also address the requirements of a final report.
MidAmerican Energy
Yes
This entire standard needs to be revised to consider a results based standard.
Midwest ISO Standards
Collaborators
Yes
We are concerned with the Future Development Plan. It shows an initial ballot period starting in December.
This standard has significant issues and will need another distinct comment period (and not the formal
comment period in parallel with balloting) prior to balloting.
MRO's NERC Standards Review
Subcommittee
Yes
Please provide an e-mail address for the submittal of the report to NERC (and any other parties above a
Regional Entity) within this Standard and a fax number as a backup to electronic submittal. EOP-004
Attachment 2: Impact Event Reporting Form (note in the proposed standards it states EOP-002) seems to be
written for Actual Impact Events only. Perhaps another section could be added for “Potential” Impact Events.
NERC Staff
Yes
NERC staff commends the SDT on its work so far. Merging CIP-001 and EOP-004 is a significant
improvement and eliminates some current redundancies for reporting events. NERC staff believes
opportunities to improve the proposed standard still exist. In particular, the team should consider possible
redundancies with the Reliability Coordinator Working Group (RCWG) reporting guidelines, the Electricity
Sector - Information Sharing and Analysis Center (ES-ISAC) reporting requirements for sharing information
across sectors, and the Events Analysis Working Group (EAWG) efforts to develop event reporting
processes. Ideally, the SDT and the EAWG should work together to develop a single consistent set of
reporting criteria that can be utilized in both the EAWG event reporting process and in the requirements of the
EOP-004-2 Reliability Standard.
North Carolina Electric Coops
Yes
Keep in mind that redundancy in reporting requirements from the DOE does not improve or enhance bulk
electric system reliability but rather creates more work for the reporting entity.
Northeast Power Coordinating
Council
Yes
Request clarification on how RCIS is part of this Standard. The form should be filled out in two stages. First
stage would be the immediately available information. The second stage would be the additional information
such as one line diagrams. There is concern with burdening the reporting operator on filling out forms instead
of operating the Bulk Electric System. Most of the draft requirements are written as administrative in nature,
and this is not most effective. Changes need to be made to (or possibly elimination of) R1, R2, R3. The
standards should be changed to define what a “disturbance” is for reporting in EOP-004. Sabotage reporting
as per CIP-001 should be rescinded as EOP-004 already has such a requirement.
Pacific Gas and Electric
Company
Yes
PG&E believes as the training requirements continue to expand, having one training standard that captures
all the training required within the NERC standards will allow for better clarity for the training departments in
providing and meeting all NERC Standard compliance issues.
Pacific Northwest Small Public
Power Utility Comment Group
Yes
The proposed standard has a huge impact on small DPs. DPs that presently do not maintain 24/7 dispatch
centers will need to begin doing so to meet the reporting deadlines such as 1 hour after an occurrence is
identified (possibly identified by a third party) or 24 hour after an occurrence (regardless of when it was
discovered by the DP). The planning, assessing, drilling, training, and reporting requirements (R2-R6), as well
as documentation (M2-M6) by small entities will cause utility rates to rise, will reduce local level of service,
and will not represent a corresponding increase to the reliability of the BES. The SDT concept of clear criteria
for reporting has not been met, since R2 effectively directs the applicable entities to develop their own criteria.
The decision of which types of events will be reported to which external organizations has been left up to the
applicable entity. The comment group notes that there is no coordination of effort required between the
applicable entities and the RCs or TOs that issue reliability directives. Energy Emergencies requiring voltage
reduction or load shedding are likely to be communicated to applicable entities via directives. The likely result
of this lack of coordination is that entities will plan, drill, and train for an event, but when the directive comes it
will not be the one planned, drilled, and trained for. Coordination between those sending and receiving
directives would ensure the probable events and directed responses are the ones planned, drilled, and
trained for.
PacifiCorp
Yes
This is yet another standard with training requirements not covered under any PER standards. Having different
training requirements spread throughout the standards makes it increasingly difficult to ensure all training
requirements are met. Developing a "Training Standard" that lists ALL required training would streamline the
process and aid greatly in compliance monitoring.
Pepco Holdings, Inc - Affiliates
Yes
The EAWG is developing processes that will be enforced through the Rules of Procedure. It may be
inappropriate to reference the EAWG process in the Mapping Document.
PNM Resources
Yes
PNM believes that having one training standard that captures all the training required within the NERC
standards will allow for better clarity for the training departments in providing and meeting all NERC Standard
compliance issues. This will become even more of an issue as training requirements continue to expand.
PPL Electric Utilities
Yes
Combining EOP-004, CIP-001 and CIP-008’s reporting requirements reduces redundancy and will add clarity
to the compliance activities.
Puget Sound Energy
Yes
The DSR SDT’s concepts for implementing a new structure for reporting are appropriate. Proper
implementation of those concepts is likely to result in a very much improved standard. However, the
proposed standard falls well short of implementing the concepts and is not much of an improvement on the
current standard.
Santee Cooper
Yes
We don’t believe that entities should be subjected to duplicate reporting to existing DOE requirements. How
does redundancy in reporting requirements improve or enhance bulk electric system reliability?
SERC OC Standards Review Group
Yes
We find it disturbing that NERC is headed down a path of codifying requirements that are redundant to
existing DOE requirements. How does redundancy in reporting requirements improve or enhance bulk
electric system reliability? Disclaimer: “The comments expressed herein represent a consensus of the views
of the above named members of the SERC OC Standards Review group only and should not be construed as
the position of SERC Reliability Corporation, its board or its officers.”
Southern Company Transmission
Yes
The only concern that we have with the proposed standard is that it feels like it is creating dual, not quite
redundant, reporting requirements for cyber intrusions in concert with CIP-008. Hopefully, there will not have
to be a redundant reporting requirement if we continue to merge efforts with the CIP Drafting Team. Since we
will no longer use the word SABOTAGE in the new EOP-004, we are hoping the industry and the CIP Drafting
Team will give us the criteria they wish for us to use in order to report CIP-008 incidents. We will then
achieve a “ONE STOP SHOP” reporting standard.
Tenaska
Yes
Since the proposed EOP-004-2 Standard does not eliminate the OE-417 reporting requirement, it does not
streamline the existing CIP-001-1 and EOP-004-1 reporting requirements for GO/GOP’s. The "laundry list" of
components required in the Operating Plan described in R2 is too specific and would make it more difficult to
prove compliance during an audit. We prefer that the existing CIP-001-1 and EOP-004-1 Standards remain
unchanged.
TransAlta Corporation
Yes
A Confidential Impact Event Report form is included in attachment 2 but nowhere in the standard does it say
to use this form. This form appears to be similar to the “Preliminary Disturbance Report” form used in EOP-004-1. Clarity is required.
US Bureau of Reclamation
Yes
The SDT should consider that in reality it would be more streamlined to require immediate notification of an
event for situational awareness, and then give adequate time for analysis of the cause. Reports that have an
arbitrary rush will be diseased with low quality information and not much value in the long run to the BES. The
Attachment A should be constructed around notification of situational awareness. The reporting timeline
should be constructed around the different levels of severity. The more severe the event, usually the more
complicated the event is to analyze. Simple events usually do not have a significant impact.
We Energies
Yes
Please be careful to capitalize defined terms. If the intent is to not use the defined term, use another
word. "Forced intrusion" (cutting a fence, breaking in a door) may not be discovered for quite some time after it
occurs. Should it be reported as soon as discovered? Even if there was no impact event (disturbance)?
"Destruction of a Bulk Electric System Component" seems pretty specific. However, if a transformer kicks off
line due to criminal damage, yet is considered repairable, is the event reportable?
WECC
Yes
Having one training standard that captures all the training required within the NERC standards will allow for
better clarity for the training departments in providing and meeting all NERC Standard compliance issues.
This will become even more of an issue as training requirements continue to expand. CIP-001-1 has
surprisingly been one of the most violated standards during the initial period. However, most entities have
now developed and demonstrated a decent compliance process. Unless a revised standard to address the
FERC directive on sabotage is developed (as suggested in 13 above) this proposed standard appears to
eliminate sabotage reporting as a reliability standard to the potential detriment of BES reliability.
EOP-004-2 — Impact Event Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April, 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
5. Initial Informal Comment Period (September 2010)
Proposed Action Plan and Description of Current Draft
This is the first posting of the proposed standard in accordance with Results-Based Criteria. The
drafting team requests posting for a 30-day formal comment period.
Future Development Plan
Anticipated Actions | Anticipated Date
Drafting team considers comments, makes conforming changes, and proceed to second comment | October 2010 – February 2011
Second Comment Period | March – May 2011
Third Comment/Ballot period | June- July 2011
Recirculation Ballot period | July-August 2011
Receive BOT approval | September 2011
Draft 2: March 7, 2011
Effective Dates
1. The standard shall become effective on the first calendar day of the third calendar quarter
after the date of the order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is required, the standard shall
become effective on the first calendar day of the third calendar quarter after Board of Trustees
adoption.
Version History
Version: 2
Date: Draft 2: March 7, 2011
Action: Merged CIP-001-1 Sabotage Reporting and EOP-004-1 Disturbance Reporting into EOP-004-2 Impact Event Reporting; Retire CIP-001-1a Sabotage Reporting and Retired EOP-004-1 Disturbance Reporting.
Change Tracking: Revision to entire standard (Project 2009-01)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
Impact Event: Any event which has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure or
mis-operation, environmental conditions, or human action.
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
Introduction
1. Title: Impact Event Reporting
2. Number: EOP-004-2
3. Purpose: To improve industry awareness and the reliability of the Bulk Electric
System by requiring the reporting of Impact Events and their causes, if
known, by the Responsible Entities.
4. Applicability
4.1. Functional Entities: Within the context of EOP-004-2, the term “Responsible
Entity” shall mean:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Interchange Authority
4.1.4. Transmission Service Provider
4.1.5. Transmission Owner
4.1.6. Transmission Operator
4.1.7. Generator Owner
4.1.8. Generator Operator
4.1.9. Distribution Provider
4.1.10. Load Serving Entity
5. Background:
NERC established a SAR Team in 2009 to investigate revisions to the CIP-001 and EOP-004
Reliability Standards.
1. CIP-001 may be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 has some ‘fill-in-the-blank’ components to eliminate.
The development may include other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards (see tables for each
standard at the end of this SAR for more detailed information).
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC SC in August of 2009. The Disturbance and Sabotage Reporting
Standard Drafting Team (DSR SDT) was formed in late 2009. A “concepts paper” was designed
to solicit stakeholder input regarding the proposed reporting concepts that the DSR SDT has
developed.
The concept paper sought comments from stakeholders on the “road map” that will be used by
the DSR SDT in updating or revising CIP-001 and EOP-004. The concept paper provided
stakeholders the background information and thought process of the DSR SDT.
The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database
and FERC Order 693 Directives in order to determine a prudent course of action with respect to
these standards.
The DSR SDT has used a working definition for “Impact Events” to develop Attachment 1 as
follows:
“An Impact Event is any event that has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure
or mis-operation, environmental conditions, or human action.”
The DSR SDT has proposed this definition for inclusion in the NERC Glossary for “Impact
Event”. The types of Impact Events that are required to be reported are contained within
Attachment 1. Only these events are required to be reported under this Standard. The DSR SDT
considered the FERC directive to “further define sabotage” and decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act or
event was that of sabotage or merely vandalism without the intervention of law enforcement after
the fact. This will result in further ambiguity with respect to reporting events. The term
“sabotage” is no longer included in the standard and therefore it is inappropriate to attempt to
define it. The Impact Events listed in Attachment 1 provide guidance for reporting both actual
events as well as events which may have an impact on the Bulk Electric System. The DSR SDT
believes that this is an equally effective and efficient means of addressing the FERC Directive.
Attachment 1, Part A is to be used for those actions that have impacted the electric system and in
particular the section “Damage or destruction to equipment” clearly defines that all equipment
that intentional or non intentional human error be reported. Attachment 1, Part B covers the
similar items but the action has not fully occurred but may cause a risk to the electric system and
is required to be reported.
To support this concept, the DSR SDT has provided specific events for reporting, including types
of Impact Events, timing thresholds pertaining to the different types of Impact Events, and
who is responsible for reporting under the different Impact Events. This information is
outlined in Attachment 1 to the proposed standard.
The DSR SDT wishes to make clear that the proposed changes do not include any real-time
operating notifications for the types of events covered by CIP-001, EOP-004. This is achieved
through the RCIS and is covered in other standards (e.g. TOP). The proposed standard deals
exclusively with after-the-fact reporting.
The DSR SDT is proposing to consolidate disturbance and Impact Event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts
• A single form to report disturbances and Impact Events that threaten the reliability of the
bulk electric system
• Other opportunities for efficiency, such as development of an electronic form and
possible inclusion of regional reporting requirements
• Clear criteria for reporting
• Consistent reporting timelines
• Clarity around who will receive the information and how it will be used
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by
effectively reporting Impact Events. Certain outages, such as those due to vandalism and
terrorism, are not preventable. Entities rely upon law enforcement agencies to respond and
investigate those Impact Events which have the potential of wider area effect upon the industry
which enables and supports reliability principles such as protection of bulk power systems from
malicious physical or cyber attack. The Standard is intended to reduce the risk of Cascading
involving Impact Events. The importance of BES awareness of the threat around them is
essential to the effective operation and planning to mitigate the potential risk to the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO)
• FERC
• DOE
• DHS – Federal
• Homeland Security- State
• State Regulators
• Local Law Enforcement
• State Law Enforcement
• FBI
The above stakeholders have an interest in the timely notification, communication and response
to an incident at an industry facility. The stakeholders have various levels of accountability and
have a vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The present CIP-001-1 standard requires a liaison relationship on behalf of the
industry and FBI. Annual requirements, under the standard, of the industry have not been clear
and have led to misunderstandings and confusion in the industry as to how to demonstrate the
liaison is in place and effective. FBI offices have been asked to confirm, on FBI letterhead, the
existence of a working relationship to report acts of sabotage to include references to years the
liaison has been in existence and confirming telephone numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, passionately
committed investigators, analysts, linguists, SWAT experts, and other specialists from dozens of
U.S. law enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the
Justice Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communications occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flows freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to an industry incident has been local and state law enforcement agencies to
suspected vandalism and criminal damages at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The Provincial
law enforcement agency has a reporting relationship with the Royal Canadian Mounted Police
(RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with FBI, FERC Staff, NERC Standards Project Coordinator and SDT
Chair is reflected in the flowchart below (Reporting Hierarchy for Impact Event EOP-004-2).
Essentially, reporting an Impact Event to law enforcement agencies will only require the industry
to notify the state or provincial level law enforcement agency. The state or provincial level law
enforcement agency will coordinate with local law enforcement to investigate. If the state or
provincial level law enforcement agency decides federal agency law enforcement or the RCMP
should respond and investigate, the state or provincial level law enforcement agency will notify
and coordinate with the FBI or the RCMP.
Reporting Hierarchy for Impact Event EOP-004-2
[Flowchart. Starting point: Entity Experiencing an Actual Impact Event from Attachment 1. Decision points: "Report to Law Enforcement?" (NO / YES) and "Confirmed Sabotage?" (NO / YES). Boxes: Refer to Ops Plan for Reporting procedures; Report Impact Event to NERC, Regional Entity; File DOE Form 417 with Dept of Energy; NERC and Regional Entities conduct investigation; Procedure to Report to Law Enforcement; Procedure to Report to NERC; Notification Protocol to State Agency Law Enforcement; State Agency Law Enforcement coordinates as appropriate with FBI*; NERC Events Analysis; NERC Reports Applicable Events to FERC Per Rules of Procedure; State Agency Law Enforcement Investigates; State Agency Law Enforcement notifies FBI; FBI Responds and makes notification to DHS.]
*Canadian entities will follow law enforcement protocols applicable in
their jurisdictions
Requirements and Measures
R1. Each Responsible Entity shall have an Impact
Event Operating Plan that includes: [Violation Risk:
Factor Medium] [Time Horizon: Long-term
Planning]
1.1. An Operating Process for identifying Impact
Events listed in Attachment 1.
1.2. An Operating Procedure for gathering
information for Attachment 2 regarding
observed Impact Events listed in
Attachment 1.
1.3. An Operating Process for communicating
recognized Impact Events to the following:
1.3.1. Internal company personnel
notification(s).
1.3.2. External organizations to notify to
include but not limited to the
Responsible Entities’ Reliability
Coordinator, NERC, Responsible
Entities’ Regional Entity, Law
Enforcement, and Governmental or
Provincial Agencies.
1.4. Provision(s) for updating the Impact Event
Operating Plan within 90 days of any
change to its content.
M1. Each Responsible Entity shall provide the
current in force Impact Event Operating
Plan to the Compliance Enforcement
Authority.
Rationale for R1
Every industry participant that owns or
operates elements or devices on the grid has a
formal or informal process, procedure, or
steps it takes to gather information regarding
what happened and why it happened when
Impact Events occur. This requirement has
the Registered Entity establish documentation
on how that procedure, process, or plan is
organized.
For the Impact Event Operating Plan, the DSR
SDT envisions that Part 1.2 includes
performing sufficient analysis and information
gathering to be able to complete the report for
reportable Impact Events. The main issue is
to make sure an entity can a) identify when an
Impact Event has occurred and b) be able to
gather enough information to complete the
report.
Part 1.3 could include a process flowchart,
identification of internal positions to be
notified and to make notifications, or a list of
personnel by name as well as telephone
numbers.
The Impact Event Operating Plan may
include, but not be limited to, the following:
how the entity is notified of event’s
occurrence, person(s) initially tasked with the
overseeing the assessment or analytical study,
investigatory steps typically taken, and
documentation of the assessment / remedial
action plan.
R2. Each Responsible Entity shall implement its Impact Event Operating Plan documented in
Requirement R1 for Impact Events listed in Attachment 1 (Parts A and B). [Violation
Risk: Factor Medium] [Time Horizon: Real-time Operations and Same-day Operations]
M2. To the extent that a Responsible Entity has an Impact Event on its Facilities, the
Responsible Entity shall provide documentation of the implementation of its Impact Event
Operating Plans. Such evidence could include, but is not limited to, operator logs, voice
recordings, or other notations and documents retained by the Registered Entity for each
Impact Event.
R3. Each Responsible Entity shall
conduct a test of its Operating Process
for communicating recognized Impact
Events created pursuant to
Requirement R1, Part 1.3 at least
annually, with no more than 15
calendar months between tests.
[Violation Risk: Factor Medium]
[Time Horizon: Long-term Planning]
M3. In the absence of an actual Impact
Event, the Responsible Entity shall
provide evidence that it conducted a
mock Impact Event and followed its
Operating Process for communicating
recognized Impact Events created
pursuant to Requirement R1, Part 1.3.
The time period between actual and
or mock Impact Events shall be no
more than 15 months. Evidence may
include, but is not limited to, operator
logs, voice recordings, or
documentation. (R3)
Rationale for R3
The DSR SDT intends for each Responsible
Entity to verify that its Operating Process for
communicating recognized Impact Events is
correct so that the entity can respond
appropriately in the case of an actual Impact
Event. The Responsible Entity may conduct
a drill or exercise of its Operating Process for
communicating recognized Impact Events as
often as it desires but the time period between
such drill or exercise can be no longer than
15 months from the previous drill/exercise or
actual Impact Event (i.e., if you conducted an
exercise/drill/actual employment of the
Operating Process in January of one year,
there would be another exercise/drill/actual
employment by March 31 of the next
calendar year)). Multiple exercises in a 15
month period are not a violation of the
requirement and would be encouraged to
improve reliability.
R4. Each Responsible Entity shall review its Impact Event Operating Plan with those personnel who
have responsibilities identified in that plan at least annually with no more than 15 calendar months
between review sessions [Violation Risk: Factor Medium] [Time Horizon: Long-term
Planning].
M4. Responsible Entities shall provide the materials presented to verify content and the
association between the people listed in the plan and those who participated in the review,
documentation showing who was present and when internal personnel were trained on the
responsibilities in the plan.
R5. Each Responsible Entity shall report Impact Events in accordance with the Impact Event
Operating Plan pursuant to Requirement R1 and Attachment 1 using the form in
Attachment 2 or the DOE OE-417 reporting form. [Violation Risk: Factor: Medium]
[Time Horizon: Real-time Operations and Same-day Operations].
M5. Responsible Entities shall provide evidence demonstrating the submission of reports using
the plan created pursuant to Requirement R1 and Attachment 1 using either the form in
Attachment 2 or the DOE OE-417 report. Such evidence will include a copy of the
Attachment 2 form or OE-417 report submitted, evidence to support the type of Impact
Event experienced; the date and time of the Impact Event; as well as evidence of report
submittal that includes date and time.
Compliance
Compliance Enforcement Authority
• Regional Entity; or
• If the Responsible Entity works for the Regional Entity, then the Regional Entity will
establish an agreement with the ERO or another entity approved by the ERO and
FERC (i.e. another Regional Entity) to be responsible for compliance enforcement.
Compliance Monitoring and Enforcement Processes:
• Compliance Audits
• Self-Certifications
• Spot Checking
• Compliance Violation Investigations
• Self-Reporting
• Complaints
Evidence Retention
Each Responsible Entity shall retain data or evidence for three calendar years or for the
duration of any regional or Compliance Enforcement Authority investigation; whichever is
longer.
If a Registered Entity is found non-compliant, it shall keep information related to the noncompliance until found compliant or for the duration specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all requested
and submitted subsequent audit records.
Additional Compliance Information
None
Table of Compliance Elements

R1
Time Horizon: Long-term Planning
VRF: Medium
Lower VSL: The Responsible Entity has an Impact Event Operating Plan but failed to include one of Parts 1.1 through 1.4.
Moderate VSL: The Responsible Entity has an Impact Event Operating Plan but failed to include two of Parts 1.1 through 1.4.
High VSL: The Responsible Entity has an Impact Event Operating Plan but failed to include three of Parts 1.1 through 1.4.
Severe VSL: The Responsible Entity failed to include all of Parts 1.1 through 1.4.

R2
Time Horizon: Real-time Operations and Same-day Operations
VRF: Medium
Lower VSL: N/A
Moderate VSL: N/A
High VSL: N/A
Severe VSL: The Responsible Entity failed to implement its Impact Event Operating Plan for an Impact Event listed in Attachment 1.

R3
Time Horizon: Long-term Planning
VRF: Medium
Lower VSL: The Responsible Entity failed to conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 in more than 15 months but less than 18 months.
Moderate VSL: The Responsible Entity failed to conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 in more than 18 months but less than 21 months.
High VSL: The Responsible Entity failed to conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 in more than 21 months but less than 24 months.
Severe VSL: The Responsible Entity failed to conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 in more than 24 months.

R4
Time Horizon: Long-term Planning
VRF: Medium
Lower VSL: The Responsible Entity failed to review its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 15 months but less than 18 months.
Moderate VSL: The Responsible Entity failed to review its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 18 months but less than 21 months.
High VSL: The Responsible Entity failed to review its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 21 months but less than 24 months.
Severe VSL: The Responsible Entity failed to review its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 24 months.

R5
Time Horizon: Real-time Operations and Same-day Operations
VRF: Medium
Lower VSL: The Responsible Entity failed to submit a report in less than 36 hours for an Impact Event requiring reporting within 24 hours in Attachment 1.
Moderate VSL: The Responsible Entity failed to submit a report in more than 36 hours but less than or equal to 48 hours for an Impact Event requiring reporting within 24 hours in Attachment 1.
High VSL: The Responsible Entity failed to submit a report in more than 48 hours but less than or equal to 60 hours for an Impact Event requiring reporting within 24 hours in Attachment 1.
OR
The Responsible Entity failed to submit a report in more than 1 hour but less than 2 hours for an Impact Event requiring reporting within 1 hour in Attachment 1.
Severe VSL: The Responsible Entity failed to submit a report in more than 60 hours for an Impact Event requiring reporting within 24 hours in Attachment 1.
OR
The Responsible Entity failed to submit a report in more than 2 hours for an Impact Event requiring reporting within 1 hour in Attachment 1.
OR
The responsible entity failed to submit a report for an Impact Event in Attachment 1.
Variances
None
Interpretations
None
EOP-004 - Attachment 1: Impact Events Table
NOTE: Under certain adverse conditions, e.g. severe weather, it may not be possible to report the damage caused by an Impact Event
and issue a written Impact Event Report within the timing in the table below. In such cases, the affected Responsible Entity shall
notify its Regional Entity(ies) and NERC, (e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422) and provide as
much information as is available. The affected Responsible Entity shall then provide periodic verbal updates until adequate
information is available to issue a written Impact Event report.
EOP-004 – Attachment 1 - Actual Reliability Impact – Part A
Event | Entity with Reporting Responsibility | Threshold for Reporting | Time to Submit Report
Energy Emergency requiring Public appeal for load reduction | Initiating entity is responsible for reporting | Each public appeal for load reduction | Within 1 hour of issuing a public appeal
Energy Emergency requiring system-wide voltage reduction | Initiating entity is responsible for reporting | System wide voltage reduction of 3% or more | Within 1 hour after event is initiated
Energy Emergency requiring manual firm load shedding | Initiating entity is responsible for reporting | Manual firm load shedding ≥ 100 MW | Within 1 hour after event is initiated
Energy Emergency resulting in automatic firm load shedding | Each DP or TOP that experiences the Impact Event | Firm load shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding schemes, or SPS/RAS) | Within 1 hour after event is initiated
Voltage Deviations on BES Facilities | Each RC, TOP, GOP that experiences the Impact Event | ± 10% sustained for ≥ 15 continuous minutes | Within 24 hours after 15 minute threshold
IROL Violation | Each RC, TOP that experiences the Impact Event | Operate outside the IROL for time greater than IROL Tv | Within 24 hours after Tv threshold
Loss of Firm load for ≥ 15 Minutes | Each RC, BA, TOP, DP that experiences the Impact Event | ≥ 300 MW for entities with previous year’s demand ≥ 3000 MW; ≥ 200 MW for all other entities | Within 1 hour after 15 minute threshold
System Separation (Islanding) | Each RC, BA, TOP, DP that experiences the Impact Event | Each separation resulting in an island of generation and load ≥ 100 MW | Within 1 hour after occurrence is identified
Generation loss | Each RC, BA, GOP that experiences the Impact Event | ≥ 2,000 MW for entities in the Eastern or Western Interconnection; ≥ 1000 MW for entities in the ERCOT or Quebec Interconnection | Within 24 hours after occurrence
Loss of Off-site power to a nuclear generating plant (grid supply) | Each RC, BA, TO, TOP, GO, GOP that experiences the Impact Event | Affecting a nuclear generating station per the Nuclear Plant Interface Requirement | Report within 24 hours after occurrence
Transmission loss | Each RC, TOP that experiences the Impact Event | Three or more BES Transmission Elements | Within 24 hours after occurrence
Damage or destruction of BES equipment [1] | Each RC, BA, TO, TOP, GO, GOP, DP that experiences the Impact Event | Through operational error, equipment failure, external cause, or intentional or unintentional human action. | Within 1 hour after occurrence is identified
Damage or destruction of Critical Asset | Applicable Entities under CIP-002 or its successor. | Through operational error, equipment failure, external cause, or intentional or unintentional human action. | Within 1 hour after occurrence is identified
Damage or destruction of a Critical Cyber Asset | Applicable Entities under CIP-002 or its successor. | Through intentional or unintentional human action. | Within 1 hour after occurrence is identified
[1] BES equipment that: i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency
actions); iii) Damaged or destroyed due to intentional or unintentional human action; or iv) Do not report copper theft from BES equipment unless it degrades the
ability of equipment to operate correctly e.g., removal of grounding straps rendering protective relaying inoperative.
EOP-004 – Attachment 1 - Potential Reliability Impact – Part B
Event | Entity with Reporting Responsibility | Threshold for Reporting | Time to Submit Report
Unplanned Control Center evacuation | Each RC, BA, TOP that experiences the potential Impact Event | Unplanned evacuation from BES control center facility | Report within 24 hours after occurrence
Fuel supply emergency | Each RC, BA, GO, GOP that experiences the potential Impact Event | Affecting BES reliability [2] | Report within 1 hour after occurrence
Loss of all monitoring or voice communication capability | Each RC, BA, TOP that experiences the potential Impact Event | Affecting a BES control center for ≥ 30 continuous minutes | Report within 24 hours after occurrence
Forced intrusion [3] | Each RC, BA, TO, TOP, GO, GOP that experiences the potential Impact Event | At a BES facility | Report within 1 hour after verification of intrusion
Risk to BES equipment [4] | Each RC, BA, TO, TOP, GO, GOP, DP that experiences the potential Impact Event | From a non-environmental physical threat | Report within 1 hour after identification
Detection of a reportable Cyber Security Incident. | Each RC, BA, TO, TOP, GO, GOP, DP that experiences the potential Impact Event | That meets the criteria in CIP-008 (or its successor) | Report within 1 hour after detection
[2] Report if problems with the fuel supply chain result in the projected need for emergency actions to manage reliability.
[3] Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless it affects the reliability of the
BES).
[4] Examples include a train derailment adjacent to BES equipment, that either could have damaged the equipment directly or has the potential to damage the
equipment (e.g. flammable or toxic cargo that could pose fire hazard or could cause evacuation of a BES facility control center) and report of suspicious device
near BES equipment.
EOP-004 - Attachment 2: Impact Event Reporting Form
This form is to be used to report Impact Events to the ERO. NERC will accept the DOE OE-417 form in lieu of this form if the entity
is required to submit an OE-417 report. Reports should be submitted via one of the following: e-mail: esisac@nerc.com, Facsimile:
609-452-9550
Impact Event Reporting for EOP-004-2
Task | Comments
1. Entity filing the report (include company name and Compliance Registration ID number):
2. Date and Time of Impact Event. | Date: (mm/dd/yyyy) Time/Zone:
3. Name of contact person: Email address: Telephone Number:
4. Did the actual or potential Impact Event originate in your system? | Actual Impact Event / Potential Impact Event; Yes / No / Unknown
5. Under which NERC function are you reporting? (RC, TOP, BA, other)
6. Brief Description of actual or potential Impact Event: (More detail should be provided in the Sequence of Events section below.)
7. Generation tripped off-line*. | MW Total; List units tripped
8. Frequency*. | Just prior to Impact Event (Hz): Immediately after Impact Event (Hz max): Immediately after Impact Event (Hz min):
9. List transmission facilities (lines, transformers, buses, etc.) tripped and locked-out*. (Specify voltage level of each facility listed).
10. Demand tripped (MW)*: Number of affected customers*: Demand lost (MW-Minutes)*: | FIRM / INTERRUPTIBLE
11. Restoration Time*. Transmission: Generation: Demand: | INITIAL / FINAL
12. Sequence of Events of actual or potential Impact Event (if potential Impact Event, please describe your assessment of potential impact to BES):
13. Identify the initial probable cause or known root cause of the actual or potential Impact Event if known at time of submittal of Part I of this report:
14. Identify any protection system misoperation(s) [1]:
15. Additional Information that helps to further explain the actual or potential Impact Event if needed.
[1] Only applicable if it is part of the impact event the responsible entity is reporting on
Guideline and Technical Basis
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and is
progressing toward developing standards based on the SAR. This concepts paper is designed to
solicit stakeholder input regarding the proposed reporting concepts that the DSR SDT has
developed.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The DSR SDT also proposed to investigate incorporation of the cyber incident reporting aspects
of CIP-008 under this project. This will be coordinated with the Cyber Security - Order 706
SDT (Project 2008-06).
The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database
and FERC Order 693 Directives to determine a prudent course of action with respect to these
standards.
This concept paper provides stakeholders with a proposed “road map” that will be used by the
DSR SDT in updating or revising CIP-001 and EOP-004. This concept paper provides the
background information and thought process of the DSR SDT.
The proposed changes do not include any real-time operating notifications for the types of events
covered by CIP-001 and EOP-004. The real-time reporting requirements are achieved through
the RCIS and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies).
The proposed standards deal exclusively with after-the-fact reporting.
The DSR SDT is proposing to consolidate disturbance and event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard Will:
• Require use of a single form to report disturbances and “Impact Events” that
threaten the reliability of the bulk electric system
• Provide clear criteria for reporting
• Include consistent reporting timelines
• Identify appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provide clarity around who will receive the information
The drafting team will explore other opportunities for efficiency, such as development of an
electronic form and possible inclusion of regional reporting requirements.
Discussion of Disturbance Reporting
Disturbance reporting requirements currently exist in EOP-004. The current approved definition
of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria are in the existing EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of Impact Events that are to be reported under this standard (attachment 1).
Discussion of “Impact Event” Reporting
There are situations worthy of reporting because they have the potential to impact reliability. The
DSR SDT proposes calling such incidents ‘Impact Events’ with the following concept:
An Impact Event is any situation that has the potential to significantly impact the
reliability of the Bulk Electric System. Such events may originate from malicious intent,
accidental behavior, or natural occurrences.
Impact Event reporting facilitates industry awareness, which allows potentially impacted parties
to prepare for and possibly mitigate the reliability risk. It also provides the raw material, in the
case of certain potential reliability threats, to see emerging patterns.
Examples of Impact Events include:
• Bolts removed from transmission line structures
• Detection of cyber intrusion that meets criteria of CIP-008 or its successor standard
• Forced intrusion attempt at a substation
• Train derailment near a transmission right-of-way
• Destruction of Bulk Electrical System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that, by reporting material risks to the Bulk Electrical System using the Impact Event
categorization, it will be easier to get the relevant information for mitigation, awareness, and
tracking, while removing the distracting element of motivation.
The DSR SDT discussed the reliability needs for Impact Event reporting and will consider
guidance found in the document “NERC Guideline: Threat and Incident Reporting” in the
development of requirements, which will include clear criteria for reporting.
Certain types of Impact Events should be reported to NERC, the Department of Homeland
Security (DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law
enforcement. Other types of Impact Events may have different reporting requirements. For
example, an Impact Event that is related to copper theft may only need to be reported to the local
law enforcement authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. As envisioned, the standard will only require
Functional entities to report the incidents and provide information or data necessary for these
analyses. Other entities (e.g. – NERC, Law Enforcement, etc) will be responsible for performing
the analyses. The NERC Rules of Procedure (section 800) provide an overview of the
responsibilities of the ERO in regards to analysis and dissemination of information for reliability.
Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial Regulators,
and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The goal of the DSR SDT is to have one reporting form for all functional entities (US, Canada,
Mexico) to submit to NERC. Ultimately, it may make sense to develop an electronic version to
expedite completion, sharing and storage. Ideally, entities would complete a single form which
could then be distributed to jurisdictional agencies and functional entities as appropriate.
Specific reporting forms [6] that exist today (i.e. - OE-417, etc) could be included as part of the
electronic form to accommodate US entities with a requirement to submit the form, or may be
removed (but still be mandatory for US entities under Public Law 93-275) to streamline the
proposed consolidated reliability standard for all North American entities (US, Canada, Mexico).
Jurisdictional agencies may include DHS, FBI, NERC, RE, FERC, Provincial Regulators, and
DOE. Functional entities may include the RC, TOP, and BA for industry awareness.
Applicability of the standard will be determined based on the specific requirements.
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT is planning to update the listing of reportable events from
discussions with jurisdictional agencies, NERC, Regional Entities and stakeholder input. There
is a possibility that regional differences may still exist.
The reporting proposed by the DSR SDT is intended to meet the uses and purposes of NERC.
The DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information is not
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be included or attached to the NERC
report, in lieu of entering that information on the NERC report.
[6] The DOE Reporting Form, OE-417 is currently a part of the EOP-004 standard. If this report is removed from the
standard, it should be noted that this form is still required by law as noted on the form: NOTICE: This report is
mandatory under Public Law 93-275. Failure to comply may result in criminal fines, civil penalties and other
sanctions as provided by law. For the sanctions and the provisions concerning the confidentiality of information
submitted on this form, see General Information portion of the instructions. Title 18 USC 1001 makes it a criminal
offense for any person knowingly and willingly to make to any Agency or Department of the United States any
false, fictitious, or fraudulent statements as to any matter within its jurisdiction.
EOP-004-2 — Impact Event and Disturbance Assessment, Analysis, and Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April, 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
5. Initial Informal Comment Period (September 2010)
Proposed Action Plan and Description of Current Draft
This is the first posting of the proposed standard in accordance with Results-Based Criteria. The
drafting team requests posting for a 30-day formal comment period.
Future Development Plan
Anticipated Actions
Initial Comment PeriodDrafting team considers comments, makes
conforming changes, and proceed to second comment
Drafting team considers comments, makes conforming changes, and
proceed to second comment Second Comment Period
Third Comment Period/Initial /Ballot period
Successive Comment/Recirculation Ballot period
Receive BOT approval
Draft 1: September 10, 20102: March 7, 2011
Anticipated Date
SeptemberOctober
2010 – February
2011
October – December
2010March – May
2011
December 2010JanuaryJune- July
2011
February –
MarchJuly-August
2011
AprilSeptember
2011
Effective Dates
1.
USA: The standard shall become effective on the Ffirst calendar day of the firstthird
calendar quarter one year after the date of the order providing applicable regulatory authority
approval. for all requirements
2.
Canada and Mexico: First calendar day ofConcurrent with the first calendar quarter
one year following Board of Trustees adoption unless governmental authority withholds
approvalEffective Date for the USA. In those jurisdictions where no regulatory approval is
required, the standard shall become effective on the first calendar day of the third calendar
quarter after Board of Trustees adoption.
Version History
Version
2
Date
Action
Merged CIP-001-1 Sabotage Reporting
and EOP-004-1 Disturbance Reporting
into EOP-004-2;
Impact Event Reporting; Retire CIP001-1a Sabotage Reporting and Retired
EOP-004-1, R1, R3.2, R3.3, R3.4, R4,
R5 and associated measures, evidence
retention and VSLs Disturbance
Reporting.
Added new requirements for ERO – R1,
R7, R8.
Change Tracking
Revision to entire
standard (Project 200901)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
None
Impact Event: Any event which has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure or
mis-operation, environmental conditions, or human action.
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
Introduction
1. Title:
Impact Event and Disturbance Assessment, Analysis, and Reporting
2. Number:
EOP-004-2
3. Purpose:
Responsible Entities shall report impact events and their known causes to
support situationalTo improve industry awareness and the reliability of the
Bulk Electric System (BES).by requiring the reporting of Impact Events
and their causes, if known, by the Responsible Entities.
4. Applicability
4.1. Functional Entities: Within the context of EOP-004-2, the term “Responsible
Entity” shall mean:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Interchange Authority
4.1.4. Transmission Service Provider
4.1.5. Transmission Owner
4.1.6. Transmission Operator
4.1.7. Generator Owner
4.1.8. Generator Operator
4.1.9. Distribution Provider
4.1.8. Electric Reliability Organization
4.1.10 Load Serving Entity
5. Background:
NERC established a SAR Team in 2009 to investigate revisions to the CIP-001 and EOP-004
Reliability Standards.
1. CIP-001 may be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 has some ‘fill-in-the-blank’ components to eliminate.
The development may include other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards (see tables for each
standard at the end of this SAR for more detailed information).
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC SC in August of 2009. The Disturbance and Sabotage Reporting
Standard Drafting Team (DSR SDT) was formed in late 2009. A “concepts paper” was designed
to solicit stakeholder input regarding the proposed reporting concepts that the DSR SDT has
developed.
The concept paper sought comments from stakeholders on the “road map” that will be used by
the DSR SDT in updating or revising CIP-001 and EOP-004. The concept paper provided
stakeholders the background information and thought process of the DSR SDT.
The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database
and FERC Order 693 Directives in order to determine a prudent course of action with respect to
these standards.
The DSR SDT has used a working definition for “Impact Events” to develop Attachment 1 as follows:
“An Impact Event is any event that has either impacted or has the potential
to impact the reliability of the Bulk Electric System. Such events may be caused by
equipment failure or mis-operation, environmental conditions, or human action.”
The DSR SDT has proposed this definition for inclusion in the NERC Glossary for “Impact
Event”. The types of Impact Events that are required to be reported are contained within
Attachment 1. Only these events are required to be reported under this Standard. The DSR SDT
considered the FERC directive to “further define sabotage” and decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act or
event was that of sabotage or merely vandalism without the intervention of law enforcement after
the fact. This will result in further ambiguity with respect to reporting events. The term
“sabotage” is no longer included in the standard and therefore it is inappropriate to attempt to
define it. The Impact Events listed in Attachment 1 provide guidance for reporting both actual
events as well as events which may have an impact on the Bulk Electric System. The DSR SDT
believes that this is an equally effective and efficient means of addressing the FERC Directive.
Attachment 1, Part A is to be used for those actions that have impacted the electric system, and in
particular the section “Damage or destruction to equipment” clearly defines that all equipment
damage caused by intentional or non-intentional human error be reported. Attachment 1, Part B covers
similar items where the action has not fully occurred but may cause a risk to the electric system and
is required to be reported.
To support this concept, the DSR SDT has provided specific events for reporting, including types
of Impact Events, timing thresholds pertaining to the different types of Impact Events, and who is
responsible for reporting under the different Impact Events. This information is outlined in
Attachment 1 to the proposed standard.
The DSR SDT wishes to make clear that the proposed changes do not include any real-time
operating notifications for the types of events covered by CIP-001, EOP-004. This is achieved
through the RCIS and is covered in other standards (e.g. TOP). The proposed standard deals
exclusively with after-the-fact reporting.
The DSR SDT is proposing to consolidate disturbance and Impact Event reporting
under a single standard. These two components and other key concepts are discussed in the
following sections.
Summary of Concepts
• A single form to report disturbances and Impact Events that threaten the
reliability of the bulk electric system
• Other opportunities for efficiency, such as development of an electronic form and
possible inclusion of regional reporting requirements
• Clear criteria for reporting
• Consistent reporting timelines
• Clarity around who will receive the information and how it will be used

Rationale for R1
The goal of the DSR SDT is to have a generic reporting form and a system for all functional entities
(US, Canada, Mexico) to submit impact event reports to NERC and other entities. Ultimately, it may make
sense to develop an electronic version of the form to expedite completion, sharing and storage. Ideally,
entities would complete a single electronic form online which could then be electronically forwarded or
distributed to jurisdictional agencies and functional entities as appropriate using check boxes or other
coding within the electronic form. Specific reporting forms that exist today (i.e. - OE-417, etc) could be
included as part of the electronic form to accommodate US entities with a requirement to
submit the form or may be removed (but still be mandatory for US entities under Public Law 93-275)
to streamline the proposed consolidated reliability standard for all North American entities (US, Canada,
Mexico). Jurisdictional agencies may include DHS, FBI, NERC, RE, FERC, Provincial Regulators, and
DOE. Functional entities may include the RC, TOP, and BA for situational awareness. Applicability of the
standard will be determined based on the specific requirements.
The DSR SDT recognizes that some regions require reporting of additional information beyond what is in
EOP-004. The DSR SDT is planning to update the listing of reportable events from discussions with
jurisdictional agencies, NERC, Regional Entities and stakeholder input. There is a possibility that regional
differences may still exist.
Responsible entities will ultimately be responsible for ensuring that OE-417 reports are received at the DOE.

Law Enforcement Reporting
The reliability objective of EOP-004-2 is to prevent outages which could lead to
Cascading by effectively reporting Impact Events. Certain outages, such as
those due to vandalism and terrorism, are not preventable. Entities rely upon law
enforcement agencies to respond and investigate those Impact Events which
have the potential of wider area effect upon the industry which enables and
supports reliability principles such as protection of bulk power systems from
malicious physical or cyber attack. The Standard is intended to reduce the risk of
Cascading involving Impact Events. The importance of BES awareness of the
threat around them is essential to the effective operation and planning to
mitigate the potential risk to the BES.

Stakeholders in the Reporting Process
• Industry
• NERC (ERO)
• FERC
• DOE
• DHS – Federal
• Homeland Security- State
• State Regulators
• Local Law Enforcement
• State Law Enforcement
• FBI
The above stakeholders have an interest in the timely notification, communication and response
to an incident at an industry facility. The stakeholders have various levels of accountability and
have a vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The present CIP-001-1 standard requires a liaison relationship on behalf of the
industry and FBI. Annual requirements, under the standard, of the industry have not been clear
and have led to misunderstandings and confusion in the industry as to how to demonstrate the
liaison is in place and effective. FBI offices have been asked to confirm, on FBI letterhead, the
existence of a working relationship to report acts of sabotage to include references to years the
liaison has been in existence and confirming telephone numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, passionately
committed investigators, analysts, linguists, SWAT experts, and other specialists from dozens of
U.S. law enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the
Justice Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communications occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flow freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to an industry incident has come from local and state law enforcement agencies responding to
suspected vandalism and criminal damage at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The Provincial
law enforcement agency has a reporting relationship with the Royal Canadian Mounted Police
(RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with FBI, FERC Staff, NERC Standards Project Coordinator and SDT
Chair is reflected in the flowchart below (Reporting Hierarchy for Impact Event EOP-004-2).
Essentially, reporting an Impact Event to law enforcement agencies will only require the industry
to notify the state or provincial level law enforcement agency. The state or provincial level law
enforcement agency will coordinate with local law enforcement to investigate. If the state or
provincial level law enforcement agency decides federal agency law enforcement or the RCMP
should respond and investigate, the state or provincial level law enforcement agency will notify
and coordinate with the FBI or the RCMP.
[Flowchart: Reporting Hierarchy for Impact Event EOP-004-2]
*Canadian entities will follow law enforcement protocols applicable in
their jurisdictions
Requirements and Measures
R1. The ERO shall establish, maintain and utilize a
system for receiving and distributing impact
event reports, received pursuant to
Requirement R6, to applicable government,
provincial or law enforcement agencies and
Registered Entities to enhance and support
situational awareness.
M1. The ERO shall provide evidence that it
established, maintained and utilized a system
for the distribution of the reports it receives to
the various organizations or agencies. Such
evidence could include, but is not limited to,
dated records indicating that reports were
distributed as shown on the submitted report or
electronic logs indicating distribution of
reports. (R1)
Rationale for R1
Every industry participant that owns or
operates elements or devices on the grid has a
formal or informal process, procedure, or
steps it takes to gather information regarding
what happened and why it happened when
Impact Events occur. This requirement has
the Registered Entity establish documentation
on how that procedure, process, or plan is
organized.
For the Impact Event Operating Plan, the DSR
SDT envisions that Part 1.2 includes
performing sufficient analysis and information
gathering to be able to complete the report for
reportable Impact Events. The main issue is
to make sure an entity can a) identify when an
Impact Event has occurred and b) be able to
gather enough information to complete the
report.
Part 1.3 could include a process flowchart,
identification of internal positions to be
notified and to make notifications, or a list of
personnel by name as well as telephone
numbers.
The Impact Event Operating Plan may
include, but not be limited to, the following:
how the entity is notified of event’s
occurrence, person(s) initially tasked with the
overseeing the assessment or analytical study,
investigatory steps typically taken, and
documentation of the assessment / remedial
action plan.
R2.
Each ApplicableResponsible Entity identified in Attachment 1 shall have an Impact
Event Operating Plan(s) that includes: [Violation Risk: Factor Medium] [Time Horizon: Longterm Planning]
1.1. An Operating Process for identifying, assessing and reporting impact events Impact Events
listed in Attachment 1 that includes.
1.2. An Operating Procedure for gathering information for Attachment 2 regarding observed
Impact Events listed in Attachment 1.
Rationale for R2
Every industry participant that owns or operates elements or devices on the grid has a
formal or informal process, procedure, or steps it takes to assess what happened and
why it happened when impact events occur. This requirement has the Registered Entity
establish documentation on how that procedure, process, or plan is organized.
For the Operating Plan, the DSR SDT envisions that “assessing” includes performing
sufficient analysis to be able to complete the report for reportable impact events. The main
issue is to make sure an entity can a) identify when an impact event has occurred and b) be
able to gather enough information to complete the report.
Parts 3.3 and 3.4 include, but not limited to, operating personnel who could be involved
with any aspect of the operating plan.
The Operating Plan may include, but not be limited to, the following: how the entity is
notified of event’s occurrence, person(s) initially tasked with the overseeing the
assessment or analytical study, investigatory steps typically taken, and documentation of
the assessment / remedial action plan.

1.3. An Operating Process for communicating recognized Impact Events to the following components:
1.2. Method(s) for identifying impact events
1.3. Method(s) for assessing cause(s) of impact events
1.4. Method(s) for making internal and external notifications pursuant to Parts 2.5 and 2.6
1.3.1. Internal company personnel responsible for making initial notification(s).
1.5. List of internal company personnel to notify
1.3.2. External organizations to notify to include but not limited to the Responsible
Entities’ Reliability Coordinator, NERC, Responsible Entities’ Regional Entity, Law
Enforcement, and Governmental or Provincial Agencies.
1.4. Provision(s) for updating the Impact Event Operating Plan within 90 days of any change
to its content.
1.7. A provision for updating the Operating
Plan based on lessons learned from an exercise or implementation of the Operating
Plan within 30 days of identifying the lessons learned.
1.8. A provision for updating the Operating Plan based on applicable lessons learned from
the annual NERC report issued pursuant to Requirement R8 within 30 days of NERC
publishing lessons learned.
M1. Each Responsible Entity shall provide the current in force Impact Event
Operating Plan to the Compliance Enforcement Authority upon request. (R2)
R2. Each Responsible Entity shall implement its Impact Event Operating Plan documented in
Requirement R1 for Impact Events listed in Attachment 1 (Parts A and B). [Violation
Risk: Factor Medium] [Time Horizon: Real-time Operations and Same-day Operations]

Rationale for R3
The DSR SDT intends for each Applicable Entity to assess the causes of the reportable
impact event and gather enough information to complete the report that is required to be filed.

M2. To the extent that a Responsible Entity has an Impact Event on its Facilities, the
Responsible Entity shall provide documentation of the implementation of its Impact Event
Operating Plans. Such evidence could include, but is not limited to, operator logs, voice
recordings, or other notations and documents retained by the Registered Entity for each
Impact Event.
R3. Each Responsible Entity shall conduct a test of its Operating Process for communicating
recognized Impact Events created pursuant to Requirement R1, Part 1.3 at least annually,
with no more than 15 calendar months between tests. [Violation Risk: Factor Medium]
[Time Horizon: Long-term Planning]

Rationale for R4
The DSR SDT intends for each Applicable Entity to conduct a drill or exercise of its
Operating Plan as often as merited but no longer than 15 months from the previous exercise
to prevent a long cycle of exercises (i.e., conducting an exercise in January of one year and
then December of the next year). Multiple exercises in a 15 month period is not a violation
of the requirement and would be encouraged to improve reliability. A drill or exercise may be
a table-top exercise, a simulation or an actual implementation of the Operating Plan.

Rationale for R3
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for
communicating recognized Impact Events is correct so that the entity can respond
appropriately in the case of an actual Impact Event. The Responsible Entity may conduct
a drill or exercise of its Operating Process for communicating recognized Impact Events as
often as it desires but the time period between such drill or exercise can be no longer than
15 months from the previous drill/exercise or actual Impact Event (i.e., if you conducted an
exercise/drill/actual employment of the Operating Process in January of one year,
there would be another exercise/drill/actual employment by March 31 of the next
calendar year). Multiple exercises in a 15 month period are not a violation of the
requirement and would be encouraged to improve reliability.

M3. In the absence of an actual Impact Event, the Responsible Entity shall provide evidence
that it conducted a mock Impact Event and followed its Operating Process for
communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3.
The time period between actual and or mock Impact Events shall be no more than
15 months. Evidence may include, but is not limited to, operator logs, voice recordings, or
documentation. (R3)
M4. The ApplicableR4.
Each Responsible Entity shall provide evidence that it conducted a
drill, exercise or Real-time implementation of thereview its Impact Event Operating Plan for
reporting as specified in the requirement. Such evidence could include, but is not limited to,
a dated, exercise scenario with notes on the exercise or operator logs, voice recordings, or
power flow analysis cases for an actual implementation of the Operating Plan. (R4)
R5. Each Applicable Entity shall provide training to all internal those personnel who have
responsibilities identified in its Operating Plan
Rationale for R5
for reporting pursuant to Requirement R2
The SDT is not prescribing how training is
subject to the following:
to be conducted and leaves that decision to
5.1 The training includes the personnel
each Applicable Entity as they best know
required to respond and their required
how to conduct such activities. Conduct of
actions under the Operating Plan.
an exercise constitutes training for
compliance with this requirement.
Training conductedthat plan at least once per
calendar year,annually with no more than 15
For changes to the Operating Plan (5.3), the
calendar months between trainingreview
training may simply consist of a review of
sessions for personnel with existing
the revised responsibilities and a “sign-off”
responsibilities. [Violation Risk: Factor
that personnel have reviewed the revisions.
Medium] [Time Horizon: Long-term
Planning ].
5.2 If the Operating Plan is revised (with the exception of contact information revisions),
training shall be conducted within 30 days of the Operating Plan revisions.
5.3 For internal personnel added to the Operating Plan or those with revised
responsibilities under the Operating Plan, training shall be conducted prior to
assuming the responsibilities in the plan.
M4. Responsible Entities shall provide the materials presented to verify
content and the association between the people listed in the plan and those who participated
in the review, documentation showing who was present and when internal
personnel were trained on the responsibilities in the plan.
R5. Each Responsible Entity shall report Impact Events in
accordance with the Impact Event Operating Plan created pursuant to Requirement R1
and Attachment 1 using the form in Attachment 2 or the DOE OE-417
reporting form. [Violation Risk: Factor: Medium] [Time Horizon: Real-time Operations
and Same-day Operations].
M5. Responsible Entities shall provide evidence demonstrating the submission
of reports using the plan created pursuant to Requirement R1 and Attachment 1 using
either the form in Attachment 2 or the DOE OE-417
report. Such evidence will include a copy of the original Attachment 2 form or
OE-417 report submitted, evidence to support the type of Impact Event
experienced; the date and time of the Impact Event; as well as evidence of
report submittal that includes date and time. (R6)
R7. The ERO shall annually review and
propose revisions to the impact event
table (Attachment 1) if warranted based
on its analysis of reported impact events.
Revisions to Attachment 1 shall follow
the Reliability Standards Development
Procedure.
M7. The ERO shall provide evidence that it
reviewed the impact event table. If
applicable, the ERO shall provide
evidence that it followed the Reliability
Standards Development Procedure to
propose and implement revisions to
Attachment 1. Such evidence may
include, but not be limited to,
documentation that compares or assesses
the list of impact events (Attachment 1)
against the analysis of reported impact
events. (R7)
R8. The ERO shall publish a quarterly report
of the year’s reportable impact events
subject to the following:
8.1 Issued no later than 30 days following
the end of the calendar quarter
8.2 Identifies trends on the BES
8.3 Identifies threats to the BES
8.4 Identifies other vulnerabilities to the
BES
Rationale for R7-R8
Some of the concepts contained in
Requirements R7 and R8 are contained in the
NERC Rules of Procedure, section 800. The
DSR SDT felt that, in order to have a
complete standard for reporting impact events
that improved reliability, there needed to be
feedback to industry on a regular basis as
well as when issues are discovered. The
analysis of impact events is crucial and the
subsequent dissemination of the results of
that analysis must be performed.
In accordance with Sections 401(2) and 405
of the Rules of Procedures, the ERO can be
set as an applicable entity in a requirement or
standard. After careful consideration, the
DSR SDT believes that these requirements
(R7-8) are best applicable to the ERO.
Rationale for R8
The ERO will analyze Impact Events that are
reported through requirement R6. The DSR
SDT envisions the ERO issuing reports
identifying trends, threats or other
vulnerabilities when available or at least
quarterly. The report will include lessons
learned and recommended actions (such as
mitigation plans) to improve reliability as
applicable.
8.5 Documents lessons learned
8.6 Includes recommended actions.
M8. The ERO shall provide evidence that it issued a report identifying trends, threats, or other
vulnerabilities on the bulk electric system at least quarterly. Such evidence will include a
copy of the report as well as dated evidence of the report’s issuance. (R8)
Compliance
Compliance Enforcement Authority
• Regional Entity; or
• For requirements applicable to the ERO, an entity contracted to perform an audit.
• If the Responsible Entity works for the Regional Entity, then the Regional Entity will
establish an agreement with the ERO or another entity approved by the ERO and
FERC (i.e. another Regional Entity) to be responsible for compliance enforcement.
Compliance Monitoring and Enforcement Processes:
• Compliance Audits
• Self-Certifications
• Spot Checking
• Compliance Violation Investigations
• Self-Reporting
• Complaints
Evidence Retention
Each Responsible Entity
shall retain data or evidence to show compliance as identified below unless directed by
its Compliance Enforcement Authority to retain specific evidence for a longer period of time
as part of an investigation:
The ERO shall retain evidence of Requirements 1, 7 and 8, Measures 1, 7, and 8 for three
calendar years.
Each Reliability Coordinator, Balancing Authority, Transmission Owner, Transmission
Operator, Generator Owner, Generator Operator and Distribution Provider shall retain data or
evidence of Requirements 2, 3, 4, and 5 and Measures 2, 3, 4, and 5 for three calendar years
for the duration of any regional or Compliance Enforcement Authority investigation,;
whichever is longer to show compliance unless directed by its Compliance Enforcement
Authority to retain specific evidence for a longer period of time as part of an investigation.
Each Reliability Coordinator, Balancing Authority, Transmission Owner, Transmission
Operator, Generator Owner, Generator Operator and Distribution Provider shall retain data or
evidence of Requirement 6 and Measure 6 for three calendar years for the duration of any
regional investigation, whichever is longer to show compliance unless directed by its
Compliance Enforcement Authority to retain specific evidence for a longer period of time as part
of an investigation.
If a Registered Entity is found non-compliant, it shall keep information related to the noncompliance until found compliant or for the duration specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all requested
and submitted subsequent audit records.
Additional Compliance Information
To be determined.
None
Table of Compliance Elements
Columns: R#, Time Horizon, VRF, Violation Severity Levels (Lower VSL, Moderate VSL, High VSL, Severe VSL)

R1
Time Horizon: Long-term Planning
VRF: Medium
Lower VSL: The Responsible Entity has an Impact Event Operating Plan but failed to include one of Parts 1.1 through 1.4.
Moderate VSL: The Responsible Entity has an Impact Event Operating Plan but failed to include two of Parts 1.1 through 1.4.
High VSL: The Responsible Entity has an Impact Event Operating Plan but failed to include three of Parts 1.1 through 1.4.
Severe VSL: The Responsible Entity failed to include all of Parts 1.1 through 1.4.

R2
Time Horizon: Real-time Operations and Same-day Operations
VRF: Medium
Lower VSL: N/A
Moderate VSL: N/A
High VSL: N/A
Severe VSL: The Responsible Entity failed to implement its Impact Event Operating Plan for an Impact Event listed in Attachment 1.

R3
Time Horizon: Long-term Planning
VRF: Medium
Lower VSL: The Responsible Entity failed to conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 in more than 15 months but less than 18 months.
Moderate VSL: The Responsible Entity failed to conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 in more than 18 months but less than 21 months.
High VSL: The Responsible Entity failed to conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 in more than 21 months but less than 24 months.
Severe VSL: The Responsible Entity failed to conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 in more than 24 months.

R4
Time Horizon: Long-term Planning
VRF: Medium
Lower VSL: The Responsible Entity failed to review its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 15 months but less than 18 months.
Moderate VSL: The Responsible Entity failed to review its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 18 months but less than 21 months.
High VSL: The Responsible Entity failed to review its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 21 months but less than 24 months.
Severe VSL: The Responsible Entity failed to review its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 24 months.

R5
Time Horizon: Real-time Operations and Same-day Operations
VRF: Medium
Lower VSL: The Responsible Entity failed to submit a report in less than 36 hours for an Impact Event requiring reporting within 24 hours in Attachment 1.
Moderate VSL: The Responsible Entity failed to submit a report in more than 36 hours but less than or equal to 48 hours for an Impact Event requiring reporting within 24 hours in Attachment 1.
OR
The Responsible Entity failed to submit a report in more than 1 hour but less than 2 hours for an Impact Event requiring reporting within 1 hour in Attachment 1.
High VSL: The Responsible Entity failed to submit a report in more than 48 hours but less than or equal to 60 hours for an Impact Event requiring reporting within 24 hours in Attachment 1.
Severe VSL: The Responsible Entity failed to submit a report in more than 60 hours for an Impact Event requiring reporting within 24 hours in Attachment 1.
OR
The Responsible Entity failed to submit a report in more than 2 hours for an Impact Event requiring reporting within 1 hour in Attachment 1.
OR
The responsible entity failed to submit a report for an Impact Event in Attachment 1.

Variances
None
Interpretations
None
Draft 1: September 10, 20102: March 7, 2011
EOP-004 - Attachment 1: Impact Events Table
NOTE: Under certain adverse conditions, e.g., severe weather, it may not be possible to report the damage caused by an
Impact Event and issue a written Impact Event Report within the timing in the table below. In such cases, the affected
Responsible Entity shall notify its Regional Entity(ies) and NERC, and verbally (e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422) and provide as much information as is available at that time. The affected Responsible
Entity shall then provide periodic verbal updates until adequate information is available to issue a written Preliminary Impact Event
report.
EOP-004 – Attachment 1 - Actual Reliability Impact – Part A
Event
Entity with Reporting
Responsibility
Threshold for Reporting
Time to Submit Report
Energy Emergency
requiring Public appeal
for load reduction
RC, BAInitiating entity is
responsible for reporting
To reduce consumption in order to maintain
the continuity of the BES
Each public appeal for load reduction
Within 1 hour of issuing a public
appeal
Energy Emergency
requiring system-wide
voltage reduction
RC, TO, TOP, DP Initiating
entity is responsible for
reporting
System wide voltage reduction of 3% or more
Within 1 hour after occurrenceevent
is identifiedinitiated
Energy Emergency
requiring manual firm
load shedding
Initiating entity is responsible
for reporting
Manual firm load shedding ≥ 100 MW
Within 1 hour after event is initiated
Energy Emergency
requiringresulting in
automatic firm load
shedding
RC, BA, TOP, DP Each DP or
TOP that experiences the
Impact Event
Firm load shedding ≥ 100 MW (manually or
via automatic undervoltage or underfrequency
load shedding schemes, or SPS/RAS)
Within 24 hours1 hour after
occurrenceevent is initiated
Voltage Deviations on
BES Facilities
Frequency Deviations
Each RC, TOP, GOP that
experiences the Impact Event
RC, BA
± 10% sustained for ≥ 15 continuous minutes
IROL Violation
Each RC, TOP that
experiences the Impact Event
Within 24 hours after 15 minute
threshold
Within 24 hours after 15 minute
threshold
Within 24 hours after Tv threshold
± Deviations ≥ than Frequency Trigger Limit
(FTL) more than 15 minutes
Operate outside the IROL for time greater
than IROL Tv
EOP-004 – Attachment 1 - Actual Reliability Impact – Part A
Event
Loss of Firm load for ≥
15 Minutes
Entity with Reporting
Responsibility
Each RC, BA, TO, TOP, DP
that experiences the Impact
Event
Threshold for Reporting
•
•
≥ 300 MW for entities with previous year’s Within 24 hours1 hour after 15 minute
threshold
demand ≥ 3000 MW
≥ 200 MW for all other entities
System Separation
(Islanding)
Each RC, BA, TOP, DP that
experiences the Impact Event
Each separation resulting in an island of
generation and load ≥ 100 MW
Generation loss
Each RC, BA, GO, GOP that
experiences the Impact Event
•
•
•
Time to Submit Report
Within 1 hour after occurrence is
identified
≥ 2,000 MW for entities in the Eastern or
Western Interconnection
≥ 1000 MW for entities in the ERCOT or
Quebec Interconnection
An entire generating station of ≥ 5
generators with aggregate capacity of ≥
500 MW
Within 24 hours after occurrence
Loss of Off-site power
to a nuclear generating
plant (grid supply)
Each RC, BA, TO, TOP, GO,
GOP that experiences the
Impact Event
Affecting a nuclear generating station per the
Nuclear Plant Interface Requirement
Report within 24 hours after
occurrence
Transmission loss
Each RC, TO, TOP that
experiences the Impact Event
• An entire DC converter station
Multiple BES transmission elements
(simultaneous or common-mode event)Three
or more BES Transmission Elements
Within 24 hours after occurrence
Damage or destruction
of BES
equipment1equipment 1
Each RC, BA, TO, TOP, GO,
GOP, DP that experiences the
Impact Event
Through operational error, equipment failure,
or external cause, or intentional or
unintentional human action.
Within 1 hour after occurrence is
identified
1
BES equipment that: i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency
actions); iii) Damaged or destroyed due to intentional or unintentional human action; or iv) Do not report copper theft from BES equipment unless it degrades the
ability of equipment to operate correctly e.g., removal of grounding straps rendering protective relaying inoperative.
EOP-004 – Attachment 1 - Actual Reliability Impact – Part A
Event
Entity with Reporting
Responsibility
Threshold for Reporting
Time to Submit Report
Damage or destruction
of Critical Asset
Applicable Entities under CIP002 or its successor.
Through operational error, equipment failure,
external cause, or intentional or unintentional
human action.
Within 1 hour after occurrence is
identified
Damage or destruction
of a Critical Cyber
Asset
Applicable Entities under CIP002 or its successor.
Through intentional or unintentional human
action.
Within 1 hour after occurrence is
identified
Examples:
a. BES equipment that is:
i. A critical asset
ii. Affects an IROL
iii. Significantly affects the reliability margin of the system e.g., has the potential to result in the need for emergency
actions
iv. Damaged or destroyed due to a non-environmental external cause
Report copper theft from BES equipment only if it degrades the ability of equipment to operate correctly e.g., removal of
grounding straps rendering protective relaying ineffective
EOP-004 – Attachment 1 - Potential Reliability Impact – Part B
Event
Entity with
Reporting
Responsibility
Threshold for Reporting
Time to Submit Report
Unplanned Control Center
evacuation
Each RC, BA, TOP
that experiences
the potential
Impact Event
Unplanned evacuation from BES
control center facility
reportReport within 124 hour after occurrence
Fuel supply emergency
Each RC, BA, GO,
GOP that
experiences the
potential Impact
Event
Affecting BES
reliability1reliability 2
reportReport within 1 hour after occurrence
Loss of off-site power (grid
supply)
RC, BA, TO, TOP,
GO, GOP
Affecting a nuclear generating
station
report within 1 hour after occurrence
Loss of all monitoring or voice
communication capability
Each RC, BA,
TOP that
experiences the
potential Impact
Event
Affecting a BES control center
for ≥ 30 continuous minutes
reportReport within 1 hour24 hours after
occurrence
Forced intrusion2intrusion 3
Each RC, BA, TO,
TOP, GO, GOP
At a BES facility
reportReport within 24 hours1 hour after
occurrenceverification of intrusion
that experiences the
2
Report if problems with the fuel supply chain result in the projected need for emergency actions to manage reliability.
3
Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless it affects the reliability of the
BES).
potential Impact
Event
Risk to BES
equipment3equipment 4
Each RC, BA, TO, From a non-environmental
physical threat
TOP, GO, GOP,
DP that experiences
the potential
reportReport within 24 hours1 hour after
occurrenceidentification
Impact Event
Detection of a cyber intrusion to
critical cyber assetsreportable
Cyber Security Incident.
Each RC, BA, TO, That meets the criteria in CIP-008
(or its successor)
TOP, GO, GOP,
DP that experiences
the potential
reportReport within 24 hours1 hour after
occurrencedetection
Impact Event
1. Report if problems with the fuel supply chain result in the projected need for emergency actions to manage reliability.
2. Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless
it effects the reliability of the BES).
Examples include a train derailment adjacent to BES equipment, that either could have damaged the equipment directly or has the
potential to damage the equipment (e.g. flammable or toxic cargo that could pose fire hazard or could cause evacuation of a BES
facility control center).
4
Examples include a train derailment adjacent to BES equipment, that either could have damaged the equipment directly or has the potential to damage the
equipment (e.g. flammable or toxic cargo that could pose fire hazard or could cause evacuation of a BES facility control center) and report of suspicious device
near BES equipment).
EOP-004 - Attachment 2: Impact Event Reporting Form
This form is to be used to report Impact Events to the ERO. NERC will accept the DOE OE-417 form in lieu of this form if the entity
is required to submit an OE-417 report. Reports should be submitted via one of the following: e-mail: esisac@nerc.com, Facsimile:
609-452-9550
EOP-004 – Confidential Impact Event ReportReporting for EOP-004-2
Task
1.
Entity filing the report (include company
name and Compliance Registration ID
number):
2.
Date and Time of Impact Event.
Comments
Date: (mm/dd/yyyyyy)
Time/Zone:
3.
Name of contact person:
Email address:
Telephone Number:
4.
5.
Did the actual or potential
Impact Event originate in your system?
Actual Impact Event Potential Impact Event
Yes
No Unknown
Under which NERC function are you
reporting? (RC, TOP, BA, other)
EOP-004 – Confidential Impact Event ReportReporting for EOP-004-2
Task
6.
Comments
Brief Description of actual or
potential Impact Event:
(More detail should be provided in the
Sequence of Events section below.)
7.
Generation tripped off-line.*.
MW Total
List units tripped
8.
Frequency.*.
Just prior to Impact Event (Hz):
Immediately after Impact Event
(Hz max):
Immediately after Impact Event
(Hz min):
9.
List transmission facilities (lines,
transformers, buses, etc.) tripped and lockedout.*.
(Specify voltage level of each facility listed).
10.
FIRM
INTERRUPTIBLE
Demand tripped (MW):)*:
EOP-004 – Confidential Impact Event ReportReporting for EOP-004-2
Task
Comments
Number of affected customers:*:
Demand lost (MW-Minutes):)*:
11. Restoration Time.*.
INITIAL
FINAL
Transmission:
Generation:
Demand:
12. Sequence of Events:
Sequence of Events of actual or potential Impact Event (if potential Impact Event, please describe your assessment of potential impact to
BES) :
EOP-004 – Confidential Impact Event ReportReporting for EOP-004-2
Task
Comments
13. Identify the initial probable cause or known root cause of the actual or potential Impact Event if known at time of submittal of
Part I of this report:
1
14. Identify any protection system misoperation(s):) :
15. Additional Information that helps to further explain the actual or potential Impact Event if needed. A one-line diagram may be
attached, if readily available, to assist in the evaluation of the event.
1
Only applicable if it is part of the impact event the responsible entity is reporting on
Guideline and Technical Basis
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and is
progressing toward developing standards based on the SAR. This concepts paper is designed to
solicit stakeholder input regarding the proposed reporting concepts that the DSR SDT has
developed.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The DSR SDT also proposed to investigate incorporation of the cyber incident reporting aspects
of CIP-008 under this project. This will be coordinated with the Cyber Security - Order 706
SDT (Project 2008-06).
The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database
and FERC Order 693 Directives to determine a prudent course of action with respect to these
standards.
This concept paper provides stakeholders with a proposed “road map” that will be used by the
DSR SDT in updating or revising CIP-001 and EOP-004. This concept paper provides the
background information and thought process of the DSR SDT.
The proposed changes do not include any real-time operating notifications for the types of events
covered by CIP-001 and EOP-004. The real-time reporting requirements are achieved through
the RCIS and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies).
The proposed standards deal exclusively with after-the-fact reporting.
The DSR SDT is proposing to consolidate disturbance and event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard Will:
• Require use of a single form to report disturbances and “Impact Events” that threaten the
reliability of the bulk electric system
• Provide clear criteria for reporting
• Include consistent reporting timelines
• Identify appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provide clarity around who will receive the information
The drafting team will explore other opportunities for efficiency, such as development of an
electronic form and possible inclusion of regional reporting requirements
Discussion of Disturbance Reporting
Disturbance reporting requirements currently exist in EOP-004. The current approved definition
of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria are in the existing EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of Impact Events that are to be reported under this standard
(attachment 1).
Discussion of “Impact Event” Reporting
There are situations worthy of reporting because they have the potential to impact reliability. The
DSR SDT proposes calling such incidents ‘Impact Events’ with the following
concept:
An Impact Event is any situation that has the potential to significantly
impact the reliability of the Bulk Electric System. Such events may originate from
malicious intent, accidental behavior, or natural occurrences.
Impact Event reporting facilitates industry awareness, which allows potentially
impacted parties to prepare for and possibly mitigate the reliability risk. It also provides the raw
material, in the case of certain potential reliability threats, to see emerging patterns.
Examples of Impact Events include:
• Bolts removed from transmission line structures
• Detection of cyber intrusion that meets criteria of CIP-008 or its successor standard
• Forced intrusion attempt at a substation
• Train derailment near a transmission right-of-way
• Destruction of Bulk Electrical System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electrical System using the Impact
Event categorization, it will be easier to get the relevant information for mitigation, awareness,
and tracking, while removing the distracting element of motivation.
The DSR SDT discussed the reliability needs for Impact Event reporting and will
consider guidance found in the document “NERC Guideline: Threat and Incident Reporting” in
the development of requirements, which will include clear criteria for reporting.
Certain types of Impact Events should be reported to NERC, the Department of
Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local
law enforcement. Other types of Impact Events may have different reporting
requirements. For example, an Impact Event that is related to copper theft may only
need to be reported to the local law enforcement authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. As envisioned, the standard will only require
Functional entities to report the incidents and provide information or data necessary for these
analyses. Other entities (e.g. – NERC, Law Enforcement, etc) will be responsible for performing
the analyses. The NERC Rules of Procedure (section 800) provide an overview of the
responsibilities of the ERO in regards to analysis and dissemination of information for reliability.
Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial Regulators,
and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The goal of the DSR SDT is to have one reporting form for all functional entities (US, Canada,
Mexico) to submit to NERC. Ultimately, it may make sense to develop an electronic version to
expedite completion, sharing and storage. Ideally, entities would complete a single form which
could then be distributed to jurisdictional agencies and functional entities as appropriate.
Specific reporting forms 6 that exist today (i.e., OE-417, etc.) could be included as part of the
electronic form to accommodate US entities with a requirement to submit the form, or may be
removed (but still be mandatory for US entities under Public Law 93-275) to streamline the
proposed consolidated reliability standard for all North American entities (US, Canada, Mexico).
Jurisdictional agencies may include DHS, FBI, NERC, RE, FERC, Provincial Regulators, and
DOE. Functional entities may include the RC, TOP, and BA for industry awareness.
Applicability of the standard will be determined based on the specific requirements.
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT is planning to update the listing of reportable events from
discussions with jurisdictional agencies, NERC, Regional Entities and stakeholder input. There
is a possibility that regional differences may still exist.
The reporting proposed by the DSR SDT is intended to meet the uses and purposes of NERC.
The DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information is not
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be included or attached to the NERC
report, in lieu of entering that information on the NERC report.
6
The DOE Reporting Form, OE-417 is currently a part of the EOP-004 standard. If this report is removed from the
standard, it should be noted that this form is still required by law as noted on the form: NOTICE: This report is
mandatory under Public Law 93-275. Failure to comply may result in criminal fines, civil penalties and other
sanctions as provided by law. For the sanctions and the provisions concerning the confidentiality of information
submitted on this form, see General Information portion of the instructions. Title 18 USC 1001 makes it a criminal
offense for any person knowingly and willingly to make to any Agency or Department of the United States any
false, fictitious, or fraudulent statements as to any matter within its jurisdiction.
Unofficial Comment Form for Disturbance and Sabotage Reporting (Project
2009-01)
Please DO NOT use this form to submit comments. Please use the electronic comment
form located at the link below to submit comments on the Second Posting of EOP-004-2,
Impact Event Reporting (Project 2009-01). The electronic comment form must be
completed by April 8, 2011.
Project 2009-01 Disturbance and Sabotage Reporting
If you have questions please contact Stephen Crutchfield at Stephen.Crutchfield@nerc.net
or by telephone at 609-651-9455.
Background Information
The Disturbance and Sabotage Reporting Drafting Team posted the first draft of EOP-004-2
– Impact Event Reporting for a 30-day informal comment period from September 15, 2010
through October 15, 2010. Based on stakeholder comments, and also on the results of the
observations made by the Quality Review team, the drafting team made the following
significant changes to the standard following the posting period that ended on October 15,
2011.
Scope: A common thread through most of the comments was that the DSR SDT went
beyond the reliability intent of the standard (reporting) and concentrated too much on the
analysis of the event. The DSR SDT agrees with this response, and revised the purpose as
follows:
Original Purpose: Responsible Entities shall report impact events and their known causes to
support situational awareness and the reliability of the Bulk Electric System (BES).
Revised Purpose: To improve industry awareness and the reliability of the Bulk Electric System by
requiring the reporting of Impact Events and their causes, if known, by the Responsible Entities.
Definitions:
Impact Event: The DSR SDT had proposed a working definition for “impact events” to
support EOP-004 - Attachment 1 as follows:
“An impact event is any event that has either impacted or has the potential to impact
the reliability of the Bulk Electric System. Such events may be caused by equipment
failure or mis-operation, environmental conditions, or human action.”
Many stakeholders indicated that the definition should be added to the NERC Glossary and
the DSR SDT adopted this suggestion. The types of Impact Events that are required to be
reported are contained within EOP-004 - Attachment 1. Only the events identified in EOP-004 – Attachment 1 are required to be reported under this Standard.
Sabotage:
FERC Order 693, paragraph 471 states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability
Standards development process: (1) further define sabotage and provide guidance as to the
triggering events that would cause an entity to report a sabotage event.” The DSR SDT
made a conscious, deliberate decision to exclude a strict definition of sabotage from this
standard and sought stakeholder feedback on this issue. Some suggested adopting the NRC
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
definition of the term sabotage, and the DSR SDT did consider adopting the NRC definition
shown below but determined that the definition is too narrowly focused.
Any deliberate act directed against a plant or transport in which an activity licensed
pursuant to 10 CFR Part 73 of NRC's regulations is conducted or against a
component of such a plant or transport that could directly or indirectly endanger the
public health and safety by exposure to radiation.
Most respondents agreed that in order to be labeled as an act of sabotage, the intent of the
perpetrators must be known. The team felt that it was almost impossible to determine if an
act or event was that of sabotage or merely vandalism without the intervention of law
enforcement after the fact. This would result in further ambiguity with respect to reporting
events, and the timeline associated with the reporting requirements does not lend itself to
the in-depth analysis required to identify a disturbance (or potential disturbance) as
sabotage. The SDT felt that a likely consequence of having to meet this criterion, in the
time allotted, would be an under-reporting of events. Accordingly, all references to
sabotage have been deleted from the standard. Instead, the SDT concentrated on providing
clear guidance on the events that should trigger a report. The SDT believes that this more
than adequately meets the reliability intent of the Commission as expressed in paragraph
471 of Order 693 in an equally efficient and effective manner.
Situational Awareness versus Industry Awareness: Some commenters correctly
pointed out that “situational awareness” is a desirable by-product of an effective event
reporting system, and not the driver of that system. Accordingly, all references to
“situational awareness” have been deleted from the standard. The more generic “industry
awareness” has been substituted where appropriate.
Applicability: The DSR SDT had protracted discussions on the applicability of this standard
to the LSE. Per the Functional Model, the LSE does not own assets and therefore should not
be an applicable entity (no equipment that could experience a “disturbance”). However, the
Registry Criteria contains language that could imply that the LSE does own assets, or is at
least responsible for assets. In addition, the DSR SDT modified Attachment 1 to include
reporting of damage or destruction of Critical Cyber Assets per CIP-002. The LSE, as well
as the Interchange Authority and Transmission Service Provider are applicable entities
under CIP-002 and should be included for Impact Events under EOP-004.
There were several comments that the asset owners (GO/TO) would be less likely than the
asset operators (GOP/TOP) to be aware of an impact event. The DSR SDT recognizes that
this may be true in some cases, but not all. In order to meet the reliability objectives of
this requirement, the applicability for GO/TO will remain as per Attachment 1.
Requirement R1: Based on stakeholder comments, Requirement R1, which assigned the
ERO the responsibility for collecting and distributing impact event reports was deleted.
There was strong support for a central system for receiving and distributing impact event
reports (“one stop shopping”). There was general agreement that NERC was the most
likely, logical entity to perform that function. However several respondents expressed their
concern that the ERO could not be compelled to do so by a requirement in a Reliability
Standard (not a User, Owner or Operator of the BES). In their own comments, NERC did
not oppose the concept, but suggested that the more appropriate place to assign this
responsibility would be the NERC Rules of Procedure. The DSR SDT concurs. The DSR SDT
has removed the requirement from the standard and is proposing to make revisions to the
NERC Rules of Procedure as follows:
812. NERC will establish a system to collect impact event reports as established for
this section, from any Registered Entities, pertaining to data requirements identified
in Section 800 of this Procedure. Upon receipt of the submitted report, the system
shall then forward the report to the appropriate NERC departments, applicable
regional entities, other designated registered entities, and to appropriate
governmental, law enforcement, and regulatory agencies as necessary. These
reports shall be forwarded to the Federal Energy Regulatory Commission for impact
events that occur in the United States. The ERO shall solicit contact information
from Registered Entities appropriate governmental, law enforcement and regulatory
agencies for distributing reports.
Requirement R2 (now R1 in the revised standard)
There were objections to the use of the term “Operating Plan” to describe the procedure to
identify and report the occurrence of a disturbance. The DSR SDT believes that the use of
a defined term is appropriate and has revised Requirement R1 to include Operating Plan,
Operating Process and Operating Procedure.
Many commenters felt that the requirements around updating the Operating Plan were too
prescriptive, and impossible to comply with during the time frame allowed. The DSR SDT
agrees, and Requirement R2, Parts 2.5 through 2.9 have been eliminated. They have been
replaced with Requirement R1, Part 1.4 to require updating the Impact Event Operating Plan
within 90 days of any change to content.
R1. Each Responsible Entity shall have an Impact Event Operating Plan that includes: [Violation Risk
Factor: Medium] [Time Horizon: Long-term Planning]:
1.1. An Operating Process for identifying Impact Events listed in Attachment 1.
1.2. An Operating Procedure for gathering information for Attachment 2 regarding observed Impact
Events listed in Attachment 1.
1.3. An Operating Process for communicating recognized Impact Events to the following:
1.3.1 Internal company personnel notification(s).
1.3.2. External organizations to notify to include but not limited to the Responsible Entities’
Reliability Coordinator, NERC, Responsible Entities’ Regional Entity, Law Enforcement,
and Governmental or Provincial Agencies.
1.4. Provision(s) for updating the Impact Event Operating Plan within 90 days of any change to its
content.
Other requirements reference the Operating Plan as appropriate. The requirements of EOP-004-2 fit precisely into the definition of Operating Plan:
Operating Plan: A document that identifies a group of activities that may be used to
achieve some goal. An Operating Plan may contain Operating Procedures and
Operating Processes. A company-specific system restoration plan that includes an
Operating Procedure for black-starting units, Operating Processes for communicating
restoration progress with other entities, etc., is an example of an Operating Plan.
Requirement R3: Requirement R3 (now R2 in the revised standard) has been re-written to
exclude the requirement to “assess the initial probable cause”. The only remaining
reference to “cause” is in the Impact Event Reporting Form (Attachment 2). Here, there is
no longer a requirement to assess the probable cause. The probable cause only needs to be
identified, and only if it is known at the time of the submittal of the report.
R2. Each Responsible Entity shall implement its Impact Event Operating Plan
documented in Requirement R1 for Impact Events listed in Attachment 1 (Parts
A and B).
Requirement R4: (Now R3 in the revised standard.) The DSR SDT did a full review based
on comments that were received. R3 is now streamlined to read:
R3. Each Responsible Entity shall conduct a test of its Operating Process for
communicating recognized Impact Events created pursuant to Requirement R1,
Part 1.3 at least annually, with no more than 15 months between such tests.
The testing of the Operating Process for communicating recognized Impact Events (as
stated in R1) is the main component of this requirement. Several commenters provided
input that too much “how” was previously within R3 and the DSR SDT should only provide
the “what”. The DSR SDT did not provide any prescriptive guidance on how to accomplish
the required testing within the rewrite. Testing of the entity’s procedure (R1) could be by
an actual exercise of the process (testing as stated in FERC Order 693 section 471), a
formal review process or real time implementation of the procedure. The DSR SDT
reviewed Order 693 and section 465 directs, with respect to processes, that entities “verify
that they achieve the desired result”. This is the basis of R3, above.
Requirement R5: Note R5 has been moved to R4 due to rearranging of requirements. The
DSR SDT did a full review based on comments that were received. The major issues that
were provided by commenters involved the inclusion of Requirement R5, Part 5.3 and Part
5.4.
5.3 If the Operating Plan is revised (with the exception of contact information revisions), training
shall be conducted within 30 days of the Operating Plan revisions.
5.4 For internal personnel added to the Operating Plan or those with revised responsibilities under
the Operating Plan, training shall be conducted prior to assuming the responsibilities in the
plan.
Upon detailed review the DSR SDT agrees with the majority of comments received
regarding Requirement R5, Parts 5.3 and 5.4 and has removed Parts 5.3 and 5.4 completely
from the Standard. Training is still the main theme of this requirement (now R4) as it
pertains to the personnel required to implement the Impact Event Operating Plan (R1). R4
is now streamlined to read:
R4. Each Responsible Entity shall review its Impact Event Operating Plan with those personnel
who have responsibilities identified in that plan at least annually with no more than 15 calendar
months between review sessions.
Requirement R6: Note R6 has been moved to R5 due to rearranging of requirements. The
DSR SDT did a full review based on comments that were received. Many comments
received identified concerns on the reporting timelines within Attachment 1. Several
commenters wanted the ability to report impact events to their responsible parties via the
DOE Form OE-417. Upon discussions with the DOE and NERC, the DSR SDT has added the
ability to use the DOE Form OE-417 when the same or similar items are required to be
reported to NERC and the DOE. This will reduce the need to file multiple forms when the
same or similar events must be reported to the DOE and NERC. The reliability intent of
reporting impact events within prescribed guidelines, to provide industry awareness and to
start any required analysis processes can be met without duplicate reporting. R5 is now
streamlined to read:
R5. Each Responsible Entity shall report Impact Events in accordance with its Impact Event
Operating Plan pursuant to Requirement R1 and Attachment 1 using the form in Attachment 2 or
the DOE OE-417 reporting form.
Requirements R7 and R8: The DSR SDT did a full review based on comments that were
received. The DSR SDT has determined that R7 and R8 are not required to be within a
NERC Standard since Section 800 of the Rules of Procedure already assigns this
responsibility to NERC.
Attachment 1: The DSR SDT did a full review based on comments that were received.
The DSR SDT, the Events Analysis Working Group (EAWG), NERC Staff (to include NERC
Senior VP and Chief Reliability Officer) had an open discussion involving this topic. The
EAWG and the DSR SDT aligned Attachment 1 with the Event Analysis Program category 1
analysis responsibilities. This will assure that impact events in EOP-004-2 reporting
requirements are the starting vehicle for any required Event Analysis within the NERC Event
Analysis Program. The DSR SDT reviewed the “hierarchy” of reporting within Attachment 1.
To reduce multiple entities reporting the same impact event, the DSR SDT has stated that
the entity that performs the action or is directly affected by an action will report per EOP-004-2. As an example, during a system emergency, the TOP or RC may request manual
load shedding by a DP or TOP. The DP or TOP would have the responsibility to report the
action that it took if it meets or exceeds the bright-line criteria established in Attachment 1.
Upon reporting, the NERC Event Analysis Program would be made aware of the impact
event and start the Event Analysis Process which is outside the scope of this Standard.
Several bright-line criteria were removed from Attachment 1. These criteria (DC converter
station, 5 generator outages, and frequency trigger limits) were removed after discussions
with the EAWG and NERC staff, who concurred that these items should be removed from a
reporting standard and analysis process.
Several respondents expressed concern that the reporting requirements were redundant.
The general sentiment was that unclear responsibility to report a disturbance could trigger a
flood of event reports. Attachment 1 has been modified to assign clear responsibility for
reporting, for each category of Impact Event.
Some commenters indicated a concern that the list of events in Attachment 1 isn’t as
comprehensive as the existing standard since the existing standard includes bomb threats
and observations of suspicious activities. Others commented that the impact event list
should include deliberate acts against infrastructure. The DSR SDT believes that
“observation of suspicious activity” and “bomb threats” are addressed in Attachment 1 Part
B – “Risk to BES equipment from a non-environmental physical threat”. The SDT has added
the phrase, “and report of suspicious device near BES equipment” to note 3 of the
“Attachment 1, Potential Reliability – Part B” for additional clarity.
Attachment 2: The proposed Impact Event Report (Attachment 2) generated comments
regarding the duplicative nature of the form when compared to the OE-417. The DSR SDT
has added language to the proposed form to clarify that NERC will accept a DOE OE-417
form in lieu of Attachment 2 if the responsible entity is required to submit an OE-417 form.
In collaboration with the NERC Event Analysis Working Group (EAWG) the DSR SDT
modified the attachment to eliminate confusion. This revised form will be Attachment 2 of
the Standard and collects the only information required to be reported for EOP-004-2.
Further information may be requested through the Events Analysis Process (NERC Rules of
Procedure), but the collection of this information is outside of the scope of EOP-004.
The DSR SDT has also clarified the form’s purpose with the following addition to the form:
“This form is to be used to report impact events to the ERO.”
Other Standard Issues:
The DSR SDT proposed that combining EOP-004 and CIP-001 would not introduce a
reliability gap between the existing standards and the proposed standard, and the industry
comments received confirm this.
Several entities expressed their concern with the fact that Attachment 1 contained most of
the elements already called for in the OE-417. The DSR SDT agrees, and Attachment 1 part
1 has been modified to even more closely mirror the Department of Energy’s OE-417
Emergency Incident and Disturbance Report form. Additionally, the standard has been
modified to allow for the use of the OE-417.
There was some concern expressed that there could be confusion between the reporting
requirements in this standard, and those found in CIP-008. The DSR SDT agrees, and
Attachment 1 Part B, has been modified to provide the process for reporting a Cyber
Security Incident.
The DSR SDT also believes NERC’s additional concern about what data is applicable is
addressed by the revisions to Attachment 1, and the inclusion of the OE-417 as an
acceptable interim vehicle.
Implementation Plan:
The DSR SDT asked stakeholders to provide feedback on the proposed effective date which
provided entities at least a year following board approval of the standard. Most
stakeholders supported the one year minimum; however, based on the revisions made to the
requirements, the drafting team is now proposing that this time period be shortened to
between six months and nine months. The current CIP-001 plan is adequate for the new
EOP-004 and training should be met in the proposed timeline. Note that the
Implementation Plan was developed for the revised Requirements, which do not include an
electronic “one-stop shopping” tool. The tool for “one stop shopping” will be addressed in
the proposed revisions to the NERC Rules of Procedure.
You do not have to answer all questions. Enter All Comments in Simple
Text Format.
Insert a “check” mark in the appropriate boxes by double-clicking the gray areas.
1. Do you agree with the revised Purpose Statement of EOP-004-2, Impact Event
Reporting? If not, please explain why not and if possible, provide an alternative that
would be acceptable to you.
Yes
No
Comments:
2. Do you agree with the proposed definition of Impact Event? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
3. Do you agree that the DSR SDT has provided an equally efficient and effective solution
to the FERC Order 693 directive to “further define sabotage”? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
4. Do you agree with the proposed applicability of EOP-004-2 shown in Section 4 and
Attachment 1 of the standard? If not, please explain why not and if possible, provide an
alternative that would be acceptable to you.
Yes
No
Comments:
5. Stakeholders suggested removing original Requirements 1, 7 and 8 from the standard
and addressing the reliability concepts in the NERC Rules of Procedure. Do you agree
with the removal of original requirements 1, 7 and 8 (which were assigned to the ERO)
and the proposed language for the Rules of Procedure (Paragraph 812)? If not, please
explain why not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
6. Do you agree with the proposed revisions to Requirement 2 (now R1) including the use
of defined terms Operating Plan, Operating Process and Operating Procedure? If not,
please explain why not and if possible, provide an alternative that would be acceptable
to you.
Yes
No
Comments:
7. Do you agree with the proposed revisions to Requirement 3 (now R2)? If not, please
explain why not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
8. Do you agree with the proposed revisions to Requirement 4 (now R3)? If not, please
explain why not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
9. Do you agree with the proposed revisions to Requirement 5 (now R4)? If not, please
explain why not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
10. Do you agree with the proposed revisions to Requirement 6 (now R5) and the use of
either Attachment 2 or the DOE-OE-417 form for reporting? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
11. Do you agree with the proposed revisions to Attachment 1? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
12. Do you agree with the proposed measures for Requirements 1-5? If not, please explain
why not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
13. Do you agree with the proposed Violation Risk Factors for Requirements 1-5? If not,
please explain why not and if possible, provide an alternative that would be acceptable
to you.
Yes
No
Comments:
14. Do you agree with the proposed Violation Severity Levels for Requirements 1-5? If not,
please explain why not and if possible, provide an alternative that would be acceptable
to you.
Yes
No
Comments:
15. Do you agree with the proposed Time Horizons for Requirements 1-5? If not, please
explain why not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
16. Do you agree with the proposed Implementation Plan for EOP-004-2? If not, please
explain why not and if possible, provide an alternative that would be acceptable to you.
Yes
No
Comments:
17. If you have any other comments you have not already provided in response to the
questions above, please provide them here.
Comments:
Project 2009-01 Disturbance and Sabotage Reporting
Implementation Plan
Implementation Plan for EOP-004-2 - Impact Event Assessment, Analysis, and Reporting
Prerequisite Approvals
None
Revisions to Approved Standards and Definitions
Retire all requirements of EOP-004-1 and CIP-001-1.
Compliance with the Standard
The following entities are responsible for being compliant with all requirements of EOP-004-2:
• Reliability Coordinator
• Balancing Authority
• Load-serving Entity
• Interchange Authority
• Transmission Service Provider
• Transmission Owner
• Transmission Operator
• Generator Owner
• Generator Operator
• Distribution Provider
Effective Date
The standard shall become effective on the first calendar day of the third calendar quarter after the
date of the order providing applicable regulatory approval. In those jurisdictions where no
regulatory approval is required, the standard shall become effective on the first calendar day of the
third calendar quarter after Board of Trustees adoption.
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
Standard CIP-001-1 — Sabotage Reporting
A. Introduction
1. Title: Sabotage Reporting
2. Number: CIP-001-1
3. Purpose: Disturbances or unusual occurrences, suspected or determined to be
caused by sabotage, shall be reported to the appropriate systems, governmental
agencies, and regulatory bodies.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
5. Effective Date: January 1, 2007
B. Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the recognition of and for
making their operating personnel aware of sabotage events on its facilities and
multi-site sabotage affecting larger portions of the Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of
information concerning sabotage events to appropriate parties in the Interconnection.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall provide its operating personnel with sabotage
response guidelines, including personnel to contact, for reporting disturbances due to
sabotage events.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall establish communications contacts, as
applicable, with local Federal Bureau of Investigation (FBI) or Royal Canadian
Mounted Police (RCMP) officials and develop reporting procedures as appropriate to
their circumstances.
C. Measures
M1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request a procedure
(either electronic or hard copy) as defined in Requirement 1.
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request the procedures
or guidelines that will be used to confirm that it meets Requirements 2 and 3.
Adopted by Board of Trustees: November 1, 2006
Effective Date: January 1, 2007
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request evidence that
could include, but is not limited to procedures, policies, a letter of understanding,
communication records, or other equivalent evidence that will be used to confirm that it
has established communications contacts with the applicable, local FBI or RCMP
officials to communicate sabotage events (Requirement 4).
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Regional Reliability Organizations shall be responsible for compliance
monitoring.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to verify compliance:
- Self-certification (Conducted annually with submission according to
schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to
prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made
within 60 days of an event or complaint of noncompliance. The entity will
have up to 30 days to prepare for the investigation. An entity may request an
extension of the preparation period and the extension will be considered by
the Compliance Monitor on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Reliability Coordinator, Transmission Operator, Generator Operator,
Distribution Provider, and Load Serving Entity shall have current, in-force
documents available as evidence of compliance as specified in each of the
Measures.
If an entity is found non-compliant the entity shall keep information related to the
non-compliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance:
2.1. Level 1: There shall be a separate Level 1 non-compliance, for every one of the
following requirements that is in violation:
2.1.1 Does not have procedures for the recognition of and for making its
operating personnel aware of sabotage events (R1).
2.1.2 Does not have procedures or guidelines for the communication of
information concerning sabotage events to appropriate parties in the
Interconnection (R2).
2.1.3 Has not established communications contacts, as specified in R4.
2.2. Level 2: Not applicable.
2.3. Level 3: Has not provided its operating personnel with sabotage response
procedures or guidelines (R3).
2.4. Level 4: Not applicable.
E. Regional Differences
None indicated.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Amended
Standard EOP-004-1 — Disturbance Reporting
A. Introduction
1. Title: Disturbance Reporting
2. Number: EOP-004-1
3. Purpose: Disturbances or unusual occurrences that jeopardize the operation of the
Bulk Electric System, or result in system equipment damage or customer interruptions,
need to be studied and understood to minimize the likelihood of similar events in the
future.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Regional Reliability Organizations.
5. Effective Date: January 1, 2007
B. Requirements
R1. Each Regional Reliability Organization shall establish and maintain a Regional
reporting procedure to facilitate preparation of preliminary and final disturbance
reports.
R2. A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity shall promptly analyze Bulk Electric System
disturbances on its system or facilities.
R3. A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity experiencing a reportable incident shall provide a
preliminary written report to its Regional Reliability Organization and NERC.
R3.1. The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator or Load Serving Entity shall submit within 24
hours of the disturbance or unusual occurrence either a copy of the report
submitted to DOE, or, if no DOE report is required, a copy of the NERC
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report form. Events that are not identified until some time after they occur
shall be reported within 24 hours of being recognized.
R3.2. Applicable reporting forms are provided in Attachments 1-EOP-004 and 2-EOP-004.
R3.3. Under certain adverse conditions, e.g., severe weather, it may not be possible
to assess the damage caused by a disturbance and issue a written
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report within 24 hours. In such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator, Generator Operator, or Load
Serving Entity shall promptly notify its Regional Reliability Organization(s)
and NERC, and verbally provide as much information as is available at that
time. The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load Serving Entity shall then provide
timely, periodic verbal updates until adequate information is available to issue
a written Preliminary Disturbance Report.
R3.4. If, in the judgment of the Regional Reliability Organization, after consultation
with the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, or Load Serving Entity in which a disturbance occurred, a
final report is required, the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
shall prepare this report within 60 days. As a minimum, the final report shall
have a discussion of the events and its cause, the conclusions reached, and
recommendations to prevent recurrence of this type of event. The report shall
be subject to Regional Reliability Organization approval.
R4. When a Bulk Electric System disturbance occurs, the Regional Reliability Organization
shall make its representatives on the NERC Operating Committee and Disturbance
Analysis Working Group available to the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
immediately affected by the disturbance for the purpose of providing any needed
assistance in the investigation and to assist in the preparation of a final report.
R5. The Regional Reliability Organization shall track and review the status of all final
report recommendations at least twice each year to ensure they are being acted upon in
a timely manner. If any recommendation has not been acted on within two years, or if
Regional Reliability Organization tracking and review indicates at any time that any
recommendation is not being acted on with sufficient diligence, the Regional
Reliability Organization shall notify the NERC Planning Committee and Operating
Committee of the status of the recommendation(s) and the steps the Regional
Reliability Organization has taken to accelerate implementation.
C. Measures
M1. The Regional Reliability Organization shall have and provide upon request as
evidence, its current regional reporting procedure that is used to facilitate preparation
of preliminary and final disturbance reports. (Requirement 1)
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity that has a reportable incident shall have and provide
upon request evidence that could include, but is not limited to, the preliminary report,
computer printouts, operator logs, or other equivalent evidence that will be used to
confirm that it prepared and delivered the NERC Interconnection Reliability Operating
Limit and Preliminary Disturbance Reports to NERC within 24 hours of its recognition
as specified in Requirement 3.1.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and/or Load Serving Entity that has a reportable incident shall have and
provide upon request evidence that could include, but is not limited to, operator logs,
voice recordings or transcripts of voice recordings, electronic communications, or other
equivalent evidence that will be used to confirm that it provided information verbally
as time permitted, when system conditions precluded the preparation of a report in 24
hours. (Requirement 3.3)
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
NERC shall be responsible for compliance monitoring of the Regional Reliability
Organizations.
Regional Reliability Organizations shall be responsible for compliance monitoring
of Reliability Coordinators, Balancing Authorities, Transmission Operators,
Generator Operators, and Load-serving Entities.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to assess compliance:
- Self-certification (Conducted annually with submission according to
schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to
prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made
within 60 days of an event or complaint of noncompliance. The entity will
have up to 30 days to prepare for the investigation. An entity may request an
extension of the preparation period and the extension will be considered by
the Compliance Monitor on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Regional Reliability Organization shall have its current, in-force, regional
reporting procedure as evidence of compliance. (Measure 1)
Each Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, and/or Load Serving Entity that is either involved in a Bulk
Electric System disturbance or has a reportable incident shall keep data related to
the incident for a year from the event or for the duration of any regional
investigation, whichever is longer. (Measures 2 through 4)
If an entity is found non-compliant the entity shall keep information related to the
noncompliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
1.4. Additional Compliance Information
See Attachments:
- EOP-004 Disturbance Reporting Form
- Table 1 EOP-004
2. Levels of Non-Compliance for a Regional Reliability Organization
2.1. Level 1: Not applicable.
2.2. Level 2: Not applicable.
2.3. Level 3: Not applicable.
2.4. Level 4: No current procedure to facilitate preparation of preliminary and final
disturbance reports as specified in R1.
3. Levels of Non-Compliance for a Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator, and Load-Serving Entity:
3.1. Level 1: There shall be a level one non-compliance if any of the following
conditions exist:
3.1.1 Failed to prepare and deliver the NERC Interconnection Reliability
Operating Limit and Preliminary Disturbance Reports to NERC within 24
hours of its recognition as specified in Requirement 3.1
3.1.2
Failed to provide disturbance information verbally as time permitted,
when system conditions precluded the preparation of a report in 24 hours
as specified in R3.3
3.1.3
Failed to prepare a final report within 60 days as specified in R3.4
3.2. Level 2: Not applicable.
3.3. Level 3: Not applicable
3.4. Level 4: Not applicable.
E. Regional Differences
None identified.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | May 23, 2005 | Fixed reference to attachments 1-EOP004-0 and 2-EOP-004-0, Changed chart title 1-FAC-004-0 to 1-EOP-004-0, Fixed title of Table 1 to read 1-EOP004-0, and fixed font. | Errata
0 | July 6, 2005 | Fixed email in Attachment 1-EOP-004-0 from info@nerc.com to esisac@nerc.com. | Errata
0 | July 26, 2005 | Fixed Header on page 8 to read EOP004-0 | Errata
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Revised
Attachment 1-EOP-004
NERC Disturbance Report Form
Introduction
These disturbance reporting requirements apply to all Reliability Coordinators, Balancing
Authorities, Transmission Operators, Generator Operators, and Load Serving Entities, and
provide a common basis for all NERC disturbance reporting. The entity on whose system a
reportable disturbance occurs shall notify NERC and its Regional Reliability Organization of the
disturbance using the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report forms. Reports can be sent to NERC via email (esisac@nerc.com) or by
facsimile (609-452-9550) using the NERC Interconnection Reliability Operating Limit and
Preliminary Disturbance Report forms. If a disturbance is to be reported to the U.S. Department
of Energy also, the responding entity may use the DOE reporting form when reporting to NERC.
Note: All Emergency Incident and Disturbance Reports (Schedules 1 and 2) sent to DOE shall be
simultaneously sent to NERC, preferably electronically at esisac@nerc.com.
The NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Reports are
to be made for any of the following events:
1. The loss of a bulk power transmission component that significantly affects the integrity of
interconnected system operations. Generally, a disturbance report will be required if the
event results in actions such as:
a. Modification of operating procedures.
b. Modification of equipment (e.g. control systems or special protection systems) to
prevent reoccurrence of the event.
c. Identification of valuable lessons learned.
d. Identification of non-compliance with NERC standards or policies.
e. Identification of a disturbance that is beyond recognized criteria, i.e. three-phase fault
with breaker failure, etc.
f. Frequency or voltage going below the under-frequency or under-voltage load shed
points.
2. The occurrence of an interconnected system separation or system islanding or both.
3. Loss of generation by a Generator Operator, Balancing Authority, or Load-Serving Entity
2,000 MW or more in the Eastern Interconnection or Western Interconnection and 1,000
MW or more in the ERCOT Interconnection.
4. Equipment failures/system operational actions which result in the loss of firm system
demands for more than 15 minutes, as described below:
a. Entities with a previous year recorded peak demand of more than 3,000 MW are
required to report all such losses of firm demands totaling more than 300 MW.
b. All other entities are required to report all such losses of firm demands totaling more
than 200 MW or 50% of the total customers being supplied immediately prior to the
incident, whichever is less.
5. Firm load shedding of 100 MW or more to maintain the continuity of the bulk electric
system.
6. Any action taken by a Generator Operator, Transmission Operator, Balancing Authority, or
Load-Serving Entity that results in:
a. Sustained voltage excursions equal to or greater than ±10%, or
b. Major damage to power system components, or
c. Failure, degradation, or misoperation of system protection, special protection schemes,
remedial action schemes, or other operating systems that do not require operator
intervention, which did result in, or could have resulted in, a system disturbance as
defined by steps 1 through 5 above.
7. An Interconnection Reliability Operating Limit (IROL) violation as required in reliability
standard TOP-007.
8. Any event that the Operating Committee requests to be submitted to Disturbance Analysis
Working Group (DAWG) for review because of the nature of the disturbance and the
insight and lessons the electricity supply and delivery industry could learn.
NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Report
Check here if this is an Interconnection Reliability Operating Limit (IROL) violation report.
1. Organization filing report.
2. Name of person filing report.
3. Telephone number.
4. Date and time of disturbance.
   Date (mm/dd/yy):
   Time/Zone:
5. Did the disturbance originate in your system? Yes / No
6. Describe disturbance including: cause, equipment damage, critical services
interrupted, system separation, key scheduled and actual flows prior to
disturbance and in the case of a disturbance involving a special
protection or remedial action scheme, what action is being taken to prevent
recurrence.
7. Generation tripped.
   MW Total:
   List generation tripped:
8. Frequency.
   Just prior to disturbance (Hz):
   Immediately after disturbance (Hz max.):
   Immediately after disturbance (Hz min.):
9. List transmission lines tripped (specify voltage level of each line).
10. (Each entry is given for FIRM and for INTERRUPTIBLE.)
   Demand tripped (MW):
   Number of affected Customers:
   Demand lost (MW-Minutes):
11. Restoration time. (Each entry is given as INITIAL and FINAL.)
   Transmission:
   Generation:
   Demand:
Attachment 2-EOP-004
U.S. Department of Energy Disturbance Reporting Requirements
Introduction
The U.S. Department of Energy (DOE), under its relevant authorities, has established mandatory
reporting requirements for electric emergency incidents and disturbances in the United States.
DOE collects this information from the electric power industry on Form EIA-417 to meet its
overall national security and Federal Energy Management Agency’s Federal Response Plan
(FRP) responsibilities. DOE will use the data from this form to obtain current information
regarding emergency situations on U.S. electric energy supply systems. DOE’s Energy
Information Administration (EIA) will use the data for reporting on electric power emergency
incidents and disturbances in monthly EIA reports. In addition, the data may be used to develop
legislative recommendations, reports to the Congress and as a basis for DOE investigations
following severe, prolonged, or repeated electric power reliability problems.
Every Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator
or Load Serving Entity must use this form to submit mandatory reports of electric power system
incidents or disturbances to the DOE Operations Center, which operates on a 24-hour basis,
seven days a week. All other entities operating electric systems have filing responsibilities to
provide information to the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator or Load Serving Entity when necessary for their reporting obligations and to
file form EIA-417 in cases where these entities will not be involved. EIA requests that it be
notified of those that plan to file jointly and of those electric entities that want to file separately.
Special reporting provisions exist for those electric utilities located within the United States, but
for whom Reliability Coordinator oversight responsibilities are handled by electrical systems
located across an international border. A foreign utility handling U.S. Balancing Authority
responsibilities may wish to file this information voluntarily to the DOE. Any U.S.-based utility
in this international situation needs to inform DOE that these filings will come from a
foreign-based electric system or file the required reports themselves.
Form EIA-417 must be submitted to the DOE Operations Center if any one of the following
applies (see Table 1-EOP-004-0 — Summary of NERC and DOE Reporting Requirements for
Major Electric System Emergencies):
1. Uncontrolled loss of 300 MW or more of firm system load for more than 15 minutes from a
single incident.
2. Load shedding of 100 MW or more implemented under emergency operational policy.
3. System-wide voltage reductions of 3 percent or more.
4. Public appeal to reduce the use of electricity for purposes of maintaining the continuity of the
electric power system.
5. Actual or suspected physical attacks that could impact electric power system adequacy or
reliability; or vandalism, which target components of any security system. Actual or
suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
6. Actual or suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
7. Fuel supply emergencies that could impact electric power system adequacy or reliability.
8. Loss of electric service to more than 50,000 customers for one hour or more.
9. Complete operational failure or shut-down of the transmission and/or distribution electrical
system.
The initial DOE Emergency Incident and Disturbance Report (form EIA-417 – Schedule 1) shall
be submitted to the DOE Operations Center within 60 minutes of the time of the system
disruption. Complete information may not be available at the time of the disruption. However,
provide as much information as is known or suspected at the time of the initial filing. If the
incident is having a critical impact on operations, a telephone notification to the DOE Operations
Center (202-586-8100) is acceptable, pending submission of the completed form EIA-417.
Electronic submission via an on-line web-based form is the preferred method of notification.
However, electronic submission by facsimile or email is acceptable.
An updated form EIA-417 (Schedule 1 and 2) is due within 48 hours of the event to provide
complete disruption information. Electronic submission via facsimile or email is the preferred
method of notification. Detailed DOE Incident and Disturbance reporting requirements can be
found at: http://www.eia.doe.gov/cneaf/electricity/page/form_417.html.
Table 1-EOP-004-0
Summary of NERC and DOE Reporting Requirements for Major Electric System Emergencies
Incident No. | Incident | Threshold | Report Required | Time
1 | Uncontrolled loss of Firm System Load | ≥ 300 MW – 15 minutes or more | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
2 | Load Shedding | ≥ 100 MW under emergency operational policy | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
3 | Voltage Reductions | 3% or more – applied system-wide | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
4 | Public Appeals | Emergency conditions to reduce demand | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
5 | Physical sabotage, terrorism or vandalism | On physical security systems – suspected or real | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
6 | Cyber sabotage, terrorism or vandalism | If the attempt is believed to have or did happen | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
7 | Fuel supply emergencies | Fuel inventory or hydro storage levels ≤ 50% of normal | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
8 | Loss of electric service | ≥ 50,000 for 1 hour or more | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
9 | Complete operation failure of electrical system | If isolated or interconnected electrical systems suffer total electrical system collapse | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
All DOE EIA-417 Schedule 1 reports are to be filed within 60-minutes after the start of an
incident or disturbance.
All DOE EIA-417 Schedule 2 reports are to be filed within 48-hours after the start of an
incident or disturbance.
All entities required to file a DOE EIA-417 report (Schedule 1 & 2) shall send a copy of these
reports to NERC simultaneously, but no later than 24 hours after the start of the incident or
disturbance.
Incident No. | Incident | Threshold | Report Required | Time
1 | Loss of major system component | Significantly affects integrity of interconnected system operations | NERC Prelim / Final report | 24 hour / 60 day
2 | Interconnected system separation or system islanding | Total system shutdown; Partial shutdown, separation, or islanding | NERC Prelim / Final report | 24 hour / 60 day
3 | Loss of generation | ≥ 2,000 – Eastern Interconnection; ≥ 2,000 – Western Interconnection; ≥ 1,000 – ERCOT Interconnection | NERC Prelim / Final report | 24 hour / 60 day
4 | Loss of firm load ≥15-minutes | Entities with peak demand ≥3,000: loss ≥300 MW; All others ≥200MW or 50% of total demand | NERC Prelim / Final report | 24 hour / 60 day
5 | Firm load shedding | ≥100 MW to maintain continuity of bulk system | NERC Prelim / Final report | 24 hour / 60 day
6 | System operation or operation actions resulting in: | Voltage excursions ≥10%; Major damage to system components; Failure, degradation, or misoperation of SPS | NERC Prelim / Final report | 24 hour / 60 day
7 | IROL violation | Reliability standard TOP-007. | NERC Prelim / Final report | 72 hour / 60 day
8 | As requested by ORS Chairman | Due to nature of disturbance & usefulness to industry (lessons learned) | NERC Prelim / Final report | 24 hour / 60 day
All NERC Operating Security Limit and Preliminary Disturbance reports will be filed within 24
hours after the start of the incident. If an entity must file a DOE EIA-417 report on an incident,
which requires a NERC Preliminary report, the Entity may use the DOE EIA-417 form for both
DOE and NERC reports.
Any entity reporting a DOE or NERC incident or disturbance has the responsibility to also
notify its Regional Reliability Organization.
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Formal Comment Period Open March 9 – April 8, 2011
Now available at: http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Formal 30-day Comment Period Open through 8 p.m. on April 8, 2011
The Disturbance and Sabotage Reporting SDT has posted a revised draft of EOP-004-2 — Impact Event
Reporting, along with the associated implementation plan and a redline of EOP-004-2 showing changes made
since an informal comment period for this project concluded in October 2010. These documents are posted for
a 30-day formal comment period.
The drafting team proposes to retire CIP-001-1 and incorporate its requirements into EOP-004-2. As a result,
the changes to EOP-004 are so extensive that a redline showing changes against the last approved version
would be impractical. For reference, the last approved versions of EOP-004 and CIP-001 have been posted.
Instructions
Please use this electronic form to submit comments. If you experience any difficulties in using the electronic
form, please contact Monica Benson at monica.benson@nerc.net. An off-line, unofficial copy of the comment
form is posted on the project page: http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
Next Steps
The drafting team will consider all comments and determine whether to make additional changes to the
standard. The team will post its response to comments and, if changes are made to the standard and supporting
documents, submit the revised documents for quality review prior to ballot.
Project Background
Stakeholders have indicated that identifying potential acts of “sabotage” is difficult to do in real time, and
additional clarity is needed to identify thresholds for reporting potential acts of sabotage in CIP-001-1.
Stakeholders have also reported that EOP-004-1 has some requirements that reference out-of-date Department
of Energy forms, making the requirements ambiguous. EOP-004-1 also has some ‘fill-in-the-blank’
components to eliminate.
The project will include addressing previously identified stakeholder concerns and FERC directives; will bring
the standards into conformance with the latest approved version of the ERO Rules of Procedure; and may
include other improvements to the standards deemed appropriate by the drafting team, with the consensus of
stakeholders, consistent with establishing high quality, enforceable and technically sufficient bulk power system
reliability standards.
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development process. The
success of the NERC standards development process depends on stakeholder participation. We extend our
thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 404-446-2560.
North American Electric Reliability Corporation
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
Individual or group. (60 Responses)
Name (39 Responses)
Organization (39 Responses)
Registered Ballot body segment (check all industry segments in which your company is
registered) (39 Responses)
Group Name (21 Responses)
Lead Contact (21 Responses)
Question 1 (56 Responses)
Question 1 Comments (60 Responses)
Question 2 (57 Responses)
Question 2 Comments (60 Responses)
Question 3 (55 Responses)
Question 3 Comments (60 Responses)
Question 4 (53 Responses)
Question 4 Comments (60 Responses)
Question 5 (53 Responses)
Question 5 Comments (60 Responses)
Question 6 (55 Responses)
Question 6 Comments (60 Responses)
Question 7 (54 Responses)
Question 7 Comments (60 Responses)
Question 8 (54 Responses)
Question 8 Comments (60 Responses)
Question 9 (53 Responses)
Question 9 Comments (60 Responses)
Question 10 (55 Responses)
Question 10 Comments (60 Responses)
Question 11 (57 Responses)
Question 11 Comments (60 Responses)
Question 12 (54 Responses)
Question 12 Comments (60 Responses)
Question 13 (45 Responses)
Question 13 Comments (60 Responses)
Question 14 (41 Responses)
Question 14 Comments (60 Responses)
Question 15 (42 Responses)
Question 15 Comments (60 Responses)
Question 16 (48 Responses)
Question 16 Comments (60 Responses)
Question 17 (0 Responses)
Question 17 Comments (60 Responses)
Group
Progress Energy
Jim Eckelkamp
No
Progress Energy appreciates the Standard Drafting Team’s work on this project. “Any potential impact” is too vague
and impossible to measure. Progress is unsure of how the ERO or Regional Entity measure impact. Potential is very
subjective.
Yes
Yes
Yes
Yes
Yes
Do all individuals who are assigned roles and responsibilities in the Impact Event Operating Plan have to be involved
with the test each time? Since there are multiple different types of Impact Events, it seems likely that only a subset of
those Impact Events would be tested during an annual test, and therefore only a subset of individuals with
responsibilities in the Impact Event Operating Plan would participate. For example, one test may exercise the
Operating Process for properly reporting damage to a power plant that is a Critical Asset, and personnel from the
Distribution Provider would not be involved in that test. Would such a scenario meet the requirement for the annual
test? If so, it seems that some aspects of the Plan may never actually be required to be tested. This is ok, since R4
requires an annual review with personnel with responsibilities in the Impact Event Operating Plan. It must be made
clear what is required in the annual test.
Yes
No
Progress Energy appreciates the effort of the Standard Drafting Team, but we do have some issues with the content of
Attachment 1. The loss of three Transmission Elements can occur with a single transmission line outage. Progress is
concerned that the possible frequency of this type of reporting could be an extreme burden. Under the column “Entity
with Reporting Responsibility,” why do all related entities have to report the same event? (i.e. do the RC and the TOP
in the RC footprint both have to report an event, or is it either/or? The word ‘Each’ implies separate reports. What is the
Reliability-based need for both an RC and the BA/TOP/GO within the footprint to file the same report for the same
event?) For vertically integrated companies it should be clear that only one report is required per Impact Event that will
cover the reporting requirements for all registered entities within that company. The “damage or destruction of BES
equipment” footnote contains the language “Significantly affects the reliability margin….” The word significantly should
not be used in a Standard because it is subjective. Reliability margin is also undefined. System Operators must be
trained on how to comply with the Standard, and thus objective criteria must be developed for reporting. “1 hour after
occurrence” places a burden on System Operators for reporting when response to and information gathering dealing
with the Impact Event may still be occurring. There is a note that states that the timing guidelines may not be met
“under certain conditions…” but then requires a call to both its Regional Entity and notification to NERC. The focus
should be on the event response and this type of reporting should occur “within an hour or as soon as practical.” It is
unclear what the voltage deviations of +-10% are based on (i.e. is that +-10% of nominal voltage? This may require new
alarm set-points to be placed in service in Energy Management Systems in order for entities to be able to prove in an audit
that they reported all occurrences of voltage exceeding the 10% limit for 15 minutes or more. It has been stated by
Regional Entity audit and enforcement personnel that attestations cannot be used to “prove the positive.”) The word
“potential” should be removed from Attachment 1 and from the definition of Impact Event. An event is either an Impact
Event or not. If an entity has to evacuate its control center facility temporarily for a small fire, or any other such minor
occurrence, then it activates its EOP-008 compliant backup control center, and there is no impact to reliability, then why
does there need to be a report generated? The “Forced Intrusion” category is problematic. The footnote 3 states:
“Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not
reportable unless it effects (sic) the reliability of the BES).” “Reasonably determine likely motivation” makes this
subjective. If someone breaks into a BES substation fence to steal copper, is interrupted and leaves, then entity
personnel determine someone tried to break into the substation, but cannot determine why, then this table requires a
report to be filed within an hour. It is unclear what the purpose of such a report would be. Progress agrees that multiple
reports in a short time across multiple entities may indicate a larger issue.
No
M3 states that “In the absence of an actual Impact Event, the Responsible Entity shall provide evidence that it
conducted a mock Impact Event…” Does this mean that, if an entity experiences an Impact Event that is reportable,
then the entity does not have to perform its annual test? If so, this should be made clear in the Requirement.
No
No
Progress disagrees with the High and Severe VSLs listed for R5. If an entity experiences an Impact Event and fails to
submit a report within an hour as required, it may be that there are multiple mitigating circumstances. It is not
reasonable to require reporting within an hour since identifying a reportable event often takes longer than this time
period.
Progress thanks the Standard Drafting Team for their efforts on this project. The BES definition is still being revised
under “Project 2010-17: Proposed Definition of Bulk Electric System.” “BES equipment” is mentioned several times in
this Standard. A better definition of BES is important to the effectiveness of this Standard and integral to entities’ ability
to comply with the Standard requirements. In Attachment 2, on the Impact Event Reporting form, item 10 is “Demand
Tripped” and the categories include “FIRM” and “INTERRUPTIBLE.” It is unclear why interruptible load is included on
the reporting form.
Individual
John Bee
Exelon
1 - Transmission Owners, 5 - Electric Generators
No
Although Exelon agrees that the proposed revision to the purpose statement of EOP-004-2 is better than the original
draft; the DSR SDT should consider aligning the definition with the existing OE-417 terms. "Impact Events" are not
clearly defined as reportable criteria in the DOE forms and may create confusion. Suggest rewording the purpose
statement to simply "Incident Reporting" to align with existing terminology in OE-417 and removing the addition of a
new term. A Purpose Statement is defined as “The reliability outcome achieved through compliance with the
requirements of the standard.” Propose that the purpose should be, “ To require a review, assessment and report of
events that could have an adverse material impact on the Bulk Electric System”.
No
The definition of impact events should be reworded to align with OE-417 and to explicitly reference that only events
identified in EOP-004 – Attachment 1 are to be reported. Suggest the following: "An incident that has either impacted or
has the potential to impact the reliability of the Bulk Electric System. Such events may be caused by equipment failure
or mis-operation, environmental conditions, or human action as defined in EOP-004 Attachment 1." Propose the
definition be changed to include “material” impact and read as follows; “Any event which has either caused or has the
potential to cause an adverse material impact to the reliability of the Bulk Electric System. Such events may be caused
by equipment failure or mis-operation, environmental conditions, or human action”
Yes
Exelon agrees with the DSR SDT in that the currently proposed solution effectively addresses the intent of FERC Order
693 directive to both clarify the triggering event for an entity to take action and by deleting all references to "sabotage"
in effect removes the very term that had no clear definition.
No
Remove LSE. As has been determined in previous filings, FERC has ruled that asset owning DP’s must be registered
as LSE’s. The standard as proposed is applicable to DP’s. This addresses any concern with a “reliability gap” for
reporting events that could have an adverse material impact to the BES. See FERC Docket RC-07-4-003, -6-003, -7-003 paragraphs 24 and 25. “The Commission approves … revisions to the Registry Criteria to have registered
distribution providers also register as the LSE for all load directly connected to their distribution facilities… The
registration of the distribution provider as the LSE for all load directly connected to its distribution facilities is for the
purpose of compliance with the Reliability Standards. As NERC explains, distribution providers have both the
infrastructure and access to information to enable them to comply with the Reliability Standards that apply to LSEs…
The Commission finds that, based on these facts, NERC acted reasonably in determining that the distribution provider
is the most appropriate entity to register as the LSE for the load directly connected to its distribution facilities.”
Attachment 1, Part A – Energy Emergency requiring Public appeal for load reduction – In the current draft Standard,
the applicability has been revised from an RC and BA to "initiating entity". As a GO/GOP, I cannot see any event where
a GO/GOP would be the responsible "initiating entity" or have the ability to determine an "Energy Emergency". Suggest
revising back to specific entities that would be likely responsible for this action (e.g., RC, BA, TOP). Attachment 1, Part
A – Energy Emergency requiring system-wide voltage reduction – In the current draft Standard, the applicability has
been revised from an RC, TO, TOP, and DP to "initiating entity". As a GO/GOP, I cannot see any event where a
GO/GOP would be the responsible "initiating entity" or have the ability to determine an "Energy Emergency" related to
system-wide voltage reduction. Suggest revising back to specific entities that would be likely responsible for this action.
Attachment 1, Part A – Voltage Deviations on BES facilities - A GOP may not be able to make the determination of a
+/- 10% voltage deviation for ≥ 15 continuous minutes, this should be a TOP RC function only. Attachment 1, Part A –
Loss of off-site power (grid supply) affecting a nuclear generating station – this event applicability should be removed in
its entirety for a Nuclear Plant Generator Operator. The impact of loss of off-site power on a nuclear generation unit is
dependent on the specific plant design, if it is a partial loss of off-site power (per the plant specific NPIRs) and may not
result in a loss of generation (i.e., unit trip). If a loss of off-site power were to result in a unit trip, an Emergency
Notification System (ENS) would be required to the Nuclear Regulatory Commission (NRC). Depending on the unit
design, the notification to the NRC may be 1 hour, 8 hours or none at all. Consideration should be given to coordinating
such reporting with existing required notifications to the NRC as to not duplicate effort or add unnecessary burden on
the part of a Nuclear Plant Generator Operator during a potential transient on the unit. In addition, if the loss of off-site
power were to result in a unit trip, if the impact to the BES were ≥2,000 MW, then required notifications would be made
in accordance with the threshold for reporting for Attachment 1, Part A – Generation Loss. However, to align with the
importance of ensuring nuclear plant safe operation and shutdown as implemented in NERC Standard NUC-001, if a
transmission entity experiences an event that causes an unplanned loss of off-site power (source) as defined in the
applicable Nuclear Plant Interface Requirements, then the responsible transmission entity should report the event
within 24 hours after occurrence. In addition, replace the words "grid supply" to "source" to ensure that notification
occurs on an unplanned loss of one or multiple sources to a nuclear power plant. Suggest rewording as follows
(including replacing the words "grid supply" to "source" and adding in the word "unplanned" to eliminate unnecessary
reporting of planned maintenance activities in the table below): Event Entity with Reporting Responsibility Threshold for
Reporting Time to Submit Report Unplanned loss of off-site power to a Nuclear generating plant (source) as defined in
the applicable Nuclear Plant Interface Requirements (NPIRs) Each transmission entity responsible for providing
services related to NPIRs (e.g., RC, BA, TO, TOP, TO, GO, GOP) that experiences the event causing an unplanned
loss of off-site power (source) Unplanned loss of off-site power (source) to a Nuclear Power Plant as defined in the
applicable NPIRs. Within 24 hours after occurrence
Yes
No
• R.1 Does an entity need to develop a stand alone Operating Plan if there is an existing process to address
identification, assessing and reporting certain events? Suggest rewording to state "Each Responsible Entity shall have
an Impact Event Operating Plan or equivalent implementing process that includes:" Disagree these new terms are
required. Commonly accepted descriptions of programs, processes and procedures exist in registrar entities that would
suffice. For example, R1 could use “Impact Event evaluation and reporting process” as a generic term to describe what
is required. This would allow an entity to utilize any existing protocols or management guidelines and naming
conventions in effect in their organization.
No
Agree that each Responsible Entity shall implement the [Impact] Events listed in Attachment 1 (Parts A and B);
however, disagree with certain events, reporting responsibilities, threshold for reporting and time to submit reports as
currently outlined in Attachment 1 (Parts A and B). Also suggest that R.2 be reworded to state for applicable [Impact]
Events listed in Attachment 1 (Parts A and B). This requirement should only be applied to those events applicable to
the registered entity. R2 is redundant to R1. No entity could claim to have met R1 if their plan / process was not
operational and approved in the manner consistent with any other approved program, process, guideline etc. within
their company.
No
• Each entity should be able to determine if they need a drill for a particular event. Is this document implying that the
annual drill covering all applicable [Impact] Events?
• A provision should be added to be able to take credit for an existing drill/exercise that could incorporate the required
communications to meet the intent of R.3 to alleviate the burden on conducting a stand alone annual drill. The DSR SDT
needs to provide more guidance on the objectives and format of the drill expected (e.g., table top, simulator, mock drill).
• A provision should be added to R.3 to allow for an actual event to be used as credit for the annual requirement. It would
seem that the intent is as such based on the wording in M.3; however, it needs to be explicit in the Requirement.
• Must a test include communicating to NERC or the Region?
No
• Need more guidance on what personnel are expected to participate in the annual review. Training for all participants
in a plan should not be required. Many organizations have dozens if not hundreds of procedures that a particular
individual must use in the performance of various tasks and roles. Checking a box that states someone read a
procedure does not add any value. This is an administrative burden with no contribution to reliability.
• If the intention is that internal personnel who have responsibilities related to the Operating Plan cannot assume the
responsibilities unless they have completed training. This requirement places an unnecessary burden on the registered
entities to track and maintain a database of all personnel trained and should not be a requirement for job function. A
current procedure and/or operating plan that addresses each threshold for reporting should provide adequate assurance
that the notifications will be made per an individual's core job responsibilities.
No
Agree that each Responsible Entity should be able to use either Attachment 2 or the DOE OE-417 form for reporting;
however, a GO/GOP will not have the ability to respond to Attachment 2 Task numbers 8, 9, 10, 11, and 12. Suggest
that the DSR SDT either evaluate a shortened form version, provide a note or provision for "N/A" based on registration,
or revise form to be submitted by the most knowledgeable functional entity (e.g., TOP or RC). Need clear guidance as
to which form is to be used for which Impact Event, we feel that one and only one form should be used to eliminate
confusion. Attachment 2 has an asterisk on #s 7, 8, 9, 10 and 11; there is no reference corresponding to it.
No
Attachment 1, Part A – Energy Emergency requiring Public appeal for load reduction – In the current draft Standard,
the applicability has been revised from an RC and BA to "initiating entity". As a GO/GOP, I cannot see any event where
a GO/GOP would be the responsible "initiating entity" or have the ability to determine an "Energy Emergency". Suggest
revising back to specific entities that would be likely responsible for this action (e.g., RC, BA, TOP). Attachment 1, Part
A – Energy Emergency requiring system-wide voltage reduction – In the current draft Standard, the applicability has
been revised from an RC, TO, TOP, and DP to "initiating entity". As a GO/GOP, I cannot see any event where a
GO/GOP would be the responsible "initiating entity" or have the ability to determine an "Energy Emergency" related to
system-wide voltage reduction. Suggest revising back to specific entities that would be likely responsible for this action.
Attachment 1, Part A – Voltage Deviations on BES facilities - A GOP may not be able to make the determination of a
+/- 10% voltage deviation for ≥ 15 continuous minutes, this should be a TOP RC function only. Attachment 1, Part A –
Generation Loss of ≥ 2,000 MW for a GOP does not provide a time threshold. If the 2,000 MW is from a combination
of units in a single location, what is the time threshold for the combined unit loss? Suggest that a time threshold be
added for clarity. Attachment 1, Part A – Loss of off-site power (grid supply) affecting a nuclear generating station – this
event applicability should be removed in its entirety for a Nuclear Plant Generator Operator. The impact of loss of
off-site power on a nuclear generation unit is dependent on the specific plant design, if it is a partial loss of off-site power
(per the plant specific NPIRs) and may not result in a loss of generation (i.e., unit trip). If a loss of off-site power were to
result in a unit trip, an Emergency Notification System (ENS) would be required to the Nuclear Regulatory Commission
(NRC). Depending on the unit design, the notification to the NRC may be 1 hour, 8 hours or none at all. Consideration
should be given to coordinating such reporting with existing required notifications to the NRC as to not duplicate effort
or add unnecessary burden on the part of a Nuclear Plant Generator Operator during a potential transient on the unit.
In addition, if the loss of off-site power were to result in a unit trip, if the impact to the BES were ≥2,000 MW, then
required notifications would be made in accordance with the threshold for reporting for Attachment 1, Part A –
Generation Loss. However, to align with the importance of ensuring nuclear plant safe operation and shutdown as
implemented in NERC Standard NUC-001, if a transmission entity experiences an event that causes an unplanned loss
of off-site power (source) as defined in the applicable Nuclear Plant Interface Requirements, then the responsible
transmission entity should report the event within 24 hours after occurrence. In addition, replace the words "grid supply"
to "source" to ensure that notification occurs on an unplanned loss of one or multiple sources to a nuclear power plant.
Suggest rewording as follows (including replacing the words "grid supply" to "source" and adding in the word
"unplanned" to eliminate unnecessary reporting of planned maintenance activities in the table below): Event Entity with
Reporting Responsibility Threshold for Reporting Time to Submit Report Unplanned loss of off-site power to a Nuclear
generating plant (source) as defined in the applicable Nuclear Plant Interface Requirements (NPIRs) Each transmission
entity responsible for providing services related to NPIRs (e.g., RC, BA, TO, TOP, TO, GO, GOP) that experiences the
event causing an unplanned loss of off-site power (source) Unplanned loss of off-site power (source) to a Nuclear
Power Plant as defined in the applicable NPIRs. Within 24 hours after occurrence Attachment 1, Part A – Damage or
destruction of BES equipment • The event criteria is still ambiguous and does not provide clear guidance; specifically,
the determination of the aggregate impact of damage may not be immediately understood – it does not seem
reasonable to expect that the 1 hour report time clock starts on identification of an occurrence. Suggest that the 1 hour
report time clock begins following confirmation of event. • The initiating event needs to explicitly state that it is a
physical and not cyber. • If the damage or destruction is related to a deliberate act, consideration should also be given
to coordinating such reporting with existing required notifications to the NRC and FBI as to not duplicate effort or add
unnecessary burden on the part of a nuclear GO/GOP during a potential security event (see additional comments in
response to item 17 below). Attachment 1, Part A – Damage or destruction of Critical Cyber Asset The events that are
associated with Critical Cyber Assets should be removed from this Standard. Critical Cyber Asset related events are
better addressed in the reporting of Cyber Security Incidents which is already included in Attachment 1, Part B and the
CIP standards currently require details about Critical Cyber Assets to be protected with access to that information
restricted to only specifically authorized personnel. Attachment 1, Part A – Damage or destruction of Critical Asset The
events that are associated with Critical Assets should be removed from this Standard. Critical Assets are typically
whole control centers, substations or generation plants and the damage or destruction of individual pieces of
equipment at one of these locations will usually not have much impact to the BES. Any important impacts located at
these sites are already addressed in the other existing [Impact] Event types or would be addressed in the Cyber
Security Incident event which is already included in Attachment 1, Part B. The CIP standards also currently require that
details about Critical Assets and Critical Cyber Assets must be protected with access to that information restricted to
only specifically authorized personnel. The identification of Critical Asset is also only an interim step used to identify the
Critical Cyber Assets that need to have cyber security protections and the NERC Project 2008-06 CSO706 Standards
Drafting Team is currently expecting to eliminate the requirement to identify Critical Assets in the draft revisions they
are currently working on. Attachment 1, Part B – Forced intrusion at a BES facility – Consideration should also be given
to coordinating such reporting with existing required notifications to the NRC and FBI as to not duplicate effort or add
unnecessary burden on the part of a nuclear GO/GOP during a potential security event (see additional comments in
response to item 17 below). Attachment 1, Part B – Risk to BES equipment from a non-environmental physical threat –
this event leaves the interpretation of what constitutes a "risk" with the reporting entity. Although the DSR SDT has
provided some examples, there needs to be more specific criteria for this event as this threshold still remains
ambiguous and will lead to difficulty in determining within 1 hour if a report is necessary. Consideration should also be
given to coordinating such reporting with existing required notifications to the NRC and FBI as to not duplicate effort or
add unnecessary burden on the part of a nuclear GO/GOP during a potential security event (see additional comments
in response to item 17 below). Attachment 1, Part B – Detection of a reportable Cyber Security Incident Although the
DSR SDT agreed that there may be confusion between reporting requirements in this draft and the current CIP-008,
"Cyber Security – Incident Reporting and Response Planning", Part B now requires a 1 hour report after occurrence.
The DSR SDT should verify the timing and reporting required for these Cyber Security Incident events is coordinated
with the NERC Project 2008-06 CSO706 Standards Drafting Team.
No
• M1 - Suggest rewording to state "Each Responsible Entity shall provide the current revision of the Impact Event
Operating Plan or equivalent implementing process"
• M3 – Need to provide more guidance on evidence of compliance to meet R.3. The DSR SDT needs to provide more
guidance on the objectives and format of the drill expected (e.g., table top, simulator, mock drill) and what evidence will
be required to illustrate compliance.
• M5 - Suggest that the DSR SDT provide a note or provision to allow for the DOE OE-417 reporting form be submitted
by the most knowledgeable functional entity (e.g., the TOP or RC) experiencing the event.
No
R.4 should be a low risk factor, this is an administrative requirement with no contribution to reliability.
No
Suggest rewording the 1 hour reporting for High and Severe to state "communicate or submit" a report within …
depending on the severity of the event, an actual report may not be feasible. Similar to an NRC event report, a
provision should be made for verbal notifications in lieu of an actual submitted report. An entity should not be penalized
for failing to submit a written report within 1 hour if the communications were completed within the 1 hour time period
meeting the intent of the Standard.
No
The DSR SDT reduced the implementation from one year to between six and nine months based on the revised
standard requirements. Exelon disagrees with the proposed shortened implementation timeframe. The current revision
to EOP-004 still requires an entity to generate, implement and provide any necessary training for the "Impact Event
Operating Plan" by a registered entity. Commenters previously supported a one year minimum; but the requirements
for implementation have not changed measurably - six to nine months is not adequate to implement as written.
The DSR SDT makes reference to comments that were previously provided that suggested adopting the NRC definition
of "sabotage." Respectfully, this commenter believes the DSR SDT did not understand the intent of the original
comment. The comment made by Exelon in the October 15, 2009 submittal was to ensure that the DSR SDT made an
effort to include the Nuclear Regulatory Commission (NRC) as a key Stakeholder in the Reporting Process and to
consider utilizing existing reporting requirements currently required by the NRC for each nuclear generator operator.
Depending on the event, a nuclear generator operator (NRC licensee) also has specific regulatory requirements to
notify the NRC for certain notifications to other governmental agencies in accordance with 10 CFR 50.72, "Immediate
notification requirements for operating nuclear power reactors," paragraph (b)(2)(xi). The one hour notification
requirement for an intrusion event would also meet an emergency event classification at a nuclear power plant. If an
operations crew is responsible for the one hour notification and if separate notifications must be completed within the
Emergency Plan event response, then an evaluation in accordance with 10 CFR 50.54, "Conditions of licensees,"
paragraph (q), would need to be performed to ensure that this notification requirement would not impact the ability to
implement the Emergency Plan. At a minimum the DSR SDT should communicate this project to the NRC to ensure
that existing communication and reporting that a licensee is required to perform in response to a radiological sabotage
event (as defined by the NRC) or any incident that has impacted or has the potential to impact the BES does not create
either duplicate reporting, conflicting reporting thresholds or confusion on the part of the nuclear generator operator.
Note that existing reporting/communication requirements are already established with the FBI, DHS, NORAD, FAA,
State Police, LLEA and the NRC depending on the event. There are existing nuclear plant specific memorandums of
understanding between the NRC and the FBI and each nuclear generating site licensee must have a NRC approved
Security Plan that outlines applicable notifications to the FBI. Depending on the severity of the security event, the
nuclear licensee may initiate the Emergency Plan. The proposed "Reporting Hierarchy for Impact Event EOP-004-2,"
needs to be communicated and coordinated with the NRC to ensure that the flow chart does not conflict with existing
expected NRC requirements and protocol associated with site specific Emergency and Security Plans. Propose
allowing for verbal reporting via telephone, for 1 hr. reporting with a follow up using the forms. With the revised
standard EOP-004-2 it eliminates the #8; loss of electric service >= 50K, however, that requirement is still required for
the DOE-OE-417 form. The question is do we still have to send it to NERC / Region if NERC/ Region does not
specifically still have that as a requirement? Also, with that requirement, on the current EOP-004-1 it says that schedule
1 has to be filled out within 1 hour? This does not coincide with DOE-OE-417 form. The bottom line, it looks like there is
inconsistency as to what is reportable per EOP-004-2 and DOE-OE-417 form, some of the items are redundant, some
are not, but better guidance is needed as to which form to use when. The SDT should have a webinar with the industry
to create an understanding as to who is responsible to report what and at what time.
Individual
Jennifer Wright
SDG&E
1 - Transmission Owners, 3 - Load-serving Entities, 5 - Electric Generators
No
SDG&E does not agree with the revised Purpose Statement because it does not reflect the standard’s purpose of
identifying reporting requirements for impact events. SDG&E recommends the following revised Purpose Statement:
“To identify the reporting requirements for events considered to have an impact on the reliability of the Bulk Electric
System and to allow an awareness of these Impact Events to be understood by the industry in recognizing potential
enhancements that may be made to the reliability of the BES.”
Yes
Yes
No
SDG&E recommends that “Load Serving Entity,” “Transmission Service Provider,” and “Interchange Authority” be
removed from the proposed applicability shown in Section 4. These entities do not own assets that could have an
impact on the Bulk Electric System. Additionally, none of these entities is listed as an “Entity with Reporting
Responsibility” in Attachment 1. Finally, “Transmission Service Provider” is covered by either “Transmission Owner” or
“Balancing Authority,” which are entities also listed in the proposed Applicability section, and “Load Service Entity” and
“Interchange Authority” are covered by “Balancing Authority.”
No
SDG&E agrees with removing original Requirements 1, 7, 8 from the standard. In addition, SDG&E recommends that
the standard reference Section 812 of the Rules of Procedure.
Yes
Yes
Yes
Yes
Yes
No
For “Detection of a reportable Cyber Security Incident,” Attachment 1 identifies the threshold for reporting as: “that
meets the criteria in CIP-008 (or its successor)”; however, CIP-008 has no specified criteria, so this is an unusable
threshold. Additionally, SDG&E recommends that the timing of any follow-up and/or final reports required by the
standard be listed in the Attachment 1 table.
Yes
Yes
No
This Reliability Standard provides a list of reporting requirements that are applicable to registered entities, thus it is a
paperwork exercise; therefore, SDG&E recommends that none of the requirements should exceed a “Moderate”
Violation Severity Level. Failure on the part of an applicable Registered Entity to provide an event report will have no
immediate impact on the Bulk Electric System.
No
SDG&E recommends a 9 month minimum timeframe for implementation.
Individual
Alan Gale
City of Tallahassee (TAL)
3 - Load-serving Entities, 5 - Electric Generators
Yes
No
While I agree with the overall concept, I am concerned with “or has the potential to impact”. While the standard makes
reference to Attachment 1 Parts A and B, the inclusion of the attachment is not in the definition. This leaves ambiguity
in the definition that could enable second guessing by auditors. Proposed: “An impact event is any event that has either
impacted or has the potential to impact (above the thresholds described in EOP-004-2 Attachment 1) the reliability of
the Bulk Electric System. Such events may be caused by equipment failure or mis-operation, environmental conditions,
or human action.”
Yes
Yes
Yes
Yes
Yes
No
Comments: The verbiage “at least annually, with no more than 15 months between such tests” is an attempt to define
annually. If you want every 15 months say “at least every 15 months”. Otherwise just say annual and let the entities
decide what that is, as is being done with other “annual” requirements. Additionally, while the Measure (M3) implies
that an actual event would suffice it is not stated in the requirement, and the entire plan should be tested, not just a
component. Proposed: Each Responsible Entity shall conduct a test of its Impact Event Operating Plan at least
annually. A test of the Impact Event Operating Plan can range from a paper drill, to the response to an actual event.
No
The verbiage “at least annually, with no more than 15 months between review sessions” is an attempt to define
annually. If you want every 15 months say “at least every 15 months”. Otherwise just say annual and let the entities
decide what that is, as is being done with other “annual” requirements.
Yes
No
One hour should be expanded. While I realize the importance of getting information to NERC/ESISAC/whoever, most
of the 1-hour requirements are tied to events that may not be resolved within one hour. This will result in stopping
restoration efforts or monitoring to submit paperwork. Calling in additional assistance, while certainly a possibility, may
not be feasible to accomplish in sufficient time to meet the one-hour deadline. If any of these events were to truly have
a detrimental effect on the BES, the effects would have already been felt. Recommend all 1-hour reports be extended
to 4-hours. This should also be placed on the list to modify the OE-417 report time lines.
No
M3 & M4 should be modified if comments above (#8 and #9) are incorporated. M4 - Providing the “materials presented”
is beyond the scope of compliance. This constitutes a review of the training program which is beyond the scope of the
standard. Review of attendance sheets should be sufficient. The personnel will be listed in the
Plan/Process/Procedure. Modify M4: Responsible Entities shall provide evidence of those who participated in the
review, showing who was present and when internal personnel were trained on their responsibilities in the plan.
No
R1 is administrative in nature (must have a document) and should be Lower.
Yes
Yes
Yes
Attachment 2 (Impact Event Reporting Form) items 8, 9, 10, and 11 have an asterisk but no identification as to what the
asterisks refer to.
Individual
Mace Hunter
Lakeland Electric
1 - Transmission Owners, 3 - Load-serving Entities, 5 - Electric Generators
Yes
Yes
Yes
No
Event – Transmission loss Threshold for Reporting – Revise to “Loss of three or more BES Transmission elements
within a 15 minute period”. This change would capture a sequence of transmission element losses and remove the
question of timing that will arise if other transmission elements trip, cascade, due to loss of the first element. There may
also be a need for a footnote to clarify that a transmission element that is removed from service by a transmission
operator to prevent uncontrolled cascading would be classified as a loss (something for the SDT to consider). Event –
Energy Emergency requiring Public appeal for load reduction Threshold for Reporting – Add a footnote: Repeated
public appeals for the same initiating Impact Event shall be reported as one Public Appeal Event. The initiation and
release to the media of the Public appeal(s) should be the reportable event. Question: would an internal request to
large industrial customers for voluntary load reductions be reportable under this Event?
Yes
Yes
Individual
Nathaniel Larson
New Harquahala Generating Co.
1 - Transmission Owners, 5 - Electric Generators
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Group
PJM Interconnection LLC
Srinivas Kappagantula
Yes
No
The term "Impact Event" has been too broadly defined. According to the current definition, any event (including routine
operations) can have the potential to impact the reliability of the Bulk Electric System and hence can be an Impact
Event. The definition should only include unplanned events. Attachment 1 lists the events that are reportable. It seems
that the definition of Impact Event refers to the events in Attachment 1 as opposed to defining “Impact Event”. As such,
it is best that the SDT not define “Impact Event” but use words to the effect that requires an entity to have a plan and
implement it for reporting unplanned events outlined in Attachment 1. If “Impact Event” were to be defined, we suggest
the following definition would be a better option: "An Impact Event is any unplanned event listed in Attachment I that
has either adversely impacted or has the potential to adversely impact the reliability of the Bulk Electric System."
Yes
Yes
1. We agree that the entities listed should be responsible for ensuring events are reported, provided they own BES
assets, but more guidance should be provided on which entity in Attachment 1 should actually file the report to avoid
multiple entities reporting a single event. Current Attachment 1 results in significant duplicate reporting. 2. Although the
applicable entities listed in Section 4 capture all entities that are assigned a reporting responsibility in Attachment 1,
some events in Attachment 1 refer to entities applicable under a different standard (e.g., CIP-002) as the responsible
entities for reporting. This results in IA, TSP, and LSE (none of which, generally own Critical Assets and hence not likely
own CCAs) as being responsible for reporting an event. We urge the SDT review the need to include IA, TSP, and LSE
in applicable entities. Also, why is NERC an applicable entity in CIP-002-3 but not in this standard?
No
We agree that the standard should not have requirements applicable to the ERO, but disagree with revising the NERC
Rules of Procedure (RoP) to include suggested Section 812. The reporting responsibility should not be solely given to
NERC. Other learning organizations must also be considered for performing this responsibility. Additionally, the
proposed wording of Section 812 appears to imply that NERC will notify the appropriate law enforcement agencies as
opposed to the local responsible entity.
No
1. This is an “after-the-fact” reporting requirement and should not be confused with Operating Plans that have specific
operating actions and goals. Each entity should prepare its own impact event operating guideline that addresses
impact events, identification of impact events, information gathering, and communication without specifying a specific
format such as Operating Plans, Operating Process, and Operating Procedures. In fact, all three documents mentioned
can all be a single document. 2. 1.3.2 requires notification of law enforcement agencies for all events listed in
Attachment 1. This is essentially not true. For example, firm load is shed requires notification to law enforcement but an
IROL violation, generation loss, or voltage deviation do not.
No
We agree with the concept but disagree with the use of the term “Operating Plan” as a defined term in line with our
comments in Question 6 above.
No
1. This is an “after-the-fact” reporting requirement (administrative in nature). Annual testing of such a requirement does
not add to the reliability of the BES. 2. R3 attempts to define “Annual” for the Registered Entity to test its Operating
Process. We believe R3 should follow the NERC definition of Annual as defined in the NERC Compliance Application
Notice (CAN) – CAN-0010 – Definition of Annual as opposed to creating a new definition of Annual – or – refer to an
entity’s defined use of the term annual.
Yes
1. We agree with the concept but disagree with the use of the term “Operating Plan” as a defined term in line with our
comments to Question 6 above. 3. R4 attempts to define “Annual” for the Registered Entity to review its Impact
Operating Plan. We believe R4 should follow the NERC definition of Annual as defined in the NERC Compliance
Application Notice (CAN) – CAN-0010 – Definition of Annual as opposed to creating a new definition of Annual – or –
refer to an entity’s defined use of the term annual.
No
R5 seems redundant as R2 already requires an entity to report any Impact Events by executing/implementing its
Impact Event Operating Plan. R5 merely stipulates the use of Attachment 2 or DOE-417, which an entity automatically
would use for reporting purposes while implementing its Impact Event Operating Plan.
No
There is still a significant amount of duplicate reporting involved in Attachment 1, which needs to be cleared. See
comments to Question 4.
No
1. We disagree with M4 as it seems to indicate that all training needs to be in person and precludes any form of
Computer Based Training (CBT). 2. As indicated in 10, R5 is redundant as R2 already required an entity to report any
Impact Events by executing/implementing its Impact Event Operating plan. If R5 is to remain as is, then M5 goes
beyond the requirement by requiring the entity to produce evidence of compliance for the type of Impact Event
experienced. It is not clear as to what additional evidence is needed to “support the type of Impact Event experienced”.
No
All VRFs should be lower as Requirements 1-5 are all administrative in nature. A violation of any of these requirements
does not directly or indirectly affect the reliability of the BES.
No
VSLs should reflect the comments on the VRFs above.
No
R2 and R5 should be in Operations Assessment Time Horizon as they deal with “after-the-fact” reporting.
Yes
In the Compliance Enforcement Authority Section on Page 11, the second bullet says “If the Responsible Entity works
for the Regional Entity, then the Regional Entity will establish an agreement with the ERO or another entity approved
by the ERO and FERC (i.e. another Regional Entity) to be responsible for compliance enforcement”. We are not sure
what this exactly implies or means. Additional clarification is required.
Individual
Brian Pillittere
Tenaska
5 - Electric Generators
No
We already have adequate procedures in place to address sabotage and other significant events, pursuant to the
existing CIP-001-1 and EOP-004-1 Standards. The requirement to develop a new Impact Event Operating Plan would
increase the administrative burden on Registered Entities to comply with the proposed Standard, without providing a
foreseeable improvement in system reliability. The “laundry list” of required Impact Event Operating Plan components
is too specific and would make it more difficult to prove compliance with EOP-004-2 during an audit. A revised version
of the proposed R5 is the only Requirement that is necessary to achieve the stated purpose of Project 2009-01.
No
The proposed Impact Event Operating Plan should not be required.
No
The proposed Impact Event Operating Plan should not be required, therefore any tests of the Operating Process
should not be required.
No
The proposed Impact Event Operating Plan should not be required.
No
R5 should be changed to “Each Responsible Entity shall report Impact Events listed in Attachment 1 using the form in
Attachment 2 or the DOE OE-417 reporting form”. This revised version of the proposed R5 is the only Requirement that
is necessary to achieve the stated purpose of Project 2009-01. The proposed R1 through R4 should be deleted and R5
should be changed to R1.
No
The proposed R1 through R4 should be deleted and a revised version of R5 should become R1. The proposed
measures for the new R1 should be revised accordingly.
Individual
Michael Johnson
APX Power Markets
8 - Small End Users
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
The reporting of Impact Events needs to be clearly spelled out and if moving some of that to State Agencies it needs to
be consistent in all States at the same time and which State it should be reported to. We have a 24-hour Desk in one
state that handles facilities in many other States. If there is an Impact Event that needs to be reported, where is that
report sent to? The State the facility resides in or the State where our 24-hour Desk resides in?
Individual
Jonathan Appelbaum
United Illuminating Co
1 - Transmission Owners
No
UI agrees with the idea but believes the statement can be improved to remove ambiguities. For example: “if known”
can be modifying the word causes, or the word Impact events. To improve industry awareness and the reliability of the
Bulk Electric System by requiring the reporting of identified Impact Events and if known their causes, if known, by the
Responsible Entities.
Yes
Yes
No
Will an entity be required to develop an Operating Process for every Impact Event in Attachment 1, or only those
events that apply to its Registration. For example, does a DP require evidence of an Operating Process/Procedure for
Voltage Deviations on a BES Facility? Some items in Attachment 1 state “Each RC, BA, TOP, DP that experiences the
Impact Event” (such as Loss of Firm Load). DP’s may have arranged with TOP and RC to communicate the event to
TOP who then will file the NERC report and OE-417. The requirements in the Standard would allow for this as long as
the Operating Plan documents it. Attachment 1 though can be interpreted that this arrangement would not be allowed
and each entity shall file its own and separate report. UI suggests that Attachment 1 be modified to allow for an Entity's
Operating Plan to rely on another Entity making the final communication to NERC. “Each RC, BA, TOP, DP that
experiences the Impact Event, either individually or combined on a single filing”
Yes
No
Does R1.1 require an Operating Process for each Impact Event in attachment 1 or an Operating Process that in
general applies to all Impact Events?
Yes
Yes
FERC did state in Order 693 that the reporting procedure requires testing. UI is concerned that the scope of the
requirement is unspecified. Does the exercise require only one type of Impact Event to be exercised per period, or is an
entity required to simulate each Impact Event and notification?
Yes
As written it is a training burden. Certain persons will have only one step in one operating procedure to perform. There
is no necessity to review the entire Operating Plan with them. For example, Field Personnel need to know that if they
see something not right to report it immediately. In this instance there is no benefit to review the Operating
Procedure/Process for firm load shedding with them.
Yes
Put “its” before Impact Event Operating Plan.
No
R3 should be Low. It is a test of the communication Plan which is use of telephone and email.
Yes
Yes
No
The SDT should be specific that on the effective date an Entity will have the Operating documented and approved. The
SDT should be specific that the first simulation is required to occur 15 months following the effective date. The SDT
should be specific that the first annual review shall occur within 15 months after the effective date.
Group
Georgia Transmission Corporation & Oglethorpe Power Corporation
David Revill
Yes
We find it unnecessary to state that the purpose of a Reliability Standard is to "improve…the reliability of the Bulk
Electric System."
No
We do not think that Impact Event should be defined using a recursive definition, i.e. that the word "impact" should be
used in the definition of the term "Impact Event." Instead, we suggest using an enumerative definition in that the tables
included in Attachment 1 are themselves used to define "Impact Event." If this definition is not acceptable, we suggest
replacing the word "impact" in the definition with the word reduce, reduced, or …potential to reduce the reliability of the
BES.
Yes
We agree with the approach taken by the SDT.
No
We do not believe that GO, TO, TSP, DP, or LSE should be included in the applicability of this standard. It is our
opinion that the reporting requirements lie primarily with the applicable operator and should be limited as such. We
recommend modifications as discussed in our response to question 6 to clearly define what types of events each
Responsible Entity needs to prepare for. Currently, it seems that multiple entities are being required to report the same
event for some events where only one entity should have a reporting responsibility. However, NERC should not decide
which one entity should report a given event. The entities should have the flexibility to create a process which allows for
coordination and communication at a local level and to work out with neighboring entities who might ultimately report
events to the applicable organizations.
No
The terms "Operating Procedure, Operating Plan, and Operating Process," while included in the NERC glossary, are
not consistently used throughout the body of NERC standards as they are used in R1 of EOP-004-2. As such, we do
not see a reliability benefit in using the defined terms over the more commonly used terms of simply "plans, processes,
and procedures." In part 1.1 of R1, we think that the requirement should clearly indicate that a particular Responsible
Entity's Impact Event Plan should only be required to include those particular Impact Events for which the Responsible
Entity has the reporting obligation. Therefore, we suggest the following modification to R1: "1.1 An Operating Process
for identifying Impact Events listed in Attachment 1 for those Impact Events where the Responsible Entity is identified
as having the reporting responsibility." Additionally, in part 1.3 of R1, we believe the language to be vague and will
introduce the need for further clarification either through an interpretation or the CAN process in part because the verb
tenses of the sub-sub-requirements do not agree and it appears to require notification to all listed parties for every
Impact Event instead of only those that make sense for a particular event. As such, we suggest adding a column to the
tables in Attachment 1 that identifies precisely which organizations should be notified in the case of a particular Impact
Event and modifying part 1.3.2 to read: "1.3.2 External organizations to notify as specified in Attachment 1." Currently,
as written, the standard could be interpreted to require notification to law enforcement for an IROL violation, for
instance. Furthermore, we are concerned that as written, the standard may require that the same event must be
reported by multiple responsible entities. Our current process uses notification between Responsible Entities (i.e. from
a TO to a TOP and then from the TOP to NERC) to allow for a centralized and coordinated notification to law
enforcement, NERC, etc. We are concerned that the requirement as written does not appear to allow this flexibility and
may require both the TO and TOP to report the same event in order to prove compliance with the Standard.
No
We are concerned with having a separate requirement to implement the Plan. Is this requirement necessary on its
own? Should R1 instead require a Responsible Entity to "document and implement" an Impact Event Operating Plan?
More specifically, if an Entity does not have an Impact Event, are they in violation of this requirement? If merging this
requirement with R1 is not acceptable we suggest moving the language from the measure to the requirement as such:
"To the extent that a Responsible Entity has an Impact Event on its Facilities, Each Responsible Entity shall
implement…" Additionally, R1 uses the phrase "recognized Impact Event" whereas R2 simply uses the term "Impact
Event." The phrase "recognized Impact Event" should be used consistently in R2 as well.
No
With the current CAN on the definition of annual, we do not believe that the additional qualification that the test shall be
conducted "with no more than 15 calendar months between tests" is necessary. If instead the team believes that, in
order to support the reliability of the BES, tests should be performed at least every 15 months, then the requirement
should be to perform a test at least every 15 calendar months and remove the annual component.
No
We do not believe that the requirement should specify that the plan must be reviewed with those personnel who have
responsibilities identified in that plan as there is no requirement in R1 that the plan must identify any specific personnel
responsibilities. Additionally, we seek clarification on whether review in this instance means train as indicated in the
measure.
No
As stated above in response to question 6, we believe that a column should be added to the tables to explicitly indicate
what external organizations should receive the communications of a particular Impact Event type. Additionally we have
concerns with the following table items: Threshold for reporting Transmission Loss: As stated, this will require the
reporting of almost all transmission outages. This is particularly true taking into consideration the current work of the
drafting team to define the Bulk Electric System. The loss of a single 115kV network line could meet the threshold for
reporting as the definition of Element includes both the line itself and the circuit breakers. Instead, we recommend the
following threshold "Three or more BES Transmission lines." This threshold has consistency with CIP-002-4 and draft
PRC-002-2. This threshold also needs additional clarification as to the timeframe involved. Is the intent the reporting of
the loss of 3 or more BES Transmission Elements anytime within a 24 hour period or must they be lost simultaneously?
Also, we recommend that these three losses be the result of a related event to require reporting. Entity with Reporting
Responsibility for Loss of Off-site power to a nuclear generating plant (grid supply): The reporting responsibility should
clarify that this is only entities included in the Nuclear Plant Interface Requirements.
No
Several of the measures appear to introduce items that are not required by the standard. For instance, R3 requires that
a test of the communications process be performed, however Measure 3 indicates that a mock impact event be
performed. Measure 4 indicates that personnel be listed in the plan and be trained on the plan, however there is no
requirement to include people in the plan or to train them.
In the discussion and related flowchart described as "A Reporting Process Solution - EOP-004," the discussion
suggests that Industry should notify the state law enforcement agency and then allow the state agency to coordinate
with local law enforcement. It has been our experience that we receive very good response from local law enforcement
and they have existing processes to notify state or federal agencies as necessary. It appears the recommendation is to
bypass the local law enforcement, but it is not clear that representatives from state or local law enforcement were
included in this discussion (see proposal discussed with "FBI, FERC Staff, NERC Standards Project Coordinator and
SDT Chair"). It would be helpful to see some additional clarification to understand why the state agency was chosen
over local or federal agencies. Finally, we would like to express our gratitude to the DSR SDT for their hard work in
making improvements to the NERC standards for event reporting.
Group
Northeast Power Coordinating Council
Guy Zito
Yes
No
Is there a need for this definition? By itself the term is not specific on the types of events that are regarded as having an
“impact”. The detailed listing of events that fall into a reportable event category, hence the basis for the Impact Event, is
provided in Attachment A. The events that are to be reported can be called anything. Defining the term Impact Event
does not serve the purpose of replacing the details in Attachment A, and such a term is not used anywhere else in the
NERC Reliability Standards. For a complete definition of Impact Event, all the elements in Attachment A must be a part
of it. Suggest consider not defining the term Impact Event, but rather use words to stipulate the need to have a plan, to
implement the plan and to report to the appropriate entities those events listed in Attachment A.
Yes
It is more important to report suspicious events than to determine if an event is caused by sabotage before it gets
reported.
No
Disagree with the following inclusion/exclusion of several entities: a. The applicable entities listed in Section 4 capture
all the entities that are assigned a reporting responsibility in Attachment 1 of the standard. While some events in
Attachment 1 have specific entities identified as responsible for reporting, certain events refer to the entities listed in
specific standards (e.g. CIP-002) as the responsible entities for reporting. The latter results in IA, TSP and LSE (none
of which being specifically identified as having a reporting responsibility) being included in the Applicability Section.
NERC should be included in the Applicability Section as it is an applicable entity identified in CIP-002-3. b. If the above
approach was not strictly followed, then suggest the SDT review the need to include IA, TSP and LSE since they
generally do not own any Critical Assets and hence will likely not own any Critical Cyber Assets.
Yes
Agree with the proposed removal, but have not assessed the proposed language for RoP para. 812 because unable to
access it (not on the RoP page).
Yes
Yes
No
The annual testing requirement is too frequent for a reporting, and not an operational process. The testing interval
should be extended to five years.
Yes
No
R5 stipulates the use of Attachment 2 or the DOE-417, which is the vehicle for reporting only. This is the “how” part, not
the “what”. The vehicle for reporting can easily be included in R2 where an entity is required to implement (execute) the
Operating Plan upon detection of an Impact Event. Suggest combining R2 with R5.
No
As indicated under Question 4, we question the need to include IA, TSP and LSE in the responsible entities for
reporting.
No
Concerns with M5: a. As suggested in the response to Question 10 above, R5 should be combined with R2; b. If R5 is to
remain as is, then M5 goes beyond the requirement in R5 in that it asks for evidence to support the type of Impact
Event experienced. Attachment 2 already requires the reporting entity to provide all the details pertaining to the Impact
Event. It is not clear what kind of additional evidence is needed to “support the type of Impact Event experienced”.
Also, the date and time of the Impact Event is provided in the reporting form. Why the need to provide additional
evidence on the date and time of the Impact Event?
No
If R5 is to remain as is, then the VRF should be a Lower, not a Medium. R5 stipulates the form to be used. It is a
vehicle to convey the needed information, and as such it is an administrative requirement. Failure to use the form
provided in Attachment 2 or the DOE form does not lead to unreliability.
No
No major issues with the proposed VSLs. However, because of the preceding comments, want to see the next revision
of the draft.
No
For the purpose of developing and updating an Impact Event Operating Plan, there should not be any requirements
that fall into the Long-term planning horizon. As the name implies, the plan is used in the operating time frame.
Consistent with other plans such as system restoration plans which need to be updated and tested annually, most of
the Time Horizons in that standard (EOP-005-2) are either Operations Planning or Real-time Operations. Suggest the
Time Horizon for R1, R3 and R4 be changed to Operations Planning.
Yes
Individual
Kevin Koloini
American Municipal Power
3 - Load-serving Entities, 4 - Transmission-dependent Utilities, 5 - Electric Generators
Yes
The purpose is acceptable. I think it could be improved and simplified. There were not any questions on the title.
Consider changing the title to Reportable Events. There were not any questions on the category. I suggest changing
the category from Emergency Operations to Communications. Reporting events can trigger and be more than just
Emergency Operations. I feel the reporting function performed by entities should be under the Communications
category. Title: Reportable Events Purpose: To improve reliability by communicating timely information about an event
or events.
Yes
The definition of Impact Event is acceptable and an improvement. I feel it could be improved and simplified further.
Consider changing Impact Event to a "reportable event".
Yes
Well done.
No
No, I do not agree. The DP and LSE functions should be removed.
Yes
A software solution may provide an easy expansion for reporting EOP-004, CIP-001, and additional standards.
No
No, remove R1. R1 is not an acceptable requirement nor should this be an operation. Focusing on a plan and
procedure is overly prescriptive and costly. The only requirement should be to have an entity submit a report. Let the
entity decide how they want to implement the reporting.
No
No, remove R2. R2 is not an acceptable requirement nor should this be an operation. Focusing on a plan is overly
prescriptive and costly. The only requirement should be to have an entity submit a report. Let the entity decide how
they want to implement the reporting.
No
No, remove R3. R3 is not an acceptable requirement nor should this be an operation. Focusing on a test is overly
prescriptive and costly. The only requirement should be to have an entity submit a report. Let the entity decide how
they want to implement the reporting.
No
No, remove R4. R4 is not an acceptable requirement nor should this be an operation. Focusing on a plan and
personnel tracking is overly prescriptive. The only requirement should be to have an entity submit a report. Let the
entity decide how they want to implement the reporting.
No
R5 is not an acceptable requirement, but it can be improved. Each Responsible Entity shall report "Impact Events" to
_____________ (address specified in attachment 1, website, entity, email address, or fax, etc.) Focusing on a plan and
procedure is overly prescriptive. The only requirement should be to have an entity submit a report. Let the entity decide
how they want to implement the reporting.
Yes
No
M1-M4 should be eliminated and M5 should be revised to incorporate a simplified R5. M5 - Date and time of submitted
report
No
No, this is not acceptable. Eliminate R1-R4. Change R5 to Lower.
No, this is not acceptable. Eliminate R1-R4 and change R5. Severe: n/a High VSL: n/a Medium VSL: No report for a
reportable event Low VSL: Late report for a reportable event
No
Yes
Individual
Daniel Duff
Liberty Electric Power LLC
5 - Electric Generators
Yes
Yes
I am interpreting the phrase "has the potential" to exclude events which had the potential, but did not impact the BES.
An example would be a generation trip - if the trip had happened during a system emergency it could have affected the
BES, but since it happened under normal conditions there is no reporting responsibility. Some assurance on this
interpretation would be appreciated.
Yes
Yes
Yes
Yes
Yes
No
It is not the proper role of the standards to dictate how an entity conducts training. Large utilities with backup control
rooms and enough personnel can conduct routine drills without disturbing operations, but this is not always the case for
small entities. Further, classroom training where emergency responses are discussed can be a better tool at times for
assuring compliance with operating procedures. I would suggest R3 read "Each entity shall assure that personnel are
aware of the requirements of EOP-004 and capable of responding as required".
No
Again, the entity should determine the need for review of any procedure. Changing circumstances may dictate a
shorter cycle, but no changes could dictate a longer review. I will note that spill prevention plans are required to be
reviewed every five years, so I question the need for an 18-month review of the EOP plan.
Yes
Yes
A qualified yes here - please clarify footnote 1 to the table. Are the listed qualifications "and" or "or" statements -IOW, if
destruction of BES equipment through human error does not have the potential to result in the need for emergency
actions, is it still reportable? If a 18-240 KV step-up transformer suffers minor damage because a conservator tank was
valved out, is this reportable under this definition?
No
Due to disagreement with R3 and R4.
No
See Q 12.
No
See Q 12.
Yes
Yes
Individual
Philip Huff
Arkansas Electric Cooperative Corporation
3 - Load-serving Entities, 4 - Transmission-dependent Utilities, 5 - Electric Generators, 6 - Electricity Brokers,
Aggregators
No
The purpose statement reads "To improve industry awareness…of the BES". We suggest the purpose should state "To
improve industry awareness and effectiveness in addressing risks to the BES". We feel the remaining purpose
statement is unnecessary.
Yes
Yes
Yes
Yes
No
We appreciate the effort the team has taken in improving the requirements since the last posting. For 1.3, it appears to
suggest the communication must always include communicating to internal personnel and ALL external organizations.
We suggest removing the reference to 1.3.1 and 1.3.2 and move 1.3.1 and 1.3.2 to 1.4 and 1.5 respectively. For 1.3.2,
modify to state "Internal company personnel notification(s) deemed necessary by the Responsible Entity". For 1.4, we
feel the term "content" is too broad as used here. For example, if the FBI changes the contact info for the JTTF, the
Responsible Entity may not find out until an incident or annual exercise. Or if the contact person for the state agency
changes position without notifying us, it would require us to then change the plan within 90 days. We suggest an
annual review of the plan is sufficient for the objective of this requirement.
Yes
Yes
No
We appreciate the effort the team has taken in improving the requirements since the last posting. We request the team
clarify if this also includes personnel observing and reporting the requirements or only those specifically listed in the
plan. The measure seems to indicate it only includes those listed in the plan, but this is not clear in the requirement. If it
includes those personnel involved in observing and notifying management, then this might include a significant portion
of the organization. In either case, we feel the requirement should be modified as "…review applicable portions of its
Impact Event Operating Plan...”.
No
We appreciate the effort the team has taken in improving the requirements since the last posting. For R5, we suggest
including the reporting form as part of the plan in R1. Otherwise, a violation of R5 would also indicate a violation of R2.
No
We appreciate the effort the team has taken in improving the requirements since the last posting. Event Forced
Intrusion: The timeframe is very small given the possibly minimal risk to the BES. It often takes much longer than 1
hour after verification of intrusion to determine the intrusion was only for copper theft. We suggest a 24 hour time frame
or tie the timeframe to the "verification of forced intrusion".
No
We applaud the drafting team's effort in crafting more meaningful measures. However, we have concerns with the
measures reading like requirements in stating Responsible Entities "shall" do something. We suggest crafting the
measures to provide acceptable, but not all exclusive, forms of evidence by stating something similar to "Acceptable
forms of evidence may include…”
Yes
Yes
Yes
Yes
We appreciate the added context through the use of extended background information, rationale statements, and
corresponding guideline and hope this context will remain in line with the Standards through the ballot and approval
process. We have a few suggestions and questions related to this context. Our comments for this question relate to the
contextual information. First of all, in the diagram on page 8, we suggest the appropriate question to ask is "Is event
associated with potential criminal activity?" rather than "Report to Law Enforcement?” Also, it would be helpful to make
clear the communication flow associated with the State Agency is the responsibility of the State Agency and not the
Responsible Entity. This could be shown with a different colored background that calls this process out separately. In
the rationale box for R3, it states "The DSR SDT intends…” We propose this should read similar to "The objective of
this requirement is…” Overall, we suggest the SDT review the guidance document to make sure any changes made to
the requirements are consistent with the guidance.
Individual
Joe Petaski
Manitoba Hydro
1 - Transmission Owners, 3 - Load-serving Entities, 5 - Electric Generators, 6 - Electricity Brokers, Aggregators
No
“Situational Awareness” was replaced by the generic “Industry awareness”. Justification for this was that “Situational
Awareness” was a “by product” of a successful event reporting system and not a “driver”. Using “Industry awareness”
clouds the clarity of the purpose. If personnel are properly trained and conscious of their responsibilities, then they are in
fact “situationally aware”, and will therefore drive the reporting process on the detection of an “Impact Event”. “Industry
awareness” falsely labels this Standard as unique to the electrical industry when clearly many outside and international
agencies will be notified and involved. “Situational Awareness” seems much more appropriate and encompassing.
Other than that the Purpose is a large improvement from the original.
Yes
“Disturbance” has a unique and traditional meaning in the electrical industry, basically meaning “a notable electrical
event causing an imbalance of load and generation”. Attempting to include the many scenarios that can affect
reliability blurred the current vision of “Disturbance” and the addition of “unusual occurrences” just added to the
confusion. It never seemed appropriate to submit an “unusual occurrence” on a “Disturbance Report”. “Impact Event” is
very encompassing and then detailed specifically in Attachment 1.
Yes
“Impact event”, The DSR SDT reasoning for this “A sabotage event can only be typically determined by law
enforcement after the fact” is very creative and concise!
Yes
All registered entities are included. This means all field and office personnel involved will create a 360 degree view of the
BES, and fulfill “Situational awareness of the industry”. In Attachment 1, the “Entity with Reporting Responsibility”
entities vary. It might be clearer to leave all impact levels “Entity with Reporting Responsibility” as the RC, BA and TOP,
as these are likely the only parties that will report as required. All other entities must report to the RC, BA and TOP.
Yes
Agree with R1, a central system for receiving and distributing reports. There is limited time and resources for control
operators to follow up and ensure ALL required entities have received all information required in a timely manner.
Agree with R7 and R8.
No
Plan, Process and Procedure are all too interchangeable with each other and have no value being used in “one
paragraph” as they do not differentiate from one or other. The terms “identify”, “gather” and “communicate” better
describe “Process, plan or procedure” so simplify to: 1.4. Identification of Impact Events as listed in Attachment 1. 1.5.
Gathering information for inclusion into Attachment 2 regarding observed Impact Events listed in Attachment 1. 1.6.
Communicate recognized Impact Events to the following:
Yes
Removing “assess the initial probable cause” from the statement removes the ambiguity in the same way as replacing
sabotage with impact level. Let the staff trained in this field determine probable cause after the fact.
Yes
This requirement appears to be written so as to leave how each entity tests this procedure is up to them and not how.
The testing of this procedure could vary vastly from entity to entity, meaning there is no set protocol on this procedure.
As long as this requirement remains open, it is fair.
Yes
Removing the extreme details “within 30 days of revision” and “train before given responsibility” and giving leeway to
when this training is necessary, will allow training to be integrated into other existing training schedules. Inclusion of 5.3
and 5.4 would require unique set of time lines and additional resources to monitor and implement.
Yes
The DOE-OE-417 appears more intuitive and descriptive (and on line ability), but having the either or option is fine.
DOE-OE-417 Form is mentioned several times in this Standard, but no link to this document.
No
Reporting for CCA's should be limited to damage associated with a detected cyber security incident.
Yes
No
Reduce the Long Term Planning items to Lower VRF. The planning items will not have the same impact on the
reliability of the system as real time operations.
Yes
Yes
Yes
Individual
Mike Albosta
Sweeny Cogeneration LP
5 - Electric Generators
Yes
Yes
No
The threshold for reporting what could be sabotage still leaves the door open for second guessing after-the-fact. For
example, if graffiti is sprayed on a BES asset, the entity is to assume that the event is not to be reported. However,
intent to harm the BES may be discovered at a later point – with ramifications to the entity who did not report it. A
solution may be to strengthen footnote 3 to both reporting tables, which makes an allowance to report “if you cannot
reasonably determine likely motivation” of sabotage. If acceptable methods to provide justifiable evidence that reporting
was NOT required, then this loophole may be corrected.
No
In Attachment 1, Generator Operators who experience a ± 10% sustained voltage deviation for ≥ 15 continuous must
issue a report. For externally driven events, the GOP will have little if any knowledge of the cause or remedies taken to
address it. We believe the language presently in EOP-004-1 is satisfactory that any “action taken by a Generator
Operator” that results in a voltage deviation has to be reported by the GOP.
Yes
We agree that these requirements appropriately belong in the NERC Rules of Procedure. However, we are concerned
with the multiple reporting requirements being driven by EOP-004-2, CIP-008-3, the ERO Events Analysis Team, the
Reliability Assessment and Performance Analysis Group (RAPA). It is imperative that these efforts be consolidated into
a single procedure using a single reporting template.
Yes
Yes
No
We do not see a reliability benefit in the planning and execution of tests or drills to ensure that regulatory reporting is
performed in a timely fashion. It is sufficient that penalties can be assessed against entities that do not properly
respond in accordance with EOP-004-2, leaving it to us to determine how to avoid them.
Yes
Yes
No
In Attachment 1, Part A, Generator Operators who experience a ± 10% sustained voltage deviation for ≥ 15 continuous
must issue a report. For externally driven events, the GOP will have little if any knowledge of the cause or remedies
taken to address it. We believe the language presently in EOP-004-1 is satisfactory that any “action taken by a
Generator Operator” that results in a voltage deviation has to be reported by the GOP.
Yes
Yes
Yes
Yes
Yes
Individual
Thad Ness
American Electric Power
1 - Transmission Owners, 3 - Load-serving Entities, 5 - Electric Generators, 6 - Electricity Brokers, Aggregators
Yes
No
The definition is too broad and vague. The text in the comment form has the following sentence “Only the events
identified in EOP-004 – Attachment 1 are required to be reported under this Standard.” The definition should contain
that caveat or something similar.
Yes
Yes
AEP agrees, but it further supports the notion that this standard should not apply to the IA, TSP, and LSE functions.
Yes
No
Even best developed plans, processes and procedures do not always lend themselves to address the issues at hand.
There needs to be flexibility to allow entities to first address the reliability concern and second report correspondingly.
Currently, this requirement is overly prescriptive and places unnecessary emphasis on the means to an end and not
the outcome. The outcome for this requirement is to report Impact Events.
No
Requirement 5 and Requirement 2 are redundant. We recommend Requirement 2 be replaced with the language in
Requirement 5. “Each Responsible Entity shall report Impact Events in accordance with the Impact Event Operating
Plan pursuant to Requirement R1 and Attachment 1 using the form in Attachment 2 or the DOE OE-417.”
No
It is unclear if actual events would qualify for a test in the requirement; however, the associated measure and rationale
appear to support this. We suggest the requirement be restated to allow for actual events to count for this requirement.
Yes
No
This should be one step covered by the implementation in requirement 2. We like the ability to use one form (i.e. NERC
Attachment 2 or the DOE-417); however, we would prefer to have this information only be reported once.
No
The time to submit a report for the inclusion of the damage or destruction of BES equipment, critical asset, or critical
cyber asset is too aggressive. The critical cyber asset reporting is redundant with CIP-008. Furthermore, reporting
equipment failures within an hour for Critical Assets is going to overwhelm operators that need to focus on the
restoration efforts. Self-evident equipment failures at a Critical Asset (such as a tube leak at a generator which is a
Critical Asset) should not be required to be reported. Maybe the wording should be stated as an “abnormal occurrence”
rather than “equipment failure.” It would be helpful if there was a defining or a footnote that defines the nature and/or
duration for loss of some equipment. For example, is a transmission loss for sustain or momentary outages?
Yes
No
With the scope of applicable functions expanding, more time will be required to develop broader processes and
training. This will need to be extended for 18 months to get the process implemented and everyone trained.
We still do not agree that LSE, TSP and IA should be included in the applicability of this standard. Having processes to
report to local or federal law enforcement agencies is “legislating the obvious”. The focus on this standard should only
be on Impact Event reporting to reliability entities.
Group
Southern Company
Cindy Martin
Yes
Yes
There is concern that the proposed definition for Impact Event does not allow for prudent judgment and preliminary
situational assessment by the entity to declare a Potential Impact Event (especially threats) as non-credible. The
thresholds for reporting established in Attachment 1 – Part A provide a somewhat definitive bright line with regard to
those events identified in Part A, but for some of the events in Part B there should be allowance for an assessment by
the entity to reasonably determine whether the event poses a credible threat to the reliability of the BES. This is
attempted in the footnote to the “Forced Intrusion” event in Attachment 1 – Part B, but we think this allowance for entity
assessment and prudent judgment needs to apply more pervasively, perhaps by including the term “credible” in the
definition of Impact Event or at least by adding the term “credible” wherever the term “physical threat” is used.
Yes
Yes
This will cause the duplication of reporting for some events. Reference EOP-004 Attachment 1: Impact Events Table;
Event - Loss of Firm Load for ≥ 15 minutes (page 15 of standard) This requires the RC, BA, TOP, and DP to report. So
if a storm front goes through our system and takes out 400MW of load in Alabama and Georgia the PCC would have to
report as the RC, BA, and TOP. Alabama Power and Georgia Power would also have to report as DPs. The way it is
now the PCC reports for any of these events.
Yes
Yes
Yes
Yes
This will cause all of the entities listed in R1.3.2 to receive test communications from all of the applicable entities
annually.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
The implementation time should be 12 months after approval regardless of the elapsed time taken to get the standard
approved.
Need guidance for incorporating disturbance reporting that is in CIP-008.
Individual
Andres Lopez
USACE
5 - Electric Generators, 9 - Federal, State, Provincial Regulatory, or other Government Entities
Yes
No
1) You cannot use the terms impact and event to define impact event. 2) The phrase “has the potential to impact”
makes the definition too vague. Every action taken to modify the system or its components has the “potential to impact”
the Bulk Electric System. 3) Recommend to change the definition to: “Any occurrence which has adversely affected the
reliability of the Bulk Electric System. Such events may be caused by equipment failure or mis-operation,
environmental conditions, or human action.”
No
The DSR SDT should have defined sabotage since it helps the SDT working on CIP standards further define its action.
Sabotage can be defined as the deliberate act of destruction, disruption, or damage of assets to impact the reliability of
the BES.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
The "Potential Reliability Impact" table should be taken out. Referred to previous comment on our position on potential
impacts.
Yes
Yes
Yes
No
Yes
Individual
Nathaniel Larson
New Harquahala Generating Co.
1 - Transmission Owners, 5 - Electric Generators
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
M3. In the absence of an actual Impact Event, the Responsible Entity shall provide evidence that it conducted a mock
Impact Event and followed its Operating Process for communicating recognized Impact Events created pursuant to
Requirement R1, Part 1.3. The time period between actual and or mock Impact Events shall be no more than 15
months. Evidence may include, but is not limited to, operator logs, voice recordings, or documentation. (R3). The
measure for R3 needs to make it clear that “exercise/drill/actual employment” can be a classroom exercise, utilizing
scenarios for discussion. It should not be necessary to fully test the plan by making actual phone calls, notifications etc.
Yes
Yes
Yes
No
See R3 comments
Yes
Yes
Yes
Yes
Group
Bonneville Power Administration
Denise Koehn
Yes
Yes
Agree, but note that this will add many more situations to reporting and it will require more staff time to accomplish this.
Yes
Yes
Yes
Ensure distribution of trends.
No
Not sure that a 90-day update is needed to be sent to CEF.
No
Minimize the number of requirements. Not sure what the new R2 intends that is different than having a valid plan
(signed?). Why can't R1 have develop and implement? R5 is the reporting. Implement should be with R1 or R5
depending on the interpretation.
No
Too burdensome to go through EACH and ALL individual Impacts and report each one on a drill basis with outside
entities. One or two scenarios may be OK.
Yes
Yes
Reporting form OK. Note that the Frequency Maximum/Minimum Section should be clarified. A Gen Loss doesn't
usually experience a high (maximum) frequency, just the low immediately following the event.
No
Generally OK, but there are too many events to report. The loss of 3 BES elements for a large geographic entity for a
(5 county?) windstorm that has little impact to the system is not needed. 3 elements within the same minute could be
acceptable and 6? elements still out within an hour ... or something to that effect could work.
Yes
No
R2, R3 and R4 should be lower VRFs than R5 and R1.
No
For R5 VSL's: suggest moving the 1-2 hours down one level to Moderate and move the >2 hours down to High with a
range of 2-8 hours. Leave the "Failed to Submit" in the Severe category.
No
Depends on the answer to #7. If implementation means a signed and valid Plan, then it should be with Long Term. If
reporting the events, then it should be Real-Time/Same Day Operations.
Yes
Work needed on Part A Damage or Destruction of BES equipment. The Note 1 is OK, but the Threshold doesn't match
well. If a PCB is damaged by lightning or an earthquake, Note 1 (human action) doesn't require Reporting (proper
interpretation), but the Threshold still requires "equipment damage".
Group
Midwest Reliability Organization
Carol Gerou
Yes
The addition of “industry awareness” adds to the scope of this Standard. Whereby an entity is required to inform the RC
and others of actual and potential Impact Events.
No
The proposed definition is not supported by any of the established “bright line” criteria that are contained within
attachment 1. This Results Based Standard should close any loop-holes that could be read into any section, especially
the definition. According to rules of writing a definition, a definition should not contain part of the word that is being
defined. Recommend the definition be enhanced to read: “Impact Event: Any Contingency which has either effected or
has the potential to effect the Stability of the BES as outlined per attachment 1.” Within this enhanced recommendation,
presently defined NERC terms are used (Contingency and Stability), thus supporting what is currently used within our
industry. There is also a quantifiable aspect of “as outlined per attachment 1” that clearly defines Impact Events.
Yes
Sabotage is usually associated with a “malicious” attack. Entities have always lacked the clinical expertise to determine
if an event was malicious or not. The Impact Event bright line criteria clearly states what the minimum reporting
requirements are.
Yes
Yes
The ERO is not a user, owner or operator of the BES and the best place to contain their responsibilities, is in the Rules
of Procedure.
Yes
This is a NERC defined term and will assist entities in maintaining compliance with this (proposed) Standard.
Yes
This clearly states that an entity’s Operating Plan is to be used for reporting of Impact Events.
Yes
Yes
Yes
This will reduce any double reporting to the ERO and FERC.
No
1) Section 9 of the Impact Reporting Form states: "List transmission facilities (lines, transformers, busses, etc.) tripped
and locked out". But Part A of Attachment 1 states: "Three or more BES Transmission Elements". a. Should section 9
state: "List transmission facilities (lines, transformers, busses, etc.) tripped or locked out"? b. Should section 9 state:
"List transmission elements (lines, transformers, busses, etc.) tripped or locked out"? This will align the reporting
criteria with the actual reporting form. 2) Section 13 of the Impact Reporting Form states: "Identify the initial probable
cause or known root cause of the actual or potential Impact Event if know at the time of submittal of Part I of this
report:". Recommend that "of Part I" be removed since there is no Part 2. 3) Every Threshold in attachment 1 gives a
clear measurable bright line, except: “Transmission Loss”. As presently written “Three or more BES Transmission
Elements” could imply that a Report will be required to be submitted if a BES transmission substation is removed from
service to perform maintenance. Or there could be three separate elements within a large substation that are out of
service (and don’t effect each other) that will require a Report. Upon review of the TPL standards, there are normally
planned items that our industry plans for. It is recommended that the Threshold for Reporting of Transmission Loss be
enhanced to read: “Two or more BES Transmission Elements that exceed TPL Category D operating criteria or its
successor”. This threshold now is based on an actively enforced NERC Standard, and each RC and TOP are aware of
what this bright line is.
Yes
Yes
Yes
Yes
Yes
On the Impact Reporting Form, number 7,8,9,10, and 11 have an asterisk (*) but nothing describes what the asterisk
means. Recommend a foot note be added to state: * If applicable to the reported Impact Event.
Group
SRP
Cynthia Oder
Yes
No
Suggest that definition include reference to the fact that this is non-desired occurrence, as the word 'impact' has neither
a positive nor negative implication. This is not a well formed definition as it contains circular references to 'impacted' and
'event' within the definition.
Yes
No
The threshold for Reporting is broad, vague and repetitive. "Three or more BES Transmission Elements" is vague and
could be interpreted as 3 breakers in a large system.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Individual
Eric Salsbury
Consumers Energy
3 - Load-serving Entities, 4 - Transmission-dependent Utilities, 5 - Electric Generators
No
The definition of “Impact Event” seems very vague and nebulous. This definition should be modified to be clear and
concise, such that entities clearly understand what is included within the definition.
No
EOP-004 does not appear to address a reliability need. Reporting “after-the-fact” information such as that described in
“Impact Events” does not do anything to improve Bulk Electric System reliability. Therefore, we recommend that CIP-001 be updated to address sabotage events, and that NERC otherwise rely on the statutory reporting to the DOE that
is represented by OE-417 for any “after-the-fact” information. The remainder of our comments reflects detailed
comments on the posted draft, presuming that our objection represented above will be disregarded.
No
Requirement R1, “Have a plan …” with all of the listed criteria, seems to present a serious compliance risk to applicable
entities without a direct reliability benefit, as long as entities still identify and report relevant events. Ad-hoc
procedures, as discussed within the R1 “Rationale” have been acknowledged within the rationale to be working
effectively, and should remain sufficient without having a documented and by inference, signed, approved, dated
document with revision history (as is being demanded today by compliance auditors wherever a “documented plan” is
specified within the requirements).
No
We understand that DOE is migrating to an on-line reporting facility rather than the email-submitted OE-417. If they do
so, the OE-417 will not be available for providing to NERC, and the reporting specified by EOP-004 will be duplicative
of that for DOE. We recommend that NERC, RFC and the DOE work cooperatively to enable a single reporting system
in which on-line reports are made available to all appropriate parties.
No
1. In reference to the Impact Event addressing “Loss of Firm load for greater than or equal to 15 minutes”, this is likely
to occur for most entities most frequently during storm events, where the loss of load builds slowly over time. In these
cases, exceeding the threshold may not be apparent until a considerable time has lapsed, making the submittal time
frame impossible to meet. Even more, it may be very difficult to determine if/when 300 MW load (for the larger utilities)
has been lost during storm events, as the precise load represented by distribution system outages may not be
determinable, since this load is necessarily dynamic. Suggest that the threshold be modified to “Within 1 hour after
detection of exceeding 15-minute threshold”. Additionally, these criteria are specifically storm related wide spread
distribution system outages. These events do not pose a risk to the BES. 2. Many of the Impact Events listed are likely
to occur, if they occur, at widely-distributed system facilities, making reporting “Within 1 hour after occurrence is
identified” possibly impractical, particularly in order to provide any meaningful information. Please give consideration to
clearly permitting some degree of investigation by the entity prior to triggering the “time to submit” 3. Referring to the
“Transmission Loss” Impact Event, please provide more specificity. Is this intended to address : - anytime that three or
more BES Transmission Elements are out of service, - only when three or more BES Transmission Elements are
concurrently out-of-service due to unscheduled events, - only when three or more BES Transmission Elements are
simultaneously automatically forced out-of-service, or - only when three or more BES Transmission Elements are
forced from service in some proximity to each other? It is not unusual, for a large transmission system, that this many
elements may be concurrently forced out-of-service at widely-separated locations for independent reasons. 4. Referring
to the “Fuel Supply Emergency” Impact Event, OE-417 requires 6-hour reporting, where the Impact Event Table
requires 1-hour reporting. The reporting period for EOP-004-2 should be consistent with OE-417. 5. For that matter, the
SDT should carefully compare the Impact Event Table with OE-417. Where similar Impact Events are listed, consistent
terminology should be used, and identical reporting periods specified. Where the Impact Event Table contains
additional events, they should be clarified as being distinct from OE-417 to assist entities in implementation. Further,
since OE-417 must be reviewed and updated every three years, EOP-004 should defer to the reporting time constraints
within OE-417 wherever listed in order to assure that conflicting reporting requirements are not imposed.
No
We understand that DOE is migrating to an on-line reporting facility rather than the email-submitted OE-417. If they do
so, the OE-417 will not be available for providing to NERC, and the reporting specified by EOP-004 will be duplicative
of that for DOE. We recommend that NERC, RFC and the DOE work cooperatively to enable a single reporting system
in which on-line reports are made available to all appropriate parties.
No
1. In reference to the Impact Event addressing “Loss of Firm load for greater than or equal to 15 minutes”, this is likely
to occur for most entities most frequently during storm events, where the loss of load builds slowly over time. In these
cases, exceeding the threshold may not be apparent until a considerable time has lapsed, making the submittal time
frame impossible to meet. Even more, it may be very difficult to determine if/when 300 MW load (for the larger utilities)
has been lost during storm events, as the precise load represented by distribution system outages may not be
determinable, since this load is necessarily dynamic. Suggest that the threshold be modified to “Within 1 hour after
detection of exceeding 15-minute threshold”. Additionally, these criteria are specifically storm related wide spread
distribution system outages. These events do not pose a risk to the BES. 2. Many of the Impact Events listed are likely
to occur, if they occur, at widely-distributed system facilities, making reporting “Within 1 hour after occurrence is
identified” possibly impractical, particularly in order to provide any meaningful information. Please give consideration to
clearly permitting some degree of investigation by the entity prior to triggering the “time to submit”. 3. Referring to the
“Fuel Supply Emergency” Impact Event, OE-417 requires 6-hour reporting, where the Impact Event Table requires 1-hour reporting. The reporting period for EOP-004-2 should be consistent with OE-417.
No
1. In reference to the Impact Event addressing “Loss of Firm load for greater than or equal to 15 minutes”, this is likely
to occur for most entities most frequently during storm events, where the loss of load builds slowly over time. In these
cases, exceeding the threshold may not be apparent until a considerable time has lapsed, making the submittal time
frame impossible to meet. Even more, it may be very difficult to determine if/when 300 MW load (for the larger utilities)
has been lost during storm events, as the precise load represented by distribution system outages may not be
determinable, since this load is necessarily dynamic. Suggest that the threshold be modified to “Within 1 hour after
detection of exceeding 15-minute threshold”. Additionally, these criteria are specifically storm related wide spread
distribution system outages. These events do not pose a risk to the BES. 2. Many of the Impact Events listed are likely
to occur, if they occur, at widely-distributed system facilities, making reporting “Within 1 hour after occurrence is
identified” possibly impractical, particularly in order to provide any meaningful information. Please give consideration to
clearly permitting some degree of investigation by the entity prior to triggering the “time to submit”. 3. Referring to the
“Fuel Supply Emergency” Impact Event, OE-417 requires 6-hour reporting, where the Impact Event Table requires 1-hour reporting. The reporting period for EOP-004-2 should be consistent with OE-417.
No
1. We appreciate the aggregation of redundant standards on this subject, but have some concerns about the content of
the aggregated standard as listed below and in reference to previous questions on this comment form. 2. It is not clear
whether an event that meets OE-417 reporting criteria but is not defined within EOP-004-2 is an Impact Event; for
example, “loss of 50,000 or more customers for 1 hour or more” is required to be reported to DOE as a OE-417 type 11
event but it is not clear whether EOP-004-2 requires that such events be also reported to NERC. The “Reporting
Hierarchy” flow chart seems to suggest that any OE-417 must still be filed with NERC/RE. If the flow chart is not
consistent with the intent of the Requirements, it must be clarified. 3. NERC implies active involvement of law
enforcement. This assumes that law enforcement has the resources to be involved in an Impact Event investigation
and fulfill the standard reporting requirements. This is an unrealistic expectation as we have experienced first-hand, a
lack of response by law enforcement agencies as their resources shrink due to economic issues. Additionally, NERC is
asking that we place credence in law enforcement, on our behalf, to make a definitive decision about the reporting of
events. Refer to page 6 of EOP-004-2 under “Law Enforcement Reporting”: “…Entities rely upon law enforcement
agencies to respond and investigate those Impact Events which have the potential of wider area affect…” In many
cases, the internal security function must work with system operations personnel to thoroughly understand the system
and the effects of certain events. It is unrealistic to think law enforcement would be in a position to make BES decisions
within the timeframe given without having system operations experience. It is our experience that external agencies do
not understand the integration / inter-connectivity, resiliency, or implications of our energy infrastructure. 4. Within
Michigan, a “Michigan Fusion Center: Michigan Intelligence Operations Center (MIOC)” has been established. - Today,
we share information such as substation issues and identity theft (not internal issues) to the MIOC. The MIOC is
trending incidents on critical infrastructure assets and sectors around the state. The private sector is encouraged to
report to the Fusion Center. If NERC is collecting this type of information for future studies and trending / analysis, they
should coordinate with each state’s Fusion Center.
Individual
Michael Falvo
Independent Electricity System Operator
2 - RTOs and ISOs
Yes
Yes
We do not have any issue with the wording of the definition, but question the need for this definition since by itself the
term is not specific on the types of events that are regarded as having an “impact”. The detailed listing of events that
fall into a reportable event category, hence the basis for the Impact Event, is provided in Attachment A. For that matter,
these events that are to be reported can be called anything. Defining the term Impact Event does not serve the purpose
of replacing the details in Attachment A, and such a term is not used anywhere else in the NERC reliability standards.
In fact, for the term Impact Event to be fully defined, all the elements in Attachment A must become a part of it. We
therefore suggest the SDT to consider not defining the term Impact Event, but rather use words to stipulate the need to
have a plan, to implement the plan and to report to the appropriate entities those events listed in Attachment A.
Yes
We agree since it is more important to report suspicious events than to determine if an event is caused by sabotage
before it gets reported.
No
We disagree with the following inclusion/exclusion of several entities: a. We assess that the applicable entities listed in
Section 4 capture all the entities that are assigned a reporting responsibility in Attachment 1 of the standard. While
some events in Attachment 1 have specific entities identified as responsible for reporting, certain events refer to the
entities listed in specific standards (e.g. CIP-002) as the responsible entities for reporting. The latter results in IA, TSP
and LSE (none of which being specifically identified as having a reporting responsibility) being included in the
Applicability Section. If our reasoning is correct, we question why NERC was dropped from the Applicability Section as
it is an applicable entity identified in CIP-002-3. b. If the above approach was not strictly followed, then we’d suggest
the SDT review the need to include IA, TSP and LSE since they generally do not own any Critical Assets and hence
will likely not own any Critical Cyber Assets.
Yes
Yes
Yes
Yes
Yes
No
R5 stipulates the use of Attachment 2 or the DOE-417, which is the vehicle for reporting only. This is the “how” part, not
the “what”. The vehicle for reporting can easily be included in R2 where an entity is required to implement (execute) the
Operating Plan upon detection of an Impact Event. We suggest the SDT combine R2 with R5.
No
As indicated under Q4, we question the need to include IA, TSP and LSE in the responsible entities for reporting.
No
We do not have any issues with Measures M1, M2 and M4, but have a concern with M3 and a couple of concerns with
M5: M3: This Measure contains a requirement for the Responsible Entities to conduct a mock Impact Event. We
disagree to have this included in the Measure. R3 requires the Responsible Entity to conduct a test of its Operating
Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3. The Measure
should adhere to this condition only. We suggest to change the wording to: The Responsible Entity shall provide
evidence that it conducted a test of its Operating Process for communicating recognized Impact Events created
pursuant to Requirement R1, Part 1.3. The time period between actual and or mock Impact Events shall be no more
than 15 months. Evidence may include, but is not limited to, operator logs, voice recordings, documentation or a report
on an actual Impact Event. M5: a. As suggested above, R5 should be combined with R2; b. If R5 to remain as is, then
M5 goes beyond the requirement in R5 in that it asks for evidence to support the type of Impact Event experienced.
Attachment 2 already requires the reporting entity to provide all the details pertaining to the Impact Event. It is not clear
what kind of additional evidence is needed to “support the type of Impact Event experienced”. Also, the date and time
of the Impact Event is provided in the reporting form. Why do we need to provide additional evidence on the date and
time of the Impact Event?
No
If R5 were to remain as is, then the VRF should be a Lower, not a Medium since R5 stipulates the form to be used. It is
a vehicle to convey the needed information, and as such it is an administrative requirement. Failure to use the form
provided in Attachment 2 or the DOE form does not give rise to unreliability.
We do not have any major issues with the proposed VSLs. However, in view of our comments on some of the
Questions, above, we reserve our comments upon seeing a revised draft.
No
For the purpose of developing and updating an Impact Event Operating Plan, there should not be any requirements
that fall into the Long-term planning horizon. As the name implies, the plan is used in the operating time frame. And
consistent with other plans such as system restoration plan which needs to be updated and tested annually, most of
the Time Horizons in that standard (EOP-005-2) are either Operations Planning or Real-time Operations. We suggest
the Time Horizon for R1, R3 and R4 be changed to Operations Planning.
Yes
Group
Western Electricity Coordinating Council
Steve Rueckert
Yes
No
We question the need for a defined term. It appears that an Impact Event is any event identified in Attachment 1. The
use of the defined term combined with the language of Requirement 2 to implement the Impact Event Operating Plan for
Impact Events listed in Attachment 1 may be confusing. Is an Impact Event any event described by the proposed
definition or is an Impact Event any event listed in Attachment 1?
Yes
Yes
Yes
Yes
Are "Law Enforcement" considered a "Governmental Agency" (they are listed separately and both required) If not, is
there any qualifiers on whether Law Enforcement or Governmental Agency refers to municipal, county, state or federal
or any combination? Since the term "Provincial" is associated with "Governmental" it tends to indicate State level. As it
is written now an auditor would require documentation of “some” Law Enforcement (other than company security) and
an additional communication to at least “some” Agency which could be considered Governmental. Municipal or higher.
Contact with City police or Sheriff and either city or county government rep would satisfy. Additional clarity would
help from a compliance enforcement perspective.
Yes
Yes
Yes
Yes
Yes
Regarding the proposed VSLs for R3, since communication testing involves multiple parties it would be more
appropriate to base severity level on the number of applicable parties which were not tested rather than how long after
15 months it took to do the test. The standard already builds in a 3 month leeway, In reality the way it is written almost
guarantees a lower severity level.
Actual Reliability Impact Table comments: Note that per the NERC glossary "Energy Emergency" only is defined for an
LSE. Energy Emergency is the precursor term in the first three lines. Thus logically an LSE is the only entity which
would be initiating the event and responsible for reporting for first three items. We don't believe that is the intent. We
suggest you consider just eliminating “Energy Emergency” and going with:
• Public appeal for load reduction
• system-wide voltage reduction
• manual firm load shedding
For Loss of Off site power at Nuc Station is reporting really
expected of each of the entities listed? (lots of reports) We suggest you consider just the Nuclear GOP and perhaps the
associated TOP. Perhaps you could use the CIP approach as in the next two rows and say Applicable GOP and
Transmission Entities under NUC-001-2
Potential Reliability Impact Table Comments: For Fuel Supply Emergency,
Forced Intrusion, Risk to BES Equipment, Cyber Security Incident where owner/operator are both listed (GO/GOP or
TO/TOP) could consider perhaps reporting to be assigned to only one rather than both.
Group
PPL Supply
Annette Bannon
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Reporting consistency and timelines may need to be reviewed for example: Fuel Supply Emergency - OE-417 requires
reporting within 6 hours / Attachment 1 Part B requires reporting within 1 hour.
No
Recommendation: Add a column in Attachment 1 to acknowledge the events that require a OE-417 Report and list the
number under Schedule 1 that required the OE-417 Report. This would add accuracy and consistency among reporting
entities.
Yes
Yes
Individual
Kirit Shah
Ameren
1 - Transmission Owners, 3 - Load-serving Entities, 5 - Electric Generators, 6 - Electricity Brokers, Aggregators
No
The original Purpose wording was clear, concise and understandable.
No
The documentation from the SDT included the reliability objective for EOP-004-2 which should be included in the
definition of Impact Event. Our suggested alternate definition for Impact Event: "An Impact Event is any event that has
either caused, or has the likely potential to cause, an outage which could lead to Cascading. Such events will be
identified as being caused by, to the best of the reporting entity's information: (1) equipment failure or equipment misoperation, (2) environmental conditions, and/or (3) human actions." This alternate wording includes the reliability
objective and clarifies the three known, or likely, causes of the Impact Event.
No
The SDT did not further define sabotage as directed by FERC, but instead created a new term that does not address
the order. The Term Impact Event has no clarity or quantitative qualities by which an entity can determine what should
be reported. The use of the phrase "has the potential to impact reliability" has such a vague scope, an auditor can
interpret to mean any "off-normal" condition, which makes this standard impossible to comply with. The SDT should
use the DOE definition of sabotage as follows: Sabotage – Defined by Department of Energy (DOE) as:
• An actual or suspected physical or Cyber attack that could impact electric power system adequacy or reliability
• Vandalism that targets components of any security system on the Bulk Electric System
• Actual or suspected Cyber or communications attacks that could impact electric power system adequacy or
vulnerability, including ancillary systems which support networks (e.g. batteries)
• Any other event which needs to be reported by the Balancing Authority (Transmission Operations) to the
Department of Energy.
Sabotage can be the work of a single saboteur, a disgruntled employee or a
group of individuals.
No
The 1 hour reporting requirement, as referenced in Attachment 1 is inappropriate. In the event an "Impact Event" were to
be discovered the Responsible Entity should focus on public and personnel safety. The reporting requirement should
read "Within 1 hour or as soon as conditions are deemed to be safe." This statement would be applicable to "Damage
or destruction of Critical Asset". The SDT should not put personnel in the position of choosing to either comply with
NERC or address public or co-worker safety. The Time to Submit Report states "within 1 hour after occurrence is
identified". This gives an auditor a wide area to question. If personnel report the occurrence 1 hour after identified, but
24 hours after it occurred, we are subject to the personal beliefs of the auditor that the event was not identified 24 hours
ago, and reported 24 hours late. This will also be difficult to measure as the operator will have to document in the plant
log the time the event was identified, while possibly dealing with Emergency Conditions. In the Note above the Actual
Reliability Impact Table, the SDT identifies that under certain conditions, NERC / RRO staff may not be available for
continuous 24 hour reporting. The SDT should consider the same stipulations apply to operating personnel and they
should not be held to a higher standard than NERC / RRO.
No
The "Responsible Entity" should be limited to those functions with the most oversight such as the BA, RC, or TOP.
Otherwise there will be multiple DOE OE-417 reports sent by multiple entities.
No
See response to question 4.
Yes
The following is a list of our greatest concerns. (1) We are concerned about the lack of definitions and use of critical
non-capitalized terms. As an example, there is a reportable Impact Event if there is a +/- 10% Voltage Deviation for 15
minutes or more on BES Facilities. As a first example, why is the term Voltage Deviation capitalized when it is not in
the NERC Glossary and not proposed to be added? Where is the deviation measured - at any BES metering device?
What is the deviation to be reported - the nominal voltage? the high-side of the Voltage Schedule? the low-side of the
Voltage Schedule? the generator terminals? when a unit is starting up? All of these are possible interpretations, but <
1% of them would ever result in a Cascading outage - which is the reliability objective of this Standard. A second
example is a Generation loss. The threshold for reporting is 2,000 MW, or more, for the Eastern or Western
Interconnection. Is this simultaneous loss of capacity over the entire Interconnection? Or, cumulative loss within 1
hour? Or, cumulative loss within 24 hours? How many individual GOPs have responsibility for > 2,000 MW? It seems
this would more effectively apply only to an RC and/or BA. The likelihood that one GOP would lose that much
generation at once is probably remote. A third example would be the damage or destruction of BES equipment event.
The term "equipment" was left lower case with a footnote explanation that includes "…due to intentional or
unintentional human action…". This is likely to require the determination of intent by the human involved, which will
almost certainly be impossible to determine within the 1 hour reporting time. Also, what is the definition of the terms
"damage" and "destruction"? Once again, if the reliability intent is to ONLY report Events that have a likely chance of
leading to Cascading, this will greatly reduce the potentially enormous reporting burden that could result without this
type of clarification. (2) Without a very thorough understanding of the definitions of the terms requiring reporting, the 1
hour reporting constraint on most events will likely require that we frequently overreport events to minimize any chance
of non-compliance. A webinar explaining expected reporting requirements would be very useful and valuable. It is also
unclear why so many Impact Events require such a short reporting time period. There will almost certainly be many
times at 2:00 AM on a weekend when experts and the appropriate personnel will be available to quickly analyze an
event and decide, within 1 hour, if a report is necessary. (3) Have all the new Impact Event reporting requirements
been checked against reporting requirements from other Standards? For example, the Voltage Deviation Event would
appear to potentially overlap/conflict with instructions from a TOP for VAR-002 compliance. Since VAR-002-2 is now in
draft, has the SDT worked with that Team to determine if the requirements dovetail?
Individual
Kathleen Goodman
ISO New England, Inc
2 - RTOs and ISOs
No
The purpose states “To improve industry awareness and the reliability of the Bulk Electric System by requiring the
reporting of Impact Events and their causes, if known, by the Responsible Entities.” Awareness by who in the industry?
No
We question the need for this definition since by itself the term is not specific on the types of events that are regarded
as having an “impact”. The detailed listing of events that fall into a reportable event category, hence the basis for the
Impact Event, is provided in Attachment A. For that matter, these events that are to be reported can be called anything,
or just simply be titled “Event to be Reported” without having to define them. Defining the term Impact Event does not
serve the purpose of replacing the details in Attachment A, and such a term is not used anywhere else in the NERC
reliability standards. In fact, for the term Impact Event to be fully defined, all the elements in Attachment A must
become a part of it. We therefore suggest the SDT to consider not defining the term Impact Event, but rather use words
to stipulate the need to have a plan, to implement the plan and to report to the appropriate entities those events listed
in Attachment A. If the SDT still wishes to retain a definition despite our reservations noted above, we strongly suggest
an improvement. The proposed definition of Impact Event is overly broad because of the use of “potential to impact”
and the “Such as” list. Consider that routine switching has the potential to result in a mis-operation. In that regard most
routine switching could be interpreted as an impact event. The “Such as” list should be struck and “potential” language
should be struck. An alternative definition to consider: An Impact Event is any deliberate action designed to reduce
BES reliability; unintended accident that could result in an Adverse Reliability Impact; or an unusual natural event that
causes or could cause an Adverse Reliability Impact.
Yes
We agree since it is more important to report suspicious events than to determine if an event is caused by sabotage
before it gets reported.
No
We disagree with the following inclusion/exclusion of several entities: a. We acknowledge that the applicable entities
listed in Section 4 capture all the entities that are assigned a reporting responsibility in Attachment 1 of the standard.
While some events in Attachment 1 have specific entities identified as responsible for reporting, certain events refer to
the entities listed in specific standards (e.g. CIP-002) as the responsible entities for reporting. The latter results in IA,
TSP and LSE (none of which being specifically identified as having a reporting responsibility) being included in the
Applicability Section. If our reasoning is correct, we question why NERC was dropped from the Applicability Section as
it is an applicable entity identified in CIP-002-3. b. If the above approach was not strictly followed, then we’d suggest
the SDT review the need to include IA, TSP and LSE since they generally do not own any Critical Assets and hence
will likely not own any Critical Cyber Assets. c. There is still significant duplicate reporting included. For instance, why
do both the RC and TOP report voltage deviations? As written, a voltage deviation on the BES would require both to
report. The same would hold true for IROLs. Perhaps IROLs should only be reported by the RC to be consistent with
the recently FERC approved Interconnection Reliability Operating Limit standards.
Yes
No
We do not believe that the use of the Operating Process, Operating Procedure, and Operating Plan for a reporting
requirement is consistent with their definitions nor with the intent of the definitions. For instance, an Operating Process
is intended to meet an operating goal. What operating goal does this requirement meet? An Operating Procedure
includes tasks that must be completed by “specific operating positions”. This reporting requirement could be met by
back office personnel. We suggest that R1.3.2 delete the list of entities to notify. The terms used to identify who to
notify are not defined terms and can lead to subjective interpretations. As written, the requirement does not aid the
Applicable entity or the Compliance enforcers in clearly including or excluding who to notify. We also believe that parts
1.3 and 1.3.2 under Requirement 1 will require notification of law enforcement agencies for all Impact Events defined in
Attachment 1. While some should require notification to law enforcement such as when there has been destruction to
BES equipment, others certainly would not. For instance, law enforcement does not need to know that an IROL
violation, generation loss or voltage deviation occurred. We believe the reporting time lines are too aggressive for some
events. Reporting events within an hour is not reasonable as an entity may still be dealing with the event. This will be
particularly difficult when support personnel are not present such as during nights, holidays and weekends. We further
suggest that an explicit statement that “reliable operations must ALWAYS take precedence to reporting times” be
included in the standard.
No
Fuel Supply Emergency is not a defined condition. We suggest that the SDT poll the ballot body regarding the reporting
of Fuel Supply Emergencies. Fuel Supply is an economic consideration and the concept of Fuel Supply Emergency is
subjective. A resource that uses coal or oil may vary its supplies based on economic considerations (the price of the
fuel). For a conservative BA a fuel-on-demand supply line can be viewed as a fuel supply emergency whereas the
resource owner sees the matter as good business. Moreover, the release of such reports to the public can have
unintended consequences. Fuel disruptions caused by contract negotiations when reported to the public can result in
non-union transportation employees being physically harmed by fuel supply organizers thus resulting in the loss of non-contract fuel. Further, this information may aggravate the situation by causing the cost of fuel to be inflated by suppliers
when demand is great. If this event is not deleted, then we would suggest that the definition be constrained to
“declared” fuel supply emergencies. Suggest the deletion of category: Risk to BES equipment. Because of the broad
definition of BES, the risk to BES equipment is overly broad and can be applied to any risk to any “part of” any BES
asset. The footnote helps identify what the SDT was intending, however, the words themselves can result in overly
broad findings by compliance enforcement people.
No
We appreciate and agree with the drafting team's recognition that actual implementation of the plan for a real event
should qualify as a “test”. However, we are concerned that review of this requirement in isolation and without the
benefit of the background material and information provided by the drafting team may cause a compliance auditor to
believe that a test cannot be met by actual implementation. Furthermore, we do not believe testing a reporting
procedure is necessary. Periodic reminders to personnel responsible for implementing the procedure make sense but
testing it does not add to reliability. If they don’t report an event, it will become obvious to compliance auditors.
Recommend using language similar to CIP-009. “Each Responsible Entity shall conduct an exercise of its operating
process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 at least annually,
with no more than 15 calendar months between exercises. An exercise can range from a paper drill, to a full
operational exercise, to reporting of actual incident.” Also, we question the need to conduct a test annually. Since this is
only a reporting Standard and, as such, has no direct impact on reliability, we suggest modifying the testing
requirement to once every three years.
Yes
No
R5 stipulates the use of Attachment 2 or the DOE-417, which is the vehicle for reporting only. This is the “how” part, not
the “what”. The vehicle for reporting can easily be included in R2 where an entity is required to implement (execute) the
Operating Plan upon detection of an Impact Event. We suggest the SDT combine R2 with R5.
No
As indicated under Q4, we question the need to include IA, TSP and LSE in the responsible entities for reporting. There
is still significant duplicate reporting included. For instance, why do both the RC and TOP report voltage deviations?
As written, a voltage deviation on the BES would require both to report. The same would hold true for IROLs. Perhaps
IROLs should only be reported by the RC to be consistent with the recently FERC approved Interconnection Reliability
Operating Limit standards. Also, the CIP reporting requirements duplicate what is already contained in the CIP
Standards, specifically CIP-008. Also, we are required to intentionally destroy Critical Cyber Assets when they are
retired, why would we be required to report this?
No
We do not have any issues with Measures M1, M2 and M4, but have a comment on M3 and a couple of concerns with
M5: M3: This Measure contains a requirement for the Responsible Entities to conduct a mock Impact Event. We
disagree to have this included in the Measure. R3 requires the Responsible Entity to conduct a test of its Operating
Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3. The Measure
should adhere to this condition only. We suggest to change the wording to: The Responsible Entity shall provide
evidence that it conducted a test of its Operating Process for communicating recognized Impact Events created
pursuant to Requirement R1, Part 1.3. The time period between actual and or mock Impact Events shall be no more
than 15 months. Evidence may include, but is not limited to, operator logs, voice recordings, documentation or a report
on an actual Impact Event. M5: a. As suggested above, R5 should be combined with R2; b. If R5 is to remain as is, then
M5 goes beyond the requirement in R5 in that it asks for evidence to support the type of Impact Event experienced.
Attachment 2 already requires the reporting entity to provide all the details pertaining to the Impact Event. It is not clear
what kind of additional evidence is needed to “support the type of Impact Event experienced”. Also, the date and time
of the Impact Event is provided in the reporting form. Why do we need to provide additional evidence on the date and
time of the Impact Event? c. We disagree with Measurement 4. It implies that the review must be conducted in person.
Why couldn’t other means such as web training or a reminder memo not satisfy the requirement?
No
If R5 is to remain as is, then the VRF should be a Lower, not a Medium since R5 stipulates the form to be used. It is a
vehicle to convey the needed information, and as such it is an administrative requirement. Failure to use the form
provided in Attachment 2 or the DOE form has no impact on reliability. All violation risk factors should be Lower. All
requirements are administrative in nature. While they are necessary because a certain amount of regulatory reporting
will always be required, a violation will not in any direct or indirect way affect reliability.
We do not have any major issues with the proposed VSLs. However, in view of our comments on some of the
Questions, above, we reserve our comments upon seeing a revised draft.
No
For the purpose of developing and updating an Impact Event Operating Plan, there should not be any requirements
that fall into the Long-term planning horizon. As the name implies, the plan is used in the operating time frame. And
consistent with other plans such as system restoration plan which needs to be updated and tested annually, most of
the Time Horizons in that standard (EOP-005-2) are either Operations Planning or Real-time Operations. We suggest
the Time Horizon for R1, R3 and R4 be changed to Operations Planning. The Time Horizon for R2 and R5 should be
changed to Operations Assessment since they both deal with after the fact reporting.
Yes
Under the “Law Enforcement Reporting” it is stated “The Standard is intended to reduce the risk of Cascading involving
Impact Events. The importance of BES awareness of the threat around them is essential to the effective operation and
planning to mitigate the potential risk to the BES.” We question whether a reporting standard can “reduce the risk of
cascading” and wonder if the reference to the threat “around them” refers to law enforcement? We would expect that
the appropriate operating personnel are the only entities that would be able to mitigate the potential risk to the BES. As
it currently stands there is a potential duplication between the reporting requirements under EOP-004-2 (i.e.
Attachment 2 Form) and the ERO Event Analysis Process that is undergoing field test (i.e. Event Report Form). This
will result in entities (potentially multiple) reporting same event under two separate processes using two very similar
forms. Is this the intent or will information requirements be coordinated further prior to adoption in order to meet the
declared objective that the impact event reporting under EOP-004 be “the starting vehicle for any required Event
Analysis within the NERC Event Analysis Program”?
Individual
Deborah Schaneman
Platte River Power Authority
1 - Transmission Owners, 3 - Load-serving Entities, 5 - Electric Generators, 6 - Electricity Brokers, Aggregators
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Group
Pacific Northwest Small Public Power Utility Comment Group
Steve Alexanderson
Yes
No
We believe that facilities used in the local distribution of electric energy should be excluded from these requirements
due to the language of 16 U.S.C. § 824o(a)(1) and 16 U.S.C. § 824o(i)(1).
Yes
No
1.4 makes no sense. The operating plan update and the change to its content occur simultaneously. Perhaps the SDT
meant to say “Provision(s) for updating the Impact Event Operating Plan within 90 days of identification of a needed
change to its content.” This would be consistent with the “lessons learned” language of the prior version.
Yes
Yes
Yes
Yes
No
The comment group is composed of smaller entities that do not all maintain 24/7 administrative support. While many of
the 1 hour reporting thresholds do not affect us, some do. Others may come into play as standards are revised, such
as the CIPs. We ask the SDT to consider the identification or verification that starts the clock on these may come at
inopportune times for meeting a one hour deadline for these entities. Restoration may be delayed in an attempt to meet
these time limits. Safety should always be the number one priority, and restoration and continuity of service second.
We see reporting of these events much further down the list. We note that FERC order 693, paragraph 471 does not
dictate a specific reporting time period and therefore we suggest timing requirements that promote situational
awareness but allow smaller entities needed flexibility. FERC order 693, paragraph 470 directed the ERO to consider
“APPA’s concerns regarding events at unstaffed or remote facilities, and triggering events occurring outside staffed
hours at small entities.” Our comment group does not believe the SDT has adequately responded to APPA’s concerns
but rather took the 1 hour Homeland security requirement referenced in paragraph 470 verbatim. While a report within
an hour might be ideal, it is not always practicable. We suggest: 1) as soon as possible after service has been restored
to critical services within the service territory, or 2) By the COB the first business day after discovery. Our comment
group realizes the difficulty in wording standards/requirements that lump small entities in with larger ones and we
believe our suggestion achieves some balance. Expecting smaller entities to achieve timing requirements that can only
be normally met under ideal conditions at large entities is not feasible or fair.
No
It is unclear when reporting to the Compliance Enforcement Authority is required. Does the registered entity report
initially, and then anytime a change to the plan is made, or a drill is performed? Or is the information only provided
following a request of the Compliance Enforcement Authority, and if so what is the acceptable time limit to respond?
All five requirements refer to Attachment 1 Part A either directly, or indirectly by referring to R1 plans. Attachment 1
Part A, though, only provides the thresholds required for reporting (R5). No thresholds are provided for planning (R1) or
the requirements referencing the plan (R2-R4). Strictly interpreted, an entity would be required to plan for any amount
of firm load loss exceeding 15 minutes (for example), implement the plan for any amount and then report only those
events that exceeded the applicable 200 or 300 MW level. An entity that had a peak load of less than 200 MW would
still need to meet R1-R4 regarding load loss. We believe the SDT intended to use common thresholds for all the
requirements. Suggest relabeling the Attachment 1 Part A column header from “Threshold for Reporting” to
“Threshold.” We also fail to see how an entity’s size in MWh affects the threshold for reporting firm load loss.
Group
PSEG Companies
Patricia Hervochon
Yes
Yes
Yes
No
The PSEG Companies believe the defining language, roles and responsibilities outlined in Attachment 1 are unclear
and inconsistent. For example fuel supply emergency reporting footnote 2 “Report if problems with the fuel supply
chain result in the projected need for emergency actions to manage reliability” attempts to clarify the condition for
reporting but does not. Whose “emergency actions” are being referred to in the footnote? It is not clear if those actions
would be related to the specific station or the overall Bulk Electric System (BES). Can this be interpreted to imply a gas
supply issue to one generating station as the result of pipeline maintenance, or local pressure issues would also
require reporting? The PSEG Companies believe the definition of a fuel supply emergency needs to be more specific
and less open to broad interpretation. In addition, the “Time to Submit Report” section of attachment 1 has a significant
number of changes from the previous version. Accelerating the twenty four (24) hour to one (1) hour requirement for
submitting the reports for several of the events takes resources away from managing the actual event. For the above
comments failure to submit a report within 1 hour is a high or severe VSL for a fuel supply emergency. This approach
seems inconsistent with ensuring the operation and reliability of the BES. One (1) hour reporting, in most cases, is not
adequate time to compile the needed information, prepare report, ensure the accuracy, submit, and simultaneously
manage the actual event. We recommend 24 hour reporting for: Damage or destruction to BES, Fuel Supply
Emergency, Forced Intrusion, and Risk to BES equipment sections of Attachment 1.
Yes
No
The PSEG Companies believe that sections 1.3 and 1.3.2 will require notification of law enforcement agencies for all
Impact Events defined in Attachment 1. This is appropriate for some events if there has been destruction to BES
equipment, for example, but not in certain operational events. It should not be necessary to notify law enforcement that
a non sabotage event like an IROL violation, generation loss or voltage deviation has occurred.
No
Fuel supply emergency, as discussed in response to question 4 above, is not a defined condition. This event should be
removed.
Yes
Yes
Yes
No
For the reasons cited in response to question 4 above the language roles and responsibilities remain inconsistent and
unclear. The Time to Report changes are unreasonable and there is significant duplicate reporting required.
Yes
No
If Requirements 1-5 remain intact the Violation Risk Factor should be reduced to a Lower not a Medium since this is an
administrative requirement and does not impact the reliability of the BES.
Individual
Phil Porter
Calpine Corp
5 - Electric Generators
No
The purpose has moved significantly from the originally approved SAR. The purpose should focus on reporting
requirements for reporting electrical disturbances to the Bulk Electric System that exceed specific thresholds.
Sabotage/vandalism/theft are a subset of the reportable events that could have or do cause a Bulk Electric System
Electrical Disturbance. The Standard’s content should focus on setting requirements to report specific types of
electrical disturbance events and providing guidance for performing that reporting. Alternative language: Purpose: To
establish reporting requirements for events that either cause, or have the potential to cause, significant disturbances on
the Bulk Electric System.
No
Adding a definition for “Impact Event” is unnecessary and does not provide useful clarification of the actual reporting
requirement for events that either impact the Bulk Electric System or have the potential to impact the Bulk Electric
System. The all-encompassing nature of the proposed definition seems to conflict with the finite listing of events that
actually require reporting. Although FERC specifically requested additional clarification of the term “sabotage” to clarify
reporting requirements, the Drafting Team is correct in noting that “sabotage” implies intent and that the intent of
human acts is not always easily determined. The fact that intent is not always determinable within the reporting
timeframe can be dealt with more simply by requiring (in attachment 1) that human intrusions that have not been
identified within the reporting timeframe as theft or vandalism should be reported as potential sabotage pending further
clarification. This approach negates the need for an additional definition that may cause confusion regarding which
events are reportable and eliminates the potential for under-reporting based on the assumption that the cause might be
theft or vandalism.
No
The additional definition for “Impact Event” is unnecessary and does not provide useful clarification regarding actual
reporting requirements. Sabotage, whatever the exact definition used, implies intent to damage or disrupt. The
committee correctly notes that determination of actual intent is not always readily available. However, adding a general
expansive definition that encompasses all events that might disrupt the Bulk Electric System does not add clarity to the
types of events that require reporting – which are listed in detail in Attachment 1. The issue can be more simply
addressed by replacing the item “Human Intrusion” on Attachment 1, as follows: Event: Sabotage (note 3) Entity with
Reporting Responsibility: All affected Responsible Entities listed in the Applicability Section of this Standard. Threshold
for Reporting: Forced Intrusions at a BES facility that have not been determined within the reporting period to be theft
or vandalism that does not affect the operability of BES equipment. Note 3 For purposes of reporting under Attachment
1, reportable sabotage includes all forced intrusions at BES facilities that have potential to cause, or cause, any of the
disturbance events listed in Attachment 1 and have not been determined to be theft or vandalism that did not result in
any event listed in Attachment 1. Responsible Entities are not required to report incidents of theft or vandalism that do
not result in disturbance events. This approach also eliminates the need to reference copper theft as a particular type
of theft that does not require reporting.
No
Expanding the current applicability of CIP-001-1 and EOP-004-1 to the GO function is unnecessary and will result in
numerous duplicate reports, self-certifications, spot checks, and audit reviews, with no benefit to the reliability of the
Bulk Electric System. The GOP is the appropriate applicable entity for generation facilities.
Yes
No
In the “Rationale for R1”, the draft states “Every industry participant that owns or operates elements or devices on the
grid has formal or informal process, procedure, or steps it takes to gather information regarding what happened and
why it happened when Impact Events occur. This requirement has the Registered Entity establish documentation on
how that procedure, process, or plan is organized.” Absent substantial evidence that the proposed requirement
addresses an actual systemic problem with the “formal or informal process, procedure, or steps it takes” for internal
and external evaluation and notification of items listed in Attachment 1, there is no obvious need for this additional
paperwork burden, which in most cases will result in a written procedure that documents another existing written
procedure or procedures, that will be maintained for the sole purpose of demonstrating compliance with the
requirement. Failure to properly report events is currently sanctionable under CIP-001-1 and EOP-004-1 and will
continue to be sanctionable under proposed EOP-004-2. Adding a requirement to implement an “Impact Event
Operating Plan”, “Operating Procedure”, and “Operating Process” is unnecessary. However, if the requirement is
maintained, the related Measure M1 should state in plain language exactly what elements are required for compliance.
Statements such as “The Impact Event Operating Plan may include, but not be limited to, the following…” beg the
question regarding what other elements are required to demonstrate compliance. As written, M1 requires that entities
provide an “Impact Event Operating Plan”, but does specify the required elements of the plan. In the absence of much
more detailed instruction on exactly what elements must be included in the various documents, the proposed
requirement will create confusion with both compliance and enforcement of the requirement. An example of each of the
various required documents would be helpful. Any difficulty in developing such an example would be instructive of the
probable compliance issues that would ensue from the necessarily varying approaches taken by disparate entities
attempting to meet the requirement.
No
Requirement R2 is unnecessary for the same reasons listed above in answer to question 6 regarding Requirement R1.
A new Reliability Standard requirement is not needed to verify that internal notifications are made within Registered
Entities or to ensure that Registered Entities notify local law enforcement of suspicious activity, sabotage, theft, or
vandalism. Such notifications are made by any company, and this requirement does not clearly enhance the reliability
of the Bulk Electric System. Requirement R5 provides sanction in the event that events listed in Attachment 1 are not
made appropriately. However, if the requirement is maintained, the related Measure M2 should state in plain language
exactly what elements are required for compliance. In the absence of much more detailed instruction on exactly what
elements must be included in the various documents, the proposed requirement will create confusion with both
compliance and enforcement of the requirement. A detailed example of example documentation would be helpful. Any
difficulty in developing such an example would be instructive of the probable compliance issues that would ensue from
the necessarily varying approaches that would be taken by disparate entities attempting to meet the requirement.
No
Absent substantial evidence that the proposed requirement addresses an actual systemic problem with actual submittal
of reports of electrical disturbances, Requirement R4 should be removed. Failure to properly report events is currently
sanctionable under CIP-001-1 and EOP-004-1 and will continue to be sanctionable under proposed EOP-004-2.
Entities are capable of implementing procedures appropriate to ensure compliance with the actual reporting
requirements without the addition of this “test”. Alternately, if this requirement for annual tests is retained, it should be
supplemented with a detailed example of an acceptable test and acceptable documentation of the test to avoid future
compliance and enforcement issues. Stating “evidence may include, but is not limited to...” provides broad and
unnecessary opportunity for future compliance and enforcement issues. Any difficulty the committee might encounter in
developing such a detailed example would be instructive of the probable compliance and issues that would ensue from
implementation of the requirement.
No
Failure to properly report events is currently sanctionable under CIP-001-1 and EOP-004-1 and will continue to be
sanctionable under proposed EOP-004-2. Entities are capable of implementing procedures appropriate to ensure
compliance with the actual reporting requirements without the addition of a formal requirement to annually review their
internal procedures with personnel. In the unlikely event that an entity cannot attain this level of operating competence
without implementation of a new requirement, such Entities would be subject to enforcement under Requirement R5.
Absent substantial evidence of systemic problems by Entities in contacting local law enforcement properly or failures to
complete event reports to appropriate agencies when provided with clear guidance on the events to be reported, this
requirement is unnecessary.
No
The use of DOE OE-417 is acceptable, but the language of Requirement R5 should be modified. The disturbance
event form must be filled out correctly, irrespective of the requirements of an Entity’s “Impact Event Operating Plan”.
Reference to that Plan does not add clarity to the requirement to report events. The requirement should delete the
reference to the “Impact Event Operating Plan” and simply state: Each Responsible Entity shall report events listed in
Attachment 1 using the provided form, or where also required to complete the current version of DOE OE-417, that
form. Although one of the primary stated purposes of the original SAR was to simplify the reporting process by creating
a single form, the fact that some entities are already required to report substantially identical information to DOE argues
for retention of the use of the DOE form.
No
1. Additional clarity on the nature of reportable “Fuel Emergencies” is needed. Does loss of interruptible gas
transportation require reporting? 2. Additional clarity on the threshold for “damage or destruction of BES equipment” is
needed. Footnote 1 on page 16 states, in part “Significantly affects the reliability margin of the system (e.g. has the
potential to result the need for emergency actions”. For generating facilities, does this statement refer specifically to the
parallel requirement to report any loss of generation >= 2,000 in the Eastern or Western Connection or >= 1,000 in the
ERCOT or Quebec Interconnection? If not, exactly what level of damage at a generating plant requires reporting? Use
of imprecise terms such as “significantly” sets the stage for future compliance and enforcement confusion. 3. Additional
clarity is required for “Detection of reportable Cyber Security Incident". Is this item intended to apply only to Critical
Cyber Assets, or is it an extension of the requirement to all applicable entities irrespective of their Critical Asset status?
If it applies only to Critical Cyber Assets, does this reporting requirement create redundant reporting (as reporting is
already required under CIP-008-4)? CIP-008-4 requires reporting only of events affecting Critical Cyber Assets. If a
more expansive application is intended, what equipment or systems are to be included in the reporting requirement?
No
Requirements R1, R2, R3, and R4 are unnecessary, as discussed above. The measure for Requirement R5 should
focus on the need to report accurately and promptly, not on a Responsible Entity’s “Operating Plan”. If the
Requirements are retained, the measures should state in much greater detail what actions and documentation are
required for compliance.
No
Requirements R1, R2, R3, and R4 are unnecessary, as discussed above. If retained, the violation risk factors should
be low for those Requirements, as they all simply support the requirement to actually report correctly stated in
Requirement R5.
No
Requirements R1, R2, R3, and R4 are unnecessary, as discussed above. If retained, the violation risk factors should
be low for those requirements, as they all simply support the requirement to actually report correctly stated in
Requirement R5.
Focusing on reporting of actual disturbance events as listed in Attachment 1 based on potential or actual impact to the
Bulk Electric System will provide maximum benefit to system reliability without adding needless levels of new
documentation generated to demonstrate compliance. Absent significant evidence of systemic problems in the industry
with past reporting attributable to causes other than a lack of clear guidance on the types of events that require reporting,
the proposed Standard should focus on the single issue of correct reporting, without attempting to micromanage how
Entities internally manage such reporting.
Group
Dominion
Louis Slade
No
It is not evident how Impact Event reporting will “improve industry awareness” as suggested in the Purpose Statement.
The transfer of Requirement R8 (ERO quarterly report) to the Rules of Procedure (paragraph 812) invalidates that
claim within the context of this standard. Suggest removing this phrase from the Purpose Statement.
Yes
Dominion agrees with the proposed definition of Impact Events, but notes the use of the phrase “has the potential to
impact” is somewhat subjective. The concern being a Responsible Entity makes a judgment on an event’s potential
impact that is viewed differently after-the-fact by an auditor.
Yes
No
1) Several of the events require filing a written Impact Event report within one hour. System Separation, for example, is
going to require an “all hands on deck” response to the actual event. We note that the paragraph above Attachment 1,
Part A indicates that a verbal report would be allowed in certain circumstances, but this is the same issue with the
formal report in that the system operators are concerned with managing the event and not the reporting requirements.
Another example would be the Loss of Off-site power to a nuclear generating plant. Suggest reconsideration of one
hour reporting requirement for events requiring extensive operator actions to mitigate; 2) Several events seem to have
the “Threshold for Reporting” contained in footnotes rather than in the table. For example, Damage or destruction of
BES equipment – Footnote 1, Fuel supply emergency – Footnote 2, etc. Suggest moving the actual threshold into the
table; 3) If one hour reporting remains as indicated in Attachment 1; align/rename events similar to that of the ‘criteria
for filing’ events listed in DOE OE-417 for consistency.
Yes
No
The requirement for Responsible Entities to establish an Impact Event Operating Plan, Operating Process, and
Operating Procedure seems overly cumbersome and prescriptive. The use of these NERC defined terms creates
additional compliance burden for little, if any, improvement to reliability. Suggest simplification by requiring the
Responsible Entities to have a procedure to report Impact Events, to the appropriate parties, pursuant to EOP-004. In
addition, we request clarification of R1.4. It seems circular to us in that it requires the plan to be updated within 90 days
of when it changes. Is the intent that any necessary changes identified in the annual review required by R4 be
incorporated in a revision to the plan within 90 days of the review? If so, R1.4 belongs under R4. If not, we do not
understand the requirement. What starts the 90 day count down?
Yes
Dominion agrees subject to the comments provided in Question #6. In addition, Requirement R2 appears duplicative of
Requirement R5. Suggest R2 be clarified relative to the intent.
No
The need to conduct a test of its Operating Process has not been established and is overly restrictive given that the
purpose of the standard is to report Impact Events.
No
The need to periodically review its Impact Event Operating Plan has not been established and is overly restrictive
(annually) given that the purpose of the standard is to report Impact Events. Suggest removing this requirement.
No
Dominion does not agree because the Requirement is too restrictive giving the Responsible Entity the choice on
reporting forms as either Attachment 2 or DOE OE-417. The use of Attachment 2 or DOE OE-417 may be appropriate
when reporting to NERC, however, Requirement R 1.3.2 requires the Responsible Entities Impact Event Operating
Plan to address notifications to non-NERC entities such as Law Enforcement or Governmental Agencies. It is likely that
these organizations have specific reporting requirements or forms that will not line up with the options prescribed in
Requirement R5. Suggest revising Requirement R5 to not require the use of these two forms as the only options. If
these 2 forms are used; suggest aligning the Event names in Attachment 1 to be similar to the ‘criteria for filing’ event
names in the DOE OE-417 to allow for consistency. Also suggest aligning the ‘time to submit’ for similar event names
in each form.
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable entity to
report the event. This is duplicative and would appear to overburden the reporting system. 2) Loss of off-site power
(grid supply) reporting for nuclear plants is duplicative of reporting done to satisfy NRC requirements. Given the activity
at a nuclear plant during this event, this additional reporting is not desired. 3) Cyber intrusion remains an event that
would need to be reported multiple times (e.g., this standard, OE-417, NRC requirements, etc.). 4) Since external
reporting for other regulators (e.g., DOE, NRC, etc.) remains an obligation of the Applicable Entity, suggest that
Attachment 1 only contain impact events as defined in the current version of EOP-004.
No
1) M1 is open ended. Suggest adding “on request” to the end of the sentence as written; 2) M4 requires evidence of
“when internal personnel were trained”; however, Requirement R4 does not require training.
No
All the VRFs are "Medium". Since the requirements deal with after-the-fact reporting and the administration of reporting
plans, procedures, and processes; all VRFs should be "Lower".
Yes
Yes
Dominion agrees with the Implementation Plan; however, notes that the title for EOP-004-2 is inconsistent with the
actual proposed standard.
The following comments are provided on the Reporting Hierarchy for Impact Events EOP-004-2: 1) A reference to
sabotage still exists in a “decision block”; 2) The “entry block” only specifies “actual Impact Events” and does not
address “potential”; 3) Hierarchy is misspelled in the title. Attachment 2: Impact Event Reporting Form; in questions 7,
8, 9, 10, 11 what is the purpose of the *(asterisk) behind each Task that is named?
Individual
Bill Keagle
BGE
1 - Transmission Owners
No
BGE believes that using the term “Impact Events” as currently defined is too vague. An alternative statement would be
“… requiring the reporting of events listed in Attachment 1 and their causes, if known …” and making the definition
change as noted in question 2.
No
Change the definition of “Impact Event”, to add the following phrase to the definition “Any event (listed in Attachment 1)
which has either…”. Also, the phrase “… or has the potential to impact the reliability…” is too vague and broad. Such a
broad statement is unhelpful in clarifying entities’ compliance obligation and potentially creates conflicted reporting
between entities. A clear statement of how the reliability is affected should be used, i.e., results in contingency
emergency situation or IROL.
Yes
No comments.
Yes
No comments.
Yes
No comments.
No
This seems overly restrictive in its use. Requirement is now telling entities how to resolve situations, not giving them a
requirement to resolve the situation.
Yes
No comments.
No
Requirement 3 (formerly R4) should be removed altogether because it is covered by the new R4. The topic of
Disturbance Reporting is covered several times each year during operator training classes and the operators are tested
on the material. Actual issued Disturbance Reports throughout the year are also covered during training class.
Yes
No comments.
No
Language needs to be more specific on when to use Attachment 2 or DOE-OE-417.
No
For the following Events (Damage or destruction of BES equipment, Damage or destruction of Critical Asset, and
Damage or destruction of a Critical Cyber Asset), submitting a report within 1 hour after occurrence is identified is too
short of a time frame. Generally, the initial time period is spent in recovering from the situation and restoring either
electric service or restoring computer services to assure proper operations. To distract from the restoration to normal
activities to focus on a report would be detrimental to reliability. Notification of an event may perhaps be made by
phone call within 1 hour but completing a report should be required no less than 6 or 12 hours. Determining a cause
(especially external or intentional) could take longer than 1 hour to determine and complete a report. It is important to
consider the imposition created by a compliance obligation and weigh it against the other demands before the operator
at that time. A compliance obligation should avoid becoming a distraction from reliability related work. Under impact
event type scenarios, in the first hour of the event, the primary concern should be coping with/resolving the event.
No position or comments.
Yes
No comments.
Yes
No comments.
No position or comments.
Yes
No comments.
Please provide a Mapping Document which shows where the four CIP-001 requirements map to in the new EOP-004-2, and note if any of the CIP-001 requirements have been eliminated. A Mapping Document was provided during the
first Comment Period, but not during the second Comment Period. A Mapping Document will be very helpful to
companies in aligning standard owners in reviewing this proposal and in transitioning compliance programs when the
revised standard is approved.
Group
We Energies
Howard Rulf
Yes
No
From an on-line dictionary, an event is “something that happens”. Combined with the phrase “has the potential to
impact” and the definition of Impact Event would include every routine operation performed by any entity. Taking a
generator on or off line, switching a transmission line in or out, traffic driving past a substation, all have the “potential to
impact” the BES. The Impact Event definition is overly broad and needs to be significantly narrowed.
Yes
No
Attachment 1: From the NERC Glossary, an Energy Emergency: A condition when a Load-Serving Entity has
exhausted all other options and can no longer provide its customers’ expected energy requirements. The first four
events listed can only apply to an LSE. Loss of Firm Load for >15 Minutes: By the NERC Glossary definitions of DP
and LSE, the LSE would seem to be more appropriate than the DP. With the proposed one-hour reporting requirement,
the industry would be undertaking significant regulatory risk with respect to timely reporting. The requirement to report
the crime-based events in the field within one hour, as shown in Attachment 1 Part A or Part B will be difficult. We could
even discover a theft in progress with the suspect trapped inside the substation fence and the police attempting to
make a safe arrest. We need more reporting time, especially when they have not even resulted in an outage. The
industry is keenly interested in understanding the benefit of taking on the risk. What analysis, insight, warnings or
recommendations would the ES-ISAC provide to the reporting entity, the industry or to law enforcement agencies in the
hours after such an incident is reported? Note too that DOE requires reporting of a physical attack within one hour only
when it “causes a major interruption or major negative impact on critical infrastructure facilities or to operations.” In
lesser cases, the entity gets up to six hours if it “impacts electric power system reliability”. DOE has said that it is not
interested in copper theft unless it causes one of these events. If the SDT is working to ensure consistency of reporting
requirements, please consider DOE requirements too. Meeting the reporting deadline will mean that available
resources in the control center will be devoted to ensuring the report is filed on time instead of making the site safe and
arranging for prompt repair. It may even mean that law enforcement won’t be contacted until the forms are filed with the
ES-ISAC. The exception contained in footnote #1 of Attachment 1 with respect to copper theft is not an exception at all.
The majority of copper theft from substations is, in fact, such grounding connectors which may or may not render the
protective relaying inoperative. You could end up receiving reports from all over the USA, Canada and Mexico, mostly
on Monday mornings as weekend copper thefts are discovered. Attachment 1 Part A table also contains redundancies.
One of the cells reads, “Damage or Destruction of Critical Asset”. One cannot destroy something without damaging it
first. Consequently, it is sufficient to simply say, “Damage to a Critical Asset”. Apply to all cells with the same phrase.
Yes
No
R1.2: By its NERC Glossary definition, an Operating Procedure is too prescriptive for data collection. An Operating
Procedure requires specific steps to be taken by specific people in a specific order. We would have to predict every
event that could happen to have every step in proper order to collect the data. It will be impossible to comply with this
requirement. R1.3: Change “Impact Event” to “Impact Event listed in Attachment 1”.
Yes
No
A test of the Operating Process for communication would be placing telephone calls. This requirement would have
virtually every entity in North America calling NERC, Regional Entities, FERC/Provincial Agency, Public Service
Commission, FBI/RCMP, local Police, etc. annually. Every entity will probably be asking for a confirmation letter from
each telephone call for proof of compliance. This is an unnecessary requirement. Delete it.
No
Include that this is for internal personnel as stated in the associated measure.
Yes
No
It appears that the footnotes only apply one place in the table. Place the footnote in the table where it applies. Voltage
Deviations on BES Facilities: 10% compared to what? Rated? Forced Intrusion: “At a BES facility” facility or Facility?
No
M1 contains a redundancy: It currently reads, “Each Responsible Entity shall provide the current in force Impact Event
Operating Plan to the Compliance Enforcement Authority.” (“In force” is the same as “current”.) M2: Change “Impact
Event” to “Impact Event listed in Attachment 1”. M3: This is an additional requirement. R3 does not require a mock
Impact Event. R3 requires a test of the communicating Operating Process. As stated above, R3 and M3 should be
deleted. M4: This is written assuming classroom training. R4 does not require formal training much less classroom
training. R4 requires that those (internal) personnel who have responsibilities in the plan review the Impact Event
Operating Plan. M5: When we report, how do we show to an auditor that we reported “using the plan”? Delete the
reference to “the plan”.
No
All VRFs should be Lower. They are all administrative and will not affect BES Reliability.
No
Change the VRFs as indicated above and the Time Horizons as indicated below.
No
R2 and R5 should be Operations Assessment.
Yes
Attachment 2: What do the asterisks refer to? I didn’t see a comment or description related to them. #7 & #10: What is
“tripped”? Automatic or manual or both. #13: This report has no Part 1. Flowchart: By the flowchart, the only time an
OE-417 is filed is when I do not need to contact Law Enforcement. The Reporting Hierarchy flow chart should be
modified. In the lower right corner it indicates that if sabotage is not confirmed, the state law enforcement agency
investigates. Law enforcement agencies will not investigate an incident that is not a crime. Note too that state law
enforcement agencies do not even investigate these kinds of events unless and until requested by local law
enforcement. The local law enforcement agency always has initial jurisdiction until surrendered or seized by a superior
agency’s authority. Evidence Retention is incomplete. From the NERC Standards Process Manual: “Evidence
Retention: Identification, for each requirement in the standard, of the entity that is responsible for retaining evidence to
demonstrate compliance, and the duration for retention of that evidence.”
Individual
Kenneth A Goldsmith
Alliant Energy
4 - Transmission-dependent Utilities
Yes
No
The proposed definition is not supported by any of the established “bright line” criteria that are contained within
attachment 1. This Results Based Standard should close any loop-holes that could be read into any section, especially
the definition. We recommend the definition be enhanced to read: “Impact Event: Any Contingency which has either
affected or has the potential to affect the Stability of the BES as outlined per attachment 1.” Within this enhanced
recommendation, presently defined NERC terms are used (Contingency and Stability), thus supporting what is currently
used within our industry. There is also a quantifiable aspect of “as outlined per attachment 1” that clearly defines
Impact Events. If the above definition is not adopted, we believe it should be rephrased to narrow the scope to “those
events that result from malicious intent or human negligence/error.” We are concerned that by using phrases like
“unintentional or intentional human action” in combination with “damage or destruction” basically means everything
except copper theft becomes a reportable impact event (including planned actions we must perform to comply with
CIP-007 R7).
Yes
Yes
Yes
Yes
This is a NERC defined term and will assist entities in maintaining compliance with this (proposed) Standard. We
believe the reference to Attachment 2 in R1.2 should be revised to the DOE Form and utilize only one reporting form, if
at all possible.
Yes
Yes
Yes
No
We believe Attachment 2 should be deleted, and NERC should work with the DOE to have one form for all events, if
possible. It makes the reporting procedure much simpler, only having to use one form.
No
The item relating to Loss of Firm Load for > 15 minutes should be revised to 500 MW and 300 MW. For many
companies, a storm moving across their system could cause more than 300 MW of firm load to be lost, but there is no
impact on the BES, so why does the detailed reporting need to be done? The items relating to “damage or destruction”
need to be revised to not be so wide. As currently written, a plan by a company to raze a facility could be considered a
violation and must be reported. We believe it needs to be tightened to malicious intent or human negligence/error.
Yes
Yes
Yes
Yes
Yes
Group
Pepco Holdings Inc and Affiliates
David Thorne
Yes
No
The two sentence definition will not be adequate to serve well over the course of time. People will have to read and
understand the standard without benefit of the detailed information, explanations and interpretations available during
the standards development process. Without additional explanation as provided in the background and the guideline
and technical basis sections, to support the definition, the standard will be subject to confusion and interpretations.
Consider adding a lot of the information and explanation that is in those sections to the standard. Any event could be
an impact event. However, only a subset is reportable. What is really being addressed are reportable events. More
specifically after the fact reporting of unplanned events.
No
See #2. Without the explanation contained in background information, over time those that have not been involved
with this standard development will struggle with how to interpret the code words of non environmental and intentional
human action.
Yes
More guidance is needed for which entity in Attachment 1 actually files the report to avoid duplicate filing.
Yes
Agree that NERC should not have requirements applicable to them.
No
An Operating Plan, Operating Process or Operating Procedure implies something different than an after the fact
reporting activity.
Yes
Yes
Yes
Yes
No
The entity responsible for reporting is not clear. Is the initiating entity the same as requesting entity or implementing
entity? In the paper it indicates the DT intent is for the entity that performs the action or is directly affected will report. It
seems that the proposal would result in a significant amount of duplicate reporting.
Yes
No
This standard involves after the fact reporting of events. Other standards deal with the real time notifications. How do
the risk factors between the two line up? A VRF of Low would seem appropriate, since a violation would not affect the
reliability of the BES.
No
This standard involves after the fact reporting of events. Other standards deal with the real time notifications. How do
the severity levels between the two line up? See above VRF comments.
Yes
However, do they line up with the corresponding real time reporting procedures as mentioned above, #13 and #14?
No
The proposed time line is too short. It is easy to revise procedures. However developing training and integrating the
training into the schedule takes time. Shorter time frame takes away adequate time to integrate into the training plan
and disrupts operator schedules. Since notifications already exist and after the fact reporting does not impact BES
reliability, why the need to expedite? There are many other training activities that must be coordinated with this.
IRO-000-1, Sec D1.5 and TOP-007, Sec D1.1 there are “after the fact” reporting requirements for IROL violations.
Since IROL violations are included in this standard, should those standards be modified? Should the standard include a
specific statement that this standard deals only with after the fact and other standards deal with real time reporting?
Since this standard deals with after the fact reporting, consideration should be given to extending the time to report as
defined in Attachment 1. One hour does not seem to be reasonable.
Individual
John Brockhan
CenterPoint Energy
1 - Transmission Owners
Yes
No
CenterPoint Energy suggests that the phrase “…or has the potential to impact…” be deleted as it makes the definition
vague and broad. Similar issues encountered in trying to define sabotage may resurface, such as varying definitions or
interpretations of “potential”. If this standard is to support after-the-fact reporting, the focus should be on actual events,
not potential situations or events. Effective and efficient prevention would come from analysis of actual events.
Resources and reporting could become overwhelmed upon having to consider “potential”. All references to “potential”
should be removed from the standard, guidance, and attachments.
No
CenterPoint Energy would agree if the definition for Impact Event was changed as suggested in the response to
Question 2.
Yes
Yes
No
CenterPoint Energy recommends deleting the current R2 as it is an inherent part of the current R5. For an entity to
“report Impact Events in accordance with the Impact Event Operating Plan pursuant to R1” (see R5), the entity must
“implement its Impact Operating Plan documented in Requirement 1…” (see R2). Including both requirements is
unnecessary and duplicative. Likewise, M2 should be deleted.
Yes
Yes
Yes
CenterPoint Energy agrees with the idea of streamlining the reporting process through the use of existing report forms.
However, as noted in the response to Question 11, the Company has concerns about the DOE OE-417 Form,
specifically the timeframes in which to submit reports. CenterPoint Energy will be making the same recommendation to
extend reporting timeframes during the DOE OE-417 report revision process when the current form expires on
12/31/11. Any future changes to the DOE Form could also impact reporting for this requirement.
No
(1) CenterPoint Energy believes that the “Entity with Reporting Responsibility” for the first three events in Part A should
be clarified. There could still be confusion regarding the “initiating entity” for events where one entity directs another to
take action. From the text on page 5 of the Unofficial Comment Form, it appears that the SDT intended for the “initiating
entity” to be the entity that takes action. To make this clear in Attachment 1, CenterPoint Energy recommends replacing
“initiating entity” with “Each (insert applicable entities) that (insert action)”. For example, for “Energy Emergency
requiring a Public appeal” the Entity with Reporting Responsibility should be “Each…that issues a public appeal for
load reduction”. (2) Part A: The threshold for reporting “System Separation” should not be fixed at greater than or equal
to 100 MW for all entities, but rather should be scaled to previous year’s demand as in “Loss of Firm load for greater
than or equal to 15 minutes”, so that for entities with demand greater than or equal to 3000 MW, the island would be
greater than or equal to 300 MW. (3) Part A: The one hour reporting requirements are unreasonable and burdensome.
The Background text indicates that “proposed changes do not include any real-time operating notifications…”
CenterPoint Energy believes all one hour reporting requirements could potentially divert resources away from
responding to the event. In many instances the event may still be developing within one hour. Likewise, the 24 hour
reporting requirements are also burdensome. CenterPoint Energy recommends changing all reporting requirements to
48 hours. CenterPoint Energy acknowledges that the DOE OE-417 report requires certain one hour and 6 hour
reporting. Those requirements should also be extended, and CenterPoint Energy will be making the same
recommendation during the DOE OE-417 report revision process when the current form expires on 12/31/11. (4) Part
B: CenterPoint Energy is very concerned with the “events” listed under Attachment 1 – Potential Reliability Impact –
Part B and believes Part B should be deleted. These arbitrary “events” with “potential reliability impact” and reporting
times place unnecessary burden on entities to report “situations” that would rarely impact the reliability of the BES.
Entities should be aware of developing situations; however, this standard should not require reporting of such
occurrences. (5) Part B: Of particular concern is the overly broad “Risk to BES equipment” and the example provided in
the footnote. CenterPoint Energy believes the SDT has already identified the events with the greatest risk to impact the
BES in Part A. Also including “potential reliability impact” situations in Part B inappropriately dilutes attention away from
the truly important events. The industry, NERC and FERC should not lose sight of the forest for the trees.
No
M1: CenterPoint Energy recommends that the phrase “current in force” be updated to “current” or “currently effective”.
Additionally, CenterPoint Energy suggests clarifying M1 by adding “within 30 days upon request”, which would be
consistent with language found in measures in other standards. The revised measure would read, “Each Responsible
Entity shall provide the currently effective Impact Event Operating Plan to the Compliance Enforcement Authority within
30 days upon request.” M2: If R2 is deleted (as recommended in response to Question 7), then M2 should be deleted.
No
CenterPoint Energy believes that the Severe VSL for R5 (Reporting) in the current draft incorrectly equates 2X
reporting with failure to submit a report. CenterPoint Energy believes the VSLs for R5 should all reflect a factor
increase in time. For example, the lower VSL should be 1.5X the reporting time frame. The Moderate VSL should be 2x
the reporting time frame. The High VSL should be 3x the reporting time frame. The Severe VSL should be failure to
report.
Yes
No
CenterPoint Energy prefers the previously accepted timeline of 1 year.
CenterPoint Energy believes the flowchart found on page 8 identifying the reporting hierarchy for EOP-004 is helpful.
CenterPoint Energy believes the DOE reporting items should also be included on the right side of the chart. Some of
the issues with CIP-001 were a result of law enforcement’s preference and procedures for notification. Law
enforcement’s preferences and procedures should be considered for this draft. (Reference: http://www.fbi.gov/contactus/when)
Individual
Martin Kaufman
ExxonMobil Research and Engineering
1 - Transmission Owners, 5 - Electric Generators, 7 - Large Electricity End Users
Yes
No
The use of the word potential is ominous.
Yes
Yes
No
Abstain from commenting on this question.
No
The requirement to notify State Law Enforcement deviates from existing government security requirements that
Petrochemical Facilities (Cogenerators) are required to follow. Per the Maritime Transportation Security Act of 2002
(MTSA) and the Chemical Facility Anti-Terrorism Standard (CFATS), Petrochemical Facilities are required to report the
security incidents identified in EOP-004 Revision 2 to the National Response Center which is staffed by the United
States Coast Guard. The National Response Center coordinates incident reporting to both the Department of
Homeland Security and Federal Bureau of Investigation. Requiring Petrochemical Facilities to report security
incidences to State Law Enforcement agencies duplicates their reporting of incidences to the appropriate law
enforcement agencies. EOP-004 Revision 2 should be modified to synergize with existing federal security regulations
so that those facilities that are required to comply with the MTSA and CFATS are, by default, compliant with EOP-004
Revision 2 when they comply with these existing federal security regulations. It is unclear, from the documentation
provided in this revision of EOP-004, which entities a Responsible Entity is required to notify when certain types of
Impact Events occur. Previously, CIP-001 included a similarly vague instruction that required notifications to the
'appropriate parties in the interconnection' and the FBI/RCMP. The Standard Drafting Team should identify which
NERC Functional Entities should be notified when each of the Impact Events identified in Attachment 1 occurs. Current
revisions of CIP-001 Revision 1 or EOP-004 Revision 1 do not include corresponding requirements to update
procedures within a certain time frame. It's difficult to foresee a situation where an Entity would initiate a change to its
response plan without being required to update the formal response plan documentation per their management of
change process. Additionally, failure to update the procedure would result in the entity deviating from the procedure
any time an impact event occurred, which would automatically force a violation of EOP-004-2 R2 for failure to properly
implement their Operating Process. Furthermore, the only changes occurring between review cycles should be
revisions to the contact information for third parties. It is beyond an entity's power to require third parties to notify the
entity when the third party changes their contact information, and, as such, this requirement burdens registered
facilities with responsibility for compliance for items that are beyond their realm of control.
No
The notification requirement and documentation in Attachment 1 do not clearly identify which entities need to be
notified for each type of event detailed in Attachment 1. While it makes sense to notify the Reliability Coordinator,
NERC, Regional Entity, Law Enforcement and other Governmental Agencies for sabotage type events, it does not
seem proper to notify Law Enforcement agencies of a system disturbance that is unrelated to improper human
intervention. Furthermore, it is our belief that a time frame of 1 hour is a short window for making a verbal notification to
third parties, and an impossibly short window for requiring the submittal of a completed form regardless of the
simplicity. When a Petrochemical Facility experiences an impact event, the initial focus should emphasize safe control
of the chemical process. For those cases where registered entities are required to submit a form within 1 hour, the
Standard Drafting Team should alter the requirement to allow for verbal notification during the first few hours following
the initiation of an Impact Event (i.e. allow the facility time to appropriately respond to and gain control of the situation
prior to making a notification which may take several hours) and provide separate notifications windows for those
parties that will need to respond to an Impact Event immediately and those entities that need to be informed that one
occurred for the purposes of investigating the cause of and response to an Impact Event. For example, a GOP should
immediately notify a TOP when it experiences a forced outage of generation capacity as soon as possible, but there is
no immediate benefit to notify NERC when site personnel are responding to the event in order to gain control of the
situation and determine the extent of the problem. The existing standard’s requirement to file an initial report to entities,
such as NERC, within 24 hours seems reasonable provided that proper real time notifications are made and the
Standard Drafting Team reinstates EOP-004 Revision 1's Requirement 3.3, which allows for the extension of the 24
hour window during adverse conditions, into the requirement section of EOP-004 [the current revision locates this
extension in Attachment 1, which, according to input received from Regional Entities, means that the extension would
not be enforceable].
No
The annual (15 month) time window for conducting annual performance tests appears to be reasonable. However, the
required scope of the test is vague. The Standard Drafting Team should modify the testing requirement to include
boundary criteria such as whether notifications to third parties and law enforcement are required or if the test is limited
to internal notifications and response processes. Furthermore, the current measure associated with this requirement,
EOP-004 Revision 2 Measure 3, implies, that if an Impact Event occurs, the registered entity can count the activation of
its Impact Event Operating Plan as a test and extend the test window 15 months from the date of activation. The
Standard Drafting Team should revise the requirement to clarify that the test window resets when a site initiates its
Impact Event Operating Plan in response to a real Impact Event as requirement criteria should not be included in a
measure.
No
It’s unclear whether R4 is a training requirement to train all individuals who may be required to implement its Impact
Event Operating Plan on an annual basis or a requirement for an Entity to review the Impact Event Operating Plan with
at least one person from each position that has a role in the Impact Event Operating Plan in order to complete a quality
review of the Impact Event Operating Plan. The SDT should clarify the intent of the requirement. If the intent is that
both of the aforementioned interpretations are expected to occur, the SDT should break R4 into two requirements so that
an entity is not in violation of Requirement R4 when the entity fails to comply with one of the two imbedded requirements
(e.g. if the quality review is not performed but all individuals were trained).
No
The notification requirement and documentation in Attachment 1 do not clearly identify which entities need to be
notified for each type of event detailed in Attachment 1. While it makes sense to notify the Reliability Coordinator,
NERC, Regional Entity, Law Enforcement and other Governmental Agencies for sabotage type events, it does not
seem proper to notify Law Enforcement agencies of a system disturbance that is unrelated to improper human
intervention. Furthermore, it is our belief that a time frame of 1 hour is a short window for making a verbal notification to
third parties, and an impossibly short window for requiring the submittal of a completed form regardless of the
simplicity. When a Petrochemical Facility experiences an impact event, the initial focus should emphasize safe control
of the chemical process. For those cases where registered entities are required to submit a form within 1 hour, the
Standard Drafting Team should alter the requirement to allow for verbal notification during the first few hours following
the initiation of an Impact Event (i.e. allow the facility time to appropriately respond to and gain control of the situation
prior to making a notification which may take several hours) and provide separate notifications windows for those
parties that will need to respond to an Impact Event immediately and those entities that need to be informed that one
occurred for the purposes of investigating the cause of and response to an Impact Event. For example, a GOP should
immediately notify a TOP when it experiences a forced outage of generation capacity as soon as possible, but there is
no immediate benefit to notify NERC when site personnel are responding to the event in order to gain control of the
situation and determine the extent of the problem. The existing standard’s requirement to file an initial report to entities,
such as NERC, within 24 hours seems reasonable provided that proper real time notifications are made and the
Standard Drafting Team reinstates EOP-004 Revision 1's Requirement 3.3, which allows for the extension of the 24
hour window during adverse conditions, into the requirement section of EOP-004 [the current revision locates this
extension in Attachment 1, which, according to input received from Regional Entities, means that the extension would
not be enforceable].
No
The notification requirement and documentation in Attachment 1 do not clearly identify which entities need to be
notified for each type of event detailed in Attachment 1. While it makes sense to notify the Reliability Coordinator,
NERC, Regional Entity, Law Enforcement and other Governmental Agencies for sabotage type events, it does not
seem proper to notify Law Enforcement agencies of a system disturbance that is unrelated to improper human
intervention. Furthermore, it is our belief that a time frame of 1 hour is a short window for making a verbal notification to
third parties, and an impossibly short window for requiring the submittal of a completed form regardless of the
simplicity. When a Petrochemical Facility experiences an impact event, the initial focus should emphasize safe control
of the chemical process. For those cases where registered entities are required to submit a form within 1 hour, the
Standard Drafting Team should alter the requirement to allow for verbal notification during the first few hours following
the initiation of an Impact Event (i.e. allow the facility time to appropriately respond to and gain control of the situation
prior to making a notification which may take several hours) and provide separate notifications windows for those
parties that will need to respond to an Impact Event immediately and those entities that need to be informed that one
occurred for the purposes of investigating the cause of and response to an Impact Event. For example, a GOP should
immediately notify a TOP when it experiences a forced outage of generation capacity as soon as possible, but there is
no immediate benefit to notify NERC when site personnel are responding to the event in order to gain control of the
situation and determine the extent of the problem. The existing standard’s requirement to file an initial report to entities,
such as NERC, within 24 hours seems reasonable provided that proper real time notifications are made and the
Standard Drafting Team reinstates EOP-004 Revision 1's Requirement 3.3, which allows for the extension of the 24
hour window during adverse conditions, into the requirement section of EOP-004 [the current revision locates this
extension in Attachment 1, which, according to input received from Regional Entities, means that the extension would
not be enforceable].
No
Measure M3 introduces a pseudo-requirement by implying you are able to reset the testing clock if you implement our
Impact Event Operating Plan in response to an Impact Event. This should be covered in Requirement R3. Measure M4
should refer to positions and evidence that people occupying those positions participated in the annual review of the
Impact Event Operating Plan. Given the number of individuals involved in operations and the cycle of promotions and
reassignments, it’s unreasonable to expect an entity to identify specific individuals in their Impact Event Operating Plan.
As the one hour time window is not long enough for entities to report all types of events when responding to the impact
the Impact Event had on its facility, Measure M5 should be modified to include voice recordings and log book entries to
capture verbal information reported to required parties.
No
VRFs, VSLs, and THs ideally should be based on the impact event type; alternatively a low VRF seems more
appropriate for the requirements of this standard.
No
VRFs, VSLs, and THs ideally should be based on the impact event type; alternatively a low VRF seems more
appropriate for the requirements of this standard.
No
VRFs, VSLs, and THs ideally should be based on the impact event type; alternatively a low VRF seems more
appropriate for the requirements of this standard.
Recommend 4th calendar quarter instead of 3rd.
Group
SPP Standards Review Group
Robert Rhodes
No
We would suggest changing the purpose to read ‘To improve industry awareness and effectiveness in addressing risk
to the BES by requiring the reporting of Impact Events and their causes, if known, by the Responsible Entities.’
Yes
Yes
No
While the SDT has recognized the issue of applicability to GO/TO in its background information with the Unofficial
Comment Form, we still do not feel comfortable with the GO/TO being listed as a responsible entity when in fact it may
be days before they become aware of an event worthy of reporting. If the GOP/TOP makes the report, are the GO/TO
still responsible for filing a report? If the GOP/TOP do not file the report, would the GO/TO then be non-compliant? This
issue appears to put additional risk on the GO/TO over which they have no control. We need some mechanism to
eliminate unnecessary risk while at the same time ensuring that we have coverage for the BES. Perhaps this could be
done through delegation agreements between the entities involved or through allowances within the standard itself. For
example, could the phrase ‘appropriate parties in the Interconnection’ as currently contained in CIP-001-1, R2 be
incorporated into the standard to basically replace GO/TO?
Yes
No
We would suggest rewording Part 1.3.2 to read ‘External organizations to notify may include but are not limited to the
Responsible Entity’s Reliability Coordinator, NERC, Responsible Entity’s Regional Entity, Law Enforcement and
Governmental or Provincial Agencies.’ We would also suggest the following for Part 1.4: ‘Provision(s) for updating the
Impact Event Operating Plan within 90 days of any known changes to its content.’ Would also suggest adding ‘as
requested’ at the end of M1.
Yes
No
The SDT included a formal review process in the discussion of R4 in the Background Information in the Unofficial
Comment Form as one of three options for demonstrating compliance with the testing requirements of R4, yet M3 only
contains two of those options – a mock Impact Event exercise and a real-time implementation of its Operating Process.
The third option, a formal review process, is missing from M3 and needs to be added. We would suggest the following
for M3: ‘In the absence of an actual Impact Event, the Responsible Entity shall provide evidence that it conducted a
mock Impact Event and followed its Operating Process for communicating recognized Impact Events created pursuant
to Requirement R1, Part 1.3 or conducted a formal review of its Operating Process. The time period between tests,
actual Impact Events or formal reviews shall be no more than 15 calendar months. Evidence may include, but is not
limited to, operator logs, voice recordings or documentation.’
No
There is confusion surrounding the use of the term ‘review’ in R3 and R4. In R3 and the suggested revision to M3 in
Question 8, review is an analysis of the plan by a specific group tasked to determine if the plan requires updating or
modifying to remain viable. Review in R4 has training connotations for all personnel who have responsibilities identified
in the plan. Although we understand the use of ‘review’ in R4 is new to this version of EOP-004-2, we believe it may be
more appropriate to use training rather than review in R4. And further, we feel the training should be focused on those
specific portions of the plan that apply to specific job functions.
No
We feel there is redundancy between R2 and R5. To eliminate this redundancy, we propose to take the phrase
‘…using the form in Attachment 2 or the DOE OE-417 reporting form’ and adding it at the end of R2. Then what’s left of
R5 could be deleted. The new R2 would read ‘Each Responsible Entity shall implement its Impact Event Operating
Plan documented in Requirement R1 for Impact Events listed in Attachment 1 (Parts A and B) using the form in
Attachment 2 or the DOE OE-417 reporting form.’
No
Threshold for Reporting – Some of the thresholds used to trigger event reporting seem arbitrary. For example, why
were three BES Transmission Elements selected for the transmission loss trigger? What’s significant with three? There
may be situations where one element can impact reliability more than other situations where three or more lines may
be lost. The defining line should be impact to reliability, not a simple count of elements. Also, timing of the loss of these
elements is important. If the three elements are lost over a 3-day span, does this trigger an event report? We would
think not and would like to see that clarification in the standard. Public appeals – Some entities may utilize load
reduction (Demand Response, interruptible loads, etc) in the normal course of daily operation in lieu of committing
additional generation resources. Because this is not an Energy Emergency as defined in the NERC Glossary, would
such an event trigger the filing of an Impact Event report under EOP-004-2? We would like clarification on this issue.
Multiple entity reporting responsibility – Several of the triggering events in Attachment 1 list multiple entity reporting
responsibility. The SDT needs to clarify precisely who has the actual reporting responsibility for those events. For
example, if a DP loses ≥ 300 MW (or ≥ 200 MW depending on size) of load who files the report? Is it the DP, TOP, BA
or RC? Attachment 1 would lead us to believe all four are required to file reports. This redundancy is unnecessary and
creates unneeded paperwork. Surely this redundancy is not the intent of the SDT. Reporting timeframe – The
timeframes for reporting these after-the-fact reports need to be thoroughly reviewed and, we believe, realigned. Which
is more important to the reliability of the BES, operating and controlling the BES following an Impact Event or filing a
report describing that event? Most operating desks are staffed by a single operator at nights and on weekends. Their
focus should be on operating the system, not filing a report with NERC or DOE within one hour. There appears to be
inconsistency in the reporting times among the triggering events. There doesn’t appear to be any logic regarding how
the times were selected. Shouldn’t impact to the reliability of the BES be that basis? Why is a BA with 50 MW of load
who makes a public appeal to customers for load reduction required to report within 1 hour while an IROL violation
doesn’t need to be reported for 24 hours? Clearly the IROL violation has a greater impact on the reliability of the BES.
Therefore, shouldn’t these types of reports be filed sooner than those events with less impact on BES reliability? Risk
to BES equipment – The Threshold for Reporting this event indicates that only those events associated with a non-environmental physical threat should be reported. The train derailment example in the footnote then conversely
describes just such an environmental threat with flammable or toxic cargo. Which should it be? Additionally, how does
one determine the applicability of a potential threat? Is this time dependent, is it threat dependent, how do we factor all
this in?
No
The measures are written as if they are adding requirements to the standards. Using wording such as ‘shall provide’
gives this implication. We would suggest wording such as ‘examples of acceptable evidence to demonstrate
compliance may be…’ See Question 6 for comments regarding M1. See Question 8 for comments regarding M3.
No
These are reporting requirements and therefore do not deserve the ‘medium’ VRF. We suggest making the VRFs for all
requirements for EOP-004-2 ‘low’.
No
Requirement 4: We would suggest the following: Low – The Responsible Entity reviewed its Impact Event Operating
Plan with those personnel who have responsibilities identified in that plan in more than 15 calendar months but less
than 18 calendar months since the last review. Moderate - The Responsible Entity reviewed its Impact Event Operating
Plan with those personnel who have responsibilities identified in that plan in more than 18 calendar months but less
than 21 calendar months since the last review. High - The Responsible Entity reviewed its Impact Event Operating Plan
with those personnel who have responsibilities identified in that plan in more than 21 calendar months but less than 24
calendar months since the last review. Severe - The Responsible Entity failed to review its Impact Event Operating
Plan with those personnel who have responsibilities identified in that plan within 24 calendar months since the last
review. Requirement 5: With our suggested deletion of Requirement 5, we further suggest deleting the VSLs
associated with Requirement 5.
No
Based on our previous comments in response to Question 11, we feel that the Time Horizon for R2 should be
lengthened. Assigning it a Real-time Operations and Same-day Operations timeframe has too much of an impact on
real-time operations. Pushing it back will allow support personnel to do the after-the-fact reporting and keep this burden
off of the operators.
Yes
In Attachment 2 just before the table, the statement is made that ‘NERC will accept the DOE OE-417 form in lieu of this
form if the entity is required to submit an OE-417 report.’ But the last sentence in the Guideline and Technical Basis
white paper, it is stated that ‘For example, if the NERC Report duplicates information from the DOE form, the DOE
report may be included or attached to the NERC report, in lieu of entering that information on the NERC report.’ These
are in conflict with each other. Which is correct? We prefer the former over the latter. In Attachment 2 in Tasks 7-11 an
asterisk appears in those tasks. To what does this asterisk refer?
Individual
Brenda Truhe
PPL Electric Utilities
1 - Transmission Owners
Yes
Yes
PPL EU agrees with the definition. We would like to point out that our interpretation of the definition excludes
maintenance work. Our interpretation also concludes that maintenance work that does not go as planned or goes awry
and impacts the reliability of the BES would be an impact event and reported as required per Attachment 1.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
We would like to suggest the language be changed such that ‘submission via a NERC system’ would be acceptable in
addition to the use of the Attachment 2 Form or the DOE OE-417 form. The standard would then accommodate the
proposed revision to NERC Rules of Procedure 812. ‘…NERC will establish a system to collect impact events
reports…’
No
We very much appreciate the work performed by SDT and consideration of all the comments received. While we agree
with the majority of the Attachment 1 changes, we suggest the SDT add further clarification to Attachment 1, Part A,
Event 'Transmission Loss'. Does this mean permanent loss? Do two lines and a pole constitute a loss of three
elements? E.g. Consider the loss of a 230 kV line with two tapped transformers. This does not have a significant effect
on the BES, yet would it be reportable? We would prefer Attachment 1, Part A, ‘Threshold Reporting’ be clarified. E.g.
‘Three or more "unrelated" pieces of equipment for a single event’.
Yes
Yes
Yes
We thank the SDT for addressing so many Industry concerns with the 2010 draft of EOP-004-2. We feel the current
draft version of EOP-004-2 is a significant improvement over current EOP-004-1 and CIP-001-1 standard and the
previous draft. Thank you for your time.
Individual
Tim Soles
Occidental Power Marketing
3 - Load-serving Entities
Yes
No
The SDT includes in the definition the "potential to impact the reliability of the BES." This seems vague, although
Attachment 1 clarifies what actually has to be reported. An LSE may have limited or no knowledge of "potential to
impact." The SDT may want to refine the definition, e.g., "to the extent the entities' knowledge could reasonably reveal
the impact."
Yes
No
Load Serving Entities that do not own or operate BES assets (or assets that support the BES) should not be included in
the Applicability. The SDT includes LSEs based on CIP-002; however, if the LSE does not have any BES assets (or
assets that support the BES), CIP-002 should also not be applicable because the LSE could not have any Critical
Assets or Critical Cyber Assets. It is understood that the SDT is trying to comply with FERC Order 693, Sections 460
and 461; however, Section 461 also states: "Further, when addressing such applicability issues, the ERO should
consider whether separate, less burdensome requirements for smaller entities may be appropriate to address these
concerns." A qualifier in the Applicability of EOP-004-2 that would include only LSEs that own, operate or control BES
assets (or assets that support the BES) would seem appropriate and acceptable to FERC.
Yes
Yes
However, only LSEs with BES assets (or assets that support the BES) should be included in the Applicability section of
the standard.
Yes
However, only LSEs with BES assets (or assets that directly support the BES) should be included in the Applicability
section of the standard.
No
We understand that this requirement is meant to comply with FERC Order 693, Section 466; however, there needs to
be more specificity concerning what sort of "test" would be accepted for auditing purposes. Also, only LSEs with BES
assets should be included in the Applicability section of the standard.
Yes
However, only LSEs with BES assets (or assets that directly support the BES) should be included in the Applicability
section of the standard.
Yes
Yes
There does not appear to be any reportable events for LSEs that do not own, operate, or control BES assets (or assets
that directly support the BES) in Attachment 1. This would support removing such entities from the Applicability.
Yes
In general, the measures are okay. However, as mentioned above for R3, there needs to be more specificity as to what
is acceptable as a "mock Impact Event" for auditing purposes--especially for small entities such as LSEs that do not
own, operate, or control BES assets.
Yes
Yes
Yes
Yes
Occidental Power Marketing appreciates the extensive work accomplished by the SDT and their responsiveness to
comments. Also, the presentation of this draft with its extensive explanation of the SDT's considerations during
development of the draft was very helpful in preparing our comments.
Individual
Eric Ruskamp
Lincoln Electric System
1 - Transmission Owners, 3 - Load-serving Entities, 5 - Electric Generators, 6 - Electricity Brokers, Aggregators
Yes
No
As currently drafted, the proposed definition of “Impact Event” appears vague and provides entities minimal clarity in
terms of distinguishing events of significance. Recommend the drafting team reference “Attachment 1: Impact Events
Tables” within the definition to direct industry towards more specific criteria.
Yes
Yes
Yes
Yes
Yes
No
As currently drafted, requirement R3 states one must “conduct a test” whereas the associated Measure requests
evidence that one “conducted a mock Impact Event”. The Rationale box lends to further confusion by referencing a
“drill or exercise” as a process to verify one’s Operating Process. To avoid potential confusion between R3 and M3, as
well as to maintain consistency with the Rationale box, recommend the drafting team replace the word “test” with “drill
or exercise” within R3 and the associated Measure.
Yes
Yes
No
While LES supports the bright line criteria listed in Attachment 1 for reporting Impact Events, we have concerns
regarding the reporting threshold for “Transmission loss”. For Transmission loss of three or more Transmission
Elements, LES supports the MRO NSRS’ suggested wording of “Two or more BES Transmission Elements that exceed
TPL Category D operating criteria or its successor.”
Yes
Yes
Yes
Yes
Yes
Individual
Linda Jacobson
Farmington Electric Utility System
3 - Load-serving Entities
Yes
Yes
Yes
Yes
Yes
No
Consider rewording 1.4; the wording implies a change to content already occurred, so it would be updated concurrently
– consider updating the plan within 90 days of discovery of content requiring a change?
Yes
No
The measure for R3 indicates an actual Impact Event would count as a test, consider aligning the requirement with the
measure to clarify an Impact Event could be considered a test.
Yes
A review of the Impact Event Operating Plan can be interpreted as an informal examination of the plan. The measure
for R4 indicates evidence of a review, parties conducting the review AND when internal training occurred. It should be
clarified in R4 training is expected as part of the review for personnel with responsibilities. This is an improvement from
the previous 5.3 and 5.4; however, the team should consider adding back, ‘review/training shall be conducted prior to
assuming the responsibility in the plan.’
Yes
Yes
No
See comments in requirements for R3 and R4
Yes
Yes
Yes
Yes
Nine months would be preferred
Individual
Andrew Z Pusztai
American Transmission Company
1 - Transmission Owners
Yes
No
ATC does not agree with the proposed definition and further disagrees whether a definition is needed at all. Proposed
Definition: The definition, read outside of the proposed standard, does not provide Registered Entities with a clear
meaning of the purpose of the definition. It is ATC’s opinion that the SDT is using the term “Impact Event” as an
introduction phrase to Attachment 1. ATC would be more comfortable if the definition was dropped and the team would
re-write the requirement to specifically point to Attachment 1. It is our opinion that this type of structure would achieve
the goal of the team to get Registered Entities to report on events identified in Attachment 1. The other option is for the
team to write into the definition that the events being discussed are limited to those identified in Attachment 1. Also the
language currently being used in the definition includes “potential” and “such as”. These terms should be struck from
the definition.
Yes
No
First, under Part A, the reporting requirement for three or more BES Transmission Elements will create confusion. The
NERC definition for an Element is: “Any electrical device with terminals that may be connected to other electrical
devices such as a generator, transformer, circuit breaker, bus section, or transmission line. An element may be
comprised of one or more components.” This could be interpreted to be three potential transformers on a bus section;
therefore, any bus section would require a report. It is suggested that this be reworded to indicate three or more BES
transmission lines, bus sections, or transformers. Second, under Part A, the reporting requirement for “Damage or
destruction of BES equipment” is too broad and needs to be modified. For example, an output contact on a relay could
be damaged unintentionally during routine testing resulting in a reportable event. It is suggested that the list of BES
equipment and full intent of this be further defined in the footnote. The intent needs to be clarified, such as “events that
have an immediate and significant impact to the stability or reliability of the BES.” Third, under Part A, the reporting
requirement for “Damage or destruction of a Critical Cyber Asset” is too broad and needs to be modified. For example,
an output contact on a relay could be damaged unintentionally during routine testing resulting in a reportable event.
Yes
Yes
No
ATC does not agree with the proposed language in Requirement 3. ATC is concerned that, in order to demonstrate
compliance, an entity will have to show that each step in the plan was followed which will likely leave entities facing the
choice of choosing between different compliance violations. If the plan is not followed, but the report is made within the
time given, then an entity is in violation of their plan. If the plan is followed, but the report does not get filed within the
time allotted, then they face a possible violation of the time to report. ATC believes that the team should enforce the
position that the report being filed in the time allotted is key, not that they necessarily follow and document that their
plan was followed. Depending on the situation, the internal reporting will vary; however, based on the purpose of the
Standard, the key is to get a report to NERC.
Yes
Yes
No
Attachment 2, Task #14 in the report should be modified to read, “Identify any known protection system
misoperation(s).” If this report is filed quickly, there is not enough time to assess all operations to determine any
misoperation. As a case in point, it typically takes at least 24 hrs. to receive final lightning data; therefore, not all data is
available to make a proper determination of a misoperation.
No
Energy Emergency requiring Public Appeal: ATC believes that the phrase “initiating entity” is unclear and could be
interpreted in multiple ways. 1) the entity has the authority to call for public appeals, 2) the entity has the authority to
declare an Energy Emergency, or 3) the entity determines and identifies the need for the Energy Emergency. Typically
the BAs call for public appeals, so does every BA that calls for the public appeal have to make a filing? The RC
declares the need for an Energy Emergency, so are they the initiating entity? A TOP could also identify the need for
public appeals and notify the RC about the request. In this case, is the TOP the initiating entity? Given the above
examples, ATC believes that the SDT needs to clarify who is required to make the filing.
Voltage Deviations on BES Facilities: ATC believes that this should be clarified because one may assume that a loss
of a single bus in which voltage goes to zero for more than 15 minutes is reportable. It is ATC’s understanding that
what the SDT means is a voltage dip, not an outage to a BES facility. However, given the brief description, ATC is not
100% sure whether there is a clear understanding of the standard’s intent.
Energy Emergency resulting in automatic firm load shedding: Please provide additional clarity. ATC believes that the
SDT should not use the term “Impact Event” when identifying the entity with reporting responsibility. The term “Impact
Event” is identified in the standard and points to Attachment 1 but now is being used outside of that context and
requires entities to interpret what qualifies as an Impact Event. The above observation also applies to those other
events that use the term “Impact Event” to describe Reporting Responsibility.
Footnote 1: ATC would like the phrase “as determined by the equipment owner” added to the footnote. This simple
phrase will allow entities to be sure that they are responsible for determining if the damage significantly affects the
reliability margin of the system. Without this phrase, entities could be subject to non-compliance actions based on
differences of opinions to the extent of the damage on the system. The other option the SDT has is to provide
additional clarity on what qualifies as a significant effect.
Time to Submit Report: ATC strongly disagrees with the 1 hour time to submit a report because it does not fit with the
purpose of this standard. The purpose of this standard is to increase awareness, however, requiring a one-hour
reporting window following the event provides little to no benefit. ATC believes that these events should have a 24 hour
reporting window which allows for a reasonable amount of time to gather information and report the issue. If the SDT
disagrees with this observation, ATC believes a complete explanation should be provided on why knowledge of an
event within an hour is significantly better than having the knowledge of the event in a 24 hour time period. ATC
strongly believes that NERC will gain as much or more knowledge of the event by giving entities time to understand the
event and report.
Yes
Yes
Yes
Yes
Yes
Group
LG&E and KU Energy LLC
Brent Ingebrigtson
No
In Attachment 1, the existing EOP-004-1 Attachment 1, point 6 includes an “Or” for the entities (RC, TOP, GOP) for a, b
and c. The way the SDT has pulled this apart, they have included the GOP as having an impact on the Voltage
Deviations on BES Facilities. The TOP monitors the transmission system and directs GOPs when they need to change
in order to protect the system reliability. This is not something the GOP is responsible for monitoring. The GOP is
required to be at the TOP assigned voltage schedule and that actually falls under VAR-002 already. Please remove the
GOP from the line of “Voltage Deviations on BES Equipment.” The way EOP-004-1 Attachment 1 point 6 is currently
written, the GOP is an “or” and does fall into parts b or c, where part 6b is similar to the proposed line “Damage or
destruction of BES equipment” identified in the proposed EOP-004-2 Attachment 1. However, currently the GO/GOP
reports “Loss of Major System Components” on EOP-004-1 within 24 hours of determining damage to the equipment.
The proposed “One hour” is too tight of a window as the GO/GOP often do not know the extent of damage that soon.
Typically the OEM is called upon to come and do a thorough inspection and assess the extent of damage, or if there
even is any damage; once the “loss of major system components” is determined, then the 24 hour clock begins today.
Individual
Michelle D'Antuono
Ingleside Cogeneration LP
5 - Electric Generators
Yes
The addition of the modifier “if known” to reporting the cause of an Impact Event is appropriate. It often proves counterproductive to speculate – as initial conjectures of the cause of an event are easy to come up with, but difficult to back
out of later.
No
The SDT includes in the definition the “potential to impact the reliability of the BES”. This seems vague, although
ultimately the events which meet the threshold of a reportable Impact Event are governed by the tables under
Attachment 1. We believe that there should be close, if not perfect, synchronization between the ERO’s Event Analysis
Process and Attachment 1 since they share the same ultimate goal as EOP-004-2 to improve industry awareness and
BES reliability.
Yes
Sabotage cannot be confirmed until after the fact, so we support this initiative.
No
Owners and operators of facilities whose total removal from the BES would not meet any reportable threshold under
Attachment 1, should not have to create and maintain Operating documents. The same would be true of any LSE, TSP,
or IA that does not oversee any Critical Cyber Assets as identified under CIP-002. A statement to that effect could be
made in Section 4 of EOP-004-2.
Yes
Ingleside Cogeneration agrees that the NERC Rules of Procedure are the appropriate location for ERO assigned
activities. However, we would like to get a solid commitment from NERC that the Events Analysis Process and the
Reliability Assessment and Performance Analysis Group (RAPA) data analysis requirements for Protection System
Misoperations are coordinated through a single process. Their unique data needs are understandable, but should not
require the downstream entity to evaluate what is required by each sub-committee – and which reporting template to
use.
Yes
Yes
No
Since the reporting of event data to regulatory agencies does not support a front-line operations capability to mitigate or
restore a BES impairment, regular simulations are not needed. Those notification items which test coordination
between operating entities can be addressed in emergency operations exercises.
Yes
Yearly refresher training on the reporting process is appropriate. Ingleside Cogeneration also agrees that a “review”
with those individuals with assigned responsibilities under the Operating Plan is a better way to frame the requirement.
Yes
Although our preference would be to have a single form, Ingleside Cogeneration realizes that is not likely in the near
term. We would like to see that remain as a goal of the project team or the ERO.
Yes
We believe that there should be close, if not perfect, synchronization between the ERO’s Event Analysis Process and
Attachment 1 since they share the same ultimate goal as EOP-004-2 to improve industry awareness and BES
reliability.
Yes
Yes
Yes
Yes
Yes
Group
Midwest ISO Standards Collaborators
Marie Knox
Yes
No
The definition of Impact Event is overly broad because of the use of “potential to impact” and the “Such as” list.
Consider routine switching has the potential to result in a mis-operation. This means all routine switching is an impact
event. The “Such as” list should be struck and “potential” language should be struck.
No
In general, we agree that the standard drafting team has provided an equally efficient and effective alternative, but we
wonder if the SDT has not in essence already defined sabotage in their description for why they can’t define sabotage.
It seems that sabotage involves willful intent to destroy equipment. In general, intent would have to be determined by
an investigation of law enforcement. This could be part of the definition. There might be some obvious acts that could
be included without investigation such as detonation of a bomb. Is it possible for the SDT to use the DOE definition for
sabotage? We encourage the SDT to provide a definition for sabotage.
Yes
No
We see no issue with imposing requirements on NERC. However, we are not opposed to making these changes in the
Rules of Procedure either.
No
We do not believe that the use of the Operating Process, Operating Procedure, and Operating Plan for a reporting
requirement is consistent with their definitions and certainly not with the intent of the definitions. For instance, an
Operating Process is intended to meet an operating goal. What operating goal does this requirement meet? An
Operating Procedure includes tasks that must be completed by “specific operating positions”. This reporting
requirement could be met by back office personnel. We also believe that parts 1.3 and 1.3.2 under Requirement 1 will
require notification of law enforcement agencies for all Impact Events defined in Attachment 1. While some should
require notification to law enforcement such as when firm load is shed, others certainly would not. For instance, law
enforcement does not need to know that an IROL violation, generation loss or voltage deviation occurred.
Yes
No
We appreciate the drafting team recognizes that actual implementation of the plan for a real event should qualify as a
“test”. However, we are concerned that review of this requirement in isolation of the background material and
information provided by the drafting team may cause a compliance auditor to believe that a test cannot be met by
actual implementation. Furthermore, we do not believe testing a reporting procedure is necessary. Periodic reminders
to personnel responsible for implementing the procedure make sense but testing it does not add to reliability. If they
don’t report an event, it will become obvious with all the tools (SAFNR project) the regulators have to observe system
operations.
Yes
No
Requirement 2 and Requirement 5 appear to be very similar. Requirement 2 requires implementation of the Operating
Plan, Operating Process and/or Operating Procedure in Requirement 1. The Operating Procedure requires gathering
and reporting of information for the form in Attachment 2. What does Requirement 5 add that is not already covered in
Requirement 2 except the ability to use the DOE OE-417 reporting form which could be included in Requirement 2?
Yes
No
We disagree with Measurement 4. It implies that the review must be conducted in person. Why could other means such
as a web training or a reminder memo not satisfy the requirement? Because Requirement 1 does not require submittal
of the Operating Plan, Operating Process and/or the Operating Procedure, Measurement 1 should only require
submittal to the Compliance Enforcement Authority upon its request.
No
All violation risk factors should be Lower. All requirements are administrative in nature. While they are necessary
because a certain amount of regulatory reporting will always be required, a violation will not in any direct or indirect way
lead to a reliability problem on the Bulk Electric System.
Yes
No
R2 and R5 should be Operations Assessment since it deals with after the fact reporting. R3 should include Operations
Assessment since an actual event could be used as the test.
Yes
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is not
reasonable as an entity may still be dealing with the event. This will be particularly difficult when support personnel are
not present such as during nights, holidays, and weekends.
Individual
Greg Rowland
Duke Energy
1 - Transmission Owners, 3 - Load-serving Entities, 5 - Electric Generators, 6 - Electricity Brokers, Aggregators
Yes
However, as we have noted previously, the DSR SDT statement that the proposed changes do not include any real-time
operating notifications is inconsistent with requiring notification within one hour for thirteen of the twenty listed
Events in Attachment 1 “Impact Event Table”. Also, in the Background discussion, under Law Enforcement, the DSR
SDT states that the objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively
reporting Impact Events. As we have previously commented, we are still required to make real-time reports under other
standards. Requiring duplicate real-time reporting under EOP-004-2 is a waste of resources which could otherwise be
used to improve reliability.
No
The phrase “or has the potential to impact” makes this an impossibly broad definition, and demonstrating compliance
will not be straightforward.
No
Sabotage is still identified on the flowchart. Timeframes for reporting on Attachment 1 should be made consistent with
DOE OE-417 reporting. Also on Attachment 1, the Threshold for Reporting on a Forced Intrusion Event should be
“Affecting BES reliability” instead of “At a BES facility”.
No
Section 4 is fine, but on Attachment 1, Entity with Reporting Responsibility should just identify “Initiating entity” for every
Event, as was done with the first three Events. That way you avoid errors in leaving an entity off, or including an entity
incorrectly (as was done with the GOP on Voltage Deviations).
No
Proposed language for Section 812 is very confusing. Is the NERC “system” really going to perform all notifications:
“applicable regional entities, other designated registered entities, and to appropriate governmental, law enforcement,
and regulatory agencies as necessary”? Is it intended that the NERC “system” will relieve registered entities of the
obligation to make these other reports? Is there an implementation plan to achieve that objective? It appears that this
current version of EOP-004-2 has the potential for significantly creating redundant reporting. Will the NERC reports be
protected from FOIA disclosure? How will FERC Order 630 be followed (CEII disclosure)?
Yes
Yes
Yes
We understand that the objective of this requirement is to test the Operating Process for communicating Impact Events;
and that such test could be an actual exercise, a formal review, or a real-time implementation. But given that R1.4
requires updating the Operating Plan within 90 days of any changes, we believe the VRF for R3 should be LOW
instead of MEDIUM.
Yes
Yes
There is so much overlap between Attachment 2 and the DOE OE-417 that we believe the DOE OE-417 should be
revised to include the additional items that must be reported to NERC, so that there is only one form to submit to NERC
and DOE.
No
• Attachment 1 contains three reportable events (Damage or destruction of Critical Asset, Damage or destruction of a
Critical Cyber Asset, and Detection of a reportable Cyber Security Incident) that overlap with CIP-008-3 Cyber Security
Incident Reporting and Response Planning and could result in redundant or conflicting content between the two
standards. We propose either of the following options: 1. Remove the requirement for reporting these events from
EOP-004-2 and add the timing and reporting requirements into CIP-008-3, R1.3. “Process for reporting Cyber Security
Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). The Responsible Entity must
ensure that all reportable Cyber Security Incidents are reported to the ES-ISAC either directly or through an
intermediary.” OR 2. Replace the reporting requirement in CIP-008-3, R1.3. with a reference to report as required in
EOP-004-2.
• Also, as noted in our comment to Question #4 above, the Attachment 1 Section “Entity with Reporting
Responsibility” should just identify “Initiating entity” for every Event, as was done with the first three Events. That way
you avoid errors in leaving an entity off, or including an entity incorrectly (as was done with the GOP on Voltage
Deviations). We note that LSE is listed in the standard as an Applicable entity, and should be included in Attachment 1.
Our suggestion would handle this oversight. We also note that CIP-001 does not include Distribution Provider in the list
of applicable entities, but EOP-004-2 does include the DP.
• We reiterate our comment to Question #1 above that the DSR SDT statement that the proposed changes do not
include any real-time operating notifications is inconsistent with requiring notification within one hour for thirteen of the
twenty listed Events in Attachment 1.
• The last six events refer to the entity that experiences the potential Impact Event. We believe that the word
“potential” should be struck, as this creates an impossibly broad reporting requirement.
• Footnote 1 should be revised to strike the phrase “has the potential to” from the parenthetical, as this creates an
impossibly broad reporting requirement.
• The Impact Event “Risk to BES equipment” should be revised to “Risk to BES equipment that results in the need for
emergency actions”. The accompanying footnote 4 should be revised to read as follows: Examples could include a train
derailment adjacent to BES equipment (e.g. flammable or toxic cargo that would cause the evacuation of a BES facility
control center), or a report of a suspicious device near BES equipment.
Yes
Yes
Yes
Yes
Yes
Individual
Amir Hammad
Constellation Power Generation
5 - Electric Generators
Yes
While CPG generally agrees with the purpose statement, we believe that the term Impact Events should be removed.
Please see CPG’s response to Question 2 discussing the term Impact Events.
No
The currently proposed definition is vague and can be easily misinterpreted. Coining a term to define the events that
the DSR SDT hopes to capture in EOP-004-2 is a difficult task, one that may not be necessary. Replacing the term
“Impact Events” with “events in Attachment 1,” would eliminate the need to define such a term. In addition, the phrase
“… or has the potential to impact the reliability…” is too vague and broad. Such a broad statement is unhelpful in
clarifying entities’ compliance obligation and potentially creates conflicted reporting between entities. The language in
the reporting requirements should be limited to real impact events, while information sharing on “near miss” or
“deficiency” incidents should be handled as good industry practices and not subject to onerous compliance obligations.
The drafting team should also give careful consideration to the existing reporting and information sharing currently in
place in the industry. When an event occurs, partners in the electric sector are notified as part of existing requirements
outside of NERC compliance.
Yes
No
As stated in comments to earlier versions of EOP-004-2, CPG disagrees with the inclusion of Generator Owners. Since
one of the goals in revising this standard is to streamline impact event reporting obligations, Generator Operators are
the appropriate entity to manage event reporting as the entity most aware of events should they arise. At times, the
information required to complete a report may warrant input from entities connected to generation, but the generator
operator remains the best entity to fulfill the reporting obligation.
Yes
No
Per NERC’s glossary of terms, an Operating Plan can include Operating Process documents and Operating
Procedures. An Operating Process identifies general tasks while an Operating Procedure identifies specific tasks. CPG
is unclear as to why R1.1 and R1.3 require the use of an Operating Process while R1.2 requires an Operating
Procedure. CPG believes that R1.2 should be changed to require the use of an Operating Process instead of Operating
Procedure. R1.2 is merely requiring an entity to fill out the necessary forms should an event occur, so requiring a clear
and concise step by step procedure for filling out a form only adds a compliance burden to an entity instead of
improving the reliability of the BES. CPG does agree with the DSR SDT that an entity should have a process in place
mandating that the proper paperwork be completed in a timely manner should an event occur.
Yes
Although CPG agrees with the wording of Requirement 2, CPG has several comments and suggested changes
regarding the Attachments, to which this requirement points. Please see those comments below.
No
As CPG stated in comments to earlier versions of EOP-004-2, this requirement adds a substantial compliance burden
with little to no reliability improvement to the BES. Numerous entities in the NERC footprint have created fleet wide
compliance programs for their facilities, instead of overseeing multiple stand alone compliance programs. This was
done not just for the ease of administration, but it also greatly improves the reliability of the BES by ensuring
consistency across multiple facilities. By requiring each responsible entity to test the Operating Process, those under a
fleet wide compliance program will end up testing the same Operating Process numerous times. This would be
inefficient, ineffective and unnecessarily costly. If the testing requirement remains, then the Responsible Entity should
be able to take credit for testing of the Operating Process regardless of which entity in the fleet tested it. Alternatively,
the drafting team should consider removing Requirement 3 (formerly R4) because in practice it is covered by the new
R4. As discussed below R4 needs refinement, but the topic of Disturbance Reporting is covered during annual training.
No
The purpose of this requirement as currently worded is unclear. It seems to insinuate that a formal review of the
Operating Plan takes place annually, and that any and all personnel identified in the plant are part of the review. If that
is correct, then CPG believes this requirement is echoing Requirement 3. These two requirements can be incorporated
into one. Furthermore, the Measure for R4 is too prescriptive, going so far as to specifically describe how this formal
review should take place. It even states that the Responsible Entity needs to present documentation showing that the
personnel in the plan were trained, yet there is no requirement for training. CPG would like the DSR SDT to revisit the
purpose and intent of this requirement, alone and in concert with R3. If they are indeed similar, then consolidate them
into one requirement.
No
The requirements for filling out the DOE-OE-417 form are not necessarily the same as the requirements prescribed in
Attachment 1. CPG suggests that the drafting team create a new requirement, spelling out when an entity is required to
complete the DOE-OE-417 form.
No
CPG has the following concerns regarding Attachment 1:
• Real-Time - On page 5 of the proposed standard, the team noted that “the proposed changes do not include any
real-time operating notifications.” However, several events in Attachment 1 require that documentation be completed
and submitted to the ERO within 1 hour. For generation sites that are unmanned, or only have 1 to 2 operators on site
at all times, a 1 hour requirement is not only onerous but is essentially “real time.”
• Response within 1 hour - It is important to consider the imposition created by a compliance obligation and weigh it
against the other demands before the operator at that time. A compliance obligation should avoid becoming a
distraction from reliability related work. Under impact event type scenarios, in the first hour of the event, the primary
concern should be coping with/resolving the event. Other notification requirements exist based on required agency
response relative to the concern at hand (e.g. public evacuations, fire assistance, etc.) Notification within an hour under
EOP-004 does not appear to represent a relevant benefit to resolving the situation and the potential cost would be
borne by reliability and recovery efforts. Anything performed within the first hour of the event must be to benefit the
public or benefit the restoration of power.
• Damage or destruction of BES equipment – the reporting requirement of 1 hour is extremely onerous. A good
example is the failure of a major piece of equipment at a remote combustion turbine generation site. Combustion
turbine generation sites are not usually manned with many people. If a failure of a major piece of equipment were to
occur, the few people on site need to complete communications to affected entities, communications to their
management, as well as emergency switching and ensuring that no other pieces of equipment are affected or harmed.
There is little time to complete a form in 1 hour. This should be changed to 48 hours. The form is also inadequate for
this type of event.
o Using the example above of a failure of a major piece of equipment, CPG is not sure if it’s reportable per
Attachment 1, which further proves that Attachment 1 is not clear. Per the footnote regarding damage to BES
equipment, the failure would not be reportable, as it does not affect IROL, given the information at the plant it does not
significantly affect the reliability margin of the system, and was not damaged or destroyed due to intentional or
unintentional human action. However, it would be reportable per the table as the table states “equipment failure” and
“external cause.” Clarification is needed.
• Damage or destruction of Critical Asset – This item should be removed or significantly refined. For generation
assets, a critical asset is essentially the entire plant, so in many cases the information reported at this level would not
be useful if the valuable details reside at the equipment level. If it is not removed, then see the notes above on the 1
hour requirement for the completion of the form.
• Fuel supply emergency – 1 hour for reporting the document is unreasonable. See the earlier notes.
• Risk to BES equipment – “From a non-environmental physical threat” This item is too vague and subjective. A catch
all category to capture a broad list of potential risks is problematic for entities to manage in their compliance programs
and to audit. This should be removed.
No
See CPG’s earlier comments regarding the Requirements and Measures.
CPG has the following comments regarding Attachment 2:
• Generally, this attachment is inadequate for all events. The real-life experience with the recent SW cold snap
demonstrated that the questions inadequately capture what may be of greatest concern in the situation.
• Question 4 – this question is vague. It should be removed.
• Question 7 – the role of generation in an event may not always be related to a trip. As experienced with the recent
SW cold snap, this question may inadequately capture information relevant to the situation at hand. The drafting team
should reassess how best to gather information relevant to the event and useful for evaluation.
• Question 8 – generation is not required to monitor frequency during events, so this would not be answered. This
question also assumes that frequency had been impacted, which is not always the case (i.e., the plant could not come
online).
• The asterisk on some questions in Attachment 2 is not defined.
Group
FirstEnergy
Sam Ciccone
Yes
No
Although we agree with the definition of Impact Event, we believe that it should be clear that this term is specific to the
events listed in Attachment 1 of the standard. Therefore, we suggest adding the phrase “(as detailed in Attachment 1 of
EOP-004-2)” in the definition.
Yes
No
Attachment 1, Part A – Energy Emergency requiring Public appeal for load reduction – In the current draft Standard,
the applicability has been revised from an RC and BA to "initiating entity". We can’t see where the GO/GOP would ever
make this determination. Needs to be clarified. Attachment 1, Part A – Energy Emergency requiring system-wide
voltage reduction – In the current draft Standard, the applicability has been revised from an RC, TO, TOP, and DP to
"initiating entity". We can’t see where the GO/GOP would ever make this determination. Needs to be clarified.
Attachment 1, Part A – Voltage Deviations on BES facilities - A GOP may not be able to make the determination of a
+/- 10% voltage deviation for ≥ 15 continuous minutes, this should be a TOP RC function only. Attachment 1, Part A – Loss of offsite power (LOOP) classification should not apply to nuclear generators. The impact of a LOOP is dependent
on the design of the specific nuclear unit and may not necessarily result in a unit trip. If a LOOP did result in a unit trip,
the NRC requires notification by the nuclear GO/GOP via the Emergency Notification System (ENS), and time allowed
for that notification (1 hour, 4 hours, 8 hours, or none at all) is, as mentioned above, dependent on the design of the
plant. We believe it would be beneficial if consideration were given to coordinating reporting requirements for nuclear
units with existing required notifications to the NRC to avoid duplication of effort. Attachment 1 should align NERC
Standard NUC-001 concerning the importance of ensuring nuclear plant safe operation and shutdown. If a transmission
entity experiences an event that causes a loss of off-site power as defined in the nuclear generator’s Nuclear Plant
Interface Requirements, then the responsible transmission entity should report the event within 24 hours after
occurrence. Also, for clarity "grid supply" should be replaced with "source" to ensure that notification occurs on a loss of
one or multiple sources to a nuclear power plant. Attachment 1, Part A – Damage or destruction of BES equipment.
See Nuclear comments on question 17 below. Attachment 1, Part B – Forced intrusion at a BES facility. See Nuclear
comments on question 17 below. Attachment 1, Part B – Risk to BES equipment from a non-environmental physical
threat. What constitutes a "risk" to the reporting entity is still somewhat ambiguous, and although the DSR SDT has
provided some examples, without more specific criteria for this event the affected entity will have difficulty in
determining within 1 hour if a report is necessary. Also, see Nuclear comments on question 17 below.
Yes
No
1. We believe that the use of stringent definitions for an entity’s process requires too much of the “how” instead of the
“what”. As long as the entity has a process, procedure (or whatever they want to call it) that includes the necessary
information detailed in sub-parts 1.1 through 1.4 then that should suffice. 2. In sub-part 1.3, we suggest adding the
phrase “as applicable” to clarify that not every event will require a notification to, for example, law enforcement. 3. In
sub-part 1.4, we suggest adding clarification that the 90-day framework is only required for substantive changes and
that all other minor editorial changes can be updated within a year.
Yes
No
We believe that a separate requirement for testing the reporting process is unnecessary. The FERC directive that
required periodic testing was directed at sabotage events per CIP-001. Since the proposed standard moves the
responsibility for classifying an event as sabotage from the entity to the applicable law enforcement authority, the need
for a periodic drill is no longer necessary. We believe that Requirement R4 should suffice in ensuring that the
individuals involved in the process are aware of their responsibilities.
No
We believe that Requirement 4 does not warrant a “Medium” risk factor. For example, a simple review of the process
does not have the same impact on the Bulk Electric System as the implementation of the Operating Plan per R2.
Therefore, we believe R4 is at best a “Low” risk to the BES.
No
We believe that Requirement 5 does not warrant a “Medium” risk factor. Not using a particular form is strictly
administrative in nature and the VRF should be “Low”.
No
Nuclear facilities should be explicitly excluded from the events which have CIP standards as the threshold for reporting
since they are exempt from the CIP standards.
No
Measure M4 includes the phrase “when internal personnel were trained on the responsibilities in the plan” implies the
Requirement R4 requires training. R4 is only requiring the review of a document of the necessary personnel and that
the rest of the measure covers the needed evidence for R4. This phrase in the measure should be removed. We
suggest the following for M4: M4. Responsible Entities shall provide the materials presented to verify content and the
association between the people listed in the plan and those who participated in the review, documentation showing
who was present.
No
1. We believe that Requirement 5 does not warrant a “Medium” risk factor. Not using a particular form is strictly
administrative in nature and the VRF should be “Low”. 2. We believe that Requirement 4 does not warrant a “Medium”
risk factor. For example, a simple review of the process does not have the same impact on the Bulk Electric System as
the implementation of the Operating Plan per R2. Therefore, we believe R4 is at best a “Low” risk to the BES.
Yes
No
We believe the previous proposal for a 12 month implementation was more appropriate and suggest the team revert
back to that timeframe.
FE offers the following additional comments and suggestions: 1. In the Background section of EOP-004-2, on page 6
under Stakeholders in the Reporting Process, we suggest adding “Regional Entity” and “Nuclear Regulatory
Commission”. 2. The DSR SDT makes reference to comments that Exelon provided that suggested adopting the NRC
definition of "sabotage." We feel the comment made by Exelon in their previous submittal was to ensure that the DSR
SDT included the Nuclear Regulatory Commission (NRC) as a key Stakeholder in the Reporting Process and FE
agrees with this suggestion. Nuclear generator operators already have specific regulatory requirements to notify the
NRC for certain notifications to other governmental agencies in accordance with 10 CFR 50.72(b)(s)(xi). We ask that
the DSR SDT contact the NRC about this project to ensure that existing communication and reporting that a licensee is
required to perform in response to a radiological sabotage event (as defined by the NRC) or any incident that has
impacted or has the potential to impact the BES does not create either duplicate reporting, conflicting reporting
thresholds or confusion on the part of the nuclear generator operator. We believe this is a similar situation as what was
recently resolved between NERC and the NRC concerning the applicability of CIPs 002 – 009 for nuclear plants. Each
nuclear generating site licensee must have an NRC approved Security Plan that outlines applicable notifications to the
FBI. Depending on the severity of the security event, the nuclear licensee may initiate the Emergency Plan (E-Plan).
We ask that the proposed "Reporting Hierarchy for Impact Event EOP-004-2," flow chart be coordinated with the NRC
to ensure it does not conflict with existing expected NRC requirements and protocol associated with site specific
Emergency and Security Plans.
Individual
Scott Barfield-McGinnis
Georgia System Operations Corporation
3 - Load-serving Entities, 4 - Transmission-dependent Utilities
Yes
We agree with the purpose. However, we do not agree that the purpose will be achieved as this standard is currently
drafted or that the standard is ready for balloting.
No
It is not clear for the purposes of complying with this standard what it means to “impact reliability.” Impact in what way?
To what degree? Do not define this term. An alternative would be to define it as those events listed in Appendix 1.
Yes
None.
No
We do not agree that this standard assigns clear responsibility for reporting. It seems that multiple entities are being
required to report the same event for some events. Only one entity should report. See comments later regarding
Attachment 1. NERC should not decide which ONE entity should report. The entities should be allowed to decide this
(and include it in the Impact Event Operating Plan) and to let NERC or the region know who will report (or give them a
copy of the plan).
Yes
None.
No
-R1.3.2: “Law Enforcement”, “Governmental Agencies”, and “Provincial Agencies” are not proper nouns/names and are
not defined in the NERC Glossary. They should not be capitalized. -R1.4: Keeping documents current and in force
should be a matter of an entity’s compliance program and not of a NERC requirement. It is not clear what the difference
is between “updating the Impact Event Operating Plan” and changing “its content.” How is compliance with this
measured? Delete R1.4.
No
-We suggest moving the language from the measure to the requirement as such: "To the extent that a Responsible
Entity has an Impact Event on its Facilities, each Responsible Entity shall implement…" Additionally, R1 uses the
phrase "recognized Impact Event" whereas R2 simply uses the term "Impact Event." The phrase "recognized Impact
Event" should be used consistently in R2 as well.
No
-With the current CAN on the definition of annual, we do not believe that the additional qualification that the test shall
be conducted "with no more than 15 calendar months between tests" is necessary. Although we understand the
additional qualification is used in the VSL matrix, we recommend removing "with no more than 15 calendar months
between tests" and rely on the Responsible Entity's definition of annual and not to exceed timeframes. -We suggest
moving the language from the measure to the requirement as such: "In the absence of an actual Impact Event, each
Responsible Entity shall …"
No
-With the current CAN on the definition of annual, we do not believe that the additional qualification that the test shall
be conducted "with no more than 15 calendar months between reviews" is necessary. Remove "with no more than 15
calendar months between reviews". -R3 requires testing the process. R4 requires reviewing the plan. Testing a process
and reviewing a plan both seem to imply verifying the process/plan is correct and the appropriate actions will take
place. Training implies making personnel aware of and providing them an understanding of what the process/plan
involves and not verifying whether or not it is correct or appropriate. It is not clear what is being required in R4. -The
measure says that documentation showing when personnel were trained is required. R4 does not require training. The
requirement and the measure should be made clear and consistent.
No
R5: This standard should not require all Responsible Entities to report the same event. Entities should be allowed to
report in a hierarchical manner. They should be allowed to coordinate impact event plans and include in their plans the
entity that has the responsibility for reporting various events. Flexibility should be allowed to provide different reporting
entities depending on the type of event. In R5, does “Each Responsible Entity shall report Impact Events in accordance
with the Impact Event Operating Plan …” allow this hierarchical reporting and flexibility? An entity should be allowed to
report to another operating entity by whatever reporting form or mechanism works and then the other entity reports to
NERC using the required NERC or DOE form. Add "To the extent that a Responsible Entity had an Impact Event," at
the beginning of R5 and M5.
No
Energy Emergency requiring public appeal for load reduction: -The NERC Glossary defines “Energy Emergency” as a
“condition when a Load-Serving Entity has exhausted all other options and can no longer provide its customers’
expected energy requirements.” Per EOP-002, an Energy Emergency Alert may be initiated by the RC upon RC sole
discretion, upon BA request, or upon LSE request. -Question: Is it intended that the LSE reports the event if the LSE
requests an alert, the BA reports the event if the BA requests an alert, and the RC reports it if it is a RC sole discretion
decision? What if an alert is not initiated? Is it an Energy Emergency? Is it an impact event? Who must initiate the
public appeal? Since it must be reported within a certain time after the issuance of the public appeal, is it not an impact
event until after the initiation of the public appeal (which should be after the initiation of the alert)? Shouldn’t the
reporting of the impact event be done by the initiator of the public appeal? The event should probably be the public
appeal and not the Energy Emergency. -“Public” should not be capitalized. -The reliability objective of this standard is
not achieved by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its
objective of analyzing events has not been justified or explained. • Energy Emergency requiring system-wide voltage
reduction: See Energy Emergency requiring public appeal for load reduction above regarding requesting Energy
Emergency Alerts. If this event is to be reported within a certain time after “the event”, at what time is the event
marked? Or is it within a certain time after the initiation of the voltage reduction and, if so, shouldn’t the reporting of the
impact event be done by the initiator of the voltage reduction? The event should probably be the system-wide voltage
reduction and not the Energy Emergency. The reliability objective of this standard is not achieved by NERC knowing of
this within 1 hour and NERC does not need to know this within 1 hour and the need for NERC to know this within 1
hour to meet its objective of analyzing events has not been justified or explained. Energy Emergency requiring manual
firm load shedding: -See Energy Emergency requiring public appeal for load reduction above regarding requesting
Energy Emergency Alerts. If this event is to be reported within a certain time after “the event”, at what time is the event
marked? Or is it a certain time after the initiation of the shedding of load, if so, shouldn’t the reporting of the impact
event be done by the initiator of the shedding of the load? If the RC directs a BA to shed load, then the BA directs a DP
to do it, then the DP sheds the load, who is the initiator of the load shedding? The event should probably be the firm
load shedding and not the Energy Emergency. -The reliability objective of this standard is not achieved by NERC
knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events
has not been justified or explained. Energy Emergency resulting in automatic firm load shedding: Whenever load is
automatically shed both the DP and the TOP “experience” the event. So does the BA and the LSE. This event includes
“or” between “DP” and “TOP.” Is that intentional? Other events in the table do not include either an “and” or an “or.” The
entities are separated only by commas. NERC should not require multiple entities to report the same event. See
comment for R5 above. If a DP "experiences" an automatic load shedding doesn't the TOP also experience it? Both
should not report the same event. -The reliability objective of this standard is not achieved by NERC knowing of this
within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events has not been
justified or explained. Voltage deviations on BES Facilities: -Should GOs/GOPs be required instead to report to BAs
when this condition exists with the BA then reporting to NERC? The idea of a deviation "on BES Facilities" is not clear.
On any one Facility? On all Facilities in an area? How wide of an area? -“Voltage Deviation” is not a proper noun/name
and is not defined in the NERC Glossary. It should not be capitalized. IROL violation: Multiple entities should not report
the same event. Please define “IROL Violation” or use lowercase. It is assumed that “IROL Violation” means operation
“outside the IROL for a time greater than IROL TV.” Loss of firm load for ≥ 15 minutes: -Multiple entities should not
report the same event. The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour
and the need for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or
explained. “Firm Demand” is defined but not “Firm load.” System separation (islanding): -Multiple entities should not
report the same event. A DP separating from the transmission system should not be a reportable event for a DP in and
of itself. If it leads to a sufficient loss of load, it is reportable as above. -The reliability objective of this standard is not
achieved by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective
of analyzing events has not been justified or explained. The words “separation” and “islanding” should not be
capitalized. Generation loss: -Should GOs/GOPs be required instead to report to BAs when their generation is lost with
the BA then reporting to NERC when the total is ≥ 2,000 MW? A “loss” of generation should be clarified. Is the
discovery of damaged equipment in an offline plant which makes the plant unavailable for an extended period of time a
“loss” of generation? -It should be clarified if this event means the concurrent loss of the generation or losing the
generation non-concurrently but they are concurrently unavailable. What is the time window for losing the generation?
Lost within seconds of each other? Minutes? Hours? Loss of off-site power to a nuclear generating plant (grid supply): -Multiple entities should not report the same event. -“Off” should be lowercase. Transmission loss: -RCs should not be
required to report the loss of transmission elements to NERC. A “loss” of a BES Transmission Element should be
clarified. It should be clarified if this event means the concurrent loss of elements or the non-concurrent loss of the
elements but they are concurrently unavailable. What is the time window for losing the elements? When elements are
lost, it will be difficult to differentiate if they are BES Transmission Elements or not. Alarms don't immediately identify
this. It could lead to gross over-reporting if no distinction is made by a TOP and the TOP reports all losses of 3
elements. It may still be over-reporting (from a reasonableness/practicality basis) even if the differentiation could be
easily made and only BES Transmission Elements are reported. Threshold for reporting Transmission Loss: As stated,
this will require the reporting of almost all transmission outages. This is particularly true taking into consideration the
current work of the drafting team to define the Bulk Electric System. The loss of a single 115kV network line could meet
the threshold for reporting as the definition of Element includes both the line itself and the circuit breakers. Instead, we
recommend the following threshold "Three or more BES Transmission lines." This threshold has consistency with CIP-002-4 and draft PRC-002-2. This threshold also needs additional clarification as to the timeframe involved. Is the intent
the reporting of the loss of 3 or more BES Transmission Elements anytime within a 24 hour period or must they be lost
simultaneously? Also, we recommend that the three losses be the result of a related event to require reporting.
Damage or destruction of BES equipment that i. affects an IROL; ii. significantly affects the reliability margin of the
system (e.g., has the potential to result in the need for emergency actions); or iii. damaged or destroyed due to
intentional or unintentional human action (Do not report copper theft from BES equipment unless it degrades the ability
of equipment to operate correctly, e.g., removal of grounding straps rendering protective relaying inoperative.): -What is
“BES equipment?” Would an operator know which equipment is BES equipment and which is not or which BES
equipment affects an IROL (if we had one) or which does not? It is a judgment call as to whether the effect was
significant or not or if it has the potential or not. Multiple entities should not report the same event. Unplanned control
center evacuation: -“Control Center” should be lowercase. -The reliability objective of this standard is not achieved by
NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing
events has not been justified or explained. Fuel supply emergency: Multiple entities should not report the same event.
Should GOs/GOPs be required instead to report to BAs when they have a fuel supply emergency with the BA then
reporting to NERC if the situation is projected to require emergency action at the BA level? -The reliability objective of
this standard is not achieved by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour
to meet its objective of analyzing events has not been justified or explained. Loss of all monitoring or voice
communication capability (affecting a BES control center for ≥ 30 minutes): -Does this event mean that ALL capability
at both the primary and backup control centers or just one? Forced intrusion at a BES facility (report if you cannot
reasonably determine likely motivation, i.e., intrusion to steal copper or spray graffiti is not reportable unless it affects
(affects – not effects) the reliability of the BES): -What is a “BES facility?” It is not clear for the purposes of complying
with this standard what it means to affect the reliability of the BES. Deferred for ECMS review and additional
comments. Risk to BES equipment (examples include a train derailment adjacent to BES equipment that either could
have damaged the equipment directly or has the potential to damage the equipment, e.g., flammable or toxic cargo that
could pose fire hazard or could cause evacuation of a BES facility control center, and report of suspicious device near
BES equipment.): -In the footnote, delete “could have” from “…either could have damaged…” Something that could
cause evacuation of a control center does not pose a risk to damaging BES equipment. The threshold is “from a non-environmental physical threat” but the example (toxic cargo) IS an environmental threat.
No
There are a lot of inconsistencies between the requirements and the measures. The measures add requirements that
are not stated in the requirements. The measures need to be made consistent with the requirements and to not add to
them. Also see comments on requirements earlier for language to move from the measures into the requirements. M2:
Remove "on its Facilities." The word "its" leads to a lot of confusion regarding who reports what. Attachment 1 should
make clear "what" needs to be reported. The entities' operating plan should make it clear as to who should report each
"what." Furthermore, not all Impact Events are "on Facilities." M3: Replace "that it conducted a mock Impact Event"
with "that it conducted a test of its Operating Process". Delete "The time period between actual and or mock Impact
Events shall be no more than 15 months." M4: The measure says that documentation showing when personnel were
trained is required. R4 does not require training. The requirement and the measure should be made clear and
consistent.
No
Failing to report to NERC any of many of the listed events does not present a reliability risk. The exception to this would
be those threat events where the ES-ISAC needs to be notified. The object of the standard is to prevent or reduce the
risk of Cascading. Reporting system situations to appropriate operating entities who can take some mitigating action
(e.g., a LSE reporting to its BA or a BA reporting to its RC) and reporting threats to law enforcement officials could
prevent or reduce the risk of Cascading but reporting to NERC (except for events where the ES-ISAC needs to know)
is unlikely to do that. Reporting of most of the listed events to NERC does not meet the objective of this standard and
should be removed from this standard. Such events should be reported to NERC through some other (than a Reliability
Standard) requirement for reporting to NERC so that NERC can accomplish its mission of analyzing events. Analyzing
events may lead to an understanding that could reduce the future risk of Cascading but analyzing events cannot be
performed in time to reduce any impending risks.
No
None.
Yes
None.
No
There is nothing about the revisions that were made to the requirements that shortens the time needed by the industry
to get prepared for this revision. The removal of requirements for NERC does not shorten the requirements for the
industry. Eighteen months (or 12 months minimum) should be allotted to prepare for this revision.
Attachment 2: Impact Event Reporting Form -Instructions for filling out this form are needed. -Line 7, Generation
tripped off-line: What is the asterisk for after this task and after the many others following? This should only be reported
by a BA. Does generation “tripped off-line” mean the same as generation “lost?” -Line 9, List of transmission facilities
(lines, transformers, buses, etc.) tripped and locked-out: Does this mean the same as BES Transmission Elements
lost? -Line 10: The column headings in white text on lighter blue background at the top do not seem to apply from this
line on. -Line 11, Restoration Time: Restoration of what? Initial/Final clock time? Transmission? What about
transmission? Generation/Demand? -Line 13, Identify the initial probable cause or known root cause of the actual or
potential Impact Event if known at time of submittal of Part I of this report: “At the time of submittal of Part I of this
report”?? Where is Part II? Did you mean Part A? Is Part B to be submitted at a different time? Background -Page 5,
last sentence which is continued on page 6: This standard does not recognize the various “versions” of companies in
the industry. The standard is made applicable to a long list of registered entity types. In many cases, many of these
entities are wrapped into one company. A company may be responsible for “everything” in a geographic area. It may be
almost every registered entity type with no other registered entities within its geographic area. There should be no
conflicts or need for coordination with others for this company. Everything would be coordinated internally within that
one company before being reported to NERC and no one else would be reporting to NERC. However, sometimes one
company is only a LSE. When an LSE-only is having a LSE impact event, the LSE should report to some higher
operating entity like its BA and should not report to NERC. Reporting should be done in a hierarchical manner within
appropriate operating entities and then reported to NERC at the RC (or BA) level or as agreed among entities in any
coordinated impact event reporting plans. The RC, BA, TOP, and LSE should not all be held accountable for reporting
the same event. This standard does not deal exclusively with after-the-fact reporting. Some events deal with the
condition of the system (risk of possible future events) or condition of an entity’s ability to operate (supplying fuel,
covering load, etc.) or with a threat to the BES. -Page 6, Summary of Concepts: A single form may have been an
objective but it is obviously not a concept being implemented by the standard. There are two forms. -Page 6, Law
Enforcement Reporting: The object of the standard may be to prevent or reduce the risk of Cascading. Reporting
system situations to appropriate operating entities who can take some mitigating action (e.g., a LSE reporting to its BA
or a BA reporting to its RC) and reporting threats to law enforcement officials could prevent or reduce the risk of
Cascading but reporting to NERC is unlikely to do that. Reporting of most of the listed events to NERC does not meet
the objective of this standard and should be removed from this standard. Such events should be reported to NERC
through some other (than a Reliability Standard) requirement for reporting to NERC so that NERC can accomplish its
mission of analyzing events. Analyzing events may lead to an understanding that could reduce the future risk of
Cascading but not any impending risks. -Page 6, Stakeholders: What is “Homeland Security – State?” We know what
the Department of Homeland Security and the State Department are but this term is not clear. -Page 6, “State
Regulators”, “Local Law Enforcement”, and “State Law Enforcement”: These are not proper nouns/names and are not
defined in the NERC Glossary. They should not be capitalized. -Pages 7 & 8, Law enforcement: Is each entity required
to determine procedures for reporting to law enforcement and work it out with the state law enforcement agency? Do
the state law enforcement agencies know this? Or is there a pre-determined procedure that is already worked out with
the state law enforcement agency that entities are to follow?
Individual
Max Emrick
City of Tacoma, Department of Public Utilities, Light Division, dba Tacoma Power
1 - Transmission Owners, 3 - Load-serving Entities, 4 - Transmission-dependent Utilities, 5 - Electric Generators, 6 - Electricity Brokers, Aggregators
No
"To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of Impact
Events and their causes, if known by the Responsible Entities" The revised purpose statement includes the phrase, “if
known”. This seems like a huge loophole. They should change it to “when discovered” or “when notified”.
Yes
Yes
Yes
Yes
Yes
However, there needs to be some clarity on which government agencies (if not the FBI) are responsible for reporting
these types of events.
No
There are generally several events during the year. If the process is well documented, a drill or exercise is excessive. It
should be sufficient to say “provide training”.
Yes
Yes
Yes
No
The one hour reporting timeline is unrealistic for this event. In general it looks like other events requiring the 1 hour
reporting timeline are for events that are ‘initiated’ by the system operator (i.e., load shedding, public load reduction,
EEP…). Loss of BES equipment is in general 24 hour reporting timeline. It should be, “as soon as possible but within
24 hours".
No
M3 -The testing of the Plan by drill or mock impact event is unnecessary and burdensome.
No
Yes
No
Why shorten the normal process?
No
The implementation Plan was to move up the timeline and we do not see why this needs to be pushed forward on a
shortened timeline. It should remain at the one year implementation schedule especially if annual exercises are not
removed from the standard requirements as this takes some time to prepare.
We like the option to use the OE_417 as the reporting form for these events.
Group
Compliance & Responsibility Organization
Silvia Parada Mitchell
No
See comments set forth in number 2.
No
NextEra Energy Inc. (NextEra) appreciates the drafting team providing valuable ideas and a framework on how to
improve and consolidate CIP-001 and EOP-004. However, NextEra also believes that the currently drafted EOP-004-2
needs to be revised and enhanced to more clearly explain the Responsible Entities’ duties, the definition of sabotage
and address FERC directives and concerns. For example, NextEra is not in favor of using the term “Impact Event” which
seems to add considerable confusion of what is or is not sabotage. In Order No. 693, FERC stated its interest in NERC
revising CIP-001 to better define sabotage and requiring notification to the certain appropriate federal authorities, such
as the Department of Homeland Security. FERC Order 693 at PP 461, 462, 467, 468, 471. NextEra has provided an
approach that accomplishes FERC’s objectives and remains within the framework of the drafting team, but also
focuses the process of determining and reporting only those sabotage acts that could impact other BES systems.
Today, there are too many events that are being reported as sabotage to all parties in the Interconnection, when in
reality these acts have no material effect or potential impact to other BES systems other than the one that experienced
it. For example, while the drafting team notes the issue of copper theft is a localized act, there are other localized acts
of sabotage that are committed by an individual, and these acts pose little, if any, impact or threat to other BES
systems other than the one experiencing the sabotage event. Reporting sabotage that has no need to be sent to everyone
does not necessarily add to the security or reliability of the BES. Related, there is a need to clarify some of the current
industry confusion on who should (and has the capabilities to) be reporting to a broader audience of entities. Hence,
NextEra's approach provides a clear definition of sabotage, as well as the process for determining and reporting
sabotage. NextEra further believes that some of the requirements can be consolidated and more clearly stated, and
NextEra has attempted to do that in the approach presented below. Lastly, NextEra's comments on Attachment 1 are
submitted in response to question 17.
NextEra Approach
Delete definition of Impact Event and its use in the requirements and in Attachment 1
Delete 13, 14, 15 and 19 in Attachment 1
Delete and replace R1 through R5 with the following:
New Definition
Attempted or Actual Sabotage: an intentional act that attempts to or does destroy or damage
BES equipment or a Critical Cyber Asset for the purpose of disrupting the operations of BES equipment, Critical Cyber
Asset or the BES, and has a potential to materially threaten or impact the reliability of one or more BES systems (i.e., is
one act in a larger conspiracy to threaten the reliability of the Interconnection or other BES systems).
R1. Each Responsible Entity shall document and implement a procedure (either individually or jointly with other Responsible
Entities) to accomplish the reporting requirements, including the time frames, assigned to the Responsible Entity as set
forth in Attachment 1 items 1 through 12, 16, 17 and 18 for reporting from the Responsible Entity to its Regional Entity
and NERC, using the form in Attachment 2 or the DOE OE-417 reporting form.
R2. Each Responsible Entity shall document and implement a procedure (either individually or jointly with other
Responsible Entities) to report to its internal personnel with a need to know and its Reliability Coordinator an act of
Attempted or Actual Sabotage, using the form in Attachment 2 or the DOE OE-417 reporting form, within one hour after a
determination has been made that an act of Attempted or Actual Sabotage has occurred. To make a determination that an
act of Attempted or Actual Sabotage has occurred, the Responsible Entity shall document and implement a procedure that
requires it, as soon as practicable after discovering an act appearing to be Attempted or Actual Sabotage, to engage local
law enforcement or the Federal Bureau of Investigation or Royal Canadian Mounted Police, as deemed appropriate, to
assist the Registered Entity make such a determination. Upon receiving a report of Attempted or Actual Sabotage from
a Responsible Entity, the Reliability Coordinator shall within one hour forward the report to other impacted Reliability
Coordinators, Responsible Entities, Regional Entities, NERC, Department of Homeland Security, and the Federal
Bureau of Investigation or the Royal Canadian Mounted Police.
R3. Each Responsible Entity shall review (and conduct a test for sabotage only) of its documented procedure required in
R1 and R2 with no more than 15 calendar months between tests for sabotage reporting. If, based on the review or test,
the Responsible Entity determines there is a need to update its documented procedure, it shall update the procedures
within 90 calendar days of the review or test.
No
See comments set forth in number 2.
Yes
No
See comments to 2. Also, although NextEra agrees that a documented procedure is appropriate, NextEra does not
favor the current approach of pre-defined layers of processes and documentation that seem to overly complicate, and,
possibly contradict, already established internal methods by which a company implements policies, procedures and
processes. Thus, NextEra’s options suggest using a more generic approach that allows entities more flexibility to
establish documents and processes, and demonstrate compliance. Such a generic approach was used in NextEra’s
proposed options set forth in response to number 2.
No
See comments set forth in number 2.
No
See comments set forth in number 2. Also, while NextEra understands the need to have a testing requirement for
sabotage (Order 693 at P 446), it does not find it necessary to have a testing requirement for the other events. At this
time in the process, additional requirements for the sake of having a requirement are likely to detract from reliability.
Thus, NextEra requests that the testing requirement be limited to sabotage related events.
No
See comments set forth in number 2
Yes
No
See comments set forth in number 2
No
See comments set forth in number 2.
No
See comments set forth in number 2.
No
See comments set forth in number 2.
Yes
Nuclear power plants (a need for a revised approach) With respect to sabotage, damage or destruction of BES
equipment, damage or destruction of a Critical Asset, damage or destruction of a Critical Cyber Asset, forced intrusion,
etc., nuclear plants already have a responsibility to report the events to the FBI and the Nuclear Regulatory
Commission (NRC). Performing another report to NERC, with potentially different requirements, within 60 minutes of an
event does not seem necessary or practical. It would also be difficult, during an event, to report to external
organizations, including but not limited to the Responsible Entities’ Reliability Coordinator, NERC, Responsible Entities’
Regional Entity, Law Enforcement, and Governmental or Provincial Agencies when operations personnel are preoccupied with an abnormal or emergency situation. Further, nuclear plants already have an obligation to report the loss
of off site power to NRC. Similarly, now that cyber assets will be regulated by the NRC, these reporting requirements
should not be applicable to a nuclear power plant. Thus, there is a need to exempt nuclear power plants from these
requirements or provide more flexibility to such plants, given its pre-existing NRC reporting requirements. Attachment
1. There is no explanation for why a report must be submitted within one hour of an event. As stated with respect to
nuclear, an entity should not be prioritizing between stabilizing the system and reporting. One approach that would help
balance conflicting priorities is to start the time frame after “all is clear.” Another approach could involve the use of
target times, with an allowance for exceptions during emergencies or situations in which it is impracticable. Another
alternative is to have two times: an earlier “target reporting time” and second later “mandatory reporting time.” Further,
the current wording suggests that a generator owner or generator operator will be able to determine the impact or
potential impact on the BES. This is not realistic, given that impacts to the BES are generally only understood at a
transmission operator or reliability coordinator level. Thus, the concept of relying on generators to determine impacts
on the BES needs to be eliminated. Also, as written, for a generator, Attachment 1 appears to require a report when a
lightning arrestor fails at a Critical Asset. NextEra cannot see any justification for reporting such an event, and this is
another reason why Attachment 1 needs more review and revision prior to the next draft of EOP-004-2. This is one
reason why NextEra has suggested a materiality test for reporting in a definition of Attempted or Actual Sabotage.
Individual
Rex Roehl
Indeck Energy Services
5 - Electric Generators
No
The reporting of events does not improve the reliability of the BES. If someone takes action based on the reporting,
there might be an improvement. Because many of these events are not preventable, such as sabotage or weather,
reporting them won't improve reliability. The original Purpose was satisfactory.
No
It's not a definition. It needs some quantification, such as, a Reportable Disturbance (NERC glossary), a reportable
event under DOE OE-417, sabotage or bomb threat. Defining it as having or potentially having an impact is no
definition. What is an impact? It needs to be quantified or auditors will have license to define it any way that they want.
It shouldn't be a NERC Glossary definition if its only use is in EOP-004. Within EOP-004, it can be defined as anything
in Attachment 1.
No
The SDT hasn't defined sabotage. Attachment 1 does not do justice to the concept of sabotage. Sabotage should be
defined as any intentional damage to BES facilities that causes a Reportable Disturbance, reportable event under DOE
OE-417 or involves a bomb or bomb threat.
No
Voltage Deviations should not be reportable by GOP. That's why we have TOP's. Damage or destruction of BES
equipment should be reportable only if it causes or could cause a Reportable Disturbance, reportable DOE OE-417
event or sabotage (as defined above). Otherwise, an auditor could require reporting of a relay failure caused by human
error even though the relay was in test mode and no BES impact was experienced. This category could be dropped in
favor of the next one, damage to Critical Asset. Fuel Supply Emergency needs a definition. For natural gas, various
conditions could be referred to as emergencies, but unless they actually affect generation, they should not need to be
reported. Fuel Supply Emergencies that cause a Reportable Disturbance or reportable DOE OE-417 event should be
reported. It is unclear why Forced Intrusion should be reportable under EOP-004. If it causes a problem, it will be
reportable as another category and is one more unpreventable event. Forced Intrusion isn't, in many cases, as the
exceptions try to define, an impact event at all, but could be a cause, which would be reported as the cause of an
impact event. Risk to BES Equipment is not well defined. It should be expanded to Risk to BES Equipment from a non-environmental physical threat within a reasonable distance of the Equipment. A train derailment on the line past the
plant would likely be known, whereas one that was 1/2 mile or more away with flammable materials might not be known
about unless a public warning was made.
Yes
No
The terms are not important and many plans or procedures already exist and restructuring them to match the terms is
wasteful. R1 is too prescriptive. R1 should state that a written document should show how the entity will comply with
EOP-004. R1.2 is superfluous and should be deleted. The data must be gathered and the process will vary with the
event. Trying to define the multitude of possibilities for the collection process is not productive and leaves open the
possibility of missing something for an auditor to nit pick. R1.3 should just be a written communications
plan/process/procedure for external notifications. R1.4 is redundant because it can't be changed within 90 days until
the content has already been changed. R1.4 should be deleted. The Violation Risk Factor should be Low, if any,
because this is historical reporting, with little or no reliability consequence.
No
R2 is direct and to the point. The Violation Risk Factor should be Low, if any, because this is historical reporting, with
little or no reliability consequence.
No
For smaller entities, for which few of the Attachment 1 events apply (eg a 75 MW wind farm), a drill is overkill.
Reviewing the procedure during training should be sufficient. The solution is to require a drill for any entity for which
any of the Attachment 1 events would cause a Reportable Disturbance or reportable DOE OE-417 event and training
review for any other entities. The Violation Risk Factor should be Low, if any, because this is historical reporting, with
little or no reliability consequence.
R4 is redundant with R3 and should be deleted. The Violation Risk Factor should be Low, if any, because this is
historical reporting, with little or no reliability consequence.
No
The Violation Risk Factor should be Low, if any, because this is historical reporting, with little or no reliability
consequence.
No
Comments were included in previous comments.
No
M1 is OK. M2 should be about implementation, not about any particular events--M5 is about events. Implementation
would include distribution and training. M3 should be modified to reflect a training review by entities that cannot cause a
Reportable Disturbance or reportable DOE OE-417 event and for the others documentation of an actual event (which is
not included in the present M3) or a drill or mock event. M4 is OK. M5 should only include the reports submitted and
the date of submission. Further evidence of the event is redundant.
No
If there are any, they should all be Low because this is reporting of historical events. There is no direct effect on BES
reliability. Some effect could occur if someone reacts to the reports, but many are concerning unpreventable events.
No
There should be only Lower VSL's. This is reporting of historical events and there is no direct effect on BES reliability.
How does missing 3 parts of R1 compare to tripping a 4,000 MW generating station because vegetation was not
properly managed? Just because there are 4 levels, doesn't mean that all Standards need to use them all. If you step
back, and think about causes of cascading outages, reporting events 1 hour or 24 hours later has no significance.
There is no direct preventative causation either.
No
These requirements have no time horizon. They're about history and not about the future.
Yes
This revision seriously missed the mark.
Group
SERC OC Standards Review Group
Gerald Beckerle
Yes
No
We believe the definition is too broad even considering Attachment 1, footnote 1, which, for example, uses the term
significantly and other ambiguous terms. Consideration should be given to limiting the definition to unplanned events.
Yes
No
We agree that all of the entities listed should be responsible for reporting an event, provided they own BES assets, but
guidance should be given for which entity in Attachment 1 actually files the report to avoid duplication for a single
event.
No
We agree that the ERO should not have requirements applicable to them, but disagree with changing or revising the
Rules of Procedure (ROP) giving this reporting responsibility solely to NERC. This responsibility may be performed by
NERC but other learning organizations should also be considered for performing this responsibility. In addition, the
proposed wording of the revision to the ROP appears to place the responsibility of notifying the appropriate law
enforcement with NERC rather than with the local responsible entity.
No
This is a reporting requirement and should not be confused with Operating Plans that have specific operating actions
and goals. Each entity should prepare its own event reporting guideline that addresses impact events, identification,
information gathering, and communication without specifying a specific format such as Operating Plans, Operating
Process and Operating Procedures.
No
We agree with the concept, but disagree with the use of the term “Operating Plan” as a defined term in line with our
comments in question 6 above.
No
Annual testing of an “after-the-fact” reporting procedure does not add to the reliability of the BES!
Yes
We agree with the concept, but disagree with the use of the term “Operating Plan” as a defined term in line with our
comments in question 6 above.
Yes
We agree with the concept, but disagree with the use of the term “Operating Plan” as a defined term in line with our
comments in question 6 above.
No
While we agree with the changes made, we do not believe the goal of eliminating duplicate reporting has been
accomplished. In addition, the threshold for transmission loss does not adequately translate to previous “loss of major
system components” which had a threshold of “significantly affects the integrity of interconnected system operations”.
No
The measures should be revised to match the general nature of the comments we have made on each requirement.
No
How can an after-the-fact report require a VRF greater than low?
No
The VSLs should reflect the comments on the requirements above.
No
R2 and R5 should be in the Operations Assessment time horizon.
Yes
In Attachment 1, the reporting timeline should be no less than the end of the next business day for after-the-fact
reporting of events. If reporting in a time frame less than this is required for reliability, the groups or organizations
receiving the reports should be included in the functional model. The emphasis should be on giving the operators the
time to respond to events and not to reporting requirements. “The comments expressed herein represent a consensus
of the views of the above named members of the SERC OC Standards Review group only and should not be construed
as the position of SERC Reliability Corporation, its board or its officers.”
Individual
Patricia Robertson
BC Hydro
1 - Transmission Owners, 2 - RTOs and ISOs, 3 - Load-serving Entities, 5 - Electric Generators
Yes
Yes
For the change from 24hr to 1hr reporting for events, 1 hour goes extremely quickly in these types of events and it will
be difficult to report anything meaningful. As the RC is kept informed during the event why is the report required within
1hr?
Individual
Tony Kroskey
Brazos Electric Power Cooperative
1 - Transmission Owners
No
Instead of Impact Event could simply call it Event Information Reporting.
No
Yes
No
Inclusion of LSE and DP is questionable.
No
Yes
Yes
Yes
Yes
No
Question applicability to DP.
No
M2 and M5 appear to duplicate each other.
No
A one year implementation is needed to develop and implement formal documents to meet requirements.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO)
• FERC
• DOE
• DHS – Federal
• Homeland Security- State
• State Regulators
• Local Law Enforcement
• State Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP) (addition)
• Provincial Law Enforcement (addition)
• Municipal Law Enforcement (addition)
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law enforcement
coordinate to investigate suspected acts of vandalism and sabotage. The Provincial law enforcement agency
has a reporting relationship with the Royal Canadian Mounted Police (RCMP).
The above should read as follows;
Coordination of Municipal and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Municipal and provincial law enforcement
coordinate to investigate suspected acts of vandalism and sabotage. Municipal and provincial law enforcement
agencies have a reporting relationship with the Royal Canadian Mounted Police (RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with FBI, FERC Staff, NERC Standards Project Coordinator and SDT Chair is reflected
in the flowchart below (Reporting Hierarchy for Impact Event EOP-004-2). Essentially, reporting an Impact
Event to law enforcement agencies will only require the industry to notify the state or provincial level law
enforcement agency. The state or provincial level law enforcement agency will coordinate with local law
enforcement to investigate. If the state or provincial level law enforcement agency decides federal agency law
enforcement or the RCMP should respond and investigate, the state or provincial level law enforcement
agency will notify and coordinate with the FBI or the RCMP.
The above should read as follows; (red reflects suggested changes)
A Reporting Process Solution – EOP-004
A proposal discussed with FBI, FERC Staff, NERC Standards Project Coordinator and SDT Chair is reflected
in the flowchart below (Reporting Hierarchy for Impact Event EOP-004-2). Essentially, reporting an Impact
Event to law enforcement agencies will only require the industry to notify the state or provincial or local or
municipal law enforcement agency. The state or provincial or local or municipal law enforcement agency will
coordinate with law enforcement of jurisdiction to investigate. If the state or provincial or local or municipal
law enforcement agency decides federal agency law enforcement should respond and investigate, the state or
provincial or local or municipal law enforcement agency will notify and coordinate with the FBI or the RCMP.
Compliance
Compliance Enforcement Authority
• Regional Entity; or
• If the Responsible Entity works for the Regional Entity, then the Regional Entity will establish an
agreement with the ERO or another entity approved by the ERO and FERC (i.e. another Regional
Entity) to be responsible for compliance enforcement.
The above needs to reflect Canadian compliance authorities as they do not include FERC therefore I suggest
the following (red reflects suggested changes/additions)
• Regional Entity; and or applicable Canadian provincial authority; or
• If the Responsible Entity works for the Regional Entity, then the Regional Entity will establish an
agreement with the ERO or another entity approved by the ERO and FERC (i.e. another Regional
Entity), or applicable Canadian Provincial authority, responsible for compliance enforcement.
Consideration of Comments on Disturbance & Sabotage Reporting – 2009-01
Consideration of Comments on Disturbance & Sabotage Reporting —
Project 2009-01
The Disturbance & Sabotage Reporting Drafting Team (DSR SDT) thanks all commenters
who submitted comments on the Second Posting of EOP-004-2, Impact Event Reporting
(Project 2009-01).
This standard was posted for a 30-day public comment period from March 9, 2011 through
April 8, 2011. The stakeholders were asked to provide feedback on the standard through a
special Electronic Comment Form. There were 60 sets of comments, including comments
from 188 different people from approximately 132 companies representing 10 of the 10
Industry Segments as shown in the table on the following pages.
In this report, comments have been organized by question to make it easier to see where
there is consensus. Comments may be reviewed in their original format on the project
page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
If you feel that your comment has been overlooked, please let us know immediately. Our
goal is to give every comment serious consideration in this process! If you feel there has
been an error or omission, you can contact the Vice President and Director of Standards,
Herb Schrayshuen, at 404-446-2560 or at herb.schrayshuen@nerc.net. In addition, there is
a NERC Reliability Standards Appeals Process. 1
1 The appeals process is in the Standard Processes Manual:.
Summary Consideration: The DSR SDT received many comments regarding the proposed
definition of “Impact Event,” the requirements, and event reporting in Attachment 1. The
main stakeholder concerns were addressed as follows:
• Many stakeholders disagreed with the need for the definition of “Impact Event” and
felt that the definition was ambiguous and created confusion. The DSR SDT agrees
and has deleted the proposed definition from the standard. The list of events in
Attachment 1 is all-inclusive and no further attempts to define “Impact Event” are
necessary.
• Many stakeholders raised concerns with the 1 hour reporting requirement for certain
types of events. The commenters believed that the restoration of service or the
return to a stable bulk power system state may be jeopardized by having to report
certain events within one hour. The DSR SDT agreed and revised the reporting time
to 24 hours for most events, with the exception of damage or destruction of BES
equipment, forced intrusion or cyber related incidents.
• Many stakeholders suggested that the reporting of events after the fact only justified
a VRF of “lower” for each requirement. With the revised standard, there are now
three requirements. Requirement 1 specifies that the responsible entity have an
Operating Plan for identifying and reporting events listed in Attachment 1. This is
procedural in nature and justifies a “lower” VRF, as this requirement deals with the
means to report events after the fact. The current approved VRFs for EOP-004-1 are
all “lower” with the exception of Requirement R2 which is a requirement to analyze
events. This standard relates only to reporting events. Analysis of reported events
is addressed through the NERC Events Analysis Program. Proposed changes to the
Electric Reliability Organization Events Analysis Process Field Trial documents that
clarify the role of the Events Analysis program in analyzing reported events will be
posted for stakeholder comment separately.
• The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the
Operating Plan once per year (R3). Requirement R2 specifies that an entity is
responsible for reporting events to the appropriate entities in accordance with the
Operating Plan based on Attachment 1. Requirement R3 makes sure that an entity
can communicate information about events. Some of these events are dealing with
potential sabotage events, and part of the reason to communicate these types of
events is to make other entities aware to help prevent further sabotage events from
occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs
for each of the requirements is “medium.” The VRFs for EOP-004-2 are consistent
with the existing approved VRFs for both EOP-004 and CIP-001.
• Several commenters wanted more clarity regarding which entities report and to
whom they report. Many stakeholders were confused regarding law enforcement
notifications and questioned whether certain types of events (IROL, Public Appeal,
etc.) needed to be reported to law enforcement. The background section of the
standard provides guidance with respect to reporting events to law enforcement. For
clarity, the DSR SDT has added the following sentence to the first paragraph under
the heading “Law Enforcement Reporting”: “These are the types of events that
should be reported to law enforcement.” The entire paragraph is:
o “The reliability objective of EOP-004-2 is to prevent outages which could lead
to Cascading by effectively reporting events. Certain outages, such as those
due to vandalism and terrorism, may not be reasonably preventable. These
are the types of events that should be reported to law enforcement. Entities
rely upon law enforcement agencies to respond to and investigate those
events which have the potential to impact a wider area of the BES. The
inclusion of reporting to law enforcement enables and supports reliability
principles such as protection of bulk power systems from malicious physical or
cyber attack. The Standard is intended to reduce the risk of Cascading
events. The importance of BES awareness of the threat around them is
essential to the effective operation and planning to mitigate the potential risk
to the BES.”
• Some commenters also questioned whether or not the existing applicability would
result in multiple reports being submitted by different entities for the same event.
NERC staff has indicated that this is acceptable and that having multiple types of
entities report the same event may provide different types of information about the
event.
Commenters also had concerns about the applicability of the standard to Load Serving
Entities who may not own physical assets as well as to the ERO and Regional Entity. The
DSR SDT agrees that the Distribution Provider owns the assets per the Functional Model;
however the LSE is an applicable entity under CIP-002. Events relating to the CIP-002 assets
are to be reported by the LSE. These are envisioned to be cyber assets. The DSR SDT also
includes the ERO or the RE as applicable entities based on the applicability of CIP-002.
Some commenters identified issues with the footnotes in Attachment 1. These were revised
as suggested. There were a few instances where the word “sabotage” remained in the
standard or the flowchart. The DSR SDT has removed all instances of “sabotage” and
replaced them with “event,” and revised the flowchart to remove references to sabotage.
Several commenters were concerned that the DSR SDT and the NERC Events Analysis
Working Group (EAWG) may not be in alignment. The DSR SDT is working in close
coordination with the EAWG and will continue to develop the standard and will make the
EAWG aware of the DSR SDT’s efforts.
The issue of the FERC directives relating to this project was broached by several
commenters. The DSR SDT envisions EOP-004-2 to be a continent-wide reporting standard.
Any follow up investigation or analysis falls under the purview of the NERC Events Analysis
Program under the NERC Rules of Procedure. This process is being revised by the EAWG.
Discussions with FERC staff indicate that the current efforts of the DSR SDT and the EAWG
are sufficient to address the intent of the directive.
After the drafting team completed its consideration of stakeholder comments, the standards
and implementation plan were submitted for quality review. Based on feedback from the
quality review, the drafting team has made two significant revisions to the standard. The
first revision is to add a requirement for implementation of the Operating Plan listed in
Requirement R1. There was only a requirement to report events, but no requirement
specifically calling for updates to the Operating Plan or the annual review. This was
accomplished by having two requirements. The first is Requirement R2 which specifies that
an entity must implement the Operating Plan per Requirement R1, Parts 1.1, 1.2, 1.4 and
1.5:
R2. Each Responsible Entity shall implement the parts of its Operating Plan that
meet Requirement R1, Parts 1.1 and 1.2 for an actual event and Parts 1.4 and 1.5 as
specified.
The second Requirement is R3 which addresses Part 1.3:
R3. Each Responsible Entity shall report events in accordance with its Operating Plan
developed to address the events listed in Attachment 1.
The second revision based on the quality review pertains to Requirement R4. The quality
review suggested revising the requirement to more closely match the language in the
Rationale box that the drafting team developed. This would provide better guidance for
responsible entities as well as provide more clear direction to auditors. The revised
requirement is:
R4. Each Responsible Entity shall verify (through actual implementation for an
event, or through a drill or exercise) the communication process in its Operating
Plan, created pursuant to Requirement 1, Part 1.3, at least annually (once per
calendar year), with no more than 15 calendar months between verification or actual
implementation.
Consideration of Comments on Disturbance & Sabotage Reporting – 2009-01
Index to Questions, Comments, and Responses
1. Do you agree with the revised Purpose Statement of EOP-004-2, Impact Event Reporting? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
2. Do you agree with the proposed definition of Impact Event? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
3. Do you agree that the DSR SDT has provided an equally efficient and effective solution to the FERC Order 693 directive to “further define sabotage”? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
4. Do you agree with the proposed applicability of EOP-004-2 shown in Section 4 and Attachment 1 of the standard? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
5. Stakeholders suggested removing original Requirements 1, 7 and 8 from the standard and addressing the reliability concepts in the NERC Rules of Procedure. Do you agree with the removal of original requirements 1, 7 and 8 (which were assigned to the ERO) and the proposed language for the Rules of Procedure (Paragraph 812)? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
6. Do you agree with the proposed revisions to Requirement 2 (now R1) including the use of defined terms Operating Plan, Operating Process and Operating Procedure? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
7. Do you agree with the proposed revisions to Requirement 3 (now R2)? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
8. Do you agree with the proposed revisions to Requirement 4 (now R3)? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
9. Do you agree with the proposed revisions to Requirement 5 (now R4)? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
10. Do you agree with the proposed revisions to Requirement 6 (now R5) and the use of either Attachment 2 or the DOE-OE-417 form for reporting? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
11. Do you agree with the proposed revisions to Attachment 1? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
12. Do you agree with the proposed measures for Requirements 1-5? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
13. Do you agree with the proposed Violation Risk Factors for Requirements 1-5? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
14. Do you agree with the proposed Violation Severity Levels for Requirements 1-5? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
15. Do you agree with the proposed Time Horizons for Requirements 1-5? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
16. Do you agree with the proposed Implementation Plan for EOP-004-2? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
17. If you have any other comments you have not already provided in response to the questions above, please provide them here.
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Group/Individual
Commenter
Organization
Registered Ballot Body Segment
1
1.
Group
David Revill
Additional Member
Additional Organization
Georgia Transmission Corporation &
Oglethorpe Power Corporation
Georgia Transmission Corporation SERC
1
2. Greg Davis
Georgia Transmission Corporation SERC
1
3. Jason Snodgrass
Georgia Transmission Corporation SERC
1
4. Scott McGough
Oglethorpe Power Corporation
5
Group
Additional Member
Guy Zito
3
X
4
X
5
6
7
8
9
10
X
Region Segment Selection
1. John Miller
2.
2
SERC
Northeast Power Coordinating Council
Additional Organization
X
Region Segment Selection
1. Alan Adamson
New York State Reliability Council, LLC
NPCC
10
2. Gregory Campoli
New York Independent System Operator
NPCC
2
3. Kurtis Chong
Independent Electricity System Operator
NPCC
2
4. Sylvain Clermont
Hydro-Quebec TransEnergie
NPCC
1
5. Chris de Graffenried Consolidated Edison Co. of New York, Inc. NPCC
1
6. Gerry Dunbar
Northeast Power Coordinating Council
NPCC
10
7. Si Truc Phan
Hydro-Quebec TransEnergie
NPCC
1
8. Mike Garton
Dominion Resources Services, Inc.
NPCC
5
9. Brian L. Gooder
Ontario Power Generation Incorporated
NPCC
5
10. Kathleen Goodman
ISO - New England
NPCC
2
11. David Kiguel
Hydro One Networks Inc.
NPCC
1
12. Michael R. Lombardi Northeast Utilities
NPCC
1
13. Randy MacDonald
New Brunswick Power Transmission
NPCC
1
14. Bruce Metruck
New York Power Authority
NPCC
6
15. Chantel Haswell
FPL Group, Inc.
NPCC
5
16. Lee Pedowicz
Northeast Power Coordinating Council
NPCC
10
17. Robert Pellegrini
The United Illuminating Company
NPCC
1
18. Saurabh Saksena
National Grid
NPCC
1
19. Michael Schiavone
National Grid
NPCC
1
20. Wayne Sipperly
New York Power Authority
NPCC
5
21. Donald Weaver
New Brunswick System Operator
NPCC
1
22. Ben Wu
Orange and Rockland Utilities
NPCC
1
23. Peter Yost
Consolidated Edison Co. of New York, Inc. NPCC
3
3.
Group
Denise Koehn
Additional Member
1. Jim Burns
4.
Bonneville Power Administration
Additional Organization
2
3
X
4
X
5
6
X
X
X
X
7
8
9
10
Region Segment Selection
BPA, Transmission, Technical Operations WECC 1
Group
Additional Member
Carol Gerou
Midwest Reliability Organization
Additional Organization
X
X
Region Segment Selection
1. Mahmood Safi
Omaha Public Utility District
MRO
1, 3, 5, 6
2. Chuck Lawrence
American Transmission Company
MRO
1
3. Tom Webb
Wisconsin Public Service Corporation MRO
3, 4, 5, 6
4. Jodi Jenson
Western Area Power Administration
MRO
1, 6
5. Ken Goldsmith
Alliant Energy
MRO
4
6. Alice Ireland
Xcel Energy
MRO
1, 3, 5, 6
7. Dave Rudolph
Basin Electric Power Cooperative
MRO
1, 3, 5, 6
8. Eric Ruskamp
Lincoln Electric System
MRO
1, 3, 5, 6
9. Joseph Knight
Great River Energy
MRO
1, 3, 5, 6
10. Joe DePoorter
Madison Gas & Electric
MRO
3, 4, 5, 6
11. Scott Nickels
Rochester Public Utilities
MRO
4
12. Terry Harbour
MidAmerican Energy Company
MRO
1, 3, 5, 6
13. Richard Burt
Minnkota Power Cooperative, Inc.
MRO
1, 3, 5, 6
5.
Group
Steve Rueckert
2
3
Western Electricity Coordinating Council
4
5
6
7
8
9
10
X
Additional Member Additional Organization Region Segment Selection
1. Don Pape
WECC
WECC 10
2. Phil O'Donnell
WECC
WECC 10
6.
Group
Annette Bannon
PPL Supply
Additional Member Additional Organization
1.
7.
Mark Heimbach
Group
Additional Member
Region
X
X
5, 6
Pacific Northwest Small Public Power Utility
Comment Group
Additional Organization
X
Segment
Selection
PPL Martins Creek, LLC RFC
Steve Alexanderson
X
X
X
Region Segment Selection
1. Dave Proebstel
Clallam County PUD No.1
WECC 3
2. Russell A. Noble
Cowlitz County PUD No. 1
WECC 3, 4, 5
3. Ronald Sporseen
Blachly-Lane Electric Cooperative
WECC 3
4. Ronald Sporseen
Central Electric Cooperative
WECC 3
5. Ronald Sporseen
Clearwater Power Company
WECC 3
6. Ronald Sporseen
Douglas Electric Cooperative
WECC 3
7. Ronald Sporseen
Fall River Rural Electric Cooperative
WECC 3
8. Ronald Sporseen
Northern Lights
WECC 3
9. Ronald Sporseen
Lane Electric Cooperative
WECC 3
10. Ronald Sporseen
Lincoln Electric Cooperative
WECC 3
11. Ronald Sporseen
Raft River Rural Electric Cooperative
WECC 3
12. Ronald Sporseen
Lost River Electric Cooperative
WECC 3
13. Ronald Sporseen
Salmon River Electric Cooperative
WECC 3
14. Ronald Sporseen
Umatilla Electric Cooperative
WECC 3
15. Ronald Sporseen
Coos-Curry Electric Cooperative
WECC 3
16. Ronald Sporseen
West Oregon Electric Cooperative
WECC 3
17. Ronald Sporseen
Pacific Northwest Generating Cooperative WECC 3, 4, 8
18. Ronald Sporseen
Power Resources Cooperative
WECC 5
19. Ronald Sporseen
Consumers Power
WECC 1, 3
20. Steven J. Grega
Public Utility District #1 of Lewis County
Group
8.
Patricia Hervochon
2
3
4
5
6
7
8
9
10
WECC 5
PSEG Companies
X
X
Additional Member Additional Organization Region Segment Selection
1. Jeffrey Mueller
PSE&G
3
2. Kenneth Brown
PSE&G
1
3. Peter Dolan
PSEG ER&T
6
4. Eric Schmidt
PSEG ER&T
6
5. Clint Bogan
PSEG Fossil
5
6. Dominic Grasso
PSEG Fossil
5
7. Kenneth Petroff
PSEG Nuclear
5
8. Patricia Hervochon PSEG NERC Compliance
Group
9.
NA
Louis Slade
Dominion
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Lou Roeder
Electric Transmission
SERC
1, 3
2. Mike Garton
Electric Market Policy
NPCC
5, 6
3. Connie Lowe
Electric Market Policy
RFC
5, 6
4. Jack Kerr
Electric Transmission
SERC
3, 1
5. Len Sandberg
Electric Transmission
SERC
10.
Group
David Thorne
3, 1
Pepco Holdings Inc and Affiliates
X
Additional Member Additional Organization Region
1.
Mark Godfrey
11.
Group
RFC
SPP Standards Review Group
Additional Organization
SPP
1, 4
2. George Allan
Sunflower Electric Power Corporation
SPP
1
3. Michelle Corley
CLECO
SPP
1, 3, 5, 6
4. Robert Cox
Lea County Electric Cooperative
SPP
1, 3
5. Kevin Emery
Carthage Water and Electric
SPP
3
6. Denney Fales
Kansas City Power & Light
SPP
1, 3, 5, 6
7. Louis Guidry
CLECO
SPP
1, 3, 5, 6
8. Jonathan Hayes
SPP
SPP
2
9. Philip Huff
Arkansas Electric Cooperative Corporation
SPP
3, 4, 5, 6
10. Gregory McAuley
Oklahoma Gas & Electric
SPP
1, 3, 5
11. Terri Pyle
Oklahoma Municipal Power Authority
SPP
4
12. Sean Simpson
Board of Public Utilities, City of McPherson, KS SPP
1, 3, 5
13. Tay Sing
Oklahoma Municipal Power Authority
SPP
4
14. Chad Wasinger
Sunflower Electric Power Corporation
SPP
1
15. Mark Wurm
Board of Public Utilities, City of McPherson, KS SPP
1, 3, 5
16. Ron Gunderson
Nebraska Public Power District
MRO
1, 3, 5
17. Bruce Schutte
Nebraska Public Power District
MRO
1, 3, 5
18. Jeff Elting
Nebraska Public Power District
MRO
1, 3, 5
Additional Member
Marie Knox
Additional Organization
5
6
7
8
9
10
X
X
X
X
Region Segment Selection
City Utilities of Springfield, MO
Group
4
1, 3
1. John Allen
12.
3
Segment
Selection
Robert Rhodes
Additional Member
2
Midwest ISO Standards Collaborators
X
Region Segment Selection
1. Bob Thomas
Illinois Municipal Electric Agency RFC
4
2. Jim Cyrulewski
JDRJC Associates, LLC
RFC
8
3. Terry Harbour
MidAmerican
MRO
1
4. Joe O'Brien
NIPSCO
RFC
6
5. Robert Thomasson Big Rivers Electric Corp.
13.
Group
SERC
Sam Ciccone
2
3
4
5
6
7
8
9
10
1, 3
FirstEnergy
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Doug Hohlbaugh
FE
RFC
1, 3, 4, 5, 6
2. Bill Duge
FE
RFC
5
3. John Reed
FE
RFC
1
4. Jim Eckels
FE
RFC
1
5. Kevin Querry
FE
RFC
5
6. Ken Dresner
FE
RFC
5
14.
Group
Gerald Beckerle
SERC OC Standards Review Group
X
Additional Member Additional Organization Region Segment Selection
1. David Trego
Fayetteville PWC
SERC
1, 3, 4, 9
2. Melinda Montgomery Entergy
SERC
1, 3
3. Andy Burch
EEI
SERC
1, 5
4. Eugene Warnecke
Ameren
SERC
1, 3
5. Chuck Feagans
TVA
SERC
1, 3, 5, 9
6. Larry Rodriquez
Entegra Power
SERC
5, 6
7. Gary Hutson
SMEPA
SERC
1, 3, 5, 9
8. Jennifer Weber
TVA
SERC
1, 3, 5, 9
9. Doug White
NCEMC
SERC
1, 3, 5, 9
10. Shaun Anders
CWLP
SERC
1, 3, 5, 9
11. Jake Miller
Dynegy
SERC
5, 6
12. Reggie Wallace
Fayette PWC
SERC
1, 3, 4, 9
13. Dan Roethemeyer
Dynegy
SERC
5, 6
14. Alvis Lanton
SIPC
SERC
1, 3, 5, 9
15. Marc Butts
Southern
SERC
1, 3, 5
16. Robert Thomasson
BREC
SERC
1, 3, 5, 9
SERC
2
17. Srinivas Kappagantula PJM
18. Barry Hardy
OMU
SERC
1, 3, 5, 9
19. Rene' Free
Santee Cooper
SERC
1, 3, 5, 9
20. Greg Matejka
CWLP
SERC
1, 3, 5, 9
SERC Reliability Corp.
SERC
10
21. John Troha
15. | Individual | Srinivas Kappagantula | PJM Interconnection LLC
16. | Individual | Cindy Martin | Southern Company
17. | Individual | Cynthia Oder | SRP
18. | Individual | Howard Rulf | We Energies
19. | Individual | Brent Ingebrigtson | LG&E and KU Energy LLC
20. | Individual | Silvia Parada Mitchell | Compliance & Responsibility Organization
21. | Individual | John Bee | Exelon
22. | Individual | Jennifer Wright | SDG&E
23. | Individual | Alan Gale | City of Tallahassee (TAL)
24. | Individual | Mace Hunter | Lakeland Electric
25. | Individual | Nathaniel Larson | New Harquahala Generating Co.
26. | Individual | Brian Pillittere | Tenaska
27. | Individual | Michael Johnson | APX Power Markets
28. | Individual | Jonathan Appelbaum | United Illuminating Co
29. | Individual | Kevin Koloini | American Municipal Power
30. | Individual | Daniel Duff | Liberty Electric Power LLC
31. | Individual | Philip Huff | Arkansas Electric Cooperative Corporation
32. | Individual | Joe Petaski | Manitoba Hydro
33. | Individual | Mike Albosta | Sweeny Cogeneration LP
34. | Individual | Thad Ness | American Electric Power
35. | Individual | Andres Lopez | USACE
36. | Individual | Nathaniel Larson | New Harquahala Generating Co.
37. | Individual | Eric Salsbury | Consumers Energy
38. | Individual | Michael Falvo | Independent Electricity System Operator
39. | Individual | Kirit Shah | Ameren
40. | Individual | Kathleen Goodman | ISO New England, Inc
41. | Individual | Deborah Schaneman | Platte River Power Authority
42. | Individual | Phil Porter | Calpine Corp
43. | Individual | Bill Keagle | BGE
44. | Individual | Kenneth A Goldsmith | Alliant Energy
45. | Individual | John Brockhan | CenterPoint Energy
46. | Individual | Martin Kaufman | ExxonMobil Research and Engineering
47. | Individual | Brenda Truhe | PPL Electric Utilities
48. | Individual | Tim Soles | Occidental Power Marketing
49. | Individual | Eric Ruskamp | Lincoln Electric System
50. | Individual | Linda Jacobson | Farmington Electric Utility System
51. | Individual | Andrew Z Pusztai | American Transmission Company
52. | Individual | Michelle D'Antuono | Ingleside Cogeneration LP
53. | Individual | Greg Rowland | Duke Energy
54. | Individual | Amir Hammad | Constellation Power Generation
55. | Individual | Scott Barfield-McGinnis | Georgia System Operations Corporation
56. | Individual | Max Emrick | City of Tacoma, Department of Public Utilities, Light Division, dba Tacoma Power
57. | Individual | Rex Roehl | Indeck Energy Services
58. | Individual | Patricia Robertson | BC Hydro
59. | Individual | Tony Kroskey | Brazos Electric Power Cooperative
60. | Individual | Jim Eckelkamp | Progress Energy
1. Do you agree with the revised Purpose Statement of EOP-004-2, Impact Event Reporting? If not, please explain
why not and if possible, provide an alternative that would be acceptable to you.
Summary Consideration: The majority of stakeholders agree with the purpose statement. Some commenters had concerns
with the use of the words "if known” and “industry awareness" and statements on requiring information from an analysis in the
report which may not be known at the time of the report. Comments on this being an “after the fact” report and not real-time
reporting have been addressed by a significant revision to the change in reporting times reflected in Attachment 1.
A number of commenters offered suggestions on the use of terms "situational awareness" versus "industry awareness.” The
DSR SDT used “industry awareness” to address concerns about real-time reporting (which this standard does not cover) and to
avoid confusion with the NERC Situational Awareness organization.
The purpose statement was slightly revised to remove the defined term “Impact Event” and replace with the phrase “events
with the potential to impact reliability”. No other revisions were made.
“To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of events with
the potential to impact reliability and their causes, if known, by the Responsible Entities.”
Organization
Yes or No
Question 1 Comment
Exelon
No
Although Exelon agrees that the proposed revision to the purpose statement of EOP-004-2 is better than the
original draft; the DSR SDT should consider aligning the definition with the existing OE-417 terms. "Impact
Events" are not clearly defined as reportable criteria in the DOE forms and may create confusion. Suggest
rewording the purpose statement to simply "Incident Reporting" to align with existing terminology in OE-417
and removing the addition of a new term.
A Purpose Statement is defined as “The reliability outcome achieved through compliance with the
requirements of the standard.” Propose that the purpose should be, “To require a review, assessment and
report of events that could have an adverse material impact on the Bulk Electric System.”
Response: The DSR DT thanks you for your comment.
Form OE-417 report is a DOE report that is not specifically related to BES reliability and is not
applicable outside of the United States. The standard only requires reporting of events. Analysis occurs through the NERC Events Analysis Program.
SDG&E
No
SDG&E does not agree with the revised Purpose Statement because it does not reflect the standard’s
purpose of identifying reporting requirements for impact events. SDG&E recommends the following revised
Purpose Statement:
“To identify the reporting requirements for events considered to have an impact on the reliability of the Bulk
Electric System and to allow an awareness of these Impact Events to be understood by the industry in
recognizing potential enhancements that may be made to the reliability of the BES.”
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the existing purpose statement addresses most of your suggested
rewording. The last phrase “recognizing potential enhancements that may be made to the reliability of the BES” is not in the scope of the standard or this
project.
Dominion
No
It is not evident how Impact Event reporting will “improve industry awareness“ as suggested in the Purpose
Statement. The transfer of Requirement R8 (ERO quarterly report) to the Rules of Procedure (paragraph
812) invalidates that claim within the context of this standard. Suggest removing this phrase from the Purpose
Statement.
Response: The DSR DT thanks you for your comment. The ERO will issue reports for industry awareness purposes under the Rules of Procedure. If entities
do not report events to the ERO, then these reports will not be issued.
SPP Standards Review Group
No
We would suggest changing the purpose to read “To improve industry awareness and effectiveness in
addressing risk to the BES by requiring the reporting of Impact Events and their causes, if known, by the
Responsible Entities.”
Response: The DSR DT thanks you for your comment. The DSR SDT contends that the phrase “addressing risk to the BES” applies to the analysis of events
which is not covered under the standard.
United Illuminating Co
No
UI agrees with the idea but believes the statement can be improved to remove ambiguities. For example:
“if known” can be modifying the word causes, or the word Impact events. To improve industry awareness and
the reliability of the Bulk Electric System by requiring the reporting of identified Impact Events and if known
their causes, if known, by the Responsible Entities.
Response: The DSR SDT thanks you for your comment. The words “if known” are intended to modify the word ‘causes.’ The DSR SDT has revised the existing
wording (from the clean version of the standard) to:
To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of events with the potential to impact reliability
and their causes, if known, by the Responsible Entities.
Arkansas Electric Cooperative
Corporation
No
The purpose statement reads "To improve industry awareness of the BES.” We suggest the purpose should
state "To improve industry awareness and effectiveness in addressing risks to the BES.” We feel the
remaining purpose statement is unnecessary.
Response: The DSR SDT thanks you for your comment. The DSR SDT contends that the phrase “addressing risk to the BES” applies to the analysis of events
which is not covered under the standard.
Manitoba Hydro
No
Situational Awareness was replaced by the generic “Industry awareness.” Justification for this was that
Situational Awareness was a byproduct of a successful event reporting system and not a driver.
Using Industry awareness clouds the clarity of the purpose. If personnel are properly trained and conscious of
their responsibilities, then they are in fact situationally aware, and will therefore drive the reporting process on
the detection of an Impact Event. Industry awareness falsely labels this Standard as unique to the electrical
industry when clearly many outside and international agencies will be notified and involved. Situational
Awareness seems much more appropriate and encompassing. Other than that the Purpose is a large
improvement from the original.
Response: The DSR SDT thanks you for your comment. The DSR SDT changed “situational awareness” to “industry awareness” to address concerns about real-time reporting (which this standard does not cover) and to avoid confusion with the NERC Situational Awareness organization.
Ameren
No
The original Purpose wording was clear, concise and understandable.
Response: The DSR SDT thanks you for your comment. The original purpose statement was in the form of a requirement and not a purpose statement.
ISO New England, Inc
No
The purpose states To improve industry awareness and the reliability of the Bulk Electric System by
requiring the reporting of Impact Events and their causes, if known, by the Responsible Entities. Awareness
by who in the industry?
Response: The DSR SDT thanks you for your comment. The requirements of this standard require that events be reported after-the-fact. The NERC Events
Analysis Program will take certain events reported under this standard and analyze them to provide information to the entire body of users, owners and operators
of the BES.
Calpine Corp
No
The purpose has moved significantly from the originally approved SAR. The purpose should focus on
reporting requirements for reporting electrical disturbances to the Bulk Electric System that exceed specific
thresholds. Sabotage/vandalism/theft are a subset of the reportable events that could have or do cause a
Bulk Electric System Electrical Disturbance. The Standards content should focus on setting requirements to
report specific types of electrical disturbance events and providing guidance for performing that reporting.
Alternative language: Purpose: To establish reporting requirements for events that either cause, or have the
potential to cause, significant disturbances on the Bulk Electric System.
Response: The DSR SDT thanks you for your comment. The purpose covers the EOP-004 and CIP-001 standards which include disturbance and sabotage. The
use of the word ‘events’ and the definition of the specific events to be reported (see Attachment 1) is a result of combining these two standards as well as the
drafting team’s efforts to address FERC Order 693 Directives. The proposed purpose statement does not adequately address these items.
BGE
No
BGE believes that using the term Impact Events as currently defined is too vague. An alternative statement
would be requiring the reporting of events listed in Attachment 1 and their causes, if known and making the
definition change as noted in question 2.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated the defined term “Impact Events” and uses the generic term “events” in
the purpose statement.
To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of events with the potential to impact reliability
and their causes, if known, by the Responsible Entities.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
"To improve industry awareness and the reliability of the Bulk Electric System by requiring the reporting of
Impact Events and their causes, if known by the Responsible Entities.” The revised purpose statement
includes the phrase, if known. This seems like a huge loophole. They should change it to when discovered
or when notified.
Response: The DSR SDT thanks you for your comment. The intent of “if known” was to make sure that events were reported regardless of whether the cause
was known. It is important for entities to report events and to return the BES to a reliable operating state. Investigation of causes can occur at a later time.
Indeck Energy Services
No
The reporting of events does not improve the reliability of the BES. If someone takes action based on the
reporting, there might be an improvement. Because many of these events are not preventable, such as
sabotage or weather, reporting them won't improve reliability. The original Purpose was satisfactory.
Response: The DSR SDT thanks you for your comment. The requirements of this standard require that events be reported after-the-fact. The NERC Events
Analysis Program will take certain events reported under this standard and analyze them to provide information that will lead to improvements in BES reliability.
Brazos Electric Power
Cooperative
No
Instead of Impact Event could simply call it Event Information Reporting.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
Yes
We find it unnecessary to state that the purpose of a Reliability Standard is to "improve the reliability of the
Bulk Electric System."
Response: The DSR DT thanks you for your comment. The DSR SDT disagrees. This is an integral part of the purpose of reporting events.
Midwest Reliability Organization
Yes
The addition of “industry awareness” adds to the scope of this Standard. Whereby an entity is required to
inform the RC and others of actual and potential Impact Events.
Response: The DSR DT thanks you for your comment. The DSR SDT has streamlined Attachment 1 to ensure that the proper reporting is accomplished.
American Municipal Power
Yes
The purpose is acceptable. I think it could be improved and simplified. There were not any questions on the
title. Consider changing the title to Reportable Events. There were not any questions on the category. I
suggest changing the category from Emergency Operations to Communications. Reporting events can trigger
and be more than just Emergency Operations. I feel the reporting function performed by entities should be
under the Communications category. Title: Reportable Events Purpose: To improve reliability by
communicating timely information about an event or events.
Response: The DSR SDT thanks you for your comment. The DSR SDT revised the existing title of the standard to conform to the intended purpose of reporting
events. The team discussed making this a COM standard during the initial DT discussions but decided to retain the existing EOP-004 standard category and
number. This is not a real-time reporting standard but requires after the fact reporting.
Ingleside Cogeneration LP
Yes
The addition of the modifier if known to reporting the cause of an Impact Event is appropriate. It often proves
counter-productive to speculate as initial conjectures of the cause of an event are easy to come up with, but
difficult to back out of later.
Response: The DSR SDT thanks you for your comment.
Duke Energy
Yes
However, as we have noted previously, the DSR SDT statement that the proposed changes do not include
any real-time operating notifications is inconsistent with requiring notification within one hour for thirteen of the
twenty listed Events in Attachment 1 Impact Event Table. Also, in the Background discussion, under Law
Enforcement, the DSR SDT states that the objective of EOP-004-2 is to prevent outages which could lead to
Cascading by effectively reporting Impact Events. As we have previously commented, we are still required to
make real-time reports under other standards. Requiring duplicate real-time reporting under EOP-004-2 is a
waste of resources which could otherwise be used to improve reliability.
Response: The DSR SDT thanks you for your comment. We have made significant revisions to Attachment 1 and the reporting time requirements to address
the real-time reporting concern.
Constellation Power Generation
Yes
While CPG generally agrees with the purpose statement, we believe that the term Impact Events should be
removed. Please see CPG's response to Question 2 discussing the term Impact Events.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Please see responses to comments on question 2.
Georgia System Operations
Corporation
Yes
We agree with the purpose. However, we do not agree that the purpose will be achieved as this standard is
currently drafted or that the standard is ready for balloting.
Response: The DSR SDT thanks you for your comment. We have made significant revisions to the body of the standard and Attachment 1.
Northeast Power Coordinating
Council
Yes
Bonneville Power Administration
Yes
Western Electricity Coordinating
Council
Yes
PPL Supply
Yes
Pacific Northwest Small Public
Power Utility Comment Group
Yes
PSEG Companies
Yes
Pepco Holdings Inc and Affiliates
Yes
Midwest ISO Standards
Collaborators
Yes
FirstEnergy
Yes
SERC OC Standards Review
Group
Yes
PJM Interconnection LLC
Yes
Southern Company
Yes
SRP
Yes
We Energies
Yes
City of Tallahassee (TAL)
Yes
Lakeland Electric
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Liberty Electric Power LLC
Yes
Sweeny Cogeneration LP
Yes
American Electric Power
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System
Operator
Yes
Platte River Power Authority
Yes
Alliant Energy
Yes
CenterPoint Energy
Yes
ExxonMobil Research and
Engineering
Yes
PPL Electric Utilities
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
American Transmission
Company
Yes
BC Hydro
Yes
2. Do you agree with the proposed definition of Impact Event? If not, please explain why not and if possible,
provide an alternative that would be acceptable to you.
Summary Consideration: The majority of the commenters do not agree with the definition and thought the definition was
overly broad, too subjective and confusing. Many commenters questioned whether there was a need for a definition of Impact
Event at all. The DSR SDT discussed the comments and suggestions and decided to incorporate commenters’ suggestion to
delete the definition and rely on the Attachment 1 to stand on its own.
The DSR SDT has deleted the Impact Event definition.
Organization
Yes or No
Question 2 Comment
Georgia Transmission Corporation & Oglethorpe Power Corporation
No
We do not think that Impact Event should be defined using a recursive definition, i.e. that the word "impact"
should be used in the definition of the term "Impact Event." Instead, we suggest using an enumerative
definition in that the tables included in Attachment 1 are themselves used to define "Impact Event." If this
definition is not acceptable, we suggest replacing the word "impact" in the definition with the word reduce,
reduced, or potential to reduce the reliability of the BES.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events for the given thresholds listed in Attachment 1.
Northeast Power Coordinating
Council
No
Is there a need for this definition? By itself the term is not specific on the types of events that are regarded as
having an impact. The detailed listing of events that fall into a reportable event category, hence the basis for
the Impact Event, is provided in Attachment A. The events that are to be reported can be called anything.
Defining the term Impact Event does not serve the purpose of replacing the details in Attachment A, and such
a term is not used anywhere else in the NERC Reliability Standards. For a complete definition of Impact
Event, all the elements in Attachment A must be a part of it.
Suggest consider not defining the term Impact Event, but rather use words to stipulate the need to have a
plan, to implement the plan and to report to the appropriate entities those events listed in Attachment A.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events for the given thresholds listed in Attachment 1.
Bonneville Power Administration
Yes
Agree, but note that this will add many more situations to reporting and it will require more staff time to
accomplish this.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events for the given thresholds listed in Attachment 1.
Midwest Reliability Organization
No
The proposed definition is not supported by any of the established bright line criteria that are contained
within attachment 1. This Results Based Standard should close any loop-holes that could be read into any
section, especially the definition. According to rules of writing a definition, a definition should not contain part
of the word that is being defined. Recommend the definition be enhanced to read: Impact Event: Any
Contingency which has either effected or has the potential to effect the Stability of the BES as outlined per
attachment 1. Within this enhanced recommendation, presently defined NERC terms are used (Contingency
and Stability), thus supporting what is currently used within our industry. There is also a quantifiable aspect of
"as outlined per attachment 1" that clearly defines Impact Events.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the definition is embodied in Attachment 1 criteria and needs no further
clarification. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Western Electricity Coordinating
Council
No
We question the need for a defined term. It appears that an Impact Event is any event identified in Attachment
1. The use of the defined term combined with the language of Requirement 2 to implement the Impact Event
Operating Plan for Impact Events listed in Attachment 1 may be confusing. Is an Impact Event any event
described by the proposed definition or is an Impact Event any event listed in Attachment 1?
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees the definition could be confusing. We have deleted the proposed defined term
“Impact Events” and will use the generic term “event.” Reporting is only required for those events for the given thresholds listed in Attachment 1.
Dominion
Yes
Dominion agrees with the proposed definition of Impact Events, but notes the use of the phrase "has the
potential to impact" is somewhat subjective. The concern being a Responsible Entity makes a judgment on an
event's potential impact that is viewed differently after-the-fact by an auditor.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events for the given thresholds listed in Attachment 1.
Pepco Holdings Inc and Affiliates
No
The two sentence definition will not be adequate to serve well over the course of time. People will have to
read and understand the standard without benefit of the detailed information, explanations and interpretations
available during the standards development process. Without additional explanation as provided in the
background and the guideline and technical basis sections, to support the definition, the standard will be
subject to confusion and interpretations. Consider adding a lot of the information and explanation that is in
those sections to the standard. Any event could be an impact event. However, only a subset is reportable.
What is really being addressed are reportable events. More specifically after the fact reporting of unplanned
events.
Response: Thank you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting is only
required for those events for the given thresholds listed in Attachment 1.
Midwest ISO Standards
Collaborators
No
The definition of Impact Event is overly broad because of the use of "potential to impact" and the "Such as" list.
Consider routine switching has the potential to result in a mis-operation. This means all routine switching is
an impact event. The "Such as" list should be struck and "potential" language should be struck.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
FirstEnergy
No
Although we agree with the definition of Impact Event, we believe that it should be clear that this term is
specific to the events listed in Attachment 1 of the standard. Therefore, we suggest adding the phrase (as
detailed in Attachment 1 of EOP-004-2) in the definition.
Response: Thank you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting is only
required for those events and for the given thresholds listed in Attachment 1.
SERC OC Standards Review
Group
No
We believe the definition is too broad even considering Attachment 1, footnote 1, which, for example, uses the
term "significantly" and other ambiguous terms. Consideration should be given to limiting the definition to
unplanned events.
Response: Thank you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
PJM Interconnection LLC
No
The term "Impact Event" has been too broadly defined. According to the current definition, any event
(including routine operations) can have the potential to impact the reliability of the Bulk Electric System and
hence can be an Impact Event. The definition should only include unplanned events. Attachment 1 lists the
events that are reportable. It seems that the definition of Impact Event refers to the events in Attachment 1 as
opposed to defining Impact Event. As such, it is best that the SDT not define Impact Event but use words to
the effect that requires an entity to have a plan and implement it for reporting unplanned events outlined in
Attachment 1. If Impact Event were to be defined, we suggest the following definition would be a better
option: "An Impact Event is any unplanned event listed in Attachment I that has either adversely impacted or
has the potential to adversely impact the reliability of the Bulk Electric System."
Response: Thank you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
SRP
No
Suggest that definition include reference to the fact that this is a non-desired occurrence, as the word 'impact'
has neither a positive nor negative implication. This is not a well formed definition as it contains circular
references to 'impacted' and 'event' within the definition.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
We Energies
No
From an on-line dictionary, an event is something that happens. Combined with the phrase "has the potential
to impact" and the definition of Impact Event would include every routine operation performed by any entity.
Taking a generator on or off line, switching a transmission line in or out, traffic driving past a substation, all
have the potential to impact the BES. The Impact Event definition is overly broad and needs to be
significantly narrowed.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Compliance & Responsibility
Organization
No
NextEra Energy Inc. (NextEra) appreciates the drafting team providing valuable ideas and a framework on
how to improve and consolidate CIP-001 and EOP-004. However, NextEra also believes that the currently
drafted EOP-004-2 needs to be revised and enhanced to more clearly explain the Responsible Entities’
duties, the definition of sabotage and address FERC directives and concerns.
For example, NextEra is not in favor of using the term “Impact Event” which seems to add considerable
confusion of what is or is not sabotage. In Order No. 693, FERC stated its interest in NERC revising CIP-001
to better define sabotage and requiring notification to the certain appropriate federal authorities, such as the
Department of Homeland Security. FERC Order 693 at PP 461, 462, 467, 468, 471.
NextEra has provided an approach that accomplishes FERC’s objectives and remains within the framework of
the drafting team, but also focuses the process of determining and reporting only those sabotage acts that
could impact other BES systems. Today, there are too many events that are being reported as sabotage to all
parties in the Interconnection, when in reality these acts have no material effect or potential impact to other
BES systems other than the one that experienced it.
For example, while the drafting team notes the issue of copper theft is a localized act, there are other
localized acts of sabotage that are committed by an individual, and these acts pose little, if any, impact or
threat to other BES systems other than the one experiencing the sabotage event. Reporting sabotage that
has no need to be sent to everyone does not necessarily add to the security or reliability of the BES. Related,
there is a need to clarify some of the current industry confusion on who should (and has the capabilities to) be
reporting to a broader audience of entities.
Hence, NextEra's approach provides a clear definition of sabotage, as well as the process for determining and
reporting sabotage. NextEra further believes that some of the requirements can be consolidated and more
clearly stated, and NextEra has attempted to do that in the approach presented below.
Lastly, NextEra comments on Attachment 1 are submitted in response to question 17.
NextEra Approach
Delete definition of Impact Event and its use in the requirements and in Attachment 1.
Delete 13, 14, 15 and 19 in Attachment 1.
Delete and replace R1 through R5 with the following:
New Definition
Attempted or Actual Sabotage: an intentional act that attempts to or does destroy or damage BES equipment or a Critical Cyber
Asset for the purpose of disrupting the operations of BES equipment, Critical Cyber Asset or the BES, and
has a potential to materially threaten or impact the reliability of one or more BES systems (i.e., is one act in a
larger conspiracy to threaten the reliability of the Interconnection or other BES systems).
R1. Each Responsible Entity shall document and implement a procedure (either individually or jointly with
other Responsible Entities) to accomplish the reporting requirements, including the time frames, assigned to
the Responsible Entity as set forth in Attachment 1 items 1 through 12, 16, 17 and 18 for reporting from the
Responsible Entity to its Regional Entity and NERC, using the form in Attachment 2 or the DOE OE-417
reporting form.
R2. Each Responsible Entity shall document and implement a procedure (either individually or jointly with
other Responsible Entities) to report to its internal personnel with a need to know and its Reliability
Coordinator an act of Attempted or Actual Sabotage, using the form in Attachment 2 or the DOE OE-417
reporting form, within one hour after a determination has been made that an act of Attempted or Actual
Sabotage has occurred. To make a determination that an act of Attempted or Actual Sabotage has occurred,
the Responsible Entity shall document and implement a procedure that requires it, as soon as practicable
after discovering an act appearing to be Attempted or Actual Sabotage, to engage local law enforcement
or the Federal Bureau of Investigation or Royal Canadian Mounted Police, as deemed appropriate, to assist
the Registered Entity make such a determination. Upon receiving a report of Attempted or Actual Sabotage
from a Responsible Entity, the Reliability Coordinator shall within one hour forward the report to other
impacted Reliability Coordinators, Responsible Entities, Regional Entities, NERC, Department of Homeland
Security, and the Federal Bureau of Investigation or the Royal Canadian Mounted Police.
R3. Each Responsible Entity shall review (and conduct a test for sabotage only) of its documented procedure
required in R1 and R2 with no more than 15 calendar months between tests for sabotage reporting. If, based
on the review or test, the Responsible Entity determines there is a need to update its documented procedure,
it shall update the procedures within 90 calendar days of the review or test.
Response: Thank you for your comments and suggestions. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term
“event.” Other revisions were made to the standard based on comments received on specific requirements. The DSR SDT believes that these revisions clarify
the requirements and has provided additional details in response to comments from questions Q3, Q6, Q7, Q8, Q11, Q12, Q13, Q14 and Q17. Please see the
revised standard.
In regards to sabotage, the DSR SDT believes that the reporting of events supports the reliability of the BES. Sabotage usually is determined after the event is
investigated and sabotage may be one aspect of a single event. The intent is to report events (per Thresholds of Reporting in Attachment 1) that have an impact
on BES reliability.
The background section of the standard provides guidance with respect to reporting events to law enforcement. For clarity, the DSR SDT has
added the following sentence to the first paragraph under the heading “Law Enforcement Reporting”: “These are the types of events that
should be reported to law enforcement.” The entire paragraph is:
“The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages,
such as those due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to
law enforcement. Entities rely upon law enforcement agencies to respond to and investigate those events which have the potential to impact
a wider area of the BES. The inclusion of reporting to law enforcement enables and supports reliability principles such as protection of bulk
power systems from malicious physical or cyber attack. The Standard is intended to reduce the risk of Cascading events. The importance of
BES awareness of the threat around them is essential to the effective operation and planning to mitigate the potential risk to the BES.”
Exelon
No
The definition of impact events should be reworded to align with OE-417 and to explicitly reference that only
events identified in EOP-004 – Attachment 1 are to be reported. Suggest the following: "An incident that has
either impacted or has the potential to impact the reliability of the Bulk Electric System. Such events may be
caused by equipment failure or mis-operation, environmental conditions, or human action as defined in EOP-004
Attachment 1." Propose the definition be changed to include material impact and read as follows: Any
event which has either caused or has the potential to cause an adverse material impact to the reliability of the
Bulk Electric System. Such events may be caused by equipment failure or mis-operation, environmental
conditions, or human action.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events and for the given thresholds listed in Attachment 1.
City of Tallahassee (TAL)
No
While I agree with the overall concept, I am concerned with “or has the potential to impact.” While the
standard makes reference to Attachment 1 Parts A and B, the inclusion of the attachment is not in the
definition. This leaves ambiguity in the definition that could enable second guessing by auditors.
Proposed: “An impact event is any event that has either impacted or has the potential to impact (above the
thresholds described in EOP-004-2 Attachment 1) the reliability of the Bulk Electric System. Such events may
be caused by equipment failure or mis-operation, environmental conditions, or human action.”
Response: Thank you for your comments. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
American Electric Power
No
The definition is too broad and vague. The text in the comment form has the following sentence: "Only the
events identified in EOP-004 Attachment 1 are required to be reported under this Standard." The definition
should contain that caveat or something similar.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
USACE
No
1) You cannot use the terms impact and event to define impact event.
2) The phrase “has the potential to impact” makes the definition too vague. Every action taken to modify the
system or its components has the potential to impact the Bulk Electric System.
3) Recommend to change the definition to “Any occurrence which has adversely affected the reliability of the
Bulk Electric System. Such events may be caused by equipment failure or mis-operation, environmental
conditions, or human action.”
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Consumers Energy
No
The definition of Impact Event seems very vague and nebulous. This definition should be modified to be clear
and concise, such that entities clearly understand what is included within the definition.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Ameren
No
The documentation from the SDT included the reliability objective for EOP-004-2 which should be included in
the definition of Impact Event. Our suggested alternate definition for Impact Event:
"An Impact Event is any event that has either caused, or has the likely potential to cause, an outage which
could lead to Cascading. Such events will be identified as being caused by, to the best of the reporting entity's
information: (1) equipment failure or equipment mis-operation, (2) environmental conditions, and/or (3) human
actions."
This alternate wording includes the reliability objective and clarifies the three known, or likely, causes of the
Impact Event.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
ISO New England, Inc
No
We question the need for this definition since by itself the term is not specific on the types of events that are
regarded as having an impact. The detailed listing of events that fall into a reportable event category, hence
the basis for the Impact Event, is provided in Attachment A. For that matter, these events that are to be
reported can be called anything, or just simply be titled “Event to be Reported” without having to define them.
Defining the term Impact Event does not serve the purpose of replacing the details in Attachment A, and such
a term is not used anywhere else in the NERC reliability standards. In fact, for the term Impact Event to be
fully defined, all the elements in Attachment A must become a part of it.
We therefore suggest the SDT to consider not defining the term Impact Event, but rather use words to
stipulate the need to have a plan, to implement the plan and to report to the appropriate entities those events
listed in Attachment A. If the SDT still wishes to retain a definition despite our reservations noted above, we
strongly suggest an improvement. The proposed definition of Impact Event is overly broad because of the
use of “potential to impact” and the “Such as” list. Consider that routine switching has the potential to result in
a mis-operation. In that regard most routine switching could be interpreted as an impact event. The “Such as”
list should be struck and “potential” language should be struck.
An alternative definition to consider:
An Impact Event is any deliberate action designed to reduce BES reliability; unintended accident that could
result in an Adverse Reliability Impact; or an unusual natural event that causes or could cause an Adverse
Reliability Impact.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Calpine Corp
No
Adding a definition for Impact Event is unnecessary and does not provide useful clarification of the actual
reporting requirement for events that either impact the Bulk Electric System or have the potential to impact the
Bulk Electric System. The all-encompassing nature of the proposed definition seems to conflict with the finite
listing of events that actually require reporting. Although FERC specifically requested additional clarification of
the term sabotage to clarify reporting requirements, the Drafting Team is correct in noting that sabotage
implies intent and that the intent of human acts is not always easily determined. The fact that intent is not
always determinable within the reporting timeframe can be dealt with more simply by requiring (in attachment
1) that human intrusions that have not been identified within the reporting timeframe as theft or vandalism
should be reported as potential sabotage pending further clarification. This approach negates the need for an
additional definition that may cause confusion regarding which events are reportable and eliminates the
potential for under-reporting based on the assumption that the cause might be theft or vandalism.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
BGE
No
Change the definition of “Impact Event”, to add the following phrase to the definition “Any event (listed in
Attachment 1) which has either….” Also, the phrase “…or has the potential to impact the reliability…” is too
vague and broad. Such broad statement is unhelpful in clarifying entities’ compliance obligation and
potentially creates conflicted reporting between entities. A clear statement of how the reliability is affected
should be used, i.e., results in contingency emergency situation or IROL.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Alliant Energy
No
The proposed definition is not supported by any of the established bright line criteria that are contained within
attachment 1. This Results Based Standard should close any loop-holes that could be read into any section,
especially the definition. We recommend the definition be enhanced to read: Impact Event: Any Contingency
which has either effected or has the potential to effect the Stability of the BES as outlined per attachment 1.
Within this enhanced recommendation, presently defined NERC terms are used (Contingency and Stability),
thus supporting what is currently used within our industry. There is also a quantifiable aspect of "as outlined per
attachment 1" that clearly defines Impact Events.
If the above definition is not adopted, we believe it should be rephrased to narrow the scope to those events
that result from malicious intent or human negligence/error.
We are concerned that by using phrases like unintentional or intentional human action in combination with
damage or destruction basically means everything except copper theft becomes a reportable impact event
(including planned actions we must perform to comply with CIP-007 R7).
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
CenterPoint Energy
No
CenterPoint Energy suggests that the phrase “…or has the potential to impact…” be deleted as it makes the
definition vague and broad. Similar issues encountered in trying to define sabotage may resurface, such as
varying definitions or interpretations of “potential.” If this standard is to support after-the-fact reporting, the
focus should be on actual events, not potential situations or events. Effective and efficient prevention would
come from analysis of actual events. Resources and reporting could become overwhelmed upon having to
consider “potential.” All references to “potential” should be removed from the standard, guidance, and
attachments.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
ExxonMobil Research and
Engineering
No
The use of the word potential is ominous.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Occidental Power Marketing
No
The SDT includes in the definition the "potential to impact the reliability of the BES." This seems vague,
although Attachment 1 clarifies what actually has to be reported. An LSE may have limited or no knowledge
of "potential to impact." The SDT may want to refine the definition, e.g., "to the extent the entities' knowledge
could reasonably reveal the impact."
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Lincoln Electric System
No
As currently drafted, the proposed definition of Impact Event appears vague and provides entities minimal
clarity in terms of distinguishing events of significance. Recommend the drafting team reference Attachment 1:
Impact Events Tables within the definition to direct industry towards more specific criteria.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
American Transmission
Company
No
ATC does not agree with the proposed definition and further disagrees whether a definition is needed at all.
Proposed Definition: The definition, read outside of the proposed standard, does not provide Registered
Entities with a clear meaning of the purpose of the definition. It is ATC’s opinion that the SDT is using the
term Impact Event as an introduction phrase to Attachment 1. ATC would be more comfortable if the
definition was dropped and the team would re-write the requirement to specifically point to Attachment 1. It is
our opinion that this type of structure would achieve the goal of the team to get Registered Entities to report
on events identified in Attachment 1. The other option is for the team to write into the definition that the events
being discussed are limited to those identified in Attachment 1. Also the language currently being used in the
definition includes potential and such as. These terms should be struck from the definition.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Ingleside Cogeneration LP
No
The SDT includes in the definition the potential to impact the reliability of the BES. This seems vague,
although ultimately the events which meet the threshold of a reportable Impact Event are governed by the
tables under Attachment 1. We believe that there should be close, if not perfect, synchronization between the
ERO’s Event Analysis Process and Attachment 1 since they share the same ultimate goal as EOP-004-2 to
improve industry awareness and BES reliability.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Duke Energy
No
The phrase “…or has the potential to impact…” makes this an impossibly broad definition, and demonstrating
compliance will not be straightforward.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Constellation Power Generation
No
The currently proposed definition is vague and can be easily misinterpreted. Coining a term to define the
events that the DSR SDT hopes to capture in EOP-004-2 is a difficult task, one that may not be necessary.
Replacing the term Impact Events with events in Attachment 1, would eliminate the need to define such a
term.
In addition, the phrase or has the potential to impact the reliability is too vague and broad. Such a broad
statement is unhelpful in clarifying entities’ compliance obligation and potentially creates conflicted reporting
between entities. The language in the reporting requirements should be limited to real impact events, while
information sharing on near miss or deficiency incidents should be handled as good industry practices and not
subject to onerous compliance obligations.
The drafting team should also give careful consideration to the existing reporting and information sharing
currently in place in the industry. When an event occurs, partners in the electric sector are notified as part of
existing requirements outside of NERC compliance.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Georgia System Operations
Corporation
No
It is not clear for the purposes of complying with this standard what it means to impact reliability. Impact in
what way. To what degree. Do not define this term. An alternative would be to define it as those events listed
in Appendix 1.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Indeck Energy Services
No
It's not a definition. It needs some quantification, such as, a Reportable Disturbance (NERC glossary), a
reportable event under DOE OE-417, sabotage or bomb threat. Defining it as having or potentially having an
impact is no definition. What is an impact? It needs to be quantified or auditors will have license to define it
any way that they want. It shouldn't be a NERC Glossary definition if its only use is in EOP-004. Within EOP-004, it can be defined as anything in Attachment 1.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Progress Energy
No
Progress Energy appreciates the Standard Drafting Team’s work on this project. Any potential impact is too
vague and impossible to measure. Progress is unsure of how the ERO or Regional Entity measure impact.
Potential is very subjective.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Brazos Electric Power
Cooperative
No
Southern Company
Yes
There is concern that the proposed definition for Impact Event does not allow for prudent judgment and
preliminary situational assessment by the entity to declare a Potential Impact Event (especially threats) as
non-credible. The thresholds for reporting established in Attachment 1 – Part A provide a somewhat definitive
bright line with regard to those events identified in Part A, but for some of the events in Part B there should be
allowance for an assessment by the entity to reasonably determine whether the event poses a credible threat
to the reliability of the BES. This is attempted in the footnote to the Forced Intrusion event in Attachment 1 –
Part B, but we think this allowance for entity assessment and prudent judgment needs to apply more
pervasively, perhaps by including the term credible in the definition of Impact Event or at least by adding the
term credible wherever the term physical threat is used.
Response: Thank you for your comments. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.” The word
“credible” could lead to many interpretations as well. Reporting is only required for those events and for the given thresholds listed in Attachment 1.
American Municipal Power
Yes
The definition of Impact Event is acceptable and an improvement. I feel it could be improved and simplified
further. Consider changing Impact Event to a “reportable event.”
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events and for the given thresholds listed in Attachment 1.
Liberty Electric Power LLC
Yes
I am interpreting the phrase "has the potential" to exclude events which had the potential, but did not impact
the BES. An example would be a generation trip - if the trip had happened during a system emergency it
could have affected the BES, but since it happened under normal conditions there is no reporting
responsibility. Some assurance on this interpretation would be appreciated.
Response: The DSR SDT thanks you for your comment. We have deleted the proposed defined term “Impact Events” and will use the generic term “event.”
Reporting is only required for those events and for the given thresholds listed in Attachment 1.
Manitoba Hydro
Yes
“Disturbance” has a unique and traditional meaning in the electrical industry, basically meaning “a notable
electrical event causing an imbalance of load and generation.” Attempting to include the many scenarios
that can affect reliability blurred the current vision of “Disturbance” and the addition of “unusual occurrences”
just added to the confusion. It never seemed appropriate to submit an unusual occurrence on a “Disturbance
Report.” “Impact Event” is very encompassing and then detailed specifically in Attachment 1.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
Independent Electricity System
Operator
Yes
We do not have any issue with the wording of the definition, but question the need for this definition since by
itself the term is not specific on the types of events that are regarded as having an “impact.” The detailed
listing of events that fall into a reportable event category, hence the basis for the Impact Event, is provided in
Attachment A. For that matter, these events that are to be reported can be called anything. Defining the term
Impact Event does not serve the purpose of replacing the details in Attachment A, and such a term is not
used anywhere else in the NERC reliability standards. In fact, for the term Impact Event to be fully defined, all
the elements in Attachment A must become a part of it.
We therefore suggest the SDT to consider not defining the term Impact Event, but rather use words to
stipulate the need to have a plan, to implement the plan and to report to the appropriate entities those events
listed in Attachment A.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
PPL Electric Utilities
Yes
PPL EU agrees with the definition. We would like to point out that our interpretation of the definition excludes
maintenance work. Our interpretation also concludes that maintenance work that does not go as planned or
goes awry and impacts the reliability of the BES would be an impact event and reported as required per
Attachment 1.
Response: Thank you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
SDG&E
Yes
PPL Supply
Yes
PSEG Companies
Yes
SPP Standards Review Group
Yes
Lakeland Electric
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
Arkansas Electric Cooperative
Corporation
Yes
Sweeny Cogeneration LP
Yes
New Harquahala Generating Co.
Yes
Platte River Power Authority
Yes
Farmington Electric Utility System
Yes
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
BC Hydro
Yes
Response: Thank you for your response. Most commenters who responded to this question disagreed with the proposed definition and some suggested that the
definition is not needed. In response, the drafting team has deleted the proposed defined term “Impact Events” and will use the generic term “event.” Reporting
is only required for those events and for the given thresholds listed in Attachment 1.
3. Do you agree that the DSR SDT has provided an equally efficient and effective solution to the FERC Order 693
directive to “further define sabotage”? If not, please explain why not and if possible, provide an alternative
that would be acceptable to you.
Summary Consideration: Most stakeholders agreed that the drafting team addressed the directive to further define
sabotage. Commenters generally agreed that the DSR SDT approach in the currently proposed solution effectively addresses
FERC Order 693 directive. The approach clarifies the triggering event for an entity to take action and, by deleting all references
to "sabotage," in effect removes the very term that had no clear definition.
Organization
Yes or No
Question 3 Comment
Pepco Holdings Inc and Affiliates
No
See #2. Without the explanation contained in background information, over time those that have not been
involved with this standard development will struggle with how to interpret the code words of
non-environmental and intentional human action.
Response: The DSR DT thanks you for your comment. This is a Results-based standard and the format includes all of the information, with the exception of the
Rationale boxes, through the ballot and filing of the standard. The background section of the proposed standard will be retained with the standard for future
reference.
Midwest ISO Standards
Collaborators
No
In general, we agree that the standard drafting team has provided an equally efficient and effective
alternative, but we wonder if the SDT has not in essence already defined sabotage in their description for why
they can’t define sabotage. It seems that sabotage involves willful intent to destroy equipment. In general,
intent would have to be determined by an investigation of law enforcement. This could be part of the
definition. There might be some obvious acts that could be included without investigation such as detonation
of a bomb. Is it possible for the SDT to use the DOE definition for sabotage? We encourage the SDT to
provide a definition for sabotage.
Response: The DSR DT thanks you for your comment. The DSR SDT believes that the reporting of events supports the reliability of the BES. Sabotage usually
is determined after the event is investigated and that sabotage may be one aspect of a single event. The intent is to report (per Thresholds of Reporting in
Attachment 1) events that have an impact on BES reliability. The background section of the standard provides guidance with respect to reporting events to law
enforcement. For clarity, the DSR SDT has added the following sentence to the first paragraph under the heading “Law Enforcement Reporting”: “These are the
types of events that should be reported to law enforcement.” The entire paragraph is:
“The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages, such as those
due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to law enforcement. Entities rely
upon law enforcement agencies to respond to and investigate those events which have the potential to impact a wider area of the BES. The inclusion of reporting
to law enforcement enables and supports reliability principles such as protection of bulk power systems from malicious physical or cyber attack. The Standard is
intended to reduce the risk of Cascading events. The importance of BES awareness of the threat around them is essential to the effective operation and planning
to mitigate the potential risk to the BES.”
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Response: The DSR DT thanks you for your comment. Please see the DSR DT response above for question number 2.
Sweeny Cogeneration LP
No
The threshold for reporting what could be sabotage still leaves the door open for second guessing after-the-fact. For example, if graffiti is sprayed on a BES asset, the entity is to assume that the event is not to be
reported. However, intent to harm the BES may be discovered at a later point with ramifications to the entity
who did not report it.
A solution may be to strengthen footnote 3 to both reporting tables, which makes an allowance to report if you
cannot reasonably determine likely motivation of sabotage. If acceptable methods to provide justifiable
evidence that reporting was NOT required, then this loophole may be corrected.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the reporting of events supports the reliability of the BES. Sabotage usually
is determined after the event is investigated and that Sabotage may be one aspect of a single event. The intent is to report events (per Thresholds of Reporting
in Attachment 1) that have an impact on BES reliability. Attachment 1 has been updated per comments received.
USACE
No
The DSR SDT should have defined sabotage since it helps the SDT working on CIP standards further define
its action. Sabotage can be defined as the deliberate act of destruction, disruption, or damage of assets to
impact the reliability of the BES.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the reporting of events supports the reliability of the BES. Sabotage usually
is determined after the event is investigated and that Sabotage may be one aspect of a single event. The intent is to report events (in Attachment 1) that have
an impact on BES reliability. Attachment 1 has been updated per comments received.
Consumers Energy
No
EOP-004 does not appear to address a reliability need. Reporting after-the-fact information such as that
described in Impact Events does not do anything to improve Bulk Electric System reliability. Therefore, we
recommend that CIP-001 be updated to address sabotage events, and that NERC otherwise rely on the
statutory reporting to the DOE that is represented by OE-417 for any after-the-fact information. The
remainder of our comments reflects detailed comments on the posted draft, presuming that our objection
represented above will be disregarded.
Response: The DSR SDT thanks you for your comment. Providing event reporting information will start the event analysis process done by the current NERC
Event Analysis Program. EOP-004-2 is the reporting vehicle to the ERO that will support the analysis phase of any event.
Ameren
No
The SDT did not further define sabotage as directed by FERC, but instead created a new term that does not
address the order. The Term Impact Event has no clarity or quantitative qualities by which an entity can
determine what should be reported. The use of the phrase "has the potential to impact reliability" has such a
vague scope, an auditor can interpret to mean any "off-normal" condition, which makes this standard
impossible to comply with. The SDT should use the DOE definition of sabotage as follows:
Sabotage - Defined by Department of Energy (DOE) as:
• An actual or suspected physical or Cyber attack that could impact electric power system adequacy or
reliability
• Vandalism that targets components of any security system on the Bulk Electric System
• Actual or suspected Cyber or communications attacks that could impact electric power system
adequacy or vulnerability, including ancillary systems which support networks (e.g. batteries)
• Any other event which needs to be reported by the Balancing Authority (Transmission Operations) to
the Department of Energy.
Sabotage can be the work of a single saboteur, a disgruntled employee or a
group of individuals.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the reporting of events supports the reliability of the BES. Sabotage usually
is determined after the event is investigated and that Sabotage may be one aspect of a single event. The intent is to report events (per Thresholds of Reporting
in Attachment 1) that have an impact on BES reliability. Attachment 1 has been updated per comments received. EOP-004-2 sets the minimum reporting
requirements for events.
Calpine Corp
No
The additional definition for “Impact Event” is unnecessary and does not provide useful clarification regarding
actual reporting requirements. Sabotage, whatever the exact definition used, implies intent to damage or
disrupt. The committee correctly notes that determination of actual intent is not always readily available.
However, adding a general expansive definition encompasses all events that might disrupt the Bulk Electric
System does not add clarity to the types of events that require reporting - which are listed in detail in
Attachment 1. The issue can be more simply addressed by replacing the item “Human Intrusion” on
Attachment 1, as follows:
Event: Sabotage (note 3) Entity with Reporting Responsibility: All affected Responsible Entities listed
in the Applicability Section of this Standard.
Threshold for Reporting: Forced Intrusions at a BES facility that have not been determined within the
reporting period to be theft or vandalism that does not affect the operability of BES equipment.
Note 3 For purposes of reporting under Attachment 1, reportable sabotage includes all forced intrusions at
BES facilities that have potential to cause, or cause, any of the disturbance events listed in Attachment 1 and
have not been determined to be theft or vandalism that did not result in any event listed in Attachment 1.
Responsible Entities are not required to report incidents of theft or vandalism that do not result in disturbance
events. This approach also eliminates the need to reference copper theft as a particular type of theft that does
not require reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term
“event.” Attachment 1 has been updated per comments received. The DSR SDT believes that the reporting of events supports the reliability of the BES.
Sabotage usually is determined after the event is investigated and that Sabotage may be one aspect of a single event. The intent is to report events (per
Thresholds of Reporting in Attachment 1) that have an impact on BES reliability. Footnotes have been updated per comments received.
CenterPoint Energy
No
CenterPoint Energy would agree if the definition for Impact Event was changed as suggested in the response
to Question 2.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted the proposed defined term “Impact Events” and will use the generic term
“event.” Attachment 1 has been updated per comments received. The DSR SDT believes that the reporting of events supports the reliability of the BES.
Duke Energy
No
Sabotage is still identified on the flowchart. Timeframes for reporting on Attachment 1 should be made
consistent with DOE OE-417 reporting. Also on Attachment 1, the Threshold for Reporting on a Forced
Intrusion Event should be Affecting BES reliability instead of At a BES facility.
Response: The DSR SDT thanks you for your comment. The DSR SDT has updated the flowchart. The DOE Form OE-417 is reviewed biennially by the DOE
and can be updated or changed without NERC’s involvement. The DSR SDT has taken into consideration the possible use of Form OE-417 to report events to
NERC and agrees that this will fulfill EOP-004-2’s reporting requirements. The DSR SDT has removed sabotage from the flowchart and has replaced it with:
“Criminal act under federal jurisdiction.”
Indeck Energy Services
No
The SDT hasn't defined sabotage. Attachment 1 does not do justice to the concept of sabotage. Sabotage
should be defined as any intentional damage to BES facilities that causes a Reportable Disturbance,
reportable event under DOE OE-417 or involves a bomb or bomb threat.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the reporting of events supports the reliability of the BES. The intent is to
report events (per Thresholds of Reporting in Attachment 1) that have an impact on BES reliability. Sabotage usually is determined after the event is investigated
and that Sabotage may be one aspect of a single event. The DOE Form OE-417 is reviewed biennially by the DOE and can be updated or changed without
NERC’s involvement. The DSR SDT has taken into consideration the possible use of Form OE-417 to report events to NERC and agrees that this will fulfill EOP-004-2’s reporting requirements.
Exelon
Yes
Exelon agrees with the DSR SDT in that the currently proposed solution effectively addresses the intent of
FERC Order 693 directive to both clarify the triggering event for an entity to take action and by deleting all
references to "sabotage" in effect removes the very term that had no clear definition.
Response: Thank you for your comment.
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
Yes
We agree with the approach taken by the SDT.
Northeast Power Coordinating
Council
Yes
It is more important to report suspicious events than to determine if an event is caused by sabotage before it
gets reported.
Midwest Reliability Organization
Yes
Sabotage is usually associated with a malicious attack. Entities have always lacked the clinical expertise to
determine if an event was malicious or not. The Impact Event bright line criteria clearly states what the
minimum reporting requirements are.
Manitoba Hydro
Yes
“Impact event”, The DSR SDT reasoning for this. “A sabotage event can only be typically determined by law
enforcement after the fact” is very creative and concise!
Response: The DSR SDT thanks you for your comment.
Independent Electricity System
Operator
Yes
We agree since it is more important to report suspicious events than to determine if an event is caused by
sabotage before it gets reported.
Response: The DSR SDT thanks you for your comment.
ISO New England, Inc
Yes
We agree since it is more important to report suspicious events than to determine if an event is caused by
sabotage before it gets reported.
Ingleside Cogeneration LP
Yes
Sabotage cannot be confirmed until after the fact, so we support this initiative.
Bonneville Power Administration
Yes
Western Electricity Coordinating
Council
Yes
PPL Supply
Yes
PSEG Companies
Yes
Dominion
Yes
SPP Standards Review Group
Yes
FirstEnergy
Yes
SERC OC Standards Review
Group
Yes
PJM Interconnection LLC
Yes
Southern Company
Yes
SRP
Yes
We Energies
Yes
SDG&E
Yes
City of Tallahassee (TAL)
Yes
Lakeland Electric
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
American Municipal Power
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
American Electric Power
Yes
New Harquahala Generating Co.
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
ExxonMobil Research and
Engineering
Yes
Question 3 Comment
Well done.
No comments.
PPL Electric Utilities
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility
System
Yes
American Transmission
Company
Yes
Constellation Power Generation
Yes
Georgia System Operations
Corporation
Yes
City of Tacoma, Department of
Public Utilities, Light Division,
dba Tacoma Power
Yes
Brazos Electric Power
Cooperative
Yes
Question 3 Comment
None.
Response: The DSR SDT thanks you for your response. Several commenters proposed revisions to the definition, and after deliberation the SDT has deleted the
proposed defined term “Impact Events” and will use the generic term “event”. Attachment 1 has been updated per comments received. The DSR SDT believes
that the reporting of events supports the reliability of the BES.
4. Do you agree with the proposed applicability of EOP-004-2 shown in Section 4 and Attachment 1 of the
standard? If not, please explain why not and if possible, provide an alternative that would be acceptable to
you.
Summary Consideration: The SDT believes that it has properly identified registered entities that may potentially have events
and the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in
Attachment 1 if the registered entity was affected by the event. If an event occurs, only affected Registered Entities listed in
Attachment 1 are required to submit a report on the event. The SDT believes that the industry will gain valuable information
from having different perspectives of a single event. Differing viewpoints on the same event will provide for better clarity to all
parties on the actual impact to the bulk electric system. The SDT would like to point out that reporting of events is from the
time of identification not the time of the event. In response to the comments received, the SDT has made numerous
enhancements to Attachment 1. These revisions include:
• Added new column “Submit Attachment 2 or DOE OE-417 Report to:” which references Part 1.3 and provides
the time required to submit the report.
• Combined Parts A and B into one table and reorganized it so that the events are listed in order of reporting
times (either one hour or 24 hours).
• Removed references to “Impact Event” and replaced with the specific language for the event type in the
“Entity with Reporting Responsibility”. For example, replaced “Impact Event” with “automatic load
shedding”.
The ERO and the RE were added as applicable entities to reflect CIP-002 applicability to this standard.
Organization
Yes or No
Question 4 Comment
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
No
We do not believe that GO, TO, TSP, DP, or LSE should be included in the applicability of this standard. It is
our opinion that the reporting requirements lie primarily with the applicable operator and should be limited as
such. We recommend modifications as discussed in our response to question 6 to clearly define what types
of events each Responsible Entity needs to prepare for. Currently, it seems that multiple entities are being
required to report the same event for some events where only one entity should have a reporting
responsibility. However, NERC should not decide which one entity should report a given event.
The entities should have the flexibility to create a process which allows for coordination and communication at
a local level and to work out with neighboring entities who might ultimately report events to the applicable
organizations.
Response: Thank you for your comments. The SDT disagrees that the operators are the only entities with obligations to report; owners and users may have
very credible and valuable information relating to events. Such information may be extremely beneficial in developing lessons learned and analyzing events.
Your suggestion to allow for local coordination and communication is a practical suggestion and the standard allows for it.
Northeast Power Coordinating Council
No
Disagree with the following inclusion/exclusion of several entities:
a. The applicable entities listed in Section 4 capture all the entities that are assigned a reporting responsibility
in Attachment 1 of the standard. While some events in Attachment 1 have specific entities identified as
responsible for reporting, certain events refer to the entities listed in specific standards (e.g. CIP-002) as the
responsible entities for reporting. The latter results in IA, TSP and LSE (none of which being specifically
identified as having a reporting responsibility) being included in the Applicability Section. NERC should be
included in the Applicability Section as it is an applicable entity identified in CIP-002-3.
b. If the above approach was not strictly followed, then suggest the SDT review the need to include IA, TSP
and LSE since they generally do not own any Critical Assets and hence will likely not own any Critical Cyber
Assets.
Response: The DSR SDT thanks you for your comment. The SDT believes it needs to follow the requirements of the standards as they currently apply. Since
these entities are applicable to the underlying standards identified in Attachment 1, then they will be subject to reporting. If those standards are modified to
remove the applicability to these functional registrations, then the appropriate SDT can modify the applicability of this standard. The SDT has reviewed the CIP-002-3 standard and has included the ERO and the RE in this standard.
Pacific Northwest Small Public Power Utility Comment Group
No
We believe that facilities used in the local distribution of electric energy should be excluded from these
requirements due to the language of 16 U.S.C. § 824o(a)(1) and 16 U.S.C. § 824o(i)(1).
Response: The DSR SDT thanks you for your comment. The SDT constructed Attachment 1 based upon the existing requirements in the various reliability
standards and established reporting obligations. The information about events and the analysis of those events will be useful to all owners, operators, and users
of the bulk power system. The SDT has clarified the reporting requirement such that only those affected by the event are required to submit a report.
PSEG Companies
No
The PSEG Companies believe the defining language, roles and responsibilities outlined in Attachment 1 are
unclear and inconsistent. For example fuel supply emergency reporting footnote 2 “Report if problems with
the fuel supply chain result in the projected need for emergency actions to manage reliability” attempts to
clarify the condition for reporting but does not. Whose “emergency actions” are being referred to in the
footnote? It is not clear if those actions would be related to the specific station or the overall Bulk Electric
System (BES). Can this be interpreted to imply a gas supply issue to one generating station as the result of
pipeline maintenance, or local pressure issues would also require reporting? The PSEG Companies believe
the definition of a fuel supply emergency needs to be more specific and less open to broad interpretation.
In addition, the “Time to Submit Report” section of attachment 1 has a significant number of changes from the
previous version. Accelerating the twenty four (24) hour to one (1) hour requirement for submitting the reports
for several of the events takes resources away from managing the actual event. For the above comments
failure to submit a report within 1 hour is a high or severe VSL for a fuel supply emergency. This approach
seems inconsistent with ensuring the operation and reliability of the BES. One (1) hour reporting, in most
cases, is not adequate time to compile the needed information, prepare report, ensure the accuracy, submit,
and simultaneously manage the actual event. We recommend 24 hour reporting for: Damage or destruction to
BES, Fuel Supply Emergency, Forced Intrusion, and Risk to BES equipment sections of Attachment 1.
Response: The DSR SDT thanks you for your comment. The SDT appreciates the observation on Fuel Supply Emergency and has adjusted Attachment 1 to
address it. Reporting under the standard requires that the Registered Entity provide what information it has at the time of the report. The report may not
provide the entire record or identification of the event. If the Registered Entity desires to submit an updated report, it may choose to do so; but there is no
obligation to do so.
The DSR SDT has significantly revised Attachment 1. We have removed the timing column and replaced it with more specific information regarding which form to
submit and to whom the report is to be submitted. All events are now to be reported within 24 hours with the exception of Destruction of BES equipment,
Damage or destruction of Critical Assets and Damage or destruction of Critical Cyber Asset events, Forced Intrusion, Risk to BES equipment and Detection of a
reportable Cyber Security Incident. These events are to be reported within 1 hour. Notification of law enforcement (per Requirement R1, Part 1.3.2) is only
required for these events. The background section of the standard provides guidance with respect to reporting events to law enforcement. For clarity, the DSR
SDT has added the following sentence to the first paragraph under the heading “Law Enforcement Reporting”: “These are the types of events that should be
reported to law enforcement.” The entire paragraph is:
o “The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages,
such as those due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to law enforcement.
Entities rely upon law enforcement agencies to respond to and investigate those events which have the potential to impact a wider area of the BES. The inclusion
of reporting to law enforcement enables and supports reliability principles such as protection of bulk power systems from malicious physical or cyber attack. The
Standard is intended to reduce the risk of Cascading events. The importance of BES awareness of the threat around them is essential to the effective operation
and planning to mitigate the potential risk to the BES.”
Dominion
No
1) Several of the events require filing a written Impact Event report within one hour. System Separation, for
example, is going to require an “all hands on deck” response to the actual event. We note that the paragraph
above Attachment 1, Part A indicates that a verbal report would be allowed in certain circumstances, but this
is the same issue with the formal report in that the system operators are concerned with managing the event
and not the reporting requirements. Another example would be the Loss of Off-site power to a nuclear
generating plant. Suggest reconsideration of one hour reporting requirement for events requiring extensive
operator actions to mitigate;
2) Several events seem to have the “Threshold for Reporting” contained in footnotes rather than in the table.
For example, Damage or destruction of BES equipment - Footnote 1, Fuel supply emergency - Footnote 2,
etc.) Suggest moving the actual threshold into the table;
3) If one hour reporting remains as indicated in Attachment 1; align/rename events similar to that of the
‘criteria for filing’ events listed in DOE OE-417 for consistency.
Response: Thank you for your comment. Reporting under the standard requires that the Registered Entity provide what information it has at the time of the
report. The report may not provide the entire record or identification of the event. If the Registered Entity desires to submit an updated report, it may choose to
do so; but there is no obligation to do so. Based upon comments received, the SDT has updated the time reporting requirements in Attachment 1. Most events
are to be reported within 24 hours. The DSR SDT has retained a one-hour reporting requirement for those events the DSR SDT believes are the types of event
that would be typically reported to law enforcement and are of a more urgent nature.
SPP Standards Review Group
No
While the SDT has recognized the issue of applicability to GO/TO in its background information with the
Unofficial Comment Form, we still do not feel comfortable with the GO/TO being listed as a responsible entity
when in fact it may be days before they become aware of an event worthy of reporting. If the GOP/TOP
makes the report, are the GO/TO still responsible for filing a report? If the GOP/TOP do not file the report,
would the GO/TO then be non-compliant? This issue appears to put additional risk on the GO/TO over which
they have no control. We need some mechanism to eliminate unnecessary risk while at the same time
ensuring that we have coverage for the BES. Perhaps this could be done through delegation agreements
between the entities involved or through allowances within the standard itself. For example, could the phrase
“appropriate parties in the Interconnection” as currently contained in CIP-001-1, R2 be incorporated into the
standard to basically replace GO/TO?
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. If an event occurs, only affected Registered Entities listed in Attachment 1 are required to submit a report on the event. Having reports
from different entities for the same event may provide a more complete understanding of the event.
FirstEnergy
No
1. Attachment 1, Part A - Energy Emergency requiring Public appeal for load reduction - In the current draft
Standard, the applicability has been revised from an RC and BA to "initiating entity.” We can’t see where
the GO/GOP would ever make this determination. Needs to be clarified.
2. Attachment 1, Part A - Energy Emergency requiring system-wide voltage reduction - In the current draft
Standard, the applicability has been revised from an RC, TO, TOP, and DP to "initiating entity.” We can’t
see where the GO/GOP would ever make this determination. Needs to be clarified.
3. Attachment 1, Part A - Voltage Deviations on BES facilities - A GOP may not be able to make the
determination of a +/- 10% voltage deviation for ≥ 15 continuous minutes, this should be a TOP RC
function only.
4. Attachment 1, Part A - Loss of offsite power (LOOP) classification should not apply to nuclear generators.
The impact of a LOOP is dependent on the design of the specific nuclear unit and may not necessarily
result in a unit trip. If a LOOP did result in a unit trip, the NRC requires notification by the nuclear
GO/GOP via the Emergency Notification System (ENS), and time allowed for that notification (1 hour, 4
hours, 8 hours, or none at all) is, as mentioned above, dependent on the design of the plant. We believe it
would be beneficial if consideration were given to coordinating reporting requirements for nuclear units
with existing required notifications to the NRC to avoid duplication of effort.
5. Attachment 1 should align NERC Standard NUC-001 concerning the importance of ensuring nuclear
plant safe operation and shutdown. If a transmission entity experiences an event that causes a loss of
off-site power as defined in the nuclear generator’s Nuclear Plant Interface Requirements, then the
responsible transmission entity should report the event within 24 hours after occurrence. Also, for clarity
"grid supply" should be replaced with "source" to ensure that notification occurs on a loss of one or
multiple sources to a nuclear power plant.
6. Attachment 1, Part A - Damage or destruction of BES equipment. See Nuclear comments on question
17 below.
7. Attachment 1, Part B - Forced intrusion at a BES facility. See Nuclear comments on question 17 below.
8. Attachment 1, Part B - Risk to BES equipment from a non-environmental physical threat. What
constitutes a "risk" to the reporting entity is still somewhat ambiguous, and although the DSR SDT has
provided some examples, without more specific criteria for this event the affected entity will have difficulty
in determining within 1 hour if a report is necessary. Also, see Nuclear comments on question 17 below.
Response: The DSR SDT thanks you for your comment. As a general note, the Applicability section of the standard includes each entity that will be responsible
for reporting an event. Attachment 1 has a column “Entity with Reporting Responsibility” to indicate the appropriate entity that is required to report under this
standard. For items 1-3 above, the GO or GOP will not be the likely deficient or initiating entity. This will most likely be the BA, TOP or the RC. For item 4, the
LOOP event is to be reported by the TO and TOP, not the nuclear plant. For item 5, the TO and TOP are to report within 24 hours. The DSR discussed using
“source”, however this indicates a single source whereas “supply” encompasses all sources. For items 6, 7 and 8, please see response to Question 17 comments.
SERC OC Standards Review Group
No
We agree that all of the entities listed should be responsible for reporting an event, provided they own BES
assets, but guidance should be given for which entity in Attachment 1 actually files the report to avoid
duplication for a single event.
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. If an event occurs, only affected Registered Entities listed in Attachment 1 are required to submit a report on the event. Having reports
from the different entities may provide valuable information on understanding the event.
PJM Interconnection LLC
Yes
1. We agree that the entities listed should be responsible for ensuring events are reported, provided they own
BES assets, but more guidance should be provided on which entity in Attachment 1 should actually file the
report to avoid multiple entities reporting a single event. Current Attachment 1 results in significant duplicate
reporting.
2. Although the applicable entities listed in Section 4 capture all entities that are assigned a reporting
responsibility in Attachment 1, some events in Attachment 1 refer to entities applicable under a different
standard (e.g. CIP-002) as the responsible entities for reporting. This results in IA, TSP, and LSE (none of
which, generally own Critical Assets and hence not likely own CCAs) as being responsible for reporting an
event. We urge the SDT review the need to include IA, TSP, and LSE in applicable entities. Also, why is
NERC an applicable entity in CIP-002-3 but not in this standard?
Response: Thank you for your comments. 1. The “Entity with Reporting Responsibility” column of Attachment 1 indicates who is responsible for submitting
reports for each event type. It is expected that multiple reports will be received for the same event. Each entity experiencing the event may see something
different. This reporting will allow for a more robust analysis process after the fact. 2. The IA, TSP and LSE are included as applicable entities for EOP-004 only
because they are applicable under CIP-002. The only events that these entities are required to report are related to cyber assets. The ERO and the RE were
added as applicable entities for consistency with CIP-002.
SRP
No
The threshold for Reporting is broad, vague and repetitive. "Three or more BES Transmission Elements" is
vague and could be interpreted as 3 breakers in a large system.
Response: The DSR SDT thanks you for your comment. Based upon comments received, the SDT has modified Attachment 1 accordingly.
We Energies
No
Attachment 1: From the NERC Glossary, an Energy Emergency: A condition when a Load-Serving Entity has
exhausted all other options and can no longer provide its customers’ expected energy requirements. The first
four events listed can only apply to an LSE.
Loss of Firm Load for >15 Minutes: By the NERC Glossary definitions of DP and LSE, the LSE would seem
to be more appropriate than the DP.
With the proposed one-hour reporting requirement, the industry would be undertaking significant regulatory
risk with respect to timely reporting. The requirement to report the crime-based events in the field within one
hour, as shown in Attachment 1 Part A or Part B will be difficult. We could even discover a theft in progress
with the suspect trapped inside the substation fence and the police attempting to make a safe arrest. We
need more reporting time, especially when they have not even resulted in an outage.
The industry is keenly interested in understanding the benefit of taking on the risk. What analysis, insight,
warnings or recommendations would the ES-ISAC provide to the reporting entity, the industry or to law
enforcement agencies in the hours after such an incident is reported? Note too that DOE requires reporting
of a physical attack within one hour only when it “causes a major interruption or major negative impact on
critical infrastructure facilities or to operations.” In lesser cases, the entity gets up to six hours if it “impacts
electric power system reliability.” DOE has said that it is not interested in copper theft unless it causes one of
these events. If the SDT is working to ensure consistency of reporting requirements, please consider DOE
requirements too. Meeting the reporting deadline will mean that available resources in the control center will
be devoted to ensuring the report is filed on time instead of making the site safe and arranging for prompt
repair. It may even mean that law enforcement won’t be contacted until the forms are filed with the ES-ISAC.
The exception contained in footnote #1 of Attachment 1 with respect to copper theft is not an exception at all.
The majority of copper theft from substations is, in fact, such grounding connectors which may or may not
render the protective relaying inoperative. You could end up receiving reports from all over the USA, Canada
and Mexico, mostly on Monday mornings as weekend copper thefts are discovered. Attachment 1 Part A
table also contains redundancies. One of the cells reads, “Damage or Destruction of Critical Asset.” One
cannot destroy something without damaging it first. Consequently, it is sufficient to simply say, “Damage to a
Critical Asset.” Apply to all cells with the same phrase.
Response: Thank you for your comments. Only Registered Entities affected by the event have to submit a report. Entities that were not affected by the event
are under no obligation to submit a report. Registered Entities are to report what information they have at the submission timeline. The SDT recognizes that a
final report may not be possible at the submission time. The reporting requirements are consistent with the current reporting requirements of the various
authorities. The one hour reporting times are listed as “one hour within recognition of an event”. This should be sufficient to allow the reporting entity time to
submit the report after the event has been recognized. Based upon comments received from many stakeholders, the SDT has modified Attachment 1. The
background section of the standard provides guidance with respect to reporting events to law enforcement. For clarity, the DSR SDT has added the following
sentence to the first paragraph under the heading “Law Enforcement Reporting”: “These are the types of events that should be reported to law enforcement.”
The entire paragraph is:
o “The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages,
such as those due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to law enforcement.
Entities rely upon law enforcement agencies to respond to and investigate those events which have the potential to impact a wider area of the BES. The inclusion
of reporting to law enforcement enables and supports reliability principles such as protection of bulk power systems from malicious physical or cyber attack. The
Standard is intended to reduce the risk of Cascading events. The importance of BES awareness of the threat around them is essential to the effective operation
and planning to mitigate the potential risk to the BES.”
Exelon
No
Remove LSE. As has been determined in previous filings, FERC has ruled that asset owning DP’s must be
registered as LSE’s. The standard as proposed is applicable to DP’s. This addresses any concern with a
“reliability gap” for reporting events that could have an adverse material impact to the BES. See FERC Docket
RC-07-4-003, -6-003, -7-003 paragraphs 24 and 25. “The Commission approves … revisions to the Registry
Criteria to have registered distribution providers also register as the LSE for all load directly connected to their
distribution facilities… The registration of the distribution provider as the LSE for all load directly connected to
its distribution facilities is for the purpose of compliance with the Reliability Standards. As NERC explains,
distribution providers have both the infrastructure and access to information to enable them to comply with the
Reliability Standards that apply to LSEs… The Commission finds that, based on these facts, NERC acted
reasonably in determining that the distribution provider is the most appropriate entity to register as the LSE for
the load directly connected to its distribution facilities.”
Attachment 1, Part A – Energy Emergency requiring Public appeal for load reduction – In the current draft
Standard, the applicability has been revised from an RC and BA to "initiating entity.” As a GO/GOP, I cannot
see any event where a GO/GOP would be the responsible "initiating entity" or have the ability to determine an
"Energy Emergency.” Suggest revising back to specific entities that would be likely responsible for this action
(e.g., RC, BA, TOP). Attachment 1, Part A – Energy Emergency requiring system-wide voltage reduction – In
the current draft Standard, the applicability has been revised from an RC, TO, TOP, and DP to "initiating
entity.” As a GO/GOP, I cannot see any event where a GO/GOP would be the responsible "initiating entity" or
have the ability to determine an "Energy Emergency" related to system-wide voltage reduction. Suggest
revising back to specific entities that would be likely responsible for this action. Attachment 1, Part A –
Voltage Deviations on BES facilities - A GOP may not be able to make the determination of a +/- 10% voltage
deviation for ≥ 15 continuous minutes, this should be a TOP RC function only. Attachment 1,
Part A – Loss of off-site power (grid supply) affecting a nuclear generating station – this event applicability
should be removed in its entirety for a Nuclear Plant Generator Operator. The impact of loss of off-site power
on a nuclear generation unit is dependent on the specific plant design, if it is a partial loss of off-site power
(per the plant specific NPIRs) and may not result in a loss of generation (i.e., unit trip). If a loss of off-site
power were to result in a unit trip, an Emergency Notification System (ENS) would be required to the Nuclear
Regulatory Commission (NRC). Depending on the unit design, the notification to the NRC may be 1 hour, 8
hours or none at all. Consideration should be given to coordinating such reporting with existing required
notifications to the NRC as to not duplicate effort or add unnecessary burden on the part of a Nuclear Plant
Generator Operator during a potential transient on the unit. In addition, if the loss of off-site power were to
result in a unit trip, if the impact to the BES were ≥2,000 MW, then required notifications would be made in
accordance with the threshold for reporting for Attachment 1, Part A – Generation Loss. However, to align
with the importance of ensuring nuclear plant safe operation and shutdown as implemented in NERC
Standard NUC-001, if a transmission entity experiences an event that causes an unplanned loss of off-site
power (source) as defined in the applicable Nuclear Plant Interface Requirements, then the responsible
transmission entity should report the event within 24 hours after occurrence. In addition, replace the words
"grid supply" to "source" to ensure that notification occurs on an unplanned loss of one or multiple sources to
a nuclear power plant. Suggest rewording as follows (including replacing the words "grid supply" to "source"
and adding in the word "unplanned" to eliminate unnecessary reporting of planned maintenance activities in
the table below):
Event: Unplanned loss of off-site power to a Nuclear generating plant (source) as defined in the applicable Nuclear Plant Interface Requirements (NPIRs)
Entity with Reporting Responsibility: Each transmission entity responsible for providing services related to NPIRs (e.g., RC, BA, TO, TOP, TO, GO, GOP) that experiences the event causing an unplanned loss of off-site power (source)
Threshold for Reporting: Unplanned loss of off-site power (source) to a Nuclear Power Plant as defined in the applicable NPIRs.
Time to Submit Report: Within 24 hours after occurrence
Response: Thank you for your comments. The SDT constructed Attachment 1 based upon the existing requirements in the various reliability standards and
established reporting obligations. The LSE is an applicable entity under CIP-002 and CIP-008. The types of events that you list are not applicable to a GO/GOP.
The Applicability section of the standard lists each entity that is applicable for some portion of the standard. The information in Attachment 1 specifies which
entity must report for which type of event. The loss of off-site power is only applicable to the TO and TOP and not the nuclear plant operator.
SDG&E
No
SDG&E recommends that “Load Serving Entity,” “Transmission Service Provider,” and “Interchange Authority”
be removed from the proposed applicability shown in Section 4. These entities do not own assets that could
have an impact on the Bulk Electric System. Additionally, none of these entities is listed as an “Entity with
Reporting Responsibility” in Attachment 1. Finally, “Transmission Service Provider” is covered by either
“Transmission Owner” or “Balancing Authority,” which are entities also listed in the proposed Applicability
section, and “Load Service Entity” and “Interchange Authority” are covered by “Balancing Authority.”
Response: Thank you for your comments. The SDT constructed Attachment 1 based upon the existing requirements in the various reliability standards and
established reporting obligations. The LSE, TSP and IC are applicable entities under CIP-002 and CIP-008.
United Illuminating Co
No
Will an entity be required to develop an Operating Process for every Impact Event in Attachment 1, or only
those events that apply to its Registration? For example, does a DP require evidence of an Operating
Process/Procedure for Voltage Deviations on a BES Facility? Some items in Attachment 1 state “Each RC,
BA, TOP, DP that experiences the Impact Event” (such as Loss of Firm Load). DP’s may have arranged with
TOP and RC to communicate the event to TOP who then will file the NERC report and OE-417. The
requirements in the Standard would allow for this as long as the Operating Plan documents it. Attachment 1
though can be interpreted that this arrangement would not be allowed and each entity shall file its own and
separate report. UI suggests that Attachment 1 be modified to allow for an Entity’s Operating Plan to rely on
another Entity making the final communication to NERC. “Each RC, BA, TOP, DP that experiences the Impact
Event, either individually or combined on a single filing”
Response: The DSR SDT thanks you for your comment. The SDT believes that it is not necessary to develop a separate Operating Process for each event,
unless the company requires it. The SDT feels that any Registered Entity affected by an event needs to submit a report. The SDT believes that the Registered
Entity can utilize any resource it has available to complete the reporting obligations and does not believe that Attachment 1 inhibits any options from being used.
Based upon comments received, the SDT has decided to remove the definition of Impact Event from the standard and leave as identified through Attachment 1.
American Municipal Power
No
No, I do not agree. The DP and LSE functions should be removed.
Response: The DSR SDT thanks you for your comment. The SDT constructed Attachment 1 based upon the existing requirements in the various reliability
standards and established reporting obligations. This information will be useful to all owners, operators, and users of the bulk power system. The DP and LSE
are applicable entities under CIP-002 and CIP-008.
Sweeny Cogeneration LP
No
In Attachment 1, Generator Operators who experience a ± 10% sustained voltage deviation for ≥ 15
continuous minutes must issue a report. For externally driven events, the GOP will have little if any knowledge of the
cause or remedies taken to address it. We believe the language presently in EOP-004-1 is satisfactory that
any “action taken by a Generator Operator” that results in a voltage deviation has to be reported by the GOP.
Response: Thank you for your comment. Reporting of events is an obligation of affected Registered Entities. Registered Entities who do not experience an
event do not have any reporting obligations.
Independent Electricity System Operator
No
We disagree with the following inclusion/exclusion of several entities:
a. We assess that the applicable entities listed in Section 4 capture all the entities that are assigned a
reporting responsibility in Attachment 1 of the standard. While some events in Attachment 1 have specific
entities identified as responsible for reporting, certain events refer to the entities listed in specific standards
(e.g. CIP-002) as the responsible entities for reporting. The latter results in IA, TSP and LSE (none of which
being specifically identified as having a reporting responsibility) being included in the Applicability Section. If
our reasoning is correct, we question why NERC was dropped from the Applicability Section as it is an
applicable entity identified in CIP-002-3.
b. If the above approach was not strictly followed, then we’d suggest the SDT review the need to include IA,
TSP and LSE since they generally do not own any Critical Assets and hence will likely not own any Critical
Cyber Assets.
Response: The DSR SDT thanks you for your comment. The SDT believes it needs to follow the requirements of the standards as they currently apply. Since
these entities are applicable to the underlying standards identified in Attachment 1, they will be subject to reporting. If those standards are modified to remove
the applicability to these functional registrations, then the appropriate SDT can modify the applicability of this standard. The SDT has reviewed the CIP-002-3
standard and have added the ERO and the RE as applicable entities. If an IA, TSP or LSE does not own Critical Assets nor Critical Cyber Assets, then they will
have nothing to report under this standard.
Ameren
No
The 1 hour reporting requirement, as referenced in Attachment 1 is inappropriate. In the event an "Impact
Event" were to be discovered the Responsible Entity should focus on public and personnel safety. The
reporting requirement should read "Within 1 hour or as soon as conditions are deemed to be safe." This
statement would be applicable to "Damage or destruction of Critical Asset". The SDT should not put
personnel in the position of choosing to either comply with NERC or address public or co-worker safety. The
Time to Submit Report states "within 1 hour after occurrence is identified". This gives an auditor a wide area
to question. If personnel report the occurrence 1 hour after identified, but 24 hours after it occurred, we are
subject to the personal beliefs of the auditor that the event was not identified 24 hours ago, and reported 24
hours late. This will also be difficult to measure as the operator will have to document in the plant log the time
the event was identified, while possibly dealing with Emergency Conditions. In the Note above the Actual
Reliability Impact Table, the SDT identifies that under certain conditions, NERC / RRO staff may not be
available for continuous 24 hour reporting. The SDT should consider the same stipulations apply to operating
personnel and they should not be held to a higher standard than NERC / RRO.
Response: Thank you for your comment. The reporting timelines for most events have been changed from 1 hour to 24 hours. The events that retain the one
hour requirement are those that are more closely related to sabotage type events. The DSR SDT chose the wording “upon identification of an event” to allow for
cases where an event may not be recognized for some time due to an asset being in a remote location for example. It is expected that an auditor will follow what
is written in the standard rather than their personal preference. In the note above Attachment 1, it does not state that the ERO may not be available. This note is
related to R3.3 of EOP-004-1 and provides for delayed reporting by an entity during storms or other such instances.
ISO New England, Inc
No
We disagree with the following inclusion/exclusion of several entities:
a. We acknowledge that the applicable entities listed in Section 4 capture all the entities that are assigned a
reporting responsibility in Attachment 1 of the standard. While some events in Attachment 1 have specific
entities identified as responsible for reporting, certain events refer to the entities listed in specific standards
(e.g. CIP-002) as the responsible entities for reporting. The latter results in IA, TSP and LSE (none of which
being specifically identified as having a reporting responsibility) being included in the Applicability Section. If
our reasoning is correct, we question why NERC was dropped from the Applicability Section as it is an
applicable entity identified in CIP-002-3.
b. If the above approach was not strictly followed, then we’d suggest the SDT review the need to include IA,
TSP and LSE since they generally do not own any Critical Assets and hence will likely not own any Critical
Cyber Assets.
c. There is still significant duplicate reporting included. For instance, why do both the RC and TOP have to report
voltage deviations? As written, a voltage deviation on the BES would require both to report. The same would
hold true for IROLs. Perhaps IROLs should only be reported by the RC to be consistent with the recently
FERC approved Interconnection Reliability Operating Limit standards.
Response: The DSR SDT thanks you for your comment. (a) The SDT believes it needs to follow the requirements of the standards as they currently apply.
Since these entities are applicable to the underlying standards identified in Attachment 1, then they will be subject to reporting. If those standards are modified
to remove the applicability to these functional registrations, then the appropriate SDT can modify the applicability of this standard. The SDT has reviewed the
CIP-002-3 standard and have added the ERO and the RE as applicable entities. (b) The IA, TSP and LSE are included in the Applicability only as it relates to CIP-002 events listed in the table. (c) The DSR SDT has removed the RC from “Voltage Deviations” and the TOP from the IROL to address the comment.
Calpine Corp
No
Expanding the current applicability of CIP-001-1 and EOP-004-1 to the GO function is unnecessary and will
result in numerous duplicate reports, self-certifications, spot checks, and audits reviews, with no benefit to the
reliability of the Bulk Electric System. The GOP is the appropriate applicable entity for generation facilities.
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. If an event occurs, only affected Registered Entities listed in Attachment 1 are required to submit a report on the event. Having reports
from the different entities may provide valuable information on understanding the event. The SDT would like to point out that reporting of events is from the
time of identification not the time of the event.
Occidental Power Marketing
No
Load Serving Entities that do not own or operate BES assets (or assets that support the BES) should not be
included in the Applicability. The SDT includes LSEs based on CIP-002; however, if the LSE does not have
any BES assets (or assets that support the BES), CIP-002 should also not be applicable because the LSE
could not have any Critical Assets or Critical Cyber Assets. It is understood that the SDT is trying to comply
with FERC Order 693, Sections 460 and 461; however, Section 461 also states: "Further, when addressing
such applicability issues, the ERO should consider whether separate, less burdensome requirements for
smaller entities may be appropriate to address these concerns." A qualifier in the Applicability of EOP-004-2
that would include only LSEs that own, operate or control BES assets (or assets that support the BES) would
seem appropriate and acceptable to FERC.
Response: The DSR SDT thanks you for your comment. The SDT believes it needs to follow the requirements of the standards as they currently apply. Since
these entities are applicable to the underlying standards identified in Attachment 1, then they will be subject to reporting. The LSE is an applicable entity under
CIP-002 and CIP-008. If those standards are modified to remove the applicability to these functional registrations, then the appropriate SDT can modify the
applicability of this standard.
American Transmission
Company
No
First, under Part A, the reporting requirement for three or more BES Transmission Elements will create
confusion. The NERC definition for an Element is: “Any electrical device with terminals that may be
connected to other electrical devices such as a generator, transformer, circuit breaker, bus section, or
transmission line. An element may be comprised of one or more components.” This could be interpreted to
be three potential transformers on a bus section; therefore, any bus section would require a report. It is
suggested that this be reworded to indicate three or more BES transmission lines, bus sections, or
transformers.
Second, under Part A, the reporting requirement for “Damage or destruction of BES equipment” is too broad
and needs to be modified. For example, an output contact on a relay could be damaged unintentionally
during routine testing resulting in a reportable event. It is suggested that the list of BES equipment and full
intent of this be further defined in the footnote. The intent needs to be clarified, such as “events that have an
immediate and significant impact to the stability or reliability of the BES.”
Third, under Part A, the reporting requirement for “Damage or destruction of a Critical Cyber Asset” is too
broad and needs to be modified. For example, an output contact on a relay could be damaged unintentionally
during routine testing resulting in a reportable event.
Response: Thank you for your comments. (1) The event “Transmission Loss” has been modified to remove the word Element. This now refers to Facilities. 2.
If damage to a contact on a relay poses a reliability threat, then it should be reported. There is a footnote for this type of event that helps clarify what is
expected to be reported. It states:
1 BES equipment that: i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency
actions); iii) Damaged or destroyed due to intentional or unintentional human action which removes the BES equipment from service. Do not report copper theft
from BES equipment unless it degrades the ability of equipment to operate correctly (e.g., removal of grounding straps rendering protective relaying inoperative).
3. This relates only to Critical Cyber Assets identified under CIP-002. If a relay contact is identified under CIP-002 as a Critical Cyber Asset, then its damage or
destruction should be reported.
Ingleside Cogeneration LP
No
Owners and operators of facilities whose total removal from the BES would not meet any reportable threshold
under Attachment 1 should not have to create and maintain Operating documents. The same would be true
of any LSE, TSP, or IA that does not oversee any Critical Cyber Assets as identified under CIP-002. A
statement to that effect could be made in Section 4 of EOP-004-2.
Response: Thank you for your comments. Requirements under Standards can only be enforced against Registered Entities, not whether or not they own or
operate certain types of assets. The SDT believes it needs to follow the requirements of the standards as they currently apply. Since these entities are applicable
to the underlying standards identified in Attachment 1, then they will be subject to reporting. If those standards are modified to remove the applicability to these
functional registrations, then the appropriate SDT can modify the applicability of this standard.
Duke Energy
No
Section 4 is fine, but on Attachment 1, Entity with Reporting Responsibility should just identify “Initiating entity”
for every Event, as was done with the first three Events. That way you avoid errors in leaving an entity off, or
including an entity incorrectly (as was done with the GOP on Voltage Deviations).
Response: Thank you for your comment. The SDT considered your comment in the development of Attachment 1 and decided against including the Initiating Entity
designation as it was not appropriate in those cases. Based upon comments received, the SDT has modified Attachment 1 accordingly.
Constellation Power Generation
No
As stated in comments to earlier versions of EOP-004-2, CPG disagrees with the inclusion of Generator
Owners. Since one of the goals in revising this standard is to streamline impact event reporting obligations,
Generator Operators are the appropriate entity to manage event reporting as the entity most aware of events
should they arise. At times, the information required to complete a report may warrant input from entities
connected to generation, but the generator operator remains the best entity to fulfill the reporting obligation.
Response: Thank you for your comment. The SDT has chosen not to distinguish between Registered Entities as far as reporting. Instead the SDT has included
Registered Entities which are involved or potentially involved in the types of events. Registered Entities need to recognize that only entities that are affected by
the event have the reporting obligation.
Georgia System Operations
Corporation
No
We do not agree that this standard assigns clear responsibility for reporting. It seems that multiple entities are
being required to report the same event for some events. Only one entity should report. See comments later
regarding Attachment 1. NERC should not decide which ONE entity should report. The entities should be
allowed to decide this (and include it in the Impact Event Operating Plan) and to let NERC or the region know
who will report (or give them a copy of the plan).
Response: Thank you for your comment. The SDT has chosen not to distinguish between Registered Entities as far as reporting. Instead the SDT has included
Registered Entities which are involved or potentially involved in the types of events. Registered Entities need to recognize that only entities that are affected by
the event have the reporting obligation.
Indeck Energy Services
No
Voltage Deviations should not be reportable by GOP. That's why we have TOP's.
Damage or destruction of BES equipment should be reportable only if it causes or could cause a Reportable
Disturbance, reportable DOE OE-417 event or sabotage (as defined above). Otherwise, an auditor could
require reporting of a relay failure caused by human error even though the relay was in test mode and no BES
impact was experienced. This category could be dropped in favor of the next one, damage to Critical Asset.
Fuel Supply Emergency needs a definition. For natural gas, various conditions could be referred to as
emergencies, but unless they actually affect generation, they should not need to be reported. Fuel Supply
Emergencies that cause a Reportable Disturbance or reportable DOE OE-417 event should be reported.
It is unclear why Forced Intrusion should be reportable under EOP-004. If it causes a problem, it will be
reportable as another category and is one more unpreventable event. Forced Intrusion isn't, in many cases,
as the exceptions try to define, an impact event at all, but could be a cause, which would be reported as the
cause of an impact event.
Risk to BES Equipment is not well defined. It should be expanded to Risk to BES Equipment from a non-environmental physical threat within a reasonable distance of the Equipment. A train derailment on the line
past the plant would likely be known, whereas one that was 1/2 mile or more away with flammable materials
might not be known about unless a public warning was made.
Response: The DSR SDT thanks you for your comment. Voltage Deviation reporting no longer applies to the GOP. There is a footnote on Damage or
Destruction to BES equipment that addresses your comment. It states:
1 BES equipment that: i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency actions); iii)
Damaged or destroyed due to intentional or unintentional human action which removes the BES equipment from service. Do not report copper theft from BES equipment unless
it degrades the ability of equipment to operate correctly (e.g., removal of grounding straps rendering protective relaying inoperative).
Fuel Supply Emergency has been removed from Attachment 1. Forced Intrusion is an event that could be related to sabotage. Identification and reporting of such
events may help identify trends. The footnote associated with Risk to BES Equipment addresses your comment:
Examples include a train derailment adjacent to BES equipment that either could have damaged the equipment directly or has the potential to damage the equipment (e.g. flammable
or toxic cargo that could pose fire hazard or could cause evacuation of a BES facility control center) and report of suspicious device near BES equipment.
Brazos Electric Power
Cooperative
No
Inclusion of LSE and DP is questionable.
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. The LSE and DP are applicable entities under CIP-002 and CIP-008. If an event occurs, only affected Registered Entities listed in
Attachment 1 are required to submit a report on the event. Having reports from the different entities may provide valuable information on understanding the
event. The SDT would like to point out that reporting of events is from the time of identification not the time of the event.
Manitoba Hydro
Yes
All registered entities are included. This means all field and office personnel involved will create a 360 degree
view of the BES, and fulfill “Situational awareness of the industry.” In Attachment 1, the “Entity with Reporting
Responsibility” entities vary. It might be clearer to leave all impact levels “Entity with Reporting Responsibility”
as the RC, BA and TOP, as these are likely the only parties that will report as required. All other entities must
report to the RC, BA and TOP.
Response: Thank you for your comment. The SDT had previously considered a hierarchal approach to report; however, this concept was rejected by the
industry.
American Electric Power
Yes
AEP agrees, but it further supports the notion that this standard should not apply to the IA, TSP, and LSE
functions.
Response: The DSR SDT thanks you for your comment. The SDT constructed Attachment based upon the existing requirements in the various reliability
standards and established reporting obligations. The LSE, TSP and IC are applicable entities under CIP-002 and CIP-008. The information about an event will be
useful to all owners, operators, and users of the bulk power system.
Southern Company
Yes
This will cause the duplication of reporting for some events.
Reference EOP-004 Attachment 1: Impact Events Table; Event - Loss of Firm Load for ≥ 15 minutes (page 15
of standard)
This requires the RC, BA, TOP, and DP to report. So if a storm front goes through our system and takes out
400MW of load in Alabama and Georgia the PCC would have to report as the RC, BA, and TOP. Alabama
Power and Georgia Power would also have to report as DPs. The way it is now the PCC reports for any of
these events.
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. If an event occurs, only affected Registered Entities listed in Attachment 1 are required to submit a report on the event. Having reports
from the different entities for the same event may provide a more complete understanding of the event.
Pepco Holdings Inc and Affiliates
Yes
More guidance is needed for which entity in Attachment 1 actually files the report to avoid duplicate filing.
Response: The DSR SDT thanks you for your comment. The SDT believes that it has properly identified registered entities that may potentially have events and
the appropriate types of events. A Registered Entity is only required to submit an events report for events listed in Attachment 1 if the registered entity was
affected by the event. If an event occurs, only affected Registered Entities listed in Attachment 1 are required to submit a report on the event. Having reports
from different entities for the same event may provide a more complete understanding of the event.
Midwest ISO Standards
Collaborators
Yes
Bonneville Power Administration
Yes
Midwest Reliability Organization
Yes
Western Electricity Coordinating
Council
Yes
PPL Supply
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
No comments.
ExxonMobil Research and
Engineering
Yes
PPL Electric Utilities
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
Progress Energy
Yes
Response: The DSR SDT thanks you for your comment. Several commenters provided suggestions that led to modifications of Attachment 1.
5. Stakeholders suggested removing original Requirements 1, 7 and 8 from the standard and addressing the
reliability concepts in the NERC Rules of Procedure. Do you agree with the removal of original requirements 1,
7 and 8 (which were assigned to the ERO) and the proposed language for the Rules of Procedure (Paragraph
812)? If not, please explain why not and if possible, provide an alternative that would be acceptable to you.
Summary Consideration: Most commenters agreed with the removal of R1, R7 and R8. The SDT has provided suggested
language to NERC for inclusion into the Rules of Procedure.
Organization
Yes or No
Question 5 Comment
Midwest ISO Standards
Collaborators
No
We see no issue with imposing requirements on NERC. However, we are not opposed to making these
changes in the Rules of Procedure either.
Response: Thank you for your comments. We are pursuing changes to the Rules of Procedure.
SERC OC Standards Review
Group
No
We agree that the ERO should not have requirements applicable to them, but disagree with changing or
revising the Rules of Procedure (ROP) giving this reporting responsibility solely to NERC. This responsibility
may be performed by NERC but other learning organizations should also be considered for performing this
responsibility. In addition, the proposed wording of the revision to the ROP appears to place the responsibility
of notifying the appropriate law enforcement with NERC rather than with the local responsible entity.
Response: Thank you for your comments. The responsibility for notifying law enforcement remains with the entity and has been clarified in Attachment 1.
PJM Interconnection LLC
No
We agree that the standard should not have requirements applicable to the ERO, but disagree with revising
the NERC Rules of Procedure (RoP) to include suggested Section 812. The reporting responsibility should
not be solely given to NERC. Other learning organizations must also be considered for performing this
responsibility. Additionally, the proposed wording of Section 812 appears to imply that NERC will notify the
appropriate law enforcement agencies as opposed to the local responsible entity.
Response: Thank you for your comments. The responsibility for notifying law enforcement remains with the entity and has been clarified in Attachment 1.
SDG&E
No
SDG&E agrees with removing original Requirements 1, 7, 8 from the standard. In addition, SDG&E
recommends that the standard reference Section 812 of the Rules of Procedure.
Response: Thank you for your comments.
Duke Energy
No
Proposed language for Section 812 is very confusing. Is the NERC “system” really going to perform all
notifications: “applicable regional entities, other designated registered entities, and to appropriate
governmental, law enforcement, and regulatory agencies as necessary?” Is it intended that the NERC
“system” will relieve registered entities of the obligation to make these other reports? Is there an
implementation plan to achieve that objective? It appears that this current version of EOP-004-2 has the
potential for significantly creating redundant reporting. Will the NERC reports be protected from FOIA
disclosure? How will FERC Order 630 be followed (CEII disclosure)?
Response: Thank you for your comments. The SDT expects any system would facilitate the reporting to organizations specified in the submitted report. Until
such time that the system can be established, the Registered Entity will be obligated to make the notifications as specified in its Operating Plan(s). The SDT has
proposed an amendment to the NERC Rules of Procedure to assist in the development of a single reporting process for all three obligations.
ExxonMobil Research and
Engineering
No
Brazos Electric Power
Cooperative
No
Ingleside Cogeneration LP
Yes
Abstain from commenting on this question.
Ingleside Cogeneration agrees that the NERC Rules of Procedure are the appropriate location for ERO
assigned activities. However, we would like to get a solid commitment from NERC that the Events Analysis
Process and the Reliability Assessment and Performance Analysis Group (RAPA) data analysis requirements
for Protection System Misoperations is coordinated through a single process. Their unique data needs are
understandable, but should not require the downstream entity to evaluate what is required by each subcommittee - and which reporting template to use.
Response: Thank you for your comments. Your comment addresses a concern that is beyond the scope of this project and cannot be addressed here. The SDT
has communicated with the NERC Events Analysis Working Group and DOE in efforts to develop a single reporting process. The SDT will continue to work with
those organizations to complete this task.
Northeast Power Coordinating
Council
Yes
Agree with the proposed removal, but have not assessed the proposed language for RoP para. 812 because
unable to access it (not on the RoP page).
Response: Thank you for your comments.
Bonneville Power Administration
Yes
Ensure distribution of trends.
Response: Thank you for your comments.
Midwest Reliability Organization
Yes
The ERO is not a user, owner or operator of the BES and the best place to contain their responsibilities, is in
the Rules of Procedure.
Response: Thank you for your comments.
Pepco Holdings Inc and Affiliates
Yes
Agree that NERC should not have requirements applicable to them.
Response: Thank you for your comments.
American Municipal Power
Yes
A software solution may provide an easy expansion for reporting EOP-004, CIP-001, and additional
standards.
Response: Thank you for your comments.
Manitoba Hydro
Yes
Agree with R1, a central system for receiving and distributing reports. There is limited time and resources for
control operators to follow up and ensure ALL required entities have received all information required in a
timely manner. Agree with R7 and R8.
Response: Thank you for your comments.
Sweeny Cogeneration LP
Yes
We agree that these requirements appropriately belong in the NERC Rules of Procedure. However, we are
concerned with the multiple reporting requirements being driven by EOP-004-2, CIP-008-3, the ERO Events
Analysis Team, the Reliability Assessment and Performance Analysis Group (RAPA). It is imperative that
these efforts be consolidated into a single procedure using a single reporting template.
Response: Thank you for your comments. The DSR SDT agrees with the concept of the single reporting template and is working with other agencies to see if the
single form would be achievable.
Western Electricity Coordinating
Council
Yes
PPL Supply
Yes
Pacific Northwest Small Public
Power Utility Comment Group
Yes
PSEG Companies
Yes
Dominion
Yes
SPP Standards Review Group
Yes
FirstEnergy
Yes
Southern Company
Yes
SRP
Yes
We Energies
Yes
Compliance & Responsibility
Organization
Yes
Exelon
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
American Electric Power
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System
Operator
Yes
ISO New England, Inc
Yes
Platte River Power Authority
Yes
Calpine Corp
Yes
BGE
Yes
Alliant Energy
Yes
CenterPoint Energy
Yes
PPL Electric Utilities
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
American Transmission
Company
Yes
No comments.
Constellation Power Generation
Yes
Georgia System Operations
Corporation
Yes
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
Indeck Energy Services
Yes
Progress Energy
Yes
None.
6. Do you agree with the proposed revisions to Requirement 2 (now R1) including the use of defined terms
Operating Plan, Operating Process and Operating Procedure? If not, please explain why not and if possible,
provide an alternative that would be acceptable to you.
Summary Consideration: Stakeholders were fairly evenly divided on this question. Overall, there appears to be a
misconception on what is and isn’t included in the Operating Plan(s). The SDT believes that current Sabotage Reporting
substantially meets the requirements outlined in the standard, albeit there may be some needed alterations to accommodate
the new standard. The updated subrequirement is a result of a FERC directive in Order No. 693. The DSR SDT removed
references to Operating Process and Operating Procedure and revised the Requirement to:
R1. Each Responsible Entity shall have an Operating Plan that includes: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for identifying events listed in Attachment 1.
1.2. A process for gathering information for Attachment 2 regarding events listed in Attachment 1.
1.3. A process for communicating events listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator and the following as appropriate:
• Internal company personnel
• The Responsible Entity’s Regional Entity
• Law enforcement
• Governmental or provincial agencies
1.4. Provision(s) for updating the Operating Plan within 90 calendar days of any change in assets, personnel, other circumstances that may no longer align with the Operating Plan; or incorporating lessons learned pursuant to R3.
1.5. A Process for ensuring the responsible entity reviews the Operating Plan at least annually (once each calendar year) with no more than 15 months between reviews.
Organization
Yes or No
Question 6 Comment
Georgia Transmission Corporation & Oglethorpe Power Corporation
No
The terms "Operating Procedure, Operating Plan, and Operating Process," while included in the NERC
glossary, are not consistently used throughout the body of NERC standards as they are used in R1 of EOP-004-2.
As such, we do not see a reliability benefit in using the defined terms over the more commonly used
terms of simply "plans, processes, and procedures." In part 1.1 of R1, we think that the requirement should
clearly indicate that a particular Responsible Entity's Impact Event Plan should only be required to include
those particular Impact Events for which the Responsible Entity has the reporting obligation. Therefore, we
suggest the following modification to R1:
"1.1 An Operating Process for identifying Impact Events listed in Attachment 1 for those Impact Events where
the Responsible Entity is identified as having the reporting responsibility."
Additionally, in part 1.3 of R1, we believe the language to be vague and will introduce the need for further
clarification either through an interpretation or the CAN process in part because the verb tenses of the sub-sub-requirements do not agree and it appears to require notification to all listed parties for every Impact Event
instead of only those that make sense for a particular event.
As such, we suggest adding a column to the tables in Attachment 1 that identifies precisely which
organizations should be notified in the case of a particular Impact Event and modifying part 1.3.2 to read:
"1.3.2 External organizations to notify as specified in Attachment 1."
Currently, as written, the standard could be interpreted to require notification to law enforcement for an IROL
violation, for instance. Furthermore, we are concerned that as written, the standard may require that the same
event must be reported by multiple responsible entities. Our current process uses notification between
Responsible Entities (i.e. from a TO to a TOP and then from the TOP to NERC) to allow for a centralized and
coordinated notification to law enforcement, NERC, etc. We are concerned that the requirement as written
does not appear to allow this flexibility and may require both the TO and TOP to report the same event in
order to prove compliance with the Standard.
Response: Thank you for your comments. The SDT believes that in order for a term to become consistent with the body of the reliability standards, each SDT
will have to incorporate the terms as the opportunity to revise each standard arises. The SDT envisions that each Registered Entity will develop Operating Plan(s)
appropriate to meet its obligations as outlined in the standard. Part 1.3 has been revised to indicate that each report must be sent to the ERO and the Registered
Entity’s Reliability Coordinator and the remaining entities as appropriate. Law Enforcement would certainly not be interested in an IROL violation, but they would
be interested in Forced Intrusion.
Bonneville Power Administration
No
Not sure that a 90-day update is needed to be sent to CEF.
Response: Thank you for your comments. That is not required in the standard. The SDT believes that it is unnecessary to forward any update to any
organization outside of the Registered Entity. Updates should be used to inform internal personnel of any Operating Plan changes.
Pacific Northwest Small Public Power Utility Comment Group
No
1.4 makes no sense. The operating plan update and the change to its content occur simultaneously. Perhaps
the SDT meant to say “Provision(s) for updating the Impact Event Operating Plan within 90 days of
identification of a needed change to its content.” This would be consistent with the “lessons learned” language
of the prior version.
Response: Thank you for your comment. The DSR SDT added additional detail to Part 1.4 to address the broader term “content.”
PSEG Companies
No
The PSEG Companies believe that sections 1.3 and 1.3.2 will require notification of law enforcement
agencies for all Impact Events defined in Attachment 1. This is appropriate for some events if there has been
destruction to BES equipment, for example, but not in certain operational events. It should not be necessary
to notify law enforcement that a non-sabotage event like an IROL violation, generation loss or voltage
deviation has occurred.
Response: Thank you for your comments. The DSR SDT feels that the Registered Entity will establish Operating Plan(s) appropriate for its needs including the
specification of how and when law enforcement agencies are contacted. Part 1.3 has been revised to indicate that each report must be sent to the ERO and the
Registered Entity’s Reliability Coordinator and the remaining entities as appropriate. Law Enforcement would certainly not be interested in an IROL violation, but
they would be interested in Forced Intrusion. Attachment 1 language has been updated to say “The parties identified…” which should be included in the entity’s
Operating Plan(s).
Dominion
No
The requirement for Responsible Entities to establish an Impact Event Operating Plan, Operating Process,
and Operating Procedure seems overly cumbersome and prescriptive. The use of these NERC defined terms
creates additional compliance burden for little, if any, improvement to reliability. Suggest simplification by
requiring the Responsible Entities to have a procedure to report Impact Events, to the appropriate parties,
pursuant to EOP-004.
In addition, we request clarification of R1.4. It seems circular to us in that it requires the plan to be updated
within 90 days of when it changes. Is the intent that any necessary changes identified in the annual review
required by R4 be incorporated in a revision to the plan within 90 days of the review? If so, R1.4 belongs
under R4. If not, we do not understand the requirement.
What starts the 90 day count down?
Response: Thank you for your comment. The language in Requirement R1, Part 1.4 was inserted in response to a directive in FERC Order 693. The SDT feels
that the directive requires Registered Entities to update their Operating Plan(s) within 90 days of the time the entity identified the need for the change, such as a
new telephone number, personnel staff name/title, or addition/deletion of person or organization. The DSR SDT has made changes to better clarify “content.”
Pepco Holdings Inc and Affiliates
No
An Operating Plan, Operating Process or Operating Procedure implies something different than an after the
fact reporting activity.
Response: Thank you for your comment. An Operating Plan is more than an after the fact reporting activity. The Operating Plan(s) incorporates the tasks or
steps involved in the identification of events, establishing which internal personnel are to be involved in the communications and/or reporting, and establishing the
list of outside organizations to be contacted when an event happens.
SPP Standards Review Group
No
We would suggest rewording Part 1.3.2 to read “External organizations to notify may include but are not
limited to the Responsible Entity’s Reliability Coordinator, NERC, Responsible Entity’s Regional Entity, Law
Enforcement and Governmental or Provincial Agencies.”
We would also suggest the following for Part 1.4: “Provision(s) for updating the Impact Event Operating Plan
within 90 days of any known changes to its content.”
Would also suggest adding “as requested” at the end of M1.
Response: Thank you for your comments. (1) Requirement R1, Part 1.3 has been updated to “as appropriate” to address the parties to communicate event to.
(2) The SDT agrees with your suggestions and has made similar word changes. (3) Agreed.
Midwest ISO Standards
Collaborators
No
We do not believe that the use of the Operating Process, Operating Procedure, and Operating Plan for a
reporting requirement is consistent with their definitions and certainly not with the intent of the definitions. For
instance, an Operating Process is intended to meet an operating goal. What operating goal does this
requirement meet?
An Operating Procedure includes tasks that must be completed by “specific operating positions.” This
reporting requirement could be met by back office personnel. We also believe that parts 1.3 and 1.3.2 under
Requirement 1 will require notification of law enforcement agencies for all Impact Events defined in
Attachment 1. While some should require notification to law enforcement such as when firm load is shed,
others certainly would not. For instance, law enforcement does not need to know that an IROL violation,
generation loss or voltage deviation occurred.
Response: Thank you for your comments. The Glossary Definition of Operating Plan is:
A document that identifies a group of activities that may be used to achieve some goal. An Operating Plan may contain Operating Procedures and
Operating Processes. A company-specific system restoration plan that includes an Operating Procedure for black-starting units, Operating Processes for
communicating restoration progress with other entities, etc., is an example of an Operating Plan.
The definition uses “goal” rather than “operating goal”. The goal of the Operating Plan is to ensure that entities know how to identify the events listed in
Attachment 1 and report them to the appropriate parties. The SDT disagrees with your views on Operating Process, Operating Procedure, and Operating Plan.
The SDT appropriately describes the task at hand. The SDT feels that the Operating Plan can identify when law enforcement agencies need to be notified without
specification from the SDT. The Background section of the standard contains a heading for “Law Enforcement” and provides clarification regarding the types of
events that should be reported to law enforcement.
FirstEnergy
No
1. We believe that the use of stringent definitions for an entity’s process requires too much of the “how”
instead of the “what.” As long as the entity has a process, procedure (or whatever they want to call it) that
includes the necessary information detailed in sub-parts 1.1 through 1.4 then that should suffice.
2. In sub-part 1.3, we suggest adding the phrase “as applicable” to clarify that not every event will require a
notification to, for example, law enforcement.
3. In sub-part 1.4, we suggest adding clarification that the 90-day framework is only required for substantive
changes and that all other minor editorial changes can be updated within a year.
Response: Thank you for your comments. (1) The SDT agrees with your suggestion that the entity can best determine what is included in its Operating Plan.
The SDT does not envision instructing an entity on what or how of the Operating Plan(s). (2) The SDT feels that the Operating Plan can identify when law
enforcement agencies need to be notified without specification from the SDT. (3) The update requirement comes from a FERC directive in Order No. 693. The
SDT has validated the intent of the directive and has included that intent in the requirement. The SDT feels that the directive requires Registered Entities to
update their Operating Plan(s) within 90 days of the time the entity identified the need for the change, such as a new telephone number, personnel staff
name/title, or addition/deletion of person or organization. The DSR SDT has made changes to better clarify “content.”
SERC OC Standards Review
Group
No
This is a reporting requirement and should not be confused with Operating Plans that have specific operating
actions and goals. Each entity should prepare its own event reporting guideline that addresses impact events,
identification, information gathering, and communication without specifying a specific format such as
Operating Plans, Operating Process and Operating Procedures.
Response: Thank you for your comment. The SDT agrees with your viewpoint and believes that your statement is consistent with the intent of the requirement.
PJM Interconnection LLC
No
1. This is an “after-the-fact” reporting requirement and should not be confused with Operating Plans that have
specific operating actions and goals. Each entity should prepare its own impact event operating guideline that
addresses impact events, identification of impact events, information gathering, and communication without
specifying a specific format such as Operating Plans, Operating Process, and Operating Procedures. In fact,
all three documents mentioned can all be a single document.
2. 1.3.2 requires notification of law enforcement agencies for all events listed in Attachment 1. This is
essentially not true. For example, firm load is shed requires notification to law enforcement but an IROL
violation, generation loss, or voltage deviation do not.
Response: Thank you for your comment. (1) The SDT disagrees with your viewpoint that this requirement specifies after-the-fact reporting. The reporting
requirement is later in the standard. The SDT agrees with your viewpoint on the operating guideline you provide and believes that your statement is consistent
with the intent of the requirement. (2) The SDT believes that the Registered Entity’s Operating Plan(s) can establish when and how law enforcement agencies
are notified.
We Energies
No
R1.2: By its NERC Glossary definition, an Operating Procedure is too prescriptive for data collection. An
Operating Procedure requires specific steps to be taken by specific people in a specific order. We would
have to predict every event that could happen to have every step in proper order to collect the data. It will be
impossible to comply with this requirement.
R1.3: Change “Impact Event” to “Impact Event listed in Attachment 1.”
Response: Thank you for your comment. The SDT has changed R1 to simply “Operating Plan.” The term “Impact Event” has been removed from the standard
and R1 and its Parts refer to Attachment 1 as appropriate.
Compliance & Responsibility
Organization
No
See comments to 2. Also, although NextEra agrees that a documented procedure is appropriate, NextEra
does not favor the current approach of pre-defined layers of processes and documentation that seem to
overly complicate, and, possibly contradict, already established internal methods by which a company
implements policies, procedures and processes. Thus, NextEra’s options suggest using a more generic
approach that allows entities more flexibility to establish documents and processes, and demonstrate
compliance. Such a generic approach was used in NextEra’s proposed options set forth in response to
number 2.
Response: Thank you for your comments. The SDT believes that most entities already have plans to mostly satisfy the requirements of EOP-004. These would
be the procedures that are required under existing CIP-001, R1 and R2.
Exelon
No
R.1 Does an entity need to develop a standalone Operating Plan if there is an existing process to address
identification, assessing and reporting certain events?
Suggest rewording to state "Each Responsible Entity shall have an Impact Event Operating Plan or equivalent
implementing process that includes:"
Disagree these new terms are required. Commonly accepted descriptions of programs, processes and
procedures exist in registrar entities that would suffice. For example, R1 could use “Impact Event evaluation
and reporting process” as a generic term to describe what is required. This would allow an entity to utilize any
existing protocols or management guidelines and naming conventions in effect in their organization.
Response: Thank you for your comments. The SDT believes that most entities already have plans to mostly satisfy the requirements of EOP-004.
These would be the procedures that are required under existing CIP-001, R1 and R2. The Registered Entity will need to examine its current processes to ensure
that all aspects of the new requirements are addressed. Thank you for the suggested re-wording. The SDT revised “Impact Event Operating Plan” to just
“Operating Plan”, thus allowing the entity to implement the requirements as needed.
Tenaska
No
We already have adequate procedures in place to address sabotage and other significant events, pursuant to
the existing CIP-001-1 and EOP-004-1 Standards. The requirement to develop a new Impact Event
Operating Plan would increase the administrative burden on Registered Entities to comply with the proposed
Standard, without providing a foreseeable improvement in system reliability.
The “laundry list” of required Impact Event Operating Plan components is too specific and would make it more
difficult to prove compliance with EOP-004-2 during an audit.
A revised version of the proposed R5 is the only Requirement that is necessary to achieve the stated purpose
of Project 2009-01.
Response: Thank you for your comments. The SDT believes that most entities already have plans to mostly satisfy the requirements of EOP-004.
These would be the procedures that are required under existing CIP-001, R1 and R2 and these should mostly meet the intent of EOP-004. The Registered Entity
will need to examine its current processes to ensure that all aspects of the new requirements are addressed. The Parts of R1 are not prescriptive and only provide
the minimum information that is required to be in the Operating Plan. The SDT has removed R2 and revised R5 (now R2) to eliminate any duplication.
United Illuminating Co
No
Does R1.1 require an Operating Process for each Impact Event in attachment 1 or an Operating Process that
in general applies to all Impact Events?
Response: Thank you for your question. The SDT feels that the Registered Entity can have an Operating Plan that in general applies to all events.
American Municipal Power
No
No, remove R1. R1 is not an acceptable requirement nor should this be an operation. Focusing on a plan
and procedure is overly prescriptive and costly. The only requirement should be to have an entity submit a
report. Let the entity decide how they want to implement the reporting.
Response: Thank you for your comment. The SDT agrees that the Registered Entity can decide on how to implement the reporting; however, this
requirement mandates that the Registered Entity document its process.
Arkansas Electric Cooperative Corporation
No
We appreciate the effort the team has taken in improving the requirements since the last posting. For 1.3, it
appears to suggest the communication must always include communicating to internal personnel and ALL
external organizations. We suggest removing the reference to 1.3.1 and 1.3.2 and move 1.3.1 and 1.3.2 to
1.4 and 1.5 respectively. For 1.3.2, modify to state "Internal company personnel notification(s) deemed
necessary by the Responsible Entity.” For 1.4, we feel the term "content" is too broad as used here. For
example, if the FBI changes the contact info for the JTTF, the Responsible Entity may not find out until an
incident or annual exercise. Or if the contact person for the state agency changes position without notifying
us, it would require us to then change the plan within 90 days. We suggest an annual review of the plan is
sufficient for the objective of this requirement.
Response: Thank you for your comments. The SDT has added language “as appropriate” to allow the entity to make its own determination who to contact. The
term “content” has been removed and replaced with more detail. The requirement for updates requires changes within 90-days. The SDT believes that the
timeline for updating can only be based upon the notification to the Registered Entity. The SDT believes that 90-days from the date the Registered Entity is
notified or made aware of the change is a suitable time period to update the document.
Manitoba Hydro
No
Plan, Process and Procedure are all too interchangeable with each other and have no value being used in
“one paragraph” as they do not differentiate from one or other.
The terms “identify”, “gather” and “communicate” better describe “Process, plan or procedure” so simplify to:
1.4. Identification of Impact Events as listed in Attachment 1.
1.5. Gathering information for inclusion into Attachment 2 regarding observed Impact Events listed in Attachment 1.
1.6. Communicate recognized Impact Events to the following:
Response: Thank you for your comments. The SDT has revised R1 to only include an Operating Plan. Part 1.2 has been revised to “A process for gathering
information…”
American Electric Power
No
Even best developed plans, processes and procedures do not always lend themselves to address the issues
at hand. There needs to be flexibility to allow entities to first address the reliability concern and second report
correspondingly. Currently, this requirement is overly prescriptive and places unnecessary emphasis on the
means to an end and not the outcome. The outcome for this requirement is to report Impact Events.
Response: Thank you for your comments. While the SDT appreciates your views, it disagrees with your assessment. The outcome of this requirement is not to
report events; the outcome is to ensure that the Registered Entity has Operating Plan(s) for the identification of events, establishing which internal personnel are
involved, identification of outside agencies to be notified, and having a provision for updating the plan(s). Reporting of events is a requirement later in the
standard.
Consumers Energy
No
Requirement R1, “Have a plan…” with all of the listed criteria, seems to present a serious compliance risk to
applicable entities without a direct reliability benefit, as long as entities still identify and report relevant
events. Ad-hoc procedures, as discussed within the R1 “Rationale” have been acknowledged within the
rationale to be working effectively, and should remain sufficient without having a documented and by
inference, signed, approved, dated document with revision history (as is being demanded today by
compliance auditors wherever a “documented plan” is specified within the requirements).
Response: Thank you for your comments. While the SDT appreciates your views, it disagrees with your assessment. The SDT believes that most entities already
have plans to mostly satisfy the requirements of EOP-004. These would be the procedures that are required under existing CIP-001, R1 and R2. The measure
calls for a current, dated, in force Operating Plan to be provided.
ISO New England, Inc
No
We do not believe that the use of the Operating Process, Operating Procedure, and Operating Plan for a
reporting requirement is consistent with their definitions nor with the intent of the definitions. For instance, an
Operating Process is intended to meet an operating goal. What operating goal does this requirement meet?
An Operating Procedure includes tasks that must be completed by “specific operating positions.” This
reporting requirement could be met by back office personnel. We suggest that R1.3.2 delete the list of
entities to notify. The terms used to identify who to notify are not defined terms and can lead to subjective
interpretations. As written, the requirement does not aid the Applicable entity or the Compliance enforcers in
clearly including or excluding who to notify.
We also believe that parts 1.3 and 1.3.2 under Requirement 1 will require notification of law enforcement
agencies for all Impact Events defined in Attachment 1. While some should require notification to law
enforcement such as when there has been destruction to BES equipment, others certainly would not. For
instance, law enforcement does not need to know that an IROL violation, generation loss or voltage deviation
occurred.
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is not
reasonable as an entity may still be dealing with the event. This will be particularly difficult when support personnel
are not present such as during nights, holidays and weekends.
We further suggest that an explicit statement that “reliable operations must ALWAYS take precedence to
reporting times” be included in the standard.
Response: Thank you for your comments. While the SDT appreciates your views, it disagrees with your assessment.
(P1) The outcome of this requirement is not to report events; the outcome is to ensure that the Registered Entity has Operating Plan(s) for the identification of
events, establishing which internal personnel are involved, identification of outside agencies to be notified, and having a provision for updating the plan(s). The
SDT feels that current Sabotage Reporting guides already provide much of the information needed in the new R1.
(P2) We have revised Requirement R1, Part 1.3 to “A process for communicating events listed in Attachment 1 to the Electric Reliability Organization, the
Responsible Entity’s Reliability Coordinator and the following as appropriate:” This should address your concern regarding law enforcement notification.
(P3) We have revised most reporting times to 24 hours. Events of a “sabotage” type nature remain at one hour.
(P4) While the DSR SDT sees the point you are trying to make, we do not believe that reporting the events in Attachment 1, under the times listed, is
burdensome. At the least, this can be accomplished by back office personnel who are not involved in restoration or other reliability efforts.
Calpine Corp
No
In the “Rationale for R1”, the draft states:
“Every industry participant that owns or operates elements or devices on the grid has formal or informal
process, procedure, or steps it takes to gather information regarding what happened and why it happened
when Impact Events occur. This requirement has the Registered Entity establish documentation on how that
procedure, process, or plan is organized.”
Absent substantial evidence that the proposed requirement addresses an actual systemic problem with the
“formal or informal process, procedure, or steps it takes” for internal and external evaluation and notification of
items listed in Attachment 1, there is no obvious need for this additional paperwork burden, which in most
cases will result in a written procedure that documents another existing written procedure or procedures, that
will be maintained for the sole purpose of demonstrating compliance with the requirement. Failure to properly
report events is currently sanctionable under CIP-001-1 and EOP-004-1 and will continue to be sanctionable
under proposed EOP-004-2. Adding a requirement to implement an “Impact Event Operating Plan”,
“Operating Procedure”, and “Operating Process” is unnecessary.
However, if the requirement is maintained, the related Measure M1 should state in plain language exactly
what elements are required for compliance. Statements such as “The Impact Event Operating Plan may
include, but not be limited to, the following?” begs the question regarding what other elements are required to
demonstrate compliance. As written, M1 requires that entities provide an “Impact Event Operating Plan”, but
does specify the required elements of the plan.
In the absence of much more detailed instruction on exactly what elements must be included in the various
documents, the proposed requirement will create confusion with both compliance and enforcement of the
requirement. An example of each of the various required documents would be helpful. Any difficulty in
developing such an example would be instructive of the probable compliance issues that would ensue from
the necessarily varying approaches taken by disparate entities attempting to meet the requirement.
Response: The DSR SDT thanks you for your comment. Requirement R1 comes from existing CIP-001, R1. The SDT believes it has addressed these concerns
by removing the terms “Operating Procedure” and “Operating Process” and has generically referred to them in the elements of the Operating Plan outlined in
Parts 1.1-1.5 of the requirement.
BGE
No
This seems overly restrictive in its use. Requirement is now telling entities how to resolve situations, not
giving them a requirement to resolve the situation.
Response: Thank you for your comments. The requirement is written so that an entity has an Operating Plan that contains certain items. The SDT does not
specify in the standard how the entity meets these obligations nor does it specify the form nor format of these items.
ExxonMobil Research and Engineering
No
The requirement to notify State Law Enforcement deviates from existing government security requirements
that Petrochemical Facilities (Cogenerators) are required to follow. Per the Maritime Transportation Security
Act of 2002 (MTSA) and the Chemical Facility Anti-Terrorism Standard (CFATS), Petrochemical Facilities are
required to report the security incidents identified in EOP-004 Revision 2 to the National Response Center
which is staffed by the United States Coast Guard. The National Response Center coordinates incident
reporting to both the Department of Homeland Security and Federal Bureau of Investigation. Requiring
Petrochemical Facilities to report security incidences to State Law Enforcement agencies duplicates their
reporting of incidences to the appropriate law enforcement agencies. EOP-004 Revision 2 should be
modified to synergize with existing federal security regulations so that those facilities that are required to
comply with the MTSA and CFATS are, by default, compliant with EOP-004 Revision 2 when they comply
with these existing federal security regulations.
It is unclear, from the documentation provided in this revision of EOP-004, which entities a Responsible Entity
is required to notify when certain types of Impact Events occur. Previously, CIP-001 included a similarly
vague instruction that required notifications to the 'appropriate parties in the interconnection' and the
FBI/RCMP. The Standard Drafting Team should identify which NERC Functional Entities should be notified
when each of the Impact Events identified in Attachment 1 occurs.
Current revisions of CIP-001 Revision 1 or EOP-004 Revision 1 do not include corresponding requirements to
update procedures within a certain time frame. It's difficult to foresee a situation where an Entity would initiate
a change to its response plan without being required to update the formal response plan documentation per
their management of change process. Additionally, failure to update the procedure would result in the entity
deviating from the procedure any time an impact event occurred, which would automatically force a violation
of EOP-004-2 R2 for failure to properly implement their Operating Process. Furthermore, the only changes
occurring between review cycles should be revisions to the contact information for third parties. It is beyond
an entity's power to require third parties to notify the entity when the third party changes their contact
information, and, as such, this requirement burdens registered facilities with responsibility for compliance for
items that are beyond their realm of control.
Response: Thank you for your comments. (P1) The SDT believes that the requirement does not mandate contact to State Law Enforcement agencies; but
merely to include them if appropriate. While we have tried to coordinate with the US DOE, Federal security regulations are outside the scope of this project. (P2)
We have revised Requirement R1, Part 1.3 to “A process for communicating events listed in Attachment 1 to the Electric Reliability Organization, the Responsible
Entity’s Reliability Coordinator and the following as appropriate:” Each type of event should be assessed by the entity to determine whether or not law
enforcement needs to be notified.
(P3) The subrequirement for updating comes from a FERC directive in Order No. 693. If the Registered Entity’s Operating Plan(s) have a provision for updating,
then the entity only needs to verify that the updating does not exceed 90 days from the date of being aware.
Farmington Electric Utility System
No
Consider rewording 1.4; the wording implies a change to content already occurred, so it would be updated
concurrently? Consider updating the plan within 90 days of discovery of content requiring a change?
Response: Thank you for your comment. The SDT agrees with your suggestion and has revised Requirement R1, Part 1.4 to: Provision(s) for updating the
Operating Plan within 90 calendar days of any change in assets, personnel, other circumstances that may no longer align with the Operating Plan; or
incorporating lessons learned pursuant to R3.
Constellation Power Generation
No
Per NERC’s glossary of terms, an Operating Plan can include Operating Process documents and Operating
Procedures. An Operating Process identifies general tasks while an Operating Procedure identifies specific
tasks.
CPG is unclear as to why R1.1 and R1.3 require the use of an Operating Process while R1.2 requires an
Operating Procedure.
CPG believes that R1.2 should be changed to require the use of an Operating Process instead of Operating
Procedure. R1.2 is merely requiring an entity to fill out the necessary forms should an event occur, so
requiring a clear and concise step by step procedure for filling out a form only adds a compliance burden to
an entity instead of improving the reliability of the BES.
CPG does agree with the DSR SDT that an entity should have a process in place mandating that the proper
paperwork be completed in a timely manner should an event occur.
Response: Thank you for your comments. The SDT has modified Requirement R1, Part 1.1 and Part 1.3 to a “process” as part of the elements of the
referenced “Operating Plan” in R1. The SDT has also changed “Operating Procedure” to a “process” in R1.2. This sub-requirement provides for establishing the
list of internal personnel to be notified in the case of an event, not the reporting of the event.
Georgia System Operations
Corporation
No
-R1.3.2: “Law Enforcement”, “Governmental Agencies”, and “Provincial Agencies” are not proper
nouns/names and are not defined in the NERC Glossary. They should not be capitalized.
-R1.4: Keeping documents current and in force should be a matter of an entit
Response: Thank you for your comments. The SDT agrees with your suggestions on capitalization and has made the corrections. The update provision comes
from a FERC directive in Order No. 693.
Indeck Energy Services
No
The terms are not important and many plans or procedures already exist and restructuring them to match the
terms is wasteful. R1 is too prescriptive.
R1 should state that a written document should show how the entity will comply with EOP-004.
R1.2 is superfluous and should be deleted. The data must be gathered and the process will vary with the
event. Trying to define the multitude of possibilities for the collection process is not productive and leaves
open the possibility of missing something for an auditor to nit pick.
R1.3 should just be a written communications plan/process/procedure for external notifications.
R1.4 is redundant because it can't be changed within 90 days until the content has already been changed.
R1.4 should be deleted. The Violation Risk Factor should be Low, if any, because this is historical reporting,
with little or no reliability consequence.
Response: The SDT disagrees with your viewpoints associated with R1 because the requirement only specifies the elements required, not how to implement
them. The SDT believes that many Registered Entities will be able to use their current Sabotage Reporting processes, with some slight modification to address
the new sub-requirements. Requirement R1, Part 1.2: The requirement is written so that it is not prescriptive and allows the entity to identify the steps it will
take to gather information for filing the report. The DSR SDT does not envision this as being a tome that contains specific data gathering protocol for each event
type. Requirement R1, Part 1.3: Has been revised to: “1.3. A process for communicating events listed in Attachment 1 to the Electric Reliability
Organization, the Responsible Entity’s Reliability Coordinator and the following as appropriate:” For
Requirement R1, Part 1.4, the update provision comes from a FERC directive in Order No. 693. In addition, the SDT believes that the update is required within 90
days from the date of being notified of the change or update. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Midwest Reliability Organization
Yes
This is a NERC defined term and will assist entities in maintaining compliance with this (proposed) Standard.
Response: Thank you for your comment.
Western Electricity Coordinating
Council
Yes
Are "Law Enforcement" considered a "Governmental Agency" (they are listed separately and both required)? If
not, are there any qualifiers on whether Law Enforcement or Governmental Agency refers to municipal, county,
state or federal or any combination?
Since the term "Provincial" is associated with "Governmental" it tends to indicate State level. As it is written
now an auditor would require documentation of “some” Law Enforcement (other than company security) and
an additional communication to at least “some” Agency which could be considered Governmental. Municipal
or higher.
Contact with City police or Sheriff and either city or county government rep would satisfy.
Additional clarity would help from a compliance enforcement perspective.
Response: Thank you for your comments. The SDT expects that Registered Entities will identify the proper outside organizations needed for their organization.
The SDT feels that law enforcement agencies include federal, state, provincial, or local law agencies and these are not the same as governmental or regulatory
agencies. Please refer to the Background section of the standard for further clarification on law enforcement notifications.
Alliant Energy
Yes
This is a NERC defined term and will assist entities in maintaining compliance with this (proposed) Standard.
We believe the reference to Attachment 2 in R1.2 should be revised to the DOE Form and utilize only one
reporting form, if at all possible.
Response: Thank you for your comments. The DSR SDT continues to work with the DOE to develop a single reporting form that is acceptable to both.
Occidental Power Marketing
Yes
However, only LSEs with BES assets (or assets that support the BES) should be included in the Applicability
section of the standard.
Response: Thank you for your comment. LSE applicability is related to their applicability under CIP-002 and CIP-008.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
However, there needs to be some clarity on which government agencies (if not the FBI) are responsible for
reporting these type of events.
Response: Thank you for your comments. Each Registered Entity should be aware of any reporting obligations it may have to various government agencies
(federal, state/provincial, local). To the extent they exist, the notification needs to be included in the entity’s Operating Plan(s).
Northeast Power Coordinating
Council
Yes
PPL Supply
Yes
Southern Company
Yes
SRP
Yes
SDG&E
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
Liberty Electric Power LLC
Yes
APX Power Markets
Yes
Sweeny Cogeneration LP
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System
Operator
Yes
Platte River Power Authority
Yes
CenterPoint Energy
Yes
PPL Electric Utilities
Yes
Lincoln Electric System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
Progress Energy
Yes
7. Do you agree with the proposed revisions to Requirement 3 (now R2)? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: The slight majority of commenters agreed with the language of Requirement R2. A significant
minority opinion exists where commenters suggest revisiting R2 and R5 to eliminate potential redundancy and confusion.
Similar comments were received pertaining to Requirement 5 (question 10 below). The DSR SDT has revised Attachment 1 to
indicate that entities must submit Attachment 2 or the DOE OE-417 form. This information was contained in Requirement R5.
The intent of the two requirements is to have entities make appropriate notifications and report impact events contained in
Attachment 1. By eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the requirements while
eliminating potential confusion and redundancy. The revised requirements are shown below:
R2. Each Responsible Entity shall implement its Impact Event Operating Plan documented in Requirement R1 for Impact
Events listed in Attachment 1 (Parts A and B). [Violation Risk Factor: Medium] [Time Horizon: Real-time Operations and Same-day Operations]
Old R5, New R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address
the events listed in Attachment 1. [Violation Risk: Factor: Medium] [Time Horizon: Operations Assessment].
Organization
Yes or No
Question 7 Comment
Georgia Transmission Corporation & Oglethorpe Power Corporation
No
We are concerned with having a separate requirement to implement the Plan.
Is this requirement necessary on its own? Should R1 instead require a Responsible Entity to "document and
implement" an Impact Event Operating Plan? More specifically, if an Entity does not have an Impact Event,
are they in violation of this requirement?
If merging this requirement with R1 is not acceptable we suggest moving the language from the measure to
the requirement as such: "To the extent that a Responsible Entity has an Impact Event on its Facilities, Each
Responsible Entity shall implement?"
Additionally, R1 uses the phrase "recognized Impact Event" whereas R2 simply uses the term "Impact
Event." The phrase "recognized Impact Event" should be used consistently in R2 as well.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted requirement 2 and revised requirements 1 and 5 to address your concern.
The DSR SDT believes that the requirement should remain separate to eliminate the possibility of double jeopardy. Old R5, New R2. Each Responsible
Entity shall report impact events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation
Risk: Factor: Medium] [Time Horizon: Operations Assessment].
Bonneville Power Administration
No
Minimize the number of requirements. Not sure what the new R2 intends that is different than having a valid
plan (signed?). Why can't R1 have develop and implement? R5 is the reporting. Implement should be with
R1 or R5 depending on the interpretation.
Response: The DSR SDT thanks you for your comment.
The DSR SDT has deleted requirement 2 and revised requirements 1 and 5 to address your concern. The DSR SDT believes that the requirement should remain
separate to eliminate the possibility of double jeopardy. Old R5, New R2. Each Responsible Entity shall report impact events in accordance with its
Operating Plan developed to address the events listed in Attachment 1. [Violation Risk: Factor: Medium] [Time Horizon: Operations
Assessment].
PSEG Companies
No
Fuel supply emergency, as discussed in response to question 4 above, is not a defined condition. This event
should be removed.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Fuel Supply Emergency from Attachment 1. This item was removed in
coordination with the NERC Events Analysis Working Group and the proposed Events Analysis Program.
SERC OC Standards Review
Group
No
We agree with the concept, but disagree with the use of the term “Operating Plan” as a defined term in line
with our comments in question 6 above.
Response: The DSR SDT thanks you for your comment. Please see response to comments in Question 6. The DSR SDT has revised R1 to eliminate the use of
Operating Process and Operating Procedure and has used more generic terms.
PJM Interconnection LLC
No
We agree with the concept but disagree with the use of the term “Operating Plan” as a defined term in line
with our comments in Question 6 above.
Response: The DSR SDT thanks you for your comment. Please see response to comments in Question 6
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Response: The DSR SDT thanks you for your comment. Please see response to question 2.
Exelon
No
Agree that each Responsible Entity shall implement the [Impact] Events listed in Attachment 1 (Parts A and
B); however, disagree with certain events, reporting responsibilities, threshold for reporting and time to submit
reports as currently outlined in Attachment 1 (Parts A and B).
Also suggest that R.2 be reworded to state for applicable [Impact] Events listed in Attachment 1 (Parts A and
B). This requirement should only be applied to those events applicable to the registered entity. R2 is
redundant to R1. No entity could claim to have met R1 if their plan / process was not operational and
approved in the manner consistent with any other approved program, process, guideline etc. within their
company.
Response: The DSR SDT thanks you for your comment.
The DSR SDT has significantly revised Attachment 1. We have removed the timing column and replaced it with more specific information regarding which form to
submit and to whom to submit the report. All events are now to be reported within 24 hours with the exception of Destruction of BES equipment, Damage or
destruction of Critical Assets and Damage or destruction of Critical Cyber Asset events, Forced Intrusion, Risk to BES equipment and Detection of a reportable
Cyber Security Incident. These events are to be reported within 1 hour. Notification of law enforcement per Part 1.3.2 is also required for these events only.
The DSR SDT has also eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. The DSR SDT believes that the requirement should remain
separate to eliminate the possibility of double jeopardy. Old R5, New R2. Each Responsible Entity shall report impact events in accordance with its
Operating Plan developed to address the events listed in Attachment 1. [Violation Risk: Factor: Medium] [Time Horizon: Operations
Assessment].
Tenaska
No
The proposed Impact Event Operating Plan should not be required.
Response: The DSR SDT thanks you for your comment.
The DSR SDT has revised R1 to only include development of an Operating Plan that includes the Parts of R1. This Operating Plan is required so that the entity’s
personnel will know what to do in the event of an event, how to report the event and to whom the report should be sent.
American Municipal Power
No
No, remove R2. R2 is not an acceptable requirement nor should this be an operation. Focusing on a plan is
overly prescriptive and costly. The only requirement should be to have an entity submit a report. Let the
entity decide how they want to implement the reporting.
Response: The DSR SDT thanks you for your comment.
The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. Old R5, New R2. Each Responsible Entity shall report
impact events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk: Factor: Medium]
[Time Horizon: Operations Assessment].
American Electric Power
No
Requirement 5 and Requirement 2 are redundant. We recommend Requirement 2 be replaced with the
language in Requirement 5. “Each Responsible Entity shall report Impact Events in accordance with the
Impact Event Operating Plan pursuant to Requirement R1 and Attachment 1 using the form in Attachment 2
or the DOE OE-417.”
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. The
old Requirement R5 has been revised as the new Requirement R2, which reads: Each Responsible Entity shall report impact events in
accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk: Factor: Medium] [Time Horizon:
Operations Assessment].
ISO New England, Inc
No
Fuel Supply Emergency is not a defined condition. We suggest that the SDT poll the ballot body regarding
the reporting of Fuel Supply Emergencies. Fuel Supply is an economic consideration and the concept of Fuel
Supply Emergency is subjective. A resource that uses coal or oil may vary its supplies based on economic
considerations (the price of the fuel). For a conservative BA a fuel-on-demand supply line can be viewed as a
fuel supply emergency whereas the resource owner sees the matter as good business. Moreover, the
release of such reports to the public can have unintended consequences. Fuel disruptions caused by contract
negotiations when reported to the public can result in non-union transportation employees being physically
harmed by fuel supply organizers thus resulting in the loss of non-contract fuel. Further, this information may
aggravate the situation by causing the cost of fuel to be inflated by suppliers when demand is great.
If this event is not deleted, then we would suggest that the definition be constrained to “declared” fuel supply
emergencies. Suggest the deletion of category: Risk to BES equipment. Because of the broad definition of
BES, the risk to BES equipment is overly broad and can be applied to any risk to any “part of” any BES asset.
The footnote helps identify what the SDT was intending, however, the words themselves can result in overly
broad findings by compliance enforcement people.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Fuel Supply Emergency from Attachment 1. This item was removed in
coordination with the NERC Events Analysis Working Group and the proposed Events Analysis Program.
Calpine Corp
No
Requirement R2 is unnecessary for the same reasons listed above in answer to question 6 regarding
Requirement R1. A new Reliability Standard requirement is not needed to verify that internal notifications are
made within Registered Entities or to ensure that Registered Entities notify local law enforcement of
suspicious activity, sabotage, theft, or vandalism. Such notifications are made by any company, and this
requirement does not clearly enhance the reliability of the Bulk Electric System. Requirement R5 provides
sanction in the event that events listed in Attachment 1 are not made appropriately. However, if the
requirement is maintained, the related Measure M2 should state in plain language exactly what elements are
required for compliance. In the absence of much more detailed instruction on exactly what elements must be
included in the various documents, the proposed requirement will create confusion with both compliance and
enforcement of the requirement. A detailed example of example documentation would be helpful. Any
difficulty in developing such an example would be instructive of the probable compliance issues that would
ensue from the necessarily varying approaches that would be taken by disparate entities attempting to meet
the requirement.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. Old
R5, New R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed
in Attachment 1. [Violation Risk: Factor: Medium] [Time Horizon: Operations Assessment].
CenterPoint Energy
No
CenterPoint Energy recommends deleting the current R2 as it is an inherent part of the current R5. For an
entity to “report Impact Events in accordance with the Impact Event Operating Plan pursuant to R1” (see R5),
the entity must “implement its Impact Operating Plan documented in Requirement 1?” (see R2). Including
both requirements is unnecessary and duplicative. Likewise, M2 should be deleted.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. Old
R5, New R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed
in Attachment 1. [Violation Risk: Factor: Medium] [Time Horizon: Operations Assessment].
ExxonMobil Research and
Engineering
No
The notification requirement and documentation in Attachment 1 do not clearly identify which entities need to
be notified for each type of event detailed in Attachment 1. While it makes sense to notify the Reliability
Coordinator, NERC, Regional Entity, Law Enforcement and other Governmental Agencies for sabotage type
events, it does not seem proper to notify Law Enforcement agencies of a system disturbance that is
unrelated to improper human intervention. Furthermore, it is our belief that a time frame of 1 hour is a short
window for making a verbal notification to third parties, and an impossibly short window for requiring the
submittal of a completed form regardless of the simplicity. When a Petrochemical Facility experiences an
impact event, the initial focus should emphasize safe control of the chemical process. For those cases where
registered entities are required to submit a form within 1 hour, the Standard Drafting Team should alter the
requirement to allow for verbal notification during the first few hours following the initiation of an Impact Event
(i.e. allow the facility time to appropriately respond to and gain control of the situation prior to making a
notification which may take several hours) and provide separate notifications windows for those parties that
will need to respond to an Impact Event immediately and those entities that need to be informed that one
occurred for the purposes of investigating the cause of and response to an Impact Event. For example, a
GOP should immediately notify a TOP when it experiences a forced outage of generation capacity as soon as
possible, but there is no immediate benefit to notify NERC when site personnel are responding to the event in
order to gain control of the situation and determine the extent of the problem. The existing standard’s
requirement to file an initial report to entities, such as NERC, within 24 hours seems reasonable provided that
proper real time notifications are made and the Standard Drafting Team reinstates EOP-004 Revision 1's
Requirement 3.3, which allows for the extension of the 24 hour window during adverse conditions, into the
requirement section of EOP-004 [the current revision locates this extension in Attachment 1, which, according
to input received from Regional Entities, means that the extension would not be enforceable].
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. Old
R5, New R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed
in Attachment 1. [Violation Risk: Factor: Medium] [Time Horizon: Operations Assessment].
The DSR SDT has significantly revised Attachment 1. We have removed the timing column and replaced it with more specific information regarding which form to
submit and to whom to submit the report. All events are now to be reported within 24 hours with the exception of Destruction of BES equipment, Damage or
destruction of Critical Assets and Damage or destruction of Critical Cyber Asset events in Part A and Forced Intrusion, Risk to BES equipment and Detection of a
reportable Cyber Security Incident in Part B. These events are to be reported within 1 hour. Notification of law enforcement per Part 1.3.2 is also required for
these events only.
American Transmission
Company
No
ATC does not agree with the proposed language in Requirement 3. ATC is concerned that, in order to
demonstrate compliance, an entity will have to show that each step in the plan was followed which will likely
leave entities facing the choice of choosing between different compliance violations. If the plan is not
followed, but the report is made within the time given, then an entity is in violation of their plan. If the plan is
followed, but the report does not get filed within the time allotted, then they face a possible violation of the
time to report. ATC believes that the team should enforce the position that the report being filed in the time
allotted is key, not that they necessarily follow and document that their plan was followed. Depending on the
situation, the internal reporting will vary; however, based on the purpose of the Standard, the key is to get a
report to NERC.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 for clarity and to eliminate potential redundancy. Old
R5, New R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed
in Attachment 1. [Violation Risk: Factor: Medium] [Time Horizon: Operations Assessment].
Georgia System Operations
Corporation
No
-We suggest moving the language from the measure to the requirement as such: "To the extent that a
Responsible Entity has an Impact Event on its Facilities, each Responsible Entity shall
implement?" Additionally, R1 uses the phrase "recognized Impact Event"
Response: The DSR SDT thanks you for your comment.
Requirement 2 has been deleted along with its associated Measure M2. R1 no longer references “recognized” events.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
There are generally several events during the year. If the process is well documented, a drill or exercise is
excessive. It should be sufficient to say “provide training.”
Response: The DSR SDT thanks you for your comment.
This appears to be related to R3 in question 8. If an event occurs during the year, additional testing is not required.
Indeck Energy Services
No
R2 is direct and to the point. The Violation Risk Factor should be Low, if any, because this is historical
reporting, with little or no reliability consequence.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Midwest Reliability Organization
Yes
This clearly states that an entity’s Operating Plan is to be used for reporting of Impact Events.
Response: The DSR SDT thanks you for your comment.
Dominion
Yes
Dominion agrees subject to the comments provided in Question #6. In addition, Requirement R2 appears
duplicative of Requirement R5. Suggest R2 be clarified relative to the intent.
Response: The DSR SDT thanks you for your comment. Please see responses to comments in Question 6. R2 was deleted and R5 was revised. Old R5, New
R2. Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed in
Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]. The DSR SDT has revised R1 to eliminate the use of
Operating Process and Operating Procedure and has used more generic terms.
Manitoba Hydro
Yes
Removing “assess the initial probable cause” from the statement removes the ambiguity in the same way as
replacing sabotage with impact level. Let the staff trained in this field determine probable cause after the fact.
Response: The DSR SDT thanks you for your comment.
Occidental Power Marketing
Yes
However, only LSEs with BES assets (or assets that directly support the BES) should be included in the
Applicability section of the standard.
Response: The DSR SDT thanks you for your comment. Attachment 1 specifies which types of events are required to be reported by each entity.
Constellation Power Generation
Yes
Although CPG agrees with the wording of Requirement 2, CPG has several comments and suggested
changes regarding the Attachments, to which this requirement points. Please see those comments below.
Response: The DSR SDT thanks you for your comment. Please see responses below.
Northeast Power Coordinating
Council
Yes
Western Electricity Coordinating
Council
Yes
Pacific Northwest Small Public
Power Utility Comment Group
Yes
Pepco Holdings Inc and Affiliates
Yes
SPP Standards Review Group
Yes
Midwest ISO Standards
Collaborators
Yes
FirstEnergy
Yes
Southern Company
Yes
SRP
Yes
We Energies
Yes
SDG&E
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
Sweeny Cogeneration LP
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System
Operator
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
PPL Electric Utilities
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
No comments.
Brazos Electric Power
Cooperative
Yes
Progress Energy
Yes
Response: The DSR SDT thanks you for your comment. Based on stakeholder comments, Requirement R2 was deleted and R5 was revised. Old R5, New R2.
Each Responsible Entity shall report impact events in accordance with its Operating Plan developed to address the events listed in Attachment
1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].
8. Do you agree with the proposed revisions to Requirement 4 (now R3)? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: There were several issues that commenters raised regarding removing the requirement. Below is a
summary:
1) Review annual component CAN0010 states: Regardless of the registered entity’s documented definition of annual, it will
not supersede any requirement stated in the standard. The DSR SDT is defining “annual” within this Standard (and only for
this Standard).
2) Remove R3-requirement – Several stakeholders believed the testing to be onerous. The language of the requirement
was revised to indicate that only the communications portion of the Operating Plan is required to be tested. Each Responsible
Entity shall conduct a test of the communication process in its Operating Plan, created pursuant to Requirement 1, Part 1.3, at
least annually (once per calendar year), with no more than 15 calendar months between tests.
3) Unclear if actual events would qualify for a test in the requirement – The language in the measure was revised to add
“Implementation of the communication process as documented in its Operating Plan for an actual event may be used as
evidence to meet this requirement.”
4) VRF is too high on R3 – With the revised standard, there are now three requirements. Requirement R1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in
nature and justifies a “lower” VRF. This requirement is administrative in nature and deals with the means to report events after
the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement
to analyze events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of
Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement
R2 specifies that an entity is responsible for reporting events in accordance with the Operating Plan based on Attachment 1.
Requirement R3 is insurance to make sure that an entity can communicate information about events. Requirement R2 specifies
that the responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential
sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the
requirements is “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Organization
Yes or No
Question 8 Comment
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
No
With the current CAN on the definition of annual, we do not believe that the additional qualification that the
test shall be conducted "with no more than 15 calendar months between tests" is necessary. If instead the
team believes that, in order to support the reliability of the BES, tests should be performed at least every 15
months, then the requirement should be to perform a test at least every 15 calendar months and remove the
annual component.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. Per the CAN, “Regardless of the registered entity’s documented definition of annual, it will not supersede any
requirement stated in the standard.” The team believes the requirement is specifying what the team believes to be appropriate.
Northeast Power Coordinating
Council
No
The annual testing requirement is too frequent for a reporting, and not an operational process. The testing
interval should be extended to five years.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. We feel that five years is too long of an interval between tests as contact information contained in the plan
may change more often. A one year test is more likely to catch problems with the Operating Plan. If an entity has an event, then they do not need to test the
plan during the annual cycle.
Bonneville Power Administration
No
Too burdensome to go through EACH and ALL individual Impacts and report each one on a drill basis with
outside entities. One or two scenarios may be OK.
Response: The DSR SDT thanks you for your comment. It is not intended to perform a test for each type of event listed in Attachment 1. The entity is free to
choose any single event to test its operating plan. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The test under R3 Operating Plan is to test the
communication aspect of your Operating Plan.
Dominion
No
The need to conduct a test of its Operating Process has not been established and is overly restrictive given
that the purpose of the standard is to report Impact Events.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. The SDT thinks it is critical to test the Operating Plan to verify that employees know the appropriate actions
to take and that there are no issues with the reporting procedures. Not testing the Operating Plan could result in employees being unprepared to communicate
and report for an actual event.
SPP Standards Review Group
No
The SDT included a formal review process in the discussion of R4 in the Background Information in the
Unofficial Comment Form as one of three options for demonstrating compliance with the testing requirements
of R4, yet M3 only contains two of those options – a mock Impact Event exercise and a real-time
implementation of its Operating Process. The third option, a formal review process, is missing from M3 and
needs to be added. We would suggest the following for M3: “In the absence of an actual Impact Event, the
Responsible Entity shall provide evidence that it conducted a mock Impact Event and followed its Operating
Process for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3 or
conducted a formal review of its Operating Process. The time period between tests, actual Impact Events or
formal reviews shall be no more than 15 calendar months. Evidence may include, but is not limited to,
operator logs, voice recordings or documentation.”
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. The standard now has only three requirements. The requirement to test the communications process is
important so that any issues or errors in the Operating Plan can be identified. The team feels that a formal review will not be able to identify any of these errors
unless the communications process is tested.
Midwest ISO Standards
Collaborators
No
We appreciate the drafting team recognizes that actual implementation of the plan for a real event should
qualify as a “test”. However, we are concerned that review of this requirement in isolation of the background
material and information provided by the drafting team may cause a compliance auditor to believe that a test
cannot be met by actual implementation. Furthermore, we do not believe testing a reporting procedure is
necessary. Periodic reminders to personnel responsible for implementing the procedure make sense but
testing it does not add to reliability. If they don’t report an event, it will become obvious with all the tools
(SAFNR project) the regulators have to observe system operations.
Response: The DSR SDT thanks you for your comment. We have added the following to the measure: “Implementation of the communication process as
documented in its Operating Plan for an actual event may be used as evidence to meet this requirement.”
FirstEnergy
No
We believe that a separate requirement for testing the reporting process is unnecessary. The FERC directive
that required periodic testing was directed at sabotage events per CIP-001. Since the proposed standard
moves the responsibility for classifying an event as sabotage from the entity to the applicable law
enforcement authority, the need for a periodic drill is no longer necessary. We believe that Requirement R4
should suffice in ensuring that the individuals involved in the process are aware of their responsibilities.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The standard now has only three requirements. The
requirement to test the communications process is important so that any issues or errors in the Operating Plan can be identified.
SERC OC Standards Review
Group
No
Annual testing of an “after-the-fact” reporting procedure does not add to the reliability of the BES!
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The standard now has only three requirements. The
requirement to test the communications process is important so that any issues or errors in the Operating Plan can be identified. This will allow for reporting to
the appropriate entities in the case of an actual event.
PJM Interconnection LLC
No
1. This is an “after-the-fact” reporting requirement (administrative in nature). Annual testing of such a
requirement does not add to the reliability of the BES.
2. R3 attempts to define “Annual” for the Registered Entity to test its Operating Process. We believe R3
should follow the NERC definition of Annual as defined in the NERC Compliance Application Notice (CAN) –
CAN-0010 – Definition of Annual as opposed to creating a new definition of Annual – or – refer to an entity’s
defined use of the term annual.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The standard now has only three requirements. The
requirement to test the communications process is important so that any issues or errors in the Operating Plan can be identified. This will allow for reporting to
the appropriate entities in the case of an actual event.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. Per the CAN, “Regardless of the registered entity’s documented definition of annual, it will not supersede any
requirement stated in the standard.” The team believes the requirement is specifying what the team believes to be appropriate.
We Energies
No
A test of the Operating Process for communication would be placing telephone calls. This requirement would
have virtually every entity in North America calling NERC, Regional Entities, FERC/Provincial Agency, Public
Service Commission, FBI/RCMP, local Police, etc. annually. Every entity will probably be asking for a
confirmation letter from each telephone call for proof of compliance. This is an unnecessary requirement.
Delete it.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. The standard now has only three requirements. The requirement to test the communications process is
important so that any issues or errors in the Operating Plan can be identified. This will allow for reporting to the appropriate entities in the case of an actual
event.
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Also, while NextEra understands the need to have a testing requirement for sabotage (Order 693 at P 446), it
does not find it necessary to have a testing requirement for the other events. At this time in the process,
additional requirements for the sake of having a requirement are likely to detract from reliability. Thus,
NextEra requests that the testing requirement be limited to sabotage related events.
Response: The DSR SDT thanks you for your comment. Please see responses to Question 2 above. Each entity may choose an event type for which to perform
the communications process test. It need not be performed for each and every event type listed in Attachment 1. The test must include all aspects of the
communications process, including NERC and the RE. The measure for R3 was revised to make it explicit that evidence for compliance for R3 includes an actual
event.
M3. The Responsible Entity shall provide evidence that it conducted a test of the communication process as documented in its Operating Plan impact events
created pursuant to Requirement R1, Part 1.3. Implementation of the communication process as documented in its Operating Plan for an actual impact event
may be used as evidence to meet this requirement. The time period between an actual impact event or test shall be no more than 15 months. Evidence may
include, but is not limited to, operator logs, voice recordings, or dated documentation of a test. (R3)
Exelon
No
- Each entity should be able to determine if they need a drill for a particular event. Is this document implying
that the annual drill covering all applicable [Impact] Events?
- A provision should be added to be able to take credit for an existing drill/exercise that could incorporate the
required communications to meet the intent of R.3 to alleviate the burden on conducting a standalone annual
drill. The DSR SDT needs to provide more guidance on the objectives and format of the drill expected (e.g.,
table top, simulator, mock drill).
- A provision should be added to R.3 to allow for an actual event to be used as credit for the annual
requirement. It would seem that the intent is as such based on the wording in M.3; however, it needs to be
explicit in the Requirement.
- Must a test include communicating to NERC or the Region?
Response: The DSR SDT thanks you for your comment. Each entity may choose an event type for which to perform the communications process test. It need
not be performed for each and every event type listed in Attachment 1. The test must include all aspects of the communications process, including NERC and the
RE. The measure for R3 was revised to make it explicit that evidence for compliance for R3 includes an actual event.
M3. The Responsible Entity shall provide evidence that it conducted a test of the communication process as documented in its Operating Plan impact events
created pursuant to Requirement R1, Part 1.3. Implementation of the communication process as documented in its Operating Plan for an actual impact event
may be used as evidence to meet this requirement. The time period between an actual impact event or test shall be no more than 15 months. Evidence may
include, but is not limited to, operator logs, voice recordings, or dated documentation of a test. (R3)
City of Tallahassee (TAL)
No
Comments: The verbiage “at least annually, with no more than 15 months between such tests” is an attempt
to define annually. If you want every 15 months say “at least every 15 months.” Otherwise just say annual
and let the entities decide what that is, as is being done with other “annual” requirements.
Additionally, while the Measure (M3) implies that an actual event would suffice it is not stated in the
requirement, and the entire plan should be tested, not just a component. Proposed: Each Responsible Entity
shall conduct a test of its Impact Event Operating Plan at least annually. A test of the Impact Event Operating
Plan can range from a paper drill, to the response to an actual event.
Response: The DSR SDT thanks you for your comment. The language now reads: “annually (once per calendar year), with no more than 15 calendar months
between tests”. This comports with the intent and with the recent CAN from NERC on the use of “Annual”. The intent of the requirement is to verify that an
entity’s personnel can communicate with other entities when a real event occurs. It is expected that such a test will include all aspects of the communications
process. The measure was revised to clarify that an actual event can be used in lieu of a test. R3 reads:
“Each Responsible Entity shall conduct a test of the communication process as documented in its Operating Plan, created pursuant to Requirement 1, Part 1.3,
impact events at least annually, (once per calendar year), with no more than 15 calendar months between tests.”
Tenaska
No
The proposed Impact Event Operating Plan should not be required, therefore any tests of the Operating
Process should not be required.
Response: The DSR SDT thanks you for your comment. Stakeholder consensus indicates that the majority of stakeholders agree with the Operating Plan
requirement.
American Municipal Power
No
No, remove R3. R3 is not an acceptable requirement nor should this be an operation. Focusing on a test is
overly prescriptive and costly. The only requirement should be to have an entity submit a report. Let the
entity decide how they want to implement the reporting.
Response: The DSR SDT thanks you for your comment. The intent of the requirement is to verify that an entity’s personnel can communicate with other entities
when a real event occurs. It is expected that such a test will include all aspects of the communications process. The measure was revised to clarify that an
actual event can be used in lieu of a test. This should not be a costly nor burdensome requirement.
Liberty Electric Power LLC
No
It is not the proper role of the standards to dictate how an entity conducts training. Large utilities with backup
control rooms and enough personnel can conduct routine drills without disturbing operations, but this is not
always the case for small entities. Further, classroom training where emergency responses are discussed can
be a better tool at times for assuring compliance with operating procedures. I would suggest R3 read "Each
entity shall assure that personnel are aware of the requirements of EOP-004 and capable of responding as
required.”
Response: The DSR SDT thanks you for your comment. The DSR SDT agrees and has removed the training Requirement, R4.
Sweeny Cogeneration LP
No
We do not see a reliability benefit in the planning and execution of tests or drills to ensure that regulatory
reporting is performed in a timely fashion. It is sufficient that penalties can be assessed against entities that
do not properly respond in accordance with EOP-004-2, leaving it to us to determine how to avoid them.
Response: The DSR SDT thanks you for your comment. The intent of the requirement is to verify that an entity’s personnel can communicate with other entities
when a real event occurs. It is expected that such a test will include all aspects of the communications process. The measure was revised to clarify that an
actual event can be used in lieu of a test.
American Electric Power
No
It is unclear if actual events would qualify for a test in the requirement; however, the associated measure and
rationale appear to support this. We suggest the requirement be restated to allow for actual events to count
for this requirement.
Response: The DSR SDT thanks you for your comment. The intent of the requirement is to verify that an entity’s personnel can communicate with other entities
when a real event occurs. It is expected that such a test will include all aspects of the communications process. The measure was revised to clarify that an
actual event can be used in lieu of a test.
New Harquahala Generating Co.
No
M3. In the absence of an actual Impact Event, the Responsible Entity shall provide evidence that it conducted
a mock Impact Event and followed its Operating Process for communicating recognized Impact Events
created pursuant to Requirement R1, Part 1.3. The time period between actual and or mock Impact Events
shall be no more than 15 months. Evidence may include, but is not limited to, operator logs, voice recordings,
or documentation. (R3). The measure for R3 needs to make it clear that “exercise/drill/actual employment”
can be a classroom exercise, utilizing scenarios for discussion. It should not be necessary to fully test the
plan by making actual phone calls, notifications etc.
Response: The DSR SDT thanks you for your comment. The intent of the requirement is to verify that an entity’s personnel can communicate with other entities
when a real event occurs. It is expected that such a test will include all aspects of the communications process including making actual phone calls, etc. The
measure was revised to clarify that an actual event can be used in lieu of a test. The purpose of the requirement is to ensure that the communications process
works.
ISO New England, Inc
No
We appreciate and agree with the drafting team recognizes that actual implementation of the plan for a real
event should qualify as a “test.” However, we are concerned that review of this requirement in isolation and
without the benefit of the background material and information provided by the drafting team may cause a
compliance auditor to believe that a test cannot be met by actual implementation. Furthermore, we do not
believe testing a reporting procedure is necessary. Periodic reminders to personnel responsible for
implementing the procedure make sense but testing it does not add to reliability. If they don’t report an event,
it will become obvious to compliance auditors. Recommend using language similar to CIP-009. “Each
Responsible Entity shall conduct an exercise of its operating process for communicating recognized Impact
Events created pursuant to Requirement R1, Part 1.3 at least annually, with no more than 15 calendar
months between exercises.” An exercise can range from a paper drill, to a full operational exercise, to
reporting of actual incident. Also, we question the need to conduct a test annually. Since this is only a
reporting Standard and, as such, has no direct impact on reliability, we suggest modifying the testing
requirement to once every three years.
CIP-009-3
R.2 Exercises —The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s)
can range from a paper drill, to a full operational exercise, to recovery from an actual incident.
M2. The Responsible Entity shall make available its records documenting required exercises as specified in
Requirement R2.
Response: The DSR SDT thanks you for your comment. The intent of the requirement is to verify that an entity’s personnel can communicate with other
entities when a real event occurs. It is expected that such a test will include all aspects of the communications process. The measure was revised to clarify that
an actual event can be used in lieu of a test.
Calpine Corp
No
Absent substantial evidence that the proposed requirement addresses an actual systemic problem with actual
submittal of reports of electrical disturbances, Requirement R4 should be removed. Failure to properly report
events is currently sanctionable under CIP-001-1 and EOP-004-1 and will continue to be sanctionable under
proposed EOP-004-2. Entities are capable of implementing procedures appropriate to ensure compliance
with the actual reporting requirements without the addition of this “test.”
Alternately, if this requirement for annual tests is retained, it should be supplemented with a detailed example
of an acceptable test and acceptable documentation of the test to avoid future compliance and enforcement
issues. Stating “evidence may include, but is not limited to...” provides broad and unnecessary opportunity for
future compliance and enforcement issues. Any difficulty the committee might encounter in developing such a
detailed example would be instructive of the probable compliance and issues that would ensue from
implementation of the requirement.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The requirement is written so that it is not prescriptive
and allows the entity flexibility in how it tests its communications process.
BGE
No
Requirement 3 (formerly R4) should be removed altogether because it is covered by the new R4. The topic of
Disturbance Reporting is covered several times each year during operator training classes and the operators
are tested on the material. Actual issued Disturbance Reports throughout the year are also covered during
training class.
Response: The DSR SDT thanks you for your comment. R4 was a training requirement which has been revised and incorporated into Requirement R1, Part 1.5.
This now calls for an annual review of the Operating Plan rather than training. The intent of the review is to ensure that the plan is up to date.
Georgia System Operations
Corporation
No
-With the current CAN on the definition of annual, we do not believe that the additional qualification that the
test shall be conducted "with no more than 15 calendar months between tests" is necessary. Although we
understand the additional qualification
Response: The DSR SDT thanks you for your comment. The CAN language defers to the standard drafting team for any qualifications on “annual.” The DSR
SDT prefers the existing language.
Indeck Energy Services
No
For smaller entities, for which few of the Attachment 1 events apply (e.g., a 75 MW wind farm), a drill is overkill.
Reviewing the procedure during training should be sufficient. The solution is to require a drill for any entity for
which any of the Attachment 1 events would cause a Reportable Disturbance or reportable DOE OE-417
event and training review for any other entities. The Violation Risk Factor should be Low, if any, because this
is historical reporting, with little or no reliability consequence.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. Any drill or exercise that meets the intent of the
requirement is acceptable.
VRF: With the revised standard, there are now three requirements. Requirement R1 specifies that the responsible entity have an Operating Plan for identifying
and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF. This requirement is administrative in nature and deals with
the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement
to analyze events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of Procedure and the Events
Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the specifics in Attachment 1 (R2) and to test the
communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is responsible for reporting events in accordance with
the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can communicate information about events. Requirement
R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential sabotage events. Part
of the reason to report these types of events is to make other entities aware to help prevent further sabotage events from occurring. Existing CIP-001-1a deals
with sabotage events and the approved VRFs for each of the requirements are “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for
both EOP-004 and CIP-001.
ExxonMobil Research and
Engineering
No
The annual (15 month) time window for conducting annual performance tests appears to be reasonable.
However, the required scope of the test is vague. The Standard Drafting Team should modify the testing
requirement to include boundary criteria such as whether notifications to third parties and law enforcement
are required or if the test is limited to internal notifications and response processes. Furthermore, the current
measure associated with this requirement, EOP-004 Revision 2 Measure 3, implies that if an Impact Event
occurs, the registered entity can count the activation of its Impact Event Operating Plan as a test and extend
the test window 15 months from the date of activation. The Standard Drafting Team should revise the
requirement to clarify that the test window resets when a site initiates its Impact Event Operating Plan in
response to a real Impact Event as requirement criteria should not be included in a measure.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. It is expected that such a test will include all aspects of the communications process. The measure was
revised to clarify that an actual event can be used in lieu of a test.
Occidental Power Marketing
No
We understand that this requirement is meant to comply with FERC Order 693, Section 466; however, there
needs to be more specificity concerning what sort of "test" would be accepted for auditing purposes. Also,
only LSEs with BES assets should be included in the Applicability section of the standard.
Response: The DSR SDT thanks you for your comment.
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating recognized events is correct so that the entity can
respond appropriately in the case of an actual event. The requirement is written so that it is not prescriptive and allows the entity flexibility in how it tests its
communications process.
Lincoln Electric System
No
As currently drafted, requirement R3 states one must “conduct a test” whereas the associated Measure
requests evidence that one “conducted a mock Impact Event.” The Rationale box lends to further confusion
by referencing a “drill or exercise” as a process to verify one’s Operating Process. To avoid potential
confusion between R3 and M3, as well as to maintain consistency with the Rationale box, recommend the
drafting team replace the word “test” with “drill or exercise” within R3 and the associated Measure.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. It is not a common practice to include explanatory text in
a requirement. The Results-based standards format allows the Rationale boxes to serve this role. The Rationale box includes language that indicates that an
actual implementation of the plan counts as a test.
Farmington Electric Utility System
No
The measure for R3 indicates an actual Impact Event would count as a test, consider aligning the requirement
with the measure to clarify an Impact Event could be considered a test.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. It is not a common practice to include explanatory text in
a requirement. The Results-based standards format allows the Rationale boxes to serve this role. The Rationale box includes language that indicates that an
actual implementation of the plan counts as a test.
Ingleside Cogeneration LP
No
Since the reporting of event data to regulatory agencies does not support a front-line operations capability to
mitigate or restore a BES impairment, regular simulations are not needed. Those notification items which test
coordination between operating entities can be addressed in emergency operations exercises.
Response: The DSR SDT thanks you for your comment. We concur with your comment. The DSR SDT intends for each Responsible Entity to verify that its
Operating Process for communicating recognized events is correct so that the entity can respond appropriately in the case of an actual event.
Constellation Power Generation
No
As CPG stated in comments to earlier versions of EOP-004-2, this requirement adds a substantial compliance
burden with little to no reliability improvement to the BES. Numerous entities in the NERC footprint have
created fleet-wide compliance programs for their facilities, instead of overseeing multiple stand-alone
compliance programs. This was done not just for the ease of administration, but it also greatly improves the
reliability of the BES by ensuring consistency across multiple facilities. By requiring each responsible entity to
test the Operating Process, those under a fleet-wide compliance program will end up testing the same
Operating Process numerous times. This would be inefficient, ineffective and unnecessarily costly. If the
testing requirement remains, then the Responsible Entity should be able to take credit for testing of the
Operating Process regardless of which entity in the fleet tested it. Alternatively, the drafting team should
consider removing Requirement 3 (formerly R4) because in practice it is covered by the new R4. As
discussed below R4 needs refinement, but the topic of Disturbance Reporting is covered during annual
training.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. If the intent of this requirement is fulfilled by another
exercise or drill conducted by the responsible entity, then that will meet the requirement.
Duke Energy
Yes
We understand that the objective of this requirement is to test the Operating Process for communicating
Impact Events; and that such test could be an actual exercise, a formal review, or a real-time implementation.
But given that R1.4 requires updating the Operating Plan within 90 days of any changes, we believe the VRF
for R3 should be LOW instead of MEDIUM.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement R1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can
communicate information about events. Requirement R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements are “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Progress Energy
Yes
Do all individuals who are assigned roles and responsibilities in the Impact Event Operating Plan have to be
involved with the test each time? Since there are multiple different types of Impact Events, it seems likely
that only a subset of those Impact Events would be tested during an annual test, and therefore only a subset
of individuals with responsibilities in the Impact Event Operating Plan would participate. For example, one
test may exercise the Operating Process for properly reporting damage to a power plant that is a Critical
Asset, and personnel from the Distribution Provider would not be involved in that test. Would such a scenario
meet the requirement for the annual test? If so, it seems that some aspects of the Plan may never actually
be required to be tested. This is ok, since R4 requires an annual review with personnel with responsibilities
in the Impact Event Operating Plan. It must be made clear what is required in the annual test.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The requirement is written so that it is not prescriptive
and allows the entity flexibility in how it tests its communications process.
Manitoba Hydro
Yes
This requirement appears to be written so as to leave how each entity tests this procedure is up to them and
not how. The testing of this procedure could vary vastly from entity to entity, meaning there is no set protocol
on this procedure. As long as this requirement remains open, it is fair.
Response: The DSR SDT thanks you for your comment.
United Illuminating Co
Yes
FERC did state in Order 693 that the reporting procedure requires testing. UI is concerned that the scope of
the requirement is unspecified. Does the exercise require only one type of Impact Event to be exercised per
period, or is an entity required to simulate each Impact Event and notification
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. If your communications process differs by event type,
then all communications should be tested.
Southern Company
Yes
This will cause all of the entities listed in R1.3.2 to receive test communications from all of the applicable
entities annually.
Response: The DSR SDT thanks you for your comment. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The standard now has only three requirements. The
requirement to test the communications process is important so that any issues or errors in the Operating Plan can be identified. This will allow for reporting to
the appropriate entities in the case of an actual event.
SRP
Yes
SDG&E
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Arkansas Electric Cooperative
Corporation
Yes
Platte River Power Authority
Yes
Alliant Energy
Yes
CenterPoint Energy
Yes
USACE
Yes
Independent Electricity System
Operator
Yes
PPL Electric Utilities
Yes
American Transmission
Company
Yes
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
Brazos Electric Power
Cooperative
Yes
Midwest Reliability Organization
Yes
Western Electricity Coordinating
Council
Yes
Pacific Northwest Small Public
Power Utility Comment Group
Yes
PSEG Companies
Yes
Pepco Holdings Inc and Affiliates
Yes
9. Do you agree with the proposed revisions to Requirement 5 (now R4)? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: A significant number of commenters indicated that there was confusion surrounding the use of the
term “review” in Requirements R3 and R4. Similar comments suggested that the measure for Requirement R4 has a training
connotation, which is inconsistent with the language in the requirement, which uses the term “review.” The DSR SDT has
eliminated Requirement R4 and added a part to Requirement 1, Part 1.5, to require a process for ensuring that the event
Operating Plan is reviewed at least annually, with no more than 15 calendar months between review sessions. Eliminating R4
and adding Part 1.5 maintains the intent while eliminating potential confusion and redundancy.
Other commenters suggested revisions to the use of the term annual. The DSR SDT reviewed the NERC definition of Annual as
defined in the NERC Compliance Application Notice (CAN) CAN-0010, which provides drafting teams latitude to define the term
within a requirement as they intend it to be used.
Organization
Yes or No
Question 9 Comment
Georgia Transmission
Corporation & Oglethorpe
Power Corporation
No
We do not believe that the requirement should specify that the plan must be reviewed with those personnel
who have responsibilities identified in that plan as there is no requirement in R1 that the plan must identify
any specific personnel responsibilities. Additionally, we seek clarification on whether review in this instance
means train as indicated in the measure.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated requirement R4 and added a Part under Requirement R1, to require a
process for ensuring that the event Operating Plan is reviewed at least annually, with no more than 15 calendar months between review sessions. By adding
this Part to Requirement R1, the SDT has eliminated confusion and redundancy around the use of the term “review” and the training connotation in the
Measure.
Dominion
No
The need to periodically review its Impact Event Operating Plan has not been established and is overly
restrictive (annually) given that the purpose of the standard is to report Impact Events. Suggest removing this
requirement
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated requirement R4 and added a Part under Requirement R1, to require a
process for ensuring that the event Operating Plan is reviewed at least annually, with no more than 15 calendar months between review sessions. The DSR SDT's
intent is to ensure that there is no gap in the review of the Operating Plan even though the plan has provision(s) for updating the event Operating Plan within
90 days of any change to its content. By adding this Part to Requirement R1, the SDT has eliminated confusion and redundancy around the use of the term
“review” and the training connotation in the Measure.
SPP Standards Review Group
No
There is confusion surrounding the use of the term review in R3 and R4. In R3 and the suggested revision to
M3 in Question 8, review is an analysis of the plan by a specific group tasked to determine if the plan requires
updating or modifying to remain viable. Review in R4 has training connotations for all personnel who have
responsibilities identified in the plan. Although we understand the use of review in R4 is new to this version of
EOP-004-2, we believe it may be more appropriate to use training rather than review in R4. And further, we
feel the training should be focused on those specific portions of the plan that apply to specific job functions.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated Requirement R4 and added a Part under Requirement R1, to require a
process for ensuring that the event Operating Plan is reviewed at least annually, with no more than 15 calendar months between review sessions. By adding
this Part to Requirement R1, the SDT has eliminated confusion and redundancy around the use of the term “review” and the training connotation in the
Measure.
FirstEnergy
No
We believe that Requirement 4 does not warrant a Medium risk factor. For example, a simple review of the
process does not have the same impact on the Bulk Electric System as the implementation of the Operating
Plan per R2. Therefore, we believe R4 is at best a Low risk to the BES.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated Requirement R4 and has re-evaluated the Violation Risk Factors for each
requirement. With the revised standard, there are now three requirements. Requirement R1 specifies that the responsible entity have an Operating Plan for
identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF. This requirement is administrative in nature and
deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a
requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of Procedure and the
Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the specifics in Attachment 1 (R2) and to test the
communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is responsible for reporting events in accordance with
the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can communicate information about events. Requirement 2
specifies that the responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential sabotage events. Part of
the reason to report these types of events is to make other entities aware to help prevent further sabotage events from occurring. Existing CIP-001-1a deals with
sabotage events and the approved VRFs for each of the requirements are “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for both
EOP-004 and CIP-001.
We Energies
No
Include that this is for internal personnel as stated in the associated measure.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated Requirement R4 and the associated Measure.
Compliance & Responsibility
Organization
No
See comments set forth in number 2
Response: Thank you for your comments and suggestions. Please see responses to question 2.
Exelon
No
Need more guidance on what personnel are expected to participate in the annual review.
Training for all participants in a plan should not be required. Many organizations have dozens if not hundreds
of procedures that a particular individual must use in the performance of various tasks and roles. Checking a
box that states someone read a procedure does not add any value. This is an administrative burden with no
contribution to reliability. If the intention is that internal personnel who have responsibilities related to the
Operating Plan cannot assume the responsibilities unless they have completed training. This requirement
places an unnecessary burden on the registered entities to track and maintain a database of all personnel
trained and should not be a requirement for job function. A current procedure and/or operating plan that
addresses each threshold for reporting should provide adequate assurance that the notifications will be made
per an individual's core job responsibilities.
Response: Thank you for your comments. The DSR SDT intends for each Responsible Entity to verify that its Operating Process for communicating
recognized events is correct so that the entity can respond appropriately in the case of an actual event. The requirement is written so that it is not prescriptive
and allows the entity flexibility in how it tests its communications process.
City of Tallahassee (TAL)
No
The verbiage at least annually, with no more than 15 months between review sessions is an attempt to define
annually. If you want every 15 months say at least every 15 months. Otherwise just say annual and let the
entities decide what that is, as is being done with other annual requirements.
Response: Thank you for your comment. The DSR SDT took into consideration the CAN on the definition of “Annual” and wrote the requirement to meet the
intent of the team.
Tenaska
No
The proposed Impact Event Operating Plan should not be required.
Response: The DSR SDT thanks you for your comment. The DSR SDT considers the proposed event Operating Plan a document that identifies the activities
to achieve the purpose to improve industry awareness and the reliability of the Bulk Electric System. The DSR SDT has revised R1 to only include
development of an Operating Plan that includes the sub-requirements of R1.
American Municipal Power
No
No, remove R4. R4 is not an acceptable requirement nor should this be an operation. Focusing on a plan
and personnel tracking is overly prescriptive. The only requirement should be to have an entity submit a
report. Let the entity decide how they want to implement the reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT has taken into consideration your comment, eliminated Requirement R4, and added
Requirement R1, Part 1.5. The SDT agrees that the Registered Entity can decide on how to implement the reporting; however, this requirement mandates
that the Registered Entity document its process.
Liberty Electric Power LLC
No
Again, the entity should determine the need for review of any procedure. Changing circumstances may dictate
a shorter cycle, but no changes could dictate a longer review. I will note that spill prevention plans are
required to be reviewed every five years, so I question the need for an 18-month review of the EOP plan.
Response: The DSR SDT thanks you for your comment. The review provisions are designed to ensure that contact information for internal and external
organizations are correct and up to date.
Arkansas Electric Cooperative
Corporation
No
We appreciate the effort the team has taken in improving the requirements since the last posting. We request
the team clarify if this also includes personnel observing and reporting the requirements or only those
specifically listed in the plan. The measure seems to indicate it only includes those listed in the plan, but this
is not clear in the requirement. If it includes those personnel involved in observing and notifying management,
then this might include a significant portion of the organization. In either case, we feel the requirement should
be modified as "review applicable portions of its Impact Event Operating Plan...."
Response: The DSR SDT thanks you for your comment. The training provisions of the standard have been removed. The DSR SDT intent is to ensure that
the Registered Entity has Operating Plan(s) for the identification of events, establishing which internal personnel are involved, identification of outside agencies
to be notified, and having a provision for updating the plan(s). The SDT feels that current Sabotage Reporting guidelines already provide much of the
information needed in the new R1.
Calpine Corp
No
Failure to properly report events is currently sanctionable under CIP-001-1 and EOP-004-1 and will continue
to be sanctionable under proposed EOP-004-2. Entities are capable of implementing procedures appropriate
to ensure compliance with the actual reporting requirements without the addition of a formal requirement to
annually review their internal procedures with personnel. In the unlikely event that an entity cannot attain this
level of operating competence without implementation of a new requirement, such Entities would be subject to
enforcement under Requirement R5. Absent substantial evidence of systemic problems by Entities in
contacting local law enforcement properly or failures to complete event reports to appropriate agencies when
provided with clear guidance on the events to be reported, this requirement is unnecessary.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R2 and revised Requirements R1 and R5 to address your
concern. Requirement R5 (now R2) reads:
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
ExxonMobil Research and
Engineering
No
It's unclear whether R4 is a training requirement to train all individuals who may be required to implement its
Impact Event Operating Plan on an annual basis or a requirement for an Entity to review the Impact Event
Operating Plan with at least one person from each position that has a role in the Impact Event Operating Plan
in order to complete a quality review of the Impact Event Operating Plan. The SDT should clarify the intent of
the requirement. If the intent is that both of the aforementioned interpretations are expected to occur, the SDT
should break R4 into two requirements so that an entity is not in violation of Requirement R4 when the entity
fails to comply with one of the two imbedded requirements (e.g. if the quality review is not performed but all
individuals were trained).
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R4 and added a new Part 1.5 under R1 to address your
concern. Part 1.5 calls for an annual review of the plan.
Constellation Power
Generation
No
The purpose of this requirement as currently worded is unclear. It seems to insinuate that a formal review of
the Operating Plan takes place annually, and that any and all personnel identified in the plant are part of the
review. If that is correct, then CPG believes this requirement is echoing Requirement 3. These two
requirements can be incorporated into one. Furthermore, the Measure for R4 is too prescriptive, going so far
as to specifically describe how this formal review should take place. It even states that the Responsible Entity
needs to present documentation showing that the personnel in the plan were trained, yet there is no
requirement for training. CPG would like the DSR SDT to revisit the purpose and intent of this requirement,
alone and in concert with R3. If they are indeed similar, then consolidate them into one requirement.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R4 and added a new Part 1.5 under R1 to address your
concern. Part 1.5 calls for an annual review of the plan.
Georgia System Operations
Corporation
No
With the current CAN on the definition of annual, we do not believe that the additional qualification that the
test shall be conducted "with no more than 15 calendar months between reviews" is necessary. Remove "with
no more than 15 calendar months between reviews."
Response: The DSR SDT thanks you for your comment. The SDT has revised the term annual to align with the definition in the NERC Compliance Application
Notice (CAN) CAN-0010.
SERC OC Standards Review
Group
Yes
We agree with the concept, but disagree with the use of the term Operating Plan as a defined term in line with
our comments in question 6 above.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes that the use of a defined term “Operating Plan” to describe the procedure to
identify and report the occurrence of a disturbance is appropriate and has revised Requirement R1 to remove the terms Operating Process and Operating
Procedure to eliminate confusion.
PJM Interconnection LLC
Yes
1. We agree with the concept but disagree with the use of the term Operating Plan as a defined term in line
with our comments to Question 6 above.
2. R4 attempts to define Annual for the Registered Entity to review its Impact Operating Plan. We believe R4
should follow the NERC definition of Annual as defined in the NERC Compliance Application Notice (CAN)
CAN-0010 Definition of Annual as opposed to creating a new definition of Annual or refer to an entity's
defined use of the term annual.
Response: The DSR SDT thanks you for your comment. Please see responses to question 6 above. The DSR SDT reviewed the NERC definition of Annual as
defined in the NERC Compliance Application Notice (CAN) CAN-0010. The NERC CAN provides drafting teams latitude to define annual within a Requirement as
they believe is appropriate in the context of a particular standard.
United Illuminating Co
Yes
As written it is a training burden. Certain persons will have only one step in one operating procedure to
perform. There is no necessity to review the entire Operating Plan with them. For example, Field Personnel
need to know that if they see something not right to report it immediately. In this instance there is no benefit
to review the Operating Procedure/Process for firm load shedding with them.
Response: The DSR SDT thanks you for your comment. The training requirement has been removed. The DSR SDT intends for each Responsible Entity to
verify that its Operating Process for communicating recognized events is correct so that the entity can respond appropriately in the case of an actual event.
The DSR SDT has removed R4 to eliminate potential confusion and redundancy around the training connotation.
Manitoba Hydro
Yes
Removing the extreme details within 30 days of revision and train before given responsibility and giving
leeway to when this training is necessary, will allow training to be integrated into other existing training
schedules. Inclusion of 5.3 and 5.4 would require unique set of time lines and additional resources to monitor
and implement.
Response: The DSR SDT thanks you for your comment. The training provisions of the standard have been removed.
Consideration of Comments on Disturbance & Sabotage Reporting – 2009-01
Organization
Yes or No
Question 9 Comment
Occidental Power Marketing
Yes
However, only LSEs with BES assets (or assets that directly support the BES) should be included in the
Applicability section of the standard.
Response: The DSR SDT thanks you for your comment. Attachment 1 specifies which types of events are required to be reported by each entity. LSE is
included here due to CIP-002-3 applicability.
Farmington Electric Utility
System
Yes
A review of the Impact Event Operating Plan can be interpreted as an informal examination of the plan. The
measure for R4 indicates evidence of a review, parties conducting the review AND when internal training
occurred. It should be clarified in R4 training is expected as part of the review for personnel with
responsibilities. This is an improvement from the previous 5.3 and 5.4, however, the team should consider
adding back, and review/training shall be conducted prior to assuming the responsibility in the plan.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R4 and added a new Part 1.5 under R1 to address your
concern. Part 1.5 calls for an annual review of the plan.
Ingleside Cogeneration LP
Yes
Yearly refresher training on the reporting process is appropriate. Ingleside Cogeneration also agrees that a
review with those individuals with assigned responsibilities under the Operating Plan is a better way to frame
the requirement.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R4 and added a new Part 1.5 under R1 to address your
concern. Part 1.5 calls for an annual review of the plan.
Indeck Energy Services
R4 is redundant with R3 and should be deleted. The Violation Risk Factor should be Low, if any, because
this is historical reporting, with little or no reliability consequence.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted Requirement R4 and revised R3. With the revised standard, there are now
three requirements. Requirement R1 specifies that the responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1.
This is procedural in nature and justifies a “lower” VRF. This requirement is administrative in nature and deals with the means to report events after the fact.
The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement to analyze events. This standard relates
only to reporting events. The analysis portion is addressed through the NERC Rules of Procedure and the Events Analysis Program. The two remaining
requirements in EOP-004-2 are to report events based on the specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan
once per year (R3). Requirement R2 specifies that an entity is responsible for reporting events in accordance with the Operating Plan based on Attachment 1.
Requirement R3 is insurance to make sure that an entity can communicate information about events. Requirement R2 specifies that the responsible entity
must report an event to the appropriate entities. Some of these events are dealing with potential sabotage events. Part of the reason to report these types of
events is to make other entities aware to help prevent further sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the
approved VRFs for each of the requirements is “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Northeast Power Coordinating
Council
Yes
Bonneville Power
Administration
Yes
Midwest Reliability
Organization
Yes
Western Electricity
Coordinating Council
Yes
Pacific Northwest Small Public
Power Utility Comment Group
Yes
PSEG Companies
Yes
Pepco Holdings Inc and
Affiliates
Yes
Midwest ISO Standards
Collaborators
Yes
Southern Company
Yes
SRP
Yes
SDG&E
Yes
New Harquahala Generating
Co.
Yes
APX Power Markets
Yes
Sweeny Cogeneration LP
Yes
American Electric Power
Yes
USACE
Yes
New Harquahala Generating
Co.
Yes
Independent Electricity
System Operator
Yes
ISO New England, Inc
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
CenterPoint Energy
Yes
PPL Electric Utilities
Yes
Lincoln Electric System
Yes
American Transmission
Company
Yes
Duke Energy
Yes
City of Tacoma, Department
of Public Utilities, Light
Division, dba Tacoma Power
Yes
No comments.
Brazos Electric Power
Cooperative
Yes
Progress Energy
Yes
10. Do you agree with the proposed revisions to Requirement 6 (now R5) and the use of either Attachment 2 or
the DOE-OE-417 form for reporting? If not, please explain why not and if possible, provide an alternative that
would be acceptable to you.
Summary Consideration: The slight majority of commenters suggested revisiting R2 and R5 to eliminate potential
redundancy and confusion. The intent of the two requirements is to have entities utilize the DOE Form OE-417 to
report events listed on Attachment 1. If the entity completes DOE Form OE-417 to report an event, it does not
have to transcribe the same information onto Attachment 2 but may be required to submit the form to the DOE and
NERC. By eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the requirements.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the
events listed in Attachment 1.
Organization
Yes or No
Question 10 Comment
Northeast Power Coordinating
Council
No
R5 stipulates the use of Attachment 2 or the DOE-417, which is the vehicle for reporting only. This is the how
part, not the what. The vehicle for reporting can easily be included in R2 where an entity is required to
implement (execute) the Operating Plan upon detection of an Impact Event. Suggest combining R2 with
R5.
Response: The DSR SDT thanks you for your comment. The DSR SDT has also eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential
redundancy.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
Dominion
No
Dominion does not agree because the Requirement is too restrictive giving the Responsible Entity the choice
on reporting forms as either Attachment 2 or DOE OE-417. The use of Attachment 2 or DOE OE-417 may be
appropriate when reporting to NERC, however, Requirement R 1.3.2 requires the Responsible Entity's Impact
Event Operating Plan to address notifications to non-NERC entities such as Law Enforcement or
Governmental Agencies. It is likely that these organizations have specific reporting requirements or forms
that will not line up the options prescribed in Requirement R5. Suggest revising Requirement R5 to not require
the use of these two forms as the only options. If these 2 forms are used, suggest aligning the Event names in
Attachment 1 to be similar to the criteria for filing event names in the DOE OE-417 to allow for consistency.
Also suggest aligning the time to submit for similar event names in each form.
Response: The DSR SDT thanks you for your comment. The DSR SDT has revised Attachment 1 to indicate that entities must submit Attachment 2 or the DOE
OE-417 form. This information was contained in Requirement 5. The intent of the two requirements is to have entities make appropriate notifications and report
events contained in Attachment 1. By eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the requirements while eliminating
potential confusion and redundancy.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
The DSR SDT has enhanced Attachment 1 and clarified the intent of each event, threshold and reporting time limits. The DSR SDT removed the column, Time to
Submit Report and replaced it with Submit Attachment 2 or DOE OE-417 Report.
SPP Standards Review Group
No
We feel there is redundancy between R2 and R5. To eliminate this redundancy, we propose to take the
phrase "using the form in Attachment 2 or the DOE OE-417 reporting form" and adding it at the end of R2.
Then what is left of R5 could be deleted. The new R2 would read "Each Responsible Entity shall implement its
Impact Event Operating Plan documented in Requirement R1 for Impact Events listed in Attachment 1 (Parts
A and B) using the form in Attachment 2 or the DOE OE-417 reporting form."
Response: The DSR SDT has revised Attachment 1 to indicate that entities must submit Attachment 2 or the DOE OE-417 form. This information was contained
in Requirement 5. The intent of the two requirements is to have entities make appropriate notifications and report events contained in Attachment 1. By
eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the requirements while eliminating potential confusion and redundancy.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
Midwest ISO Standards
Collaborators
No
Requirement 2 and Requirement 5 appear to be very similar. Requirement 2 requires implementation of the
Operating Plan, Operating Process and/or Operating Procedure in Requirement 1. The Operating Procedure
requires gathering and reporting of information for the form in Attachment 2. What does Requirement 5 add
that is not already covered in Requirement 2 except the ability to use the DOE OE-417 reporting form which
Response: The DSR SDT thanks you for your comment. The intent of the two requirements is to have entities utilize the DOE Form OE-417 to report events
listed on Attachment 1. If the entity completes DOE Form OE-417 to report an event, they do not have to transcribe onto attachment 2 but may be required to
submit it to the U.S. Department of Energy (DOE) and NERC. By eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the
requirements.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
FirstEnergy
No
We believe that Requirement 5 does not warrant a Medium risk factor. Not using a particular form is strictly
administrative in nature and the VRF should be Low.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement R1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can
communicate information about events. Requirement R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
PJM Interconnection LLC
No
R5 seems redundant as R2 already requires an entity to report any Impact Events by executing/implementing
its Impact Event Operating Plan. R5 merely stipulates the use of Attachment 2 or DOE-417, which an entity
automatically would use for reporting purposes while implementing its Impact Event Operating Plan.
Response: The DSR SDT thanks you for your comment. The intent of the two requirements is to have entities utilize the DOE Form OE-417 to report events
listed on Attachment 1. If the entity completes DOE Form OE-417 to report an event, they do not have to transcribe onto attachment 2 but may be required to
submit it to the U.S. Department of Energy (DOE) and NERC. By eliminating R2 and revising R5 (now R2), the DSR SDT has maintained the intent of the
requirements.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
Exelon
No
Agree that each Responsible Entity should be able to use either Attachment 2 or the DOE OE-417 form for
reporting; however, a GO/GOP will not have the ability to respond to Attachment 2 Task numbers 8, 9, 10, 11,
and 12. Suggest that the DSR SDT either evaluate a shortened form version, provide a note or provision for
"N/A" based on registration, or revise form to be submitted by the most knowledgeable functional entity (e.g.,
TOP or RC). Need clear guidance as to which form is to be used for which Impact Event, we feel that one and
only one form should be used to eliminate confusion. Attachment 2 has an asterisk on #s 7, 8, 9, 10 and 11
there is no reference corresponding to it.
Response: The DSR SDT thanks you for your comment. The DSR SDT has updated Attachment 2 per comments received.
Tenaska
No
R5 should be changed to "Each Responsible Entity shall report Impact Events listed in Attachment 1 using the
form in Attachment 2 or the DOE OE-417 reporting form." This revised version of the proposed R5 is the only
Requirement that is necessary to achieve the stated purpose of Project 2009-01. The proposed R1 through
R4 should be deleted and R5 should be changed to R1.
Response: The DSR SDT thanks you for your comment. The SDT agrees the reporting is a fundamental aspect, but the operation plans are an integral piece of the
BES. The DSR SDT believes that the revisions created will provide clarity for the requirements. Please see the revised standard.
American Municipal Power
No
R5 is not an acceptable requirement, but it can be improved. Each Responsible Entity shall report "Impact
Events" to _____________ (address specified in attachment 1, website, entity, email address, or fax, etc.)
Focusing on a plan and procedure is overly prescriptive. The only requirement should be to have an entity
submit a report. Let the entity decide how they want to implement the reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT has eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential
redundancy. The SDT agrees that the Registered Entity can decide on how to implement the reporting; however, this requirement mandates that the
Registered Entity document its process.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
Arkansas Electric Cooperative
Corporation
No
We appreciate the effort the team has taken in improving the requirements since the last posting. For R5, we
suggest including the reporting form as part of the plan in R1. Otherwise, a violation of R5 would also indicate
a violation of R2.
Response: The DSR SDT thanks you for your comment. The DSR SDT has also eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential
redundancy.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
American Electric Power
No
This should be one-step covered by the implementation in requirement 2. We like the ability to use one form
(i.e. NERC Attachment 2 or the DOE-417); however, we would prefer to have this information only be
reported once.
Response: The DSR SDT thanks you for your comment. EOP-004-2 allows entities to utilize the DOE Form OE-417 to report events listed on Attachment 1. If
the entity completes DOE Form OE-417 to report an event, they do not have to transcribe onto attachment 2 but may be required to submit it to the U.S.
Department of Energy (DOE) and NERC.
Consumers Energy
No
We understand that DOE is migrating to an on-line reporting facility rather than the email-submitted OE-417.
If they do so, Form OE-417 will not be available for providing to NERC, and the reporting specified by EOP-004
will be duplicative of that for DOE. We recommend that NERC, RFC and the DOE work cooperatively to
enable a single reporting system in which on-line reports are made available to all appropriate parties.
Response: The DSR SDT thanks you for your comment. The SDT agrees with the concept of the single reporting template and is working with other agencies to
see if the single form would be achievable.
Independent Electricity System
Operator
No
R5 stipulates the use of Attachment 2 or the DOE-417, which is the vehicle for reporting only. This is the how
part, not the what. The vehicle for reporting can easily be included in R2 where an entity is required to
implement (execute) the Operating Plan upon detection of an Impact Event. We suggest the SDT combine R2
with R5.
Response: The DSR SDT thanks you for your comment. The DSR SDT has also eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential
redundancy.
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1.
Ameren
No
The "Responsible Entity" should be limited to those functions with the most oversight such as the BA, RC, or
TOP. Otherwise there will be multiple DOE OE-417 reports sent by multiple entities.
Response: Thank you for your comments. The DSR SDT has reviewed and updated the entities that need to report an event. Some have been reduced to a
single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the ERO and others
with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received.
ISO New England, Inc
No
R5 stipulates the use of Attachment 2 or the DOE-417, which is the vehicle for reporting only. This is the how
part, not the what. The vehicle for reporting can easily be included in R2 where an entity is required to
implement (execute) the Operating Plan upon detection of an Impact Event. We suggest the SDT combine R2
with R5.
Response: The DSR SDT thanks you for your comment. The DSR SDT has also eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential
redundancy.
Calpine Corp
No
The use of DOE OE-417 is acceptable, but the language of Requirement R5 should be modified. The
disturbance event form must be filled out correctly, irrespective of the requirements of an Entity's Impact
Event Operating Plan. Reference to that Plan does not add clarity to the requirement to report events. The
requirement should delete the reference to the "Impact Event Operating Plan" and simply state: "Each
Responsible Entity shall report events listed in Attachment 1 using the provided form, or where also required
to complete the current version of DOE OE-417, that form." Although one of the primary stated purposes of
the original SAR was to simplify the reporting process by creating a single form, the fact that some entities are
already required to report substantially identical information to DOE argues for retention of the use of the DOE
form.
Response: The DSR SDT thanks you for your comment. DSR SDT has deleted requirement 2 and revised requirements R1 and R5 (now R2) to address your
concern. The entire Attachment 1 has been updated to reflect the comments that were received.
BGE
No
Language needs to be more specific on when to use Attachment 2 or DOE-OE-417.
Response: The DSR SDT thanks you for your comment. Attachment 2 should be the normal reporting vehicle unless the entity is required to submit an OE-417
to the DOE. This keeps the entity from having to file two distinctly different reports for the same event.
Alliant Energy
No
We believe Attachment 2 should be deleted, and NERC should work with the DOE to have one form for all
events, if possible. It makes the reporting procedure much simpler, only having to use one form.
Response: The DSR SDT thanks you for your comment. EOP-004-2 allows entities to utilize the DOE Form OE-417 to report events listed on Attachment 1. If the
entity completes DOE Form OE-417 to report an event, they do not have to transcribe onto attachment 2 but may be required to submit it to the U.S. Department
of Energy (DOE) and NERC. The DSR SDT is currently working with the DOE to make revisions to Form OE-417 that would achieve the objective of your
comment. We will continue to pursue this.
ExxonMobil Research and
Engineering
No
The notification requirement and documentation in Attachment 1 do not clearly identify which entities need to
be notified for each type of event detailed in Attachment 1. While it makes sense to notify the Reliability
Coordinator, NERC, Regional Entity, Law Enforcement and other Governmental Agencies for sabotage type
events, it does not seem proper to notify Law Enforcement agencies of a system disturbance that is unrelated
to improper human intervention. Furthermore, it is our belief that a time frame of 1 hour is a short window for
making a verbal notification to third parties, and an impossibly short window for requiring the submittal of a
completed form regardless of the simplicity. When a Petrochemical Facility experiences an impact event, the
initial focus should emphasize safe control of the chemical process. For those cases where registered
entities are required to submit a form within 1 hour, the Standard Drafting Team should alter the requirement
to allow for verbal notification during the first few hours following the initiation of an Impact Event (i.e. allow
the facility time to appropriately respond to and gain control of the situation prior to making a notification which
may take several hours) and provide separate notifications windows for those parties that will need to respond
to an Impact Event immediately and those entities that need to be informed that one occurred for the
purposes of investigating the cause of and response to an Impact Event. For example, a GOP should
immediately notify a TOP when it experiences a forced outage of generation capacity as soon as possible, but
there is no immediate benefit to notify NERC when site personnel are responding to the event in order to gain
control of the situation and determine the extent of the problem. The existing standards requirement to file an
initial report to entities, such as NERC, within 24 hours seems reasonable provided that proper real time
notifications are made and the Standard Drafting Team reinstates EOP-004 Revision 1's Requirement 3.3,
which allows for the extension of the 24 hour window during adverse conditions, into the requirement section
of EOP-004 [the current revision locates this extension in Attachment 1, which, according to input received
from Regional Entities, means that the extension would not be enforceable].
Response: The DSR SDT thanks you for your comment. The SDT envisions that each Registered Entity will develop Operating Plan(s) appropriate to meet its
obligations as outlined in the standard. The SDT doesn’t feel it necessary to prescribe to the Registered Entity any particular interpretation on how to achieve
compliance, including who the information should be reported to. The entire Attachment 1 has been updated to reflect the comments that were received.
American Transmission
Company
No
Attachment 2, Task #14 in the report should be modified to read, "Identify any known protection system
misoperation(s)." If this report is filed quickly, there is not enough time to assess all operations to determine
any misoperation. As a case in point, it typically takes at least 24 hrs. to receive final lightning data; therefore,
not all data is available to make a proper determination of a misoperation.
Response: The DSR SDT thanks you for your comment. The entire Attachment 1 has been updated to reflect your comment.
Constellation Power Generation
No
The requirements for filling out the DOE-OE-417 form are not necessarily the same as the requirements
prescribed in Attachment 1. CPG suggests that the drafting team create a new requirement, spelling out when
an entity is required to complete the DOE-OE-417 form.
Response: The DSR SDT thanks you for your comment. Any entity that is obligated to submit Form OE-417 may submit that completed form to NERC in lieu of
Attachment 2.
Georgia System Operations
Corporation
No
R5: This standard should not require all Responsible Entities to report the same event. Entities should be
allowed to report in a hierarchical manner. They should be allowed to coordinate impact event plans and
include in their plans the entity that has the responsibility for reporting various events. Flexibility should be
allowed to provide different reporting entities depending on the type of event. In R5, does "each Responsible
Entity shall report Impact Events in accordance with the Impact Event Operating Plan" allow this hierarchical
reporting and flexibility? An entity should be allowed to report to another operating entity by whatever
reporting form or mechanism works and then the other entity reports to NERC using the required NERC or
DOE form. Add "To the extent that a Responsible Entity had an Impact Event," at the beginning of R5 and
M5.
Response: The DSR SDT thanks you for your comment. Each entity is required to report their portion of the event, however they can coordinate. The DSR SDT
has reviewed and updated the entities that need to report an event. Some have been reduced to a single entity where others have multiple entities. These
multiple entities will have different views of the event, and will be able to provide the ERO and others with different views of what has happened. The DSR SDT
understands that there may be multiple reports (for certain events) that are required by different government agencies. NERC will continue to streamline the
reporting process as we move into the future. The DSR SDT has also eliminated R2 and revised R5 (now R2) for clarity and to eliminate potential redundancy.
Indeck Energy Services
No
The Violation Risk Factor should be Low, if any, because this is historical reporting, with little or no reliability
consequence.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement R1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can
communicate information about events. Requirement R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Bonneville Power Administration
Yes
Reporting form OK. Note that the Frequency Maximum/Minimum Section should be clarified. A Gen Loss
doesn't usually experience a high (maximum) frequency, just the low immediately following the event.
Response: The DSR SDT thanks you for your comment.
Midwest Reliability Organization
Yes
This will reduce any double reporting to the ERO and FERC.
PPL Supply
Yes
Reporting consistency and timelines may need to be reviewed for example: Fuel Supply Emergency - OE-417
requires reporting within 6 hours / Attachment 1 Part B requires reporting within 1 hour.
Response: The DSR SDT thanks you for your comment. The DSR SDT has significantly revised Attachment 1 and deleted Fuel Supply Emergency from
Attachment 1. This item was removed in coordination with the NERC Events Analysis Working Group and the proposed Events Analysis Program. All events are
now to be reported within 24 hours with the exception of Destruction of BES equipment, Damage or destruction of Critical Assets and Damage or destruction of
Critical Cyber Asset events in Part A and Forced Intrusion, Risk to BES equipment and Detection of a reportable Cyber Security Incident in Part B.
SERC OC Standards Review
Group
Yes
We agree with the concept, but disagree with the use of the term Operating Plan as a defined term in line with
our comments in question 6 above.
Response: The DSR SDT thanks you for your comment. The SDT agrees with your viewpoint and believes that your statement is consistent with the intent of the
requirement. (refer to question 6)
United Illuminating Co
Yes
Put it’s before Impact Event Operating Plan.
Response: The DSR SDT thanks you for your comment. Please see the revised standard.
Manitoba Hydro
Yes
The DOE-OE-417 appears more intuitive and descriptive (and on line ability), but having the either or option is
fine. DOE-OE-417 Form is mentioned several times in this Standard, but no link to this document.
Response: The DSR SDT thanks you for your comment. Please see the revised standard.
CenterPoint Energy
Yes
CenterPoint Energy agrees with the idea of streamlining the reporting process through the use of existing
report forms. However, as noted in the response to Question 11, the Company has concerns about the DOE
OE-417 Form, specifically the timeframes in which to submit reports. CenterPoint Energy will be making the
same recommendation to extend reporting timeframes during the DOE OE-417 report revision process when
the current form expires on 12/31/11. Any future changes to the DOE Form could also impact reporting for
this requirement.
Response: The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes in Attachment 1 have been updated to reflect the
comments that the DSR SDT received. The DOE Form OE-417 is under review by the U.S. Department of Energy (DOE) and can be updated or changed without
NERC’s involvement. The DSR SDT has taken into consideration the use of OE-417 to report events to NERC and agrees that this will fulfill EOP-004-2’s reporting
requirements.
PPL Electric Utilities
Yes
We would like to suggest the language be changed such that submission via a NERC system would be
acceptable in addition to the use of the Attachment 2 Form or the DOE OE-417 form. The standard would
then accommodate the proposed revision to NERC Rules of Procedure 812. NERC will establish a system to
collect impact events reports??
Response: The DSR SDT thanks you for your comment. The SDT expects any system would facilitate the reporting to organizations specified in the submitted
report. Until such time that the system can be established, the Registered Entity will be obligated to make the notifications as specified in its Operating Plan(s).
The DSR SDT is currently working with the U.S. Department of Energy (DOE) to make revisions to Form OE-417 that would achieve the objective of your
comment, and will continue to pursue this.
Ingleside Cogeneration LP
Yes
Although our preference would be to have a single form, Ingleside Cogeneration realizes that is not likely in
the near term. We would like to see that remain as a goal of the project team or the ERO.
Response: The DSR SDT thanks you for your comment. The DSR SDT is currently working with the DOE to make revisions to Form OE-417 that would
achieve the objective of your comment, and will continue to pursue this.
Duke Energy
Yes
There is so much overlap between Attachment 2 and the DOE OE-417 that we believe the DOE OE-417
should be revised to include the additional items that must be reported to NERC, so that there is only one
form to submit to NERC and DOE.
Response: The DSR SDT thanks you for your comment. The DSR SDT is currently working with the DOE to make revisions to Form OE-417 that would achieve
the objective of your comment, and will continue to pursue this.
Western Electricity Coordinating
Council
Yes
Pacific Northwest Small Public
Power Utility Comment Group
Yes
PSEG Companies
Yes
Pepco Holdings Inc and Affiliates
Yes
Southern Company
Yes
SRP
Yes
We Energies
Yes
Compliance & Responsibility
Organization
Yes
SDG&E
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Liberty Electric Power LLC
Yes
Sweeny Cogeneration LP
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Platte River Power Authority
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
Yes
Brazos Electric Power
Cooperative
Yes
11. Do you agree with the proposed revisions to Attachment 1? If not, please explain why not and if possible,
provide an alternative that would be acceptable to you.
Summary Consideration: Most commenters expressed concerns with the reporting times listed in Attachment 1. Upon
review of comments received concerning Attachment 1, the DSR SDT did a thorough review and updated the entire document,
along with all Footnotes. The DSR SDT removed the column, Time to Submit Report and replaced it with Submit Attachment 2
or DOE OE-417 Report. There were many noted comments that a one hour reporting time frame does not coincide with an
after the fact reporting Standard. The DSR SDT reviewed each time frame to report and has extended most of the time frames
to 24 hours. There are a few events that have a one hour reporting requirement that was not changed because these are
events that would generally be reported to law enforcement authorities and prompt reporting is in the interest of BES reliability.
Duplicate reporting of events was minimized where possible. There are several events that will require reporting by multiple
entities to achieve a complete enough picture to facilitate industry awareness.
Organization
Yes or No
Question 11 Comment
Georgia Transmission Corporation & Oglethorpe Power Corporation
No
As stated above in response to question 6, we believe that a column should be added to the tables to
explicitly indicate what external organizations should receive the communications of a particular Impact Event
type. Additionally we have concerns with the following table items: Threshold for reporting Transmission Loss:
As stated, this will require the reporting of almost all transmission outages. This is particularly true taking into
consideration the current work of the drafting team to define the Bulk Electric System. The loss of a single
115kV network line could meet the threshold for reporting as the definition of Element includes both the line
itself and the circuit breakers. Instead, we recommend the following threshold "Three or more BES
Transmission lines." This threshold has consistency with CIP-002-4 and draft PRC-002-2. This threshold
also needs additional clarification as to the timeframe involved. Is the intent the reporting of the loss of 3 or
more BES Transmission Elements anytime within a 24 hour period or must they be lost simultaneously?
Also, we recommend that these three losses be the result of a related event to require reporting. Entity with
Reporting Responsibility for Loss of Off-site power to a nuclear generating plant (grid supply): The reporting
responsibility should clarify that this is only entities included in the Nuclear Plant Interface Requirements.
Response: The DSR DT thanks you for your comment. Upon review the DSR SDT has included a column to indicate the minimum parties who are required to
receive the entity’s notification. The Threshold for Reporting has been updated to reflect comments that have been received.
Northeast Power Coordinating Council
No
As indicated under Question 4, we question the need to include IA, TSP and LSE in the responsible entities
for reporting.
Response: The DSR DT thanks you for your comment. The DSR SDT has established that CIP-002 and CIP-008 are applicable to an IA, TSP, and LSE.
These entities will report a Cyber Security Incident per Attachment 2 (or OE-417) as the vehicle to inform the ERO, their Regional Entity and their Reliability
Coordinator.
Bonneville Power Administration
No
Generally OK, but there are too many events to report. The loss of 3 BES elements for a large geographic
entity for a (5 county?) windstorm that has little impact to the system is not needed. 3 elements within the
same minute could be acceptable and 6? elements still out within an hour ... or something to that effect could
work.
Response: The DSR DT thanks you for your comment. Upon review the DSR SDT has included a column to indicate the minimum parties who are
required to receive the entity’s notification. The Threshold for Reporting has been updated to reflect comments that have been received.
Midwest Reliability Organization
No
1) Section 9 of the Impact Reporting Form states: "List transmission facilities (lines, transformers, busses,
etc.) tripped and locked out.” But Part A of Attachment 1 states: "Three or more BES Transmission
Elements.” a. Should section 9 state: "List transmission facilities (lines, transformers, busses, etc.) tripped or
locked out"? b. Should section 9 state: "List transmission elements (lines, transformers, busses, etc.) tripped
or locked out"? This will align the reporting criteria with the actual reporting form. 2) Section 13 of the Impact
Reporting Form states: "Identify the initial probable cause or known root cause of the actual or potential
Impact Event if know at the time of submittal of Part I of this report:.” Recommend that "of Part I" be removed
since there is no Part 2. 3) Every Threshold in attachment 1 gives a clear measurable bright line, except:
“Transmission Loss”. As presently written “Three or more BES Transmission Elements” could imply that a
Report will be required to be submitted if a BES transmission substation is removed from service to perform
maintenance. Or there could be three separate elements within a large substation that are out of service (and
don’t affect each other) that will require a Report. Upon review of the TPL standards, there are normally
planned items that our industry plans for. It is recommended that the Threshold for Reporting of Transmission
Loss be enhanced to read: “Two or more BES Transmission Elements that exceed TPL Category D operating
criteria or its successor”. This threshold now is based on an actively enforced NERC Standard, and each RC
and TOP are aware of what this bright line is.
Response: The DSR DT thanks you for your comment. Upon review the DSR SDT has included a column to indicate the minimum parties who are
required to receive the entity’s notification. The Threshold for Reporting has been updated to reflect comments that have been received. Attachment 2 has been
updated to reflect the changes noted in your comments and changes per the received comments.
PPL Supply
No
Recommendation: Add a column in Attachment 1 to acknowledge the events that require a OE-417 Report
and list the number under Schedule 1 that required Form OE-417 Report. This would add accuracy and
consistency among reporting entities.
Response: The DSR DT thanks you for your comment. The DOE Form OE-417 is under review by the DOE and can be updated or changed without
NERC’s involvement. The DSR SDT has taken into consideration the use of OE-417 to report events to NERC and agrees that this will fulfill EOP-004-2’s reporting
requirements.
Pacific Northwest Small Public
Power Utility Comment Group
No
The comment group is composed of smaller entities that do not all maintain 24/7 administrative support. While
many of the 1 hour reporting thresholds do not affect us, some do. Others may come into play as standards
are revised, such as the CIPs. We ask the SDT to consider the identification or verification that starts the
clock on these may come at inopportune times for meeting a one hour deadline for these entities. Restoration
may be delayed in an attempt to meet these time limits. Safety should always be the number one priority, and
restoration and continuity of service second. We see reporting of these events much further down the list. We
note that FERC order 693, paragraph 471 does not dictate a specific reporting time period and therefore we
suggest timing requirements that promote situational awareness but allow smaller entities needed flexibility.
FERC order 693, paragraph 470 directed the ERO to consider “APPA’s concerns regarding events at
unstaffed or remote facilities, and triggering events occurring outside staffed hours at small entities.” Our
comment group does not believe the SDT has adequately responded to APPA’s concerns but rather took the
1 hour Homeland security requirement referenced in paragraph 470 verbatim. While a report within an hour
might be ideal, it is not always practicable. We suggest: 1) as soon as possible after service has been
restored to critical services within the service territory, or 2) By the COB the first business day after
discovery. Our comment group realizes the difficulty in wording standards/requirements that lump small
entities in with larger ones and we believe our suggestion achieves some balance. Expecting smaller entities
to achieve timing requirements that can only be normally met under ideal conditions at large entities is not
feasible or fair.
Response: The DSR DT thanks you for your comment. Upon review the DSR SDT has included a column to indicate the minimum parties who are
required to receive the entity’s notification. The Threshold for Reporting has been updated to reflect comments that have been received. EOP-004-2 requires an
entity to “push” information to certain parties for industry awareness. Since this Standard is an after the fact reporting Standard, reporting times for a majority of
event types have been extended to allow the impacted entity to recover from the event and then report. The
starting time to report is upon an entity’s recognition of the event, per Submit Report column of Attachment 1.
PSEG Companies
No
For the reasons cited in response to question 4 above the language roles and responsibilities remain
inconsistent and unclear. The Time to Report changes are unreasonable and there is significant duplicate
reporting required.
Response: The DSR DT thanks you for your comment. Upon review the DSR SDT has included a column to indicate the minimum parties who are
required to receive the entity’s notification. The Threshold for Reporting has been updated to reflect comments that have been received. EOP-004-2 requires an
entity to “push” information to certain parties for industry awareness. Since this Standard is an after the fact reporting Standard, reporting times for a majority of
event types have been extended to allow the impacted entity to recover from the event and then report.
Dominion
No
1) A particular Event could be applicable to multiple entities and Attachment 1 would require each applicable
entity to report the event. This is duplicative and would appear to overburden the reporting system. 2) Loss
of off-site power (grid supply) reporting for nuclear plants is duplicative of reporting done to satisfy NRC
requirements. Given the activity at a nuclear plant during this event, this additional reporting is not desired.
3) Cyber intrusion remains an event that would need to be reported multiple times (e.g., this standard, OE-417, NRC requirements, etc.). 4) Since external reporting for other regulators (e.g., DOE, NRC, etc.) remains
an obligation of the Applicable Entity, suggest that Attachment 1 only contain impact events as defined in the
current version of EOP-004.
Response: The DSR DT thanks you for your comment.
The DSR SDT has reviewed and updated the functional entities that need to report an event.
Some have been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to
provide the ERO and others with a different view of what has happened. The DSR SDT understands that there may be multiple reports (for certain events) that
are required by different governing agencies. NERC will continue to streamline the reporting process in the future.
Pepco Holdings Inc and Affiliates
No
The entity responsible for reporting is not clear. Is the initiating entity the same as requesting entity or
implementing entity? In the paper it indicates the DT intent is for the entity that performs the action or is
directly affected will report. It seems that the proposal would result in a significant amount of duplicate
reporting.
Response: The DSR DT thanks you for your comment. The DSR SDT believes it is clear that the reporting entity is the entity that experiences an event or
initiates the event (per Threshold for Reporting in Attachment 1). The DSR SDT will ensure that the supporting guideline clearly states this. The DSR SDT has
reviewed and updated the entities that need to report an event. Some have been reduced to a single entity where others have multiple entities. These multiple
entities will have different views of the event, and will be able to provide the ERO and others with a different view to what has happened.
SPP Standards Review Group
No
Threshold for Reporting – Some of the thresholds used to trigger event reporting seem arbitrary. For example,
why were three BES Transmission Elements selected for the transmission loss trigger? What’s significant
with three? There may be situations where one element can impact reliability more than other situations
where three or more lines may be lost. The defining line should be impact to reliability, not a simple count of
elements. Also, timing of the loss of these elements is important. If the three elements are lost over a 3-day
span, does this trigger an event report? We would think not and would like to see that clarification in the
standard. Public appeals – Some entities may utilize load reduction (Demand Response, interruptible loads,
etc) in the normal course of daily operation in lieu of committing additional generation resources. Because this
is not an Energy Emergency as defined in the NERC Glossary, would such an event trigger the filing of an
Impact Event report under EOP-004-2? We would like clarification on this issue. Multiple entity reporting
responsibility – Several of the triggering events in Attachment 1 list multiple entity reporting responsibility. The
SDT needs to clarify precisely who has the actual reporting responsibility for those events. For example, if a
DP loses ≥ 300 MW (or ≥ 200 MW depending on size) of load who files the report? Is it the DP, TOP, BA or
RC? Attachment 1 would lead us to believe all four are required to file reports. This redundancy is
unnecessary and creates unneeded paperwork. Surely this redundancy is not the intent of the SDT. Reporting
timeframe – The timeframes for reporting these after-the-fact reports need to be thoroughly reviewed and, we
believe, realigned. Which is more important to the reliability of the BES, operating and controlling the BES
following an Impact Event or filing a report describing that event? Most operating desks are staffed by a single
operator at nights and on weekends. Their focus should be on operating the system, not filing a report with
NERC or DOE within one hour. There appears to be inconsistency in the reporting times among the triggering
events. There doesn’t appear to be any logic regarding how the times were selected. Shouldn’t impact to the
reliability of the BES be that basis? Why is a BA with 50 MW of load who makes a public appeal to customers
for load reduction required to report within 1 hour while an IROL violation doesn’t need to be reported for 24
hours? Clearly the IROL violation has a greater impact on the reliability of the BES. Therefore, shouldn’t
these types of reports be filed sooner than those events with less impact on BES reliability? Risk to BES
equipment – The Threshold for Reporting this event indicates that only those events associated with a non-environmental physical threat should be reported. The train derailment example in the footnote then
conversely describes just such an environmental threat with flammable or toxic cargo. Which should it be?
Additionally, how does one determine the applicability of a potential threat? Is this time dependent, is it threat
dependent, how do we factor all this in?
Response: The DSR DT thanks you for your comment. The DSR SDT believes it is clear that the reporting entity is the entity that experiences an event or
initiates the event (per Threshold for Reporting in Attachment 1). The DSR SDT will ensure that the supporting guideline clearly states this. The DSR SDT has
reviewed and updated the entities that need to report an event. Some have been reduced to a single entity where others have multiple entities. These multiple
entities will have different views of the event, and will be able to provide the ERO and others with a different view to what has happened. The entire Attachment
1 has been updated to reflect the comments that were received.
FirstEnergy
No
Nuclear facilities should be explicitly excluded from the events which have CIP standards as the threshold for
reporting since they are exempt from the CIP standards.
Response: The DSR DT thanks you for your comment. The DSR SDT understands that nuclear facilities are exempt from CIP Standards but the Loss of
Off Site Power to a nuclear generating plant is a Transmission Owner’s and Transmission Operator’s responsibility and needs to be reported to the ERO and their
Regional Entity for the follow up as described by the Event Analysis Program.
SERC OC Standards Review
Group
No
While we agree with the changes made, we do not believe the goal of eliminating duplicate reporting has
been accomplished. In addition, the threshold for transmission loss does not adequately translate to previous
“loss of major system components” which had a threshold of “significantly affects the integrity of
interconnected system operations”.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received.
PJM Interconnection LLC
No
There is still a significant amount of duplicate reporting involved in Attachment 1, which needs to be cleared.
See comments to Question 4.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received.
We Energies
No
It appears that the footnotes only apply one place in the table. Place the footnote in the table where it
applies. Voltage Deviations on BES Facilities: 10% compared to what? Rated? Forced Intrusion: “At a BES
facility” facility or Facility?
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. The
Footnotes have been reviewed and updated per comments received.
LG&E and KU Energy LLC
No
In Attachment 1, the existing EOP-004-1 Attachment 1, point 6 includes an “Or” for the entities (RC, TOP,
GOP) for a, b and c. The way the SDT has pulled this apart, they have included the GOP as having an
impact on the Voltage Deviations on BES Facilities. The TOP monitors the transmission system and directs
GOPs when they need to change in order to protect the system reliability. This is not something the GOP is
responsible for monitoring. The GOP is required to be at the TOP assigned voltage schedule and that
actually falls under VAR-002 already. Please remove the GOP from the line of “Voltage Deviations on BES
Equipment.” The way EOP-004-1 Attachment 1 point 6 is currently written, the GOP is an “or” and does fall
into parts b or c, where part 6b is similar to the proposed line “Damage or destruction of BES equipment”
identified in the proposed EOP-004-2 Attachment 1. However, currently the GO/GOP reports “Loss of Major
System Components” on EOP-004-1 within 24 hours of determining damage to the equipment. The
proposed “One hour” is too tight of a window as the GO/GOP often do not know the extent of damage that
soon. Typically the OEM is called upon to come and do a thorough inspection and assess the extent of
damage, or if there even is any damage; once the “loss of major system components” is determined, then
the 24 hour clock begins today.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received.
Compliance & Responsibility
Organization
No
See comments set forth in number 2
Exelon
No
Attachment 1, Part A – Energy Emergency requiring Public appeal for load reduction – In the current draft
Standard, the applicability has been revised from an RC and BA to "initiating entity.” As a GO/GOP, I cannot
see any event where a GO/GOP would be the responsible "initiating entity" or have the ability to determine an
"Energy Emergency.” Suggest revising back to specific entities that would be likely responsible for this action
(e.g., RC, BA, TOP). Attachment 1, Part A – Energy Emergency requiring system-wide voltage reduction – In
the current draft Standard, the applicability has been revised from an RC, TO, TOP, and DP to "initiating
entity.” As a GO/GOP, I cannot see any event where a GO/GOP would be the responsible "initiating entity" or
have the ability to determine an "Energy Emergency" related to system-wide voltage reduction. Suggest
revising back to specific entities that would be likely responsible for this action. Attachment 1, Part A – Voltage
Deviations on BES facilities - A GOP may not be able to make the determination of a +/- 10% voltage
deviation for ≥ 15 continuous minutes, this should be a TOP RC function only. Attachment 1, Part A –
Generation Loss of ≥ 2,000 MW for a GOP does not provide a time threshold. If the 2,000 MW is from a
combination of units in a single location, what is the time threshold for the combined unit loss? Suggest that a
time threshold be added for clarity. Attachment 1, Part A – Loss of off-site power (grid supply) affecting a
nuclear generating station – this event applicability should be removed in its entirety for a Nuclear Plant
Generator Operator. The impact of loss of off-site power on a nuclear generation unit is dependent on the
specific plant design, if it is a partial loss of off-site power (per the plant specific NPIRs) and may not result in
a loss of generation (i.e., unit trip). If a loss of off-site power were to result in a unit trip, an Emergency
Notification System (ENS) would be required to the Nuclear Regulatory Commission (NRC). Depending on
the unit design, the notification to the NRC may be 1 hour, 8 hours or none at all. Consideration should be
given to coordinating such reporting with existing required notifications to the NRC as to not duplicate effort or
add unnecessary burden on the part of a Nuclear Plant Generator Operator during a potential transient on the
unit. In addition, if the loss of off-site power were to result in a unit trip, if the impact to the BES were ≥2,000
MW, then required notifications would be made in accordance with the threshold for reporting for Attachment
1, Part A – Generation Loss. However, to align with the importance of ensuring nuclear plant safe operation
and shutdown as implemented in NERC Standard NUC-001, if a transmission entity experiences an event
that causes an unplanned loss of off-site power (source) as defined in the applicable Nuclear Plant Interface
Requirements, then the responsible transmission entity should report the event within 24 hours after
occurrence. In addition, replace the words "grid supply" to "source" to ensure that notification occurs on an
unplanned loss of one or multiple sources to a nuclear power plant. Suggest rewording as follows (including
replacing the words "grid supply" to "source" and adding in the word "unplanned" to eliminate unnecessary
reporting of planned maintenance activities in the table below):
Event: Unplanned loss of off-site power to a Nuclear generating plant (source) as defined in the applicable Nuclear Plant Interface Requirements (NPIRs)
Entity with Reporting Responsibility: Each transmission entity responsible for providing services related to NPIRs (e.g., RC, BA, TO, TOP, TO, GO, GOP) that experiences the event causing an unplanned loss of off-site power (source)
Threshold for Reporting: Unplanned loss of off-site power (source) to a Nuclear Power Plant as defined in the applicable NPIRs.
Time to Submit Report: Within 24 hours after occurrence
Attachment 1, Part A – Damage or destruction of BES equipment
• The event criteria is still ambiguous and does not provide
clear guidance; specifically, the determination of the aggregate impact of damage may not be immediately
understood – it does not seem reasonable to expect that the 1 hour report time clock starts on identification of
an occurrence. Suggest that the 1 hour report time clock begins following confirmation of event.
• The initiating event needs to explicitly state that it is a physical and not cyber.
• If the damage or destruction is
related to a deliberate act, consideration should also be given to coordinating such reporting with existing
required notifications to the NRC and FBI as to not duplicate effort or add unnecessary burden on the part of
a nuclear GO/GOP during a potential security event (see additional comments in response to item 17 below).
Attachment 1, Part A – Damage or destruction of Critical Cyber Asset – The events that are associated with
Critical Cyber Assets should be removed from this Standard. Critical Cyber Asset related events are better
addressed in the reporting of Cyber Security Incidents which is already included in Attachment 1, Part B and
the CIP standards currently require details about Critical Cyber Assets to be protected with access to that
information restricted to only specifically authorized personnel. Attachment 1, Part A – Damage or destruction
of Critical Asset – The events that are associated with Critical Assets should be removed from this Standard.
Critical Assets are typically whole control centers, substations or generation plants and the damage or
destruction of individual pieces of equipment at one of these locations will usually not have much impact to
the BES. Any important impacts located at these sites are already addressed in the other existing [Impact]
Event types or would be addressed in the Cyber Security Incident event which is already included in
Attachment 1, Part B. The CIP standards also currently require that details about Critical Assets and Critical
Cyber Assets must be protected with access to that information restricted to only specifically authorized
personnel. The identification of Critical Asset is also only an interim step used to identify the Critical Cyber
Assets that need to have cyber security protections and the NERC Project 2008-06 CSO706 Standards
Drafting Team is currently expecting to eliminate the requirement to identify Critical Assets in the draft
revisions they are currently working on. Attachment 1, Part B – Forced intrusion at a BES facility –
Consideration should also be given to coordinating such reporting with existing required notifications to the
NRC and FBI as to not duplicate effort or add unnecessary burden on the part of a nuclear GO/GOP during a
Consideration of Comments on Disturbance & Sabotage Reporting – 2009-01
Organization
Yes or No
Question 11 Comment
potential security event (see additional comments in response to item 17 below). Attachment 1, Part B – Risk
to BES equipment from a non-environmental physical threat – this event leaves the interpretation of what
constitutes a "risk" with the reporting entity. Although the DSR SDT has provided some examples, there
needs to be more specific criteria for this event as this threshold still remains ambiguous and will lead to
difficulty in determining within 1 hour if a report is necessary. Consideration should also be given to
coordinating such reporting with existing required notifications to the NRC and FBI as to not duplicate effort or
add unnecessary burden on the part of a nuclear GO/GOP during a potential security event (see additional
comments in response to item 17 below). Attachment 1, Part B – Detection of a reportable Cyber Security
Incident: Although the DSR SDT agreed that there may be confusion between reporting requirements in this
draft and the current CIP-008, "Cyber Security – Incident Reporting and Response Planning", Part B now
requires a 1 hour report after occurrence. The DSR SDT should verify the timing and reporting required for
these Cyber Security Incident events is coordinated with the NERC Project 2008-06 CSO706 Standards
Drafting Team.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received. The DSR
SDT has worked closely with NERC Staff, the Event Analysis Working Group, Project 2008-06 and the U.S. Department of Energy to ensure that EOP-004-2
captures what FERC has directed and will improve the reliability of the BES.
SDG&E
No
For "Detection of a reportable Cyber Security Incident," Attachment 1 identifies the threshold for reporting as:
"that meets the criteria in CIP-008 (or its successor)"; however, CIP-008 has no specified criteria, so this is
an unusable threshold. Additionally, SDG&E recommends that the timing of any follow-up and/or final reports
required by the standard be listed in the Attachment 1 table.
Response: The DSR DT thanks you for your comment. CIP-008 states that an entity will report a Cyber Security Incident to the ES-ISAC. EOP-004-2,
Attachment 2 is the vehicle to report a Cyber Security Incident. It is also required to be sent to their RC which will give them the industry awareness of a single
event or is it a multiple event within their area.
City of Tallahassee (TAL)
No
One hour should be expanded. While I realize the importance of getting information to
NERC/ESISAC/whoever, most of the 1-hour requirements are tied to events that may not be resolved within
one hour. This will result in stopping restoration efforts or monitoring to submit paperwork. Calling in
additional assistance, while certainly a possibility, may not be feasible to accomplish in sufficient time to meet
the one-hour deadline. If any of these events were to truly have a detrimental effect on the BES, the effects
would have already been felt. Recommend all 1-hour reports be extended to 4-hours. This should also be
placed on the list to modify Form OE-417 report time lines.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received. The DOE
Form OE-417 is not governed by NERC but the DSR SDT is proposing to allow an entity to use it to report an event in lieu of Attachment 2.
Lakeland Electric
No
Event – Transmission loss. Threshold for Reporting – Revise to "Loss of three or more BES Transmission
elements within a 15 minute period". This change would capture a sequence of transmission element losses
and remove the question of timing that will arise if other transmission elements trip, cascade, due to loss of the
first element. There may also be a need for a footnote to clarify that a transmission element that is removed
from service by a transmission operator to prevent uncontrolled cascading would be classified as a loss
(something for the SDT to consider). Event – Energy Emergency requiring Public appeal for load
reduction. Threshold for Reporting – Add a footnote: Repeated public appeals for the same initiating Impact
Event shall be reported as one Public Appeal Event. The initiation and release to the media of the Public
appeal(s) should be the reportable event. Question: would an internal request to large industrial customers for
voluntary load reductions be reportable under this Event?
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received. Demand
responsive load is not covered within this proposed Standard unless it fulfills a Threshold of Reporting within Attachment 1. Footnotes have been updated to
reflect comments received.
Arkansas Electric Cooperative
Corporation
No
We appreciate the effort the team has taken in improving the requirements since the last posting. Event
Forced Intrusion: The timeframe is very small given the possibly minimal risk to the BES. It often takes much
longer than 1 hour after verification of intrusion to determine the intrusion was only for copper theft. We
suggest a 24 hour time frame or tie the timeframe to the "verification of forced intrusion."
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
Manitoba Hydro
No
Reporting for CCA's should be limited to damage associated with a detected cyber security incident.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Damage
or destruction of Critical Cyber Assets is per CIP-002 and may not fall into the category of Cyber Security Response as outlined by an entity.
Sweeny Cogeneration LP
No
In Attachment 1, Part A, Generator Operators who experience a ? 10% sustained voltage deviation for ? 15
continuous must issue a report. For externally driven events, the GOP will have little if any knowledge of the
cause or remedies taken to address it. We believe the language presently in EOP-004-1 is satisfactory that
any "action taken by a Generator Operator" that results in a voltage deviation has to be reported by the GOP.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
American Electric Power
No
The time to submit a report for the inclusion of the damage or destruction of BES equipment, critical asset, or
critical cyber asset is too aggressive. The critical cyber asset reporting is redundant with CIP-008.
Furthermore, reporting equipment failures within an hour for Critical Assets is going to overwhelm operators
that need to focus on the restoration efforts. Self-evident equipment failures at a Critical Asset (such as a
tube leak at a generator which is a Critical Asset) should not be required to be reported. Maybe the wording
should be stated as an "abnormal occurrence" rather than "equipment failure." It would be helpful if there
was a defining or a footnote that defines the nature and/or duration for loss of some equipment. For example,
is a transmission loss for sustained or momentary outages?
Response: The DSR DT thanks you for your comment. The Implementation Plan for this project now includes a provision to retire the requirement in CIP-008 for reporting (Requirement 1, Part 1.3). The entire Attachment 1 has been updated to reflect the comments that were received.
USACE
No
The "Potential Reliability Impact" table should be taken out. Refer to previous comment on our position on
potential impacts.
Response: The DSR DT thanks you for your comment. The DSR SDT believes that potential events are required to be reported to provide industry awareness.
Consumers Energy
No
1. In reference to the Impact Event addressing "Loss of Firm load for greater than or equal to 15 minutes",
this is likely to occur for most entities most frequently during storm events, where the loss of load builds slowly
over time. In these cases, exceeding the threshold may not be apparent until a considerable time has lapsed,
making the submittal time frame impossible to meet. Even more, it may be very difficult to determine if/when
300 MW load (for the larger utilities) has been lost during storm events, as the precise load represented by
distribution system outages may not be determinable, since this load is necessarily dynamic. Suggest that
the threshold be modified to "Within 1 hour after detection of exceeding 15-minute threshold". Additionally,
these criteria are specifically storm related wide spread distribution system outages. These events do not
pose a risk to the BES. 2. Many of the Impact Events listed are likely to occur, if they occur, at widely-distributed system facilities, making reporting "Within 1 hour after occurrence is identified" possibly
impractical, particularly in order to provide any meaningful information. Please give consideration to clearly
permitting some degree of investigation by the entity prior to triggering the "time to submit". 3. Referring to the
"Transmission Loss" Impact Event, please provide more specificity. Is this intended to address: - anytime
that three or more BES Transmission Elements are out of service, - only when three or more BES
Transmission Elements are concurrently out-of-service due to unscheduled events, - only when three or
more BES Transmission Elements are simultaneously automatically forced out-of-service, or - only when
three or more BES Transmission Elements are forced from service in some proximity to each other? It is not
unusual, for a large transmission system, that this many elements may be concurrently forced out-of-service
at widely-separated locations for independent reasons. 4. Referring to the "Fuel Supply Emergency" Impact
Event, OE-417 requires 6-hour reporting, where the Impact Event Table requires 1-hour reporting. The
reporting period for EOP-004-2 should be consistent with OE-417. 5. For that matter, the SDT should carefully
compare the Impact Event Table with OE-417. Where similar Impact Events are listed, consistent
terminology should be used, and identical reporting periods specified. Where the Impact Event Table
contains additional events, they should be clarified as being distinct from OE-417 to assist entities in
implementation. Further, since OE-417 must be reviewed and updated every three years, EOP-004 should
defer to the reporting time constraints within OE-417 wherever listed in order to assure that conflicting
reporting requirements are not imposed.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed ‘Loss of Firm Load’ as a reporting event, and believes the reporting
requirement currently approved in EOP-004-1 should remain in EOP-004-2. The DSR SDT has removed the ‘Fuel Supply Emergencies’ event after considering
comments the DSR SDT received on this event. The DOE Form OE-417 is reviewed biennially by the DOE and can be updated or changed without NERC’s
involvement. The DSR SDT has taken into consideration the use of Form OE-417 to report events to NERC and agrees that this will fulfill EOP-004-2’s reporting
requirements. The entire Attachment 1 has been updated to reflect the comments that were received.
Independent Electricity System
Operator
No
As indicated under Q4, we question the need to include IA, TSP and LSE in the responsible entities for
reporting.
Response: The DSR DT thanks you for your comment. The DSR SDT has established that CIP-002-4 and CIP-008-3 are applicable to an IA, TSP, and LSE.
These entities will report a Cyber Security Incident per Attachment 2 (or OE-417) as the vehicle to inform the ERO, their Regional Entity and their Reliability
Coordinator.
Ameren
No
See response to question 4.
Response: The DSR DT thanks you for your comment. Please see question 4 response.
ISO New England, Inc
No
As indicated under Q4, we question the need to include IA, TSP and LSE in the responsible entities for
reporting. There is still significant duplicate reporting included. For instance, why do both the RC and TOP
report voltage deviations? As written, a voltage deviation on the BES would require both to report. The same
would hold true for IROLs. Perhaps IROLs should only be reported by the RC to be consistent with the
recently FERC approved Interconnection Reliability Operating Limit standards. Also, the CIP reporting
requirements duplicate what is already contained in the CIP Standards, specifically CIP-008. Also, we are
required to intentionally destroy Critical Cyber Assets when they are retired, why would we be required to
report this?
Response: The DSR DT thanks you for your comment. The DSR SDT has established that CIP-002-3 and CIP-008-3 are applicable to an IA, TSP, and LSE.
These entities will report a Cyber Security Incident per Attachment 2 (or OE-417) as the vehicle to inform the ERO, their Regional Entity and their Reliability
Coordinator. If a Critical Cyber Asset (CCA) was to be retired, the entity would declassify it as a CCA and therefore it would not be required to be reported. The
Implementation Plan for this project now includes a provision to retire the requirement in CIP-008 for reporting (Requirement 1, Part 1.3).
Calpine Corp
No
1. Additional clarity on the nature of reportable "Fuel Emergencies" is needed. Does loss of interruptible gas
transportation require reporting? 2. Additional clarity on the threshold for "damage or destruction of BES
equipment" is needed. Footnote 1 on page 16 states, in part "Significantly affects the reliability margin of the
system (e.g. has the potential to result the need for emergency actions". For generating facilities, does this
statement refer specifically to the parallel requirement to report any loss of generation >= 2,000 in the Eastern
or Western Connection or >= 1,000 in the ERCOT or Quebec Interconnection? If not, exactly what level of
damage at a generating plant requires reporting? Use of imprecise terms such as "significantly" sets the
stage for future compliance and enforcement confusion. 3. Additional clarity is required for "Detection of
reportable Cyber Security Incident." Is this item intended to apply only to Critical Cyber Assets, or is it an
extension of the requirement to all applicable entities irrespective of their Critical Asset status? If it applies
only to Critical Cyber Assets, does this reporting requirement create redundant reporting (as reporting is
already required under CIP-008-4)? CIP-008-4 requires reporting only of events affecting Critical Cyber
Assets. If a more expansive application is intended, what equipment or systems are to be included in the
reporting requirement?
Response: The DSR DT thanks you for your comment. The event of Fuel Supply Emergencies has been removed per comments the DSR SDT received.
The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes in Attachment 1 have been updated to reflect the comments
that the DSR SDT received. Damage to BES equipment’s foot note has been enhanced to mean that the BES piece of equipment is required to be removed from
service. CIP-008 states that an entity will report a Cyber Security Incident to the ES-ISAC. EOP-004-2, Attachment 2 is the vehicle to report a Cyber Security
Incident.
BGE
No
For the following Events (Damage or destruction of BES equipment, Damage or destruction of Critical Asset,
and Damage or destruction of a Critical Cyber Asset), submitting a report within 1 hour after occurrence is
identified is too short of a time frame. Generally, the initial time period is spent in recovering from the
situation and restoring either electric service or restoring computer services to assure proper operations. To
distract from the restoration to normal activities to focus on a report would be detrimental to reliability.
Notification of an event may perhaps be made by phone call within 1 hour but completing a report should be
required no less than 6 or 12 hours. Determining a cause (especially external or intentional) could take longer
than 1 hour to determine and complete a report. It is important to consider the imposition created by a
compliance obligation and weigh it against the other demands before the operator at that time. A compliance
obligation should avoid becoming a distraction from reliability related work. Under impact event type
scenarios, in the first hour of the event, the primary concern should be coping with/resolving the event.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes
in Attachment 1 have been updated to reflect the comments that the DSR SDT received. Damage to BES equipment’s foot note has been enhanced to mean that
the BES piece of equipment is required to be removed from service.
Alliant Energy
No
The item relating to Loss of Firm Load for > 15 minutes should be revised to 500 MW and 300 MW. For many
companies, a storm moving across their system could cause more than 300 MW of firm load to be lost, but
there is no impact on the BES, so why does the detailed reporting need to be done? The items relating to
"damage or destruction" need to be revised to not be so wide. As currently written, a plan by a company to
raze a facility could be considered a violation and must be reported. We believe it needs to be tightened to
malicious intent or human negligence/error.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed Loss of Firm load and believes the reporting requirement presently
approved in EOP-004-1 is substantial and should remain within EOP-004-2. If a Critical Cyber Asset (CCA) was to be retired, the entity would declassify it as a
CCA and therefore it would not be required to be reported.
CenterPoint Energy
No
(1) CenterPoint Energy believes that the "Entity with Reporting Responsibility" for the first three events in
Part A should be clarified. There could still be confusion regarding the "initiating entity" for events where one
entity directs another to take action. From the text on page 5 of the Unofficial Comment Form, it appears that
the SDT intended for the "initiating entity" to be the entity that takes action. To make this clear in Attachment
1, CenterPoint Energy recommends replacing "initiating entity" with "Each (insert applicable entities) that
(insert action)". For example, for "Energy Emergency requiring a Public appeal" the Entity with Reporting
Responsibility should be "Each … that issues a public appeal for load reduction". (2) Part A: The threshold for
reporting "System Separation" should not be fixed at greater than or equal to 100 MW for all entities, but
rather should be scaled to previous year's demand as in "Loss of Firm load for greater than or equal to 15
minutes", so that for entities with demand greater than or equal to 3000 MW, the island would be greater than
or equal to 300MW. (3) Part A: The one hour reporting requirements are unreasonable and burdensome. The
Background text indicates that "proposed changes do not include any real-time operating notifications…"
CenterPoint Energy believes all one hour reporting requirements could potentially divert resources away from
responding to the event. In many instances the event may still be developing within one hour. Likewise, the
24 hour reporting requirements are also burdensome. CenterPoint Energy recommends changing all
reporting requirements to 48 hours. CenterPoint Energy acknowledges that the DOE OE-417 report requires
certain one hour and 6 hour reporting. Those requirements should also be extended, and CenterPoint Energy
will be making the same recommendation during the DOE OE-417 report revision process when the current
form expires on 12/31/11. (4) Part B: CenterPoint Energy is very concerned with the "events" listed under
Attachment 1 – Potential Reliability Impact – Part B and believes Part B should be deleted. These arbitrary
"events" with "potential reliability impact" and reporting times place unnecessary burden on entities to report
"situations" that would rarely impact the reliability of the BES. Entities should be aware of developing
situations; however, this standard should not require reporting of such occurrences. (5) Part B: Of particular
concern is the overly broad "Risk to BES equipment" and the example provided in the footnote. CenterPoint
Energy believes the SDT has already identified the events with the greatest risk to impact the BES in Part A.
Also including "potential reliability impact" situations in Part B inappropriately dilutes attention away from the
truly important events. The industry, NERC and FERC should not lose sight of the forest for the trees.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes
in Attachment 1 have been updated to reflect the comments that the DSR SDT received. The DOE Form OE-417 is under review by the DOE and can be updated
or changed without NERC’s involvement. The DSR SDT has taken into consideration the use of OE-417 to report events to NERC and agrees that this will fulfill
EOP-004-2’s reporting requirements.
ExxonMobil Research and
Engineering
No
The notification requirement and documentation in Attachment 1 do not clearly identify which entities need to
be notified for each type of event detailed in Attachment 1. While it makes sense to notify the Reliability
Coordinator, NERC, Regional Entity, Law Enforcement and other Governmental Agencies for sabotage type
events, it does not seem proper to notify Law Enforcement agencies of a system disturbance that is
unrelated to improper human intervention. Furthermore, it is our belief that a time frame of 1 hour is a short
window for making a verbal notification to third parties, and an impossibly short window for requiring the
submittal of a completed form regardless of the simplicity. When a Petrochemical Facility experiences an
impact event, the initial focus should emphasize safe control of the chemical process. For those cases where
registered entities are required to submit a form within 1 hour, the Standard Drafting Team should alter the
requirement to allow for verbal notification during the first few hours following the initiation of an Impact Event
(i.e. allow the facility time to appropriately respond to and gain control of the situation prior to making a
notification which may take several hours) and provide separate notifications windows for those parties that
will need to respond to an Impact Event immediately and those entities that need to be informed that one
occurred for the purposes of investigating the cause of and response to an Impact Event. For example, a
GOP should immediately notify a TOP when it experiences a forced outage of generation capacity as soon as
possible, but there is no immediate benefit to notify NERC when site personnel are responding to the event in
order to gain control of the situation and determine the extent of the problem. The existing standard's
requirement to file an initial report to entities, such as NERC, within 24 hours seems reasonable provided that
proper real time notifications are made and the Standard Drafting Team reinstates EOP-004 Revision 1's
Requirement 3.3, which allows for the extension of the 24 hour window during adverse conditions, into the
requirement section of EOP-004 [the current revision locates this extension in Attachment 1, which, according
to input received from Regional Entities, means that the extension would not be enforceable].
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes
in Attachment 1 have been updated to reflect the comments that the DSR SDT received.
PPL Electric Utilities
No
We very much appreciate the work performed by SDT and consideration of all the comments received. While
we agree with the majority of the Attachment 1 changes, we suggest the SDT add further clarification to
Attachment 1, Part A, Event 'Transmission Loss'. Does this mean permanent loss? Do two lines and a pole
constitute a loss of three elements? E.g. Consider the loss of a 230 kV line with two tapped transformers.
This does not have a significant effect on the BES, yet would it be reportable? We would prefer Attachment
1, Part A, "Threshold Reporting" be clarified. E.g. 'Three or more "unrelated" pieces of equipment for a
single event'.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes
in Attachment 1 have been updated to reflect the comments that the DSR SDT received.
Lincoln Electric System
No
While LES supports the bright line criteria listed in Attachment 1 for reporting Impact Events, we have
concerns regarding the reporting threshold for "Transmission loss". For Transmission loss of three or more
Transmission Elements, LES supports the MRO NSRS' suggested wording of "Two or more BES
Transmission Elements that exceed TPL Category D operating criteria or its successor."
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
American Transmission
Company
No
Energy Emergency requiring Public Appeal: ATC believes that the phrase "initiating entity" is unclear and
could be interpreted in multiple ways. 1) the entity has the authority to call for public appeals, 2) the entity has
the authority to declare an Energy Emergency, or 3) the entity determines and identifies the need for the
Energy Emergency. Typically the BA's call for public appeals, so does every BA that calls for the public appeal
have to make a filing? The RC declares the need for an Energy Emergency, so are they the initiating entity? A
TOP could also identify the need for public appeals and notify the RC about the request. In this case, is the
TOP the initiating entity? Given the above examples, ATC believes that the SDT needs to clarify who is
required to make the filing. Voltage Deviations on BES Facilities: ATC believes that this should be clarified
because one may assume that a loss of a single bus in which voltage goes to zero for more than 15 minutes
is reportable. It is ATC's understanding that what the SDT means is a voltage dip, not an outage to a BES
facility. However, given the brief description, ATC is not 100% sure whether there is a clear understanding of
the standard's intent. Energy Emergency resulting in automatic firm load shedding: Please provide additional
clarity. ATC believes that the SDT should not use the term "Impact Event" when identifying the entity with
reporting responsibility. The term "Impact Event" is identified in the standard and points to Attachment 1 but
now is being used outside of that context and requires entities to interpret what qualifies as an Impact
Event. The above observation also applies to those other events that use the term "Impact Event" to describe
Reporting Responsibility. Footnote 1: ATC would like the phrase "as determined by the equipment owner"
added to the footnote. This simple phrase will allow entities to be sure that they are responsible for
determining if the damage significantly affects the reliability margin of the system. Without this phrase,
entities could be subject to non-compliance actions based on differences of opinions to the extent of the
damage on the system. The other option the SDT has is to provide additional clarity on what qualifies as a
significant effect. Time to Submit Report: ATC strongly disagrees with the 1 hour time to submit a report
because it does not fit with the purpose of this standard. The purpose of this standard is to increase
awareness, however, requiring a one-hour reporting window following the event provides little to no benefit.
ATC believes that these events should have a 24 hour reporting window which allows for a reasonable
amount of time to gather information and report the issue. If the SDT disagrees with this observation, ATC
believes a complete explanation should be provided on why knowledge of an event within an hour is
significantly better than having the knowledge of the event in a 24 hour time period. ATC strongly believes
that NERC will gain as much or more knowledge of the event by giving entities time to understand the event
and report.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
Duke Energy
No
• Attachment 1 contains three reportable events (Damage or destruction of Critical Asset, Damage or
destruction of a Critical Cyber Asset, and Detection of a reportable Cyber Security Incident) that overlap with
CIP-008-3 Cyber Security Incident Reporting and Response Planning and could result in redundant or
conflicting content between the two standards. We propose either of the following options: 1. Remove the
requirement for reporting these events from EOP-004-2 and add the timing and reporting requirements into
CIP-008-3, R1.3. "Process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing
and Analysis Center (ES-ISAC). The Responsible Entity must ensure that all reportable Cyber Security
Incidents are reported to the ES-ISAC either directly or through an intermediary." OR 2. Replace the reporting
requirement in CIP-008-3, R1.3. with a reference to report as required in EOP-004-2. • Also, as noted in our
comment to Question #4 above, the Attachment 1 Section "Entity with Reporting Responsibility" should just
identify "Initiating entity" for every Event, as was done with the first three Events. That way you avoid errors
in leaving an entity off, or including an entity incorrectly (as was done with the GOP on Voltage Deviations).
We note that LSE is listed in the standard as an Applicable entity, and should be included in Attachment 1.
Our suggestion would handle this oversight. We also note that CIP-001 does not include Distribution Provider
in the list of applicable entities, but EOP-004-2 does include the DP.
• We reiterate our comment to Question #1 above that the DSR SDT statement that the proposed changes do
not include any real-time operating notifications is inconsistent with requiring notification within one hour for
thirteen of the twenty listed Events in Attachment 1.
• The last six events refer to the entity that experiences the potential Impact Event. We believe that the word
"potential" should be struck, as this creates an impossibly broad reporting requirement.
• Footnote 1 should be revised to strike the phrase "has the potential to" from the parenthetical, as this creates
an impossibly broad reporting requirement.
• The Impact Event "Risk to BES equipment" should be revised to "Risk to BES equipment that results in the
need for emergency actions". The accompanying footnote 4 should be revised to read as follows: Examples
could include a train derailment adjacent to BES equipment (e.g. flammable or toxic cargo that would cause
the evacuation of a BES facility control center), or a report of a suspicious device near BES equipment.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. CIP-008
states that an entity will report a Cyber Security Incident to the ES-ISAC. EOP-004-2, Attachment 2 is the vehicle to report a Cyber Security Incident. The DSR
SDT has reviewed and updated the entities that need to report an event. Some have been reduced to a single entity where others have multiple entities. These
multiple entities will have different views of the event, and will be able to provide the ERO and others with a different view of what has happened. The DSR SDT
understands that there may be multiple reports (for certain events) that are required by different government agencies. NERC will continue to streamline the
reporting process as we move into the future.
Constellation Power Generation
No
CPG has the following concerns regarding Attachment 1:
• Real-Time - On page 5 of the proposed standard, the team noted that "the proposed changes do not include
any real-time operating notifications." However, several events in Attachment 1 require that documentation
be completed and submitted to the ERO within 1 hour. For generation sites that are unmanned, or only have
1 to 2 operators on site at all times, a 1 hour requirement is not only onerous but is essentially "real time."
• Response within 1 hour - It is important to consider the imposition created by a compliance obligation and
weigh it against the other demands before the operator at that time. A compliance obligation should avoid
becoming a distraction from reliability related work. Under impact event type scenarios, in the first hour of the
event, the primary concern should be coping with/resolving the event. Other notification requirements exist
based on required agency response relative to the concern at hand (e.g. public evacuations, fire assistance,
etc.) Notification within an hour under EOP-004 does not appear to represent a relevant benefit to resolving
the situation and the potential cost would be borne by reliability and recovery efforts. Anything performed
within the first hour of the event must be to benefit the public or benefit the restoration of power.
• Damage or destruction of BES equipment - the reporting requirement of 1 hour is extremely onerous. A good
example is the failure of a major piece of equipment at a remote combustion turbine generation site.
Combustion turbine generation sites are not usually manned with many people. If a failure of a major piece of
equipment were to occur, the few people on site need to complete communications to affected entities,
communications to their management, as well as
emergency switching and ensuring that no other pieces of equipment are affected or harmed. There is little
time to complete a form in 1 hour. This should be changed to 48 hours. The form is also inadequate for this
type of event.
o Using the example above of a failure of a major piece of equipment, CPG is not sure if it's reportable per
Attachment 1, which further proves that Attachment 1 is not clear. Per the footnote regarding damage to BES
equipment, the failure would not be reportable, as it does not affect IROL, given the information at the plant it
does not significantly affect the reliability margin of the system, and was not damaged or destroyed due to
intentional or unintentional human action. However, it would be reportable per the table as the table states
"equipment failure" and "external cause." Clarification is needed.
• Damage or destruction of Critical Asset - This item should be removed or significantly refined. For generation
assets, a critical asset is essentially the entire plant, so in many cases the information reported at this level
would not be useful if the valuable details reside at the equipment level. If it is not removed, then see the
notes above on the 1 hour requirement for the completion of the form.
• Fuel supply emergency - 1 hour for reporting the document is unreasonable. See the earlier notes.
• Risk to BES equipment - "From a non-environmental physical threat" This item is too vague and subjective.
A catch all category to capture a broad list of potential risks is problematic for entities to manage in their
compliance programs and to audit. This should be removed.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
Georgia System Operations
Corporation
No
Energy Emergency requiring public appeal for load reduction:
- The NERC Glossary defines "Energy Emergency" as a "condition when a Load-Serving Entity has exhausted
all other options and can no longer provide its customers' expected energy requirements." Per EOP-002, an
Energy Emergency Alert may be initiated by the RC upon RC sole discretion, upon BA request, or upon LSE
request.
- Question: Is it intended that the LSE reports the event if the LSE requests an alert, the BA reports the event
if the BA requests an alert, and the RC reports it if it is a RC sole discretion decision? What if an alert is not
initiated? Is it an Energy Emergency? Is it an impact event? Who must initiate the public appeal? Since it must
be reported within a certain time after the issuance of the public appeal, is it not an impact event until after the
initiation of the public appeal (which should be after the initiation of the alert)? Shouldn't the reporting of the
impact event be done by the initiator of the public appeal? The event should probably be the public appeal and
not the Energy Emergency.
- "Public" should not be capitalized.
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need
for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or
explained.
Energy Emergency requiring system-wide voltage reduction: See Energy Emergency requiring public appeal
for load reduction above regarding requesting Energy Emergency Alerts. If this event is to be reported within
a certain time after "the event", at what time is the event marked? Or is it within a certain time after the
initiation of the voltage reduction and, if so, shouldn't the reporting of the impact event be done by the
initiator of the voltage reduction? The event should probably be the system-wide voltage reduction and not
the Energy Emergency. The reliability objective
of this standard is not achieved by NERC knowing of this within 1 hour and NERC does not need to know this
within 1 hour and the need for NERC to know this within 1 hour to meet its objective of analyzing events has
not been justified or explained.
Energy Emergency requiring manual firm load shedding:
- See Energy Emergency requiring public appeal for load reduction above regarding requesting Energy
Emergency Alerts. If this event is to be reported within a certain time after "the event", at what time is the
event marked? Or is it a certain time after the initiation of the shedding of load, if so, shouldn't the reporting
of the impact event be done by the initiator of the shedding of the load? If the RC directs a BA to shed load,
then the BA directs a DP to do it, then the DP sheds the load, who is the initiator of the load shedding? The
event should probably be the firm load shedding and not the Energy Emergency.
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need
for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or
explained.
Energy Emergency resulting in automatic firm load shedding: Whenever load is automatically shed both the
DP and the TOP "experience" the event. So does the BA and the LSE. This event includes "or" between "DP"
and "TOP." Is that intentional? Other events in the table do not include either an "and" or an "or." The entities
are separated only by commas. NERC should not require multiple entities to report the same event. See
comment for R5 above. If a DP "experiences" an automatic load shedding doesn't the TOP also experience it?
Both should not report the same event.
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need
for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or
explained.
Voltage deviations on BES Facilities:
- Should GOs/GOPs be required instead to report to BAs when this condition exists with the BA then reporting
to NERC? The idea of a deviation "on BES Facilities" is not clear. On any one Facility? On all Facilities in an
area? How wide of an area?
- "Voltage Deviation" is not proper noun/name and is not defined in the NERC Glossary. It should not be
capitalized.
IROL violation: Multiple entities should not report the same event. Please define "IROL Violation" or use
lowercase. It is assumed that "IROL Violation" means operation "outside the IROL for a time greater than
IROL TV."
Loss of firm load for ≥ 15 minutes:
- Multiple entities should not report the same event. The reliability objective of this standard is not achieved
by NERC knowing of this within 1 hour and the need for NERC to know this within 1 hour to meet its objective
of analyzing events has not been justified or explained. "Firm Demand" is defined but not "Firm load."
System separation (islanding):
- Multiple entities should not report the same event. A DP separating from the transmission system should
not be a reportable event for a DP in and of itself. If it leads to a sufficient loss of load, it is reportable as
above.
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need
for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or
explained. The words "separation" and "islanding" should not be capitalized.
Generation loss:
- Should GOs/GOPs be required instead to report to BAs when their generation is lost with the BA then
reporting to NERC when the total is ≥ 2,000 MW? A "loss" of generation should be clarified. Is the discovery
of damaged equipment in an offline plant which makes the plant unavailable for an extended period of time a
"loss" of generation?
- It should be clarified if this event means the concurrent loss of the generation or losing the generation
non-concurrently
but they are concurrently unavailable. What is the time window for losing the generation? Lost within seconds
of each other? Minutes? Hours?
Loss of off-site power to a nuclear generating plant (grid supply):
- Multiple entities should not report the same event.
- "Off" should be lowercase.
Transmission loss:
- RCs should not be required to report the loss of transmission elements to NERC. A "loss" of a BES
Transmission Element should be clarified. It should be clarified if this event means the concurrent loss of
elements or the non-concurrent loss of the elements but they are concurrently unavailable. What is the time
window for losing the elements? When elements are lost, it will be difficult to differentiate if they are BES
Transmission Elements or not. Alarms don't immediately identify this. It could lead to gross over-reporting if
no distinction is made by a TOP and the TOP reports all losses of 3 elements. It may still be over-reporting
(from a reasonableness/practicality basis) even if the differentiation could be easily made and only BES
Transmission Elements are reported. Threshold for reporting Transmission Loss: As stated, this will require
the reporting of almost all transmission outages. This is particularly true taking into consideration the current
work of the drafting team to define the Bulk Electric System. The loss of a single 115kV network line could
meet the threshold for reporting as the definition of Element includes both the line itself and the circuit
breakers. Instead, we recommend the following threshold "Three or more BES Transmission lines." This
threshold has consistency with CIP-002-4 and draft PRC-002-2. This threshold also needs additional
clarification as to the timeframe involved. Is the intent the reporting of the loss of 3 or more BES Transmission
Elements anytime within a 24 hour period or must they be lost simultaneously? Also, we recommend that the
three losses be the result of a related event to require reporting.
Damage or destruction of BES equipment that i. affects an IROL; ii. significantly affects the reliability margin
of the system (e.g., has the potential to result in the need for emergency actions); or iii. damaged or
destroyed due to intentional or unintentional human action (Do not report copper theft from BES equipment
unless it degrades the ability of equipment to operate correctly, e.g., removal of grounding straps rendering
protective relaying inoperative.):
- What is "BES equipment"? Would an operator know which equipment is BES equipment and which is not or
which BES equipment affects an IROL (if we had one) or which does not? It is a judgment call as to whether
the effect was significant or not or if it has the potential or not. Multiple entities should not report the same
event.
Unplanned control center evacuation:
- "Control Center" should be lowercase.
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need
for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or
explained.
Fuel supply emergency: Multiple entities should not report the same event. Should GOs/GOPs be required
instead to report to BAs when they have a fuel supply emergency with the BA then reporting to NERC if the
situation is projected to require emergency action at the BA level?
- The reliability objective of this standard is not achieved by NERC knowing of this within 1 hour and the need
for NERC to know this within 1 hour to meet its objective of analyzing events has not been justified or
explained.
Loss of all monitoring or voice communication capability (affecting a BES control center for ≥ 30 minutes):
- Does this event mean that ALL capability at both the primary and backup control centers or just one?
Forced intrusion at a BES facility (report if you cannot reasonably determine likely motivation, i.e., intrusion
to steal copper or spray graffiti is not reportable unless it affects (affects - not effects) the reliability
of the BES):
- What is a "BES facility"? It is not clear for the purposes of complying with this standard what it means to
affect the reliability of the BES. Deferred for ECMS review and additional comments.
Risk to BES equipment (examples include a train derailment adjacent to BES equipment that either could
have damaged the equipment directly or has the potential to damage the equipment, e.g., flammable or toxic
cargo that could pose fire hazard or could cause evacuation of a BES facility control center, and report of
suspicious device near BES equipment.):
- In the footnote, delete "could have" from "...either could have damaged..." Something that could cause
evacuation of a control center does not pose a risk to damaging BES equipment. The threshold is "from a
non-environmental physical threat" but the example (toxic cargo) IS an environmental threat.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. The DSR
SDT reviewed the term ‘Energy Emergency’ and has removed it from Attachment 1.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
The one hour reporting timeline is unrealistic for this event. In general it looks like other events requiring the 1
hour reporting timeline are for events that are "initiated" by the system operator. (i.e. load shedding, public load
reduction, EEP...). Loss of BES equipment is in general 24 hour reporting timeline. It should be, “as soon as
possible but within 24 hours.”
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
Indeck Energy Services
No
Comments were included in previous comments.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received.
BC Hydro
For the change from 24hr to 1hr reporting for events, 1 hour goes extremely quickly in these types of events
and it will be difficult to report anything meaningful. As the RC is kept informed during the event why is the
report required within 1hr?
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. EOP-004-2 is an after the fact reporting Standard. The entity experiencing an event is required to inform their RC per other NERC Standards.
Brazos Electric Power
Cooperative
No
Question applicability to DP.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the entities that need to report an event. Some have
been reduced to a single entity where others have multiple entities. These multiple entities will have different views of the event, and will be able to provide the
ERO and others with a different view of what has happened. The entire Attachment 1 has been updated to reflect the comments that were received.
Progress Energy
No
Progress Energy appreciates the effort of the Standard Drafting Team, but we do have some issues with the
content of Attachment 1. The loss of three Transmission Elements can occur with a single transmission line
outage. Progress is concerned that the possible frequency of this type of reporting could be an extreme
burden. Under the column "Entity with Reporting Responsibility," why do all related entities have to report
the same event? (i.e. do the RC and the TOP in the RC footprint both have to report an event, or is it
either/or? The word "Each" implies separate reports. What is the Reliability-based need for both an RC and
the BA/TOP/GO within the footprint to file the same report for the same event?) For vertically integrated
companies it should be clear that only one report is required per Impact Event that will cover the reporting
requirements for all registered entities within that company.
The "damage or destruction of BES equipment" footnote contains the language "Significantly affects the
reliability margin...." The word significantly should not be used in a Standard because it is subjective.
Reliability margin is also undefined. System Operators must be trained on how to comply with the Standard,
and thus objective criteria must be developed for reporting. "1 hour after occurrence" places a burden on
System Operators for reporting when response to and information gathering dealing with the Impact Event
may still be occurring. There is a note that states that the timing guidelines may not be met "under certain
conditions..." but then requires a call to both its Regional Entity and notification to NERC. The focus should
be on the event response and this type of reporting should occur "within an hour or as soon as practical." It is
unclear what the voltage deviations of +10% are based on (i.e. is that +-10% of nominal voltage? This may
require new alarm set-points to be placed in service in Energy Management Systems in order for entities to be
able to prove in an audit that they reported all occurrences of voltage exceeding the 10% limit for 15 minutes
or more. It has been stated by Regional Entity audit and enforcement personnel that attestations cannot be
used to "prove the positive.")
The word "potential" should be removed from Attachment 1 and from the definition of Impact Event. An event
is either an Impact Event or not. If an entity has to evacuate its control center facility temporarily for a small
fire, or any other such minor occurrence, then it activates its EOP-008 compliant backup control center, and
there is no impact to reliability, then why does there need to be a report generated?
The "Forced Intrusion" category is problematic. The footnote 3 states: "Report if you cannot reasonably
determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless it effects
(sic) the reliability of the BES)." "Reasonably determine likely motivation" makes this subjective. If someone
breaks into a BES substation fence to steal copper, is interrupted and leaves, then entity personnel determine
someone tried to break into the substation, but cannot determine why, then this table requires a report to be
filed within an hour. It is unclear what the purpose of such a report would be. Progress agrees that multiple
reports in a short time across multiple entities may indicate a larger issue.
Response: The DSR DT thanks you for your comment. The entire Attachment 1 has been updated to reflect the comments that were received. Footnotes
have been updated per comments received.
Liberty Electric Power LLC
Yes
A qualified yes here - please clarify footnote 1 to the table. Are the listed qualifications "and" or "or"
statements -IOW, if destruction of BES equipment through human error does not have the potential to result
in the need for emergency actions, is it still reportable? If a 18-240 KV step-up transformer suffers minor
damage because a conservator tank was valved out, is this reportable under this definition?
Response: The DSR DT thanks you for your comment. Footnotes have been updated to reflect comments received. This proposed Standard is targeted at
BES level Thresholds for Reporting as outlined in Attachment 1.
Ingleside Cogeneration LP
Yes
We believe that there should be close, if not perfect, synchronization between the ERO's Event Analysis
Process and Attachment 1 since they share the same ultimate goal as EOP-004-2 to improve industry
awareness and BES reliability.
Response: The DSR DT thanks you for your comment. EOP-004-2 is an after the fact reporting Standard and the reports submitted by entities complying
with the standard may be used by the NERC Event Analysis Program to review reported events. The Event Analysis Program may change their categories of
events at anytime, but revisions to an approved standard must follow the standards development process embodied in the NERC Standard Processes Manual.
Despite the differences in process, the DSR SDT is working closely with the Event Analysis Working Group to ensure alignment between the standard and the
program to the maximum extent possible.
Occidental Power Marketing
Yes
There does not appear to be any reportable events for LSEs that do not own, operate, or control BES assets
(or assets that directly support the BES) in Attachment 1. This would support removing such entities from the
Applicability.
Response: The DSR DT thanks you for your comment. The DSR SDT understands that every LSE may not own or operate BES assets. If the LSE does
not own or operate BES assets, then EOP-004-2 would not be applicable to that LSE. Since CIP-002 and CIP-008 are applicable to LSEs they will be required to
be applicable under EOP-004-2 for cyber incidents.
Farmington Electric Utility System
Yes
Platte River Power Authority
Yes
New Harquahala Generating Co.
Yes
Western Electricity Coordinating
Council
Yes
Midwest ISO Standards
Collaborators
Yes
Southern Company
Yes
SRP
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
American Municipal Power
Yes
12. Do you agree with the proposed measures for Requirements 1-5? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: The majority of commenters agree with the proposed measures. Since two requirements were
removed, the DSR SDT did a complete review of the Requirements and associated Measure and assured that Measurements did
not add to any Requirement. The Measures have been rewritten to reflect strict accuracy to each Requirement and provide a
minimum measure required for an entity to be compliant.
Organization
Yes or No
Question 12 Comment
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
No
Several of the measures appear to introduce items that are not required by the standard. For instance, R3
requires that a test of the communications process be performed, however Measure 3 indicates that a mock
impact event be performed. Measure 4 indicates that personnel be listed in the plan and be trained on the
plan, however there is no requirement to include people in the plan or to train them.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Northeast Power Coordinating
Council
No
Concerns with M5: a. As suggested in the response to Question 10 above, R5 should be combined with R2;
b. If R5 is to remain as is, then M5 goes beyond the requirement in R5 in that it asks for evidence to support the
type of Impact Event experienced. Attachment 2 already requires the reporting entity to provide all the details
pertaining to the Impact Event. It is not clear what kind of additional evidence is needed to "support the type
of Impact Event experienced". Also, the date and time of the Impact Event is provided in the reporting form.
Why the need to provide additional evidence on the date and time of the Impact Event?
Response: The DSR SDT thanks you for your comment. Requirement 2 has been deleted as requested by the industry. Requirement R5 (now R2) was revised
along with the measure:
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk:
Factor: Medium] [Time Horizon: Operations Assessment].
M2. Responsible Entities shall provide a record of the type of event experienced; a dated copy of the Attachment 2 form or OE-417 report; and dated and
time-stamped transmittal records to show that the event was reported.
Pacific Northwest Small Public
Power Utility Comment Group
No
It is unclear when reporting to the Compliance Enforcement Authority is required. Does the registered entity
report initially, and then anytime a change to the plan is made, or a drill is performed. Or is the information
only provided following a request of the Compliance Enforcement Authority, and if so what is the acceptable
time limit to respond?
Response: The DSR SDT thanks you for your comment. The Measure is designed to inform applicable entities of the minimum acceptable evidence needed to
prove compliance with a requirement. The reference to Compliance Enforcement Authority has been removed since it does not assist an entity in the minimum
level of evidence needed per the requirement.
Dominion
No
1) M1 is open ended. Suggest adding "on request" to the end of the sentence as written; 2) M4 requires
evidence of "when internal personnel were trained"; however, Requirement R4 does not require training.
Response: The DSR SDT thanks you for your comment. The Measure is designed to inform applicable entities of the minimum acceptable evidence needed to
prove compliance with a requirement. The reference to Compliance Enforcement Authority has been removed since it does not assist an entity in the minimum
level of evidence needed per the requirement.
SPP Standards Review Group
No
The measures are written as if they are adding requirements to the standards. Using wording such as "shall
provide" gives this implication. We would suggest wording such as "examples of acceptable evidence to
demonstrate compliance may be..." See Question 6 for comments regarding M1. See Question 8 for comments
regarding M3.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Midwest ISO Standards
Collaborators
No
We disagree with Measurement 4. It implies that the review must be conducted in person. Why could other
means such as a web training or a reminder memo not satisfy the requirement? Because Requirement 1 does
not require submittal of the Operating Plan, Operating Process and/or the Operating Procedure,
Measurement 1 should only require submittal to the Compliance Enforcement Authority upon its request.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. Requirement 4 has been deleted.
FirstEnergy
No
Measure M4 includes the phrase "when internal personnel were trained on the responsibilities in the plan"
implies the Requirement R4 requires training. R4 is only requiring the review of a document of the necessary
personnel and that the rest of the measure covers the needed evidence for R4. This phrase in the measure
should be removed. We suggest the following for M4: M4. Responsible Entities shall provide the materials
presented to verify content and the association between the people listed in the plan and those who
participated in the review, documentation showing who was present.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. Requirement 4 has been deleted.
SERC OC Standards Review
Group
No
The measures should be revised to match the general nature of the comments we have made on each
requirement.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
PJM Interconnection LLC
No
1. We disagree with M4 as it seems to indicate that all training needs to be in person and precludes any form
of Computer Based Training (CBT). 2. As indicated in 10, R5 is redundant as R2 already required an entity to
report any Impact Events by executing/implementing its Impact Event Operating plan. If R5 is to remain as is,
then M5 goes beyond the requirement by requiring the entity to produce evidence of compliance for the type
of Impact Event experienced. It is not clear as to what additional evidence is needed to “support the type of
Impact Event experienced”.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the requirement.
We Energies
No
M1 contains a redundancy: It currently reads, “Each Responsible Entity shall provide the current in force
Impact Event Operating Plan to the Compliance Enforcement Authority.” (“In force” is the same as
“current”.) M2: Change “Impact Event” to “Impact Event listed in Attachment 1”. M3: This is an additional
requirement. R3 does not require a mock Impact Event. R3 requires a test of the communicating Operating
Process. As stated above, R3 and M3 should be deleted. M4: This is written assuming classroom training.
R4 does not require formal training much less classroom training. R4 requires that those (internal) personnel
who have responsibilities in the plan review the Impact Event Operating Plan. M5: When we report, how do
we show to an auditor that we reported “using the plan”? Delete the reference to “the plan”.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Exelon
No
• M1 - Suggest rewording to state "Each Responsible Entity shall provide the current revision of the Impact
Event Operating Plan or equivalent implementing process"
• M3 - Need to provide more guidance on evidence of compliance to meet R3. The DSR SDT needs to provide more guidance on the objectives and
format of the drill expected (e.g., table top, simulator, mock drill) and what evidence will be required to
illustrate compliance.
• M5 - Suggest that the DSR SDT provide a note or provision to allow for the DOE OE-417 reporting form to be submitted by the most knowledgeable functional entity (e.g., the TOP or RC)
experiencing the event.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
City of Tallahassee (TAL)
No
M3 & M4 should be modified if comments above (#8 and #9) are incorporated. M4 - Providing the “materials
presented” is beyond the scope of compliance. This constitutes a review of the training program which is
beyond the scope of the standard. Review of attendance sheets should be sufficient. The personnel will be
listed in the Plan/Process/Procedure. Modify M4: Responsible Entities shall provide evidence of those who
participated in the review, showing who was present and when internal personnel were trained on their
responsibilities in the plan.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Tenaska
No
The proposed R1 through R4 should be deleted and a revised version of R5 should become R1. The
proposed measures for the new R1 should be revised accordingly.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
American Municipal Power
No
M1-M4 should be eliminated and M5 should be revised to incorporate a simplified R5. M5 - Date and time of
submitted report
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Liberty Electric Power LLC
No
Due to disagreement with R3 and R4.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Arkansas Electric Cooperative
Corporation
No
We applaud the drafting team's effort in crafting more meaningful measures. However, we have concerns with
the measures reading like requirements in stating Responsible Entities "shall" do something. We suggest
crafting the measures to provide acceptable, but not all exclusive, forms of evidence by stating something
similar to "Acceptable forms of evidence may include…"
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
New Harquahala Generating Co.
No
See R3 comments
Response: The DSR SDT thanks you for your comment. Please see R3 responses.
Consumers Energy
No
We understand that DOE is migrating to an on-line reporting facility rather than the email-submitted OE-417.
If they do so, Form OE-417 will not be available for providing to NERC, and the reporting specified by EOP-004 will be duplicative of that for DOE. We recommend that NERC, RFC and the DOE work cooperatively to
enable a single reporting system in which on-line reports are made available to all appropriate parties.
Response: The DSR SDT thanks you for your comment. The DSR SDT has been working with the U.S. Department of Energy (DOE) to streamline the reporting
process. The DOE Form OE-417 will be accepted at NERC if you are reporting an event to the DOE.
Independent Electricity System
Operator
No
We do not have any issues with Measures M1, M2 and M4, but have a concern with M3 and a couple of
concerns with M5: M3: This Measure contains a requirement for the Responsible Entities to conduct a mock
Impact Event. We disagree to have this included in the Measure. R3 requires the Responsible Entity to
conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to
Requirement R1, Part 1.3. The Measure should adhere to this condition only. We suggest to change the
wording to: The Responsible Entity shall provide evidence that it conducted a test of its Operating Process
for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3. The time period
between actual and or mock Impact Events shall be no more than 15 months. Evidence may include, but is
not limited to, operator logs, voice recordings, documentation or a report on an actual Impact Event. M5: a. As
suggested above, R5 should be combined with R2; b. If R5 is to remain as is, then M5 goes beyond the
requirement in R5 in that it asks for evidence to support the type of Impact Event experienced. Attachment 2
already requires the reporting entity to provide all the details pertaining to the Impact Event. It is not clear
what kind of additional evidence is needed to “support the type of Impact Event experienced”. Also, the date
and time of the Impact Event is provided in the reporting form. Why do we need to provide additional evidence
on the date and time of the Impact Event?
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. Requirement R5 (now R2) was revised along with the measure:
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk
Factor: Medium] [Time Horizon: Operations Assessment].
M2. Responsible Entities shall provide a record of the type of event experienced; a dated copy of the Attachment 2 form or OE-417 report; and dated and timestamped transmittal records to show that the event was reported.
ISO New England, Inc
No
We do not have any issues with Measures M1, M2 and M4, but have a comment on M3 and a couple of
concerns with M5: M3: This Measure contains a requirement for the Responsible Entities to conduct a mock
Impact Event. We disagree to have this included in the Measure. R3 requires the Responsible Entity to
conduct a test of its Operating Process for communicating recognized Impact Events created pursuant to
Requirement R1, Part 1.3. The Measure should adhere to this condition only. We suggest to change the
wording to: The Responsible Entity shall provide evidence that it conducted a test of its Operating Process
for communicating recognized Impact Events created pursuant to Requirement R1, Part 1.3. The time period
between actual and or mock Impact Events shall be no more than 15 months. Evidence may include, but is
not limited to, operator logs, voice recordings, documentation or a report on an actual Impact Event. M5: a. As
suggested above, R5 should be combined with R2; b. If R5 is to remain as is, then M5 goes beyond the
requirement in R5 in that it asks for evidence to support the type of Impact Event experienced. Attachment 2
already requires the reporting entity to provide all the details pertaining to the Impact Event. It is not clear
what kind of additional evidence is needed to “support the type of Impact Event experienced”. Also, the date
and time of the Impact Event is provided in the reporting form. Why do we need to provide additional evidence
on the date and time of the Impact Event? c. We disagree with Measurement 4. It implies that the review must
be conducted in person. Why couldn’t other means such as web training or a reminder memo not satisfy the
requirement?
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. Requirement R5 (now R2) was revised along with the measure:
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk
Factor: Medium] [Time Horizon: Operations Assessment].
M2. Responsible Entities shall provide a record of the type of event experienced; a dated copy of the Attachment 2 form or OE-417 report; and dated and timestamped transmittal records to show that the event was reported.
Calpine Corp
No
Requirements R1, R2, R3, and R4 are unnecessary, as discussed above. The measure for Requirement R5
should focus on the need to report accurately and promptly, not on a Responsible Entity’s “Operating Plan”.
If the Requirements are retained, the measures should state in much greater detail what actions and
documentation are required for compliance.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. Requirement R5 (now R2) was revised along with the measure:
R2. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in Attachment 1. [Violation Risk
Factor: Medium] [Time Horizon: Operations Assessment].
M2. Responsible Entities shall provide a record of the type of event experienced; a dated copy of the Attachment 2 form or OE-417 report; and dated and timestamped transmittal records to show that the event was reported.
CenterPoint Energy
No
M1: CenterPoint Energy recommends that the phrase “current in force” be updated to “current” or “currently
effective”. Additionally, CenterPoint Energy suggests clarifying M1 by adding “within 30 days upon request”,
which would be consistent with language found in measures in other standards. The revised measure would
read, “Each Responsible Entity shall provide the currently effective Impact Event Operating Plan to the
Compliance Enforcement Authority within 30 days upon request.” M2: If R2 is deleted (as recommended in
response to Question 7), then M2 should be deleted.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. R2 was deleted along with the measure M2.
ExxonMobil Research and
Engineering
No
Measure M3 introduces a pseudo-requirement by implying you are able to reset the testing clock if you
implement our Impact Event Operating Plan in response to an Impact Event. This should be covered in
Requirement R3. Measure M4 should refer to positions and evidence that people occupying those positions
participated in the annual review of the Impact Event Operating Plan. Given the number of individuals
involved in operations and the cycle of promotions and reassignments, it’s unreasonable to expect an entity
to identify specific individuals in their Impact Event Operating Plan. As the one hour time window is not long
enough for entities to report all types of events when responding to the impact the Impact Event had on its
facility, Measure M5 should be modified to include voice recordings and log book entries to capture verbal
information reported to required parties.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Constellation Power Generation
No
See CPG’s earlier comments regarding the Requirements and Measures.
Response: The DSR SDT thanks you for your comment. See response to comments on Requirements and Measures.
Georgia System Operations
Corporation
No
There are a lot of inconsistencies between the requirements and the measures. The measures add
requirements that are not stated in the requirements. The measures need to be made consistent with the
requirements and to not add to them. Also see comments on requirements earlier for language to move from
the measures into the requirements. M2: Remove "on its Facilities." The word "its" leads to a lot of confusion
regarding who reports what. Attachment 1 should make clear "what" needs to be reported. The entities'
operating plan should make it clear as to who should report each "what." Furthermore, not all Impact Events
are "on Facilities." M3: Replace "that it conducted a mock Impact Event" with "that it conducted a test of its
Operating Process." Delete "The time period between actual and or mock Impact Events shall be no more
than 15 months." M4: The measure says that documentation showing when personnel were trained is
required. R4 does not require training. The requirement and the measure should be made clear and
consistent.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
M3 - The testing of the Plan by drill or mock impact event is unnecessary and burdensome.
Response: The DSR SDT thanks you for your comment. The Measure M3 has been revised as follows:
M3. The Responsible Entity shall provide evidence that it conducted a test of the communication process in its Operating Plan for events created pursuant to
Requirement R1, Part 1.3. Implementation of the communication process as documented in its Operating Plan for an actual event may be used as evidence to
meet this requirement. The time period between an actual event or test shall be no more than 15 months. Evidence may include, but is not limited to, operator logs,
voice recordings, or dated documentation of a test. (R3)
The intent of R3 is to ensure that the communications process of the Operating Plan works when needed. The annual test is not burdensome and an actual event
will take the place of the test.
Farmington Electric Utility System
No
See comments in requirements for R3 and R4
Response: The DSR SDT thanks you for your comment. See response to comments on R3 and R4.
Indeck Energy Services
No
M1 is OK. M2 should be about implementation, not about any particular events--M5 is about events.
Implementation would include distribution and training. M3 should be modified to reflect a training review by
entities that cannot cause a Reportable Disturbance or reportable DOE OE-417 event and for the others
documentation of an actual event (which is not included in the present M3) or a drill or mock event. M4 is OK.
M5 should only include the reports submitted and the date of submission. Further evidence of the event is
redundant.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
Brazos Electric Power
Cooperative
No
M2 and M5 appear to duplicate each other.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement. R2/M2 have been deleted and R5/M5 is now R2/M2.
Progress Energy
No
M3 states that “In the absence of an actual Impact Event, the Responsible Entity shall provide evidence that
it conducted a mock Impact Event…” Does this mean that, if an entity experiences an Impact Event that is
reportable, then the entity does not have to perform its annual test? If so, this should be made clear in the
Requirement.
Response: The DSR SDT thanks you for your comment. That is the intent of the requirement. The Rationale box has been revised to express this intent. The
measure now reads:
The Responsible Entity shall provide evidence that it conducted a test of the communication process in its Operating Plan for events created pursuant
to Requirement R1, Part 1.3. Implementation of the communication process as documented in its Operating Plan for an actual event may be used as
evidence to meet this requirement. The time period between an actual event or test shall be no more than 15 months. Evidence may include, but is
not limited to, operator logs, voice recordings, or dated documentation of a test. (R3)
Occidental Power Marketing
Yes
In general, the measures are okay. However, as mentioned above for R3, there needs to be more specificity
as to what is acceptable as a "mock Impact Event" for auditing purposes--especially for small entities such as
LSEs that do not own, operate, or control BES assets.
Response: The DSR SDT thanks you for your comment. Each measure has been rewritten for the associated requirement to reflect only what is within the
requirement.
SDG&E
Yes
Lakeland Electric
Yes
New Harquahala Generating Co.
Yes
Bonneville Power Administration
Yes
Midwest Reliability Organization
Yes
PSEG Companies
Yes
Pepco Holdings Inc and Affiliates
Yes
Southern Company
Yes
SRP
Yes
APX Power Markets
Yes
Manitoba Hydro
Yes
Sweeny Cogeneration LP
Yes
American Electric Power
Yes
USACE
Yes
Ameren
Yes
BGE
No position or comments.
Platte River Power Authority
Yes
Alliant Energy
Yes
PPL Electric Utilities
Yes
Lincoln Electric System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
13. Do you agree with the proposed Violation Risk Factors for Requirements 1-5? If not, please explain why not
and if possible, provide an alternative that would be acceptable to you.
Summary Consideration: Many stakeholders suggested that the reporting of events after the fact only justified a VRF of
Lower for each requirement. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in
nature and justifies a “lower” VRF. This requirement is administrative in nature and deals with the means to report events after
the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement
to analyze events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of
Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement
2 specifies that an entity is responsible for reporting events in accordance with the Operating Plan based on Attachment 1.
Requirement 3 is insurance to make sure that an entity can communicate information about events. Requirement 2 specifies
that the responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential
sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the
requirements is “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Organization
Yes or No
Question 13 Comment
Northeast Power Coordinating
Council
No
If R5 is to remain as is, then the VRF should be a Lower, not a Medium. R5 stipulates the form to be used. It
is a vehicle to convey the needed information, and as such it is an administrative requirement. Failure to use
the form provided in Attachment 2 or the DOE form does not lead to unreliability.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Bonneville Power Administration
No
R2, R3 and R4 should be lower VRFs than R5 and R1.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
PSEG Companies
No
If Requirements 1-5 remain intact the Violation Risk Factor should be reduced to a Lower not a Medium since
this is an administrative requirement and does not impact the reliability of the BES.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Dominion
No
All the VRFs are "Medium." Since the requirements deal with after-the-fact reporting and the administration of
reporting plans, procedures, and processes; all VRFs should be "Lower."
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Pepco Holdings Inc and Affiliates
No
This standard involves after the fact reporting of events. Other standards deal with the real time notifications.
How do the risk factors between the two line up? A VRF of Low would seem appropriate, since a violation
would not affect the reliability of the BES.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
SPP Standards Review Group
No
These are reporting requirements and therefore do not deserve the “medium” VRF. We suggest making the
VRFs for all requirements for EOP-004-2 “low.”
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Midwest ISO Standards
Collaborators
No
All violation risk factors should be Lower. All requirements are administrative in nature. While they are
necessary because a certain amount of regulatory reporting will always be required, a violation will not in any
direct or indirect way lead to a reliability problem on the Bulk Electric System.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
FirstEnergy
No
1. We believe that Requirement 5 does not warrant a “Medium” risk factor. Not using a particular form is
strictly administrative in nature and the VRF should be “Low.”
2. We believe that Requirement 4 does not warrant a “Medium” risk factor. For example, a simple review of
the process does not have the same impact on the Bulk Electric System as the implementation of the
Operating Plan per R2. Therefore, we believe R4 is at best a “Low” risk to the BES.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
SERC OC Standards Review
Group
No
How can an after-the-fact report require a VRF greater than low?
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
PJM Interconnection LLC
No
All VRFs should be lower as Requirements 1-5 are all administrative in nature. A violation of any of these
requirements does not directly or indirectly affect the reliability of the BES.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
We Energies
No
All VRFs should be Lower. They are all administrative and will not affect BES Reliability.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
LG&E and KU Energy LLC
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Response: The DSR SDT thanks you for your comment. See response to comments on Question 2.
Exelon
No
R.4 should be a low risk factor, this is an administrative requirement with no contribution to reliability.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
City of Tallahassee (TAL)
No
R1 is administrative in nature (must have a document) and should be Lower.
Response: The DSR SDT thanks you for your comment. The DSR SDT concurs and has assigned a “lower” VRF for Requirement R1.
United Illuminating Co
No
R3 should be Low. It is a test of the communication Plan which is use of telephone and email.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
American Municipal Power
No
No, this is not acceptable. Eliminate R1-R4. Change R5 to Lower.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Liberty Electric Power LLC
No
See Q 12.
Response: The DSR SDT thanks you for your comment. Please see response to Question 12.
Manitoba Hydro
No
Reduce the Long Term Planning items to Lower VRF. The planning items will not have the same impact on
the reliability of the system as real time operations.
Response: The DSR SDT thanks you for your comment. Each Requirement is in the Operations Assessment or Operations Planning time horizon. With the
revised standard, there are now three requirements. Requirement R1 specifies that the responsible entity have an Operating Plan for identifying and reporting
events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF. This requirement is administrative in nature and deals with the means to
report events after the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement to analyze
events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of Procedure and the Events Analysis Program.
The two remaining requirements in EOP-004-2 are to report events based on the specifics in Attachment 1 (R2) and to test the communications protocol of the
Operating Plan once per year (R3). Requirement R2 specifies that an entity is responsible for reporting events in accordance with the Operating Plan based on
Attachment 1. Requirement R3 is insurance to make sure that an entity can communicate information about events. Requirement R2 specifies that the
responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential sabotage events. Part of the reason to report
these types of events is to make other entities aware to help prevent further sabotage events from occurring. Existing CIP-001-1a deals with sabotage events
and the approved VRFs for each of the requirements is “medium.” The VRFs for EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Independent Electricity System
Operator
No
If R5 were to remain as is, then the VRF should be a Lower, not a Medium since R5 stipulates the form to be
used. It is a vehicle to convey the needed information, and as such it is an administrative requirement. Failure
to use the form provided in Attachment 2 or the DOE form does not give rise to unreliability.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
ISO New England, Inc
No
If R5 is to remain as is, then the VRF should be a Lower, not a Medium since R5 stipulates the form to be
used. It is a vehicle to convey the needed information, and as such it is an administrative requirement. Failure
to use the form provided in Attachment 2 or the DOE form has no impact on reliability.
All violation risk factors should be Lower. All requirements are administrative in nature. While they are
necessary because a certain amount of regulatory reporting will always be required, a violation will not in any
direct or indirect way affect reliability.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Calpine Corp
No
Requirements R1, R2, R3, and R4 are unnecessary, as discussed above. If retained, the violation risk factors
should be low for those Requirements, as they all simply support the requirement to actually report correctly
stated in Requirement R5.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
ExxonMobil Research and Engineering
No
VRFs, VSLs, and THs ideally should be based on the impact event type; alternatively a low VRF seems more
appropriate for the requirements of this standard.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Georgia System Operations
Corporation
No
Failing to report to NERC any of many of the listed events does not present a reliability risk. The exception to
this would be those threat events where the ES-ISAC needs to be notified. The object of the standard is to
prevent or reduce the risk of Cascading. Reporting system situations to appropriate operating entities who
can take some mitigating action (e.g., a LSE reporting to its BA or a BA reporting to its RC) and reporting
threats to law enforcement officials could prevent or reduce the risk of Cascading but reporting to NERC
(except for events where the ES-ISAC needs to know) is unlikely to do that. Reporting of most of the listed
events to NERC does not meet the objective of this standard and should be removed from this standard.
Such events should be reported to NERC through some other (than a Reliability Standard) requirement for
reporting to NERC so that NERC can accomplish its mission of analyzing events. Analyzing events may lead
to an understanding that could reduce the future risk of Cascading but analyzing events cannot be performed
in time to reduce any impending risks.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
Indeck Energy Services
No
If there are any, they should all be Low because this is reporting of historical events. There is no direct effect
on BES reliability. Some effect could occur if someone reacts to the reports, but many are concerning
unpreventable events.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement 1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement 2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement 3 is insurance to make sure that an entity can
communicate information about events. Requirement 2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
Progress Energy
No
BGE
Yes
Platte River Power Authority
Yes
Alliant Energy
Yes
Midwest Reliability Organization
Yes
Southern Company
Yes
SRP
Yes
No comments.
Consideration of Comments on Disturbance & Sabotage Reporting – 2009-01
Organization
Yes or No
SDG&E
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
Arkansas Electric Cooperative
Corporation
Yes
Sweeny Cogeneration LP
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
Question 13 Comment
14. Do you agree with the proposed Violation Severity Levels for Requirements 1-5? If not, please explain why
not and if possible, provide an alternative that would be acceptable to you.
Summary Consideration: Most commenters agreed with the VSLs. The DSR SDT has deleted R4 and R2, and R5 has become
R2. The VSLs have been aligned with the revised requirements. The ‘Severe’ rating for excessively long reporting times has
been retained as the DSR SDT believes that fairly reflects the definition of ‘Severe’ i.e., The performance or product measured
does not substantively meet the intent of the requirement.
Organization
Yes or No
Northeast Power Coordinating
Council
No
Question 14 Comment
No major issues with the proposed VSLs. However, because of the preceding comments, want to see the
next revision of the draft.
Response: The DSR SDT thanks you for your comment.
Bonneville Power
Administration
No
For R5 VSL's: suggest moving the 1-2 hours down one level to Moderate and move the >2 hours down to
High with a range of 2-8 hours. Leave the "Failed to Submit" in the Severe category.
Response: The DSR SDT thanks you for your comment. The DSR SDT has increased most reporting timeframes to 24 hours. Those that still require 1 hour
reporting have been adjusted to better align with the 24 hour VSLs. Namely, taking twice as long to report is a ‘Medium’ VSL. The ‘Severe’ rating for excessively
long reporting times has been retained as the DSR SDT believes that fairly reflects the definition of ‘Severe’ i.e., The performance or product measured does not
substantively meet the intent of the requirement.
Western Electricity Coordinating
Council
Regarding the proposed VSLs for R3, since communication testing involves multiple parties it would be
more appropriate to base severity level on the number of applicable parties which were not tested rather
than how long after 15 months it took to do the test. The standard already builds in a 3 month leeway. In
reality the way it is written almost guarantees a lower severity level.
Response: The DSR SDT thanks you for your comment. VSLs reflect the degree to which the requirements are met. The DSR SDT envisions that
communication testing will include all parties referenced in the entity’s operating plan. Failure to test any part of that communication process is a failure of that
Part of the requirement.
Pepco Holdings Inc and
Affiliates
No
This standard involves after the fact reporting of events. Other standards deal with the real time
notifications. How do the severity level between the two line up? See above VRF comments.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the VSLs appropriately align with the NERC Guidelines.
SPP Standards Review Group
No
Requirement 4: We would suggest the following:
Low - The Responsible Entity reviewed its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 15 calendar months but less than 18 calendar months since the last review.
Moderate - The Responsible Entity reviewed its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 18 calendar months but less than 21 calendar months since the last review.
High - The Responsible Entity reviewed its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan in more than 21 calendar months but less than 24 calendar months since the last review.
Severe - The Responsible Entity failed to review its Impact Event Operating Plan with those personnel who have responsibilities identified in that plan within 24 calendar months since the last review.
Requirement 5: With our suggested deletion of Requirement 5, we further suggest deleting the
VSLs associated with Requirement 5.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R4 and R2, and R5 has become R2.
SERC OC Standards Review
Group
No
The VSLs should reflect the comments on the requirements above.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R4 and R2, and R5 has become R2. The VSLs have been aligned with the
revised requirements.
PJM Interconnection LLC
No
VSLs should reflect the comments on the VRFs above.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the VSLs appropriately align with the NERC Guidelines.
We Energies
No
Change the VRFs as indicated above and the Time Horizons as indicated below.
Response: The DSR SDT thanks you for your comment. Please see responses to those comments.
Compliance & Responsibility
Organization
No
See comments set forth in number 2.
Response: The DSR SDT thanks you for your comment. Please see responses to Question 2.
Exelon
No
Suggest rewording the 1 hour reporting for High and Severe to state "communicate or submit" a report
within - depending on the severity of the event, an actual report may not be feasible. Similar to an NRC
event report, a provision should be made for verbal notifications in lieu of an actual submitted report. An
entity should not be penalized for failing to submit a written report within 1 hour if the communications were
completed within the 1 hour time period meeting the intent of the Standard.
Response: The DSR SDT thanks you for your comment. Attachment 1 allows you to provide a verbal report under the conditions you contemplate.
SDG&E
No
This Reliability Standard provides a list of reporting requirements that are applicable to registered entities,
thus it is a paperwork exercise; therefore, SDG&E recommends that none of the requirements should
exceed a "Moderate" Violation Severity Level. Failure on the part of an applicable Registered Entity to
provide an event report will have no immediate impact on the Bulk Electric System.
Response: The DSR SDT thanks you for your comment. VSLs describe how fully an entity meets the requirements and are not a measure of severity or impact.
These items are captured in the VRFs.
American Municipal Power
No, this is not acceptable. Eliminate R1-R4 and change R5.
Severe: n/a
High VSL: n/a
Medium VSL: No report for a reportable event
Low VSL: Late report for a reportable event
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R4 and R2, and R5 has become R2. The VSLs have been aligned with the
revised requirements.
Liberty Electric Power LLC
No
See Q 12.
Response: The DSR SDT thanks you for your comment. Please see responses to Question 12.
Consumers Energy
No
1. In reference to the Impact Event addressing "Loss of Firm load for greater than or equal to 15 minutes",
this is likely to occur for most entities most frequently during storm events, where the loss of load builds
slowly over time. In these cases, exceeding the threshold may not be apparent until a considerable time
has lapsed, making the submittal time frame impossible to meet. Even more, it may be very difficult to
determine if/when 300 MW load (for the larger utilities) has been lost during storm events, as the precise
load represented by distribution system outages may not be determinable, since this load is necessarily
dynamic. Suggest that the threshold be modified to "Within 1 hour after detection of exceeding 15-minute
threshold". Additionally, these criteria are specifically storm related wide spread distribution system
outages. These events do not pose a risk to the BES.
2. Many of the Impact Events listed are likely to
occur, if they occur, at widely-distributed system facilities, making reporting "Within 1 hour after occurrence
is identified" possibly impractical, particularly in order to provide any meaningful information. Please give
consideration to clearly permitting some degree of investigation by the entity prior to triggering the "time to
submit".
3. Referring to the "Fuel Supply Emergency" Impact Event, OE-417 requires 6-hour reporting,
where the Impact Event Table requires 1-hour reporting. The reporting period for EOP-004-2 should be
consistent with OE-417.
Response: The DSR SDT thanks you for your comment. The DSR SDT has increased almost all reporting timeframes to 24 hours. Also, the fuel supply
emergency has been removed from Attachment 1. Reporting period was chosen to meet NERC needs, you may have more restrictive periods for OE-417, but
that is outside the jurisdiction of the DSR SDT.
Calpine Corp
No
Requirements R1, R2, R3, and R4 are unnecessary, as discussed above. If retained, the violation risk
factors should be low for those requirements, as they all simply support the requirement to actually report
correctly stated in Requirement R5.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R4 and R2, and R5 has become R2. The VSLs have been aligned with the
revised requirements.
CenterPoint Energy
No
CenterPoint Energy believes that the Severe VSL for R5 (Reporting) in the current draft incorrectly equates
2X reporting with failure to submit a report. CenterPoint Energy believes the VSLs for R5 should all reflect
a factor increase in time. For example, the lower VSL should be 1.5X the reporting time frame. The
Moderate VSL should be 2x the reporting time frame. The High VSL should be 3x the reporting time frame.
The Severe VSL should be failure to report.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R4 and R2, and R5 has become R2. The VSLs have been aligned with the
revised requirements. The ‘Severe’ rating for excessively long reporting times has been retained as the DSR SDT believes that fairly reflects the definition of
‘Severe’ i.e., The performance or product measured does not substantively meet the intent of the requirement.
ExxonMobil Research and
Engineering
No
VRFs, VSLs, and THs ideally should be based on the impact event type; alternatively a low VRF seems
more appropriate for the requirements of this standard.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the VSLs and time horizons appropriately align with the requirements and
NERC Guidelines. With the revised standard, there are now three requirements. Requirement R1 specifies that the responsible entity have an Operating Plan
for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF. This requirement is administrative in
nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with the exception of Requirement R2
which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed through the NERC Rules of
Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the specifics in Attachment 1 (R2)
and to test the communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is responsible for reporting events
in accordance with the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can communicate information about
events. Requirement R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these events are dealing with potential
sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further sabotage events from occurring.
Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for EOP-004-2 comport with the
existing approved VRFs for both EOP-004 and CIP-001.
Indeck Energy Services
No
There should be only Lower VSL's. This is reporting of historical events and there is no direct effect on
BES reliability. How does missing 3 parts of R1 compare to tripping a 4,000 MW generating station
because vegetation was not properly managed? Just because there are 4 levels, doesn't mean that all
Standards need to use them all. If you step back, and think about causes of cascading outages, reporting
events 1 hour or 24 hours later has no significance. There is no direct preventative causation either.
Response: The DSR SDT thanks you for your comment. VSLs describe how fully an entity meets the requirements and are not a measure of severity or impact
to the BES. These items are captured in the VRFs.
Progress Energy
No
Progress disagrees with the High and Severe VSLs listed for R5. If an entity experiences an Impact Event
and fails to submit a report within an hour as required, it may be that there are multiple mitigating
circumstances. It is not reasonable to require reporting within an hour since identifying a reportable event
often takes longer than this time period.
Response: The DSR SDT thanks you for your comment. The DSR SDT has increased almost all reporting timeframes to 24 hours. Also, VSLs describe how fully
an entity meets the requirements and are not a measure of severity or impact to the BES. These items are captured in the VRFs.
Georgia System Operations
Corporation
Independent Electricity System
Operator
No
None.
We do not have any major issues with the proposed VSLs. However, in view of our comments on some of
the Questions, above, we reserve our comments upon seeing a revised draft.
Response: The DSR SDT thanks you for your comment.
ISO New England, Inc
We do not have any major issues with the proposed VSLs. However, in view of our comments on some of
the Questions, above, we reserve our comments upon seeing a revised draft.
Response: The DSR SDT thanks you for your comment.
Midwest Reliability Organization
Yes
Midwest ISO Standards
Collaborators
Yes
Southern Company
Yes
SRP
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating
Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
Arkansas Electric Cooperative
Corporation
Yes
Manitoba Hydro
Yes
Sweeny Cogeneration LP
Yes
American Electric Power
Yes
New Harquahala Generating
Co.
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility
System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
City of Tacoma, Department of
Public Utilities, Light Division,
dba Tacoma Power
Yes
No comments.
15. Do you agree with the proposed Time Horizons for Requirements 1-5? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: Many stakeholders suggested that the Time Horizons for this standard should be
Operations Assessment or Operations Planning rather than Long Term Planning. The DSR SDT agrees. The DSR
SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Assessment, which is defined as ‘follow-up
evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 has been changed
to Operations Planning.
Organization
Yes or No
Question 15 Comment
Northeast Power Coordinating
Council
No
For the purpose of developing and updating an Impact Event Operating Plan, there should not be any
requirements that fall into the Long-term planning horizon. As the name implies, the plan is used in the
operating time frame. Consistent with other plans such as system restoration plans which need to be updated
and tested annually, most of the Time Horizons in that standard (EOP-005-2) are either Operations Planning
or Real-time Operations. Suggest the Time Horizon for R1, R3 and R4 be changed to Operations Planning.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Assessment,
which is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 has been changed to
Operations Planning.
Bonneville Power Administration
No
Depends on the answer to #7. If implementation means a signed and valid Plan, then it should be with Long
Term. If reporting the events, then it should be Real-Time/Same Day Operations.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted the separate requirement to ‘implement the plan’. The reporting obligation is
now R2 with a time horizon of Operations Assessment, which is defined as ‘follow-up evaluations and reporting of real time operations’.
SPP Standards Review Group
No
Based on our previous comments in response to Question 11, we feel that the Time Horizon for R2 should be
lengthened. Assigning it a Real-time Operations and Same-day Operations timeframe has too much of an
impact on real-time operations. Pushing it back will allow support personnel to do the after-the-fact reporting
and keep this burden off of the operators.
Response: The DSR SDT thanks you for your comment. The reporting obligation is now R2 with a time horizon of Operations Planning, which is defined as
‘follow-up evaluations and reporting of real time operations’.
Midwest ISO Standards
Collaborators
No
R2 and R5 should be Operations Assessment since it deals with after the fact reporting. R3 should include
Operations Assessment since an actual event could be used as the test.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning.
SERC OC Standards Review
Group
No
R2 and R5 should be in the Operations Assessment time horizon.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning.
PJM Interconnection LLC
No
R2 and R5 should be in Operations Assessment Time Horizon as they deal with "after-the-fact" reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning.
We Energies
No
R2 and R5 should be Operations Assessment.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning.
Consumers Energy
No
1. In reference to the Impact Event addressing "Loss of Firm load for greater than or equal to 15 minutes",
this is likely to occur for most entities most frequently during storm events, where the loss of load builds slowly
over time. In these cases, exceeding the threshold may not be apparent until a considerable time has lapsed,
making the submittal time frame impossible to meet. Even more, it may be very difficult to determine if/when
300 MW load (for the larger utilities) has been lost during storm events, as the precise load represented by
distribution system outages may not be determinable, since this load is necessarily dynamic. Suggest that the
threshold be modified to "Within 1 hour after detection of exceeding 15-minute threshold". Additionally, these
criteria are specifically storm related wide spread distribution system outages. These events do not pose a
risk to the BES.
2. Many of the Impact Events listed are likely to occur, if they occur, at widely-distributed
system facilities, making reporting "Within 1 hour after occurrence is identified" possibly impractical,
particularly in order to provide any meaningful information. Please give consideration to clearly permitting
some degree of investigation by the entity prior to triggering the "time to submit".
3. Referring to the "Fuel
Supply Emergency" Impact Event, OE-417 requires 6-hour reporting, where the Impact Event Table requires
1-hour reporting. The reporting period for EOP-004-2 should be consistent with OE-417.
Response: The DSR SDT thanks you for your comment. The DSR SDT has increased almost all reporting timeframes to 24 hours. Also, the fuel supply emergency
has been removed from Attachment 1. Reporting period was chosen to meet NERC needs, you may have more restrictive periods for OE-417, but that is outside
the jurisdiction of the DSR SDT.
Independent Electricity System
Operator
No
For the purpose of developing and updating an Impact Event Operating Plan, there should not be any
requirements that fall into the Long-term planning horizon. As the name implies, the plan is used in the
operating time frame. And consistent with other plans such as system restoration plan which needs to be
updated and tested annually, most of the Time Horizons in that standard (EOP-005-2) are either Operations
Planning or Real-time Operations. We suggest the Time Horizon for R1, R3 and R4 be changed to Operations
Planning.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning.
ISO New England, Inc
No
For the purpose of developing and updating an Impact Event Operating Plan, there should not be any
requirements that fall into the Long-term planning horizon. As the name implies, the plan is used in the
operating time frame. And consistent with other plans such as system restoration plan which needs to be
updated and tested annually, most of the Time Horizons in that standard (EOP-005-2) are either Operations
Planning or Real-time Operations. We suggest the Time Horizon for R1, R3 and R4 be changed to Operations
Planning. The Time Horizon for R2 and R5 should be changed to Operations Assessment since they both
deal with after the fact reporting.
Response: The DSR SDT thanks you for your comment. The DSR SDT has deleted R2, and R5 has become R2 with a time horizon of Operations Planning, which
is defined as ‘follow-up evaluations and reporting of real time operations’. R4 has been deleted and the time horizon for R1 and R3 have been changed to
Operations Planning.
ExxonMobil Research and
Engineering
No
VRFs, VSLs, and THs ideally should be based on the impact event type; alternatively a low VRF seems more
appropriate for the requirements of this standard.
Response: The DSR SDT thanks you for your comment. With the revised standard, there are now three requirements. Requirement R1 specifies that the
responsible entity have an Operating Plan for identifying and reporting events listed in Attachment 1. This is procedural in nature and justifies a “lower” VRF.
This requirement is administrative in nature and deals with the means to report events after the fact. The current approved VRFs for EOP-004-1 are all lower with
the exception of Requirement R2 which is a requirement to analyze events. This standard relates only to reporting events. The analysis portion is addressed
through the NERC Rules of Procedure and the Events Analysis Program. The two remaining requirements in EOP-004-2 are to report events based on the
specifics in Attachment 1 (R2) and to test the communications protocol of the Operating Plan once per year (R3). Requirement R2 specifies that an entity is
responsible for reporting events in accordance with the Operating Plan based on Attachment 1. Requirement R3 is insurance to make sure that an entity can
communicate information about events. Requirement R2 specifies that the responsible entity must report an event to the appropriate entities. Some of these
events are dealing with potential sabotage events. Part of the reason to report these types of events is to make other entities aware to help prevent further
sabotage events from occurring. Existing CIP-001-1a deals with sabotage events and the approved VRFs for each of the requirements is “medium.” The VRFs for
EOP-004-2 comport with the existing approved VRFs for both EOP-004 and CIP-001.
The DSR SDT believe the VSLs and revised time horizons appropriately align.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
Why shorten the normal process?
Response: The DSR SDT thanks you for your comment. The DSR SDT has revised most of the reporting timelines to 24 hours.
Indeck Energy Services
No
These requirements have no time horizon. They're about history and not about the future.
Response: The DSR SDT thanks you for your comment. All NERC standards must have a time horizon associated with each requirement. Time horizons are used
as a factor in determining size of a sanction.
American Municipal Power
No
USACE
No
Pepco Holdings Inc and Affiliates
Yes
However, do they line up with the corresponding real time reporting procedures as mentioned above, #13 and
#14?
Response: The DSR SDT thanks you for your comment. Please see responses to comments #13 and #14. Since the time for reporting impact events is no more
than 24 hours, the time horizon has been revised to Operations Planning.
Midwest Reliability Organization
Yes
PPL Supply
Yes
Dominion
Yes
FirstEnergy
Yes
Southern Company
Yes
SRP
Yes
City of Tallahassee (TAL)
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
United Illuminating Co
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
Manitoba Hydro
Yes
Sweeny Cogeneration LP
Yes
New Harquahala Generating Co.
Yes
Platte River Power Authority
Yes
BGE
No position or comments.
Alliant Energy
Yes
CenterPoint Energy
Yes
PPL Electric Utilities
Yes
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
Farmington Electric Utility System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
Georgia System Operations
Corporation
Yes
None.
16. Do you agree with the proposed Implementation Plan for EOP-004-2? If not, please explain why not and if
possible, provide an alternative that would be acceptable to you.
Summary Consideration: The majority of commenters agreed with the Implementation Plan. The DSR SDT believe the
revisions made as part of this comment period have made the standard easier to implement. This latest revision more closely
aligns with existing EOP-004 requirements, which entities are already compliant with. Consequently the effective date remains
as first calendar day of the third calendar quarter following the regulatory approval/BOT adoption as applicable.
Organization
Yes or No
Question 16 Comment
Pepco Holdings Inc and Affiliates
No
The proposed time line is too short. It is easy to revise procedures. However developing training and
integrating the training into the schedule takes time. Shorter time frame takes away adequate time to
integrate into the training plan and disrupts operator schedules. Since notifications already exist and after the
fact reporting does not impact BES reliability, why the need to expedite? There are many other training
activities that must be coordinated with this.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
FirstEnergy
No
We believe the previous proposal for a 12 month implementation was more appropriate and suggest the team
revert back to that timeframe.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Southern Company
No
The implementation time should be 12 months after approval regardless of the elapsed time taken to get the
standard approved.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Exelon
No
The DSR SDT reduced the implementation from one year to between six and nine months based on the
revised standard requirements. Exelon disagrees with the proposed shortened implementation timeframe.
The current revision to EOP-004 still requires an entity to generate, implement and provide any necessary
training for the "Impact Event Operating Plan" by a registered entity. Commenters previously supported a one
year minimum; but the requirements for implementation have not changed measurably - six to nine months is
not adequate to implement as written.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
SDG&E
No
SDG&E recommends a 9 month minimum timeframe for implementation.
Response: The DSR SDT thanks you for your comment. The DSR SDT believe the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
United Illuminating Co
No
The SDT should be specific that on the effective date an Entity will have the Operating documented and
approved. The SDT should be specific that the first simulation is required to occur 15 months following the
effective date. The SDT should be specific that the first annual review shall occur within 15 months after the
effective date.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
American Electric Power
No
With the scope of applicable functions expanding, more time will be required to develop broader processes
and training. This will need to be extended for 18 months to get the process implemented and everyone
trained.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
CenterPoint Energy
No
CenterPoint Energy prefers the previously accepted timeline of 1 year.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Georgia System Operations
Corporation
No
There is nothing about the revisions that were made to the requirements that shortens the time needed by the
industry to get prepared for this revision. The removal of requirements for NERC does not shorten the
requirements for the industry. Eighteen months (or 12 months minimum) should be allotted to prepare for this
revision.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Brazos Electric Power
Cooperative
No
A one year implementation is needed to develop and implement formal documents to meet requirements.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
No
The implementation Plan was to move up the timeline and we do not see why this needs to be pushed
forward on a shortened timeline. It should remain at the one year implementation schedule especially if
annual exercises are not removed from the standard requirements as this takes some time to prepare.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
ExxonMobil Research and
Engineering
Recommend 4th calendar quarter instead of 3rd.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Consumers Energy
No
Dominion
Yes
Dominion agrees with the Implementation Plan; however, notes that the title for EOP-004-2 is inconsistent
with the actual proposed standard.
Response: The DSR SDT thanks you for your comment. The DSR SDT believes the revisions made as part of this comment period have made the standard easier
to implement. This latest revision more closely aligns with existing EOP-004 requirements, which entities are already compliant with.
Farmington Electric Utility System
Yes
Nine months would be preferred
Response: The DSR SDT thanks you for your comment. The majority of stakeholders agree with the proposed implementation plan and it will remain
unchanged.
Northeast Power Coordinating
Council
Yes
Bonneville Power Administration
Yes
Midwest Reliability Organization
Yes
PPL Supply
Yes
SPP Standards Review Group
Yes
Midwest ISO Standards
Collaborators
Yes
SERC OC Standards Review
Group
Yes
PJM Interconnection LLC
Yes
SRP
Yes
We Energies
Yes
Compliance & Responsibility
Organization
Yes
City of Tallahassee (TAL)
Yes
Lakeland Electric
Yes
New Harquahala Generating Co.
Yes
APX Power Markets
Yes
American Municipal Power
Yes
Liberty Electric Power LLC
Yes
Arkansas Electric Cooperative
Corporation
Yes
Manitoba Hydro
Yes
Sweeny Cogeneration LP
Yes
USACE
Yes
New Harquahala Generating Co.
Yes
Independent Electricity System
Operator
Yes
ISO New England, Inc
Yes
Platte River Power Authority
Yes
BGE
Yes
Alliant Energy
Yes
PPL Electric Utilities
Yes
No comments.
Occidental Power Marketing
Yes
Lincoln Electric System
Yes
American Transmission
Company
Yes
Ingleside Cogeneration LP
Yes
Duke Energy
Yes
Indeck Energy Services
Yes
17. If you have any other comments you have not already provided in response to the questions above, please
provide them here.
Summary Consideration: The majority of comments received relate to Attachment 1 and the Flowchart in the
background section. The DSR SDT has made conforming revisions to each based on the comments received. The
Flowchart was updated to remove references to sabotage and replaced with “Criminal act invoking federal
jurisdiction”. In response to the comments received, the SDT has made numerous enhancements to Attachment 1.
These revisions include:
• Added new column “Submit Attachment 2 or DOE OE-417 Report to:” which references Part 1.3 and provides
the time required to submit the report.
• Combined Parts A and B into one table and reorganized it so that the events are listed in order of reporting
times (either one hour or 24 hours)
• Removed references to “Impact Event” and replaced with the specific language for the event type in the
“Entity with Reporting Responsibility”. For example, replaced “Impact Event” with “automatic load
shedding”.
The ERO and the RE were added as applicable entities to reflect CIP-002 applicability to this standard.
Organization
Yes or No
Question 17 Comment
Georgia Transmission
Corporation & Oglethorpe Power
Corporation
In the discussion and related flowchart described as "A Reporting Process Solution - EOP-004," the
discussion suggests that Industry should notify the state law enforcement agency and then allow the state
agency to coordinate with local law enforcement. It has been our experience that we receive very good
response from local law enforcement and they have existing processes to notify state or federal agencies as
necessary. It appears the recommendation is to bypass the local law enforcement, but it is not clear that
representatives from state or local law enforcement were included in this discussion (see proposal discussed
with "FBI, FERC Staff, NERC Standards Project Coordinator and SDT Chair"). It would be helpful to see
some additional clarification to understand why the state agency was chosen over local or federal agencies.
Finally, we would like to express our gratitude to the DSR SDT for their hard work in making improvements to
the NERC standards for event reporting.
Response: The DSR DT thanks you for your comment.
The Flowchart has been updated. The DSR SDT has reviewed all comments and believes it is the
responsibility of the Reporting Entity to contact the appropriate law enforcement officials.
Bonneville Power Administration
Work needed on Part A Damage or Destruction of BES equipment. The Note 1 is OK, but the Threshold
doesn't match well. If a PCB is damaged by lightning or an earthquake, Note 1 (human action) doesn't
require Reporting (proper interpretation), but the Threshold still requires "equipment damage.”
Response: The DSR DT thanks you for your comment. Attachment 1 has been updated concerning Destruction of BES equipment and the associated
footnote has been revised.
Midwest Reliability Organization
On the Impact Reporting Form, number 7,8,9,10, and 11 have an asterisk (*) but nothing describes what the
asterisk means. Recommend a foot note be added to state: * If applicable to the reported Impact Event.
Response: The DSR DT thanks you for your comment. Attachment 1, Part B has been updated to reflect these noted changes.
Western Electricity Coordinating
Council
Actual Reliability Impact Table comments: Note that per the NERC glossary "Energy Emergency" only is
defined for an LSE. Energy Emergency is the precursor term in the first three lines. Thus logically an LSE is
the only entity which would be initiating the event and responsible for reporting for first three items. We don't
believe that is the intent. We suggest you consider just eliminating “Energy Emergency” and going with:
• Public appeal for load reduction
• system-wide voltage reduction
• manual firm load shedding
For Loss of Off site power at Nuc Station is reporting really expected of each of the entities listed? (lots of reports) We
suggest you consider just the Nuclear GOP and perhaps the associated TOP. Perhaps you could use the CIP
approach as in the next two rows and say Applicable GOP and Transmission Entities under NUC-0012
Potential Reliability Impact Table Comments: For Fuel Supply Emergency, Forced Intrusion, Risk to BES
Equipment, Cyber Security Incident where owner/operator are both listed (GO/GOP or TO/TOP) could
consider perhaps reporting to be assigned to only one rather than both.
Response: The DSR DT thanks you for your comment. The DSR SDT has removed the use of “Energy Emergency” and has updated Loss of offsite power
to a nuclear generating plant within Attachment 1.
Fuel Supply emergency has been removed from Attachment 1 per comments received. The entire
Attachment 1 has been updated per comments received.
Pacific Northwest Small Public
Power Utility Comment Group
All five requirements refer to Attachment 1 Part A either directly, or indirectly by referring to R1 plans.
Attachment 1 Part A, though, only provides the thresholds required for reporting (R5). No thresholds are
provided for planning (R1) or the requirements referencing the plan (R2-R4). Strictly interpreted, an entity
would be required to plan for any amount of firm load loss exceeding 15 minutes (for example), implement the
plan for any amount and then report only those events that exceeded the applicable 200 or 300 MW level. An
entity that had a peak load of less than 200 MW would still need to meet R1-R4 regarding load loss. We
believe the SDT intended to use common thresholds for all the requirements. Suggest relabeling the
Attachment 1 Part A column header from “Threshold for Reporting” to “Threshold.” We also fail to see how
an entity’s size in MWh affects the threshold for reporting firm load loss.
Response: The DSR DT thanks you for your comment. The DSR SDT has revised each Requirement and Attachment 1. There are other events within
Attachment 1 that a responsible entity will be required to report.
Dominion
The following comments are provided on the Reporting Hierarchy for Impact Events EOP-004-2: 1) A
reference to sabotage still exists in a “decision block”; 2) The “entry block” only specifies “actual Impact
Events” and does not address “potential”; 3) Hierarchy is misspelled in the title. Attachment 2: Impact Event
Reporting Form; in questions 7, 8, 9, 10, 11 what is the purpose of the *(asterisk) behind each Task that is
named?
Response: The DSR DT thanks you for your comment. The Flowchart has been updated based on comments received. Attachment 2 has been updated
to reflect comments received.
Pepco Holdings Inc and Affiliates
IRO-000-1, Sec D1.5 and TOP-007, Sec D1.1 there are “after the fact” reporting requirements for IROL
violations. Since IROL violations are included in this standard, should those standards be modified? Should
the standard include a specific statement that this standard deals only with after the fact and other standards
deal with real time reporting? Since this standard deals with after the fact reporting, consideration should be
given to extending the time to report as defined in Attachment 1. One hour does not seem to be reasonable.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed TOP-007 and note that the 72 hour issue is not defined within a
Requirement. This issue has been forwarded to the “NERC Issues Data base.” Attachment 1 has been updated to reflect this event to 24 hours per comments
received.
SPP Standards Review Group
In Attachment 2 just before the table, the statement is made that “NERC will accept the DOE OE-417 form in
lieu of this form if the entity is required to submit an OE-417 report.” But the last sentence in the Guideline
and Technical Basis white paper, it is stated that “For example, if the NERC Report duplicates information
from the DOE form, the DOE report may be included or attached to the NERC report, in lieu of entering that
information on the NERC report.” These are in conflict with each other. Which is correct? We prefer the
former over the latter. In Attachment 2 in Tasks 7-11 an asterisk appears in those tasks. To what does this
asterisk refer?
Response: The DSR DT thanks you for your comment. The DSR SDT’s White Paper was the initial road map for the SDT to follow. The DSR SDT has
proposed allowing entities to use the DOE Form OE-417 to report events listed within Attachment 1.
Midwest ISO Standards
Collaborators
We believe the reporting time lines are too aggressive for some events. Reporting events within an hour is not
reasonable as an entity may still be dealing with the event. This will be particularly difficult when support
personnel are not present such as during nights, holidays, and weekends.
Response: The DSR DT thanks you for your comment. Attachment 1 has been updated per comments received.
FirstEnergy
FE offers the following additional comments and suggestions:
1. In the Background section of EOP-004-2, on page 6 under Stakeholders in the Reporting Process, we
suggest adding “Regional Entity” and “Nuclear Regulatory Commission”.
2. The DSR SDT makes reference to comments that Exelon provided that suggested adopting the NRC
definition of "sabotage." We feel the comment made by Exelon in their previous submittal was to ensure that
the DSR SDT included the Nuclear Regulatory Commission (NRC) as a key Stakeholder in the Reporting
Process and FE agrees with this suggestion. Nuclear generator operators already have specific regulatory
requirements to notify the NRC for certain notifications to other governmental agencies in accordance with 10
CFR 50.72(b)(s)(xi). We ask that the DSR SDT contact the NRC about this project to ensure that existing
communication and reporting that a licensee is required to perform in response to a radiological sabotage
event (as defined by the NRC) or any incident that has impacted or has the potential to impact the BES does
not create either duplicate reporting, conflicting reporting thresholds or confusion on the part of the nuclear
generator operator. We believe this is a similar situation as what was recently resolved between NERC and
the NRC concerning the applicability of CIPs 002 – 009 for nuclear plants. Each nuclear generating site
licensee must have an NRC approved Security Plan that outlines applicable notifications to the FBI.
Depending on the severity of the security event, the nuclear licensee may initiate the Emergency Plan (E-Plan). We ask that the proposed "Reporting Hierarchy for Impact Event EOP-004-2," flow chart be
coordinated with the NRC to ensure it does not conflict with existing expected NRC requirements and protocol
associated with site specific Emergency and Security Plans.
Response: The DSR DT thanks you for your comment. 1. We have added these as requested. 2. The NRC was added to the list on page 6 as requested.
The events in Attachment 1 that are applicable to nuclear plants are: Generation loss (>1,000 MW WECC, >2,000 MW Elsewhere); Destruction of BES
Equipment; Damage or destruction of Critical Asset per CIP-002; Damage or destruction of a Critical Cyber Asset per CIP-002; Forced Intrusion; Risk to BES
Equipment; and Detection of a Reportable Cyber Security incident. Two of these events are addressed in the situation that you mention above (CIP-002). The
other events should be reported to both the NRC and ERO if they occur. These are considered to be sabotage type events.
SERC OC Standards Review
Group
In Attachment 1, the reporting timeline should be no less than the end of the next business day for after-the-fact reporting of events. If reporting in a time frame less than this is required for reliability, the groups or
organizations receiving the reports should be included in the functional model. The emphasis should be on
giving the operators the time to respond to events and not to reporting requirements. “The comments
expressed herein represent a consensus of the views of the above named members of the SERC OC
Standards Review group only and should not be construed as the position of SERC Reliability Corporation, its
board or its officers.”
Response: The DSR DT thanks you for your comment. Attachment 1 has been updated to reflect comments received. Many of the reporting time frames
have been revised to 24 hours.
PJM Interconnection LLC
In the Compliance Enforcement Authority Section on Page 11, the second bullet says “If the Responsible
Entity works for the Regional Entity, then the Regional Entity will establish an agreement with the ERO or
another entity approved by the ERO and FERC (i.e. another Regional Entity) to be responsible for compliance
enforcement”. We are not sure what this exactly implies or means. Additional clarification is required.
Response: The DSR DT thanks you for your comment. The statement that PJM is referring to applies to Regional Entities that also have a functional
model obligation.
Southern Company
Need guidance for incorporating disturbance reporting that is in CIP-008.
Response: The DSR DT thanks you for your comment. EOP-004-2 is the reporting vehicle for CIP-008. CIP-008-4, Requirement 1, Part 1.3 will be retired
upon approval of EOP-004-2.
We Energies
Attachment 2: What do the asterisks refer to? I didn’t see a comment or description related to them.
#7 & #10: What is “tripped”? Automatic or manual or both.
#13: This report has no Part 1.
Flowchart: By the flowchart, the only time an OE-417 is filed is when I do not need to contact Law Enforcement. The Reporting
Hierarchy flow chart should be modified. In the lower right corner it indicates that if sabotage is not confirmed,
the state law enforcement agency investigates. Law enforcement agencies will not investigate an incident
that is not a crime. Note too that state law enforcement agencies do not even investigate these kinds of
events unless and until requested by local law enforcement. The local law enforcement agency always has
initial jurisdiction until surrendered or seized by a superior agency’s authority. Evidence Retention is
incomplete. From the NERC Standards Process Manual: “Evidence Retention: Identification, for each
requirement in the standard, of the entity that is responsible for retaining evidence to demonstrate
compliance, and the duration for retention of that evidence.”
Response: The DSR DT thanks you for your comment. Attachment 1 and Attachment 2 have been updated per comments received. The Flowchart has
been updated per your comment.
Compliance & Responsibility
Organization
Nuclear power plants (a need for a revised approach)
With respect to sabotage, damage or destruction of BES
equipment, damage or destruction of a Critical Asset, damage or destruction of a Critical Cyber Asset, forced
intrusion, etc., nuclear plants already have a responsibility to report the events to the FBI and the Nuclear
Regulatory Commission (NRC). Performing another report to NERC, with potentially different requirements,
within 60 minutes of an event does not seem necessary or practical. It would also be difficult, during an
event, to report to external organizations, including but not limited to the Responsible Entities’ Reliability
Coordinator, NERC, Responsible Entities’ Regional Entity, Law Enforcement, and Governmental or
Provincial Agencies when operations personnel are pre-occupied with an abnormal or emergency situation.
Further, nuclear plants already have an obligation to report the loss of off site power to NRC. Similarly, now
that cyber assets will be regulated by the NRC, these reporting requirements should not be applicable to a
nuclear power plant. Thus, there is a need to exempt nuclear power plants from these requirements or
provide more flexibility to such plants, given its pre-existing NRC reporting requirements.
Attachment 1.
There is no explanation for why a report must be submitted within one hour of an event. As stated with respect to
nuclear, an entity should not be prioritizing between stabilizing the system and reporting. One approach that
would help balance conflicting priorities is to start the time frame after “all is clear.” Another approach could
involve the use of target times, with an allowance for exceptions during emergencies or situations in which it
is impracticable. Another alternative is to have two times: an earlier “target reporting time” and second later
“mandatory reporting time.” Further, the current wording suggests that a generator owner or generator
operator will be able to determine the impact or potential impact on the BES. This is not realistic, given that
impacts to the BES are generally only understood at a transmission operator or reliability coordinator level.
Thus, the concept of relying on generators to determine impacts on the BES needs to be eliminated. Also, as
written, for a generator, Attachment 1 appears to require a report when a lightning arrestor fails at a Critical
Asset. NextEra cannot see any justification for reporting such an event, and this is another reason why
Attachment 1 needs more review and revision prior to the next draft of EOP-004-2. This is one reason why
NextEra has suggested a materiality test for reporting in a definition of Attempted or Actual Sabotage.
Response: The DSR DT thanks you for your comment. Attachment 1 has been updated per comments received. Any NRC requirements or comments fall
outside the scope of this project.
Exelon
The DSR SDT makes reference to comments that were previously provided that suggested adopting the NRC
definition of "sabotage." Respectfully, this commenter believes the DSR SDT did not understand the intent of
the original comment. The comment made by Exelon in the October 15, 2009 submittal was to ensure that
the DSR SDT made an effort to include the Nuclear Regulatory Commission (NRC) as a key Stakeholder in
the Reporting Process and to consider utilizing existing reporting requirements currently required by the NRC
for each nuclear generator operator. Depending on the event, a nuclear generator operator (NRC licensee)
also has specific regulatory requirements to notify the NRC for certain notifications to other governmental
agencies in accordance with 10 CFR 50.72, "Immediate notification requirements for operating nuclear power
reactors," paragraph (b)(2)(xi). The one hour notification requirement for an intrusion event would also meet an
emergency event classification at a nuclear power plant. If an operations crew is responsible for the one hour
notification and if separate notifications must be completed within the Emergency Plan event response, then
an evaluation in accordance with 10 CFR 50.54, "Conditions of licensees," paragraph (q), would need to be
performed to ensure that this notification requirement would not impact the ability to implement the
Emergency Plan. At a minimum the DSR SDT should communicate this project to the NRC to ensure that
existing communication and reporting that a licensee is required to perform in response to a radiological
sabotage event (as defined by the NRC) or any incident that has impacted or has the potential to impact the
BES does not create either duplicate reporting, conflicting reporting thresholds or confusion on the part of the
nuclear generator operator. Note that existing reporting/communication requirements are already established
with the FBI, DHS, NORAD, FAA, State Police, LLEA and the NRC depending on the event. There are
existing nuclear plant specific memorandums of understanding between the NRC and the FBI and each
nuclear generating site licensee must have a NRC approved Security Plan that outlines applicable
notifications to the FBI. Depending on the severity of the security event, the nuclear licensee may initiate the
Emergency Plan. The proposed "Reporting Hierarchy for Impact Event EOP-004-2," needs to be
communicated and coordinated with the NRC to ensure that the flow chart does not conflict with existing
expected NRC requirements and protocol associated with site specific Emergency and Security Plans.
Propose allowing for verbal reporting via telephone, for 1 hr. reporting with a follow up using the forms. With
the revised standard EOP-004-2 it eliminates the #8; loss of electric service >= 50K, however, that
requirement is still required for the DOE-OE-417 form. The question is do we still have to send it to NERC /
Region if NERC/ Region does not specifically still have that as a requirement? Also, with that requirement, on
the current EOP-004-1 it says that schedule 1 has to be filled out within 1 hour? This does not coincide with
DOE-OE-417 form. The bottom line, it looks like there is inconsistency as to what is reportable per EOP-004-2
and DOE-OE-417 form, some of the items are redundant, some are not, but better guidance is needed as to
which form to use when. The SDT should have a Webinar with the industry to create an understanding as
to who is responsible to report what and at what time.
Response: The DSR DT thanks you for your comment. The NRC issues fall outside the scope of this project.
City of Tallahassee (TAL)
Attachment 2 (Impact Event Reporting Form) items 8, 9, 10, and 11 have an asterisk but no identification as
to what the asterisks refer to.
Response: The DSR DT thanks you for your comment.
The asterisk was addressed at the bottom of the second page of the form. Attachment 2 has been
updated to align with the types of events that are to be reported.
APX Power Markets
The reporting of Impact Events needs to be clearly spelled out and if moving some of that to State Agencies it
needs to be consistent in all States at the same time and which State it should be reported to. We have a 24-hour Desk in one state that handles facilities in many other States. If there is an Impact Event that needs to
be reported, where is that report sent to. The State the facility resides in or the State where our 24-hour Desk
resides in.
Response: The DSR DT thanks you for your comment. Attachment 1 has been updated per comments received and a new column has been added to reflect
who the impacted entity is required to report to.
Arkansas Electric Cooperative
Corporation
We appreciate the added context through the use of extended background information, rationale statements,
and corresponding guideline and hope this context will remain in line with the Standards through the ballot
and approval process. We have a few suggestions and questions related to this context. Our comments for
this question relate to the contextual information. First of all, in the diagram on page 8, we suggest the
appropriate question to ask is "Is event associated with potential criminal activity?" rather than "Report to Law
Enforcement?" Also, it would be helpful to make clear the communication flow associated with the State
Agency is the responsibility of the State Agency and not the Responsible Entity. This could be shown with a
different colored background that calls this process out separately. In the rationale box for R3, it states "The
DSR SDT intends…" We propose this should read similar to "The objective of this requirement is…" Overall,
we suggest the SDT review the guidance document to make sure any changes made to the requirements are
consistent with the guidance.
Response: The DSR DT thanks you for your comment. The flowchart has been updated per comments received. The Rationale box will be removed upon this
Standard being Filed for approval.
American Electric Power
We still do not agree that LSE, TSP and IA should be included in the applicability of this standard. Having
processes to report to local or federal law enforcement agencies is “legislating the obvious”. The focus on
this standard should only be on Impact Event reporting to reliability entities.
Response: The DSR DT thanks you for your comment. Attachment 1 has been reviewed and updated. The LSE, TSP, and IA are required under the CIP
Standards and Attachment 1 is based on reporting per the CIP requirements.
Consumers Energy
1. We appreciate the aggregation of redundant standards on this subject, but have some concerns about the
content of the aggregated standard as listed below and in reference to previous questions on this comment
form.
2. It is not clear whether an event that meets OE-417 reporting criteria but is not defined within EOP-004-2 is an Impact Event; for example, “loss of 50,000 or more customers for 1 hour or more” is required to
be reported to DOE as a OE-417 type 11 event but it is not clear whether EOP-004-2 requires that such
events be also reported to NERC. The “Reporting Hierarchy” flow chart seems to suggest that any OE-417
must still be filed with NERC/RE. If the flow chart is not consistent with the intent of the Requirements, it must
be clarified.
3. NERC implies active involvement of law enforcement. This assumes that law enforcement has
the resources to be involved in an Impact Event investigation and fulfill the standard reporting requirements.
This is an unrealistic expectation as we have experienced first-hand, a lack of response by law enforcement
agencies as their resources shrink due to economic issues. Additionally, NERC is asking that we place
credence in law enforcement, on our behalf, to make a definitive decision about the reporting of events. Refer
to page 6 of EOP-004-2 under “Law Enforcement Reporting”: “…Entities rely upon law enforcement
agencies to respond and investigate those Impact Events which have the potential of wider area affect…” In
many cases, the internal security function must work with system operations personnel to thoroughly
understand the system and the effects of certain events. It is unrealistic to think law enforcement would be in
a position to make BES decisions within the timeframe given without having system operations experience. It
is our experience that external agencies do not understand the integration / inter-connectivity, resiliency, or
implications of our energy infrastructure.
4. Within Michigan, a “Michigan Fusion Center: Michigan Intelligence
Operations Center (MIOC)” has been established. - Today, we share information such as substation issues
and identity theft (not internal issues) to the MIOC. The MIOC is trending incidents on critical infrastructure
assets and sectors around the state. The private sector is encouraged to report to the Fusion Center. If
NERC is collecting this type of information for future studies and trending / analysis, they should coordinate
with each state’s Fusion Center.
Response: The DSR DT thanks you for your comment. The DSR SDT has reviewed and updated the Requirements per the comments received. Attachment 1
has been updated and the team has an additional column to reflect where a report should be sent. EOP-004-2 does not define what “law enforcement” is and
that will be left up to each entity.
Ameren
The following is a list of our greatest concerns. (1) We are concerned about the lack of definitions and use of
critical non-capitalized terms. As an example, there is a reportable Impact Event if there is a +/- 10% Voltage
Deviation for 15 minutes or more on BES Facilities. As a first example, why is the term Voltage Deviation
capitalized when it is not in the NERC Glossary and not proposed to be added? Where is the deviation
measured - at any BES metering device? What is the deviation to be reported - the nominal voltage? the
high-side of the Voltage Schedule? the low-side of the Voltage Schedule? the generator terminals? when a
unit is starting up? All of these are possible interpretations, but < 1% of them would ever result in a
Cascading outage - which is the reliability objective of this Standard. A second example is a Generation loss.
The threshold for reporting is 2,000 MW, or more, for the Eastern or Western Interconnection. Is this
simultaneous loss of capacity over the entire Interconnection? Or, cumulative loss within 1 hour? Or,
cumulative loss within 24 hours? How many individual GOPs have responsibility for > 2,000 MW? It seems
this would more effectively apply only to an RC and/or BA. The likelihood that one GOP would lose that much
generation at once is probably remote. A third example would be the damage or destruction of BES
equipment event. The term "equipment" was left lower case with a footnote explanation that includes "…due
to intentional or unintentional human action…." This is likely to require the determination of intent by the
human involved, which will almost certainly be impossible to determine within the 1 hour reporting time. Also,
what is the definition of the terms "damage" and "destruction"? Once again, if the reliability intent is to ONLY
report Events that have a likely chance of leading to Cascading, this will greatly reduce the potentially
enormous reporting burden that could result without this type of clarification. (2) Without a very thorough
understanding of the definitions of the terms requiring reporting, the 1 hour reporting constraint on most
events will likely require that we frequently overreport events to minimize any chance of non-compliance. A
webinar explaining expected reporting requirements would be very useful and valuable. It is also unclear why so
many Impact Events require such a short reporting time period. There will almost certainly be many times at
2:00 AM on a weekend when experts and the appropriate personnel will be available to quickly analyze an
event and decide, within 1 hour, if a report is necessary. (3) Have all the new Impact Event reporting
requirements been checked against reporting requirements from other Standards? For example, the Voltage
Deviation Event would appear to potentially overlap/conflict with instructions from a TOP for VAR-002
compliance. Since VAR-002-2 is now in draft, has the SDT worked with that Team to determine if the
requirements dovetail?
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the Requirements within EOP-004-2 and both Attachments 1 and 2 per
comments received. Many of the reporting time frames have been extended to 24 hours per comments received. Voltage deviation is no longer capitalized. All
event types are not intended to be new defined terms for the NERC Glossary and have been revised to lower case words. The reporting of voltage deviations is no
longer applicable to the GOP which obviates the need to coordinate with the VAR-002 standard drafting team.
ISO New England, Inc
Under the “Law Enforcement Reporting” it is stated “The Standard is intended to reduce the risk of
Cascading involving Impact Events. The importance of BES awareness of the threat around them is essential
to the effective operation and planning to mitigate the potential risk to the BES.” We question whether a
reporting standard can “reduce the risk of cascading” and wonder if the reference to the threat “around
them” refers to law enforcement? We would expect that the appropriate operating personnel are the only
entities that would be able to mitigate the potential risk to the BES. As it currently stands there is a potential
duplication between the reporting requirements under EOP-004-2 (i.e. Attachment 2 Form) and the ERO
Event Analysis Process that is undergoing field test (i.e. Event Report Form). This will result in entities
(potentially multiple) reporting same event under two separate processes using two very similar forms. Is this
the intent or will information requirements be coordinated further prior to adoption in order to meet the
declared objective that the impact event reporting under EOP-004 be “the starting vehicle for any required
Event Analysis within the NERC Event Analysis Program”?
Response: The DSR DT thanks you for your comment. The Background section was provided to assist entities in understanding the DSR SDT’s process for
updating CIP-001 and EOP-004, only.
Calpine Corp
Focusing on reporting of actual disturbance events as listed in Attachment 1 based on potential or actual
impact to the Bulk Electric System will provide maximum benefit to system reliability without adding needless
levels of new documentation generated to demonstrate compliance. Absent significant evidence of systemic
problems in the industry with past reporting attributable to causes other than a lack of clear guidance on the
types of events that require reporting, the proposed Standard should focus on the single issue of correct
reporting, without attempting to micromanage how Entities internally manage such reporting.
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the requirements and Attachments 1 and 2 per comments received.
BGE
Please provide a Mapping Document which shows where the four CIP-001 requirements map to in the new
EOP-004-2, and note if any of the CIP-001 requirements have been eliminated. A Mapping Document was
provided during the first Comment Period, but not during the second Comment Period. A Mapping Document
will be very helpful to companies in aligning standard owners in reviewing this proposal and in transitioning
compliance programs when the revised standard is approved.
Response: The DSR DT thanks you for your comment. The DSR SDT has a current Mapping Document and it will be updated to reflect the changes that the
DSR SDT has made to EOP-004-2. This Mapping document will be posted with the standard when it is posted for comment and ballot.
CenterPoint Energy
CenterPoint Energy believes the flowchart found on page 8 identifying the reporting hierarchy for EOP-004 is
helpful. CenterPoint Energy believes the DOE reporting items should also be included on the right side of the
chart. Some of the issues with CIP-001 were a result of law enforcement’s preference and procedures for
notification. Law enforcement’s preferences and procedures should be considered for this draft. (Reference:
http://www.fbi.gov/contact-us/when)
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the flowchart and a current Mapping Document and it will be updated to
reflect the changes that the DSR SDT has made to EOP-004-2. The background section of the standard provides guidance with respect to
reporting events to law enforcement. For clarity, the DSR SDT has added the following sentence to the first paragraph under the heading
“Law Enforcement Reporting”: “These are the types of events that should be reported to law enforcement.” The entire paragraph is:
“The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages,
such as those due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to
law enforcement. Entities rely upon law enforcement agencies to respond to and investigate those events which have the potential to impact
a wider area of the BES. The inclusion of reporting to law enforcement enables and supports reliability principles such as protection of bulk
power systems from malicious physical or cyber attack. The Standard is intended to reduce the risk of Cascading events. The importance of
BES awareness of the threat around them is essential to the effective operation and planning to mitigate the potential risk to the BES.”
PPL Electric Utilities
We thank the SDT for addressing so many Industry concerns with the 2010 draft of EOP-004-2. We feel the
current draft version of EOP-004-2 is a significant improvement over current EOP-004-1 and CIP-001-1
standard and the previous draft. Thank you for your time.
Response: Thank you for your comment.
Occidental Power Marketing
Occidental Power Marketing appreciates the extensive work accomplished by the SDT and their
responsiveness to comments. Also, the presentation of this draft with its extensive explanation of the SDT's
considerations during development of the draft were very helpful in preparing our comments.
Response: Thank you for your comment.
Constellation Power Generation
CPG has the following comments regarding Attachment 2:
• Generally, this attachment is inadequate for all events. The real-life experience with the recent SW cold snap
demonstrated that the questions inadequately capture what may be of greatest concern in the situation.
• Question 4 – this question is vague. It should be removed.
• Question 7 – the role of generation in an event may not always be related to a trip. As
experienced with the recent SW cold snap, this question may inadequately capture information relevant to the
situation at hand. The drafting team should reassess how best to gather information relevant to the event and
useful for evaluation.
• Question 8 – generation is not required to monitor frequency during events, so this
would not be answered. This question also assumes that frequency had been impacted, which is not always
the case (i.e., the plant could not come online).
• The asterisk on some questions in Attachment 2 is not defined.
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the requirements and Attachments 1 and 2 per comments received.
Attachment 2 has been streamlined to match the types of events that are to be reported. The purpose of this standard is to have events reported. Once
reported, the events are included in the NERC Events Analysis Program for possible further investigation. The asterisk has been removed from Attachment 2.
Georgia System Operations
Corporation
Attachment 2: Impact Event Reporting Form
- Instructions for filling out this form are needed.
- Line 7, Generation tripped off-line: What is the asterisk for after this task and after the many others following? This
should only be reported by a BA. Does generation “tripped off-line” mean the same as generation “lost”?
- Line 9, List of transmission facilities (lines, transformers, buses, etc.) tripped and locked-out: Does this mean
the same as BES Transmission Elements lost?
- Line 10: The column headings in white text on lighter blue
background at the top do not seem to apply from this line on.
- Line 11, Restoration Time: Restoration of what? Initial/Final clock time? Transmission? What about transmission? Generation/Demand?
- Line 13, Identify the initial probable cause or known root cause of the actual or potential Impact Event if known at time of submittal
of Part I of this report: “At the time of submittal of Part I of this report”?? Where is Part II? Did you mean Part
A? Is Part B to be submitted at a different time?
Background
- Page 5, last sentence which is continued on page 6: This standard does not recognize the various “versions” of companies
in the industry. The standard is made applicable to a long list of registered entity types. In many cases, many of these
entities are wrapped into one company. A company may be responsible for “everything” in a geographic area. It may be almost
every registered entity type with no other registered entities within its geographic area. There should be no
conflicts or need for coordination with others for this company. Everything would be coordinated internally
within that one company before being reported to NERC and no one else would be reporting to
NERC. However, sometimes one company is only a LSE. When an LSE-only is having a LSE impact event,
the LSE should report to some higher operating entity like its BA and should not report to NERC. Reporting
should be done in a hierarchical manner within appropriate operating entities and then reported to NERC at
the RC (or BA) level or as agreed among entities in any coordinated impact event reporting plans. The RC,
BA, TOP, and LSE should not all be held accountable for reporting the same event. This standard does not
deal exclusively with after-the-fact reporting. Some events deal with the condition of the system (risk of
possible future events) or condition of an entity’s ability to operate (supplying fuel, covering load, etc.) or with
a threat to the BES.
- Page 6, Summary of Concepts: A single form may have been an objective but it is
obviously not a concept being implemented by the standard. There are two forms.
- Page 6, Law Enforcement Reporting: The object of the standard may be to prevent or reduce the risk of Cascading.
Reporting system situations to appropriate operating entities who can take some mitigating action (e.g., a LSE reporting to its
BA or a BA reporting to its RC) and reporting threats to law enforcement officials could prevent or reduce the
risk of Cascading but reporting to NERC is unlikely to do that. Reporting of most of the listed events to
NERC does not meet the objective of this standard and should be removed from this standard. Such events
should be reported to NERC through some other (than a Reliability Standard) requirement for reporting to
NERC so that NERC can accomplish its mission of analyzing events. Analyzing events may lead to an
understanding that could reduce the future risk of Cascading but not any impending risks.
- Page 6, Stakeholders: What is “Homeland Security – State”? We know what the Department of Homeland Security
and the State Department are but this term is not clear.
- Page 6, “State Regulators”, “Local Law Enforcement”, and “State Law Enforcement”: These are not proper nouns/names
and are not defined in the NERC Glossary. They should not be capitalized.
- Pages 7 & 8, Law enforcement: Is each entity required to
determine procedures for reporting to law enforcement and work it out with the state law enforcement
agency? Do the state law enforcement agencies know this? Or is there a pre-determined procedure that is
already worked out with the state law enforcement agency that entities are to follow?
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the requirements and Attachments 1 and 2 per comments received.
Attachment 2 has been streamlined to match the types of events that are to be reported. The purpose of this standard is to have events reported. Once
reported, the events are included in the NERC Events Analysis Program for possible further investigation. The background section of the standard
provides guidance with respect to reporting events to law enforcement. For clarity, the DSR SDT has added the following sentence to the
first paragraph under the heading “Law Enforcement Reporting”: “These are the types of events that should be reported to law
enforcement.” The entire paragraph is:
“The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by effectively reporting events. Certain outages,
such as those due to vandalism and terrorism, may not be reasonably preventable. These are the types of events that should be reported to
law enforcement. Entities rely upon law enforcement agencies to respond to and investigate those events which have the potential to impact
a wider area of the BES. The inclusion of reporting to law enforcement enables and supports reliability principles such as protection of bulk
power systems from malicious physical or cyber attack. The Standard is intended to reduce the risk of Cascading events. The importance of
BES awareness of the threat around them is essential to the effective operation and planning to mitigate the potential risk to the BES.”
City of Tacoma, Department of
Public Utilities, Light Division, dba
Tacoma Power
We like the option to use the OE_417 as the reporting form for these events.
Response: The DSR DT thanks you for your comment. EOP-004-2 allows entities to utilize the DOE Form OE-417 to report events.
Indeck Energy Services
This revision seriously missed the mark.
Response: The DSR DT thanks you for your comment. The DSR SDT has updated the requirements and Attachments 1 and 2 per comments received.
Progress Energy
Progress thanks the Standard Drafting Team for their efforts on this project. The BES definition is still being
revised under “Project 2010-17: Proposed Definition of Bulk Electric System.” “BES equipment” is
mentioned several times in this Standard. A better definition of BES is important to the effectiveness of this
Standard and integral to entities’ ability to comply with the Standard requirements. In Attachment 2, on the
Impact Event Reporting form, item 10 is “Demand Tripped” and the categories include “FIRM” and
“INTERRUPTIBLE.” It is unclear why interruptible load is included on the reporting form.
Response: The DSR DT thanks you for your comment. The definition of BES will apply to this standard after it is approved by stakeholders, the NERC BOT and
FERC. The DSR SDT has updated the requirements, Attachments 1 and 2 per comments received. Attachment 2 has been streamlined to match the types of
events that are to be reported. The purpose of this standard is to have events reported. Once reported, the events are included in the NERC Events Analysis
Program for possible further investigation. Firm and Interruptible load have been removed from the list of reportable events in Attachment 1.
EOP-004-2 — Event Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April, 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
5. Initial Informal Comment Period (September 15 – October 15, 2010)
6. Second Comment Period (Formal) (March 9 – April 8, 2011)
Proposed Action Plan and Description of Current Draft
This is the third posting of the proposed standard in accordance with Results-Based Criteria. The
drafting team requests posting for a 45-day formal comment period concurrent with the
formation of the ballot pool and the initial ballot.
Future Development Plan
| Anticipated Actions | Anticipated Date |
|---|---|
| Drafting team considers comments, makes conforming changes on second posting | April - October 2011 |
| Third Comment/Ballot period | November-December 2011 |
| Recirculation Ballot period | December 2011 |
| Receive BOT approval | February 2012 |
Draft 3: October 25, 2011
Effective Dates
EOP-004-2 shall become effective on the first day of the third calendar quarter after applicable
regulatory approval. In those jurisdictions where no regulatory approval is required, this
standard shall become effective on the first day of the third calendar quarter after Board of
Trustees approval.
Version History
Version
2
Date
Draft 3: October 25, 2011
Action
Merged CIP-001-2a Sabotage Reporting
and EOP-004-1 Disturbance Reporting
into EOP-004-2 Impact Event
Reporting; Retire CIP-001-2a Sabotage
Reporting and Retired EOP-004-1
Disturbance Reporting. Retire CIP-008-4, Requirement 1, Part 1.3.
Change Tracking
Revision to entire standard (Project 2009-01)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
None
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
A. Introduction
1. Title: Event Reporting
2. Number: EOP-004-2
3. Purpose: To improve industry awareness and the reliability of the Bulk Electric
System by requiring the reporting of events with the potential to impact
reliability and their causes, if known, by the Responsible Entities.
4. Applicability
4.1. Functional Entities: Within the context of EOP-004-2, the term “Responsible
Entity” shall mean:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Interchange Coordinator
4.1.4. Transmission Service Provider
4.1.5. Transmission Owner
4.1.6. Transmission Operator
4.1.7. Generator Owner
4.1.8. Generator Operator
4.1.9. Distribution Provider
4.1.10. Load Serving Entity
4.1.11. Electric Reliability Organization
4.1.12. Regional Entity
5. Background:
NERC established a SAR Team in 2009 to investigate and propose revisions to the CIP-001 and
EOP-004 Reliability Standards. The team was asked to consider the following:
1. CIP-001 could be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 had some ‘fill-in-the-blank’ components to eliminate.
The development included other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards.
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC SC in August of 2009. The Disturbance and Sabotage Reporting
Standard Drafting Team (DSR SDT) was formed in late 2009.
The DSR SDT developed a concept paper to solicit stakeholder input regarding the proposed
reporting concepts that the DSR SDT had developed. The posting of the concept paper sought
comments from stakeholders on the “road map” that will be used by the DSR SDT in updating or
revising CIP-001 and EOP-004. The concept paper provided stakeholders the background
information and thought process of the DSR SDT. The DSR SDT has reviewed the existing
standards, the SAR, issues from the NERC issues database and FERC Order 693 Directives in
order to determine a prudent course of action with respect to revision of these standards.
Summary of Key Concepts
The DSR SDT identified the following principles to assist them in developing the standard:
• Develop a single form to report disturbances and events that threaten the reliability of the
bulk electric system
• Investigate other opportunities for efficiency, such as development of an electronic form
and possible inclusion of regional reporting requirements
• Establish clear criteria for reporting
• Establish consistent reporting timelines
• Provide clarity around who will receive the information and how it will be used
During the development of concepts, the DSR SDT considered the FERC directive to “further
define sabotage”. There was concern among stakeholders that a definition may be ambiguous
and subject to interpretation. Consequently, the DSR SDT decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act or
event was sabotage or vandalism without the intervention of law enforcement. The DSR SDT
felt that attempting to define sabotage would result in further ambiguity with respect to reporting
events. The term “sabotage” is no longer included in the standard. The events listed in
Attachment 1 were developed to provide guidance for reporting both actual events as well as
events which may have an impact on the Bulk Electric System. The DSR SDT believes that this
is an equally effective and efficient means of addressing the FERC Directive.
The types of events that are required to be reported are contained within Attachment 1. The DSR
SDT has coordinated with the NERC Events Analysis Working Group to develop the list of
events that are to be reported under this standard. Attachment 1, Part A pertains to those actions
or events that have impacted the Bulk Electric System. These events were previously reported
under EOP-004-1, CIP-001-1 or the Department of Energy form OE-417. Attachment 1, Part B
covers similar items that may have had an impact on the Bulk Electric System or have the
potential to have an impact and should be reported.
The DSR SDT wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in Attachment 1. Real-time reporting is achieved
through the RCIS and is covered in other standards (e.g. the TOP family of standards). The
proposed standard deals exclusively with after-the-fact reporting.
Data Gathering
The requirements of EOP-004-1 require that entities “promptly analyze Bulk Electric System
disturbances on its system or facilities” (Requirement R2). The requirements of EOP-004-2
specify that certain types of events are to be reported but do not include provisions to analyze
events. Events reported under EOP-004-2 may trigger further scrutiny by the ERO Events
Analysis Program. If warranted, the Events Analysis Program personnel may request that more
data for certain events be provided by the reporting entity or other entities that may have
experienced the event. Entities are encouraged to become familiar with the Events Analysis
Program and the NERC Rules of Procedure to learn more about the expectations of the
program.
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by
effectively reporting events. Certain outages, such as those due to vandalism and terrorism, may
not be reasonably preventable. These are the types of events that should be reported to law
enforcement. Entities rely upon law enforcement agencies to respond to and investigate those
events which have the potential to impact a wider area of the BES. The inclusion of reporting to
law enforcement enables and supports reliability principles such as protection of bulk power
systems from malicious physical or cyber attack. The Standard is intended to reduce the risk of
Cascading events. The importance of BES awareness of the threat around them is essential to the
effective operation and planning to mitigate the potential risk to the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO), Regional Entity
• FERC
• DOE
• NRC
• DHS – Federal
• Homeland Security – State
• State Regulators
• Local Law Enforcement
• State or Provincial Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP)
The above stakeholders have an interest in the timely notification, communication and response
to an incident at an industry facility. The stakeholders have various levels of accountability and
have a vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001-1a:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The CIP-001-1a standard requires a liaison relationship on behalf of the
industry and the FBI or RCMP. Annual requirements, under the standard, of the industry have
not been clear and have led to misunderstandings and confusion in the industry as to how to
demonstrate that the liaison is in place and effective. As an example of proof of compliance with
Requirement R4, responsible entities have asked FBI Office personnel to provide, on FBI
letterhead, confirmation of the existence of a working relationship to report acts of sabotage, the
number of years the liaison relationship has been in existence, and the validity of the telephone
numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, committed
investigators, analysts, linguists, SWAT experts, and other specialists from dozens of U.S. law
enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the Justice
Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communications occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flows freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to an industry incident has come from local and state law enforcement agencies
responding to suspected vandalism and criminal damages at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The Provincial
law enforcement agency has a reporting relationship with the Royal Canadian Mounted Police
(RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator and the
SDT Chair is reflected in the flowchart below (Reporting Hierarchy for Reportable Events).
Essentially, reporting an event to law enforcement agencies will only require the industry to
notify the state or provincial or local level law enforcement agency. The state or provincial or
local level law enforcement agency will coordinate with law enforcement with jurisdiction to
investigate. If the state or provincial or local level law enforcement agency decides federal
agency law enforcement or the RCMP should respond and investigate, the state or provincial or
local level law enforcement agency will notify and coordinate with the FBI or the RCMP.
Draft 3: October 25, 2011
EOP-004-2 — Event Reporting
Reporting Hierarchy for Reportable Events
[Flowchart not reproduced. Recoverable box labels: Entity experiencing an event in Attachment 1; Report to Law Enforcement? (YES / NO); Refer to Ops Plan for Reporting procedures; Procedure to Report to Law Enforcement; Procedure to Report to ERO; Report Event to ERO, Regional Entity; Notification Protocol to State Agency Law Enforcement; State Agency Law Enforcement coordinates as appropriate with FBI; Criminal act invoking federal jurisdiction?* (YES / NO); State Agency Law Enforcement Investigates; State Agency Law Enforcement notifies FBI; FBI Responds and makes notification to DHS; ERO and Regional Entities conduct investigation; ERO Events Analysis; ERO Reports Applicable Events to FERC Per Rules of Procedure.]
*Canadian entities will follow law enforcement protocols applicable in their jurisdictions
B. Requirements and Measures
R1. Each Responsible Entity shall have an Operating Plan that includes: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for identifying events listed in Attachment 1.
1.2. A process for gathering information for Attachment 2 regarding events listed in Attachment 1.
1.3. A process for communicating events listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator and the following as appropriate:
• Internal company personnel
• The Responsible Entity’s Regional Entity
• Law enforcement
• Governmental or provincial agencies
1.4. Provision(s) for updating the Operating Plan within 90 calendar days of any change in assets, personnel, other circumstances that may no longer align with the Operating Plan; or incorporating lessons learned pursuant to Requirement R3.
1.5. A Process for ensuring the responsible entity reviews the Operating Plan at least annually (once each calendar year) with no more than 15 months between reviews.
Rationale for R1
Every industry participant that owns
or operates elements or devices on
the grid has a formal or informal
process, procedure, or steps it takes
to gather information regarding what
happened when events occur. This
requirement has the Responsible
Entity establish documentation on
how that procedure, process, or plan
is organized. This documentation
may be a single document or a
combination of various documents
that achieve the reliability objective.
For the Operating Plan, Part 1.2
includes information gathering to be
able to complete the report for
reportable events. The main issue is
to make sure an entity can a) identify
when an event has occurred and b) be
able to gather enough information to
complete the report.
Part 1.3 could include a process
flowchart, identification of internal
and external personnel or entities to
be notified, or a list of personnel by
name and their associated telephone
numbers.
M1. Each Responsible Entity will provide the current, dated, in force Operating Plan
which includes Parts 1.1 - 1.5 as requested.
R2. Each Responsible Entity shall implement the parts of its Operating Plan that meet
Requirement R1, Parts 1.1 and 1.2 for an actual event and Parts 1.4 and 1.5 as specified.
[Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].
M2. Responsible Entities shall provide
evidence that it implemented the parts of
its Operating Plan to meet Requirement
R1, Parts 1.1 and 1.2 for an actual event
and Parts 1.4 and 1.5 as specified.
Evidence may include, but is not limited
to, an event report form (Attachment 2) or
the OE-417 report submitted, operator
logs, voice recordings, or dated
documentation of review and update of
the Operating Plan. (R2)
R3. Each Responsible Entity shall report
events in accordance with its Operating
Plan developed to address the events listed
in Attachment 1. [Violation Risk Factor:
Medium] [Time Horizon: Operations
Assessment].
Rationale for R2
Each Responsible Entity must implement
the various parts of Requirement R1.
Parts 1.1 and 1.2 call for identifying and
gathering information for actual events.
Parts 1.4 and 1.5 require updating and
reviewing the Operating Plan.
Rationale for R3
Each Responsible Entity must report
events via its Operating Plan based on
Attachment 1. For each event listed in
Attachment 1, there are entities listed
that are to be notified as well as the time
required to perform the reporting.
M3. Responsible Entities shall provide a record
of the type of event experienced; a dated
copy of the Attachment 2 form or OE-417 report; and dated and time-stamped transmittal
records to show that the event was reported. (R3)
R4. Each Responsible Entity shall
verify (through actual
implementation for an event, or
through a drill or exercise) the
communication process in its
Operating Plan, created pursuant
to Requirement 1, Part 1.3, at least
annually (once per calendar year),
with no more than 15 calendar
months between verification or
actual implementation.
[Violation Risk Factor: Medium]
[Time Horizon: Operations
Planning]
Rationale for R4
Each Responsible Entity must verify that its Operating
Plan for communicating events is correct so that the
entity can respond appropriately in the case of an actual
event. The Responsible Entity may conduct a drill or
exercise to test its Operating Plan for communicating
events as often as it desires but the time period between
tests can be no longer than 15 calendar months from the
previous drill/exercise or actual event (i.e., if you
conducted an exercise/drill/actual employment of the
Operating Plan in January of one year, there would be
another exercise/drill/actual employment by March 31 of
the next calendar year). Multiple exercises in a 15 month
period are not a violation of the requirement and would
be encouraged to improve reliability.
Evidence showing that an entity used the communication
process in its Operating Plan for an actual event qualifies
as evidence to meet this requirement.
M4. The Responsible Entity shall provide evidence that it verified the communication process in
its Operating Plan for events created pursuant to Requirement R1, Part 1.3. Either
implementation of the communication process as documented in its Operating Plan for an
actual event or documented evidence of a drill or exercise may be used as evidence to meet
this requirement. The time period between an actual event or verification shall be no more
than 15 months. Evidence may include, but is not limited to, operator logs, voice
recordings, or dated documentation of a verification. (R3)
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
Regional Entity; or
If the Responsible Entity works for the Regional Entity, then the Regional Entity
will establish an agreement with the ERO or another entity approved by the ERO
and FERC (i.e. another Regional Entity) to be responsible for compliance
enforcement; or
Third-party monitor without vested interest in the outcome for the ERO.
1.2 Evidence Retention
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time since
the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period since
the last audit.
Each Responsible Entity shall retain the current, in force document plus the ‘dated
revision history’ from each version issued since the last audit for 3 calendar years
for Requirement R1 and Measure M1.
Each Responsible Entity shall retain evidence from prior 3 calendar years for
Requirements R2, R3, R4, and Measures M2, M3, M4.
Each Responsible Entity shall retain data or evidence for three calendar years or
for the duration of any regional or Compliance Enforcement Authority
investigation; whichever is longer.
If a Registered Entity is found non-compliant, it shall keep information related to
the non-compliance until found compliant or for the duration specified above,
whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
requested and submitted subsequent audit records.
1.3 Compliance Monitoring and Enforcement Processes:
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4 Additional Compliance Information
None
Table of Compliance Elements
(Columns: R#; Time Horizon; VRF; Violation Severity Levels: Lower VSL, Moderate VSL, High VSL, Severe VSL)

R1 | Time Horizon: Long-term Planning | VRF: Lower
Lower VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity has an Operating Plan but failed to include one of Parts 1.1 through 1.5.
Moderate VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity has an Operating Plan but failed to include two of Parts 1.1 through 1.5.
High VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity has an Operating Plan but failed to include three of Parts 1.1 through 1.5.
Severe VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to include four or more of Parts 1.1 through 1.5.

R2 | Time Horizon: Real-time Operations and Same-day Operations | VRF: Medium
Lower VSL:
1.1: N/A
1.2: N/A
1.4: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to update the Operating Plan more than 90 days of a change, but not more than 100 days after a change.
1.5: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity reviewed the Operating Plan, more than 15 calendar months after its previous review, but not more than 18 calendar months after its previous review.
Moderate VSL:
1.1: N/A
1.2: N/A
1.4: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to update the Operating Plan more than 100 days of a change, but not more than 110 days after a change.
1.5: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity reviewed the Operating Plan, more than 18 calendar months after its previous review, but not more than 21 calendar months after its previous review.
High VSL:
1.1: N/A
1.2: N/A
1.4: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to update the Operating Plan more than 110 days of a change, but not more than 120 days after a change.
1.5: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity reviewed the Operating Plan, more than 21 calendar months after its previous review, but not more than 24 calendar months after its previous review.
Severe VSL:
1.1: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to implement the process for identifying events.
1.2: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to implement the process for gathering information for Attachment 2.
1.4: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to update the Operating Plan more than 120 days of a change.
1.5: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity reviewed the Operating Plan, more than 24 calendar months after its previous review.

R3 | Time Horizon: Real-time Operations and Same-day Operations | VRF: Medium
Lower VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity submitted a report more than 24 hours but less than or equal to 36 hours after an event requiring reporting within 24 hours in Attachment 1.
Moderate VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity submitted a report more than 36 hours but less than or equal to 48 hours after an event requiring reporting within 24 hours in Attachment 1.
OR
The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity submitted a report more than 1 hour but less than 2 hours after an event requiring reporting within 1 hour in Attachment 1.
High VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity submitted a report more than 48 hours but less than or equal to 60 hours after an event requiring reporting within 24 hours in Attachment 1.
OR
The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity submitted a report in more than 2 hours but less than 3 hours after an event requiring reporting within 1 hour in Attachment 1.
Severe VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity submitted a report more than 60 hours after an event requiring reporting within 24 hours in Attachment 1.
OR
The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity submitted a report more than 3 hours after an event requiring reporting within 1 hour in Attachment 1.
OR
The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to submit a report for an event in Attachment 1.

R4 | Time Horizon: Operations Planning | VRF: Medium
Lower VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity verified the communication process in its Operating Plan, more than 15 calendar months after its previous test, but not more than 18 calendar months after its previous test.
Moderate VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity verified the communication process in its Operating Plan, more than 18 calendar months after its previous test, but not more than 21 months after its previous test.
High VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity verified the communication process in its Operating Plan, more than 21 calendar months after its previous test, but not more than 24 months after its previous test.
OR
The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to verify the communication process in its Operating Plan within the calendar year.
Severe VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity verified the communication process in its Operating Plan, more than 24 calendar months after its previous test.
OR
The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to verify the communication process in its Operating Plan.

D. Variances
None.
E. Interpretations
None.
F. Interpretations
Guideline and Technical Basis (attached).
EOP-004 - Attachment 1: Events Table
NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may not be possible to report the damage caused by
an event and issue a written Event Report within the timing in the table below. In such cases, the affected Responsible Entity shall
notify parties per R1 and provide as much information as is available at the time of the notification. The affected Responsible Entity
shall provide periodic verbal updates until adequate information is available to issue a written Event report. Reports to the ERO should
be submitted to one of the following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.
Attachment 1 - Reportable Events
(Columns: Event; Entity with Reporting Responsibility; Threshold for Reporting; Submit Attachment 2 or DOE OE-417 Report to)

Event: Destruction of BES equipment [1]
Entity with Reporting Responsibility: Each RC, BA, TO, TOP, GO, GOP, DP that experiences the destruction of BES equipment
Threshold for Reporting: Initial indication the event was due to operational error, equipment failure, external cause, or intentional or unintentional human action.
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 1 hour of recognition of event.

Event: Damage or destruction of Critical Asset per CIP-002
Entity with Reporting Responsibility: Applicable Entities under CIP-002
Threshold for Reporting: Initial indication the event was due to operational error, equipment failure, external cause, or intentional or unintentional human action.
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 1 hour of recognition of event.

Event: Damage or destruction of a Critical Cyber Asset per CIP-002
Entity with Reporting Responsibility: Applicable Entities under CIP-002.
Threshold for Reporting: Through intentional or unintentional human action.
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 1 hour of recognition of event.

Event: Forced intrusion [2]
Entity with Reporting Responsibility: Each RC, BA, TO, TOP, GO, GOP that experiences the forced intrusion
Threshold for Reporting: At a BES facility
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 1 hour of recognition of event.

Event: Risk to BES equipment [3]
Entity with Reporting Responsibility: Each RC, BA, TO, TOP, GO, GOP, DP that experiences the risk to BES equipment
Threshold for Reporting: From a non-environmental physical threat
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 1 hour of recognition of event.

Event: Detection of a reportable Cyber Security Incident.
Entity with Reporting Responsibility: Each RC, BA, TO, TOP, GO, GOP, DP, ERO or RE that experiences the Cyber Security Incident
Threshold for Reporting: That meets the criteria in CIP-008
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 1 hour of recognition of event.

Event: BES Emergency requiring public appeal for load reduction
Entity with Reporting Responsibility: Deficient entity is responsible for reporting
Threshold for Reporting: Each public appeal for load reduction
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours of recognition of the event.

Event: BES Emergency requiring system-wide voltage reduction
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: System wide voltage reduction of 3% or more
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours of recognition of the event.

Event: BES Emergency requiring manual firm load shedding
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: Manual firm load shedding ≥ 100 MW
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours of recognition of the event.

Event: BES Emergency resulting in automatic firm load shedding
Entity with Reporting Responsibility: Each DP or TOP that experiences the automatic load shedding
Threshold for Reporting: Firm load shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding schemes, or SPS/RAS)
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours of recognition of the event.

Event: Voltage deviations on BES Facilities
Entity with Reporting Responsibility: Each TOP that experiences the voltage deviation
Threshold for Reporting: ± 10% sustained for ≥ 15 continuous minutes
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours after 15 minutes of exceeding the threshold.

Event: IROL Violation (all Interconnections) or SOL Violation (WECC only)
Entity with Reporting Responsibility: Each RC that experiences the IROL Violation (all Interconnections) or SOL violation (WECC only)
Threshold for Reporting: Operate outside the IROL for time greater than IROL Tv (all Interconnections) or Operate outside the SOL for a time greater than the SOL Tv (WECC only).
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours after exceeding the Tv threshold.

Event: Loss of Firm load for ≥ 15 Minutes
Entity with Reporting Responsibility: Each BA, TOP, DP that experiences the loss of firm load
Threshold for Reporting:
• ≥ 300 MW for entities with previous year’s demand ≥ 3000 MW
• ≥ 200 MW for all other entities
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 24 hours after exceeding the 15 minute threshold

Event: System Separation (Islanding)
Entity with Reporting Responsibility: Each RC, BA, TOP, DP that experiences the system separation
Threshold for Reporting: Each separation resulting in an island of generation and load ≥ 100 MW
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours after occurrence is identified

Event: Generation loss
Entity with Reporting Responsibility: Each BA, GOP that experiences the generation loss
Threshold for Reporting:
• ≥ 2,000 MW for entities in the Eastern or Western Interconnection
• ≥ 1000 MW for entities in the ERCOT or Quebec Interconnection
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours after occurrence.

Event: Loss of Off-site power to a nuclear generating plant (grid supply)
Entity with Reporting Responsibility: Each TO, TOP that experiences the loss of off-site power to a nuclear generating plant
Threshold for Reporting: Affecting a nuclear generating station per the Nuclear Plant Interface Requirement
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours after occurrence

Event: Transmission loss
Entity with Reporting Responsibility: Each TOP that experiences the transmission loss
Threshold for Reporting: Unintentional loss of Three or more Transmission Facilities (excluding successful automatic reclosing)
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours after occurrence

Event: Unplanned Control Center evacuation
Entity with Reporting Responsibility: Each RC, BA, TOP that experiences the potential event
Threshold for Reporting: Unplanned evacuation from BES control center facility
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours of recognition of event.

Event: Loss of monitoring or all voice communication capability
Entity with Reporting Responsibility: Each RC, BA, TOP that experiences the loss of monitoring or all voice communication capability
Threshold for Reporting: Voice Communications: Affecting a BES control center for ≥ 30 continuous minutes. Monitoring: Affecting a BES control center for ≥ 30 continuous minutes such that analysis tools (State Estimator, Contingency Analysis) are rendered inoperable.
Submit Attachment 2 or DOE OE-417 Report to: The parties identified pursuant to R1.3 within 24 hours of recognition of event.

[1] BES equipment that: i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency actions); iii) Damaged or destroyed due to intentional or unintentional human action which removes the BES equipment from service. Do not report copper theft from BES equipment unless it degrades the ability of equipment to operate correctly (e.g., removal of grounding straps rendering protective relaying inoperative).
[2] Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless it affects the reliability of the BES).
[3] Examples include a train derailment adjacent to BES equipment that either could have damaged the equipment directly or has the potential to damage the equipment (e.g. flammable or toxic cargo that could pose fire hazard or could cause evacuation of a BES facility control center) and report of suspicious device near BES equipment.
EOP-004 - Attachment 2: Event Reporting Form
This form is to be used to report events to parties listed in Attachment 1, column labeled “Submit Attachment 2 or
DOE OE-417 Report to:”. These parties will accept the DOE OE-417 form in lieu of this form if the entity is required
to submit an OE-417 report. Reports should be submitted via one of the following: e-mail: esisac@nerc.com,
Facsimile: 609-452-9550, voice: 609-452-1422.
(Columns: Task; Comments)

1. Entity filing the report include:
Company name:
Name of contact person:
Email address of contact person:
Telephone Number:
Submitted by (name):

2. Date and Time of recognized event.
Date: (mm/dd/yyyy)
Time: (hh:mm)
Time/Zone:

3. Did the actual or potential event originate in your system?
Actual event / Potential event
Yes / No / Unknown

4. Event Identification and Description:
(Check applicable box)
• public appeal
• voltage reduction
• manual firm load shedding
• firm load shedding (undervoltage, underfrequency, SPS/RAS)
• voltage deviation
• IROL violation
• loss of firm load
• system separation (islanding)
• generation loss
• loss of off-site power to nuclear generating plant
• transmission loss
• damage or destruction of BES equipment
• damage or destruction of Critical Asset
• damage or destruction of Critical Cyber Asset
• unplanned control center evacuation
• fuel supply emergency
• loss of all monitoring or voice communication capability
• forced intrusion
• Risk to BES equipment
• reportable Cyber Security Incident
• other
Written description (optional unless Other is checked):
Guideline and Technical Basis
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and has
developed updated standards based on the SAR.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The changes do not include any real-time operating notifications for the types of events covered
by CIP-001 and EOP-004. The real-time reporting requirements are achieved through the RCIS
and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies). This
standard deals exclusively with after-the-fact reporting.
The DSR SDT has consolidated disturbance and sabotage event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard:
• Requires reporting of “events” that impact or may impact the reliability of the bulk
electric system
• Provides clear criteria for reporting
• Includes consistent reporting timelines
• Identifies appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provides clarity around who will receive the information
Discussion of Disturbance Reporting
Disturbance reporting requirements existed in the previous version of EOP-004. The current
approved definition of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria were in the previous EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of events that are to be reported under this standard (attachment 1).
Discussion of Event Reporting
There are situations worthy of reporting because they have the potential to impact reliability.
Event reporting facilitates industry awareness, which allows potentially impacted parties to
prepare for and possibly mitigate any associated reliability risk. It also provides the raw material,
in the case of certain potential reliability threats, to see emerging patterns.
Examples of such events include:
• Bolts removed from transmission line structures
• Detection of cyber intrusion that meets criteria of CIP-008 or its successor standard
• Forced intrusion attempt at a substation
• Train derailment near a transmission right-of-way
• Destruction of Bulk Electrical System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electrical System using the event
categorization in this standard, it will be easier to get the relevant information for mitigation,
awareness, and tracking, while removing the distracting element of motivation.
Certain types of events should be reported to NERC, the Department of Homeland Security
(DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law enforcement.
Other types of impact events may have different reporting requirements. For example, an event
that is related to copper theft may only need to be reported to the local law enforcement
authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. The standard requires Functional entities to report the
incidents and provide known information at the time of the report. Further data gathering
necessary for event analysis is provided for under the Events Analysis Program and the NERC
Rules of Procedure. Other entities (e.g., NERC, Law Enforcement, etc.) will be responsible for
performing the analyses. The NERC Rules of Procedure (section 800) provide an overview of
the responsibilities of the ERO with regard to analysis and dissemination of information for
reliability. Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial
Regulators, and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT has updated the listing of reportable events in Attachment 1
based on discussions with jurisdictional agencies, NERC, Regional Entities and stakeholder
input. There is a possibility that regional differences still exist.
The reporting required by this standard is intended to meet the uses and purposes of NERC. The
DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information should not be
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be included or attached to the NERC
report, in lieu of entering that information on the NERC report.
EOP-004-2 — Impact Event Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April, 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
5. Initial Informal Comment Period (September 15 – October 15, 2010)
6. Second Comment Period (Formal) (March 9 – April 8, 2011)
Proposed Action Plan and Description of Current Draft
This is the firstthird posting of the proposed standard in accordance with Results-Based Criteria.
The drafting team requests posting for a 3045-day formal comment period concurrent with the
formation of the ballot pool and the initial ballot.
Future Development Plan
Anticipated Actions
Drafting team considers comments, makes conforming changes, and
proceed to on second commentposting
Second Comment Period
Third Comment/Ballot period
Recirculation Ballot period
Receive BOT approval
Draft 2: March 73: October 25, 2011
Anticipated Date
April - October
2010 – February
2011
March – May 2011
JuneJulyNovemberDecember 2011
JulyAugustDecember
2011
September
2011February 2012
Effective Dates
1. The standardEOP-004-2 shall become effective on the first calendar day of the third
calendar quarter after the date of the order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is required, thethis standard shall
become effective on the first calendar day of the third calendar quarter after Board of Trustees
adoptionapproval.
Version History
Version: 2
Date:
Action: Merged CIP-001-12a Sabotage Reporting and EOP-004-1 Disturbance Reporting into
EOP-004-2 Impact Event Reporting; Retire CIP-001-1a2a Sabotage Reporting and Retired
EOP-004-1 Disturbance Reporting. Retire CIP-008-4, Requirement 1, Part 1.3.
Change Tracking: Revision to entire standard (Project 2009-01)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
Impact Event: Any event which has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure or
mis-operation, environmental conditions, or human action.
None
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
A. Introduction
1. Title: Impact Event Reporting
2. Number: EOP-004-2
3. Purpose: To improve industry awareness and the reliability of the Bulk Electric
System by requiring the reporting of Impact Eventsevents with the
potential to impact reliability and their causes, if known, by the
Responsible Entities.
4. Applicability
4.1. Functional Entities: Within the context of EOP-004-2, the term “Responsible
Entity” shall mean:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Interchange AuthorityCoordinator
4.1.4. Transmission Service Provider
4.1.5. Transmission Owner
4.1.6. Transmission Operator
4.1.7. Generator Owner
4.1.8. Generator Operator
4.1.9. Distribution Provider
4.1.10. Load Serving Entity
4.1.11. Electric Reliability Organization
4.1.12. Regional Entity
5. Background:
NERC established a SAR Team in 2009 to investigate and propose revisions to the CIP-001 and
EOP-004 Reliability Standards. The team was asked to consider the following:
1. CIP-001 maycould be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 hashad some ‘fill-in-the-blank’ components to eliminate.
The development may includeincluded other improvements to the standards deemed appropriate
by the drafting team, with the consensus of stakeholders, consistent with establishing high
quality, enforceable and technically sufficient bulk power system reliability standards (see tables
for each standard at the end of this SAR for more detailed information)..
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC SC in August of 2009. The Disturbance and Sabotage Reporting
Standard Drafting Team (DSR SDT) was formed in late 2009. A “concepts paper” was designed
to solicit stakeholder input regarding the proposed reporting concepts that the DSR SDT has
developed.
The
The DSR SDT developed a concept paper to solicit stakeholder input regarding the proposed
reporting concepts that the DSR SDT had developed. The posting of the concept paper sought
comments from stakeholders on the “road map” that will be used by the DSR SDT in
updating or revising CIP-001 and EOP-004. The concept paper provided stakeholders the
background information and thought process of the DSR SDT.
The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC issues
database and FERC Order 693 Directives in order to determine a prudent course of action with
respect to revision of these standards.
The DSR SDT has used a working definition for “Impact Events” to develop Attachment 1 as
follows:
“An Impact Event is any event that has either impacted or has the potential to impact the
reliability of the Bulk Electric System. Such events may be caused by equipment failure
or mis-operation, environmental conditions, or human action.”
The DSR SDT has proposed this definition for
Summary of Key Concepts
The DSR SDT identified the following principles to assist them in developing the standard:
• Develop a single form to report disturbances and events that threaten the reliability of the
bulk electric system
• Investigate other opportunities for efficiency, such as development of an electronic form
and possible inclusion in the NERC Glossary for “Impact Event”. The types of Impact
Events that are required to be reported are contained within Attachment 1. Only these
events are required to be reported under this Standard. The DSR SDT of regional
reporting requirements
• Establish clear criteria for reporting
• Establish consistent reporting timelines
• Provide clarity around who will receive the information and how it will be used
During the development of concepts, the DSR SDT considered the FERC directive to “further
define sabotage” and ”. There was concern among stakeholders that a definition may be
ambiguous and subject to interpretation. Consequently, the DSR SDT decided to eliminate the
term sabotage from the standard. The team felt that it was almost impossible to determine if an
act or event was that of sabotage or merely vandalism without the intervention of law
enforcement after the fact. This will. The DSR SDT felt that attempting to define sabotage
would result in further ambiguity with respect to reporting events. The term “sabotage” is no
longer included in the standard and therefore it is inappropriate to attempt to define it.. The
Impact Eventsevents listed in Attachment 1 were developed to provide guidance for reporting
both actual events as well as events which may have an impact on the Bulk Electric System. The
DSR SDT believes that this is an equally effective and efficient means of addressing the FERC
Directive. Attachment 1, Part A is to be used for those actions that have impacted the electric
system and in particular the section “Damage or destruction to equipment” clearly defines that all
equipment that intentional or non intentional human error be reported. Attachment 1, Part B
covers the similar items but the action has not fully occurred but may cause a risk to the electric
system and is required to be reported.
To support this concept, the The types of events that are required to be reported are contained
within Attachment 1. The DSR SDT has provided specific event for reporting including types of
Impactcoordinated with the NERC Events and timing thresholds pertaining to Analysis Working
Group to develop the different types of Impact Events and who’s responsibility for reportinglist
of events that are to be reported under the different Impact Events. This information is outlined
in Attachment 1 to the proposed this standard. Attachment 1, Part A pertains to those actions or
events that have impacted the Bulk Electric System. These events were previously reported
under EOP-004-1, CIP-001-1 or the Department of Energy form OE-417. Attachment 1, Part B
covers similar items that may have had an impact on the Bulk Electric System or has the
potential to have an impact and should be reported.
The DSR SDT wishes to make clear that the proposed changes doStandard does not include any
real-time operating notifications for the types of events covered by CIP-001, EOP-004. Thislisted
in Attachment 1. Real-time reporting is achieved through the RCIS and is covered in other
standards (e.g. TOPthe TOP family of standards). The proposed standard deals exclusively with
after-the-fact reporting.
The DSR SDT is proposing to consolidate disturbance and Impact Event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts
• A single form to report disturbances and Impact Events that threaten the reliability of the
bulk electric system
• Other opportunities for efficiency, such as development of an electronic form and
possible inclusion of regional reporting requirements
• Clear criteria for reporting
• Consistent reporting timelines
• Clarity around who will receive the information and how it will be used
Data Gathering
The requirements of EOP-004-1 require that entities “promptly analyze Bulk Electric System
disturbances on its system or facilities” (Requirement R2). The requirements of EOP-004-2
specify that certain types of events are to be reported but do not include provisions to analyze
events. Events reported under EOP-004-2 may trigger further scrutiny by the ERO Events
Analysis Program. If warranted, the Events Analysis Program personnel may request that more
data for certain events be provided by the reporting entity or other entities that may have
experienced the event. Entities are encouraged to become familiar with the Events Analysis
Program and the NERC Rules of Procedure to learn more about the expectations of the
program.
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by
effectively reporting Impact Events.events. Certain outages, such as those due to vandalism and
terrorism, aremay not be reasonably preventable. These are the types of events that should be
reported to law enforcement. Entities rely upon law enforcement agencies to respond to and
investigate those Impact Eventsevents which have the potential ofto impact a wider area affect
upon the industry whichof the BES. The inclusion of reporting to law enforcement enables and
supports reliability principles such as protection of bulk power systems from malicious physical
or cyber attack. The Standard is intended to reduce the risk of Cascading involving Impact
Events.events. The importance of BES awareness of the threat around them is essential to the
effective operation and planning to mitigate the potential risk to the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO)), Regional Entity
• FERC
• DOE
• NRC
• DHS – Federal
• Homeland Security- State
• State Regulators
• Local Law Enforcement
• State or Provincial Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP)
The above stakeholders have an interest in the timely notification, communication and response
to an incident at an industry facility. The stakeholders have various levels of accountability and
have a vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001-1a:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The present CIP-001-1-1a standard requires a liaison relationship on behalf of the
industry and the FBI or RCMP. Annual requirements, under the standard, of the industry have
not been clear and have led to misunderstandings and confusion in the industry as to how to
demonstrate that the liaison is in place and effective. FBI offices As an example of proof of
compliance with Requirement R4, responsible entities have been asked FBI Office personnel to
confirmprovide, on FBI letterhead, confirmation of the existence of a working relationship to
report acts of sabotage to include references to, , the number of years the liaison relationship has
been in existence, and confirmingthe validity of the telephone numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, passionately
committed investigators, analysts, linguists, SWAT experts, and other specialists from dozens of
U.S. law enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the
Justice Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communications occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flow freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to an industry incident has been local and state law enforcement agencies to
suspected vandalism and criminal damages at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and
Provincial law enforcement coordinate to investigate suspected acts of vandalism and sabotage.
The Provincial law enforcement agency has a reporting relationship with the Royal
Canadian Mounted Police (RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator and the
SDT Chair is reflected in the flowchart below (Reporting Hierarchy for Impact Event EOP-0042Reportable Events). Essentially, reporting an Impact Eventevent to law enforcement agencies
will only require the industry to notify the state or provincial or local level law enforcement
agency. The state or provincial or local level law enforcement agency will coordinate with local
law enforcement with jurisdiction to investigate. If the state or provincial or local level law
enforcement agency decides federal agency law enforcement or the RCMP should respond and
investigate, the state or provincial or local level law enforcement agency will notify and
coordinate with the FBI or the RCMP.
Reporting Hierarchy for Reportable Events
[Flowchart; connecting arrows not recoverable from the extracted text. Box labels:]
• Entity Experiencing an event in Attachment 1
• Report to Law Enforcement? (NO / YES)
• Refer to Ops Plan for Reporting procedures (appears twice)
• Procedure to Report to Law Enforcement
• Procedure to Report to ERO
• Report Event to ERO, Regional Entity (appears twice)
• ERO and Regional Entities conduct investigation (appears twice)
• Notification Protocol to State Agency Law Enforcement
• State Agency Law Enforcement coordinates as appropriate with FBI
• ERO Events Analysis (appears twice)
• Criminal act invoking federal jurisdiction? * (NO / YES)
• ERO Reports Applicable Events to FERC Per Rules of Procedure (appears twice)
• State Agency Law Enforcement Investigates
• State Agency Law Enforcement notifies FBI
• FBI Responds and makes notification to DHS
*Canadian entities will follow law enforcement protocols applicable in
their jurisdictions
B. Requirements and Measures
R1. Each Responsible Entity shall have an Impact Event Operating Plan that includes: [Violation Risk:
Factor Medium: Lower] [Time Horizon: LongtermOperations Planning]
1.1. An Operating ProcessA process for identifying Impact Eventsevents listed in Attachment 1.
1.2. An Operating ProcedureA process for gathering information for Attachment 2 regarding observed
Impact Eventsevents listed in Attachment 1.
1.3. An Operating ProcessA process for communicating recognized Impact Events events listed in
Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s Reliability
Coordinator and the following as appropriate:
• Internal company personnel notification(s).
• External organizations to notify to include but not limited to the Responsible Entities’
Reliability Coordinator, NERC, The Responsible Entities’Entity’s Regional Entity,
• Law Enforcement, and enforcement
• Governmental or Provincial Agencies.provincial agencies
Rationale for R1 (Draft 3 wording)
Every industry participant that owns or operates elements or devices on the grid has a formal
or informal process, procedure, or steps it takes to gather information regarding what happened
when events occur. This requirement has the Responsible Entity establish documentation on how
that procedure, process, or plan is organized. This documentation may be a single document or a
combination of various documents that achieve the reliability objective.
For the Operating Plan, Part 1.2 includes information gathering to be able to complete the
report for reportable events. The main issue is to make sure an entity can a) identify when an
event has occurred and b) be able to gather enough information to complete the report.
Part 1.3 could include a process flowchart, identification of internal and external personnel
or entities to be notified, or a list of personnel by name and their associated telephone
numbers.
Rationale for R1 (Draft 2 wording)
Every industry participant that owns or operates elements or devices on the grid has a formal
or informal process, procedure, or steps it takes to gather information regarding what happened
and why it happened when Impact Events occur. This requirement has the Registered Entity
establish documentation on how that procedure, process, or plan is organized.
For the Impact Event Operating Plan, the DSR SDT envisions that Part 1.2 includes performing
sufficient analysis and information gathering to be able to complete the report for reportable
Impact Events. The main issue is to make sure an entity can a) identify when an Impact Event has
occurred and b) be able to gather enough information to complete the report.
Part 1.3 could include a process flowchart, identification of internal positions to be
notified and to make notifications, or a list of personnel by name as well as telephone
numbers.
The Impact Event Operating Plan may include, but not be limited to, the following: how
the entity is notified of event’s occurrence, person(s) initially tasked with the
overseeing the assessment or analytical study, investigatory steps typically taken, and
documentation of the assessment / remedial action plan.
1.4. Provision(s) for updating the Impact Event
Operating Plan within 90 calendar days of
any change to its content. in assets,
personnel, other circumstances that may no
longer align with the Operating Plan; or
incorporating lessons learned pursuant to Requirement R3.
1.5. A Process for ensuring the responsible entity reviews the Operating Plan at least
annually (once each calendar year) with no more than 15 months between reviews.
1.4.
M1. Each Responsible Entity shallwill provide the current, dated, in force Impact Event
Operating Plan to the Compliance Enforcement Authoritywhich includes Parts 1.1 1.5 as requested.
R2. Each Responsible Entity shall implement the parts of its Impact Event Operating Plan
documented inthat meet Requirement R1 for Impact Events listed in Attachment 1 (, Parts
A1.1 and B).1.2 for an actual event and Parts 1.4 and 1.5 as specified. [Violation Risk::
Factor: Medium] [Time Horizon: Real-time Operations and Same-day
Operations] Assessment].
M2. To the extent that an Responsible Entity has an Impact Event on its Facilities, the
Responsible EntityEntities shall documentation of provide evidence that it implemented the
implementationparts of its Impact Event Operating Plans. Such evidence couldPlan to meet
Requirement R1, Parts 1.1 and 1.2 for an actual event and Parts, 1.4 and 1.5 as specified.
Evidence may include, but is not limited to, an event report form (Attachment 2) or the OE-417
report submitted, operator logs, voice recordings, or other notations and documents retained by
the Registered Entity for each Impact Event. dated documentation of review and update of the
Operating Plan. (R2)
Rationale for R2
Each Responsible Entity must implement the various parts of Requirement R1. Parts 1.1 and 1.2
call for identifying and gathering information for actual events. Parts 1.4 and 1.5 require
updating and reviewing the Operating Plan.
R3. Each Responsible Entity shall conduct a test of report events in accordance with its
Operating ProcessPlan developed to address the events listed in Attachment 1.
[Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].
M3. Responsible Entities shall provide a record of the type of event experienced; a dated copy
of the Attachment 2 form or OE-417 report; and dated and time stamped transmittal records to
show that the event was reported. (R3)
Rationale for R3 (Draft 3 wording)
Each Responsible Entity must report events via its Operating Plan based on Attachment 1. For
each event listed in Attachment 1, there are entities listed that are to be notified as well as
the time required to perform the reporting.
Rationale for R3 (Draft 2 wording)
The DSR SDT intends for each Responsible Entity to verify that its Operating Process for
communicating recognized Impact Events is correct so that the entity can respond appropriately
in the case of an actual Impact Event. The Responsible Entity may conduct a drill or exercise of
its Operating Process for communicating recognized Impact Events as often as it desires but the
time period between such drill or exercise can be no longer than 15 months from the previous
drill/exercise or actual Impact Event (i.e., if you conducted an exercise/drill/actual
employment of the Operating Process in January of one year, there would be another
exercise/drill/actual employment by March 31 of the next calendar year). Multiple exercises in
a 15 month period are not a violation of the requirement and would be encouraged to improve
reliability.
R4. Each Responsible Entity shall verify (through actual implementation for communicating
recognized Impact Eventsan event, or through a drill or exercise) the communication process in
its Operating Plan, created pursuant to Requirement R11, Part 1.3, at least annually, (once per
calendar year), with no more than 15 calendar months between tests.verification or actual
implementation. [Violation Risk: Factor: Medium] [Time Horizon: Long-termOperations
Planning]
Rationale for R4
Each Responsible Entity must verify that its Operating Plan for communicating events is correct
so that the entity can respond appropriately in the case of an actual event. The Responsible
Entity may conduct a drill or exercise to test its Operating Plan for communicating events as
often as it desires but the time period between tests can be no longer than 15 calendar months
from the previous drill/exercise or actual event (i.e., if you conducted an
exercise/drill/actual employment of the Operating Plan in January of one year, there would be
another exercise/drill/actual employment by March 31 of the next calendar year). Multiple
exercises in a 15 month period are not a violation of the requirement and would be encouraged
to improve reliability.
Evidence showing that an entity used the communication process in its Operating Plan for an
actual event qualifies as evidence to meet this requirement.
M3. In the absence of an actual Impact Event, theM4. The Responsible Entity shall provide
evidence that it conducted a mock Impact Event and followedverified the communication
process in its Operating ProcessPlan for communicating recognized Impact Eventsevents
created pursuant to Requirement R1, Part 1.3. Either implementation of the
communication process as documented in its Operating Plan for an actual event or
documented evidence of a drill or exercise may be used as evidence to meet this
requirement. The time period between an actual andevent or mock Impact
Eventsverification shall be no more than 15 months. Evidence may include, but is not
limited to, operator logs, voice recordings, or dated documentation. of a verification. (R3)
R4. Each Responsible Entity shall review its Impact Event Operating Plan with those personnel who
have responsibilities identified in that plan at least annually with no more than 15 calendar months
between review sessions[Violation Risk: Factor Medium] [Time Horizon: Long-term
Planning ].
M4. Responsible Entities shall provide the materials presented to verify content and the
association between the people listed in the plan and those who participated in the review,
documentation showing who was present and when internal personnel were trained on the
responsibilities in the plan.
R5. Each Responsible Entity shall report Impact Events in accordance with the Impact Event
Operating Plan pursuant to Requirement R1 and Attachment 1 using the form in
Attachment 2 or the DOE OE-417 reporting form. [Violation Risk: Factor: Medium]
[Time Horizon: Real-time Operations and Same-day Operations].
M5. Responsible Entities shall provide evidence demonstrating the submission of reports using
the plan created pursuant to Requirement R1 and Attachment 1 using either the form in
Attachment 2 or the DOE OE-417 report. Such evidence will include a copy of the
Attachment 2 form or OE-417 report submitted, evidence to support the type of Impact
Event experienced; the date and time of the Impact Event; as well as evidence of report
submittal that includes date and time.
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
• Regional Entity; or
• If the Responsible Entity works for the Regional Entity, then the Regional Entity will establish an agreement with the ERO or another entity approved by the ERO and FERC (i.e. another Regional Entity) to be responsible for compliance enforcement.; or
Compliance Monitoring and Enforcement Processes:
• Compliance Audits
• Self-Certifications
• Spot Checking
• Compliance Violation Investigations
• Self-Reporting
• Complaints
Third-party monitor without vested interest in the outcome for the ERO.
1.2 Evidence Retention
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time since
the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period since
the last audit.
Each Responsible Entity shall retain the current, in force document plus the ‘dated
revision history’ from each version issued since the last audit for 3 calendar years
for Requirement R1 and Measure M1.
Each Responsible Entity shall retain evidence from prior 3 calendar years for
Requirements R2, R3, R4, and Measures M2, M3, M4.
Each Responsible Entity shall retain data or evidence for three calendar years or
for the duration of any regional or Compliance Enforcement Authority
investigation; whichever is longer.
If a Registered Entity is found non-compliant, it shall keep information related to
the non-compliance until found compliant or for the duration specified above,
whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
requested and submitted subsequent audit records.
1.3 Compliance Monitoring and Enforcement Processes:
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4 Additional Compliance Information
None
Table of Compliance Elements
R#
Time
Horizon
VRF
Violation Severity Levels
Lower VSL
Moderate VSL
High VSL
Severe VSL
R1
Long-term
Planning
MediumLower The
The
The
The
ResponsibleReliabilit ResponsibleReliabilit ResponsibleReliabilit ResponsibleReliabilit
y Coordinator,
y Coordinator,
y Coordinator,
y Coordinator,
Balancing Authority,
Balancing Authority, Balancing Authority, Balancing Authority,
Interchange
Interchange
Interchange
Interchange
Coordinator,
Coordinator,
Coordinator,
Coordinator,
Transmission Service Transmission Service Transmission Service Transmission Service
Provider,
Provider,
Provider,
Provider,
Transmission Owner, Transmission Owner, Transmission Owner, Transmission Owner,
Transmission
Transmission
Transmission
Transmission
Operator, Generator
Operator, Generator
Operator, Generator
Operator, Generator
Owner, Generator
Owner, Generator
Owner, Generator
Owner, Generator
Operator, Distribution Operator, Distribution Operator, Distribution Operator, Distribution
Provider or Load
Provider or Load
Provider or Load
Provider or Load
Serving Entity has an Serving Entity has a
Serving Entity has an Serving Entity failed
Impact Event
Impact Eventan
Impact Event
to include allfour or
Operating Plan but
Operating Plan but
Operating Plan but
more of Parts 1.1
failed to include one
failed to include two
failed to include three through 1.45.
of Parts 1.1 through
of Parts 1.1 through
of Parts 1.1 through
1.45.
1.45.
1.45.
R2
Real-time
Operations
and Sameday
Medium
N/A
N/A
N/A
The Responsible
Entity failed to
implement its Impact
Event Operating Plan
Operations
R3R2 Long-term
PlanningReal
-time
Operations
and Sameday
Operations
for an Impact Event
listed in Attachment
1.
Medium
1.1: N/A
1.1: N/A
1.1: N/A
1.2: N/A
1.2: N/A
1.2: N/A
1.1: The
ResponsibleReliabilit
y Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator, Distribution
Provider or Load
Serving Entity failed
to conduct a test of its
implement the process
for identifying events.
1.4: The
1.4: The
1.4: The
ResponsibleReliabilit ResponsibleReliabilit ResponsibleReliabilit
y Coordinator,
y Coordinator,
y Coordinator,
Balancing Authority, Balancing Authority, Balancing Authority,
Interchange
Interchange
Interchange
Coordinator,
Coordinator,
Coordinator,
Transmission Service Transmission Service Transmission Service
Provider,
Provider,
Provider,
Transmission Owner, Transmission Owner, Transmission Owner,
Transmission
Transmission
Transmission
Operator, Generator
Operator, Generator
Operator, Generator
Owner, Generator
Owner, Generator
Owner, Generator
Operator, Distribution Operator, Distribution Operator, Distribution
Provider or Load
Provider or Load
Provider or Load
Serving Entity failed
Serving Entity failed
Serving Entity failed 1.2: The Reliability
to conduct a test of its to conduct a test of its to conduct a test of its Coordinator,
update the Operating
update the Operating
update the Operating
Balancing Authority,
Process for
Process for
Process for
Interchange
communicating
communicating
communicating
Coordinator,
recognized Impact
recognized Impact
recognized Impact
Transmission Service
Events created
Events created
Events created
Provider,
pursuant to
pursuant to
pursuant to
Transmission Owner,
Requirement R1, Part Requirement R1, Part Requirement R1, Part Transmission
1.3 inPlan more than
1.3inPlan more than
1.3 inPlan more than
Operator, Generator
90 days of a change,
but not more than 100
days after a change.
100 days of a change,
but not more than 110
days after a change.
110 days of a change,
but not more than 120
days after a change.
1.5: The Reliability
Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator, Distribution
Provider or Load
Serving Entity
reviewed the
Operating Plan, more
than 15 calendar
months but lessafter
its previous review,
but not more than 18
calendar months. after
its previous review.
1.5: The Reliability
1.5: The Reliability
Coordinator,
Coordinator,
Balancing Authority, Balancing Authority,
Interchange
Interchange
Coordinator,
Coordinator,
Transmission Service Transmission Service 1.4: The Reliability
Provider,
Provider,
Coordinator,
Transmission Owner, Transmission Owner, Balancing Authority,
Transmission
Transmission
Interchange
Operator, Generator
Operator, Generator
Coordinator,
Owner, Generator
Owner, Generator
Transmission Service
Operator, Distribution Operator, Distribution Provider,
Provider or Load
Provider or Load
Transmission Owner,
Serving Entity
Serving Entity
Transmission
reviewed the
reviewed the
Operator, Generator
Operating Plan, more Operating Plan, more Owner, Generator
than 18 calendar
than 21 calendar
Operator, Distribution
months but lessafter
months but lessafter
Provider or Load
its previous review,
its previous review,
Serving Entity failed
but not more than 21
but not more than 24
to update the
calendar months after calendar months after Operating Process for
its previous review.
its previous review.
communicating
recognized Impact
Events created
pursuant to
Requirement R1, Part
1.3 inPlan more than
120 days of a change.
Owner, Generator
Operator, Distribution
Provider or Load
Serving Entity failed
to implement the
process for gathering
information for
Attachment 2.
1.5: The Reliability
Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator, Distribution
Provider or Load
Serving Entity
reviewed the
Operating Plan, more
than 24 calendar
months after its
previous review.
R4
Long-term
Planning
R5R3 Real-time
Medium
Medium
The Responsible
Entity failed to review
The Responsible
Entity failed to review
The Responsible
Entity failed to review
The Responsible
Entity failed to review
its Impact Event
Operating Plan with
those personnel who
have responsibilities
identified in that plan l
its Impact Event
Operating Plan with
those personnel who
have responsibilities
identified in that plan in
its Impact Event
Operating Plan with
those personnel who
have responsibilities
identified in that plan in
its Impact Event
Operating Plan with
those personnel who
have responsibilities
identified in that plan in
in more than 15
months but less than
18 months.
more than 18 months
but less than 21
months.
more than 21 months
but less than 24
months.
more than 24 months
The
The
The
The Responsible
Operations
and Sameday
Operations
ResponsibleReliabilit
y Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator, Distribution
Provider or Load
Serving Entity failed
to submitsubmitted a
report inmore than 24
hours but less than or
equal to 36 hours
forafter an Impact
Eventevent requiring
reporting within 24
hours in Attachment
1.
ResponsibleReliabilit
y Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator, Distribution
Provider or Load
Serving Entity failed
to submitsubmitted a
report in more than 36
hours but less than or
equal to 48 hours
forafter an Impact
Eventevent requiring
reporting within 24
hours in Attachment
1.
ResponsibleReliabilit
y Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator, Distribution
Provider or Load
Serving Entity failed
to submitsubmitted a
report in more than 48
hours but less than or
equal to 60 hours
forafter an Impact
Eventevent requiring
reporting within 24
hours in Attachment
1.
OR
OR
The Reliability
Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
The
ResponsibleReliabilit
y Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Entity failed to submit
a report in Reliability
Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator, Distribution
Provider or Load
Serving Entity
submitted a report
more than 60 hours
forafter an Impact
Eventevent requiring
reporting within 24
hours in Attachment
1.
OR
The
ResponsibleReliabilit
y Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator, Distribution
Provider or Load
Serving Entity
submitted a report
more than 1 hour but
less than 2 hours after
an event requiring
reporting within 1
hour in Attachment 1.
Transmission Owner, Transmission
Transmission
Operator, Generator
Operator, Generator
Owner, Generator
Owner, Generator
Operator, Distribution
Operator, Distribution Provider or Load
Provider or Load
Serving Entity failed
Serving Entity failed
to submitsubmitted a
to submitsubmitted a
report in more than 23
report in more than 1 hours forafter an
hour2 hours but less
Impact Eventevent
than 23 hours forafter requiring reporting
an Impact Eventevent within 1 hour in
requiring reporting
Attachment 1.
within 1 hour in
OR
Attachment 1.
The responsible
entityReliability
Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator, Distribution
Provider or Load
Serving Entity failed
to submit a report for
an Impact Eventevent
in Attachment 1.
R4
Time Horizon: Operations Planning
VRF: Medium
Lower VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity verified the communication process in its Operating Plan, more than 15 calendar months after its previous test, but not more than 18 calendar months after its previous test.
Moderate VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity verified the communication process in its Operating Plan, more than 18 calendar months after its previous test, but not more than 21 months after its previous test.
High VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity verified the communication process in its Operating Plan, more than 21 calendar months after its previous test, but not more than 24 months after its previous test.
OR
The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to verify the communication process in its Operating Plan within the calendar year.
Severe VSL: The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity verified the communication process in its Operating Plan, more than 24 calendar months after its previous test.
OR
The Reliability Coordinator, Balancing Authority, Interchange Coordinator, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, Distribution Provider or Load Serving Entity failed to verify the communication process in its Operating Plan.
D. Variances
None.
E. Interpretations
None.
F. Interpretations
Guideline and Technical Basis (attached).
EOP-004 - Attachment 1: Impact Events Table
NOTE: Under certain adverse conditions, (e.g. severe weather, multiple events) it may not be possible to report the damage caused
by an Impact Eventevent and issue a written Impact Event Report within the timing in the table below. In such cases, the affected
Responsible Entity shall notify its Regional Entity(ies) and NERC, (e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422)parties per R1 and provide as much information as is available. at the time of the notification. The affected Responsible
Entity shall then provide periodic verbal updates until adequate information is available to issue a written Impact Event report.
EOP-004 – Attachment 1 - Actual Reliability Impact – Part A

| Event | Entity with Reporting Responsibility | Threshold for Reporting | Time to Submit Report |
|---|---|---|---|
| Energy Emergency requiring Public appeal for load reduction | Initiating entity is responsible for reporting | Each public appeal for load reduction | Within 1 hour of issuing a public appeal |
| Energy Emergency requiring system-wide voltage reduction | Initiating entity is responsible for reporting | System wide voltage reduction of 3% or more | Within 1 hour after event is initiated |
| Energy Emergency requiring manual firm load shedding | Initiating entity is responsible for reporting | Manual firm load shedding ≥ 100 MW | Within 1 hour after event is initiated |
| Energy Emergency resulting in automatic firm load shedding | Each DP or TOP that experiences the Impact Event | Firm load shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding schemes, or SPS/RAS) | Within 1 hour after event is initiated |
| Voltage Deviations on BES Facilities | Each RC, TOP, GOP that experiences the Impact Event | ± 10% sustained for ≥ 15 continuous minutes | Within 24 hours after 15 minute threshold |
| IROL Violation | Each RC, TOP that experiences the Impact Event | Operate outside the IROL for time greater than IROL Tv | Within 24 hours after Tv threshold |
| Loss of Firm load for ≥ 15 Minutes | Each RC, BA, TOP, DP that experiences the Impact Event | ≥ 300 MW for entities with previous year’s demand ≥ 3000 MW; ≥ 200 MW for all other entities | Within 1 hour after 15 minute threshold |
| System Separation (Islanding) | Each RC, BA, TOP, DP that experiences the Impact Event | Each separation resulting in an island of generation and load ≥ 100 MW | Within 1 hour after occurrence is identified |
| Generation loss | Each RC, BA, GOP that experiences the Impact Event | ≥ 2,000 MW for entities in the Eastern or Western Interconnection; ≥ 1000 MW for entities in the ERCOT or Quebec Interconnection | Within 24 hours after occurrence |
| Loss of Off-site power to a nuclear generating plant (grid supply) | Each RC, BA, TO, TOP, GO, GOP that experiences the Impact Event | Affecting a nuclear generating station per the Nuclear Plant Interface Requirement | Report within 24 hours after occurrence |
| Transmission loss | Each RC, TOP that experiences the Impact Event | Three or more BES Transmission Elements | Within 24 hours after occurrence |
| Damage or destruction of BES equipment [1] | Each RC, BA, TO, TOP, GO, GOP, DP that experiences the Impact Event | Through operational error, equipment failure, external cause, or intentional or unintentional human action. | Within 1 hour after occurrence is identified |
| Damage or destruction of Critical Asset | Applicable Entities under CIP-002 or its successor. | Through operational error, equipment failure, external cause, or intentional or unintentional human action. | Within 1 hour after occurrence is identified |
| Damage or destruction of a Critical Cyber Asset | Applicable Entities under CIP-002 or its successor. | Through intentional or unintentional human action. | Within 1 hour after occurrence is identified |

[1] BES equipment that: i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency actions); iii) Damaged or destroyed due to intentional or unintentional human action; or iv) Do not report copper theft from BES equipment unless it degrades the ability of equipment to operate correctly e.g., removal of grounding straps rendering protective relaying inoperative.
EOP-004 – Attachment 1 - Potential Reliability Impact – Part B

| Event | Entity with Reporting Responsibility | Threshold for Reporting | Time to Submit Report |
|---|---|---|---|
| Unplanned Control Center evacuation | Each RC, BA, TOP that experiences the potential Impact Event | Unplanned evacuation from BES control center facility | Report within 24 hours after occurrence |
| Fuel supply emergency | Each RC, BA, GO, GOP that experiences the potential Impact Event | Affecting BES reliability [2] | Report within 1 hour after occurrence |
| Loss of all monitoring or voice communication capability | Each RC, BA, TOP that experiences the potential Impact Event | Affecting a BES control center for ≥ 30 continuous minutes | Report within 24 hours after occurrence |
| Forced intrusion [3] | Each RC, BA, TO, TOP, GO, GOP that experiences the potential Impact Event | At a BES facility | Report within 1 hour after verification of intrusion |
| Risk to BES equipment [4] | Each RC, BA, TO, TOP, GO, GOP, DP that experiences the potential Impact Event | From a non-environmental physical threat | Report within 1 hour after identification |
| Detection of a reportable Cyber Security Incident. | Each RC, BA, TO, TOP, GO, GOP, DP that experiences the potential Impact Event | That meets the criteria in CIP-008 (or its successor) | Report within 1 hour after detection |

[2] Report if problems with the fuel supply chain result in the projected need for emergency actions to manage reliability.
[3] Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless it affects the reliability of the BES).
[4] Examples include a train derailment adjacent to BES equipment that either could have damaged the equipment directly or has the potential to damage the equipment (e.g. flammable or toxic cargo that could pose fire hazard or could cause evacuation of a BES facility control center) and report of suspicious device near BES equipment.
EOP-004 - Attachment 2: Impact Event Reporting Form
This form is to be used to report Impact Events Reports to the ERO. NERC will accept the DOE OE-417 form in lieu of this form if
the entity is required to submit an OE-417 report. Reports should be submitted viato one of the following: e-mail: esisac@nerc.com,
Facsimile: 609-452-9550, Voice: 609-452-1422.
Attachment 1 - Reportable Events
Event
Entity with Reporting
Responsibility
Task
1.
Destruction of BES
equipment 5
2.
Damage or
destruction of
Critical Asset per
Submit Attachment 2 or DOE OE-417 Report to:
Impact Event Threshold
for Reporting for EOP004-2
Comments
Entity filing the report
(include company name
and Compliance
Registration ID
number):Each RC, BA,
TO, TOP, GO, GOP,
DP that experiences the
destruction of BES
equipment
Initial indication the event
was due to operational error,
equipment failure, external
cause, or intentional or
unintentional human action.
The parties identified pursuant to R1.3 within 1 hour of
recognition of event.
Applicable Entities
under CIP-002
Initial indication the event
was due to operational error,
equipment failure, external
Date and Time of
Impact Event.
5
BES equipment that: i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency
actions); iii) Damaged or destroyed due to intentional or unintentional human action which removes the BES equipment from service. Do not report copper theft
from BES equipment unless it degrades the ability of equipment to operate correctly (e.g., removal of grounding straps rendering protective relaying inoperative).
Attachment 1 - Reportable Events
Event
Entity with Reporting
Responsibility
Task
CIP-002
3.
Applicable Entities
under CIP-002.
4.
Did the actual or
potential Impact Event
originate in your
system?Each RC, BA,
TO, TOP, GO, GOP
that experiences the
forced intrusion
Forced
intrusion 6
Comments
cause, or intentional or
unintentional human action.
Damage or
destruction of a
Critical Cyber
Asset per CIP-002
Submit Attachment 2 or DOE OE-417 Report to:
Impact Event Threshold
for Reporting for EOP004-2
Through intentional or
unintentional human action.
Date: (mm/dd/yyyy)
Time/Zone:The
parties identified
pursuant to R1.3 within
1 hour of recognition of
event.
Name of contact person:
Email address:
Telephone Number:The
parties identified
pursuant to R1.3 within
1 hour of recognition of
event.
Actual Impact Event
Potential Impact Event
The parties identified pursuant to R1.3 within 1 hour of
recognition of event.
Yes No Unknown
At a BES facility
6
Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless it affects the reliability of the
BES).
Attachment 1 - Reportable Events
Event
Entity with Reporting
Responsibility
Task
Submit Attachment 2 or DOE OE-417 Report to:
Impact Event Threshold
for Reporting for EOP004-2
Comments
5.
Risk to
BES equipment 7
Under which NERC
function are you
reporting? (RC, TOP,
BA, other)Each RC,
BA, TO, TOP, GO,
GOP, DP that
experiences the risk to
BES equipment
From a non-environmental
physical threat
The parties identified pursuant to R1.3 within 1 hour of
recognition of event.
6.
Each RC, BA, TO,
TOP, GO, GOP, DP,
ERO or RE that
experiences the Cyber
Security Incident
That meets the criteria in
CIP-008
Brief Description of
actual or potential
Impact Event:
Detection
of a reportable
Cyber Security
Incident.
(More detail should be
provided in the
Sequence of Events
section below.)The
parties identified
pursuant to R1.3 within
1 hour of recognition of
event.
7
Examples include a train derailment adjacent to BES equipment that either could have damaged the equipment directly or has the potential to damage the
equipment (e.g. flammable or toxic cargo that could pose fire hazard or could cause evacuation of a BES facility control center) and report of suspicious device
near BES equipment.
Attachment 1 - Reportable Events
Event
Entity with Reporting
Responsibility
Task
7.
Submit Attachment 2 or DOE OE-417 Report to:
Impact Event Threshold
for Reporting for EOP004-2
Comments
Generation tripped off-line*.
MW Total
List units tripped
8.
BES
Emergency
requiring public
appeal for load
reduction
Deficient entity is
responsible for
reporting
Each public appeal for load
reduction
Frequency*.
Just prior to Impact
Event (Hz):
Immediately after
Impact Event (Hz max):
Immediately after
Impact Event (Hz
min):The parties
identified pursuant to
R1.3 within 24 hours of
recognition of the event.
9.
BES
Emergency
requiring systemwide voltage
reduction
Initiating entity is
responsible for
reporting
List transmission facilities
(lines, transformers, buses,
etc.) tripped and lockedout*.
The parties identified pursuant to R.1.3 within 24 hours of
recognition of the event.
(SpecifySystem wide
voltage levelreduction of
each facility listed).3% or
Attachment 1 - Reportable Events
Event
Entity with Reporting
Responsibility
Submit Attachment 2 or DOE OE-417 Report to:
Impact Event Threshold
for Reporting for EOP004-2
Task
Comments
more
10.
BES
Emergency
requiring manual
firm load shedding
FIRMManual firm load
shedding ≥ 100 MW
INTERRUPTIBLEThe parties identified pursuant to R1.3 within
24 hours of recognition of the event.
Demand tripped
(MW)*:
Number of affected
customers*:
Demand lost (MWMinutes)*:Initiating
entity is responsible for
reporting
11.
12.
13.
Attachment 1 - Reportable Events
Event
Entity with Reporting
Responsibility
Submit Attachment 2 or DOE OE-417 Report to:
Impact Event Threshold
for Reporting for EOP004-2
Task
Comments
14. Restoration Time*.
INITIAL
FINAL
Transmission:
Generation:
Demand:
15.
BES
Emergency
resulting in
automatic firm load
shedding
Each DP or TOP that
experiences the
automatic load shedding
Sequence of Events of
actual or potential Impact
Event (if potential Impact
Event, please describe your
assessment of potential
impact to BES) :
The parties identified pursuant to R1.3 within 24 hours of
recognition of the event.
Attachment 1 - Reportable Events
Event
Entity with Reporting
Responsibility
Task
Submit Attachment 2 or DOE OE-417 Report to:
Impact Event Threshold
for Reporting for EOP004-2
Comments
Firm load shedding ≥ 100
MW (via automatic
undervoltage or
underfrequency load
shedding schemes, or
SPS/RAS)
Voltage deviations
on BES Facilities
Each TOP that
experiences the voltage
deviation
± 10% sustained for ≥ 15
continuous minutes
The parties identified pursuant to R1.3 within 24 hours after 15
minutes of exceeding the threshold.
16.
Each RC that
experiences the IROL
Violation (all
Interconnections) or
SOL violation (WECC
only)
Identify the initial probable
cause or known root cause
of the actual or potential
Impact Event if known at
time of submittal of Part I of
this report:
The parties identified pursuant to R1.3 within 24 hours after
exceeding the Tv threshold.
IROL
Violation (all
Interconnections) or
SOL Violation
(WECC only)
Operate outside the IROL
for time greater than IROL
Tv (all Interconnections) or
Operate outside the SOL for
Attachment 1 - Reportable Events
Event
Entity with Reporting
Responsibility
Submit Attachment 2 or DOE OE-417 Report to:
Impact Event Threshold
for Reporting for EOP004-2
Task
Comments
a time greater than the SOL
Tv (WECC only).
Loss of Firm load
for ≥ 15 Minutes
17.
System
Separation
(Islanding)
≥ 300 MW for entities wit The parties identified pursuant to R1.3 the entity’s within 24 hours
demand ≥ 3000 MW exceeding the 15 minute threshold
≥ 200 MW for all other
entities
Each BA, TOP, DP that
experiences the loss of
firm load
•
Identify any protection
system
misoperation(s) 8:
Each separation resulting in
an island of generation and
load ≥ 100 MW
•
The parties identified pursuant to R1.3 within 24 hours after
occurrence is identified
Each RC, BA, TOP, DP
that experiences the
system separation
Generation loss
Each BA, GOP that
experiences the
generation loss
•
•
Loss of Off-site
8
Each TO, TOP that
≥ 2,000 MW for entities
in the Eastern or
Western Interconnection
≥ 1000 MW for entities
in the ERCOT or
Quebec Interconnection
Affecting a nuclear
The parties identified pursuant to R1.3within 24 hours after
occurrence.
The parties identified pursuant to R1.3 within 24 hours after
Only applicable if it is part of the impact event the responsible entity is reporting on
Attachment 1 - Reportable Events
Event
Entity with Reporting
Responsibility
Task
Submit Attachment 2 or DOE OE-417 Report to:
Impact Event Threshold
for Reporting for EOP004-2
Comments
power to a nuclear
generating plant
(grid supply)
experiences the loss of
off-site power to a
nuclear generating plant
generating station per the
Nuclear Plant Interface
Requirement
occurrence
Transmission loss
Each TOP that
experiences the
transmission loss
Unintentional loss of Three
or more Transmission
Facilities (excluding
successful automatic
reclosing)
The parties identified pursuant to R1.3 within 24 hours after
occurrence
Unplanned Control
Center evacuation
Each RC, BA, TOP that
experiences the
potential event
Unplanned evacuation from
BES control center facility
The parties identified pursuant to R1.3 within 24 hours of
recognition of event.
Additional
InformationEach RC,
BA, TOP that helps to
further explain
experiences the actual
Voice Communications:
Affecting a BES control
center for ≥ 30 continuous
minutes
The parties identified pursuant to R1.3 within 24 hours of
recognition of event.
18.
Loss of
monitoring or all
voice
communication
capability
loss of monitoring or
potential Impact Event
if needed.
all voice
communication
Monitoring: Affecting a
BES control center for ≥ 30
continuous minutes such
that analysis tools (State
Estimator, Contingency
Analysis) are rendered
inoperable.
capability
EOP-004, Attachment 2: Event Reporting Form
This form is to be used to report events to parties listed in Attachment 1, column labeled “Submit Attachment 2 or
DOE OE-417 Report to:”. These parties will accept the DOE OE-417 form in lieu of this form if the entity is required
to submit an OE-417 report. Reports should be submitted via one of the following: e-mail: esisac@nerc.com,
Facsimile: 609-452-9550, voice: 609-452-1422.
Task / Comments
1. Entity filing the report include:
   Company name:
   Name of contact person:
   Email address of contact person:
   Telephone Number:
   Submitted by (name):
2. Date and Time of recognized event.
   Date: (mm/dd/yyyy)
   Time: (hh:mm)
   Time/Zone:
3. Did the actual or potential event originate in your system?
   Actual event   Potential event
   Yes   No   Unknown
4. Event Identification and Description:
   (Check applicable box)
   public appeal
   voltage reduction
   manual firm load shedding
   firm load shedding (undervoltage, underfrequency, SPS/RAS)
   voltage deviation
   IROL violation
   loss of firm load
   system separation (islanding)
   generation loss
   loss of off-site power to nuclear generating plant
   transmission loss
   damage or destruction of BES equipment
   damage or destruction of Critical Asset
   damage or destruction of Critical Cyber Asset
   unplanned control center evacuation
   fuel supply emergency
   loss of all monitoring or voice communication capability
   forced intrusion Risk to BES equipment
   reportable Cyber Security Incident
   other
   Written description (optional unless Other is checked):
Guideline and Technical Basis
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and has
developed updated standards based on the SAR.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The DSR SDT also proposed to investigate incorporation of the cyber incident reporting aspects
of CIP-008 under this project. This will be coordinated with the Cyber Security - Order 706
SDT (Project 2008-06).
The DSR SDT has reviewed the existing standards, the SAR, issues from the NERC database
and FERC Order 693 Directives to determine a prudent course of action with respect to these
standards.
This concept paper provides stakeholders with a proposed “road map” that will be used by the
DSR SDT in updating or revising CIP-001 and EOP-004. This concept paper provides the
background information and thought process of the DSR SDT.
The changes do not include any real-time operating notifications for the types of
events covered by CIP-001 and EOP-004. The real-time reporting requirements are achieved
through the RCIS and are covered in other standards (e.g. EOP-002-Capacity and Energy
Emergencies). This standard deals exclusively with after-the-fact
reporting.
The DSR SDT has consolidated disturbance and sabotage event
reporting under a single standard. These two components and other key concepts are discussed
in the following sections.
Summary of Concepts and Assumptions:
The Standard:
• Requires reporting of “events” that impact or may impact the reliability of the bulk electric system
• Provides clear criteria for reporting
• Includes consistent reporting timelines
• Identifies appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provides clarity around who will receive the information
The drafting team will explore other opportunities for efficiency, such as development of an
electronic form and possible inclusion of regional reporting requirements.
Discussion of Disturbance Reporting
Disturbance reporting requirements existed in the previous version of EOP-004.
The current approved definition of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria were in the previous EOP-004
standard and its attachments. The DSR SDT discussed the reliability needs for disturbance
reporting and developed the list of events that are to be reported under this
standard (Attachment 1).
Discussion of “Impact Event” Reporting
There are situations worthy of reporting because they have the potential to impact reliability. The
DSR SDT proposes calling such incidents ‘Impact Events’ with the following concept:
An Impact Event is any situation that has the potential to significantly impact the
reliability of the Bulk Electric System. Such events may originate from malicious intent,
accidental behavior, or natural occurrences.
Impact Event reporting facilitates industry awareness, which allows potentially impacted parties
to prepare for and possibly mitigate any associated reliability risk. It also provides the raw
material, in the case of certain potential reliability threats, to see emerging patterns.
Examples of such events include:
• Bolts removed from transmission line structures
• Detection of cyber intrusion that meets criteria of CIP-008 or its successor standard
• Forced intrusion attempt at a substation
• Train derailment near a transmission right-of-way
• Destruction of Bulk Electrical System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electrical System using the
event categorization in this standard, it will be easier to get the relevant information for
mitigation, awareness, and tracking, while removing the distracting element of motivation.
The DSR SDT discussed the reliability needs for Impact Event reporting and will consider
guidance found in the document “NERC Guideline: Threat and Incident Reporting” in the
development of requirements, which will include clear criteria for reporting.
Certain types of events should be reported to NERC, the Department of Homeland
Security (DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law
enforcement. Other types of impact events may have different reporting
requirements. For example, an event that is related to copper theft may only need
to be reported to the local law enforcement authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. The standard requires Functional entities to report
the incidents and provide known information at the
time of the report. Further data gathering necessary for event analysis is provided
for under the Events Analysis Program and the NERC Rules of Procedure. Other entities (e.g.,
NERC, Law Enforcement, etc.) will be responsible for performing the analyses. The NERC
Rules of Procedure (section 800) provide an overview of the responsibilities of the ERO in
regards to analysis and dissemination of information for reliability. Jurisdictional agencies
(which may include DHS, FBI, NERC, RE, FERC, Provincial Regulators, and DOE) have other
duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The goal of the DSR SDT is to have one reporting form for all functional entities (US, Canada,
Mexico) to submit to NERC. Ultimately, it may make sense to develop an electronic version to
expedite completion, sharing and storage. Ideally, entities would complete a single form which
could then be distributed to jurisdictional agencies and functional entities as appropriate.
Specific reporting forms 9 that exist today (i.e. - OE-417, etc) could be included as part of the
electronic form to accommodate US entities with a requirement to submit the form, or may be
removed (but still be mandatory for US entities under Public Law 93-275) to streamline the
proposed consolidated reliability standard for all North American entities (US, Canada, Mexico).
Jurisdictional agencies may include DHS, FBI, NERC, RE, FERC, Provincial Regulators, and
DOE. Functional entities may include the RC, TOP, and BA for industry awareness.
Applicability of the standard will be determined based on the specific requirements.
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT has updated the listing of reportable
events in Attachment 1 based on discussions with jurisdictional agencies, NERC, Regional
Entities and stakeholder input. There is a possibility that regional differences may still exist.
The reporting required by this standard is intended to meet the uses and
purposes of NERC. The DSR SDT recognizes that other requirements for reporting exist (e.g.,
DOE-417 reporting), which may duplicate or overlap the information required by NERC. To the
extent that other reporting is required, the DSR SDT envisions that duplicate entry of
information should not be necessary, and the submission of the alternate report will be
acceptable to NERC so long as all information required by NERC is submitted. For example, if
the NERC Report duplicates information from the DOE form, the DOE report may be included
or attached to the NERC report, in lieu of entering that information on the NERC report.
9 The DOE Reporting Form, OE-417 is currently a part of the EOP-004 standard. If this report is removed from the
standard, it should be noted that this form is still required by law as noted on the form: NOTICE: This report is
mandatory under Public Law 93-275. Failure to comply may result in criminal fines, civil penalties and other
sanctions as provided by law. For the sanctions and the provisions concerning the confidentiality of information
submitted on this form, see General Information portion of the instructions. Title 18 USC 1001 makes it a criminal
offense for any person knowingly and willingly to make to any Agency or Department of the United States any
false, fictitious, or fraudulent statements as to any matter within its jurisdiction.
Unofficial Comment Form
Disturbance and Sabotage Reporting (Project 2009-01)
Please DO NOT use this form to submit comments. Please use the electronic comment form to
submit comments on the first formal posting for Project 2009-01—Disturbance and Sabotage
Reporting. The electronic comment form must be completed by December 12, 2011.
2009-01 Project Page
If you have questions please contact Stephen Crutchfield at stephen.crutchfield@nerc.net
or by telephone at 609-651-9455.
Background
The DSR SDT posted the draft standard EOP-004-2 for a formal comment period from March 9,
2011 through April 8, 2011. Based on stakeholder feedback, the DSR SDT made several revisions
to the standard to improve clarity and address other concerns identified by stakeholders. The main
stakeholder concerns were addressed as follows:
Definition of Impact Event. Many stakeholders disagreed with the need for the definition of
“Impact Event” and felt that the definition was ambiguous and created confusion. The DSR
SDT agrees and has deleted the proposed definition from the standard. The list of events that are
to be reported in Attachment 1 is inclusive and no further attempts to define “Impact Event” are
necessary.
Timeframe for Reporting and Event. Many stakeholders raised concerns with the one-hour
reporting requirement for certain types of events. The commenters believed that the restoration of
service or the return to a stable bulk power system state may be jeopardized by having to report
certain events within one hour. The DSR SDT agreed and revised the reporting time to 24 hours
for most events, with the exception of damage to or destruction of BES equipment, forced intrusion
or cyber related incidents.
VRFs. Many stakeholders suggested that the reporting of events after the fact only justified a VRF
of “lower” for each requirement. With the revised standard, there are now three requirements.
Requirement 1 specifies that the responsible entity have an Operating Plan for identifying and
reporting events listed in Attachment A. This is procedural in nature and justifies a “lower” VRF, as
this requirement deals with the means to report events after the fact. The current approved VRFs
for EOP-004-1 are all lower with the exception of Requirement R2 which is a requirement to
analyze events. This standard relates only to reporting events. The analysis of reported events is
addressed through the NERC Events Analysis Program in accordance with the NERC Rules of
Procedure.
The three remaining requirements in EOP-004-2 require entities affected by events to report those
events based on the specifics in Attachment A (Requirement R3) and to test the communications
protocol of their Operating Plan once per year (R4). Requirement R2 provides for implementation
of the Operating Plan as it relates to Requirement R1, Parts 1.1, 1.2, 1.4 and 1.5. Requirement
R3 specifies that an entity is responsible for reporting events to the appropriate entities in
accordance with the Operating Plan based on Attachment A. Requirement R4 is intended to ensure
that an entity can communicate information about events. Some of these events are potential
sabotage events, and communicating these events is intended to make other entities aware to help
prevent further sabotage events from occurring. Existing CIP-001-1a deals with sabotage events,
and the approved VRFs for each of the requirements are “medium.” The proposed VRFs for EOP-004-2 are consistent with the existing approved VRFs for both EOP-004 and CIP-001.
Applicability. Commenters also had concerns about the applicability of the standard to Load
Serving Entities, who may not own physical assets, as well as to the ERO and Regional Entity. The
DSR SDT agrees that the Distribution Provider owns the assets per the Functional Model, however
the LSE is an applicable entity under CIP-002, and under the CIP standards is responsible for
reporting cyber security incidents. The ERO and RE are also responsible for reporting cyber
security incidents under CIP-002. Therefore, the SDT determined that it was appropriate to include
LSEs, the ERO and the RE in the applicability of EOP-004-2.
After the drafting team completed its consideration of stakeholder comments, the standards and
implementation plan were submitted for quality review. Based on feedback from the quality
review, the drafting team has made two significant revisions to the standard. The first revision is
to add a requirement for implementation of the Operating Plan listed in Requirement R1. There
was only a requirement to report events, but no requirement specifically calling for updates to the
Operating Plan or the annual review. This was accomplished by having two requirements. The first
is Requirement R2 which specifies that an entity must implement the Operating Plan per
Requirement R1, Parts 1.1, 1.2, 1.4 and 1.5:
R2. Each Responsible Entity shall implement the parts of its Operating Plan that meet
Requirement R1, Parts 1.1 and 1.2 for an actual event and Parts 1.4 and 1.5 as specified.
The second Requirement is R3 which addresses Part 1.3:
R3. Each Responsible Entity shall report events in accordance with its Operating Plan
developed to address the events listed in Attachment 1.
The second revision based on the quality review pertains to Requirement R4. The quality review
suggested revising the requirement to more closely match the language in the Rationale box that
the drafting team developed. This would provide better guidance for responsible entities as well as
provide more clear direction to auditors. The revised requirement is:
R4. Each Responsible Entity shall verify (through actual implementation for an event, or
through a drill or exercise) the communication process in its Operating Plan, created
pursuant to Requirement 1, Part 1.3, at least annually (once per calendar year), with no
more than 15 calendar months between verification or actual implementation.
You do not have to answer all questions. Enter all comments in Simple
Text Format.
1. The DSR SDT has revised EOP-004-2 to remove the training requirement R4 based on
stakeholder comments from the second formal posting. Do you agree with this revision?
If not, please explain in the comment area below.
Yes
No
Comments:
2. The DSR SDT includes two requirements regarding implementation of the Operating
Plan specified in Requirement R1. The previous version of the standard had a
requirement to implement the Operating plan as well as a requirement to report
events. The two requirements R2 and R3 were written to delineate implementation of
the Parts of R1. Do you agree with these revisions? If not, please explain in the
comment area below.
R2. Each Responsible Entity shall implement the parts of its Operating Plan that meet
Requirement R1, Parts 1.1 and 1.2 for an actual event and Parts 1.4 and 1.5 as specified.
R3. Each Responsible Entity shall report events in accordance with its Operating Plan
developed to address the events listed in Attachment 1.
Yes
No
Comments:
3. The DSR SDT revised reporting times for many events listed in Attachment 1 from one
hour to 24 hours. Do you agree with these revisions? If not, please explain in the
comment area below.
Yes
No
Comments:
4. Do you have any other comment, not expressed in questions above, for the DSR SDT?
Comments:
Implementation Plan
Project 2009-01 Disturbance and Sabotage Reporting
Implementation Plan for EOP-004-2 – Event Reporting
Approvals Required
EOP-004-2 – Event Reporting
Prerequisite Approvals
Revisions to Sections 807 and 808 of the NERC Rules of Procedure
Addition of Section 812 to the NERC Rules of Procedure
Revisions to Glossary Terms
None
Applicable Entities
Reliability Coordinator
Balancing Authority
Interchange Coordinator
Transmission Service provider
Transmission Owner
Transmission Operator
Generator Owner
Generator Operator
Distribution Provider
Load-Serving Entity
Electric Reliability Organization
Regional Entity
Conforming Changes to Other Standards
None
Effective Dates
EOP-004-2 shall become effective on the first day of the third calendar quarter after applicable regulatory
approval. In those jurisdictions where no regulatory approval is required, this standard shall become effective
on the first day of the third calendar quarter after Board of Trustees approval.
Retirements
EOP-004-1 – Disturbance Reporting and CIP-001-2a – Sabotage Reporting should be retired at midnight
of the day immediately prior to the Effective Date of EOP-004-2 in the particular jurisdiction in which
the new standard is becoming effective.
CIP-008-4 – Cyber Security - Incident Reporting and Response Planning: Retire R1.3 which contains
provisions for reporting Cyber Security Incidents. This is addressed in EOP-004-2, Requirement 1, Part
1.3.
Project 2009-01 Disturbance and Sabotage Reporting
Mapping Document
Translation of CIP-002-2a – Sabotage Reporting, EOP-004-1 – Disturbance Reporting and CIP-008-4 – Cyber Security – Incident
Reporting and Response Planning (R 1.3), into EOP-004-2 – Impact Event and Disturbance Assessment, Analysis, and Reporting
Standard: CIP-001-2a – Sabotage Reporting
Requirement in Approved Standard | Translation to New Standard or Other Action | Proposed Language in EOP-004-2 - Impact Event and Disturbance Assessment, Analysis, and Reporting
R1. Each Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall have
procedures for the recognition of and for making
their operating personnel aware of sabotage events
on its facilities and multi site sabotage affecting
larger portions of the Interconnection.
Moved into EOP-004-2, R1
R1. Each Responsible Entity shall have an Operating Plan that includes:
[Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for identifying events listed in Attachment 1.
1.2. A process for gathering information for Attachment 2 regarding
events listed in Attachment 1.
1.3. A process for communicating events listed in Attachment 1 to
the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and the following as appropriate:
• Internal company personnel
• The Responsible Entities’ Regional Entity
• Law enforcement
• Governmental or provincial agencies
1.4. Provision(s) for updating the Operating Plan within 90 calendar
days of any change in assets, personnel, other circumstances that
may no longer align with the plan or incorporating lessons learned
pursuant to Requirement R3.
1.5. Process for ensuring the responsible entity reviews the
Operating Plan at least annually (once each calendar year) with no
more than 15 months between reviews.
R2. Each Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall have
procedures for the communication of information
concerning sabotage events to appropriate parties
in the Interconnection.
Moved into EOP-004-2, R1
R1. Each Responsible Entity shall have an Operating Plan that includes:
[Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for identifying events listed in Attachment 1.
1.2. A process for gathering information for Attachment 2 regarding
events listed in Attachment 1.
1.3. A process for communicating events listed in Attachment 1 that
includes the Electric Reliability Organization, the Responsible
Entity’s Reliability Coordinator and the following as appropriate:
• Internal company personnel
• The Responsible Entities’ Regional Entity
• Law enforcement
• Governmental or provincial agencies
1.4. Provision(s) for updating the Operating Plan within 90 calendar
days of any change in assets, personnel, other circumstances that
may no longer align with the plan or incorporating lessons learned
pursuant to R3.
1.5. Process for ensuring the responsible entity reviews the
Operating Plan at least annually (once each calendar year) with no
more than 15 months between reviews.
R3. Each Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall provide its
operating personnel with sabotage response
guidelines, including personnel to contact, for
reporting disturbances due to sabotage events.
Moved into EOP-004-2, R1
R1. Each Responsible Entity shall have an Operating Plan that includes:
[Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for identifying events listed in Attachment 1.
1.2. A process for gathering information for Attachment 2 regarding
events listed in Attachment 1.
1.3. A process for communicating events listed in Attachment 1 that
includes the Electric Reliability Organization, the Responsible
Entity’s Reliability Coordinator and the following as appropriate:
• Internal company personnel
• Responsible Entities’ Regional Entity
• Law enforcement
• Governmental or provincial agencies
1.4. Provision(s) for updating the Operating Plan within 90 calendar
days of any change in assets, personnel, other circumstances that
may no longer align with the plan or incorporating lessons learned
pursuant to R3.
1.5. Process for ensuring the responsible entity reviews the
Operating Plan at least annually (once each calendar year) with no
more than 15 months between reviews.
R4. Each Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall establish
communications contacts, as applicable, with local
Federal Bureau of Investigation (FBI) or Royal
Canadian Mounted Police (RCMP) officials and
develop reporting procedures as appropriate to
their circumstances.
Moved into EOP-004-2, R1
R1. Each Responsible Entity shall have an Operating Plan that includes:
[Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for identifying events listed in Attachment 1.
1.2. A process for gathering information for Attachment 2 regarding
events listed in Attachment 1.
1.3. A process for communicating events listed in Attachment 1 that
includes the Electric Reliability Organization, the Responsible
Entity’s Reliability Coordinator and the following as appropriate:
• Internal company personnel
• Responsible Entities’ Regional Entity
• Law enforcement
• Governmental or provincial agencies
1.4. Provision(s) for updating the Operating Plan within 90 calendar
days of any change in assets, personnel, other circumstances that
may no longer align with the plan or incorporating lessons learned
pursuant to R3.
1.5. Process for ensuring the responsible entity reviews the
Operating Plan at least annually (once each calendar year) with no
more than 15 months between reviews.
Project 2009-01 Disturbance and Sabotage Reporting
Mapping Document – October, 2011
Standard: EOP-004-1 – Disturbance Reporting
Requirement in Approved Standard | Translation to New Standard or Other Action | Proposed Language in EOP-004-2 - Impact Event and Disturbance Assessment, Analysis, and Reporting Comments
R1. Each Regional Reliability Organization shall
establish and maintain a Regional reporting
procedure to facilitate preparation of preliminary
and final disturbance reports.
Retire this fill-in-the-blank requirement.
R2. A Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator or
Load-Serving Entity shall promptly analyze Bulk
Electric System disturbances on its system or
facilities.
Translated into EOP-004-2, R1 and the NERC Events Analysis Process
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
R3. A Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator or
Load-Serving Entity experiencing a reportable
incident shall provide a preliminary written report
to its Regional Reliability Organization and NERC.
Translated into
EOP-004-2, R3
R3. Each Responsible Entity shall report impact events in accordance
with the Operating Plan developed to address events listed in
Attachment 1. [Violation Risk Factor: Lower] [Time Horizon:
Operations Assessment].
Replace with new
reporting and
analysis
procedure
developed by
NERC EAWG.
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent-wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
R3.1. The affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator or Load-Serving Entity shall submit within
24 hours of the disturbance or unusual occurrence
either a copy of the report submitted to DOE, or, if
no DOE report is required, a copy of the NERC
Interconnection Reliability Operating Limit and
Preliminary Disturbance Report form. Events that
are not identified until sometime after they occur
shall be reported within 24 hours of being
recognized.
Translated into
EOP-004-2, R3
R3.2. Applicable reporting forms are provided in
Attachments 022-1 and 022-2.
Retire –
informational
statement
R3. Each Responsible Entity shall report impact events in accordance
with the Operating Plan developed to address events listed in
Attachment 1. [Violation Risk Factor: Lower] [Time Horizon:
Operations Assessment].
R3.3. Under certain adverse conditions, e.g., severe
weather, it may not be possible to assess the
damage caused by a disturbance and issue a written
Interconnection Reliability Operating Limit and
Preliminary Disturbance Report within 24 hours. In
such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator,
Generator Operator, or Load-Serving Entity shall
promptly notify its Regional Reliability
Organization(s) and NERC, and verbally provide as
much information as is available at that time. The
affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator, or Load-Serving Entity shall then provide
timely, periodic verbal updates until adequate
information is available to issue a written
Preliminary Disturbance Report.
Retire as a
requirement.
Added as a
“Note” to EOP-004 Attachment 1 Impact Events
Table
NOTE: Under certain adverse conditions (e.g. severe weather, multiple
events) it may not be possible to report the damage caused by an
event and issue a written Event Report within the timing in the table
below. In such cases, the affected Responsible Entity shall notify
parties per R1 and provide as much information as is available at the
time of the notification. The affected Responsible Entity shall provide
periodic verbal updates until adequate information is available to issue
a written Event report. Reports to the ERO should be submitted to one
of the following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550,
Voice: 609-452-1422.
R3.4. If, in the judgment of the Regional Reliability
Organization, after consultation with the Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity in which a disturbance occurred, a final
report is required, the affected Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity shall prepare this report within 60 days. As a
minimum, the final report shall have a discussion of
the events and its cause, the conclusions reached,
and recommendations to prevent recurrence of this
type of event. The report shall be subject to
Regional Reliability Organization approval.
Retire this fill-in-the-blank
requirement.
R4. When a Bulk Electric System disturbance
occurs, the Regional Reliability Organization shall
make its representatives on the NERC Operating
Committee and Disturbance Analysis Working
Group available to the affected Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity immediately affected by the disturbance for
the purpose of providing any needed assistance in
the investigation and to assist in the preparation of
a final report.
Retire this fill-in-the-blank
requirement.
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent-wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
Replace with new
reporting
procedure
developed by
NERC EAWG.
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent-wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
Replace with new
reporting
procedure
developed by
NERC EAWG.
R5. The Regional Reliability Organization shall track
and review the status of all final report
recommendations at least twice each year to
ensure they are being acted upon in a timely
manner. If any recommendation has not been
acted on within two years, or if Regional Reliability
Organization tracking and review indicates at any
time that any recommendation is not being acted
on with sufficient diligence, the Regional Reliability
Organization shall notify the NERC Planning
Committee and Operating Committee of the status
of the recommendation(s) and the steps the
Regional Reliability Organization has taken to
accelerate implementation.
Retire this fill-in-the-blank
requirement.
Request for Interpretation of CIP-001-2a, R2: Please
clarify what is meant by the term, “appropriate
parties.” Moreover, who within the Interconnection
hierarchy deems parties to be appropriate?
Retire the
interpretation
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent-wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
Replace with new
reporting
procedure
developed by
NERC EAWG.
Addressed in EOP-004-2, R1 by replacing the term, ‘appropriate
parties’ with a broader, more specific list of specific entities to contact
in Part 1.3.
Standard: CIP-008-4 – Cyber Security – Incident Reporting and Response Planning
Requirement in Approved Standard | Translation to New Standard or Other Action | Proposed Language in EOP-004-2 - Impact Event and Disturbance Assessment, Analysis, and Reporting Comments
R1.3. Process for reporting Cyber Security
Incidents to the Electricity Sector Information
Sharing and Analysis Center (ES-ISAC). The
Responsible Entity must ensure that all
reportable Cyber Security Incidents are reported
to the ES-ISAC either directly or through an
intermediary.
Translated into EOP-004-2 Requirement 1,
Part 1.3 and
Attachment 1.
Cyber Security Incidents are defined as:
Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the
Electronic Security Perimeter or Physical Security
Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation
of a Critical Cyber Asset.
Such events are listed in Attachment 1 as “Detection of a
reportable Cyber Security Incident” and are events that are
required to be reported under Reliability Standard EOP-004-2.
Requirement R1, Part 1.3 requires the Responsible Entity to
have “A process for communicating events listed in Attachment
1 to the Electric Reliability Organization,...” The note at the top
of Attachment 1 includes the following:
“Reports to the ERO should be submitted to one of the
following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550,
Voice: 609-452-1422.”
Violation Risk Factor and Violation Severity Level Assignments
Project 2009-01 – Disturbance and Sabotage Reporting
This document provides the drafting team’s justification for assignment of violation risk factors (VRFs)
and violation severity levels (VSLs) for each requirement in
EOP-004-2 — Event Reporting
Each primary requirement is assigned a VRF and a set of one or more VSLs. These elements support the
determination of an initial value range for the Base Penalty Amount regarding violations of requirements
in FERC-approved Reliability Standards, as defined in the ERO Sanction Guidelines.
Justification for Assignment of Violation Risk Factors in EOP-004-2
The Disturbance and Sabotage Reporting Standard Drafting Team applied the following NERC criteria
when proposing VRFs for the requirements in EOP-004-2:
High Risk Requirement
A requirement that, if violated, could directly cause or contribute to bulk electric system
instability, separation, or a cascading sequence of failures, or could place the bulk electric system
at an unacceptable risk of instability, separation, or cascading failures; or, a requirement in a
planning time frame that, if violated, could, under emergency, abnormal, or restorative conditions
anticipated by the preparations, directly cause or contribute to bulk electric system instability,
separation, or a cascading sequence of failures, or could place the bulk electric system at an
unacceptable risk of instability, separation, or cascading failures, or could hinder restoration to a
normal condition.
Medium Risk Requirement
A requirement that, if violated, could directly affect the electrical state or the capability of the
bulk electric system, or the ability to effectively monitor and control the bulk electric system.
However, violation of a medium risk requirement is unlikely to lead to bulk electric system
instability, separation, or cascading failures; or, a requirement in a planning time frame that, if
violated, could, under emergency, abnormal, or restorative conditions anticipated by the
preparations, directly and adversely affect the electrical state or capability of the bulk electric
system, or the ability to effectively monitor, control, or restore the bulk electric system.
However, violation of a medium risk requirement is unlikely, under emergency, abnormal, or
restoration conditions anticipated by the preparations, to lead to bulk electric system instability,
separation, or cascading failures, nor to hinder restoration to a normal condition.
Lower Risk Requirement
A requirement that is administrative in nature and a requirement that, if violated, would not be
expected to adversely affect the electrical state or capability of the bulk electric system, or the
ability to effectively monitor and control the bulk electric system; or, a requirement that is
administrative in nature and a requirement in a planning time frame that, if violated, would not,
under the emergency, abnormal, or restorative conditions anticipated by the preparations, be
expected to adversely affect the electrical state or capability of the bulk electric system, or the
ability to effectively monitor, control, or restore the bulk electric system. A planning requirement
that is administrative in nature.
The SDT also considered consistency with the FERC Violation Risk Factor Guidelines for setting
VRFs: 1
Guideline (1) — Consistency with the Conclusions of the Final Blackout Report
The Commission seeks to ensure that Violation Risk Factors assigned to Requirements of
Reliability Standards in these identified areas appropriately reflect their historical critical impact
on the reliability of the Bulk-Power System.
In the VSL Order, FERC listed critical areas (from the Final Blackout Report) where violations could
severely affect the reliability of the Bulk-Power System: 2
− Emergency operations
− Vegetation management
− Operator personnel training
− Protection systems and their coordination
− Operating tools and backup facilities
− Reactive power and voltage control
− System modeling and data exchange
− Communication protocol and facilities
− Requirements to determine equipment ratings
− Synchronized data recorders
− Clearer criteria for operationally critical facilities
− Appropriate use of transmission loading relief.
Guideline (2) — Consistency within a Reliability Standard
The Commission expects a rational connection between the sub-Requirement Violation Risk
Factor assignments and the main Requirement Violation Risk Factor assignment.
1 North American Electric Reliability Corp., 119 FERC ¶ 61,145, order on reh’g and compliance filing, 120 FERC ¶ 61,145
(2007) (“VRF Rehearing Order”).
2 Id. at footnote 15.
Guideline (3) — Consistency among Reliability Standards
The Commission expects the assignment of Violation Risk Factors corresponding to
Requirements that address similar reliability goals in different Reliability Standards would be
treated comparably.
Guideline (4) — Consistency with NERC’s Definition of the Violation Risk Factor Level
Guideline (4) was developed to evaluate whether the assignment of a particular
Violation Risk Factor level conforms to NERC’s definition of that risk level.
Guideline (5) — Treatment of Requirements that Co-mingle More Than One Obligation
Where a single Requirement co-mingles a higher risk reliability objective and a lesser risk
reliability objective, the VRF assignment for such Requirements must not be watered down to
reflect the lower risk level associated with the less important objective of the Reliability
Standard.
The following discussion addresses how the SDT considered FERC’s VRF Guidelines 2 through 5. The
team did not address Guideline 1 directly because of an apparent conflict between Guidelines 1 and 4.
Whereas Guideline 1 identifies a list of topics that encompass nearly all topics within NERC’s
Reliability Standards and implies that these requirements should be assigned a “High” VRF, Guideline 4
directs assignment of VRFs based on the impact of a specific requirement to the reliability of the system.
The SDT believes that Guideline 4 is reflective of the intent of VRFs in the first instance and therefore
concentrated its approach on the reliability impact of the requirements.
VRF for EOP-004-2:
There are four requirements in EOP-004-2. Requirement R1 was assigned a “Lower” VRF while
Requirements R2, R3 and R4 were assigned a “Medium” VRF.
VRF for EOP-004-2, Requirement R1:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. The Requirement specifies which
functional entities are required to have procedure(s) for recognizing events, gathering information for
completing an event report, and communicating with other entities. The VRFs are only applied at
the Requirement level and each Requirement Part is treated equally.
• FERC’s Guideline 3 — Consistency among Reliability Standards. This requirement calls for an
entity to have procedure(s) for recognizing events, gathering information for completing an event
report, and communicating with other entities. This requirement is administrative in nature and deals
with the means to report events after the fact. Most event reporting requirements in Attachment 1 are
for 24 hours after an event has occurred. The current approved VRFs for EOP-004-1 are all lower
with the exception of Requirement R2, which is a requirement to analyze events. This standard
relates only to reporting events. The analysis portion is addressed through the NERC Rules of
Procedure and the Events Analysis Program.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. Failure to have a
procedure(s) is not likely to directly affect the electrical state or the capability of the bulk electric
system, or the ability to effectively monitor and control the bulk electric system if an entity cannot
report an event and that event led to other preventable events on the BES had the report been made in
a timely fashion. Development of the procedure(s) is a requirement that is administrative in nature
and is in a planning time frame that, if violated, would not, under emergency, abnormal, or
restorative conditions anticipated by the preparations, be expected to adversely affect the electrical
state or capability of the bulk electric system, or the ability to effectively monitor, control, or restore
the bulk electric system. Therefore this requirement was assigned a lower VRF.
• FERC’s Guideline 5 — Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R1 contains only one objective, which is to have procedure(s). The content
of the procedure is specified in Parts 1.1-1.5. Since the requirement is to have a procedure(s), only
one VRF was assigned.
VRF for EOP-004-2, Requirement R2:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. The requirement has no sub-requirements; only one VRF was assigned so there is no conflict.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R4 is a
requirement for entities to report events using the procedure(s) for recognition of events per
Requirement R1. The Standard Drafting Team views this as an aspect of implementing the
Operating Plan for reporting events. The act of reporting in and of itself is not likely to “directly
affect the electrical state or the capability of the bulk electric system, or the ability to effectively
monitor and control the bulk electric system.” However, violation of a medium risk requirement
should also be “unlikely to lead to bulk electric system instability, separation, or cascading
failures…” Such an instance could occur if personnel do not report events. Therefore, this
requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R5 mandates that entities report events per their procedure(s). Bulk power system instability, separation, or
cascading failures are not likely to occur due to a failure to notify another entity of the event failure,
but there is a slight chance that it could occur. Therefore, this requirement was assigned a Medium
VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective. EOP-004-2, Requirement R5 addresses a single objective and has a single VRF.
VRF for EOP-004-2, Requirement R3:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. The requirement has no sub-requirements; only one VRF was assigned so there is no conflict.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R4 is a
requirement for entities to report events using the procedure(s) for recognition of events per
Requirement R1. The act of reporting in and of itself is not likely to “directly affect the electrical
state or the capability of the bulk electric system, or the ability to effectively monitor and control the
bulk electric system.” However, violation of a medium risk requirement should also be “unlikely to
lead to bulk electric system instability, separation, or cascading failures…” Such an instance could
occur if personnel do not report events. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R5 mandates that entities report events per their procedure(s). Bulk power system instability, separation, or
cascading failures are not likely to occur due to a failure to notify another entity of the event failure,
but there is a slight chance that it could occur. Therefore, this requirement was assigned a Medium
VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective. EOP-004-2, Requirement R5 addresses a single objective and has a single VRF.
VRF for EOP-004-2, Requirement R4:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. The requirement has no sub-requirements; only one VRF was assigned so there is no conflict.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R3
specifies a time frame in which to verify the communications protocols developed in the procedures
pursuant to Requirement R1. Both requirements have a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. Failure to verify a
communications protocol could directly affect the electrical state or the capability of the bulk electric
system, or the ability to effectively monitor and control the bulk electric system if an entity cannot
report an event and that event led to other preventable events on the BES had the report been made
in a timely fashion. Therefore this requirement was assigned a medium VRF.
• FERC’s Guideline 5 — Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R3 addresses a single objective and has a single VRF.
Justification for Assignment of Violation Severity Levels for EOP-004-2:
In developing the VSLs for the EOP-004-2 standard, the SDT anticipated the evidence that would be
reviewed during an audit, and developed its VSLs based on the noncompliance an auditor may find
during a typical audit. The SDT based its assignment of VSLs on the following NERC criteria:
Lower: Missing a minor element (or a small percentage) of the required performance. The performance or product measured has significant value as it almost meets the full intent of the requirement.
Moderate: Missing at least one significant element (or a moderate percentage) of the required performance. The performance or product measured still has significant value in meeting the intent of the requirement.
High: Missing more than one significant element (or is missing a high percentage) of the required performance or is missing a single vital component. The performance or product has limited value in meeting the intent of the requirement.
Severe: Missing most or all of the significant elements (or a significant percentage) of the required performance. The performance measured does not meet the intent of the requirement or the product delivered cannot be used in meeting the intent of the requirement.
FERC’s VSL guidelines are presented below, followed by an analysis of whether the VSLs proposed for
each requirement in EOP-004-2 meet the FERC Guidelines for assessing VSLs:
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence
of Lowering the Current Level of Compliance
Compare the VSLs to any prior levels of non-compliance and avoid significant changes that may
encourage a lower level of compliance than was required when levels of non-compliance were
used.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in
the Determination of Penalties
A violation of a “binary” type requirement must be a “Severe” VSL.
Do not use ambiguous terms such as “minor” and “significant” to describe noncompliant
performance.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement
VSLs should not expand on what is required in the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations
. . . unless otherwise stated in the requirement, each instance of non-compliance with a
requirement is a separate violation. Section 4 of the Sanction Guidelines states that assessing
penalties on a per violation per day basis is the “default” for penalty calculations.
VSLs for EOP-004-2 Requirement R1:
R#: R1
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental aspect to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence of Lowering the Current Level of Compliance
The proposed requirement is a revision of CIP-001-1, R1-R4, and EOP-004-1, R2. Since the Requirement has four Parts, the VSLs were developed to count a violation of each Part equally. Therefore, four VSLs were developed.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the Determination of Penalties
Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is Not Consistent
Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language
The proposed VSL does not use any ambiguous terminology, thereby supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding Requirement
The proposed VSL uses the same terminology as used in the associated requirement, and is, therefore, consistent with the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A Cumulative Number of Violations
The VSL is based on a single violation and not cumulative violations.
VSLs for EOP-004-2 Requirement R2:
R#: R2.
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental aspect to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence of Lowering the Current Level of Compliance
The proposed requirement is for entities to implement the Operating Plan for event reporting. There are four Parts that are addressed under this requirement. Parts 1.1 and 1.2 are only applicable for an actual event and are binary in nature. Parts 1.4 and 1.5 require updates or reviews based on certain intervals. Based on the VSL Guidance, the DSR SDT developed four VSLs based on tardiness of the submittal of the report. If the update or review is not performed, then the VSL is Severe.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the Determination of Penalties
Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is Not Consistent
Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language
The proposed VSL does not use any ambiguous terminology, thereby supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding Requirement
The proposed VSL uses the same terminology as used in the associated requirement, and is, therefore, consistent with the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A Cumulative Number of Violations
The VSL is based on a single violation and not cumulative violations.
VSLs for EOP-004-2 Requirement R3:
R#: R2.
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental aspect to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence of Lowering the Current Level of Compliance
The proposed requirement is a revision of EOP-004-1, R3. There is only a Severe VSL for that requirement. However, the reporting of events is based on timing intervals listed in attachment 1. Based on the VSL Guidance, the DSR SDT developed four VSLs based on tardiness of the submittal of the report. If a report is not submitted, then the VSL is Severe. This maintains the current VSL.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the Determination of Penalties
Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is Not Consistent
Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language
The proposed VSL does not use any ambiguous terminology, thereby supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding Requirement
The proposed VSL uses the same terminology as used in the associated requirement, and is, therefore, consistent with the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A Cumulative Number of Violations
The VSL is based on a single violation and not cumulative violations.
VSLs for EOP-004-2 Requirement R4:
R#: R3.
Compliance with NERC’s Revised VSL Guidelines: Meets NERC’s VSL guidelines - Severe: The performance or product measured does not substantively meet the intent of the requirement.
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence of Lowering the Current Level of Compliance
The most comparable VSLs for a similar requirement is EOP-008-0, R1.7 which calls for an annual update to a plan. Based on the VSL Guidance, the DSR SDT developed four VSLs based on tardiness of the verification of the communication protocol. If the verification is not achieved, then the VSL is Severe.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the Determination of Penalties
Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is Not Consistent
Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language
The proposed VSLs do not use any ambiguous terminology, thereby supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding Requirement
The proposed VSLs use the same terminology as used in the associated requirement, and are, therefore, consistent with the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A Cumulative Number of Violations
The VSLs are based on a single violation and not cumulative violations.
Standard CIP-001-1 — Sabotage Reporting
A. Introduction
1. Title: Sabotage Reporting
2. Number: CIP-001-1
3. Purpose: Disturbances or unusual occurrences, suspected or determined to be
caused by sabotage, shall be reported to the appropriate systems, governmental
agencies, and regulatory bodies.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
5. Effective Date: January 1, 2007
B. Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the recognition of and for
making their operating personnel aware of sabotage events on its facilities and
multi-site sabotage affecting larger portions of the Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of
information concerning sabotage events to appropriate parties in the Interconnection.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall provide its operating personnel with sabotage
response guidelines, including personnel to contact, for reporting disturbances due to
sabotage events.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall establish communications contacts, as
applicable, with local Federal Bureau of Investigation (FBI) or Royal Canadian
Mounted Police (RCMP) officials and develop reporting procedures as appropriate to
their circumstances.
C. Measures
M1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request a procedure
(either electronic or hard copy) as defined in Requirement 1.
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request the procedures
or guidelines that will be used to confirm that it meets Requirements 2 and 3.
Adopted by Board of Trustees: November 1, 2006
Effective Date: January 1, 2007
Standard CIP-001-1 — Sabotage Reporting
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request evidence that
could include, but is not limited to procedures, policies, a letter of understanding,
communication records, or other equivalent evidence that will be used to confirm that it
has established communications contacts with the applicable, local FBI or RCMP
officials to communicate sabotage events (Requirement 4).
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Regional Reliability Organizations shall be responsible for compliance
monitoring.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to verify compliance:
- Self-certification (Conducted annually with submission according to
schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to
prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made
within 60 days of an event or complaint of noncompliance. The entity will
have up to 30 days to prepare for the investigation. An entity may request an
extension of the preparation period and the extension will be considered by
the Compliance Monitor on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Reliability Coordinator, Transmission Operator, Generator Operator,
Distribution Provider, and Load Serving Entity shall have current, in-force
documents available as evidence of compliance as specified in each of the
Measures.
If an entity is found non-compliant the entity shall keep information related to the
non-compliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance:
2.1. Level 1: There shall be a separate Level 1 non-compliance, for every one of the
following requirements that is in violation:
2.1.1 Does not have procedures for the recognition of and for making its
operating personnel aware of sabotage events (R1).
2.1.2 Does not have procedures or guidelines for the communication of
information concerning sabotage events to appropriate parties in the
Interconnection (R2).
2.1.3 Has not established communications contacts, as specified in R4.
2.2. Level 2: Not applicable.
2.3. Level 3: Has not provided its operating personnel with sabotage response
procedures or guidelines (R3).
2.4. Level 4: Not applicable.
E. Regional Differences
None indicated.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Amended
Standard EOP-004-1 — Disturbance Reporting
A. Introduction
1. Title: Disturbance Reporting
2. Number: EOP-004-1
3. Purpose: Disturbances or unusual occurrences that jeopardize the operation of the
Bulk Electric System, or result in system equipment damage or customer interruptions,
need to be studied and understood to minimize the likelihood of similar events in the
future.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Regional Reliability Organizations.
5. Effective Date: January 1, 2007
B. Requirements
R1. Each Regional Reliability Organization shall establish and maintain a Regional
reporting procedure to facilitate preparation of preliminary and final disturbance
reports.
R2. A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity shall promptly analyze Bulk Electric System
disturbances on its system or facilities.
R3. A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity experiencing a reportable incident shall provide a
preliminary written report to its Regional Reliability Organization and NERC.
R3.1. The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator or Load Serving Entity shall submit within 24
hours of the disturbance or unusual occurrence either a copy of the report
submitted to DOE, or, if no DOE report is required, a copy of the NERC
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report form. Events that are not identified until some time after they occur
shall be reported within 24 hours of being recognized.
R3.2. Applicable reporting forms are provided in Attachments 1-EOP-004 and
2-EOP-004.
R3.3. Under certain adverse conditions, e.g., severe weather, it may not be possible
to assess the damage caused by a disturbance and issue a written
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report within 24 hours. In such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator, Generator Operator, or Load
Serving Entity shall promptly notify its Regional Reliability Organization(s)
and NERC, and verbally provide as much information as is available at that
time. The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load Serving Entity shall then provide
timely, periodic verbal updates until adequate information is available to issue
a written Preliminary Disturbance Report.
R3.4. If, in the judgment of the Regional Reliability Organization, after consultation
with the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, or Load Serving Entity in which a disturbance occurred, a
final report is required, the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
shall prepare this report within 60 days. As a minimum, the final report shall
have a discussion of the events and its cause, the conclusions reached, and
recommendations to prevent recurrence of this type of event. The report shall
be subject to Regional Reliability Organization approval.
R4. When a Bulk Electric System disturbance occurs, the Regional Reliability Organization
shall make its representatives on the NERC Operating Committee and Disturbance
Analysis Working Group available to the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
immediately affected by the disturbance for the purpose of providing any needed
assistance in the investigation and to assist in the preparation of a final report.
R5. The Regional Reliability Organization shall track and review the status of all final
report recommendations at least twice each year to ensure they are being acted upon in
a timely manner. If any recommendation has not been acted on within two years, or if
Regional Reliability Organization tracking and review indicates at any time that any
recommendation is not being acted on with sufficient diligence, the Regional
Reliability Organization shall notify the NERC Planning Committee and Operating
Committee of the status of the recommendation(s) and the steps the Regional
Reliability Organization has taken to accelerate implementation.
C. Measures
M1. The Regional Reliability Organization shall have and provide upon request as
evidence, its current regional reporting procedure that is used to facilitate preparation
of preliminary and final disturbance reports. (Requirement 1)
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity that has a reportable incident shall have and provide
upon request evidence that could include, but is not limited to, the preliminary report,
computer printouts, operator logs, or other equivalent evidence that will be used to
confirm that it prepared and delivered the NERC Interconnection Reliability Operating
Limit and Preliminary Disturbance Reports to NERC within 24 hours of its recognition
as specified in Requirement 3.1.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and/or Load Serving Entity that has a reportable incident shall have and
provide upon request evidence that could include, but is not limited to, operator logs,
voice recordings or transcripts of voice recordings, electronic communications, or other
equivalent evidence that will be used to confirm that it provided information verbally
as time permitted, when system conditions precluded the preparation of a report in 24
hours. (Requirement 3.3)
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
NERC shall be responsible for compliance monitoring of the Regional Reliability
Organizations.
Regional Reliability Organizations shall be responsible for compliance monitoring
of Reliability Coordinators, Balancing Authorities, Transmission Operators,
Generator Operators, and Load-serving Entities.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to assess compliance:
- Self-certification (Conducted annually with submission according to
schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to
prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made
within 60 days of an event or complaint of noncompliance. The entity will
have up to 30 days to prepare for the investigation. An entity may request an
extension of the preparation period and the extension will be considered by
the Compliance Monitor on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Regional Reliability Organization shall have its current, in-force, regional
reporting procedure as evidence of compliance. (Measure 1)
Each Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, and/or Load Serving Entity that is either involved in a Bulk
Electric System disturbance or has a reportable incident shall keep data related to
the incident for a year from the event or for the duration of any regional
investigation, whichever is longer. (Measures 2 through 4)
If an entity is found non-compliant the entity shall keep information related to the
noncompliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
1.4. Additional Compliance Information
See Attachments:
- EOP-004 Disturbance Reporting Form
- Table 1 EOP-004
2. Levels of Non-Compliance for a Regional Reliability Organization
2.1. Level 1: Not applicable.
2.2. Level 2: Not applicable.
2.3. Level 3: Not applicable.
2.4. Level 4: No current procedure to facilitate preparation of preliminary and final
disturbance reports as specified in R1.
3. Levels of Non-Compliance for a Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator, and Load-Serving Entity:
3.1. Level 1: There shall be a level one non-compliance if any of the following
conditions exist:
3.1.1 Failed to prepare and deliver the NERC Interconnection Reliability
Operating Limit and Preliminary Disturbance Reports to NERC within 24
hours of its recognition as specified in Requirement 3.1
3.1.2 Failed to provide disturbance information verbally as time permitted,
when system conditions precluded the preparation of a report in 24 hours
as specified in R3.3
3.1.3 Failed to prepare a final report within 60 days as specified in R3.4
3.2. Level 2: Not applicable.
3.3. Level 3: Not applicable.
3.4. Level 4: Not applicable.
E. Regional Differences
None identified.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | May 23, 2005 | Fixed reference to attachments 1-EOP-004-0 and 2-EOP-004-0, Changed chart title 1-FAC-004-0 to 1-EOP-004-0, Fixed title of Table 1 to read 1-EOP-004-0, and fixed font. | Errata
0 | July 6, 2005 | Fixed email in Attachment 1-EOP-004-0 from info@nerc.com to esisac@nerc.com. | Errata
0 | July 26, 2005 | Fixed Header on page 8 to read EOP-004-0 | Errata
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Revised
Attachment 1-EOP-004
NERC Disturbance Report Form
Introduction
These disturbance reporting requirements apply to all Reliability Coordinators, Balancing
Authorities, Transmission Operators, Generator Operators, and Load Serving Entities, and
provide a common basis for all NERC disturbance reporting. The entity on whose system a
reportable disturbance occurs shall notify NERC and its Regional Reliability Organization of the
disturbance using the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report forms. Reports can be sent to NERC via email (esisac@nerc.com) or by
facsimile (609-452-9550) using the NERC Interconnection Reliability Operating Limit and
Preliminary Disturbance Report forms. If a disturbance is to be reported to the U.S. Department
of Energy also, the responding entity may use the DOE reporting form when reporting to NERC.
Note: All Emergency Incident and Disturbance Reports (Schedules 1 and 2) sent to DOE shall be
simultaneously sent to NERC, preferably electronically at esisac@nerc.com.
The NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Reports are
to be made for any of the following events:
1. The loss of a bulk power transmission component that significantly affects the integrity of
interconnected system operations. Generally, a disturbance report will be required if the
event results in actions such as:
a. Modification of operating procedures.
b. Modification of equipment (e.g. control systems or special protection systems) to
prevent reoccurrence of the event.
c. Identification of valuable lessons learned.
d. Identification of non-compliance with NERC standards or policies.
e. Identification of a disturbance that is beyond recognized criteria, i.e. three-phase fault
with breaker failure, etc.
f. Frequency or voltage going below the under-frequency or under-voltage load shed
points.
2. The occurrence of an interconnected system separation or system islanding or both.
3. Loss of generation by a Generator Operator, Balancing Authority, or Load-Serving Entity
2,000 MW or more in the Eastern Interconnection or Western Interconnection and 1,000
MW or more in the ERCOT Interconnection.
4. Equipment failures/system operational actions which result in the loss of firm system
demands for more than 15 minutes, as described below:
a. Entities with a previous year recorded peak demand of more than 3,000 MW are
required to report all such losses of firm demands totaling more than 300 MW.
b. All other entities are required to report all such losses of firm demands totaling more
than 200 MW or 50% of the total customers being supplied immediately prior to the
incident, whichever is less.
5. Firm load shedding of 100 MW or more to maintain the continuity of the bulk electric
system.
6. Any action taken by a Generator Operator, Transmission Operator, Balancing Authority, or
Load-Serving Entity that results in:
a. Sustained voltage excursions equal to or greater than ±10%, or
b. Major damage to power system components, or
c. Failure, degradation, or misoperation of system protection, special protection schemes,
remedial action schemes, or other operating systems that do not require operator
intervention, which did result in, or could have resulted in, a system disturbance as
defined by steps 1 through 5 above.
7. An Interconnection Reliability Operating Limit (IROL) violation as required in reliability
standard TOP-007.
8. Any event that the Operating Committee requests to be submitted to Disturbance Analysis
Working Group (DAWG) for review because of the nature of the disturbance and the
insight and lessons the electricity supply and delivery industry could learn.
NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Report
Check here if this is an Interconnection Reliability Operating Limit (IROL) violation report.
1. Organization filing report.
2. Name of person filing report.
3. Telephone number.
4. Date and time of disturbance.
   Date: (mm/dd/yy)
   Time/Zone:
5. Did the disturbance originate in your system? Yes / No
6. Describe disturbance including: cause, equipment damage, critical services
interrupted, system separation, key scheduled and actual flows prior to
disturbance and in the case of a disturbance involving a special
protection or remedial action scheme, what action is being taken to prevent
recurrence.
7. Generation tripped.
   MW Total
   List generation tripped
8. Frequency.
   Just prior to disturbance (Hz):
   Immediately after disturbance (Hz max.):
   Immediately after disturbance (Hz min.):
9. List transmission lines tripped (specify voltage level of each line).
10. (FIRM / INTERRUPTIBLE)
   Demand tripped (MW):
   Number of affected Customers:
   Demand lost (MW-Minutes):
11. Restoration time. (INITIAL / FINAL)
   Transmission:
   Generation:
   Demand:
Attachment 2-EOP-004
U.S. Department of Energy Disturbance Reporting Requirements
Introduction
The U.S. Department of Energy (DOE), under its relevant authorities, has established mandatory
reporting requirements for electric emergency incidents and disturbances in the United States.
DOE collects this information from the electric power industry on Form EIA-417 to meet its
overall national security and Federal Energy Management Agency’s Federal Response Plan
(FRP) responsibilities. DOE will use the data from this form to obtain current information
regarding emergency situations on U.S. electric energy supply systems. DOE’s Energy
Information Administration (EIA) will use the data for reporting on electric power emergency
incidents and disturbances in monthly EIA reports. In addition, the data may be used to develop
legislative recommendations, reports to the Congress and as a basis for DOE investigations
following severe, prolonged, or repeated electric power reliability problems.
Every Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator
or Load Serving Entity must use this form to submit mandatory reports of electric power system
incidents or disturbances to the DOE Operations Center, which operates on a 24-hour basis,
seven days a week. All other entities operating electric systems have filing responsibilities to
provide information to the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator or Load Serving Entity when necessary for their reporting obligations and to
file form EIA-417 in cases where these entities will not be involved. EIA requests that it be
notified of those that plan to file jointly and of those electric entities that want to file separately.
Special reporting provisions exist for those electric utilities located within the United States, but
for whom Reliability Coordinator oversight responsibilities are handled by electrical systems
located across an international border. A foreign utility handling U.S. Balancing Authority
responsibilities, may wish to file this information voluntarily to the DOE. Any U.S.-based utility
in this international situation needs to inform DOE that these filings will come from a foreign-based electric system or file the required reports themselves.
Form EIA-417 must be submitted to the DOE Operations Center if any one of the following
applies (see Table 1-EOP-004-0 — Summary of NERC and DOE Reporting Requirements for
Major Electric System Emergencies):
1. Uncontrolled loss of 300 MW or more of firm system load for more than 15 minutes from a
single incident.
2. Load shedding of 100 MW or more implemented under emergency operational policy.
3. System-wide voltage reductions of 3 percent or more.
4. Public appeal to reduce the use of electricity for purposes of maintaining the continuity of the
electric power system.
5. Actual or suspected physical attacks that could impact electric power system adequacy or
reliability; or vandalism, which target components of any security system. Actual or
suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
6. Actual or suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
7. Fuel supply emergencies that could impact electric power system adequacy or reliability.
8. Loss of electric service to more than 50,000 customers for one hour or more.
9. Complete operational failure or shut-down of the transmission and/or distribution electrical
system.
The initial DOE Emergency Incident and Disturbance Report (form EIA-417 – Schedule 1) shall
be submitted to the DOE Operations Center within 60 minutes of the time of the system
disruption. Complete information may not be available at the time of the disruption. However,
provide as much information as is known or suspected at the time of the initial filing. If the
incident is having a critical impact on operations, a telephone notification to the DOE Operations
Center (202-586-8100) is acceptable, pending submission of the completed form EIA-417.
Electronic submission via an on-line web-based form is the preferred method of notification.
However, electronic submission by facsimile or email is acceptable.
An updated form EIA-417 (Schedule 1 and 2) is due within 48 hours of the event to provide
complete disruption information. Electronic submission via facsimile or email is the preferred
method of notification. Detailed DOE Incident and Disturbance reporting requirements can be
found at: http://www.eia.doe.gov/cneaf/electricity/page/form_417.html.
Table 1-EOP-004-0
Summary of NERC and DOE Reporting Requirements for Major Electric System Emergencies
Incident No. | Incident | Threshold | Report Required | Time
1 | Uncontrolled loss of Firm System Load | ≥ 300 MW – 15 minutes or more | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
2 | Load Shedding | ≥ 100 MW under emergency operational policy | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
3 | Voltage Reductions | 3% or more – applied system-wide | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
4 | Public Appeals | Emergency conditions to reduce demand | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
5 | Physical sabotage, terrorism or vandalism | On physical security systems – suspected or real | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
6 | Cyber sabotage, terrorism or vandalism | If the attempt is believed to have or did happen | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
7 | Fuel supply emergencies | Fuel inventory or hydro storage levels ≤ 50% of normal | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
8 | Loss of electric service | ≥ 50,000 for 1 hour or more | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
9 | Complete operation failure of electrical system | If isolated or interconnected electrical systems suffer total electrical system collapse | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
All DOE EIA-417 Schedule 1 reports are to be filed within 60-minutes after the start of an
incident or disturbance
All DOE EIA-417 Schedule 2 reports are to be filed within 48-hours after the start of an
incident or disturbance
All entities required to file a DOE EIA-417 report (Schedule 1 & 2) shall send a copy of these
reports to NERC simultaneously, but no later than 24 hours after the start of the incident or
disturbance.
Incident No. | Incident | Threshold | Report Required | Time
1 | Loss of major system component | Significantly affects integrity of interconnected system operations | NERC Prelim / Final report | 24 hour / 60 day
2 | Interconnected system separation or system islanding | Total system shutdown; Partial shutdown, separation, or islanding | NERC Prelim / Final report | 24 hour / 60 day
3 | Loss of generation | ≥ 2,000 – Eastern Interconnection; ≥ 2,000 – Western Interconnection; ≥ 1,000 – ERCOT Interconnection | NERC Prelim / Final report | 24 hour / 60 day
4 | Loss of firm load ≥15-minutes | Entities with peak demand ≥3,000: loss ≥300 MW; All others ≥200MW or 50% of total demand | NERC Prelim / Final report | 24 hour / 60 day
5 | Firm load shedding | ≥100 MW to maintain continuity of bulk system | NERC Prelim / Final report | 24 hour / 60 day
6 | System operation or operation actions resulting in: | Voltage excursions ≥10%; Major damage to system components; Failure, degradation, or misoperation of SPS | NERC Prelim / Final report | 24 hour / 60 day
7 | IROL violation | Reliability standard TOP-007. | NERC Prelim / Final report | 72 hour / 60 day
8 | As requested by ORS Chairman | Due to nature of disturbance & usefulness to industry (lessons learned) | NERC Prelim / Final report | 24 hour / 60 day
All NERC Operating Security Limit and Preliminary Disturbance reports will be filed within 24
hours after the start of the incident. If an entity must file a DOE EIA-417 report on an incident,
which requires a NERC Preliminary report, the Entity may use the DOE EIA-417 form for both
DOE and NERC reports.
Any entity reporting a DOE or NERC incident or disturbance has the responsibility to also
notify its Regional Reliability Organization.
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Ballot Pool Window Now Open: Oct. 28 – Nov. 28, 2011
Formal Comment Period Open: Oct. 28 – Dec. 12, 2011
Initial Ballot Window: Dec. 2 – 12, 2011
Available Now
EOP-004-2 – Event Reporting (clean and redline showing changes to the last posting), an
implementation plan (clean and redline to the last posting), and several associated documents
(listed below) have been posted for a formal comment period and initial ballot that will end at 8
p.m. Eastern on Monday, December 12, 2011. Two ballot pools are being formed – one for
balloting the standard, and a separate ballot pool for the non-binding poll of the associated VRFs
and VSLs. The ballot pool window is open through 8 a.m. Eastern on Monday, November 28.
(Please note that this is 8 a.m. on the Monday following Thanksgiving weekend – Registered
Ballot Body members interested in joining the ballot pools for this project should plan
accordingly).
The following associated documents have been posted for stakeholder review and comment:
• Consideration of Comments Report – Provides a summary of the modifications made to the
proposed standard and supporting documents based on comments submitted during the
formal comment period that ended April 8, 2011
• Mapping Document - Identifies each requirement in the two already-approved standards that
are being consolidated into EOP-004-2 (EOP-004-1 and CIP-001-1a), and identifies how the
requirement has been treated in the revisions proposed Draft 3 of EOP-004-2
• VRF/VSL Justification – Explains how the VRFs and VSLs the drafting team has proposed for
EOP-004-2 comply with guidelines that FERC and NERC have established for VRFs and VSLs
• Unofficial comment form in Word format – This is for informal use when compiling responses
– the final must be submitted electronically
Instructions for Joining Ballot Pools for EOP-004-2 and Associated VRFs/VSLs
Two separate ballot pools are being formed – one ballot pool for Registered Ballot Body (RBB)
members interested in balloting of EOP-004-2, and a second for RBB members interested in
casting an opinion during the non-binding poll of VRFs and VSLs associated with EOP-004-2. RBB
members who join the ballot pool for the standard will not be automatically entered in the ballot
pool for the non-binding poll, but must elect to join the second ballot pool.
To join the ballot pool to be eligible to vote in the upcoming ballots and non-binding poll go to:
Join Ballot Pool
During the pre-ballot windows, members of the ballot pool may communicate with one another
by using their “ballot pool list server.” (Once the balloting begins, ballot pool members are
prohibited from using the ballot pool list servers.)
The ballot pool list server for the initial ballot is: bp-2009-01_DSR_in@nerc.com
The ballot pool list server for the non-binding poll is:
bp-2009-01_DSR_NB_2011_in@nerc.com
Instructions for Commenting
Please use this electronic form ONLY to submit comments. In order to avoid duplication, please
indicate “submitted comments electronically” on the ballot and non-binding poll comment section
to avoid duplication.
If you experience any difficulties in using the electronic form, please contact Monica Benson at
monica.benson@nerc.net. An off-line, unofficial copy of the comment form is posted on the
project page.
Next Steps
An initial ballot of EOP-004-2 will be conducted beginning on Friday, December 2, 2011 through 8
p.m. Eastern on Monday, December 12, 2011.
Background
Stakeholders have indicated that identifying potential acts of “sabotage” is difficult to do in real
time, and additional clarity is needed to identify thresholds for reporting potential acts of
sabotage in CIP-001-1. Stakeholders have also reported that EOP-004-1 has some requirements
that reference out-of-date Department of Energy forms, making the requirements ambiguous.
EOP-004-1 also has some ‘fill-in-the-blank’ components to eliminate.
The project will include addressing previously identified stakeholder concerns and FERC directives;
will bring the standards into conformance with the latest approved version of the ERO Rules of
Procedure; and may include other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards.
Additional information is available on the project webpage.
A stakeholder interested in following the Disturbance and Sabotage Reporting Drafting Team’s
development of EOP-004-2 may monitor meeting agendas and notes on the team’s “Related Files”
web page or may submit a request to join the team’s “plus” e-mail list to receive meeting agendas
and meeting notes as they are distributed to the team. To join the team’s “plus” e-mail list, send
an e-mail request to: sarcomm@nerc.net. Please indicate the drafting team’s name in the subject
line of the e-mail.
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development
process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 404-446-2560.
North American Electric Reliability Corporation
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Initial Ballot Window and Non-Binding Poll
Open: December 2 – 12, 2011
Available December 2nd
An initial ballot of EOP-004-2 – Event Reporting and its associated implementation plan, and a
non-binding poll of the associated VRFs and VSLs, are open tomorrow through 8 p.m. Eastern on Monday,
December 12, 2011.
Instructions for Balloting
Members of the ballot pools associated with this project may log in and submit their vote for the
standard and opinion for the non-binding poll from the following page:
https://standards.nerc.net/CurrentBallots.aspx.
Instructions for Commenting
A formal comment period is also open through 8 p.m. Eastern on Monday, December 12, 2011. Please
use this electronic form to submit comments. If you experience any difficulties in using the electronic
form, please contact Monica Benson at monica.benson@nerc.net. An off-line, unofficial copy of the
comment form is posted on the project page.
Special Instructions for Submitting Comments with a Ballot
Please note that comments submitted during the formal comment period, the ballot for the standard,
and the non-binding poll of VRFs and VSLs all use the same electronic form, and it is NOT necessary for
ballot pool members to submit more than one set of comments (one through the electronic form, one
with the ballot, and one with the non-binding poll). The drafting team requests that all stakeholders
(ballot pool members as well as other stakeholders) submit all comments through the electronic
comment form.
Next Steps
The drafting team will consider all comments and determine what changes to make in response to
stakeholder input from the comments.
Background
Stakeholders have indicated that identifying potential acts of “sabotage” is difficult to do in real time,
and additional clarity is needed to identify thresholds for reporting potential acts of sabotage in
CIP-001-1. Stakeholders have also reported that EOP-004-1 has some requirements that reference
out-of-date Department of Energy forms, making the requirements ambiguous. EOP-004-1 also has some
‘fill-in-the-blank’ components to eliminate.
The project will include addressing previously identified stakeholder concerns and FERC directives; will
bring the standards into conformance with the latest approved version of the ERO Rules of Procedure;
and may include other improvements to the standards deemed appropriate by the drafting team, with
the consensus of stakeholders, consistent with establishing high quality, enforceable and technically
sufficient bulk power system reliability standards.
Additional information is available on the project webpage.
A stakeholder interested in following the Disturbance and Sabotage Reporting Drafting Team’s
development of EOP-004-2 may monitor meeting agendas and notes on the team’s “Related Files” web
page or may submit a request to join the team’s “plus” e-mail list to receive meeting agendas and
meeting notes as they are distributed to the team. To join the team’s “plus” e-mail list, send an e-mail
request to: sarcomm@nerc.net. Please indicate the drafting team’s name in the subject line of the
e-mail.
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development
process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 404-446-2560.
North American Electric Reliability Corporation
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Ballot Pool Window Now Open: Oct. 28 – Nov. 28, 2011
Formal Comment Period Open: Oct. 28 – Dec. 12, 2011
Initial Ballot Window: Dec. 2 – 12, 2011
Available Now
EOP-004-2 – Event Reporting (clean and redline showing changes to the last posting), an
implementation plan (clean and redline to the last posting), and several associated documents
(listed below) have been posted for a formal comment period and initial ballot that will end at 8
p.m. Eastern on Monday, December 12, 2011. Two ballot pools are being formed – one for
balloting the standard, and a separate ballot pool for the non-binding poll of the associated VRFs
and VSLs. The ballot pool window is open through 8 a.m. Eastern on Monday, November 28.
(Please note that this is 8 a.m. on the Monday following Thanksgiving weekend – Registered
Ballot Body members interested in joining the ballot pools for this project should plan
accordingly).
The following associated documents have been posted for stakeholder review and comment:
• Consideration of Comments Report – Provides a summary of the modifications made to the
proposed standard and supporting documents based on comments submitted during the
formal comment period that ended April 8, 2011
• Mapping Document – Identifies each requirement in the two already-approved standards that
are being consolidated into EOP-004-2 (EOP-004-1 and CIP-001-1a), and identifies how the
requirement has been treated in the revisions proposed in Draft 3 of EOP-004-2
• VRF/VSL Justification – Explains how the VRFs and VSLs the drafting team has proposed for
EOP-004-2 comply with guidelines that FERC and NERC have established for VRFs and VSLs
• Unofficial comment form in Word format – This is for informal use when compiling responses
– the final must be submitted electronically
Instructions for Joining Ballot Pools for EOP-004-2 and Associated VRFs/VSLs
Two separate ballot pools are being formed – one ballot pool for Registered Ballot Body (RBB)
members interested in balloting of EOP-004-2, and a second for RBB members interested in
casting an opinion during the non-binding poll of VRFs and VSLs associated with EOP-004-2. RBB
members who join the ballot pool for the standard will not be automatically entered in the ballot
pool for the non-binding poll, but must elect to join the second ballot pool.
To join the ballot pool to be eligible to vote in the upcoming ballots and non-binding poll go to:
Join Ballot Pool
During the pre-ballot windows, members of the ballot pool may communicate with one another
by using their “ballot pool list server.” (Once the balloting begins, ballot pool members are
prohibited from using the ballot pool list servers.)
The ballot pool list server for the initial ballot is: bp-2009-01_DSR_in@nerc.com
The ballot pool list server for the non-binding poll is:
bp-2009-01_DSR_NB_2011_in@nerc.com
Instructions for Commenting
Please use this electronic form ONLY to submit comments. In order to avoid duplication, please
indicate “submitted comments electronically” on the ballot and non-binding poll comment section.
If you experience any difficulties in using the electronic form, please contact Monica Benson at
monica.benson@nerc.net. An off-line, unofficial copy of the comment form is posted on the
project page.
Next Steps
An initial ballot of EOP-004-2 will be conducted beginning on Friday, December 2, 2011 through 8
p.m. Eastern on Monday, December 12, 2011.
Background
Stakeholders have indicated that identifying potential acts of “sabotage” is difficult to do in real
time, and additional clarity is needed to identify thresholds for reporting potential acts of
sabotage in CIP-001-1. Stakeholders have also reported that EOP-004-1 has some requirements
that reference out-of-date Department of Energy forms, making the requirements ambiguous.
EOP-004-1 also has some ‘fill-in-the-blank’ components to eliminate.
The project will include addressing previously identified stakeholder concerns and FERC directives;
will bring the standards into conformance with the latest approved version of the ERO Rules of
Procedure; and may include other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards.
Additional information is available on the project webpage.
A stakeholder interested in following the Disturbance and Sabotage Reporting Drafting Team’s
development of EOP-004-2 may monitor meeting agendas and notes on the team’s “Related Files”
web page or may submit a request to join the team’s “plus” e-mail list to receive meeting agendas
and meeting notes as they are distributed to the team. To join the team’s “plus” e-mail list, send
an e-mail request to: sarcomm@nerc.net. Please indicate the drafting team’s name in the subject
line of the e-mail.
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development
process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 404-446-2560.
North American Electric Reliability Corporation
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
Name (48 Responses)
Organization (48 Responses)
Group Name (28 Responses)
Lead Contact (28 Responses)
Question 1 (69 Responses)
Question 1 Comments (76 Responses)
Question 2 (68 Responses)
Question 2 Comments (76 Responses)
Question 3 (69 Responses)
Question 3 Comments (76 Responses)
Question 4 (0 Responses)
Question 4 Comments (76 Responses)
Individual
Bo Jones
Westar Energy
Yes
Yes
Yes
In Requirement 1.3, the statement “and the following as appropriate” is vague and subject to
interpretation. Who determines what is appropriate? We feel it would be better if the SDT would
specify for each event, which party should be notified.
Group
SERC OC Standards Review Group
Gerald Beckerle
No
We agree with removing the training requirement of R4; however we believe that drills and exercises
are also training and R4 should be removed in its entirety because drills and exercises on an after the
fact process do not enhance reliability.
No
It is confusing why R3 is not considered part of R2, which deals with implementation of the Operating
Plan and it appears that R3 could be interpreted as double jeopardy. We suggest deleting R3.
No
No event should have a reporting time less than at the close of the next business day. Any reporting
of an event that requires a less reporting time should only be to entities that can help mitigate an
event such as an RC or other Reliability Entity.
We believe that reporting of the events in Attachment 1 has no reliability benefit to the bulk electric
system. In addition, Attachment 1, in its current form, is likely to be impossible to implement
consistently across North America. A requirement, to be considered a reliability requirement, must be
implementable. We suggest that Attachment 1 should be removed. We have a question about what
looks like a gap in this standard: Assuming one of the drivers for the standard is to protect against a
coordinated physical or cyber attack on the grid, what happens if the attack occurs in 3-4
geographically diverse areas? State or provincial law enforcement officials are not accountable under
the standard, so we have no way of knowing if they report the attack to the FBI or the RCMP. Even if
one or two of them did, might not the FBI, in different parts of the country, interpret it as vandalism,
subject to local jurisdiction? It seems that NERC is the focal point that would have all the reports and,
ideally, some knowledge how the pieces fit together. It looks like NERC’s role is to solely pass
information on “applicable” events to the FERC. Unless the FERC has a 24x7 role not shown in the
standard, should not NERC have some type of assessment responsibility to make inquiries at the
FBI/RCMP on whether they are aware of the potential issue and are working on it? “The comments
expressed herein represent a consensus of the views of the above named members of the SERC OC
Standards Review group only and should not be construed as the position of SERC Reliability
Corporation, its board or its officers.”
Individual
Michael Johnson
APX Power Markets (NCR-11034)
Yes
Yes
Yes
In my opinion the remaining items with 1 hour reporting requirements will in most cases require the
input of incomplete information, since you may be aware of the outage/disturbance, but not aware of
any reason for it. If that is acceptable just to get the initial report that there was an
outage/disturbance then we are OK. I believe it would help to have that clarified in the EOP, or maybe
a CAN can be created for that.
For Attachment 1 and the events titled "Unplanned Control Center evacuation" and "Loss of
monitoring or all voice communication capability". RC, BA, and TOP are the only listed entity types
listed for reporting responsibility. We are a GOP that offers a SCADA service in several regions and
those types of events could result in a loss of situational awareness for the regions we provide
services. I believe the requirement for reporting should not be limited to Entity Type, but on their
impact for situational awareness to the BES based on the amount of generation they control (specific
to our case), or other criteria that would be critical to the BES (i.e. voltage, frequency).
Individual
David Proebstel
Clallam County PUD No.1
Yes
Yes
Yes
While we agree with the revisions as far as they went, we do not believe the SDT has adequately
addressed the FERC Order to “Consider whether separate, less burdensome requirements for smaller
entities may be appropriate.” The one and 24 hour reporting requirements continue to be
burdensome to the smaller entities that do not maintain 24/7 dispatch centers. The one hour
reporting requirement means that an untimely “recognition” starts the clock and reporting will
become a higher priority than restoration. The note regarding adverse conditions does not help unless
we were to consider the very lack of 24/7 dispatch to be such a condition.
Project 2008-06 proposes to withdraw the terms “Critical Asset” and “Critical Cyber Asset” from the
NERC Glossary. In order to avoid a reliability gap when this occurs, we propose including High and
Medium Impact BES Cyber Systems and Assets. The revised wording to add, “as appropriate” to R1.3
is a concern. We understand the SDT’s intent to not require all the bulleted parties to be notified for
every event type. But will a good faith effort on the part of the registered entity to deem
appropriateness be subject to second guessing and possible sanctions by the Compliance Enforcement
Authority if they disagree? We note that CIP-001 required an interpretation to address this issue, but
cannot assume that interpretation will carry over. We suggest spelling out exactly who shall deem
appropriateness. R4 continues to be an onerous requirement for smaller entities. Verification was not
part of the SAR and we are not convinced it is needed for reliability. We are unsure how a DP with no
generation, no BES assets, no Critical Cyber Assets, and less than 100 MW of load; would meet R4.
Shall they drill for impossible events? We ask that R4 be removed. At a minimum it should exclude
entities that cannot experience the events of Attachment 1. Entities that cannot experience the events
of Attachment 1 should likewise be exempt from R1.2, 1.3, R2, and R3.
Group
Northeast Power Coordinating Council
Guy Zito
No
Requirement R4 is unnecessary. Whether or not the process, plan, procedure, etc. is “verified” is of
no consequence. EOP standards are intended to have entities prepare for likely events
(restoration/evacuation), and to provide tools for similar unforeseen events (ice storms, tornadoes,
earthquakes, etc.). They should not force a script when results are what matters.
No
R1.3 should be revised as follows: A process for communicating events listed in Attachment 1 to the
Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator and the following as
determined by the responsible entity:… Without this change it is not clear who determines what
communication level is appropriate. R1.4 should be revised as follows: Provision(s) for updating the
Operating Plan following any change in assets or personnel (if the Operating Plan specifies personnel
or assets), that may no longer align with the Operating Plan; or incorporating lessons learned
pursuant to Requirement R3. R1.5 should be deleted. Responsible Entities can determine the
frequency of Operating Plan updates. Requirement 1.4 requires updating the Operating Plan within 90
calendar days for changes in “assets, personnel…. or incorporating lessons learned”, (or our preceding
proposed revision). This requirement eliminates the need for Requirement 1.5 requiring a review of
the Operating Plan on an annual basis. The only true requirement that is results-based, not
administrative and is actually required to support the Purpose of the Standard is R3.
No
The SDT should work with the NERC team drafting the Events Analysis Process (EAP) to ensure that
the reporting events align and use the same descriptive language. EOP-004 should use the exact
same events as OE-417. These could be considered a baseline set of reportable events. If the SDT
believes that there is justification to add additional reporting events beyond those identified in
OE-417, then the event table could be expanded. If the list of reportable events is expanded beyond the
OE-417 event list, the supplemental events should be the same in both EOP-004-2 and in the EAP
Categories 1 through 5. It is not clear what the difference is between a footnote and “Threshold for
Reporting”. All information should be included in the body of the table, there should be no footnotes.
Event: Risk to BES equipment should be deleted. This is too vague and subjective. This will result in
many “prove the negative” situations. Event: Destruction of BES equipment is also too vague. The
footnote refers to equipment being “damaged or destroyed”. There is a major difference between
destruction and damage. Event: Damage or Destruction of a Critical Asset or Critical Cyber Asset
should be deleted. Disclosure policies regarding sensitive information could limit an entity’s ability to
report. Unintentional damage to a CCA does not warrant a report. Event: BES Emergency requiring
public appeal for load reduction should be modified to note that this does not apply to routine
requests for customer conservation during high load periods.
Requirement 4 does not specifically state the details necessary for an entity to achieve compliance.
Requirement 4 should provide more guidance as to what is required in a drill. Audit/enforcement of
any requirement language that is too broad will potentially lead to Regional interpretation,
inconsistency, and additional CANs. R4 should be revised to delete the 15 month requirement.
CAN-0010 recognizes that entities may determine the definition of annual. The standard is too specific, and
drills down into entity practices, when the results are all that should be looked for. The standard is
requiring multiple reports. The Purpose of the Standard is very broad and should be revised because
some of the events being reported on have no impact on the BES. Revise Purpose wording as follows:
To improve industry awareness and the reliability of the Bulk Electric System “by requiring the
reporting of major system events with the potential to impact reliability and their causes…” on the
Bulk Electric System it can be said that every event occurring on the Bulk Electric System would have
to be reported. Referring to Requirement R4, the testing of the communication process is the
responsibility of the Responsible Entity. There is an event analysis process already in place. The
standard prescribes different sets of criteria, and forms. There should be one recipient of event
information. That recipient should be a “clearinghouse” to ensure the proper dissemination of
information. Why is this standard applicable to the ERO? Requirement R2 is not necessary. It states
the obvious. Requirements R2 and R3 are redundant. The standard mentions collecting information
for Attachment 2, but nowhere does it state what to do with Attachment 2. None of the key concepts
identified on page 5 of the standard are clearly stated or described in the requirements: • Develop a
single form to report disturbances and events that threaten the reliability of the bulk electric system.
• Investigate other opportunities for efficiency, such as development of an electronic form and
possible inclusion of regional reporting requirements. • Establish clear criteria for reporting. •
Establish consistent reporting timelines. • Provide clarity for who will receive the information and how
it will be used. The standard’s requirements should be reviewed with an eye for deleting those that
are redundant, or do not address the Purpose or intent of the standard.
Group
Luminant Power
Stewart Rake
Yes
No
Requirements R1, R2, and R4 are burdensome administrative requirements and are contradictory to
the NERC stated Standards Development goals of reducing administrative requirements by moving to
performance requirements. There is only one Requirement needed in this standard: “The Responsible
Entity shall report events in accordance with Attachment 1.” Attachment 1 should describe how
events should be reported by what Entity to which party within a defined timeframe. If this
requirement is met, all the other proposed requirements have no benefit to the reliability of the Bulk
Electric System. Per the NERC Standard Development guidelines, only items that provide a reliability
benefit should be included in a standard.
No
Luminant agrees with the changes the SDT made, however, the timeline should be modified to put
higher priority activities before reporting requirements. The SDT should consider allowing entities the
ability to put the safety of personnel, safety of the equipment, and possibly the stabilization of BES
equipment efforts prior to initiating the one hour reporting timeline. Reporting requirements should
not be prioritized above these important activities. The requirement to report one hour after the
recognition of such an event may not be sufficient in all instances. Entities should not have a potential
violation as a result of putting these priority issues first and not meeting the one hour reporting
timeline.
The following comments all apply to Attachment 1: • As a general comment, SDT should specifically
list the entities the reportable event applies to in the table for clarity. Do not use general language
referencing another standard or statements such as “Deficient entity is responsible for reporting”,
“Initiating entity is responsible for reporting”, or other similar statements used currently in the table.
This leaves this open and subject to interpretation. Also, there are a number of events that do not
apply to all entities. • Destruction of BES equipment should be Intentional Damage or Destruction of
BES equipment. Unintentional actions occur and should not be a requirement for reporting under
disturbance reporting. • Actions or situations affecting equipment or generation unit availability due to
human error, equipment failure, unintentional human action, external cause, etc. are reported in real
time to the BA and other entities as required by other NERC Standards. Disturbance reporting should
avoid the type of events that, for instance, would cause the total or partial loss of a generating unit
under normal operational circumstances. There are a number of issues with the table in this regard. •
For clarity, consider changing the table to identify for each event type “who” should be notified. This
appears to be missing from the table overall. • Reportable Events, the meaning for the Event labeled
“Destruction of BES equipment” is not clear. Footnote 1 adds the language “iii) Damaged or destroyed
due to intentional or unintentional human action which removes the BES equipment from service.”
This language can be interpreted to mean that any damage to any BES equipment caused by human
action, regardless of intention, must be reported within 1 hour of recognition of the event. This
requirement will be overly burdensome. If this is not the intent of the definition of “Destruction of BES
equipment”, the footnote should be re-worded. As such, it is subjective and left open to
interpretation. It should focus only on intentional actions to damage or interrupt BES functionality. It
should not be worded as such that every item that trips a unit or every item that is damaged on a
unit requires a report. That is where the language right now is not clear. There are and will continue
to be unintentional human error that results in taking equipment out of service. This standard was
meant to replace sabotage reporting. • Damage or destruction of Critical Asset per CIP-002 and
Damage or destruction of a Critical Cyber Asset per CIP-002 should be removed from the table as
Intentional Damage or Destruction of BES equipment would cover this as well. • Risk to BES
equipment should be removed from the table as it is very subjective and broad. At a minimum, the 1
hour reporting timeline should begin after recognition and assessment of the incident. As an example,
a fire close to BES equipment may not truly be a threat to the equipment and will not be known until
an assessment can be made to determine the risk. • Detection of a Reportable Cyber Security incident
should be removed from the table as this is covered by CIP-008 requirements. Having this in two
separate standards is double jeopardy and confusing to entities. • Generation Loss event reporting
should only apply to the BA. These authorities have the ability and right to contact generation
resources to supply necessary information needed for reporting. This would also eliminate redundant
reporting by multiple entities for the same event. • Suggest that Generation Loss MW loss would
match up with the 1500 MW level identified in CIP Version 4 or Version 5 for consistency between
future CIP standards and this disturbance reporting standard. This would then cover CIP and
significant MW losses that should be reported. • The Generation Loss MW loss amount needs to have
a time boundary. Luminant would suggest a loss of 1500 MW within 15 minutes. • Unplanned Control
Center evacuation should not apply to entities that have backup Control Centers where normal
operations can continue without impact to the BES. • Loss of monitoring or all voice communication
capability should be separated. Also the 24 hour reporting requirement may not be feasible if
communications is down for longer than 24 hours. Luminant would suggest removal of the
communication reporting event as there are a number of things that could cause this to occur for
longer than the reporting requirement allows, thus putting entities at jeopardy of a potential violation
that is out of their control. How does an entity report if all systems and communications are down for
more than 24 hours? What about in instances of a partial or total blackout? These events could last
much longer than 24 hours. All computer communication would likely also be down thus rendering
electronic reporting unavailable.
Individual
Michael Moltane
ITC
Yes
Yes
No
See comments to Question #4
Footnote 1 and the corresponding Threshold For Reporting associated with the first Event in
Attachment 1 are not consistent and thus confusing. Qualifying the term BES equipment through a
footnote is inappropriate as it leads to this confusion. For instance, does iii under Footnote 1 apply
only to BES equipment that meet i and ii or is it applicable to all BES equipment? The inclusion of
equipment failure, operational error and unintentional human action within the threshold of reporting
for “destruction” required in the first 3 Events listed in Attachment 1 is also not appropriate. It is clear
through operational history that the intent of the equipment applied to the system, the operating
practices and personnel training developed/delivered to operate the BES is to result in reliable
operation of the BES which has been accomplished exceedingly well given past history. This is vastly
different than for intentional actions and should be excluded from the first 3 events listed in
Attachment. To the extent these issues are present in another event type they will be captured
accordingly. Footnote 1 should be removed and the Threshold for Reporting associated with the first
three events in Attachment 1 should be updated only to include intentional human action. This will
also result in including all BES equipment that was intentionally damaged in the reporting requirement
and not just the small subset qualified by the existing footnote 1. This provides a much better data
sample for law enforcement to make assessments from than the smaller subset qualified by what we
believe the intent of footnote 1 is.
Group
PacifiCorp
Sandra Shaffer
Yes
Yes
Yes
No comment.
Group
Pacific Northwest Small Public Power Utility Comment Group
Steve Alexanderson
Yes
Yes
Yes
While we agree with the revisions as far as they went, we do not believe the SDT has adequately
addressed the FERC Order to “Consider whether separate, less burdensome requirements for smaller
entities may be appropriate.” The one and 24 hour reporting requirements continue to be
burdensome to the smaller entities that do not maintain 24/7 dispatch centers. The one hour
reporting requirement means that an untimely “recognition” starts the clock and reporting will
become a higher priority than restoration. The note regarding adverse conditions does not help unless
we were to consider the very lack of 24/7 dispatch to be such a condition.
Project 2008-06 proposes to withdraw the terms “Critical Asset” and “Critical Cyber Asset” from the
NERC Glossary. In order to avoid a reliability gap when this occurs, we propose including High and
Medium Impact BES Cyber Systems and Assets. The revised wording to add, “as appropriate” to R1.3
is a concern. We understand the SDT’s intent to not require all the bulleted parties to be notified for
every event type. But will a good faith effort on the part of the registered entity to deem
appropriateness be subject to second guessing and possible sanctions by the Compliance Enforcement
Authority if they disagree? We note that CIP-001 required an interpretation to address this issue, but
cannot assume that interpretation will carry over. We suggest spelling out exactly who shall deem
appropriateness. R4 continues to be an onerous requirement for smaller entities. Verification was not
part of the SAR and we are not convinced it is needed for reliability. We are unsure how a DP with no
generation, no BES assets, no Critical Cyber Assets, and less than 100 MW of load; would meet R4.
Shall they drill for impossible events? We ask that R4 be removed. At a minimum it should exclude
entities that cannot experience the events of Attachment 1. Entities that cannot experience the events
of Attachment 1 should likewise be exempt from R1.2, 1.3, R2, and R3.
Individual
Tracy Richardson
Springfield Utility Board
Yes
Yes
Yes
• The Draft 3 Version History still lists the term “Impact Event” instead of “Event”.
• Draft 3 of EOP-004-2 – Event Reporting does not provide a definition for the term “Event” nor does the NERC
Glossary of Terms Used in Reliability Standards. SUB recommends that “Event” be listed and defined
in “Definitions and Terms Used in the Standard” as well as the NERC Glossary, providing a framework
and giving guidance to entities for how to determine what should be considered an “Event” (ex:
sabotage, unusual occurrence, metal theft, etc.).
Individual
Kasia Mihalchuk
Manitoba Hydro
Yes
Yes
Yes
Attachment 1 - The term ‘Transmission Facilities’ used in Attachment 1 is capitalized, but it is not a
defined term in the NERC glossary. The drafting team should clarify this issue. Attachment 2 - The
inclusion of ‘Fuel supply emergency’ in Attachment 2 creates confusion as it infers that reporting a
‘fuel supply emergency’ may be required by the standard even though ‘fuel supply emergency’ is not
listed in Attachment 1. On a similar note, it is not clear what the drafting team is hoping to capture by
including a checkbox for ‘other’ in Attachment 2.
Group
Southwest Power Pool Regional Entity
Emily Pennel
Yes
Yes
Yes
1. EOP-004-2 R1.4 states entities must update their Operating Plans within 90 calendar days of
incorporating lessons learned pursuant to R3. However, neither R3 nor Attachment 1 include a
timeline for incorporating lessons learned. It is unclear when the “clock starts” on incorporating
improvements or lessons learned. Within 90 days of what? 90 days of the event? 90 days from when
management approved the lesson learned? Auditors need to know the trigger for the 90-day clock. 2.
The Event Analysis classification includes Category 1C “failure or misoperation of the BPS SPS/RAS”.
This category is not included in EOP-004-2’s Attachment 1. This event, “failure or misoperation of the
BPS SPS/RAS”, needs to either be added to Attachment 1 or removed from the Event Analysis
classification. It is important that EOP-004-2 Attachment 1 and the Event Analysis categories match
up. Thank you for your work on this standard.
Individual
Kevin Conway
Intellibind
Yes
No
The language proposed is not clear and will continue to add confusion to entities who are trying to
meet these requirements. It is not clear that the drafting team can put itself in the position of how
the auditors will interpret and implement compliance against the R2 requirement. Requirements
should be written to stand alone, not reference other requirements (or parts of the requirements). If the
R1 parts 1.1, 1.2, 1.4 and 1.5 are so significant for this requirement, then they should be rewritten in
R2.
Yes
Does this reporting conflict with reporting for DOE, and Regions? If so, what reporting requirements
will the entity be held accountable to? Managing multiple reporting requirements for the multiple
agencies is very problematic for entities and this standard should resolve those reporting requirements,
as well as reduce the reporting down to one form and one submission. Reporting to ESISAC should
take care of all reporting by the company. NERC should route all reports to the DOE, and regions
through this mechanism.
I do not see that the rewrite of this standard is meeting the goal of clear reliability standards, and in
fact the documents are looking more like legal documents. Though the original EOP-004 and CIP-001
was problematic at times, this rewrite, and the need to have such extensive guidance, attachments,
and references for EOP-004-2 will create an even more difficult standard to properly meet to ensure
compliance during an audit. Though CIP-001 and EOP-004 were related, combining them in a single
standard is not resolving the issues, and is in fact complicating the tasks. Requirements in this
standard should deal with only one specific issue, not deal with multiple tasks. I am not sure how an
auditor will consistently audit against R2, and how a violation will be categorized when an entity
implements all portions of their Operating Plan, however fails to fully address all the requirements in
R1, thereby not fully implementing R2, in strict interpretation. The drafting team should not set up a
situation where an entity is in double jeopardy for missing an element of a requirement. I also
suggest that EOP-004-2 be given a new EOP designation rather than calling it a revision. This way
implementation can be better controlled, since most companies have written specific CIP-001 and
EOP-004 documents that will not simply transfer over to the new version. This standard is a drastic
departure from the original versions. I appreciate the level of work that is going into EOP-004-2, it
appears that significant time and effort has been going into the supporting documentation. It is my
opinion that if this much material has to be created to state what the standard really requires, then
the standard is flawed. When there are 21 pages of explanation for five requirements, especially when
we have previously had 16 pages that originally covered 2 separate reliability standards, we need to
reevaluate what we are really doing.
Group
Arizona Public Service Company
Janet Smith, Regulatory Affairs Supervisor
Yes
Yes
Yes
No comments
Individual
Chris Higgins / Jim Burns / Ted Snodgrass / Jeff Millennor / Russell Funk
Bonneville Power Administration
Yes
Yes
BPA believes the measures for R2 are unclear since they are similar to R3’s reporting measures.
No
BPA believes that the first three elements in Attachment 1 are too generic and should be with only the
intentional human criterion. The suspicious device needs to be determined as a threat (and not left
behind tools) before requiring a report.
BPA believes that Attachment 1 has too many added reportable items because unintentional,
equipment failure & operational errors are included in the first three items. A. Change to only
“intentional human action”. Otherwise, the first item “destruction of BES equipment” is too
burdensome, along with its short time reporting time: i. - If a single transformer fails that shouldn’t
require a report. ii.- Emergency actions have to be taken for any failure of equipment, e.g. a loss of
line reduces a path SOL and requires curtailments to reduce risk to the system. B. The item for “risk
to BES” is not necessary until the suspicious object has been identified as a threat. If what turns out
to be an air impact wrench left next to BES equipment, that should not be a reportable incident as this
current table implies. C. The nuclear “LOOP” should be only reported if total loss of off site source (i.e.
2 of 2 or 3 of 3) when supplying the plant’s load. If lightning or insulator fails causing one of the line
sources to trip that’s not a system disturbance especially if it is just used as a backup. It should only
be a NRC process if they want to monitor that. The VRF/VSL: BPA believes that the VRF for R2 & R4
should be “Lower”.
Individual
Chris de Graffenried
Consolidated Edison Co. of NY, Inc.
Yes
No
Comments: • R1.3 should be revised as follows: A process for communicating events listed in
Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator
and the following as determined by the responsible entity: ["appropriate" - deleted] [otherwise it is
not clear who determines what communication level is appropriate] • R1.4 should be revised as
follows: Provision(s) for updating the Operating Plan following ["within 90 calendar days of any" - deleted] change in assets or personnel (if the Operating Plan specifies personnel or assets), ["other
circumstances" - deleted] that may no longer align with the Operating Plan; or incorporating lessons
learned pursuant to Requirement R3. • R1.5 should be deleted. Responsible Entities can determine
the frequency of Operating Plan updates. Requirement 1.4 requires updating the Operating Plan
within 90 calendar days for changes in “assets, personnel…. or incorporating lessons learned”. This
requirement eliminates the need for Requirement 1.5 requiring a review of the Operating Plan on an
annual basis.
No
Comments: We have a number of comments on Attachment 1 and will make them here: • Generally
speaking the SDT should work with the NERC team drafting the Events Analysis Process (EAP) to
ensure that the reporting events align and use the same descriptive language. • EOP-004 should use
the exact same events as OE-417. These could be considered a baseline set of reportable events. If
the SDT believes that there is justification to add additional reporting events beyond those identified
in OE-417, then the event table could be expanded. • If the list of reportable events is expanded
beyond the OE-417 event list, the supplemental events should be the same in both EOP-004-2 and in
the EAP Categories 1 through 5. • It is not clear what the difference is between a footnote and
“Threshold for Reporting”. All information should be included in the body of the table, there should be
no footnotes. • Event: “Risk to BES equipment” should be deleted. This is too vague and subjective.
Will result in many “prove the negative” situations. • Event: “Destruction of BES equipment” is again
too vague. The footnote refers to equipment being “damaged or destroyed”. There is a major
difference between destruction and damage. • Event: “Damage or Destruction of a Critical Asset or
Critical Cyber Asset” should be deleted. Disclosure policies regarding sensitive information could limit
an entity’s ability to report. Unintentional damage to a CCA does not warrant a report. • Event: “BES
Emergency requiring public appeal for load reduction” should be modified to note that this does not
apply to routine requests for customer conservation during high load periods.
Comments: • Requirement 4 does not specifically state details necessary for an entity to achieve
compliance. Requirement 4 should provide more guidance as to what is required in a drill. Audit /
enforcement of any requirement language that is too broad will potentially lead to Regional
interpretation, inconsistency, and additional CANs. • R4 should be revised to delete the 15 month
requirement. CAN-0010 recognizes that entities may determine the definition of annual. • The
Purpose of the Standard should be revised because some of the events being reported on have no
impact on the BES. Revise Purpose as follows: To improve industry awareness and the reliability of
the Bulk Electric System by requiring the reporting of [add] "major system events.” [delete - “with
the potential to impact reliability and their causes, if known, by the Responsible Entities.”]
Individual
David Burke
Orange and Rockland Utilities, Inc.
Yes
No
Comments: • R1.3 should be revised as follows: A process for communicating events listed in
Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator
and the following as determined by the responsible entity: ["appropriate" - deleted] [otherwise it is
not clear who determines what communication level is appropriate] • R1.4 should be revised as
follows: Provision(s) for updating the Operating Plan following ["within 90 calendar days of any" - deleted] change in assets or personnel (if the Operating Plan specifies personnel or assets), ["other
circumstances" - deleted] that may no longer align with the Operating Plan; or incorporating lessons
learned pursuant to Requirement R3. • R1.5 should be deleted. Responsible Entities can determine
the frequency of Operating Plan updates. Requirement 1.4 requires updating the Operating Plan
within 90 calendar days for changes in “assets, personnel…. or incorporating lessons learned”. This
requirement eliminates the need for Requirement 1.5 requiring a review of the Operating Plan on an
annual basis.
No
• Generally speaking the SDT should work with the NERC team drafting the Events Analysis Process
(EAP) to ensure that the reporting events align and use the same descriptive language. • EOP-004
should use the exact same events as OE-417. These could be considered a baseline set of reportable
events. If the SDT believes that there is justification to add additional reporting events beyond those
identified in OE-417, then the event table could be expanded. • If the list of reportable events is
expanded beyond the OE-417 event list, the supplemental events should be the same in both EOP-004-2 and in the EAP Categories 1 through 5. • It is not clear what the difference is between a
footnote and “Threshold for Reporting”. All information should be included in the body of the table,
there should be no footnotes. • Event: “Risk to BES equipment” should be deleted. This is too vague
and subjective. Will result in many “prove the negative” situations. • Event: “Destruction of BES
equipment” is again too vague. The footnote refers to equipment being “damaged or destroyed”.
There is a major difference between destruction and damage. • Event: “Damage or Destruction of a
Critical Asset or Critical Cyber Asset” should be deleted. Disclosure policies regarding sensitive
information could limit an entity’s ability to report. Unintentional damage to a CCA does not warrant a
report. • Event: “BES Emergency requiring public appeal for load reduction” should be modified to
note that this does not apply to routine requests for customer conservation during high load periods.
Comments: • Requirement 4 does not specifically state details necessary for an entity to achieve
compliance. Requirement 4 should provide more guidance as to what is required in a drill. Audit /
enforcement of any requirement language that is too broad will potentially lead to Regional
interpretation, inconsistency, and additional CANs. • R4 should be revised to delete the 15 month
requirement. CAN-0010 recognizes that entities may determine the definition of annual. • The
Purpose of the Standard should be revised because some of the events being reported on have no
impact on the BES. Revise Purpose as follows: To improve industry awareness and the reliability of
the Bulk Electric System by requiring the reporting of [add] "major system events.” [delete - “with
the potential to impact reliability and their causes, if known, by the Responsible Entities.”]
Individual
Alice Ireland
Xcel Energy
Yes
No
Suggest modifying R3 to indicate this is related to R 1.3. Each Responsible Entity shall report events
to entities specified in R1.3 and as identified as appropriate in its Operating Plan.
Yes
Group
BC Hydro
Patricia Robertson
Yes
Yes
No
As an event would be verbally reported to the RC, all the one hour requirements to submit a written
report should be moved from one hour to 24 hours.
Attachment 1: Reportable Events: BC Hydro recommends further defining “BES equipment” for the
events Destruction of BES equipment and Risk to BES equipment. Attachment 1: Reportable Events:
BC Hydro recommends defining the Forced intrusion event as the wording is very broad and open to
each entity’s interpretation. What would be a forced intrusion, i.e. entry or only if equipment damage
occurs?
Individual
Greg Rowland
Duke Energy
Yes
Yes
No
All events in Attachment 1 should have reporting times of no less than 24 hours. As stated on page 6
of the current draft of the standard: “The DSR SDT wishes to make clear that the proposed Standard
does not include any real-time operating notifications for the events listed in Attachment 1. Real-time
reporting is achieved through the RCIS and is covered in other standards (e.g. the TOP family of
standards). The proposed standard deals exclusively with after-the-fact reporting.” We maintain that
a report which is required to be made within one hour after an event is, in fact, a real time report. In
the first hour or even several hours after an event the operator may appropriately still be totally
committed to restoring service or returning to a stable bulk power system state, and should not stop
that recovery activity in order to make this “after-the-fact” report.
1. Reporting under EOP-004-2 should be more closely aligned with Events Analysis Reporting. 2.
Attachment 1 – Under the column titled “Entity with Reporting Responsibility”, several Events list
multiple entities, using the phrase “Each RC, BA, TO, TOP, GO, GOP, DP that experiences…” or a
similar phrase requiring that multiple entities report the same event. We believe these entries should
be changed so that multiple reports aren’t required for the same event. 3. Attachment 1 – The phrase
“BES equipment” is used several times in the Events Table and footnotes to the table. “Equipment” is
not a defined term and lacks clarity. “Element” and “Facility” are defined terms. Replace “BES
equipment” with “BES Element” or “BES Facility”. 4. Attachment 1 – The Event “Risk to BES
equipment” is unclear, since some amount of risk is always present. Reword as follows: “Event that
creates additional risk to a BES Element or Facility.” 5. Attachment 1 – The Threshold for Reporting
Voltage deviations on BES Facilities is identified as “+ 10% sustained for > 15 continuous minutes.”
Need to clarify + 10% of what voltage? We think it should be nominal voltage. 6. Attachment 1 – Footnote 1 contains the phrase “has the potential to”. This phrase should be struck because it creates
an impossibly broad compliance responsibility. Similarly, Footnote 3 contains the same phrase, as well
as the word “could” several times, which should be changed so that entities can reasonably comply.
7. Attachment 1 – The “Unplanned Control Center evacuation” Event has the word “potential” in the
column under “Entity with Reporting Responsibility”. The word “potential” should be struck. 8.
Attachment 2 – Includes “fuel supply emergency”, which is not listed on Attachment 1.
Group
Progress Energy
Jim Eckelkamp
(1) Attachment 1 lists “Destruction of BES Equipment” as a reportable event but then lists “equipment
failure” as one of several thresholds for reporting, with a one hour time limit for reporting. It is simply
not common sense to think of the simple failure of a single piece of equipment as “destruction of BES
equipment”. Does the standard really expect that every BES equipment failure must be reported
within one hour, regardless of cause or impact to BES reliability? What is the purpose of such
extensive reporting? (2) The same comment as (1) above is applicable to the “Damage or destruction
of Critical Asset” because one threshold is simple “equipment failure” as well. (3) Footnote 2 (page
20) says copper theft is not reportable “unless it effects the reliability of the BES”, but footnote 1 on
the same page says copper theft is reportable if “it degrades the ability of equipment to operate
properly”. In this instance, the proposed standard provides two different criteria for reporting one of
the most common events on the same page. (4) Forced Intrusion must be reported if “you cannot
determine the likely motivation”, and not based on a conclusion that the intent was to commit
sabotage or intentional damage. This would require reporting many theft related instances of cut
fences and forced doors (including aborted theft attempts where nothing is stolen) which would
consume a great deal of time and resources and accomplish nothing. This criteria is exactly the
opposite of the existing philosophy of only reporting events if there is an indication of an intent to
commit sabotage or cause damage. (5) “Risk to BES equipment…from a non-environmental physical
threat” is reportable, but this is an example of a vague, open ended reporting requirement that will
either generate a high volume of unproductive reports or will expose reporting entities to audit risk
for not reporting potential threats that could have been reported. The standard helpfully lists train
derailments and suspicious devices as examples of reportable events. The existing CAN for CIP-001
(CAN-0016) is already asking for a list of events that were analyzed so the auditors can determine if a
violation was committed due to failure to report. I can envision the CAN for this new standard
requiring a list of all “non-environmental physical threats” that were analyzed during the audit period
to determine if applicable events were reported. This could generate a great deal of work simply to
provide audit documentation even if no events actually occur that are reportable. It would also be
easy for an audit team to second guess a decision that was made by an entity not to report an event
(what is risk?...how much risk was present due to the event?...). Also, the reporting for this vague
criteria must be done within one hour. Any event with a one hour reporting requirement should be
crystal clear and unambiguous. (6) “Transmission Loss…of three or more Transmission Facilities” is
reportable. “Facility” is a defined term in the NERC Glossary, but “Transmission Facility” is not a
defined term, which will lead to confusion when this criteria is applied. This requirement raises many
confusing questions. What if three or more elements are lost due to two separate or loosely related
events – is this reportable or not? What processes will need to be put in place to count elements that
are lost for each event and determine if reporting is required? Why must events be reported that fit
an arbitrary numerical criteria without regard to any material impact on BES reliability?
Individual
Rodney Luck
Los Angeles Department of Water and Power
No
The reporting time of within 1 hour of recognition for a "Forced Intrusion" (last event category on
page 20 of Draft 3, dated October 25, 2011) when considered with the associated footnote “Report if
you cannot reasonably determine likely motivation” is overly burdensome and unrealistic. What is
“reasonably determine likely motivation” is too general and requires further clarity. For example,
LADWP has numerous facilities with extensive perimeter fencing. There is a significant difference
between a forced intrusion like a hole or cut in a property line fence of a facility versus a forced
intrusion at a control house. Often cuts in fences, after further investigation, are determined to be
cases of minor vandalism. An investigation of this nature will take much more than the allotted hour.
The NERC Design Team needs to develop different levels for the term “Forced Intrusion” that fit the
magnitude of the event and provide for adequate time to determine if the event was only a case of
minor vandalism or petty theft. The requirement, as currently written, would unnecessarily burden an
entity in reporting events that after given more time to investigate would more than likely not have
been a reportable event.
Individual
Daniel Duff
Liberty Electric Power
No
Training should be left in the standard as an option, along with an actual event, drill or exercise, to
demonstrate that operating personnel have knowledge of the procedure.
Yes
Yes
Group
ZGlobal on behalf of City of Ukiah, Alameda Municipal Power, Salmen River Electric, City of Lodi
Mary Jo Cooper
Yes
Yes
Yes
We feel that the drafting team has done an excellent job of providing clarification and reasonable
reporting requirements to the right functional entity. However we feel additional clarification should
be made in the Attachment I Event Table. We suggest the following modifications: For the Event: BES
Emergency resulting in automatic firm load shedding Modify the Entity with Reporting Responsibility
to: Each DP or TOP that experiences the automatic load shedding within their respective distribution
serving or Transmission Operating area. For the Event: Loss of Firm load for ≥ 15 Minutes Modify the
Entity with Reporting Responsibility to: Each BA, TOP, DP that experiences the loss of firm load within
their respective balancing, Transmission operating, or distribution serving area.
Individual
Lisa Rosintoski
Colorado Springs Utilities
Yes
No
The act of implementing the plan needs to include reporting events per R1, sub-requirement 1.3. R2
should simply state something like, “Each Responsible Entity shall implement the Operating Plan that
meets the requirements of R1, as applicable, for an actual event or as specified.” Suggest eliminating
R3 which, seems to create double jeopardy effect.
Yes
Agree with concept to combine CIP-001 into EOP-004. Agree with elimination of “sabotage” concept.
Appreciate the attempt to combine reporting requirements, but it seems that in practice will still have
separate reporting to DOE and NERC/Regional Entities. EOP-004-2 A.5. “Summary of Key Concepts”
refers to Att. 1 Part A and Att. 1 Part B. I believe these have now been combined. EOP-004-2 A.5.
“Summary of Key Concepts” refers to development of an electronic reporting form and inclusion of
regional reporting requirements. It is unfortunate no progress was made on this front.
Individual
Michael Falvo
Independent Electricity System Operator
Yes
No
We agree with the revision to R2 and R3, but assess that a requirement to enforce implementation of
Part 1.3 in Requirement R1 is missing. Part 1.3 in Requirement R1 stipulates that: 1.3. A process for
communicating events listed in Attachment 1 to the Electric Reliability Organization, the Responsible
Entity’s Reliability Coordinator and the following as appropriate: • Internal company personnel • The
Responsible Entity’s Regional Entity • Law enforcement • Governmental or provincial agencies The
implementation of Part 1.3 is not enforced by R2 or R3 or any other Requirements in the standard.
Suggest to add another requirement or expand Requirement R4 (and M4) to require the
implementation of this Part in addition to verifying the process.
Yes
1. Measures M1, M2 and M3: Suggest to achieve consistent wording among them by saying the
leading part to “Each Responsible Entity shall provide….” 2. In our comments on the previous version,
we suggested the SDT to review the need to include IA, TSP and LSE for some of the reporting
requirements in Attachment 1. The SDT responded that it had to follow the requirements of the
standards as they currently apply. Since these entities are applicable to the underlying standards
identified in Attachment 1, they will be subject to reporting. We accept this rationale. However, the
revised Attachment 1 appears to be still somewhat discriminative on who needs to report an event.
For example, the event of “Detection of a reportable Cyber Security Incident” (6th row in the table)
requires reporting by a list of responsible entities based on the underlying requirements in CIP-008,
but the list does not include the IA, TSP and LSE. We again suggest the SDT to review the need for
listing the specific entities versus leaving it general by saying: “Applicable Entities under CIP-008” for
this particular item, and review and establish a consistent approach throughout Attachment 1. 3.
VSLs: a. Suggest to not list all the specific entities, but replace them with “Each Responsible Entity” to
simplify the write-up which will allow readers to get to the violation condition much more quickly. b.
For R1, it is not clear whether the conditions listed under the four columns are “OR” or “AND”. We
believe it means “OR”, but this needs to be clarified in the VSL table. 4. The proposed implementation
plan conflicts with Ontario regulatory practice respecting the effective date of the standard. It is
suggested that this conflict be removed by appending to the implementation plan wording, after
“applicable regulatory approval” in the Effective Dates Section on P. 2 of the draft standard and P. 1
of the draft implementation plan, to the following effect: “, or as otherwise made effective pursuant to
the laws applicable to such ERO governmental authorities.”
Individual
John Bee on Behalf of Exelon
Exelon
Yes
Yes
Why is the reference to R1.3 missing from EOP-004-2 Requirement R2?
No
Due to the size of the service territories in ComEd and PECO it’s difficult to get to some of the stations
within an hour to analyze an event which causes concern with the 1 hour criteria. It is conceivable
that the evaluation of an event could take longer than one hour to determine if it is reportable. Exelon
cannot support this version of the standard until the 1 hour reporting criteria is clarified so that the
reporting requirements are reasonable and obtainable. Exelon has concerns about the existing 1 hour
reporting requirements and feels that additional guidance and verbiage is required for clarification.
We would like a better understanding of when the 1 hour clock starts. Please consider using the following
clarifying statement: in the statements that read “recognition of events”, please consider replacing
the word “recognition” with the word “confirmation”, as in a “confirmed event”.
1. Please replace the text “Operating Plan” with procedure(s). Many companies have procedure(s) for
the reporting and recognition of sabotage events. These procedures extend beyond operating groups
and provide guidance to the entire company. 2. The Loss of Off-site power event criteria is much
improved from the last draft of EOP-004-2; however, some clarification is needed to more accurately
align with NERC Standard NUC-001 in both nomenclature and intent. Specifically, as Exelon has
previously commented, there are many different configurations supplying offsite power to a nuclear
power plant and it is essential that all configurations be accounted for. As identified in the applicability
section of NUC-001 the applicable transmission entities may include one or more of the following (TO,
TOP, TP, TSP, BA, RC, PC, DP, LSE, and other non-nuclear GO/GOPs). Based on the response to
previous comments submitted for Draft 2, Exelon understands that the DSR SDT evaluated the use of
the word “source” but dismissed the use in favor of “supply” with the justification “[that] ‘supply’
encompasses all sources”. Exelon again suggests that the word “source” is used as the event criteria
in EOP-004-2 as this nomenclature is commonly used in the licensing basis of a nuclear power plant.
By revising the threshold criteria to “one or more” Exelon believes the concern the DSR SDT noted is
addressed and ensures all sources are addressed. In addition, by revising the threshold for reporting
to a loss of “one or more” will ensure that all potential events (regardless of configuration of off-site
power supplies) will be reported by any applicable transmission entity specifically identified in the
nuclear plant site specific NPIRs. As previously suggested, Exelon again proposes that the loss of an
off-site power source be revised to an “unplanned” loss to account for planned maintenance that is
coordinated in advance in accordance with the site specific NPIRs and associated Agreements. This
will also eliminate unnecessary reporting for planned maintenance. Although the loss of one off-site
power source may not result in a nuclear generating unit trip, Exelon agrees that an unplanned loss of
an off-site power source regardless of impact should be reported within the 24 hour time limit as
proposed. Suggest that the Loss of Offsite power to a nuclear generating plant event be revised as
follows: Event: Unplanned loss of any off-site power source to a Nuclear Power Plant Entity with
Reporting Responsibility: The applicable Transmission Entity that owns and/or operates the off-site
power source to a Nuclear Power Plant as defined in the applicable Nuclear Plant Interface
Requirements (NPIRs) and associated Agreements. Threshold for Reporting: Unplanned loss of one or
more off-site power sources to a Nuclear Power Plant per the applicable NPIRs. 3. Attachment 1
Generation loss event criteria Generation loss The ≥ 2000 MW/≥ 1000 MW generation loss criteria do
not provide a time threshold or location criteria. If the 2000 MW/1000 MW is intended to be from a
combination of units in a single location, what is the time threshold for the combined unit loss? For
example, if a large two unit facility in the Eastern Interconnection with an aggregate full power output
of 2200 MW (1100 MW per unit) trips one unit (1100 MW) [T=0 loss of 1100 MW] and is ramping
back the other unit from 100% power and 2 hours later the other unit trips at 50% power [550 MW at
time of trip]. The total loss is 2200 MW; however, the loss was sustained over a 2 hour period. Would
this scenario require reporting in accordance with Attachment 1? What if it happened in 15 minutes? 1
hour? 24 hours? Exelon suggests the criteria be revised to include a time threshold for the total loss at a
single location to provide this additional guidance to the GOP (e.g., within 15 minutes to align with
other similar threshold conditions). Threshold for Reporting ≥ 2,000 MW unplanned total loss at a
single location within 15 minutes for entities in the Eastern or Western Interconnection ≥ 1000 MW
unplanned total loss at a single location within 15 minutes for entities in the ERCOT or Quebec
Interconnection 4. Exelon appreciates that the DSR SDT has added the NRC to the list of Stakeholders
in the Reporting Process, but does not agree with the SDT response to FirstEnergy’s comment to
Question 17 [page 206] that stated “NRC requirements or comments fall outside the scope of this
project.” Quite the contrary, this project should be communicated and coordinated with the NRC to
eliminate confusion and duplicative reporting requirements. There are unique and specific reporting
criteria and coordination that is currently in place with the NRC, the FBI and the JTTF for all nuclear
power plants. If an event is in progress at a nuclear facility, consideration should be given to
coordinating such reporting as to not duplicate effort, introduce conflicting reporting thresholds, or
add unnecessary burden on the part of a nuclear GO/GOP whose primary focus is to protect the health
and safety of the public during a potential radiological sabotage event (as defined by the NRC) in
conjunction with potential impact to the reliability of the BES. 5. Attachment 1 Detection of a
reportable Cyber Security Incident event criteria The threshold for reporting is “that meets the criteria
in CIP-008”. If an entity is exempt from CIP-008, does that mean that this reportable event is
therefore also not applicable in accordance with EOP-004-2 Attachment 1?
Individual
Public Utility District No. 1 of Snohomish County
John D. Martinsen
Yes
Yes
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report required by the
Event Analysis process, but there is some duplication of efforts. The EOP-004 has an “optional”
Written Description section for the event, while the Brief Report requires more detailed information
such as a sequence of events, contributing causes, restoration times, etc. Please clarify if both forms
will still be required to be submitted. We also need to ensure that there won’t be a duplication of
efforts between the two reports. This is fairly minor, but the clarification need should be addressed.
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting efforts related to
both the proposed Bulk Electric System ("BES") definition changes, as well as the CIP standards
Version 5, could significantly impact the EOP-004-2 reporting requirements. Caution needs to be
exercised when referencing these definitions, as the definitions of a BES element could change
significantly and Critical Assets may no longer exist. As it relates to the proposed reporting criteria, it
is debatable as to whether or not the destruction of, for example, one relay would be a reportable
incident under this definition going forward given the current drafting team efforts. Related to
“Reportable Events” of Attachment 1: 1. A reportable event is stated as, “Risk to the BES”, the
threshold for reporting is, “From a non-environmental physical threat”. This appears to be a catch-all
event, and basically every other event in Attachment 1 should be reported because it is a risk to the
BES. Due to the subjectivity of this event, suggest removing it from the list. 2. A reportable event is
stated as, “Damage or destruction of Critical Asset per CIP-002”. The term “Damage” would have to
be defined in order for an entity to determine a threshold for what qualifies as “Damage” to a CA. One
could argue that normal “Damage” can occur on a CA that is not necessary to report. There should
also be caution here in adding CIP interpretation within this standard. Reporting Thresholds 1. The
SDT made attempts to limit nuisance reporting related to copper thefts and so on which is supported.
However a number of the thresholds identified in EOP-004-2 Attachment 1 are very low and could
congest the reporting process with nuisance reporting and reviewing. An example is the “BES
Emergency requiring manual firm load shedding of greater than or equal to 100 MW or the Loss of
Firm load for ≥ 15 Minutes that is greater than or equal to 200 MW (300 MW if the manual demand is
greater than 3000 MW). In many cases these low thresholds represent reporting of minor wind events
or other seasonal system issues on Local Network used to provide distribution service. Firm Demand
1. The use of Firm Demand in the context of the draft Standards could be used to describe
commercial arrangements with a customer rather than a reliability issue. Clarification of Firm Demand
would be helpful
Group
MRO NSRF
WILL SMITH
Yes
Yes
Yes
The MRO NSRF wishes to thank the SDT for incorporating changes that the industry had with
reporting time periods and aligning this with the Events Analysis Working Group and Department of
Energy’s OE 417 reporting form.
Group
Western Electricity Coordinating Council
Steve Rueckert
Yes
Yes
Yes
Results-based standards should include, within each requirement, the purpose or reason for the
requirement. The requirements of this standard, while we support the requirements, do not include
the goal or purpose of meeting each stated requirement. The Measures all include language stating
“the responsible entity shall provide…”. During a quality review of a WECC Regional Reliability
Standard we were told that the “shall provide” language is essentially another requirement to provide
something. If it is truly necessary to provide this it should be in the requirements. It was suggested to
us that we drop the “shall provide” language and just start each Measure with the “Evidence may
include but is not limited to…”.
Individual
RoLynda Shumpert
South Carolina Electric and Gas
Yes
Yes
Yes
In terms of receiving reports, is it the drafting team's expectation that separate reports be developed
by both the RC and the TOP, GO, BA, etc. for an event that occurs on a company's system that is
within the RC's footprint? One by the RC and one by the TOP, GO, BA, etc. In terms of meeting
reporting thresholds, is it the drafting team's expectation that the RC aggregate events within its RC
Area to determine whether a reporting threshold has been met within its area for the quantitative
thresholds?
Individual
Kathleen Goodman
ISO New England
No
Please see further comments; we do not believe R4 is a necessary requirement in the standard and
suggest it be deleted.
No
In accordance with the results-based standards concept, all that is required, for the “what” is that
company X reported on event Y in accordance with the reporting requirements in attachment Z of the
draft standard. Therefore, we proposed the only requirement that is necessary is R3, which should be
re-written to read… "Each Responsible Entity shall report to address the events listed in Attachment
1."
Yes
Attachment 1 should be revisited. “Equipment Damage” is overly vague and will also potentially result
in reporting on equipment failures which may simply be related to the age and/or vintage of
equipment.
Group
Imperial Irrigation District
Jesus Sammy Alcaraz
Yes
Yes
Yes
IID strongly believes the reporting flowchart should not be part of a standard. The suggestion is to
replace it with a more clear, right to the point requirement.
Individual
Curtis Crews
Texas Reliability Entity
Substantive comments: 1. ERO and Regional Entities should not be included in the Applicability of this
standard. Just because they may be subject to some CIP requirements does not mean they also have
to be included here. The ERO and Regional Entities do not operate equipment or systems that are
integral to the operation of the BES. Also, none of the VSLs apply to the ERO or to Regional Entities.
2. The first entry in the Events Table should say “Damage or destruction of BES equipment.”
Equipment may be rendered inoperable without being “destroyed,” and entities should not have to
determine within one hour whether damage is sufficient to cause the equipment to be considered
“destroyed.” Footnote 1 refers to equipment that is “damaged or destroyed.” 3. In the Events Table,
consider whether the item for “Voltage deviations on BES facilities” should also be applicable to GOPs,
because a loss of voltage control at a generator (e.g. failure of an automatic voltage regulator and
power system stabilizer) could have a similar impact on the BES as other reportable items. 4. In the
Events Table, under Transmission Loss, does this item require that at least three Facilities owned by
one entity must be lost to trigger the reporting requirement, or is the reporting requirement also to
be triggered by loss of three Facilities during one event or occurrence that are owned by two or three
different entities? 5. In the Events Table, under Transmission Loss, it is unclear how Facilities are to be
counted to determine when “three or more” Facilities are lost. In the NERC Glossary, Facility is
ambiguously defined as “a set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.).” In many cases, a “set of
electrical equipment” can be selected and counted in different ways, which makes this item
ambiguous. 6. In the Events Table, under Transmission Loss, it appears that a substation bus failure
would only count as a loss of one Facility, even though it might interrupt flow between several
transmission lines. We believe this type of event should be reported under this standard, and
appropriate revisions should be made to this entry. 7. In the Events Table, under Transmission Loss,
consider including generators that are lost as a result of transmission loss events when counting
Facilities. For example, if a transmission line and a transformer fail, resulting in a generator going offline, that should count as a loss of “three or more” facilities and be reportable under this standard.
8. In the Events Table, under “Unplanned Control Center evacuation” and “Loss of monitoring or all
voice communication capability,” GOPs should be included. GOPs also operate control centers that
would be subject to these kinds of occurrences. 9. In the Events Table, under “Loss of monitoring or
all voice communication capability,” we suggest adding that if there is a failure at one control center,
that event is not reportable if there is a successful failover to a backup system or control center.
10. “Fuel supply emergency” is included in the Event Reporting Form, but not in Attachment 1, so
there is no reporting threshold or deadline provided for this type of event. Clean-up items: 1. In R1.5,
capitalize “Responsible Entity” and lower-case “process”. 2. In footnote 1, add “or” before “iii)” to
clarify that this event type applies to equipment that satisfies any one of these three conditions. 3. In
the Event Reporting Form, “forced intrusion” and “Risk to BES equipment” are run together and
should be separated. VSLs: 1. We support the substance of the VSLs, but the repeated long list of
entities makes the VSLs extremely difficult to read and decipher. The repeated list of entities should
be replaced by “Responsible Entities.” 2. If the ERO and Regional Entities are to be subject to
requirements in this standard (which we oppose), they need to be added to the VSLs.
Individual
Andrew Z. Pusztai
American Transmission Company, LLC
Yes
Yes
Yes
ATC appreciates the work of the SDT in incorporating changes that the industry had with reporting
time periods and aligning this with the Events Analysis Working Group and Department of Energy’s
OE 417 reporting form.
Individual
Anthony Jablonski
ReliabilityFirst
ReliabilityFirst thanks the SDT for their effort on this project. ReliabilityFirst has a number of
concerns/questions related to the draft EOP-004-2 standard which include the following: 1. General
Comment - The SDT should consider any possible impacts that could arise related to the applicability
of Generator Owners that may or may not own transmission facilities. This will help alleviate any
potential or unforeseen impacts on these Generator Owners 2. General Comment – Though the
rationale boxes contain useful editorial information for each requirement, they should rather contain
the technical rationale or answer the question “why is this needed” for each requirement. The
rationale boxes currently seem to contain suggestions on how to meet the requirements.
ReliabilityFirst suggests possibly moving some of the statements in the “Guideline and Technical
Basis” into the rationale boxes, as some of the rationale seems to be contained in that section. 3.
General comment – The end of Measure M4 is incorrectly pointing to R3. This should refer to R4. 4.
General Comment – ReliabilityFirst recommends the “Reporting Hierarchy for Reportable Events”
flowchart should be removed from the “Background” section and put into an appendix. ReliabilityFirst
believes the flowchart is not really background information, but an outline of the proposed process
found in the new standard. 5. Applicability Comment – ReliabilityFirst questions the newly added
applicability for both the Regional Entity (RE) and ERO. Standards, as outlined in many, if not all, the
FERC Orders, should have applicability to users, owners and operators of the BES and not to the
compliance monitoring entities (e.g. RE and ERO). Any requirements regarding event reporting for the
RE and ERO should be dealt with in the NERC Rules of Procedure and/or Regional Delegation
Agreements. It is also unclear who would enforce compliance on the ERO if the ERO remains an
applicable entity. 6. Requirement Comment - ReliabilityFirst believes the process for communicating
events in Requirement R1, Part 1.3 should be all inclusive and therefore include the bullet points.
Bullet points are considered to be “OR” statements and thus ReliabilityFirst believes they should be
characterized as sub-parts. Listed below is an example: 1.3. A process for communicating events
listed in Attachment 1 to the following: 1.3.1 Electric Reliability Organization, 1.3.2 Responsible
Entity’s Reliability Coordinator 1.3.3 Internal company personnel 1.3.4 The Responsible Entity’s
Regional Entity 1.3.5 Law enforcement 1.3.6 Governmental or provincial agencies 7. Requirement
Comment – ReliabilityFirst questions why Requirement R1, Part 1.1 and Part 1.2 are not required to
be verified when performing a drill or exercise in Requirement R4? ReliabilityFirst believes that
performing a drill or exercise utilizing the process for identifying events (Part 1.1) and the process for
gathering information (Part 1.2) are needed along with the verification of the process for
communicating events as listed in Part 1.3. 8. Compliance Section Comment – Section 1.1 states “If
the Responsible Entity works for the Regional Entity…” and ReliabilityFirst questions the intent of this
language. ReliabilityFirst is unaware of any Responsible Entities who work for a Regional Entity. Also,
if the Regional Entity and ERO remain as applicable entities, in Section 1.1 of the standard, it is
unclear who will act as the Compliance Enforcement Authority (CEA). 9. Compliance Section Comment
– ReliabilityFirst recommends removing the second, third and fourth paragraphs from Section 1.2
since ReliabilityFirst believes entities should retain evidence for the entire time period since their last
audit. 10. Compliance Section Comment – ReliabilityFirst recommends modifying the fifth paragraph
from Section 1.2 as follows: “If a Registered Entity is found non-compliant, it shall keep information
related to the non-compliance until found compliant or until a data hold release is issued by the CEA.”
ReliabilityFirst believes, as currently stated, the CEA would be required to retain information for an
indefinite period of time. 11. Compliance Section Comment – ReliabilityFirst recommends removing
the sixth paragraph from Section 1.2 since the requirement for the CEA to keep the last audit records
and all requested and submitted subsequent audit records is already covered in the NERC ROP. 12.
Attachment 1 Comment – It is unclear what the term/acronym “Tv” is referring to. It may be
beneficial to include a footnote clarifying what the term “Tv” stands for. 13. VSL General Comment –
although ReliabilityFirst believes that the applicability is not appropriate, as the REs and ERO are not
users, owners, or operators of the Bulk Electric System, the Regional Entity and ERO are missing
from all four sets of VSLs, if the applicability as currently written stays as is. If the Regional Entity and
ERO are subject to compliance for all four requirements, they need to be included in the VSLs as well.
Furthermore, for consistency with other standards, each VSL should begin with the phrase “The
Responsible Entity…” 14. VSL 4 Comment - The second “OR” statement under the “Lower” VSL should
be removed. By not verifying the communication process in its Operating Plan within the calendar
year, the responsible entity completely missed the intent of the requirement and is already covered
under the “Severe” VSL category.
Individual
Don Schmit
Nebraska Public Power District
Yes
Yes
Yes
Although 24 hours is a vast improvement, one business day would make more sense for after the fact
reporting.
Individual
Dennis Sismaet
Seattle City Light
Yes
Yes
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report required by the
Event Analysis process, but there is some duplication of efforts. The EOP-004 has an “optional”
Written Description section for the event, while the Brief Report requires more detailed information
such as a sequence of events, contributing causes, restoration times, etc. Please clarify if both forms
will still be required to be submitted. We also need to ensure that there won’t be a duplication of
efforts between the two reports. This is fairly minor, but the clarification need should be addressed.
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting efforts related to
both the proposed Bulk Electric System ("BES") definition changes, as well as the CIP standards
Version 5, could significantly impact the EOP-004-2 reporting requirements. Caution needs to be
exercised when referencing these definitions, as the definitions of a BES element could change
significantly and Critical Assets may no longer exist. As it relates to the proposed reporting criteria, it
is debatable as to whether or not the destruction of, for example, one relay would be a reportable
incident under this definition going forward given the current drafting team efforts. Related to
“Reportable Events” of Attachment 1: 1. A reportable event is stated as, “Risk to the BES”, the
threshold for reporting is, “From a non-environmental physical threat”. This appears to be a catch-all
event, and basically every other event in Attachment 1 should be reported because it is a risk to the
BES. Due to the subjectivity of this event, suggest removing it from the list. 2. A reportable event is
stated as, “Damage or destruction of Critical Asset per CIP-002”. The term “Damage” would have to
be defined in order for an entity to determine a threshold for what qualifies as “Damage” to a CA. One
could argue that normal “Damage” can occur on a CA that is not necessary to report. There should
also be caution here in adding CIP interpretation within this standard. Reporting Thresholds 1. The
SDT made attempts to limit nuisance reporting related to copper thefts and so on which is supported.
However a number of the thresholds identified in EOP-004-2 Attachment 1 are very low and could
congest the reporting process with nuisance reporting and reviewing. An example is the “BES
Emergency requiring manual firm load shedding of greater than or equal to 100 MW or the Loss of
Firm load for ≥ 15 Minutes that is greater than or equal to 200 MW (300 MW if the manual demand is
greater than 3000 MW). In many cases these low thresholds represent reporting of minor wind events
or other seasonal system issues on Local Network used to provide distribution service. Firm Demand
1. The use of Firm Demand in the context of the draft Standards could be used to describe
commercial arrangements with a customer rather than a reliability issue. Clarification of Firm Demand
would be helpful
Individual
John Seelke
PSEG
Yes
Yes
Yes
We have several comments: 1. The “Law Enforcement Reporting” section on p. 6 is unclearly written.
The first three sentences are excerpted here: “The reliability objective of EOP-004-2 is to prevent
outages which could lead to Cascading by effectively reporting events. Certain outages, such as those
due to vandalism and terrorism, may not be reasonably preventable. These are the types of events
that should be reported to law enforcement.” The outages described prior to the last sentence are
“vandalism and terrorism.” The next sentence states “Entities rely upon law enforcement agencies to
respond to and investigate those events which have the potential to impact a wider area of the BES.”
If the SDT intended to only have events reported to law enforcement that could lead to Cascading, it
should state so clearly and succinctly. But other language implies otherwise. a. The footnote 1 on
Attachment 1 (p. 20) states: “Do not report copper theft from BES equipment unless it degrades the
ability of equipment to operate correctly (e.g., removal of grounding straps rendering protective
relaying inoperative).” Rendering a relay inoperative may or may not lead to Cascading. b. With
regard to “forced intrusion,” footnote 2 on Attachment 1 states: “Report if you cannot reasonably
determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless it
effects (sic) the reliability of the BES.” The criterion, or criteria, for reporting an event to law
enforcement needs to be unambiguous. The SDT needs to revise this “Law Enforcement Section” so
that is achieved. The “law enforcement reporting” criterion, or criteria, should also be added to the
flow chart on p. 9. We suggest the following as a starting point for the team to discuss: there should
be two criteria for reporting an event to law enforcement: (1) BES equipment appears to have been
deliberately damaged, destroyed, or stolen, whether by physical or cyber means, or (2) someone has
gained, or attempted to gain, unauthorized access by forced or unauthorized entry (e.g., via a stolen
employee keycard badge) into BES facilities, including by physical or cyber means. 2. The use of the
terms “communicating events” in R1.3, and the use of the term “communication process” are
confusing because in other places such as R3 the term “reporting” is used. If the SDT intends
“communicating” to mean “reporting” as that latter term is used in R3, it should use the same
“reporting” term in lieu of “communicating” or “communication” elsewhere. Inconsistent terminology
causes confusion. PSEG prefers the word “reporting” because it is better understood. 3. Attachment 1
needs to more clearly define what is meant by “recognition of an event.” a. When equipment or a
facility is involved, it would better state within “X” time (e.g., 1 hour) of “of confirmation of an event
by the entity that either owns or operates the Element or Facility.” b. Other reports should have a
different specification of the starting time of the reporting deadline clock. For example, in the
requirement for reporting a “BES Emergency requiring public appeal for load reduction,” it is unclear
what event is required to be reported - the “BES Emergency requiring public appeal” or “public appeal
for load reduction.” If the latter is intended, then the event should be reported within “24 hours after a
public appeal for load reduction is first issued.” These statements need to be reviewed and
customized for each event by the SDT so they are unambiguous. In summary, the starting time for
the reporting clock to start running should be made clear for each event. This will require that the
SDT review each event and customize the starting time appropriately. The phrase “recognition of an
event” should not be used because it is too vague. 4. When EOP-004-2 refers to other standards, it
frequently omits the version of the standard. Example: see the second and third row of Attachment 1
that refers to “CIP-002.” Include the version on all standards referenced.
Group
Compliance & Responsibility Office
Silvia Parada Mitchell
Yes
See comments in response to Question 4.
Yes
See comments in response to Question 4.
Yes
See comments in response to Question 4.
NextEra Energy, Inc. (NextEra) appreciates the DSR SDT revising proposed EOP-004-2, based on the
previous comments of NextEra and the stakeholders. NextEra, however, believes that EOP-004-2
needs additional refinement prior to approval. R1.3 In R1.3, NextEra is concerned that the term
“internal company personnel” is unclear and may be misinterpreted. For example, NextEra does not
believe this term should include all company or corporate personnel, or even all personnel in the
Responsible Entity’s company or business unit. Instead, the definition of personnel should be limited
to those who could be directly impacted by the event or are working on the event. Thus, NextEra
suggests that the language in R1.3 be revised to read: “Internal Responsible Entity personnel whose
tasks require them to take specific actions to mitigate, stop the spread and/or normalize the event, or
personnel who are directly impacted by the event.” NextEra is concerned that R1.3, as written, will be
interpreted differently from company to company, region to region, auditor to auditor, and, therefore,
may result in considerable confusion during actual events as well as during the audits/stop checks of
EOP-004-2 compliance. Also, in R1.3, NextEra is concerned that many of the events listed in
Attachment A already must be reported to NERC under its trial (soon to be final) Event Analysis
Reporting requirements (Event Analysis). NextEra believes duplicative and different reporting
requirements in EOP-004-2 and the Event Analysis rules will cause confusion and inefficiencies during
an actual event, which will likely be counterproductive to promoting reliability of the bulk power
system. Thus, NextEra believes that any event already covered by NERC’s Event Analysis should be
deleted from Attachment 1. Events already covered include, for example, loss of monitoring or all
voice, loss of firm load and loss of generation. If this approach is not acceptable, NextEra proposes, in
the alternative, that the reporting requirements between EOP-004-2 and Event Analysis be identical.
For instance, in EOP-004-2, there is a requirement to report any loss of firm load lasting for more
than 15 minutes, while the Event Analysis only requires reporting the loss of firm load above 300
megawatts and lasting more than 15 minutes. Similarly, EOP-004-2 requires the reporting of any
unplanned control center evacuation, while the Event Analysis only requires reporting after the
evacuation of the control center that lasted 30 minutes or more. Thus, NextEra requests that either
EOP-004-2 not address events that are already set forth in NERC’s Event Analysis, or, in the
alternative, for those duplicative events to be reconciled and made identical, so the thresholds set
forth in the Event Analysis are also used in EOP-004-2. In addition, NextEra believes that a
reconciliation between the language “of recognition” in Attachment 1 and “process to identify” in R1.1
is necessary. NextEra prefers that the language in Attachment 1 be revised to read “ . . . of the
identification of the event under the Responsible Entity’s R1.1 process.” For instance, the first event
under the “Submit Attachment 2 . . . .” column should read: “The parties identified pursuant to R1.3
within 1 hour of the identification of an event under the Responsible Entity’s R1.1 process.” This
change will help eliminate confusion, and will also likely address (and possibly make moot) many of
the footnotes and qualifications in Attachment 1, because a Responsible Entity’s process will likely
require that possible events are properly vetted with subject matter experts and law enforcement, as
appropriate, prior to identifying them as “events”. Thus, only after any such vetting and a formal
identification of an event would the one hour or twenty-four hour reporting clock start to run. R1.4,
R1.5, R3 and R4 NextEra is concerned with the wording and purpose of R1.4, R1.5, R3 and R4. For
example, R1.4 requires an update to the Operating Plan for “. . . any change in assets, personnel,
other circumstances . . . .” This language is much too broad to understand what is required or its
purpose. Further, R1.4 states that the Operating Plan shall be updated for lessons learned pursuant to
R3, but R3 does not address lessons learned. Although there may be lessons learned during a post
event assessment, there is no requirement to conduct such an assessment. Stepping back, it appears
that the proposed EOP-004-2 has a mix of updates, reviews and verifications, and the implication that
there will be lessons learned. Given that EOP-004-2 is a reporting Standard, and not an operational
Standard, NextEra is not inclined to agree that it needs the same testing and updating requirements
like EOP-005 (restoration) or EOP-008 (control centers). Thus, it is NextEra’s preference that R1.4,
R1.5 and R4 be deleted, and replaced with a new R1.4 as follows: R1.4 A process for ensuring that
the Responsible Entity reviews, and updates, as appropriate its Operating Plan at least annually (once
each calendar year) with no more than 15 months between reviews. If the DSR SDT does not agree
with this approach, NextEra, in the alternative, proposes a second approach that consolidates R1.4,
R1.5 and R4 in a new R1.4 as follows: R1.4 A process for ensuring that the Responsible Entity tests
and reviews its Operating Plan at least annually (once each calendar year) with no more than 15
months between a test and review. Based on the test and review, the Operating Plan shall be
updated, as appropriate, within 90 calendar days. If an actual event occurs, the Responsible Entity
shall conduct a post event assessment to identify any lessons learned within 90 calendar days of the
event. If the Responsible Entity identifies any lessons learned in post event assessment, the lessons
learned shall be incorporated in the Operating Plan within 90 calendar days of the date of the final
post event assessment. NextEra purposely did not add language regarding “any change in assets,
personnel etc,” because that language is not sufficiently clear or understandable for purposes of a
mandatory requirement. Although it may be argued that it is a best practice to update an Operating
Plan for certain changes, unless the DSR SDT can articulate specific, concrete and understandable
issues that require an updated Operating Plan prior to an annual review, NextEra recommends that
the concept be dropped. Nuclear Specific Concerns EOP-004-2 identifies the Nuclear Regulatory
Commission (NRC) as a stakeholder in the Reporting Process, but does not address the status of
reporting to the NRC in the Event Reporting flow diagram on page 9. Is the NRC considered Law
Enforcement as is presented in the diagram? Since nuclear stations are under a federal license, some
of the events that would trigger local/state law enforcement at non-nuclear facilities would be under
federal jurisdiction at a nuclear site. There are some events listed in Attachment 1 that seem
redundant or out of place. For example, a forced intrusion is a one hour report to NERC. However, if
there is an ongoing forced intrusion at a nuclear power plant, there are many actions taking place,
with the NRC Operations Center as the primary contact which will mobilize the local law enforcement
agency, etc. It is unclear that reporting to NERC in one hour promotes reliability or the resolution of
an emergency in progress. Also, is there an ability to have the NRC in an emergency notify NERC?
The same concerns related to cyber security events. Procedures versus Plan NextEra also suggests
replacing "Operating Plan" with "procedures". Given that EOP-004-2 is a reporting Standard and not
an operational Standard, it is typical for procedures that address this standard to reside in other
departments, such as Information Management and Security. In other words, the procedures needed
to address the requirements of EOP-004-2 are likely broader than the NERC-defined Operating Plan.
Clean-Up Items In Attachment 1, Control Centers should be capitalized in all columns so as not to be
confused with control rooms. Also, the final product should clearly state that the process flow chart
that is set forth before the Standard is for illustrative purposes, so there is no implication that a
Registered Entity must implement multiple procedures versus one comprehensive procedure to
address different reporting requirements.
Individual
Barry Lawson
NRECA
1. Please ensure that the work of the SDT is done in close coordination with Events Analysis Process
(EAP) work being undertaken by the PC/OC and BOT, and with any NERC ROP additions or
modifications. NRECA is concerned that the EAP work being done by these groups is not closely
coordinated even though their respective work products are closely linked -- especially since the EAP
references information in EOP-004. 2. The SDT needs to be consistent in its use of "BES" and "BPS" –
both acronyms are used throughout the SDT documents. NRECA strongly prefers the use of "BES"
since that is what NERC standards are written for. 3. Under “Purpose” section of standard, 3rd line,
add “BES” between “impact” and “reliability.” Without making this change the "Purpose" section could
be misconstrued to refer to reliability beyond the BES. 4. In the Background section there is reference
to the Events Analysis Program. Is that the same thing as the Events Analysis Process? Is it
something different? Is it referring to a specific department at NERC? Please clarify in order to reduce
confusion. Also in the Background section there is reference to the Events Analysis Program
personnel. Who is this referring to -- NERC staff in a specific department? Please clarify. 5. In M1
please be specific regarding what “dated” means. 6. In M3 please make it clear that if there wasn’t an
event, this measure is not applicable. 7. In R4 it is not clear what “verify” means. Please clarify. 8. In
Attachment 1 there are references to Critical Asset and Critical Cyber Asset. These terms will likely be
eliminated from the NERC Glossary of Terms when CIP V5 moves forward and is ultimately approved
by FERC. This could create future problems with EOP-004 if CIP V5 is made effective as currently
drafted. 9. In Attachment 1 the one hour timeframe for submitting data for the first 7 items listed is
very tight. Other than being required by the DOE OE-417 form, NRECA requests that the SDT provide
further support for this timeframe. If there are not distinct reasons why 1 hour is the right timeframe
for this, then other timeframes should be explored with DOE. 10. While including Footnote 1 is
appreciated, NRECA is concerned that this footnote will create confusion in the compliance and audit
areas and request the SDT to provide more definitive guidance to help explain what these "Events"
refer to. NRECA has the same comment on Footnote 2 and 3. Specifically in Footnote 3, how do you
clearly determine and audit from a factual standpoint something that “could have damaged” or “has
the potential to damage the equipment?” 11. In the Guideline and Technical Basis section, in the 1st
bullet, how do you determine, demonstrate and audit for something that “may impact” BES reliability?
12. On p. 28, first line, this sentence seems to state that NERC, law enforcement and other entities –
not the responsible entity – will be doing event analysis. My understanding of the current and future
Event Analysis Process is that the responsible entity does the event analysis. Please confirm and
clarify.
Individual
Terry Harbour
MidAmerican Energy
Yes
Yes
No
MidAmerican Energy agrees with the direction of consolidating CIP-001, EOP-004 and portions of CIP-008. However, we have concerns with some of the events included in Attachment 1 and reporting
timelines. EOP-004-2 needs to clearly state that initial reports can be made by a phone call, email or
another method, in accordance with paragraph 674 of FERC Order 706. MidAmerican Energy believes
draft Attachment 1 expands the scope of what must be reported beyond what is required by FERC
directives and beyond what is needed to improve security of the BES. Based on our understanding of
Attachment 1, the category of “damage or destruction of a critical cyber asset” will result in hundreds
or thousands of small equipment failures being reported to NERC and DOE, with no improvement to
security. For example, hard drive failures, server failures, PLC failures and relay failures could all
meet the criteria of “damage or destruction of a critical cyber asset.” We recommend replacing
Attachment 1 and Attachment 2 with the categories and timeframes that are listed in OE-417. This
eliminates confusion between government requirements in OE-417 and NERC standards. Reporting
timelines and reporting form FERC Order 706, paragraph 676, directed NERC to require a responsible
entity to “at a minimum, notify the ESISAC and appropriate government authorities of a cyber
security incident as soon as possible, but, in any event, within one hour of the event, even if it is a
preliminary report.” In paragraph 674, FERC stated that the Commission agrees that, in the
“aftermath of a cyber attack, restoring the system is the utmost priority.” They clarified: “the
responsible entity does not need to initially send a full report of the incident…To report to appropriate
government authorities and industry participants within one hour, it would be sufficient to simply
communicate a preliminary report, including the time and nature of the incident and whatever useful
preliminary information is available at the time. This could be accomplished by a phone call or another
method.” While FERC did not order completion of a full report within one hour in Order 706, the draft
EOP-004 Attachment 1 appears to require submittal of formal reports within one hour for six of the
categories, unless there have been “certain adverse conditions” (in which case, as much information
as is available must be submitted at the time of notification). The Violation Severity Levels are
extreme for late submittal of a report. For example, it would be a severe violation to submit a report
more than three hours following an event for an event requiring reporting in one hour. MidAmerican
Energy suggests incorporating the language from FERC Order 706, paragraph 674, into the EOP-004
reporting requirement to allow preliminary reporting within one hour to be done through a phone call
or another method to allow the responsible entity to focus on recovery and/or restoration, if needed.
MidAmerican Energy agrees with the use of DOE OE-417 for submittal of the full report of incidents
under EOP-004 and CIP-008. We would note there are two parts to this form -- Schedule 1-Alert
Notice, and Schedule 2-Narrative Description. Since OE-417 already requires submittal of a final
report that includes Schedule 2 within 48 hours of the event, MidAmerican Energy believes it is not
necessary to include a timeline for completion of the final report within the EOP-004 standard. We
would note that Schedule 2 has an estimated public reporting burden time of two hours so it is not
realistic to expect Schedule 2 to be completed within one hour. Events included in Attachment 1:
MidAmerican Energy believes draft Attachment 1 expands the scope of what must be reported beyond
what is required by FERC directives and beyond what is needed to improve security of the BES. The
categories listed in Attachment 1 with one-hour reporting timelines cause the greatest concern. None
of these categories are listed in OE-417, and all but the last row would not be considered a Cyber
Security Incident under CIP-008, unless there was malicious or suspicious intent.
MidAmerican proposes eliminating the phrase “with no more than 15 months between reviews” from
R1.5. While we agree this is best practice, it creates the need to track two conditions for the review,
eliminates flexibility for the responsible entity and does not improve security to the Bulk Electric
System. There has not been a directive from FERC to specify the definition of annual within the
standard itself. In conjunction with this comment, the Violation Severity Levels for R4 should be
revised to remove the references to months.
Group
ACES Power Marketing Standards Collaborators
Jean Nitz
No
We understand and agree there should be verification of the information required for such reporting
(contact information, process flow charts, etc). But we still believe improvements can be made to the
draft standard, in particular to requirement R4. The use of the words “or through a drill or exercise”
still implies that training is required if no actual event has occurred. When you conduct a fire “drill”
you are training your employees on evacuation routes and who they need to report to. Not only are
you verifying your process but you are training your employees as well. It is imperative that the
information in the Event Reporting process is correct but we don't agree that performing a drill on the
process is necessary. We recommend modifying the requirement to focus on verifying the information
needed for appropriate communications on an event. And we agree this should take place at least
annually.
No
Requirement R2 requires Responsible Entities to implement the various sub-requirements in R1. We
believe it is unnecessary to state that an entity must implement their Operating Plan in a separate
requirement. Having a separate requirement seems redundant. If the processes in the Operating Plan
are not implemented, the entity is non-compliant with the standard. There doesn’t need to be an
extra requirement saying entities need to implement their Operating Plan.
Yes
For many of the events listed in Attachment 1, there would be duplicate reporting the way it is written
right now. For example, in the case of a fire in a substation (Destruction of BES equipment), the RC,
BA, TO, TOP and perhaps the GO and GOP could all experience the event and each would have to
report on it. This seems quite excessive and redundant. We recommend eliminating this duplicate
reporting.
Individual
Thad Ness
American Electric Power
Yes
No
AEP prefers to avoid requirements that are purely administrative in nature. Requirements should be
clear in their actions of supporting of the BES. For example, we would prefer requirements which
state what is to be expected, and allowing the entities to develop their programs, processes, and
procedures accordingly. It has been our understanding that industry, and perhaps NERC as well,
seeks to reduce the amount of administrative (i.e. document-based) requirements. We are confident
that the appropriate documentation and administrative elements would occur as a natural course of
implementing and adhering to action-based requirements. In light of this perspective, we believe that
R1 and R2 are not necessary, and that R3 would be sufficient by itself. Our comments above
notwithstanding, AEP strongly encourages the SDT to consider that R2 and R3, if kept, be merged
into a single requirement as a violation of R2 would also be a violation of R3. Two violations would
then occur for what is essentially only a single incident. Rather than having both R2 and R3, might R3
be sufficient on its own? R2 is simply a means to an end of achieving R3. If there is a need to
explicitly reference implementation, that could be addressed as part of R1. For example, R1 could
state “Each Responsible Entity shall implement an Operating Plan that includes...” R1 seems
disjointed, as subparts 1.4 and 1.5 (updating and reviewing the Operating Plan) do not align well with
subparts 1.1 through 1.3 which are process related. If 1.4 and 1.5 are indeed needed, we recommend
that they be a part of their own requirement(s). Furthermore, the action of these requirements should
be changed from emphasizing provision(s) of a process to demonstrating the underlying activity. 1.4:
AEP is concerned by the vagueness of requiring provision(s) for updating the Operating Plan for
“changes”, as such changes could occur frequently and unpredictably.
Yes
M4: Recommend removing the text “for events” so that it instead reads “The Responsible Entity shall
provide evidence that it verified the communication process in its Operating Plan created pursuant to
Requirement R1, Part 1.3.” R4: It is not clear to what extent the verification needs to be applied if the
process used is complex and includes a variety of paths and/or tasks. The draft team may wish to
consider changing the wording to simply state ”each Responsible Entity shall test each of the
communication paths in the operating plan”. We also recommend dropping “once per calendar year”
as it is inconsistent with the measure itself which allows for 15 months.
Individual
Guy Andrews
Georgia System Operations Corporation
Yes
Yes
Yes
The ERO and the Regional Entity should not be listed as Responsible Entities. The ERO and the
Regional Entity should not have to meet the requirements of this standard, especially reporting to
itself. Attachment 1 (all page numbers are from the clean draft): Page 20, destruction of BES
equipment: part iii) of the footnote adds damage as an event but the heading is for destruction. Is it
just for destruction? Or is it for damage or destruction? Page 21, Risk to BES equipment: Footnote 3
gives an example where there is flammable or toxic cargo. These are environmental threats.
However, the threshold for reporting is for non-environmental threats. Which is it? Page 21, BES
emergency requiring public appeal for load reduction: A small deficient entity within a BA may not
initiate public appeals. The BA is typically the entity which initiates public appeals when the entire BA
is deficient. The initiating entity should be the responsible entity not the deficient entity. Page 21, BES
emergency requiring manual firm load shedding: If a RC directs a DP to shed load and the DP initiates
manually shedding its load as directed, is the RC the initiating entity? Or is it the DP? Page 22, system
separation (islanding): a DP does not have a view of the system to see that the system separated or
how much generation and load are in the island. Remove DP. Attachment 2 (all page numbers are
from the clean draft): Page 25: fuel supply emergencies will no longer be reportable under the
current draft. Miscellaneous typos and quality issues (all page numbers are from the clean draft):
Page 5, the last paragraph: There are two cases where Parts A or B are referred to. Attachment 1 no
longer has two parts (A & B). Page 27, Discussion of Event Reporting: the second paragraph has a
typo at the beginning of the sentence.
Group
Florida Municipal Power Agency
Frank Gaffney
No
First, we wish to thank the SDT for their hard work and making significant progress in significant
improvements in the standard. We commend the direction that the SDT is taking. There are,
however, a few unresolved issues that cause us to not support the standard at this time. An issue of
possible differences in interpretation between entities and compliance monitoring and enforcement is
the phrase in 1.3 that states “the following as appropriate”. Who has the authority to deem what is
appropriate? The requirements should be clear that the Responsible Entity is the decision maker of
who is appropriate, otherwise there is opportunity for conflict between entities and compliance. In
addition, 1.4 is onerous and burdensome regarding the need to revise the plan within 90 days of
“any” change, especially considering the ambiguity of “other circumstances”. “Other circumstances” is
open to interpretation and a potential source of conflict.
No
Both requirements are to implement the Operating Plan. Hence, R3 should be a bullet under R2 and
not a separate requirement. In addition, for R2, the phrase “actual event” is ambiguous and should
mean: “actual event that meets the criteria of Attachment 1” We suggest the following wording to R2
(which will result in eliminating R3) “Each Responsible Entity shall implement its Operating Plan: • For
actual events meeting the threshold criteria of Attachment 1 in accordance with Requirement R1 parts
1.1, 1.2 and 1.3 • For review and updating of the Operating Plan in accordance with Requirement R1
parts 1.4 and 1.5” Note that we believe that if the SDT decides to not combine R2 and R3, then we
disagree with the distinction between the two requirements. The division of implementing R1 through
R2 and R3 as presented is “implementing” vs. “reporting”. We believe that the correct division should
rather be “implementation” of the plan (which includes reporting) vs. revisions to the plan.
No
The times don’t seem aggressive enough for some of the Events related to generation capacity
shortages, e.g., we would think public appeal, system wide voltage reduction and manual firm load
shedding ought to be within an hour. These are indicators that the BES is “on the edge” and to help
BES reliability, communication of this status is important to Interconnection-wide reliability.
The Rules of Procedure language for data retention (first paragraph of the Evidence Retention section)
should not be included in the standard, but instead referred to within the standard (e.g., “Refer to
Rules of Procedure, Appendix 4C: Compliance Monitoring and Enforcement Program, Section 3.1.4.2
for more retention requirements”) so that changes to the RoP do not necessitate changes to the
standard. In R4, it might be worth clarifying that, in this case, implementation of the plan for an
event that does not meet the criteria of Attachment 1 and going beyond the requirements R2 and R3
could be used as evidence. Consider adding a phrase as such to M4, or a descriptive footnote that in
this case, “actual event” may not be limited to those in Attachment 1. Comments to Attachment 1
table: On “Damage or destruction of Critical Asset” and “… Critical Cyber Asset”, Version 5 of the CIP
standards is moving away from the binary critical/non-critical paradigm to a high/medium/low risk
paradigm. Suggest adding description that if version 5 is approved by FERC, that “critical” would be
replaced with “high or medium risk”, or include changing this standard to the scope of the CIP SDT, or
consider posting multiple versions of this standard depending on the outcome of CIP v5 in a similar
fashion to how FAC-003 was posted as part of the GO/TO effort of Project 2010-07. On “forced
intrusion”, the phrase “at BES facility” is open to interpretation as “BES Facility” (e.g., controversy
surrounding CAN-0016) which would exclude control centers and other critical/high/medium cyber
system Physical Security Perimeters (PSPs). We suggest changing this to “BES Facility or the PSP or
Defined Physical Boundary of critical/high/medium cyber assets”. This change would cause a change
to the applicability of this reportable event to coincide with CIP standard applicability. On “Risk to BES
equipment”, that phrase is open to too wide a range of interpretation; we suggest adding the word
“imminent” in front of it, i.e., “Imminent risk to BES equipment”. For instance, heavy thermal loading
puts equipment at risk, but not imminent risk. Also, “non-environmental” used as the threshold
criteria is ambiguous. For instance, the example in the footnote, if the BES equipment is near railroad
tracks, then trains getting derailed can be interpreted as part of that BES equipment’s “environment”,
defined in Webster’s as “the circumstances, objects, or conditions by which one is surrounded”. It
seems that the SDT really means “non-weather related”, or “Not risks due to Acts of Nature”. On
“public appeal”, in the threshold, the descriptor “each” should be deleted, e.g., if a single event
causes an entity to be short of capacity, do you really want that entity reporting each time they issue
an appeal via different types of media, e.g., radio, TV, etc., or for a repeat appeal every several
minutes for the same event? Should LSE be an applicable entity to “loss of firm load”? As proposed,
the DP is but the LSE is not. In an RTO market, will a DP know what is firm and what is non-firm
load? Suggest eliminating DP from the applicability of “system separation”. The system separation we
care about is separation of one part of the BES from another which would not involve a DP. On
“Unplanned Control Center Evacuation”, CIP v5 might add GOP to the applicability, another reason to
add revision of EOP-004-2 to the scope of the CIP v5 drafting team, or in other ways coordinate this
SDT with that SDT. Consider posting a couple of versions of the standard depending on the outcome
of CIP v5 in a similar fashion to the multiple versions of FAC-003 posted with the GO/TO effort of
Project 2010-07.
Individual
Ed Davis
Entergy Services
Entergy agrees with and supports comments submitted by the SERC OC Standards Review group.
Individual
Margaret McNaul
Thompson Coburn LLP on behalf of Miss. Delta Energy Agency
The first three incident categories designated on Attachment 1 as reportable events should be
modified. As the Standard is currently drafted, each incident category (i.e., destruction of BES
equipment, damage or destruction of Critical Assets, and damage or destruction of Critical Cyber
Assets) requires reporting if the event was due to unintentional human action. For example, under the
reporting criteria as drafted, inadvertently dropping and damaging a piece of computer equipment
designated as a Critical Cyber Asset while moving or installing it would appear to require an event
report within an hour of the incident. MDEA requests that the Drafting Team consider modifying
footnote 1 and each of the first three event categories to reflect that reportable events include only
those that (i) affect an IROL; (ii) significantly affect the reliability margin of the system; or (iii)
involve equipment damage or destruction due to intentional human action that results in the removal
of the BES equipment, Critical Assets, and/or Critical Cyber Assets, as applicable, from service.
Footnote 2 (which now pertains only to the fourth incident category – forced intrusions) should also
apply to the first three event categories. Specifically, responsible entities should report intentional
damage or destruction of BES equipment, damage or destruction of Critical Assets, and damage or
destruction of Critical Cyber Assets if either the damage/destruction was clearly intentional or if
motivation for the damage or destruction cannot reasonably be determined and the damage or
destruction affects the reliability of the BES. Attachment 1 is also unclear to the extent that the
incident category involving reports for the detection of reportable Cyber Security Incidents includes a
reference to CIP-008 as the reporting threshold. While entities in various functional categories (i.e.,
RCs, BAs, TOPs/TOs, GOPs/GOs, and DPs) are listed as being responsible for the reporting of such
events, some entities in these functional categories may not currently be subject to CIP-008. If it is
the Drafting Team’s intent to limit event reports for Cyber Security Incidents to include only
registered entities subject to CIP-008, that clarification should be incorporated into the listing of
entities with reporting responsibility for this incident category in Attachment 1.
Group
Santee Cooper
Terry L. Blackwell
Yes
Yes
Yes
The on-going development of the definition of the BES could have significant impacts on reporting
requirements associated with this standard. The event titled “Risk to the BES” appears to be a catchall event and more guidance needs to be provided on this category. The event titled “Damage or
Destruction of a Critical Asset or Critical Cyber Asset per CIP-002” is ambiguous and further guidance
is recommended. Ambiguity in a standard leaves it open to interpretation for all involved.
Group
Sacramento Municipal Utility District (SMUD)
Joe Tarantino
Yes
Yes
Yes
SMUD and BANC agree with the revised language in EOP-004-1 requirements, but we have identified
the following issues in A-1: We commend the SDT for properly addressing the sabotage issue.
However, additional confusion is caused by introducing term "damage". As "damage" is not a defined
term it would be beneficial for the drafting team to provide clarification for what is meant by
"damage". The threshold for reporting "Each public Appeal for load reduction" should clearly state the
triggering is for the BES Emergency as routine "public appeal" for conservation could be considered a
threshold for the report triggering. Regarding the SOL Violations in Attachment 1 the SOL Violations
should only be those that affect the WECC paths. The SDT made attempts to limit nuisance reporting
related to copper thefts and so on which is supported. However a number of the thresholds identified
in EOP-004-2 Attachment 1 are very low and could congest the reporting process with nuisance
reporting and reviewing.
Individual
Bob Thomas
Illinois Municipal Electric Agency
No
IMEA agrees with the removal of the training requirement, but also believes verification is not a
necessary requirement for this standard; therefore, R4 is not necessary and should be removed.
No
R2 is not necessary, and should be removed. Subrequirement R1.4 is also not necessary and should
be removed.
Yes
With the understanding this is within 24 hrs., and good professional judgment determines the amount
of time to report the event to appropriate parties.
IMEA appreciates this opportunity to comment. IMEA appreciates the SDT's efforts to simplify
reporting requirements by combining CIP-001 with EOP-004. [IMEA encourages NERC to continue
working towards a one-stop-shop to simplify reporting on ES-ISAC.] IMEA supports, and encourages
SDT consideration of, comments submitted by APPA and Florida Municipal Power Agency.
Individual
Kirit Shah
Ameren
No
The current language in the parenthesis of R4 suggests that the training requirement was actually not
removed, in that "a drill or exercise" constitutes training. As documented in the last sentence of the
Summary of Key Concepts section, "The proposed standard deals exclusively with after-the-fact
reporting." We feel that training, even if it is called drills or exercises is not necessary for an after-the-fact report.
No
(1) The new wording while well intentioned, effectively does not add clarity and leads to confusion.
From our perspective, R1, which requires an Operating Plan, which is defined by the NERC glossary
as: "A document that identifies a group of activities that may be used to achieve some goal. An
Operating Plan may contain Operating Procedures and Operating Processes. A company-specific
system restoration plan that includes an Operating Procedure for black-starting units, Operating
Processes for communicating restoration progress with other entities, etc., is an example of an
Operating Plan." (2) Is not a proper location for an after-the-fact reporting standard? In fact it could
be argued that after-the-fact reports in and of themselves do not affect the reliability of the bulk
electric system. (3) But considering the proposed standard as written with the Operating Plan in
requirement R1, and implementation of the Operating Plan in requirement R2 (except the actual
reporting which is in R3) and then R3 which requires implementing the reporting section R1.3, it is
not clear how these requirements can be kept separate in either implementation nor by the CEA. (4)
The second sentence in the second paragraph of “Rationale for R1” states: “The main issue is to make
sure an entity can a) identify when an event has occurred and b) be able to gather enough
information to complete the report.” This is crucial for a Standard like this that is intended to mandate
actions for events that are frequently totally unexpected and beyond normal planning criteria. This
language needs to be added to Attachment 1 by the DSR SDT as explained in the rest of our
comments.
No
(1) By our count there are still six of the nineteen events listed with a one hour reporting requirement
and the rest are all within 24 hour after the occurrence (or recognition of the event). This in our
opinion, is reporting in real-time, which is against one of the key concepts listed in the background
section: "The DSR SDT wishes to make clear that the proposed Standard does not include any real-time operating notifications for the events listed in Attachment 1. Real-time reporting is achieved
through the RCIS and is covered in other standards (e.g. the TOP family of standards). The proposed
standard deals exclusively with after-the-fact reporting." (2) We believe the earliest preliminary report
required in this standard should be at the close of the next business day. Operating Entities, such as the
RC, BA, TOP, GOP, DP, and LSE should not be burdened with unnecessary after-the-fact reporting
while they are addressing real-time operating conditions. Entities should have the ability to allow their
support staff to perform this function during the next business day as needed. We acknowledge it
would not be an undue burden to cc: NERC on other required governmental reports with shorter
reporting timeframes, but NERC should not expand on this practice. (3) We agree with the extension
in reporting times for events that now have 24 hours of reporting time. As a GO there are still too
many potential events that still require a 1 hour reporting time that is impractical, unrealistic and
could lead to inappropriate escalation of normal failures. For example, the sudden loss of several
control room display screens for a BES generator at 2 AM in the morning, with only 1 hour to report
something, might be mistakenly interpreted as a cyber-attack. The reality is most likely something far
more mundane such as the unexpected failure of an instrument transformer, critical circuit board, etc.
Yes. We have the other comments as follow: (1) The "EOP-004 Attachment 1: Events Table" is quite
lengthy and written in a manner that can be quite subjective in interpretation when determining if an
event is reportable. We believe this table should be clear and unambiguous for consistent and
repeatable application by both reliability entities and a CEA. The table should be divided into sections
such as: (a) Events that affect the BES that are either clearly sabotage or suspected sabotage after
review by an entity's security department and local/state/federal law enforcement. (b) Events that
pose a risk to the BES and that clearly reach a defined threshold, such as load loss, generation loss,
public appeal, EEAs, etc. that entities are required to report by the end of the next business day. (c)
Other events that may prove valuable for lessons learned, but are less definitive than required
reporting events. These events should be reported voluntarily and not be subject to a CEA for non-reporting. (d) Events identified through other means outside of entity reporting, but due to their
nature, could benefit the industry by an event report with lessons learned. Requests to report and
perform analysis on these types of events should be vetted through an ERO/Functional Entity process to
ensure resources provided to this effort have an effective reliability benefit. (2) Any event reporting
shall not in any manner replace or inhibit an Entity's responsibility to coordinate with other Reliability
Entities (such as the RC, TOP, BA, GOP as appropriate) as required by other Standards, and good
utility practice to operate the electric system in a safe and reliable manner. (3) The 1 hour reporting
maximum time limit for all GO events in Attachment 1 should be lengthened to something reasonable
– at least 24 hours. Operators in our energy centers are well-trained and if they have good reason to
suspect an event that might have serious impact on the BES will contact the TOP quickly. However,
constantly reporting events that turn out to have no serious BES impact and were only reported for
fear of a violation or self-report will quickly result in a cry wolf syndrome and a great waste of
resources and risk to the GO and the BES. The risk to the GO will be potential fines, and the risk to
the BES will be ignoring events that truly have an impact on the BES. (4) The 2nd and 3rd Events on
Attachment 1 should be reworded so they do not use terms that may have been deleted from the
NERC Glossary by the time FERC approves this Standard. (5) The terms “destruction” and “damage”
are key to identifying reportable events. Neither has been defined in the Standard. The term
destruction is usually defined as 100% unusable. However, the term damage can be anywhere from
1% to 99% unusable and take anywhere from 5 minutes to 5 months to repair. How will we know
what the SDT intended, or an auditor will expect, without additional information? (6)We also do not
understand why “destruction of BES equipment” (first item Attachment 1, first page) must be
reported < 1 hour, but “system separation (islanding) > 100 MW” (Attachment 1, page 3) does not
need to be reported for 24 hours. (7)The first 2 Events in Attachment 1 list criteria Threshold for
Reporting as “…operational error, equipment failure, external cause, or intentional or unintentional
human action.” The term “intentional or unintentional human action” appears to cover “operational
error” so these terms appear redundant and create risk of misreporting. Can this be clarified? (8)The
footnote of the first page of Attachment 1 includes the explanation “…ii) Significantly affects the
reliability margin of the system…” However, the GO is prevented from seeing the system and has no
idea what BES equipment can affect the reliability margin of the system. Can this be clarified by the
SDT? (9) The use of the term “BES equipment” is problematic for a GO. NERC Team 2010-17 (BES
Definition) has told the industry its next work phase will include identifying the interface between the
generator and the transmission system. The 2010-17 current effort at defining the BES still fails to
clearly define whether or not generator tie-lines are part of the BES. In addition, NERC Team 2010-07
may also be assigned the task of defining the generator/transmission interface and possibly whether
or not these are BES facilities. Can the SDT clarify the use of this term? For example, does it include
the entire generator lead-line from the GSU high-side to the point of interconnection? Does it include
any station service transformer supplied from the interconnected BES?
Individual
Linda Jacobson-Quinn
FEUS
Yes
Yes
No
The OE-417 requires several of the events listed in Attachment 1 be reported within 1 hour. FEUS
recommends the drafting team review the events and the OE-417 form and align the reporting
window requirements. For example, public appeals, load shedding, and system separation have a 1
hour requirement in OE-417.
R4 requires verification through a drill or exercise the communication process created as part of R1.3.
Clarification of what a drill or exercise should be considered. In order to show compliance to R4 would
the entity have to send a pseudo event report to Internal Personnel, the Regional Entity, NERC ES-ISAC, Law Enforcement, and Governmental or provincial agencies listed in R1.3 to verify the
communications plan? It would not be a burden on the entity so much, however, I’m not sure the
external parties want to be the recipient of approximately 2000 pseudo event reports annually.
Attachment 1: BES equipment is too vague – consider changing to BES facility and including that
reduces the reliability of the BES in the footnote. Is the footnote an and or an or? Attachment 1:
Version 5 of CIP Requirements remove the terms Critical Asset and Critical Cyber Asset. The drafting
team should consider revising the table to include BES Cyber Systems. Clarify if Damage or
Destruction is physical damage (aka – cyber incidents would be part of CIP-008.) Attachment 1:
Unplanned Control Center evacuation – remove “potential” from the reporting responsibility
Attachment 2 – 3: change to, “Did the event originate in your system?” The requirement only
requires reporting for Events – not potential events. Attachment 2 4: “Damage or Destruction to BES
equipment” should be “Destruction of BES Equipment” like it is in Attachment 1 and “forced intrusion
risk to BES equipment” remove “risk”
Individual
Tom Foreman
Lower Colorado River Authority
Yes
Yes
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report required by the
Event Analysis process, but there is some duplication of efforts. EOP-004 has an “optional” Written
Description section for the event, while the Brief Report requires more detailed information such as a
sequence of events, contributing causes, restoration times, etc. Please clarify whether Registered
Entities will still be required to submit both forms. Please also ensure there will not be duplication of
efforts between the two reports. Although this is fairly minor, the clarification should be addressed.
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting efforts related to
both the proposed Bulk Electric System ("BES") definition changes and CIP Standards Version 5, could
significantly impact the EOP-004-2 reporting requirements. Caution needs to be exercised when
referencing these definitions, as the definition of a BES element could change significantly and the
concepts of “Critical Assets” and “Critical Cyber Assets” no longer exist in Version 5 of the CIP
Standards. Additionally, it is debatable whether the destruction of, for example, one relay would be a
reportable incident given the proposed language. Related to “Reportable Events” of Attachment 1: 1.
The “Purpose” section of the Standard indicates it is designed to require the reporting of events “with
the potential to impact reliability” of the BES. Footnote 1 and the “Threshold for Reporting” associated
with the Event described as “Destruction of BES equipment” expand the reporting scope beyond that
intent. For example, a fan on a generation unit can be destroyed because a plant employee drops a
screwdriver into it. We believe such an event should not be reportable under EOP-004-2. Yet, as
written, a Responsible Entity could interpret that event as reportable (because it would be
“unintentional human action” that destroyed a piece of equipment associated with the BES). If the
goal of the SDT was to include such events, we think the draft Standard goes too far in requiring
reporting. If the SDT did not intend to include such events, the draft Standard should be revised to
make that fact clear. 2. Item iii) in Footnote 1 seems redundant with the Threshold for Reporting. 3.
The word “Significantly” in item ii) of footnote 1 introduces an element of subjectivity. What is
“significant” to one person may not be significant to someone else. 4. The word “unintentional” in
Item iii) of footnote 1 may introduce nuisance reporting. The SDT should consider: (1) changing the
Event description to “Damage or destruction of BES equipment” (2) removing the footnote and (3)
replacing the existing “Threshold for Reporting” with the following language: “Initial indication the
event: (i) was due to intentional human action, (ii) affects an IROL or (iii) in the opinion of the
Responsible Entity, jeopardizes the reliability margin of the system (e.g., results in the need for
emergency actions)” 5. One reportable event is, “Risk to the BES” and the threshold for reporting is,
“From a non-environmental physical threat.” This appears to be intended as a catch-all reportable
event. Due to the subjectivity of this event description, we suggest removing it from the list. 6. One
reportable event is, “Damage or destruction of Critical Asset per CIP-002.” The SDT should define the
term “Damage” in order for an entity to determine a threshold for what qualifies as “Damage” to a
CA. Normal “damage” can occur on a CA that should not be reportable (e.g. the screwdriver example,
above). 7. For the event called “BES Emergency requiring public appeal for load reduction,” the SDT
should make it clear who should report such an event. For example, in the ERCOT Region, there is a
requirement that ERCOT issue public appeals for load reduction (See ERCOT Protocols Section
6.5.9.4). As the draft of EOP-004-2 is currently written, every Registered Entity in the ERCOT Region
would have to file a report when ERCOT issues such an appeal. Such a requirement is overly
burdensome and does not enhance the reliability of the BES. The Standard should require that the
Reliability Coordinator file a report when it issues a public appeal to reduce load. Reporting Thresholds
1. See Paragraph 1 in the “Related to “Reportable Events” of Attachment 1” section, above. 2. We
believe damage or destruction of Critical Assets or CCAs resulting from operational error, equipment
failure or unintentional human action should not be reportable under this Standard. We recommend
changing the thresholds for “Damage or destruction to Critical Assets …” and “Damage or destruction
of a [CCA]” to “Initial Indication the event was due to external cause or intentional human action.” 3.
We support the SDT’s attempt to limit nuisance reporting related to copper thefts. However, a
number of the thresholds identified in EOP-004-2 Attachment 1 are very low and could clog the
reporting process with nuisance reporting and reviewing. An example is the “BES Emergency requiring
manual firm load shedding” of ≥ 100 MW or “Loss of Firm load for ≥ 15 Minutes” that is ≥ 200 MW
(300 MW if the manual demand is greater than 3000 MW). In many cases, those low thresholds would
require reporting minor wind events or other seasonal system issues on a local network used to
provide distribution service. Firm Demand 1. The use of the term “Firm load” in the context of the
draft Standard seems inappropriate. “Firm load” is not defined in the NERC Glossary (although “Firm
Demand” is defined). If the SDT intended to use “Firm Demand,” they should revise the draft
Standard. If the SDT wishes to use the term “Firm load” they should define it. [For example, we
understand that some load agrees to be dropped in an emergency. In fact, in the ERCOT Region, we
have a paid service referred to as “Emergency Interruptible Load Service” (EILS). If the SDT intends
that “Firm load” means load other than load which has agreed to be dropped, it should make that fact
clear.] Comments to Attachment 2 1. The checkbox for “fuel supply emergency” should be deleted
because it is not listed as an Event on Attachment 1. 2. There should be separation between “forced
intrusion” and “Risk to BES equipment.” They are separate Events on Attachment 1. Comments to
Guideline and Technical Basis The last paragraph appears to state NERC will accept an OE-417 form
as long as it contains all of the information required by the NERC form and goes on to state the DOE
form “may be included or attached to the NERC report.” If the intent is for NERC to accept the OE-417
in lieu of the NERC report, this paragraph should be clarified.
Individual
Richard Salgo
NV Energy
Yes
Thank you for responding to the stakeholder comments on this issue.
No
On my read of the Standard, R2 and R3 appear to be duplicative, and I can't really distinguish the
difference between the two. The action required appears to be the same for both requirements. Even
the Measures for these two sound similar. It is not clear to me what it means to "implement" other
than to have evidence of the existence and understanding of roles and responsibilities under the
"Operating Plan." I suggest elimination of R2 and inclusion of a line item in Measure 1 calling for
evidence of the existence of an "Operating Plan" including all the required elements in R1.
Yes
Attachment 1 includes an item "Detection of a reportable cyber security incident." The reporting
requirement is a report via Attachment 2 or the OE417 report form submittal. However, under CIP-008, to which this requirement is linked, the reporting is accomplished via NERC's secure CIPIS
reporting tool. This appears to be a conflict in that the entity is directed to file reporting under CIP-008 that differs from this subject standard. Attachment 1 also includes a provision for reporting the
"loss of firm load greater than or equal to 15 minutes in an amount of 200MW (or 300MW for peaks
greater than 3000MW). This appears to be a rather low threshold, particularly in comparison with the
companion loss of generation reporting threshold elsewhere in the attachment. The volume of reports
triggered by this low threshold will likely lead to an inordinate number of filed reports, sapping NERC
staff time and deflecting resources from more severe events that require attention. I suggest either
an increase in the threshold, or the addition of the qualifier "caused by interruption/loss of BES
facilities" in this reporting item. This qualifier would therefore exclude distribution-only outages that
are not indicative of a BES reliability issue.
Group
SPP Standards Review Group
Robert Rhodes
Yes
Yes
No
The purpose of the reporting requirement should be clear either in the text of the requirements or
through an explanation that is embodied in the language of the approved set of standards. This would
be consistent with a “Results-based” architecture. What is lacking in the proposed language of this
standard is recognition that registered entities differ in size and relevance of their impact on the Bulk
Electric System. Also, events that are reportable differ in their impact on the registered entity. A
“one-size fits all” approach to this standard may cause smaller entities with low impact on the grid to
take extraordinary measures to meet the reporting/timing requirements and yet be too “loose” for
larger more sophisticated and impacting entities to meet the same requirements. Therefore, we
believe language of the standard must clearly state the intent that entities must provide reports in a
manner consistent with their capabilities from a size/reliability impact perspective and from a
communications availability perspective. Timing requirements should allow for differences and
consider these variables. Also, we would suggest including language to specifically exclude situations
where communications facilities may not be available for reporting. For example, in situations where
communications facilities have been lost, initial reports would be due within 6 hours of the restoration
of those communication facilities. We would also suggest that Attachment 1 be broken into two
distinct parts such that those events which must be reported within 1 hour stand out from those
events that have to be reported within 24 hours.
The inclusion of optional entities to which to report events in R1.3 introduces ambiguity into the
standard that we feel needs to be eliminated. We propose the following replacement language for
R1.3: A process for communicating events listed in Attachment 1 to the Electric Reliability
Organization, the Responsible Entity’s Reliability Coordinator and the Responsible Entity’s Regional
Entity. We would also propose to incorporate the law enforcement and governmental or provincial
agencies mentioned in R1.3 in Attachment 1 by adding them to the existing language for each of the
event cells. For example, the first cell in that column would read: The parties identified pursuant to
R1.3 and applicable law enforcement and governmental or provincial agencies within 1 hour of
recognition of event. Similarly, the phrase ‘…and applicable law enforcement and governmental or
provincial agencies…’ should be inserted in all the remaining cells in the 4th column.
Individual
Nathan Mitchell
American Public Power Association
Yes
APPA agrees that removal of the training requirement was an appropriate revision to limit the burden
on small registered entities. However, APPA requests clarification from the SDT on the current draft of
R4. If no event occurs during the calendar year, a drill or exercise of the Operating Plan
communication process is required. APPA believes that if this drill or exercise is required, then it
should be a table top verification of the internal communication process such as verification of phone
numbers and stepping through a Registered Entity specific scenario. This should not be a full drill with
requirements to contact outside entities such as law enforcement, NERC, the RC or other entities
playing out a drill scenario. This full drill would be a major burden for small entities.
Yes
No
APPA echoes the comments made by Central Lincoln: We do not believe the SDT has adequately
addressed the FERC Order to “Consider whether separate, less burdensome requirements for smaller
entities may be appropriate.” The one and 24 hour reporting requirements continue to be
burdensome to the smaller entities that do not maintain 24/7 dispatch centers. The one hour
reporting requirement means that an untimely “recognition” starts the clock and reporting will
become a higher priority than restoration. The note regarding adverse conditions does not help unless
we were to consider the very lack of 24/7 dispatch to be such a condition. APPA recommends the SDT
evaluate a less burdensome requirement for smaller entities with reporting requirements in
Attachment 1. This exception needs to address the fact that not all entities have 24 hour 7 day a
week operating personnel. However, APPA cautions the SDT that changes to this standard may
expose entities to reporting violations on DOE-OE-417 which imposes civil and criminal penalties on
reporting events to the Department of Energy. APPA recommends that the SDT reach out to DOE for
clarification of reporting requirements for DOE-OE-417 for small entities, asking DOE to change their
reporting requirement to match EOP-004-2. If DOE cannot change their reporting requirement the
SDT should provide an explanation in the guidance section of Reliability Standard EOP-004-2 that
addresses these competing FERC/DOE directives.
Requirement R1: 1.3. A process for communicating events listed in Attachment 1 to the Electric
Reliability Organization, the Responsible Entity’s Reliability Coordinator and the following as
appropriate: • Internal company personnel • The Responsible Entity’s Regional Entity • Law
enforcement • Governmental or provincial agencies APPA believes that including the list of other
entities needing to be included in a process for communicating events under 1.3 may open this
requirement up for interpretation. APPA requests that the SDT remove from the requirement the
listing of; “Internal company personnel, The Responsible Entity’s Regional Entity, Law enforcement &
Governmental or provincial agencies” and include these references in a guidance document. The
registered entities need to communicate with the ERO and the RC if applicable for compliance with
this standard and to maintain the reliability of the BES. Communication with other entities such as
internal company personnel, law enforcement and the Regional Entity are expected, but do not impact
the reliability of the BES. This will simplify the reporting structure and will not be burdensome to
registered entities when documenting compliance. If this is not an acceptable solution, APPA suggests
revising 1.3 to remove the wording “the following as appropriate” and add “other entities as
determined by the Responsible Entity. Examples of other entities may include, but are not limited to:”
Then it is clear that the list is examples and should not be enforced by the auditor. 1.4. Provision(s)
for updating the Operating Plan within 90 calendar days of any change in assets, personnel, other
circumstances that may no longer align with the Operating Plan; or incorporating lessons learned
pursuant to Requirement R3. APPA understands that the SDT is following the FERC order requiring a
90 day limit on updates to any changes to the plan. However, APPA believes that “updating the
Operating Plan within 90 calendar days of any change…” is a very burdensome compliance
documentation requirement. APPA reminds the SDT that including DPs in this combined standard has
increased the number of small Responsible Entities that will be required to document compliance.
APPA requests that the SDT combine requirement 1.4 and 1.5 so the Operating Plan will be reviewed
and updated with any changes on a yearly basis. If this is not an acceptable solution, APPA suggests
that the “Lower VSL” exclude a violation to 1.4. The thought being, a violation of 1.4 by itself is a
documentation error and should not be levied a penalty. Attachment 1: Events Table APPA believes
that the intent of the SDT was to mirror the DOE OE-417 criteria in reporting requirements. With the
inclusion of DP in the Applicability, however, APPA believes the SDT created an unintended excessive
reporting requirement for DPs during insignificant events. APPA recommends that a qualifier be added
to the events table. In DOE OE-417 local electrical systems with less than 300MW are excluded from
reporting certain events since they are not significant to the BES. APPA believes that the benefit of
reporting certain events on systems below this value would not outweigh the compliance burden
placed on these small systems. Therefore, APPA requests that the standard drafting team add the
following qualifier to the Events Table of Attachment 1: “For systems with greater than 300MW peak
load.” This statement should be placed in the Threshold for Reporting column for the following Events:
BES Emergency requiring appeal for load reduction, BES Emergency requiring system-wide voltage
reduction, BES Emergency requiring manual firm load shedding, BES Emergency resulting in
automatic firm load shedding. This will match the DOE OE-417 reporting criteria and relieve the
burden on small entities. Definition of “Risk to BES equipment”: The SDT attempted to give examples
of the Event category “Risk to BES equipment” in a footnote. This footnote gives the Responsible
Entity and the Auditor a lot of room for interpretation. APPA suggests that the SDT either define this
term or give a triggering mechanism that the industry would understand. One suggestion would be
“Risk to BES equipment: An event that forces a Facility Owner to initiate an unplanned, non-standard
or conservative operating procedure.” Then list; “Examples include train derailment adjacent to BES
Facilities that either could have damaged the equipment directly or has the potential to damage the
equipment…” This will allow the entity to have an operating procedure linked to the event. If this
suggestion is taken by the SDT then the Reporting column of Attachment 1 needs to be changed to:
“The parties identified pursuant to R1.3 within 1 hour of initiating conservative operating procedures.”
Individual
Angela Summer
Southwestern Power Administration
Yes
No
One hour is not enough time to make these assessments for all of the six items in attachment 1. All
timing requirements should be made the same in order to simplify the reporting process.
Individual
Michelle R D'Antuono
Ingleside Cogeneration LP
Yes
Yes. Ingleside Cogeneration LP agrees that training on an incident reporting operations plan should
be at the option of the entity. However, we recommend that a statement be included in the “Guideline
and Technical Basis” section that encourages drills and exercises be coincident with those conducted
for Emergency Operations. Since front-line operators must send out the initial alert that a reportable
condition exists, such exercises may help determine how to manage their reporting obligations during
the early stages of the troubleshooting process. This is especially true where a notification must be
made within an hour of discovery – a very short time period.
No
Attachment 1 and requirement R3 are written in a manner which would seem to indicate that internal
personnel and law enforcement personnel would have to be copied on the submitted form – either
Attachment 2 or OE-417. We believe the intent is to submit such forms to the appropriate recipients
only (e.g.; the ERO and the DOE). The requirement should be re-written to clarify that this is the
case.
Yes
Yes. Any reporting that is mandated during the first hour of an event must be subject to close
scrutiny. Many of the same resources that are needed to troubleshoot and stabilize the local system
will be engaged in the reporting – which will impair reliability if not carefully applied. We believe that
the ERO should reassess the need for any immediate reporting requirements on a regular basis to
confirm that it provides some value to the restoration process.
We are encouraged that the 2009-01 project team has eliminated duplicate reporting requirements
from multiple organizations and governmental agencies. Ingleside Cogeneration LP believes that there
are further improvements that can be made in this area – as the remaining overlap seems to be a
result of legalities and preferences, not technical issues. We would like to see an ongoing commitment
by NERC for a single process that will consolidate and automate data entry, submission, and
distribution.
Individual
Tim Soles
Occidental Power Services, Inc. (OPSI)
Yes
No
Attachment 1 and R3 require event reports to be sent to the ERO and the entity’s RC and to others
“as appropriate.” Although this gives the entity some discretion, it might also create some “Monday
morning quarterbacking” situations. This is especially true for the one hour reporting situations as
personnel that would be responding to these events are the same ones needed to report the event.
OPSI suggests that the SDT reconsider and clarify reporting obligations with the objective of sending
initial reports to the minimum number of entities on a need-to-know basis.
Yes
Load Serving Entities that do not own or operate BES assets should not be included in the
Applicability. In current posting, the SDT states that it includes LSEs based on CIP-002; however, if
the LSE does not have any BES assets, CIP-002 should also not be applicable, because the LSE could
not have any Critical Assets or Critical Cyber Assets. It is understood that the SDT is trying to comply
with FERC Order 693, Section 460 and 461; however, Section 461 also states “Further, when
addressing such applicability issues, the ERO should consider whether separate, less burdensome
requirements for smaller entities may be appropriate to address these concerns.” A qualifier in the
Applicability of EOP-004-2 that would include only LSEs that own or operate BES assets would seem
appropriate. The proposed CIP-002 Version V has such a qualifier in that it applies to a “Load-Serving
Entity that owns Facilities that are part of any of the following systems or programs designed,
installed, and operated for the protection or restoration of the BES: • A UFLS program required by a
NERC or Regional Reliability Standard • A UVLS program required by a NERC or Regional Reliability
Standard” The SDT should consider the same wording in the Applicability section of EOP-004-2 in
order to be consistent with what will become the standing version of CIP-002 (Version 5).
Group
Dominion
Connie Lowe
Yes
Yes
Yes
Dominion appreciates the changes that have been made to increase the 1 hr reporting time to 24
hours.
There is still inconsistency in Attachment 1 vs. the DOE OE-417 form; in future changes, Dominion
suggests align/rename events similar to that of the ‘criteria for filing’ events listed in the DOE OE-417, by working in coordination with the DOE. Minor comment; in the Background section, the
drafting team refers to bulk power system (redline page 5; 1st paragraph and page 7; 2nd
paragraph) rather than bulk electric system. The note in Attachment 1 states in part that “the
affected Responsible Entity shall notify parties per R1 and …” Dominion believes the correct reference
to be R3. In addition, capitalized terms “Event” and “Event Report” are used in this note. Dominion
believes the terms should be non-capitalized as they are not NERC defined terms. Attachment 1 –
“Detection of a reportable Cyber Security Incident – That meets the criteria in CIP-008”. This
essentially equates the criteria to be defined by the entity in its procedures as required by CIP-008
R1.1., additional clarification should be added in Attachment 1 to make this clear. The last sentence in
Attachment 2 instructions should clarify that the email, facsimile and voice communication methods
are for ERO notification only. Dominion continues to believe that the drill or exercise specified in R4 is
unnecessary. Dominion suggests deleting this activity in the requirement.
Individual
Michael Lombardi
Northeast Utilities
Yes
Yes
Yes
- Incorporate NERC Event Analysis Reporting into this standard. Make the requirements more specific
to functional registrations as opposed to having requirements applicable to “Responsible Entities”. The description of a Transmission Loss Event in Attachment 1 should be clarified to indicate that this
only pertains to the loss of three or more BES elements due to a discrete event at a single point in
time as opposed to a storm/weather event which may last 24 hours or more and cause the loss of
three or more transmission facilities over the course of the weather event.
Group
Southern Company
Antonio Grayson
No
Southern agrees with removing the training requirement of R4 from the previous version of the
standard. However, Southern suggests that drills and exercises are also training and R4 in this
revised standard should be removed in its entirety.
No
These requirements as drafted in this revised standard potentially create a situation where an entity
could be deemed non-compliant for both R2 and R3. For example, if a Responsible Entity included a
reporting obligation in its Operating Plan, and failed to report an event, the Responsible Entity could
be deemed non-compliant for R2 for not “implementing” its plan and for R3 for not reporting the
event to the appropriate entities. A potential solution to address this would be to add Requirement 1,
Part 1.3 to Requirement 2 and remove Requirement 3 in its entirety. We also request clarification on
Measure M3. Which records should have “dated and time-stamped transmittal records to show that
the event was reported”? Some of the communication is handled via face-to-face conversation or
through telephone conversation.
No
Southern requests clarification on one of the entries in Attachment 1. The concern is with the last row
on page 21 of Draft 3. What is the basis for “Voltage deviations”? The Threshold is ±10% sustained
for ≥ 15 minutes. Is the voltage deviation based on the Voltage Schedule for that particular
timeframe, or is it something else (pre-contingency voltage level, nominal voltage, etc.)? In addition,
the second row of Attachment 1 lists “Damage or destruction of a Critical Cyber Asset per CIP-002” as
a reportable event. The threshold includes “…intentional or unintentional human action” and gives us
1 hour to report. The term “damage” may be overly broad and, without definition, is not limited in
any way. If a person mistypes a command and accidentally deletes a file, or renames something, or in
any way changes anything on the CCA in error, then this could be considered “damage” and becomes
a reportable event. The SDT should consider more thoroughly defining what is meant by “damage”.
Should it incorporate the idea that the essential functions that the CCA is performing must be
adversely impacted? Lastly, no event should have a reporting time shorter than at the close of the
next business day. Any reporting of an event that requires a shorter reporting time should only be to
entities that can help mitigate an event such as an RC or other Reliability Entity.
Southern has the following comments: (1) In Requirement R1.4, we request the SDT to clarify what is
meant by the term “assets”? (2) If requirement 4 is not deleted, should we have to test every
possible event described in our Operating Plan or each event listed in Attachment 1 to verify
communications? (3) In the last paragraph of the “Summary of Key Concepts” section on page 6 of
Draft 3, there is a statement that “Real-time reporting is achieved through the RCIS…” The only
reporting required on RCIS by the Standards is for EEAs and TLRs. Please review and modify this
language as needed. (4) Evidence Retention (page 12 of Draft 3): The 3 calendar year reference has
no bearing on a Standard that may be audited on a cycle greater than 3 years. (5) In the NOTE for
Attachment 1 (page 20 of Draft 3), what is meant by “periodic verbal updates” and to whom should
the updates be made? (6) There are Prerequisite Approvals listed in the Implementation Plan. Is it
appropriate to ask industry to vote on this Standard Revision that has a prerequisite approval of
changes in the Rules of Procedure that have not been approved? (7) We believe the reporting of the
events in Attachment 1 has no reliability benefit to the Bulk Electric System. We suggest that
Attachment 1 should be removed.
Individual
Andrew Gallo
City of Austin dba Austin Energy
Yes
Yes
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report required by the
Event Analysis process, but there is some duplication of efforts. EOP-004 has an “optional” Written
Description section for the event, while the Brief Report requires more detailed information such as a
sequence of events, contributing causes, restoration times, etc. Please clarify whether Registered
Entities will still be required to submit both forms. Please also ensure there will not be duplication of
efforts between the two reports. Although this is fairly minor, the clarification should be addressed.
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting efforts related to
both the proposed Bulk Electric System ("BES") definition changes and CIP Standards Version 5 could
significantly impact the EOP-004-2 reporting requirements. Caution needs to be exercised when
referencing these definitions, as the definition of a BES element could change significantly and the
concepts of “Critical Assets” and “Critical Cyber Assets” no longer exist in Version 5 of the CIP
Standards. Additionally, it is debatable whether the destruction of, for example, one relay would be a
reportable incident given the proposed language. Related to “Reportable Events” of Attachment 1: 1.
The “Purpose” section of the Standard indicates it is designed to require the reporting of events “with
the potential to impact reliability” of the BES. Footnote 1 and the “Threshold for Reporting” associated
with the Event described as “Destruction of BES equipment” expand the reporting scope beyond that
intent. For example, a fan on a generation unit can be destroyed because a plant employee drops a
screwdriver into it. We believe such an event should not be reportable under EOP-004-2. Yet, as
written, a Responsible Entity could interpret that event as reportable (because it would be
“unintentional human action” that destroyed a piece of equipment associated with the BES). If the
goal of the SDT was to include such events, we think the draft Standard goes too far in requiring
reporting. If the SDT did not intend to include such events, the draft Standard should be revised to
make that fact clear. 2. Item iii) in Footnote 1 seems redundant with the Threshold for Reporting. 3.
The word “Significantly” in item ii) of footnote 1 introduces an element of subjectivity. What is
“significant” to one person may not be significant to someone else. 4. The word “unintentional” in
Item iii) of footnote 1 may introduce nuisance reporting. The SDT should consider: (1) changing the
Event description to “Damage or destruction of BES equipment” (2) removing the footnote and (3)
replacing the existing “Threshold for Reporting” with the following language: “Initial indication the
event: (i) was due to intentional human action, (ii) affects an IROL or (iii) in the opinion of the
Responsible Entity, jeopardizes the reliability margin of the system (e.g., results in the need for
emergency actions)” 5. One reportable event is “Risk to the BES” and the threshold for reporting is,
“From a non-environmental physical threat.” This appears to be intended as a catch-all reportable
event. Due to the subjectivity of this event description, we suggest removing it from the list. 6. One
reportable event is “Damage or destruction of Critical Asset per CIP-002.” The SDT should define the
term “Damage” in order for an entity to determine a threshold for what qualifies as “Damage” to a
CA. Normal “damage” can occur on a CA that should not be reportable (e.g. the screwdriver example,
above). 7. For the event called “BES Emergency requiring public appeal for load reduction,” the SDT
should make it clear who should report such an event. For example, in the ERCOT Region, there is a
requirement that ERCOT issue public appeals for load reduction (See ERCOT Protocols Section
6.5.9.4). As the draft of EOP-004-2 is currently written, every Registered Entity in the ERCOT Region
would have to file a report when ERCOT issues such an appeal. Such a requirement is overly
burdensome and does not enhance the reliability of the BES. The Standard should require that the
Reliability Coordinator file a report when it issues a public appeal to reduce load. Reporting Thresholds
1. See Paragraph 1 in the “Related to 'Reportable Events' of Attachment 1” section, above. 2. We
believe damage or destruction of Critical Assets or CCAs resulting from operational error, equipment
failure or unintentional human action should not be reportable under this Standard. We recommend
changing the thresholds for “Damage or destruction of Critical Asset…” and “Damage or destruction of
a [CCA]” to “Initial Indication the event was due to external cause or intentional human action.” 3.
We support the SDT’s attempt to limit nuisance reporting related to copper thefts. However, a
number of the thresholds identified in EOP-004-2 Attachment 1 are very low and could clog the
reporting process with nuisance reporting and reviewing. An example is the “BES Emergency requiring
manual firm load shedding” of ≥ 100 MW or “Loss of Firm load for ≥ 15 Minutes” that is ≥ 200 MW
(300 MW if the manual demand is greater than 3000 MW). In many cases, those low thresholds would
require reporting minor wind events or other seasonal system issues on a local network used to
provide distribution service. Firm Load 1. The use of the term “Firm load” in the context of the draft
Standard seems inappropriate. “Firm load” is not defined in the NERC Glossary (although “Firm
Demand” is defined). If the SDT intended to use “Firm Demand,” they should revise the draft
Standard to use that language. If the SDT wishes to use the term “Firm load” they should define it.
[For example, we understand that some load agrees to be dropped in an emergency. In fact, in the
ERCOT Region, we have a paid service referred to as “Emergency Interruptible Load Service” (EILS).
If the SDT intends that “Firm load” means load other than load which has agreed to be dropped, it
should make that fact clear.] Comments to Attachment 2 1. The checkbox for “fuel supply
emergency” should be deleted because it is not listed as an Event on Attachment 1. 2. There should
be separation between “forced intrusion” and “Risk to BES equipment.” They are separate Events on
Attachment 1. Comments to Guideline and Technical Basis The last paragraph appears to state NERC
will accept an OE-417 form as long as it contains all of the information required by the NERC form and
goes on to state the DOE form “may be included or attached to the NERC report.” If the intent is for
NERC to accept the OE-417 in lieu of the NERC report, this paragraph should be clarified.
Group
FirstEnergy
Sam Ciccone
Yes
FirstEnergy supports this removal and thanks the drafting team.
Yes
Yes
Although we agree with the timeframes for reporting, we have other concerns as listed in our
response to Question 4.
1. Attachment 1 – Regarding the 1st event listed in the table, “Destruction of BES Equipment” and its
accompanying Footnote 1, we believe that this event should be broken into two separate events that
incorporate the specifics in the footnote as follows: a. “Destruction of BES equipment that is associated
with an IROL per FAC-014-2.” Regarding the 1st event we have proposed – We have proposed this be
made specific to IROL as stated in Footnote 1 part i. Also, we believe that only the RC and TOP would
have the ability to quickly determine and report within 1 hour if the destruction is associated with an
IROL. The other entities listed would not necessarily know if the event affects an IROL. Therefore,
we also propose that the Entities with Reporting Responsibilities (column 2) be revised to only include
the RC and TOP. b. "Destruction of BES equipment that removes the equipment from service.”
Regarding the 3rd event we have proposed – We have proposed this be made specific to destruction
of BES equipment that removes the equipment from service as stated in Footnote 1 part iii. Also, the
other part of footnote 1 part iii which states “Damaged or destroyed due to intentional or
unintentional human action” is not required since it is covered in the threshold for reporting. Also the
term “Damaged” in this part iii is not appropriate since these events are limited to equipment that has
been destroyed. We also propose that the Entities with Reporting Responsibilities (column 2) for this
event would remain the same as it states now since any of those entities may observe out of service
BES equipment. Regarding part ii of footnote 1, we do not believe that this event needs to be
separated. Regarding the phrase “significantly affects the reliability margin of the system” be clarified
so that it is not left up to the entity to interpret a “significant” effect. Lastly, since we have
incorporated parts i and iii into the two separate events and removed part ii as proposed above, the
only statement that needs to be left in the Footnote 1 is: “Do not report copper theft from BES
equipment unless it degrades the ability of equipment to operate correctly (e.g., removal of
grounding straps rendering protective relaying inoperative).” 2. Attachment 1 – We ask that the team
add an “Event #” column to the table so that each of the events listed can be referred to by #, such
as Event 1, Event 2, etc. 3. Attachment 1 – Event titled “Damage or destruction of a Critical Cyber
Asset per CIP-002”, the proposed threshold for reporting seems incomplete. We suggest the threshold
for this event match the threshold for the Critical Asset event which states: “Initial indication the
event was due to operational error, equipment failure, external cause, or intentional or unintentional
human action.” 4. Attachment 1 – Events titled “Damage or destruction of a Critical Asset per CIP-002” and “Damage or destruction of a Critical Cyber Asset per CIP-002” seem ambiguous due to the
term “damage”. We suggest removal of “damage” or clarity as to what is considered a damaged
asset. 5. VSL Table – Instead of listing every entity, it may be more efficient to simply say “The
Responsible Entity” in the VSL for each requirement. 6. Guideline and Technical Basis section – This
section does not provide guidance on each of the requirements of the standard. We suggest the team
consider adding guidance for the requirements.
Group
PPL Electric Utilities and PPL Supply Organizations
Annette M. Bannon
Yes
Yes
Our comments center around the footnotes and events 'Destruction of BES equipment' and 'Loss of
Off-site power to a nuclear generating plant'. We request the SDT consider adding a statement to the
standard that acknowledges that not all registered entities have visibility to the information in the
footnotes. E.G. Destruction of BES equipment. A GO/GOP does not necessarily know if loss of specific
BES equipment would affect any IROL and therefore would not be able to consider this criteria in its
reporting decision. Loss of BES equipment would be reported to the BA/RC and the BA/RC would
know of an IROL impact and the BA/RC is the appropriate entity to report. We request the SDT
consider the information in the footnotes for inclusion in the table directly. Consider Event
'Destruction of BES equipment'. Is footnote 1 a scoping statement? Is it part of the threshold? Is it
the impact? Is it defining Destruction? If the BES equipment was destroyed by weather and does not
affect an IROL, then is no report needed? Alternatively, do you still apply the threshold and say it
was external cause and therefore report? We suggest including a flowchart on how to use Attachment
1 with an example. The flowchart would explain the order in which to consider the event and the
threshold, and footnotes if they remain. Regarding Attachment 1 Footnote 1 'do not report copper
theft...unless it degrades the ability of equipment to operate correctly.', is this defining destruction as
not operating correctly? Or is the entirety of footnote 1 a definition of destruction? Regarding
Attachment 1 Footnote 1, iii, we request this be changed for consistency with the Event and suggest
removing damage from the footnote. i.e. The event is 'destruction' whereas the footnote says
'damaged or destroyed'. The standard does not provide guidance on damage vs destruction which
could lead to differing reporting conclusions. Is the reporting line out of service, beyond repair, or is it
timeframe based? Regarding Attachment 1 Footnote 2 ' to steal copper... unless it affects the
reliability of the BES', is affecting the reliability of the BES a consideration in all the events? PPL
believes this is the case and requests this statement be made. This could be included in the flowchart
as a decision point. Regarding Event 'Loss of Off-site power to a nuclear generating plant', the
threshold for reporting does not designate if the off-site loss is planned and/or unplanned – or if the
reporting threshold includes the loss of one source of off-site power or is the reporting limited to when
all off-site sources are unavailable. PPL recommends the event be ‘Total unplanned loss of offsite
power to a nuclear generating plant (grid supply)’ Thank you for considering our comments.
Group
CenterPoint Energy
John Brockhan
Yes
No
CenterPoint Energy believes the current R2 is unnecessary and duplicative. Upon reporting events as
required by R3, entities will be implementing the relevant parts of their Operating Plan that address
R1.1 and R1.2. This duplication is clear when reading M2 and M3. Acceptable evidence is an event
report. R2 should be modified to remove this duplicative requirement.
No
CenterPoint Energy agrees with the revision that allows more time for reporting some events;
however, some 1 hour requirements remain. The Company does not agree with this timeframe for
any event.
CenterPoint Energy appreciates the SDT’s consideration of comments and removal of the term,
Impact Event. However, the Company still suggests removing the phrase “with the potential to
impact” from the purpose as it is vast and vague. An alternative purpose would be "To improve
industry awareness and the reliability of the Bulk Electric System by requiring the reporting of events
that impact reliability and their causes if known". The focus should remain on those events that truly
impact the reliability of the BES. CenterPoint Energy remains very concerned about the types of
events that the SDT has retained in Attachment 1 as indicated in the following comments: Destruction
of BES Equipment – The loss of BES equipment should not be reportable unless the reliability of the
BES is impacted. Footnote 5, iii should be modified to tie the removal of a piece of equipment from
service back to reliability of the BES. Risk to BES equipment: This Event is too vague to be
meaningful and should be deleted. The Event should be modified to “Detection of an imminent
physical threat to BES equipment”. Any reporting time frame of 1 hour is unreasonable; Entities will
still be responding to the Event and gathering information. A 24 hour reporting time frame would be
more reasonable and would still provide timely information. System Separation: The 100 MW
threshold is too low for a reliability impact. A more appropriate threshold is 500 MW. Loss of
Monitoring or all voice communication capability: The two elements of this Event should be separated
for clarity as follows: “Loss of monitoring of Real-Time conditions” and “Loss of all voice
communication capability.”
Individual
James Sauceda
Energy Northwest - Columbia
Yes
Yes
No
Energy Northwest - Columbia (ENWC) has concerns about the existing 1 hour reporting requirements
and feels that additional guidance and verbiage is required for clarification. ENWC would like the word
"recognition" in the statement that reads, "recognition of events," be replaced by "confirmation" as in
"confirmed event." Also, we would like clarification as to when the 1 hour clock starts. Please consider
changing recognition in "within 1 hour of recognition of event" and incorporating in "confirmation."
1. The Loss of Off-site power event criteria is much improved from the last draft of EOP 004-2;
however, some clarification is needed to more accurately align with NERC Standard NUC-001 in both
nomenclature and intent. Specifically, there are many different configurations supplying offsite power
to a nuclear power plant and it is essential that all configurations be accounted for. As identified in the
applicability section of NUC-001 the applicable transmission entities may include one or more of the
following (TO, TOP, TP, TSP, BA, RC, PC, DP, LSE, and other non-nuclear GO/GOPs). Based on the
response to previous comments submitted for Draft 2, Energy Northwest understands that the DSR
SDT evaluated the use of the word “source” but dismissed the use in favor of “supply” with the
justification “[that] ‘supply’ encompasses all sources”. Energy Northwest suggests that the word
“source” is used as the event criteria in EOP-004-2 as this nomenclature is commonly used in the
licensing basis of a nuclear power plant. By revising the threshold criteria to “one or more” Energy
Northwest believes the concern the DSR SDT noted is addressed and ensures all sources are
addressed. In addition, by revising the threshold for reporting to a loss of “one or more” will ensure
that all potential events (regardless of configuration of off-site power supplies) will be reported by any
applicable transmission entity specifically identified in the nuclear plant site specific NPIRs. Energy
Northwest proposes that the loss of an off-site power source be revised to an “unplanned” loss to
account for planned maintenance that is coordinated in advance in accordance with the site specific
NPIRs and associated Agreements. This will also eliminate unnecessary reporting for planned
maintenance. Although the loss of one off-site power source may not result in a nuclear generating
unit trip, Energy Northwest agrees that an unplanned loss of an off-site power source regardless of
impact should be reported within the 24 hour time limit as proposed. Suggest that the Loss of Offsite
power to a nuclear generating plant event be revised as follows: Event: Unplanned loss of any off-site
power source to a Nuclear Power Plant Entity with Reporting Responsibility: The applicable
Transmission Entity that owns and/or operates the off-site power source to a Nuclear Power Plant as
defined in the applicable Nuclear Plant Interface Requirements (NPIRs) and associated Agreements.
Threshold for Reporting: Unplanned loss of one or more off-site power sources to a Nuclear Power
Plant per the applicable NPIRs. 2. Please consider changing "Operating Plan" with "Procedure(s)".
Procedures extend beyond operating groups and provide guidance to the entire company.
Group
Electric Compliance
Tom McElhinney
Yes
Yes
Yes
The concepts of “Critical Assets” and “Critical Cyber Assets” no longer exist in Version 5 of the CIP
Standards and so this may cause confusion. Recommend modifying to be in accordance with Version
5. Additionally, it is debatable whether the destruction of, for example, one relay would be a
reportable incident given the proposed language. We recommend modifying the language to ensure
nuisance reporting is minimized. One reportable event is, “Risk to the BES” and the threshold for
reporting is, “From a non-environmental physical threat.” This appears to be a catch-all reportable
event. Due to the subjectivity of this event description, we suggest removing it from the list. Footnote
1 and the “Threshold for Reporting” associated with the Event described as “Destruction of BES
equipment” expand the reporting scope. For example, a fan on a transformer can be destroyed
because a technician drops a screwdriver into it. We believe such an event should not be reportable
under EOP-004-2. Yet, as written, a Responsible Entity could interpret that event as reportable
(because it would be “unintentional human action” that destroyed a piece of equipment associated
with the BES). If the goal of the SDT was to include such events, we think the draft Standard goes too
far in requiring reporting. If the SDT did not intend to include such events, the draft Standard should
be revised to make that fact clear. Proposed Footnote: BES equipment that becomes damaged or
destroyed due to intentional or unintentional human action which removes the BES equipment from
service that i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has
the potential to result in the need for emergency actions); iii). Do not report copper theft from BES
equipment unless it degrades the ability of equipment to operate correctly (e.g., removal of
grounding straps rendering protective relaying inoperative). The word “Significantly” in item ii) of
footnote 1 and “as appropriate” in section 1.3 introduces elements of subjectivity. What is
“significant” or “appropriate” to one person may not be to someone else. In section 1.4, we believe
that revising the plan within 90 days of “any” change should be changed to 180 days or else classes
of events should be made so that only substantial changes are required to be made within the 90 day
timeframe.
Individual
Scott Berry
Indiana Municipal Power Agency
No
IMPA does not believe that R4 is necessary. In addition, if a drill or exercise is used to verify the
communication process, some of the parties listed in R1.3 may not want to participate in the drill or
exercise every 15 months, such as law enforcement and governmental agencies. IMPA would propose
contacting these agencies every 15 months to verify their contact information only and updating
their information in the plan as needed, without performing a drill or exercise.
No
Both requirements seem to be implementing the Operating Plan which means R3 should be a bullet
under R2 and not a separate requirement. IMPA supports making R2 and R3 one requirement and
eliminating the current R3 requirement. In addition, R2 needs to be clarified when addressing an
actual event. IMPA recommends saying “an actual event that meets the criteria of Attachment 1.”
No
IMPA believes that some of the times may not be aggressive enough that are related to generation
capacity shortages. In addition, IMPA believes clarity needs to be added when saying within 1 hour of
recognition of event. For example, a fence cutting may not be discovered for days at a remote
substation and then a determination has to be made if it was “forced intrusion” – Does that one hour
apply once the determination is made that it was “forced intrusion” or from the time the discovery
was made? Some of the 1 hour time limits can be expanded to allow for more time, such as forced
intrusion, destruction of BES equipment, Risk to BES equipment, etc.
Many of the items listed in Attachment 1 are onerous and burdensome when it comes to making
judgments or determinations. What one may consider “Risk to BES equipment” another person may
not make the same determination. Clarity needs to be added to make the events easier to determine
and that will result in less issues when it comes to compliance audits. IMPA does not understand the
usage of the terms Critical Asset and Critical Cyber Asset as they will be retired with CIP version 5.
IMPA believes the data retention requirements are way too complicated and need to be simplified. It
seems like it would be less complicated if one data retention period applied to all data associated with
this standard. On “public appeal”, in the threshold, the descriptor “each” should be deleted, e.g., if a
single event causes an entity to be short of capacity, do you really want that entity reporting each
time they issue an appeal via different types of media, e.g., radio, TV, etc., or for a repeat appeal
every several minutes for the same event?
Individual
Maggy Powell
Constellation Energy on behalf of Baltimore Gas & Electric, Constellation Power Generation,
Constellation Energy Commodities Group, Constellation Control and Dispatch, Constellation
NewEnergy and Constellation Energy Nuclear Group.
Yes
Yes, we support removal of the training requirement.
Yes
While we support the delineation of the different activities associated with implementation and
reporting, further clarification would be helpful. R1. 1.3: As currently written, it is somewhat
confusing, in particular the use of the qualifier “as appropriate”. In addition, the use of the word
“communicating” to capture both reporting to reliability authorities and notifying others may leave the
requirement open to question. Below is a proposed revision: 1.3 A process for reporting events listed
in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator
and for communicating to others as defined in the Responsible Entity’s Operating Plan, such as: •
Internal company personnel • The Responsible Entity’s Regional Entity • Law Enforcement •
Government or provincial agencies R1, 1.4: the last phrase of the requirements seems to be leftover
from an earlier version. The requirement should end after the word “Plan”. R1, 1.5: “Process” should
not be capitalized. While we understand the intent of the draft language and appreciate the effort to
streamline the requirements, we propose an adjusted delineation below that we feel tracks more
cleanly to the structure of a compliance program. Proposed revised language: R2. Each Responsible
Entity shall implement its Operating Plan to meet Requirement R1, parts 1.1 and 1.2 for an actual
event(s). M2. Responsible Entities shall provide evidence that it implemented its Operating Plan to
meet Requirement R1, Parts 1.1 and 1.2 for an actual event. Evidence may include, but is not limited
to, a submitted event report form (Attachment 2) or a submitted OE-417 report, operator logs, or
voice recording. R3. Each Responsible Entity shall implement its Operating Plan to meet Requirement
R1, parts 1.4 and 1.5. M3. Responsible Entities shall provide evidence that it implemented its
Operating Plan to meet Requirement R1, Parts 1.4 and 1.5. Evidence may include, but is not limited
to, dated documentation of review and update of the Operating Plan. R4. Each Responsible Entity
shall verify (through implementation for an actual event, or through a drill, exercise or table top
exercise) the communication process in its Operating Plan, created pursuant to Requirement 1, Part
1.3, at least annually (once per calendar year), with no more than 15 calendar months between
verification. M4. The Responsible Entity shall provide evidence that it verified the communication
process in its Operating Plan for events created pursuant to Requirement R1, Part 1.3. Either
implementation of the communication process as documented in its Operating Plan for an actual event
or documented evidence of a drill, exercise, or table top exercise may be used as evidence to meet
this requirement. The time period between verification shall be no more than 15 months. Evidence
may include, but is not limited to, operator logs, voice recordings, or dated documentation of a
verification.
Yes
We agree with the change to the reporting times in Attachment 1. While this is an improvement,
other concerns with the language in the events table language remain. Please see additional details
below:
General items:
• All submission instructions (column 4 in Events Table) should qualify the recognition of the event
as “of recognition of event as a reportable event.”
• Is the ES-ISAC the appropriate contact for the ERO given that these two entities are separate even
though they are currently managed by NERC? In addition, are the phone numbers in the Attachment 1
NOTE accurate? Is it possible they will change in a different cycle than the standard?
Specific Event Language:
• Destruction of BES Equipment, footnote: Footnote 1, item iii confuses the clarification added in
items i. and ii. Footnote 1 should be modified to state BES equipment that (i) an entity knows will
affect an IROL or has been notified the loss affects an IROL; (ii) significantly affects the reserve
margin of a Balancing Authority or Reserve Sharing Group. Item iii should be dropped.
• Damage or destruction of Critical Asset per CIP-002: Within the currently developing revisions to
CIP-002 (version 5), Critical Asset will be retired as a glossary term. As well as addressing the
durability of this event category, additional delineation is needed regarding which asset
disruptions are to be reported. A CA as currently defined incorporates assets in a broad
perspective, for instance a generating plant may be a Critical Asset. As currently written in
Attachment 1, reporting may be required for unintended events, such as a boiler leak that takes a
plant offline for a minor repair. Event #1 – Destruction of BES Equipment – captures incidents at
the relevant equipment regardless of whether they are a Critical Asset or not. We recommend dropping
this event. However, if reference to CIP-002 assets remains, it will be important to capture
reporting of the events relevant to reliability and not just more events.
• Damage or destruction of a Critical Cyber Asset per CIP-002: Because CCAs are defined at the
component level, including this trigger is appropriate; however, as with CAs, the CCA term is
scheduled to be retired under CIP-002 version 5.
• Forced Intrusion: The footnote confuses the goal of including this event category. In addition,
“forced” doesn’t need to define the incident. Constellation proposes the following to better define
the event:
Intrusion that affects or attempts to affect the reliable operation of the BES (1)
(1) Examples of "affecting reliable operation of the BES are": (i) device operations, (ii)
protective equipment degradation, (iii) communications systems degradation including telemetered
values and device status.
• Risk to BES equipment: This category is too vague to be effective and the footnote further
complicates the expectations around this event. The catch all concept of reporting potential risks
to BES equipment is problematic. It’s not clear what the reliability goal of this category is. Risk
is not an event, it is an analysis. How are entities to comply with this “event”, never mind within
an hour? It appears that the information contemplated within this scenario would be better captured
within the greater efforts underway by NERC to assess risks to the BES. This event should be removed
from the Attachment 1 list in EOP-004.
• BES Emergency requiring system-wide voltage reduction: the Entity with Reporting Responsibility
should be limited to RC and TOP.
• Voltage deviations on BES Facilities: The Threshold for Reporting language needs more detail to
explain +/- 10% of what? Proposed revision: ± 10% outside the voltage schedule band sustained for
≥ 15 continuous minutes
• IROL Violation (all Interconnections) or SOL Violation (WECC only): Should “Interconnections” be
capitalized?
• Transmission loss: The reporting threshold should provide more specifics around what constitutes
Transmission Facilities. One minor item, under the Threshold for Reporting, “Three” does not need to
be capitalized.
Background Section: The background section in this revision of EOP-004 reads more like guidance
than a background of the development of the event reporting standard. Because the background
remains as part of the standard, the language raises questions as to the role it plays relative to the
standard language. For instance, the Law Enforcement Reporting section states: “Entities rely upon
law enforcement agencies to respond to and investigate those events which have the potential to
impact a wider area of the BES.” It’s not clear how “potential to impact to a wider area of the BES” is
defined and where it fits into the standard. As well, and perhaps more problematic, is the Reporting
Hierarchy for Reportable Events flow chart. While the flow chart concept is quite useful as a guidance
tool, the flow chart currently in the Background raises questions. For instance, the Procedure to
Report to Law Enforcement sequence does not map to language in the requirements. Further, Entities
would not know about the interaction between law enforcement agencies. Please see additional
recommended revisions to the requirement language and to the Events Table in the Q2 and Q3
responses. Attachment 2: Event Reporting Form: The review of the form is one of the many aspects
to compare with the developments within the Events Analysis Process (EAP) developments. We
support the effort to create one form for submissions. The recent draft EAP posted as part of Planning
Committee and Operating Committee agendas includes a form requiring a few bits of additional
relevant information when compared to the EOP-004 form. This may be a valuable approach to avoid
follow up inquiries that may result if the form is too limited. We suggest that consideration be given
to the proposed EAP form. One specific note on the Proposed EOP-004 Attachment 2: The “Potential
event” box in item 3 should be eliminated to track with the removal of the “Risk to the BES” category.
Group
Salt River Project
Brenton Lopez
Yes
Yes
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report required by the
NERC Event Analysis process, but there is some duplication of efforts. EOP-004 has an “optional”
Written Description section for the event, while the Brief Report requires more detailed information
such as a sequence of events, contributing causes, restoration times, etc. Please clarify whether
Registered Entities will still be required to submit both forms. Please also ensure there will not be
duplication of efforts between the two reports. Although this is fairly minor, the clarification should be
addressed.
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting efforts related to
both the proposed Bulk Electric System ("BES") definition changes and CIP Standards Version 5, could
significantly impact the EOP-004-2 reporting requirements. Caution needs to be exercised when
referencing these definitions, as the definition of a BES element could change significantly and the
concepts of “Critical Assets” and “Critical Cyber Assets” no longer exist in Version 5 of the CIP
Standards. Additionally, it is debatable whether the destruction of, for example, one relay would be a
reportable incident given the proposed language.
Related to “Reportable Events” of Attachment 1:
1. The “Purpose” section of the Standard indicates it is designed to require the reporting of events
“with the potential to impact reliability” of the BES. Footnote 1 and the “Threshold for Reporting”
associated with the Event described as “Destruction of BES equipment” expand the reporting scope
beyond that intent. For example, a fan on a generation unit can be destroyed because a plant employee
drops a screwdriver into it. We believe such an event should not be reportable under EOP-004-2. Yet,
as written, a Responsible Entity could interpret that event as reportable (because it would be
“unintentional human action” that destroyed a piece of equipment associated with the BES). If the
goal of the SDT was to include such events, we think the draft Standard goes too far in requiring
reporting. If the SDT did not intend to include such events, the draft Standard should be revised to
make that fact clear.
2. Item iii) in Footnote 1 seems redundant with the Threshold for Reporting.
3. The word “Significantly” in item ii) of footnote 1 introduces an element of subjectivity. What is
“significant” to one person may not be significant to someone else.
4. The word “unintentional” in Item iii) of footnote 1 may introduce nuisance reporting. The SDT
should consider: (1) changing the Event description to “Damage or destruction of BES equipment” (2)
removing the footnote and (3) replacing the existing “Threshold for Reporting” with the following
language: “Initial indication the event: (i) was due to intentional human action, (ii) affects an
IROL or (iii) in the opinion of the Responsible Entity, jeopardizes the reliability margin of the
system (e.g., results in the need for emergency actions)”
5. One reportable event is, “Risk to the BES” and the threshold for reporting is, “From a
non-environmental physical threat.” This appears to be intended as a catch-all reportable event. Due
to the subjectivity of this event description, we suggest removing it from the list.
6. One reportable event is, “Damage or destruction of Critical Asset per CIP-002.” The SDT should
define the term “Damage” in order for an entity to determine a threshold for what qualifies as
“Damage” to a CA. Normal “damage” can occur on a CA that should not be reportable (e.g. the
screwdriver example, above).
Reporting Thresholds
1. We believe damage or destruction of Critical Assets or CCAs resulting from operational error,
equipment failure or unintentional human action should not be reportable under this Standard. We
recommend changing the thresholds for “Damage or destruction to Critical Assets …” and “Damage or
destruction of a [CCA]” to “Initial Indication the event was due to external cause or intentional
human action.”
2. We support the SDT’s attempt to limit nuisance reporting related to copper thefts. However, a
number of the thresholds identified in EOP-004-2 Attachment 1 are very low and could clog the
reporting process with nuisance reporting and reviewing. An example is the “BES Emergency requiring
manual firm load shedding” of ≥ 100 MW or “Loss of Firm load for ≥ 15 Minutes” that is ≥ 200 MW
(300 MW if the manual demand is greater than 3000 MW). In many cases, those low thresholds would
require reporting minor wind events or other seasonal system issues on a local network used to
provide distribution service.
Firm Demand
1. The use of the term “Firm load” in the context of the draft Standard seems inappropriate. “Firm
load” is not defined in the NERC Glossary (although “Firm Demand” is defined). If the SDT intended to
use “Firm Demand,” they should revise the draft Standard. If the SDT wishes to use the term “Firm
load” they should define it. [For example, we understand that some load agrees to be dropped in an
emergency. In fact, in the ERCOT Region, we have a paid service referred to as “Emergency
Interruptible Load Service” (EILS). If the SDT intends that “Firm load” means load other than load
which has agreed to be dropped, it should make that fact clear.]
Comments to Attachment 2
1. The checkbox for “fuel supply emergency” should be deleted because it is not listed as an Event
on Attachment 1.
2. There should be separation between “forced intrusion” and “Risk to BES equipment.” They are
separate Events on Attachment 1.
Comments to Guideline and Technical Basis
The last paragraph appears to state NERC will accept an OE-417 form as long as it contains all of
the information required by the NERC form and goes on to state the DOE form “may be included or
attached to the NERC report.” If the intent is for NERC to accept the OE-417 in lieu of the NERC
report, this paragraph should be clarified.
Individual
Michael Brytowski
Great River Energy
No
We understand and agree there should be verification of the information required for such reporting
(contact information, process flow charts, etc). But we still believe improvements can be made to the
draft standard, in particular to requirement R4. The use of the words “or through a drill or exercise”
still implies that training is required if no actual event has occurred. When you conduct a fire “drill”
you are training your employees on evacuation routes and who they need to report to. Not only are
you verifying your process but you are training your employees as well. It is imperative that the
information in the Event Reporting process is correct but we don't agree that performing a drill on the
process is necessary. We recommend modifying the requirement to focus on verifying the information
needed for appropriate communications on an event. And we agree this should take place at least
annually.
No
Requirement R2 requires Responsible Entities to implement the various subrequirements in R1. We
believe it is unnecessary to state that an entity must implement their Operating Plan in a separate
requirement. Having a separate requirement seems redundant. If the processes in the Operating Plan
are not implemented, the entity is non-compliant with the standard. There doesn’t need to be an
extra requirement saying entities need to implement their Operating Plan.
Yes
For many of the events listed in Attachment 1, there would be duplicate reporting the way it is written
right now. For example, in the case of a fire in a substation (Destruction of BES equipment), the RC,
BA, TO, TOP and perhaps the GO and GOP could all experience the event and each would have to
report on it. This seems quite excessive and redundant. We recommend eliminating this duplicate
reporting.
Individual
Christine Hasha
Electric Reliability Council of Texas, Inc.
Yes
Yes
No
Destruction of BES equipment: 1. Request that the term “destruction” be clarified. Damage or
destruction of Critical Asset per CIP-002: 1. Request that the terms “damage” and “destruction” be
clarified. 2. Is the expectation that an entity report each individual device or system equipment failure
or each mistake made by someone administering a system? 3. Request that “initial indication of the
event” be changed to “confirmation of the event”. Event monitoring and management systems may
receive many events that are determined to be harmless and put the entity at no risk. This can only
be determined after analysis of the associated events is performed. Damage or destruction of a
Critical Cyber Asset per CIP-002: 1. Request that the terms “damage” and “destruction” be clarified.
2. Is the expectation that an entity report each individual device or system equipment failure or each
mistake made by someone administering a system? 3. Request that “initial indication of the event” be
changed to “confirmation of the event”. Event monitoring and management systems may receive
many events that are determined to be harmless and put the entity at no risk. This can only be
determined after analysis of the associated events is performed. Risk to BES equipment: Request that
the term “risk” be clarified.
Individual
Darryl Curtis
Oncor Electric Delivery Company LLC
Yes
No
NERC's Event Analysis Program tends to parallel many of the reporting requirements as outlined in
EOP-004 Version 2. Oncor recommends that NERC considers ways of streamlining the reporting
process by either incorporating the Event Analysis obligations into EOP-004-2 or reducing the scope of
the Event Analysis program as currently designed to consist only of "exception" reporting.
Yes
NERC's Event Analysis Program tends to parallel many of the reporting requirements as outlined in
EOP-004 Version 2. Oncor recommends that NERC considers ways of streamlining the reporting
process by either incorporating the Event Analysis obligations into EOP-004-2 or reducing the scope of
the Event Analysis program as currently designed to consist only of "exception" reporting.
Group
Kansas City Power & Light
Michael Gammon
Yes
No
Requirement R1.1 is confusing regarding the “process for identifying events listed in Attachment 1”.
Considering Attachment 1, the Events Table, already identifies the events required for reporting,
please clearly describe in the requirement what the “process” referred to in requirement R1.1
represents.
No
The reportable events listed in Attachment 1 can be categorized as events that have had a reliability
impact and those events that could have a reliability impact. The listed events that could have a
reliability impact should have a 24 hour reporting requirement and the events that have had a
reliability impact are appropriate at a 1 hour reporting. The following events with a 1 hour report
requirement are recommended to change to 24 hour: Forced Intrusion and Risk to BES Equipment. In
addition, the Attachment 1 Events Table is incomplete as many of the listed events are incomplete
regarding reporting time requirements and event descriptions. Also recommend removing (ii) from
note 5 with event “Destruction of BES equipment” as this part of the note is already described in the
event description and insinuates reporting of equipment losses that do not have a reliability impact.
The events, “Damage or destruction of Critical Asset per CIP-002” and “Damage or destruction of a
Critical Cyber Asset per CIP-002”, do not have sufficient clarity regarding what that represents. A
note similar in nature to Note 5 for BES equipment is recommended.
The implementation plan indicates that much of CIP-008 is retained. The reporting requirements in
CIP-008 and the required reportable events outlined in Attachment 1 are an overlap with CIP-008-3
R1.1 which says “Procedures to characterize and classify events as reportable Cyber Security
Incidents” and CIP-008-3 R1.3 which requires processes to address reporting to the ES-ISAC. There is
also a NERC document titled, Security Guideline for the Electricity Sector: Threat and Incident
Reporting, which is a guideline to “assist entities to identify and classify incidents for reporting to the
ES-ISAC”. The SDT should consider the content of the Security Guideline for the Electricity Sector:
Threat and Incident Reporting when considering the reporting requirements of proposed EOP-004. The
efforts to incorporate CIP-008 into EOP-004 are insufficient and will result in serious confusion
between proposed EOP-004 and CIP-008 and reporting expectations. Considering the complexity of CIP
incident reporting and the interests of ES-ISAC, it may be beneficial to leave CIP-008 out of the
proposed EOP-004 and limit EOP-004 to the reporting interests of NERC. The flowchart states,
“Notification Protocol to State Agency Law Enforcement”. Please correct this to, “Notification to State,
Provincial, or Local Law Enforcement”, to be consistent with the language in the background section
part, “A Reporting Process Solution – EOP-004”. Measure 4 is not clear enough regarding the extent
to which drills should be performed. Does the measure mean that all events in the events list need to
be drilled or is drilling a subset of the events list sufficient? Please clearly indicate the extent of
drilling that is required or clearly indicate in the requirement the extent of the drills to be performed is
the responsibility of the Responsible Entity to identify in their “processes”. Evidence Retention – it is
not clear what the phrase “prior 3 calendar years” represents in the third paragraph of this section
regarding data retention for requirements and measures for R2, R3, R4 and M2, M3, M4 respectively.
Please clarify what this means. Is that different than the meaning of “since the last audit for 3
calendar years” for R1 and M1? VSL for R2 under Severe regarding R1.1 may require revision
considering the comment regarding R1.1 in item 2 previously stated. In addition, the VRF for R2 is
MEDIUM. R2 is administrative regarding the implementation of the requirements specified in R1.
Documentation and maintenance should be considered LOWER. There is no VSL for R4 and a VSL for
R4 needs to be proposed.
Additional Comments Received:
Southwestern Power Administration's Comments for Project 2009-1
Submitted by Angela Summer
"Attachment 1 contains elements that do not need to be included, and redundant elements
such as:
Forced intrusion at BES Facility - A facility break-in does not necessarily mean that the facility
has been impacted or has undergone damage or destruction.
Detection of a reportable Cyber Security Incident per CIP-008 - If entities are addressing this
requirement in CIP-008, why do so again in EOP-004 (Attachment 2-EOP-004, Reporting Requirement
number 5)?
Transmission Loss: Each TOP that experiences transmission loss of three or more facilities - This
element should be removed or rewritten so that it only applies when the loss includes a
contingent element of an IROL facility."
Standards Announcement
Project 2009-01 – Disturbance and Sabotage Reporting
Initial Ballot and Non-binding Poll Results
Now Available
An initial ballot of EOP-004-2 – Event Reporting and its implementation plan, and a non-binding poll of
the associated VRFs and VSLs, concluded on December 12, 2011. Voting statistics are listed below, and
the Ballot Results webpage provides a link to the initial ballot detailed results.
Initial Ballot Results for EOP-004-2
Quorum: 87.97%
Approval: 36.21%
Non-Binding Poll Results
85.28% of those who registered to participate provided an opinion or abstention; 45% of those
who provided an opinion indicated support for the VRFs and VSLs.
Next Steps
The drafting team will consider all comments received during the comment period and ballot.
Background
Stakeholders have indicated that identifying potential acts of “sabotage” is difficult to do in real time,
and additional clarity is needed to identify thresholds for reporting potential acts of sabotage in
CIP-001-1. Stakeholders have also reported that EOP-004-1 has some requirements that reference
out-of-date Department of Energy forms, making the requirements ambiguous. EOP-004-1 also has some
‘fill-in-the-blank’ components to eliminate. The project will include addressing previously identified
stakeholder concerns and FERC directives; will bring the standards into conformance with the latest
approved version of the ERO Rules of Procedure; and may include other improvements to the
standards deemed appropriate by the drafting team, with the consensus of stakeholders, consistent
with establishing high quality, enforceable and technically sufficient bulk power system reliability
standards. Additional information is available on the project webpage.
A stakeholder interested in following the Disturbance and Sabotage Reporting Drafting Team’s
development of EOP-004-2 may monitor meeting agendas and notes on the team’s “Related Files” web
page or may submit a request to join the team’s “plus” email list to receive meeting agendas and
meeting notes as they are distributed to the team. To join the team’s “plus” e-mail list, send an e-mail
request to: sarcomm@nerc.net. Please indicate the drafting team’s name in the subject line of the e-mail.
Standards Development Process
The Standard Processes Manual contains all the procedures governing the standards development process.
The success of the NERC standards development process depends on stakeholder participation. We
extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 404-446-2560.
North American Electric Reliability Corporation
116-390 Village Blvd.
Princeton, NJ 08540
609.452.8060 | www.nerc.com
NERC Standards
Ballot Results
Ballot Name: Project 2009-01 Disturbance and Sabotage Reporting Initial Ballot_in
Ballot Period: 12/2/2011 - 12/12/2011
Ballot Type: Initial
Total # Votes: 373
Total Ballot Pool: 424
Quorum: 87.97 % The Quorum has been reached
Weighted Segment Vote: 36.21 %
Ballot Results: The standard will proceed to recirculation ballot.
Summary of Ballot Results

Segment            Ballot   Segment   Affirmative            Negative               Abstain   No
                   Pool     Weight    # Votes   Fraction     # Votes   Fraction     # Votes   Vote
1 - Segment 1.     104      1         32        0.4          48        0.6          6         18
2 - Segment 2.     11       0.6       1         0.1          5         0.5          1         4
3 - Segment 3.     108      1         33        0.344        63        0.656        4         8
4 - Segment 4.     37       1         12        0.375        20        0.625        1         4
5 - Segment 5.     91       1         32        0.432        42        0.568        5         12
6 - Segment 6.     53       1         14        0.292        34        0.708        2         3
7 - Segment 7.     0        0         0         0            0         0            0         0
8 - Segment 8.     8        0.6       4         0.4          2         0.2          1         1
9 - Segment 9.     4        0.3       0         0            3         0.3          0         1
10 - Segment 10.   8        0.8       3         0.3          5         0.5          0         0
Totals             424      7.3       131       2.643        222       4.657        20        51
Individual Ballot Pool Results

Segment  Organization                                Member              Ballot
1        Ameren Services                             Kirit Shah          Negative
1        American Electric Power                     Paul B. Johnson     Negative
1        American Transmission Company, LLC          Andrew Z Pusztai    Affirmative
1        Arizona Public Service Co.                  Robert Smith        Affirmative
1        Associated Electric Cooperative, Inc.       John Bussman        Affirmative
1        Austin Energy                               James Armke         Abstain
1        Avista Corp.                                Scott J Kinney      Negative
1        Balancing Authority of Northern California  Kevin Smith         Negative

https://standards.nerc.net/BallotResults.aspx?BallotGUID=3e34fb5d-844a-4b88-874c-62d0c7d1e3d9[12/13/2011 11:13:16 AM]
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Baltimore Gas & Electric Company
BC Hydro and Power Authority
Beaches Energy Services
Black Hills Corp
Bonneville Power Administration
Brazos Electric Power Cooperative, Inc.
CenterPoint Energy Houston Electric, LLC
Central Maine Power Company
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma Power
Clark Public Utilities
Colorado Springs Utilities
Consolidated Edison Co. of New York
CPS Energy
Dairyland Power Coop.
Dayton Power & Light Co.
Deseret Power
Dominion Virginia Power
Duke Energy Carolina
East Kentucky Power Coop.
Empire District Electric Co.
Entergy Services, Inc.
FirstEnergy Corp.
Florida Keys Electric Cooperative Assoc.
Florida Power & Light Co.
Gainesville Regional Utilities
Georgia Transmission Corporation
Grand River Dam Authority
Great River Energy
Hoosier Energy Rural Electric Cooperative,
Inc.
Hydro One Networks, Inc.
Hydro-Quebec TransEnergie
Idaho Power Company
Imperial Irrigation District
International Transmission Company Holdings
Corp
JEA
Kansas City Power & Light Co.
Keys Energy Services
Lakeland Electric
Lee County Electric Cooperative
Lincoln Electric System
Los Angeles Department of Water & Power
Lower Colorado River Authority
Manitoba Hydro
MEAG Power
MidAmerican Energy Co.
Minnkota Power Coop. Inc.
National Grid
Nebraska Public Power District
New Brunswick Power Transmission
Corporation
New York Power Authority
New York State Electric & Gas Corp.
Northeast Utilities
Northern Indiana Public Service Co.
NorthWestern Energy
Ohio Valley Electric Corp.
Oklahoma Gas and Electric Co.
Omaha Public Power District
Oncor Electric Delivery
Orlando Utilities Commission
PacifiCorp
PECO Energy
Platte River Power Authority
Portland General Electric Co.
Potomac Electric Power Co.
Gregory S Miller
Patricia Robertson
Joseph S Stonecipher
Eric Egge
Donald S. Watkins
Tony Kroskey
John Brockhan
Joseph Turano Jr.
Negative
Negative
Negative
View
View
View
Negative
Negative
Negative
Chang G Choi
Affirmative
Jack Stamper
Paul Morland
Christopher L de Graffenried
Richard Castrejana
Robert W. Roddy
Hertzel Shamash
James Tucker
Michael S Crowley
Douglas E. Hils
George S. Carruba
Ralph F Meyer
Edward J Davis
William J Smith
Dennis Minton
Mike O'Neil
Luther E. Fair
Jason Snodgrass
James M Stafford
Gordon Pietsch
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Affirmative
View
View
View
View
Negative
View
Affirmative
Negative
Negative
View
View
View
Affirmative
Abstain
View
Affirmative
View
Bob Solomon
Negative
View
Ajay Garg
Bernard Pelletier
Ronald D. Schellberg
Tino Zaragoza
Negative
View
Affirmative
Affirmative
View
Michael Moltane
Negative
View
Ted Hobson
Michael Gammon
Stanley T Rzad
Larry E Watt
John W Delucca
Doug Bantam
Ly M Le
Martyn Turner
Joe D Petaski
Danny Dees
Terry Harbour
Richard Burt
Saurabh Saksena
Cole C Brodine
Negative
Negative
View
View
Negative
Negative
Affirmative
Negative
View
Affirmative
Abstain
Negative
Affirmative
View
Affirmative
View
Negative
View
Randy MacDonald
Arnold J. Schuff
Raymond P Kinney
David Boguslawski
Kevin M Largura
John Canavan
Robert Mattey
Marvin E VanBebber
Doug Peterchuck
Brenda Pulis
Brad Chase
Ryan Millard
Ronald Schloendorn
John C. Collins
John T Walker
David Thorne
Negative
Negative
Negative
Affirmative
Affirmative
Negative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
View
View
View
View
View
View
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
PowerSouth Energy Cooperative
PPL Electric Utilities Corp.
Progress Energy Carolinas
Public Service Company of New Mexico
Public Service Electric and Gas Co.
Public Utility District No. 1 of Okanogan
County
Public Utility District No. 2 of Grant County
Puget Sound Energy, Inc.
Raj Rana
Rochester Gas and Electric Corp.
Sacramento Municipal Utility District
Salmon River Electric Cooperative
Salt River Project
Santee Cooper
SCE&G
Seattle City Light
Sho-Me Power Electric Cooperative
Sierra Pacific Power Co.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Services, Inc.
Southern Illinois Power Coop.
Southwest Transmission Cooperative, Inc.
Sunflower Electric Power Corporation
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Tucson Electric Power Co.
United Illuminating Co.
Westar Energy
Western Area Power Administration
Xcel Energy, Inc.
Alberta Electric System Operator
2
BC Hydro
2
2
2
2
2
2
2
2
2
3
3
3
3
3
3
3
3
3
3
3
3
California ISO
Electric Reliability Council of Texas, Inc.
Independent Electricity System Operator
ISO New England, Inc.
Midwest ISO, Inc.
New Brunswick System Operator
New York Independent System Operator
PJM Interconnection, L.L.C.
Southwest Power Pool, Inc.
AEP
Alabama Power Company
Alameda Municipal Power
Ameren Services
American Public Power Association
Anaheim Public Utilities Dept.
APS
Arkansas Electric Cooperative Corporation
Atlantic City Electric Company
BC Hydro and Power Authority
Blachly-Lane Electric Co-op
Bonneville Power Administration
Central Electric Cooperative, Inc. (Redmond,
Oregon)
Central Lincoln PUD
City of Alexandria
City of Austin dba Austin Energy
City of Bartow, Florida
City of Clewiston
City of Farmington
City of Garland
City of Green Cove Springs
City of Palo Alto
3
3
3
3
3
3
3
3
3
3
Larry D Avery
Brenda L Truhe
Brett A Koelsch
Laurie Williams
Kenneth D. Brown
Negative
Negative
Negative
View
View
Negative
View
Dale Dunckel
Kyle M. Hussey
Denise M Lietz
Rajendrasinh D Rana
John C. Allen
Tim Kelley
Kathryn Spence
Robert Kondziolka
Terry L Blackwell
Henry Delk, Jr.
Pawel Krupa
Denise Stevens
Rich Salgo
Long T Duong
Steven Mavis
Robert Schaffeld
William Hutchison
James Jones
Noman Lee Williams
Beth Young
Larry Akens
Tracy Sliman
John Tolo
Jonathan Appelbaum
Allen Klassen
Brandy A Dunn
Gregory L Pieper
Mark B Thompson
Venkataramakrishnan
Vinnakota
Rich Vine
Charles B Manning
Barbara Constantinescu
Kathleen Goodman
Marie Knox
Alden Briggs
Gregory Campoli
Tom Bowe
Charles Yeung
Michael E Deloach
Richard J. Mandes
Douglas Draeger
Mark Peters
Nathan Mitchell
Kelly Nguyen
Steven Norris
Philip Huff
NICOLE BUCKMAN
Pat G. Harrington
Bud Tracy
Rebecca Berdahl
Affirmative
Abstain
Negative
Negative
Negative
Negative
Negative
View
View
View
Negative
View
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
View
Abstain
Affirmative
Affirmative
Negative
Affirmative
Affirmative
View
View
View
View
Abstain
View
Negative
View
Negative
Affirmative
Negative
View
View
View
Negative
Negative
View
View
Negative
Negative
Negative
Negative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Negative
View
View
View
View
View
Dave Markham
Negative
View
Steve Alexanderson
Michael Marcotte
Andrew Gallo
Matt Culverhouse
Lynne Mila
Linda R Jacobson
Ronnie C Hoeinghaus
Gregg R Griffin
Eric R Scott
Negative
Negative
Negative
Negative
View
Negative
Abstain
Negative
Affirmative
View
View
View
View
View
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
City of Redding
Clatskanie People's Utility District
Clearwater Power Co.
Cleco Corporation
Colorado Springs Utilities
ComEd
Consolidated Edison Co. of New York
Constellation Energy
Consumers Energy
Consumers Power Inc.
Coos-Curry Electric Cooperative, Inc
Cowlitz County PUD
CPS Energy
Delmarva Power & Light Co.
Detroit Edison Company
Dominion Resources Services
Duke Energy Carolina
Entergy
Fall River Rural Electric Cooperative
FirstEnergy Energy Delivery
Florida Municipal Power Agency
Florida Power Corporation
Georgia Power Company
Georgia Systems Operations Corporation
Grays Harbor PUD
Great River Energy
Gulf Power Company
Hydro One Networks, Inc.
Imperial Irrigation District
JEA
Kansas City Power & Light Co.
Kissimmee Utility Authority
Kootenai Electric Cooperative
Lakeland Electric
Lane Electric Cooperative, Inc.
Lincoln Electric System
Los Angeles Department of Water & Power
Louisville Gas and Electric Co.
Manitoba Hydro
Manitowoc Public Utilities
MidAmerican Energy Co.
Mississippi Power
Modesto Irrigation District
Municipal Electric Authority of Georgia
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
Niagara Mohawk (National Grid Company)
North Carolina Electric Membership Corp.
Northern Indiana Public Service Co.
Northern Lights Inc.
Ocala Electric Utility
Old Dominion Electric Coop.
Orange and Rockland Utilities, Inc.
Orlando Utilities Commission
Owensboro Municipal Utilities
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
PNM Resources
Potomac Electric Power Co.
Progress Energy Carolinas
Public Service Electric and Gas Co.
Public Utility District No. 1 of Benton County
Public Utility District No. 1 of Clallam County
Puget Sound Energy, Inc.
Raft River Rural Electric Cooperative
Bill Hughes
Brian Fawcett
Dave Hagen
Michelle A Corley
Charles Morgan
Bruce Krawczyk
Peter T Yost
CJ Ingersoll
Richard Blumenstock
Roman Gillen
Roger Meader
Russell A Noble
Jose Escamilla
Michael R. Mayer
Kent Kujala
Michael F. Gildea
Henry Ernst-Jr
Joel T Plessinger
Bryan Case
Stephan Kern
Joe McKinney
Lee Schuster
Anthony L Wilson
William N. Phinney
Wesley W Gray
Brian Glover
Paul C Caldwell
David Kiguel
Jesus S. Alcaraz
Garry Baker
Charles Locke
Gregory D Woessner
Dave Kahly
Norman D Harryhill
Rick Crinklaw
Jason Fortik
Daniel D Kurowski
Charles A. Freibert
Greg C. Parent
Thomas E Reed
Thomas C. Mielnik
Jeff Franklin
Jack W Savage
Steven M. Jackson
John S Bos
Tony Eddleman
Marilyn Brown
Michael Schiavone
Doug White
William SeDoris
Jon Shelby
David Anderson
Bill Watson
David Burke
Ballard K Mutters
Thomas T Lyons
John H Hagen
Dan Zollner
Terry L Baker
Michael Mertz
Robert Reuter
Sam Waters
Jeffrey Mueller
Gloria Bender
David Proebstel
Erin Apperson
Heber Carpenter
Negative
Abstain
Negative
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Negative
Negative
Negative
Negative
View
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Negative
View
View
View
View
Abstain
Affirmative
Affirmative
Negative
Negative
Negative
Affirmative
Negative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Affirmative
Affirmative
Affirmative
Negative
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
5
5
5
5
5
5
5
5
5
Rutherford EMC
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South Carolina Electric & Gas Co.
Southern California Edison Co.
Southern Maryland Electric Coop.
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Umatilla Electric Cooperative
Westar Energy
Wisconsin Electric Power Marketing
Wisconsin Public Service Corp.
Xcel Energy, Inc.
Alliant Energy Corp. Services, Inc.
American Municipal Power
Arkansas Electric Cooperative Corporation
Blue Ridge Power Agency
Central Lincoln PUD
City of Austin dba Austin Energy
City of Clewiston
City of New Smyrna Beach Utilities
Commission
City of Redding
City Utilities of Springfield, Missouri
Consumers Energy
Cowlitz County PUD
Detroit Edison Company
Flathead Electric Cooperative
Florida Municipal Power Agency
Fort Pierce Utilities Authority
Georgia System Operations Corporation
Illinois Municipal Electric Agency
Imperial Irrigation District
Indiana Municipal Power Agency
Integrys Energy Group, Inc.
LaGen
Madison Gas and Electric Co.
North Carolina Electric Membership Corp.
Northern California Power Agency
Ohio Edison Company
Oklahoma Municipal Power Authority
Pacific Northwest Generating Cooperative
Public Utility District No. 1 of Douglas County
Public Utility District No. 1 of Snohomish
County
Sacramento Municipal Utility District
Seattle City Light
South Mississippi Electric Power Association
Tacoma Public Utilities
West Oregon Electric Cooperative, Inc.
White River Electric Association Inc.
Wisconsin Energy Corp.
AEP Service Corp.
AES Corporation
Amerenue
Arizona Public Service Co.
Avista Corp.
BC Hydro and Power Authority
Black Hills Corp
Boise-Kuna Irrigation District/dba Lucky peak
power plant project
Bonneville Power Administration
Thomas M Haire
James Leigh-Kendall
John T. Underhill
James M Poston
Dana Wheelock
James R Frauen
Mark Oens
Hubert C Young
David B Coher
Mark R Jones
Travis Metcalfe
Ronald L Donahey
Ian S Grant
Janelle Marriott
Steve Eldrige
Bo Jones
James R Keller
Gregory J Le Grave
Michael Ibold
Kenneth Goldsmith
Kevin Koloini
Ronnie Frizzell
Duane S Dahlquist
Shamus J Gamache
Reza Ebrahimian
Kevin McCarthy
Tim Beyrle
Nicholas Zettel
John Allen
David Frank Ronk
Rick Syring
Daniel Herring
Russ Schneider
Frank Gaffney
Thomas Richards
Guy Andrews
Bob C. Thomas
Diana U Torres
Jack Alvey
Christopher Plante
Richard Comeaux
Joseph DePoorter
Bob Beadle
Tracy R Bibb
Douglas Hohlbaugh
Ashley Stringer
Aleka K Scott
Henry E. LuBean
Affirmative
Negative
Negative
Negative
Negative
View
Negative
Affirmative
Negative
Affirmative
Affirmative
Negative
View
Affirmative
Negative
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
View
View
View
View
View
View
View
View
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Affirmative
Negative
Affirmative
Negative
Affirmative
Negative
Affirmative
View
View
View
View
View
View
View
View
View
View
View
View
John D Martinsen
Negative
View
Mike Ramirez
Hao Li
Steven McElhaney
Keith Morisette
Marc M Farmer
Frank L. Sampson
Anthony Jankowski
Brock Ondayko
Leo Bernier
Sam Dwyer
Edward Cambridge
Edward F. Groce
Clement Ma
George Tatar
Negative
Negative
View
Affirmative
Negative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Affirmative
Mike D Kukla
Negative
Francis J. Halpin
Negative
View
View
View
View
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
BrightSource Energy, Inc.
Caithness Long Island, LLC
Chelan County Public Utility District #1
City and County of San Francisco
City of Austin dba Austin Energy
City of Redding
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma Power
City of Tallahassee
City Water, Light & Power of Springfield
Cogentrix Energy, Inc.
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Power Source Generation, Inc.
Consumers Energy Company
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources, Inc.
Duke Energy
Dynegy Inc.
E.ON Climate & Renewables North America,
LLC
Edison Mission Energy
Electric Power Supply Association
Exelon Nuclear
ExxonMobil Research and Engineering
FirstEnergy Solutions
Florida Municipal Power Agency
Great River Energy
Green Country Energy
Imperial Irrigation District
Indeck Energy Services, Inc.
JEA
Kissimmee Utility Authority
Lakeland Electric
Liberty Electric Power LLC
Lincoln Electric System
Los Angeles Department of Water & Power
Lower Colorado River Authority
Luminant Generation Company LLC
Manitoba Hydro
Massachusetts Municipal Wholesale Electric
Company
MEAG Power
MidAmerican Energy Co.
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
NextEra Energy
North Carolina Electric Membership Corp.
Northern California Power Agency
Northern Indiana Public Service Co.
Occidental Chemical
Omaha Public Power District
Orlando Utilities Commission
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Generation LLC
Progress Energy Carolinas
PSEG Fossil LLC
Public Utility District No. 1 of Lewis County
Puget Sound Energy, Inc.
Sacramento Municipal Utility District
Salt River Project
Chifong Thomas
Jason M Moore
John Yale
Daniel Mason
Jeanie Doty
Paul Cummings
Affirmative
Affirmative
Abstain
Affirmative
Negative
Negative
Max Emrick
Affirmative
Brian Horton
Steve Rose
Mike D Hirst
Jennifer Eckels
Wilket (Jack) Ng
Amir Y Hammad
David C Greyerbiehl
Bob Essex
Robert Stevens
Christy Wicke
Mike Garton
Dale Q Goodwine
Dan Roethemeyer
Affirmative
Affirmative
Negative
Negative
Abstain
Negative
Negative
Affirmative
Affirmative
Negative
Negative
View
View
View
View
View
View
View
Dana Showalter
Ellen Oswald
John R Cashin
Michael Korchynsky
Martin Kaufman
Kenneth Dresner
David Schumann
Preston L Walsh
Greg Froehling
Marcela Y Caballero
Rex A Roehl
John J Babik
Mike Blough
James M Howard
Daniel Duff
Dennis Florom
Kenneth Silver
Tom Foreman
Mike Laney
S N Fernando
David Gordon
Steven Grego
Christopher Schneider
Mike Avesing
Don Schmit
Gerald Mannarino
Allen D Schriver
Jeffrey S Brame
Hari Modi
William O. Thompson
Michelle R DAntuono
Mahmood Z. Safi
Richard Kinas
Richard J. Padilla
Sandra L. Shaffer
Roland Thiel
Gary L Tingley
Tim Hattaway
Annette M Bannon
Wayne Lewis
Tim Kucey
Steven Grega
Tom Flynn
Bethany Hunter
William Alkema
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Negative
Negative
Negative
Affirmative
View
View
View
View
View
View
View
View
Abstain
Abstain
Negative
Affirmative
Affirmative
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Negative
Negative
Negative
View
View
View
View
View
View
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Siemens PTI
Snohomish County PUD No. 1
South Mississippi Electric Power Association
Southern California Edison Co.
Southern Company Generation
Tampa Electric Co.
Tenaska, Inc.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
U.S. Army Corps of Engineers
Vandolah Power Company L.L.C.
Wisconsin Electric Power Co.
Wisconsin Public Service Corp.
Xcel Energy, Inc.
ACES Power Marketing
AEP Marketing
Ameren Energy Marketing Co.
APS
Arkansas Electric Cooperative Corporation
Bonneville Power Administration
City of Austin dba Austin Energy
City of Redding
Cleco Power LLC
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Energy Commodities Group
Dominion Resources, Inc.
Duke Energy Carolina
Entergy Services, Inc.
Exelon Power Team
FirstEnergy Solutions
Florida Municipal Power Agency
Florida Municipal Power Pool
Florida Power & Light Co.
Imperial Irrigation District
Kansas City Power & Light Co.
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water & Power
Luminant Energy
Manitoba Hydro
MidAmerican Energy Co.
New York Power Authority
North Carolina Municipal Power Agency #1
Northern Indiana Public Service Co.
Omaha Public Power District
Orlando Utilities Commission
PacifiCorp
Platte River Power Authority
PPL EnergyPlus LLC
Progress Energy
PSEG Energy Resources & Trade LLC
Public Utility District No. 1 of Chelan County
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Generation and Energy
Marketing
Tacoma Public Utilities
Tampa Electric Co.
Lewis P Pierce
Michael J. Haynes
Brenda K. Atkins
Edwin Cano
Sam Nietfeld
Jerry W Johnson
Denise Yaffe
William D Shultz
RJames Rocha
Scott M Helyer
David Thompson
Barry Ingold
Melissa Kurtz
Douglas A. Jensen
Linda Horn
Leonard Rentmeester
Liam Noailles
Jason L Marshall
Edward P. Cox
Jennifer Richardson
RANDY A YOUNG
Keith Sugg
Brenda S. Anderson
Lisa L Martin
Marvin Briggs
Robert Hirchak
Lisa C Rosintoski
Nickesha P Carrol
Brenda Powell
Louis S. Slade
Walter Yeager
Terri F Benoit
Pulin Shah
Kevin Querry
Richard L. Montgomery
Thomas Washburn
Silvia P. Mitchell
Cathy Bretz
Jessica L Klinghoffer
Paul Shipps
Eric Ruskamp
Brad Packer
Brad Jones
Daniel Prowse
Dennis Kimm
William Palazzo
Matthew Schull
Joseph O'Brien
David Ried
Claston Augustus Sunanon
Scott L Smith
Carol Ballantine
Mark A Heimbach
John T Sturgeon
Peter Dolan
Hugh A. Owen
Diane Enderby
Steven J Hulet
Michael Brown
Dennis Sismaet
Trudy S. Novak
William T Moojen
Lujuanna Medina
John J. Ciza
Michael C Hill
Benjamin F Smith II
Negative
Negative
View
View
Affirmative
Negative
View
Negative
Negative
Negative
Affirmative
Abstain
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Negative
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Negative
Negative
Negative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Negative
Negative
Negative
Abstain
Negative
Negative
Negative
Negative
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
Negative
Negative
View
Negative
View
Affirmative
Negative
6
6
6
6
8
8
8
8
8
8
8
8
9
9
9
9
10
10
10
10
10
10
10
10
Tennessee Valley Authority
Westar Energy
Western Area Power Administration - UGP
Marketing
Xcel Energy, Inc.
JDRJC Associates
Pacific Northwest Generating Cooperative
Power Energy Group LLC
Utility Services, Inc.
Volkmann Consulting, Inc.
California Energy Commission
Commonwealth of Massachusetts Department
of Public Utilities
National Association of Regulatory Utility
Commissioners
New York State Department of Public Service
Midwest Reliability Organization
New York State Reliability Council
Northeast Power Coordinating Council
ReliabilityFirst Corporation
SERC Reliability Corporation
Southwest Power Pool RE
Texas Reliability Entity, Inc.
Western Electricity Coordinating Council
Marjorie S. Parsons
Grant L Wilkerson
Abstain
Affirmative
Peter H Kinney
David F. Lemmons
Edward C Stein
Roger C Zaklukiewicz
James A Maenner
Jim Cyrulewski
Margaret Ryan
Peggy Abbadini
Brian Evans-Mongeon
Terry Volkmann
William M Chamberlain
Affirmative
Affirmative
Negative
Abstain
Negative
Affirmative
Affirmative
Affirmative
View
Donald Nelson
Negative
View
Diane J Barney
Negative
View
Negative
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Negative
Affirmative
View
Thomas Dvorsky
James D Burley
Alan Adamson
Guy V. Zito
Anthony E Jablonski
Carter B. Edge
Emily Pennel
Donald G Jones
Steven L. Rueckert
View
View
View
View
View
View
View
2009-01 Disturbance and Sabotage Reporting
Non-Binding Poll Results
Ballot Results
Non-Binding Poll Name: Project 2009-01 Disturbance And Sabotage Reporting-Non-binding Poll
Poll Period: 12/2/2011 - 12/12/2011
Total # Opinions: 264
Total Ballot Pool: 394
Summary Results: 85.28% of those who registered to participate provided an opinion or abstention; 45% of those who provided an opinion indicated support for the VRFs and VSLs.
Individual Ballot Pool Results
Segment
Organization
1
1
1
1
1
1
1
1
Ameren Services
American Electric Power
American Transmission Company, LLC
Arizona Public Service Co.
Associated Electric Cooperative, Inc.
Avista Corp.
Balancing Authority of Northern
California
Baltimore Gas & Electric Company
BC Hydro and Power Authority
Beaches Energy Services
Black Hills Corp
Bonneville Power Administration
Brazos Electric Power Cooperative,
Inc.
CenterPoint Energy Houston Electric,
LLC
Central Maine Power Company
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma
Power
Clark Public Utilities
Colorado Springs Utilities
1
Consolidated Edison Co. of New York
1
1
1
1
CPS Energy
Dairyland Power Coop.
Dayton Power & Light Co.
Deseret Power
1
1
1
1
1
1
1
1
1
1
Document Title
Member
Kirit Shah
Paul B. Johnson
Andrew Z Pusztai
Robert Smith
John Bussman
Scott J Kinney
Ballot
Negative
Negative
Abstain
Affirmative
Affirmative
Negative
Kevin Smith
Negative
Gregory S Miller
Patricia Robertson
Joseph S Stonecipher
Eric Egge
Donald S. Watkins
Abstain
Abstain
Negative
Comments
View
View
View
View
Affirmative
Tony Kroskey
John Brockhan
Joseph Turano Jr.
Abstain
Negative
Chang G Choi
Affirmative
Jack Stamper
Paul Morland
Christopher L de
Graffenried
Richard Castrejana
Robert W. Roddy
Hertzel Shamash
James Tucker
Abstain
Affirmative
Negative
View
Affirmative
Affirmative
Affirmative
Affirmative
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Dominion Virginia Power
Duke Energy Carolina
East Kentucky Power Coop.
Empire District Electric Co.
Entergy Services, Inc.
FirstEnergy Corp.
Florida Keys Electric Cooperative
Assoc.
Florida Power & Light Co.
Gainesville Regional Utilities
Georgia Transmission Corporation
Grand River Dam Authority
Great River Energy
Hoosier Energy Rural Electric
Cooperative, Inc.
Hydro One Networks, Inc.
Hydro-Quebec TransEnergie
Idaho Power Company
Imperial Irrigation District
International Transmission Company
Holdings Corp
JEA
Kansas City Power & Light Co.
Keys Energy Services
Lakeland Electric
Lee County Electric Cooperative
Lincoln Electric System
Los Angeles Department of Water &
Power
Lower Colorado River Authority
Manitoba Hydro
MEAG Power
MidAmerican Energy Co.
Minnkota Power Coop. Inc.
National Grid
Nebraska Public Power District
New Brunswick Power Transmission
Corporation
New York Power Authority
New York State Electric & Gas Corp.
Northeast Utilities
Northern Indiana Public Service Co.
NorthWestern Energy
Ohio Valley Electric Corp.
Oklahoma Gas and Electric Co.
Omaha Public Power District
Oncor Electric Delivery
Orlando Utilities Commission
Michael S Crowley
Douglas E. Hils
George S. Carruba
Ralph F Meyer
Edward J Davis
William J Smith
Negative
View
Affirmative
Negative
Negative
View
View
Dennis Minton
Mike O'Neil
Luther E. Fair
Jason Snodgrass
James M Stafford
Gordon Pietsch
Bob Solomon
Ajay Garg
Bernard Pelletier
Ronald D. Schellberg
Tino Zaragoza
Michael Moltane
Ted Hobson
Michael Gammon
Stanley T Rzad
Larry E Watt
John W Delucca
Doug Bantam
Ly M Le
Martyn Turner
Joe D Petaski
Danny Dees
Terry Harbour
Richard Burt
Saurabh Saksena
Cole C Brodine
Randy MacDonald
Arnold J. Schuff
Raymond P Kinney
David Boguslawski
Kevin M Largura
John Canavan
Robert Mattey
Marvin E VanBebber
Doug Peterchuck
Brenda Pulis
Brad Chase
Affirmative
Abstain
Affirmative
Affirmative
Abstain
Affirmative
Affirmative
Abstain
Affirmative
Negative
View
Negative
Abstain
Affirmative
Negative
Affirmative
Abstain
Negative
Affirmative
Abstain
Negative
Negative
Abstain
Affirmative
Affirmative
Affirmative
Negative
Abstain
Affirmative
Affirmative
Negative
View
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
PacifiCorp
PECO Energy
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Electric Utilities Corp.
Progress Energy Carolinas
Public Service Company of New
Mexico
Public Service Electric and Gas Co.
Public Utility District No. 1 of
Okanogan County
Puget Sound Energy, Inc.
Rochester Gas and Electric Corp.
Sacramento Municipal Utility District
Salmon River Electric Cooperative
Salt River Project
Santee Cooper
SCE&G
Seattle City Light
Sho-Me Power Electric Cooperative
Sierra Pacific Power Co.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Services, Inc.
Southern Illinois Power Coop.
Southwest Transmission Cooperative,
Inc.
Southwestern Power Administration
Sunflower Electric Power Corporation
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Tucson Electric Power Co.
United Illuminating Co.
Westar Energy
Western Area Power Administration
Xcel Energy, Inc.
Alberta Electric System Operator
2
BC Hydro
2
California ISO
Electric Reliability Council of Texas,
Inc.
Independent Electricity System
Operator
Midwest ISO, Inc.
New Brunswick System Operator
New York Independent System
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
2
2
2
2
Ryan Millard
Ronald Schloendorn
John C. Collins
John T Walker
Larry D Avery
Brenda L Truhe
Brett A Koelsch
Abstain
Negative
Affirmative
Affirmative
Negative
Negative
Negative
View
View
Laurie Williams
Kenneth D. Brown
Abstain
Dale Dunckel
Denise M Lietz
John C. Allen
Tim Kelley
Kathryn Spence
Robert Kondziolka
Terry L Blackwell
Henry Delk, Jr.
Pawel Krupa
Denise Stevens
Rich Salgo
Long T Duong
Steven Mavis
Robert Schaffeld
William Hutchison
James Jones
Affirmative
Angela L Summer
Noman Lee Williams
Beth Young
Larry Akens
Tracy Sliman
John Tolo
Jonathan Appelbaum
Allen Klassen
Brandy A Dunn
Gregory L Pieper
Mark B Thompson
Venkataramakrishnan
Vinnakota
Rich Vine
Negative
Affirmative
Charles B Manning
Barbara Constantinescu
Marie Knox
Alden Briggs
Gregory Campoli
Abstain
Negative
Negative
Negative
Negative
View
Negative
View
Affirmative
Abstain
Affirmative
Negative
Negative
View
View
Abstain
Affirmative
Negative
Negative
Abstain
Affirmative
View
View
View
Abstain
Abstain
Negative
View
Affirmative
Abstain
Abstain
2
2
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
Operator
PJM Interconnection, L.L.C.
Southwest Power Pool, Inc.
AEP
Alabama Power Company
Ameren Services
Anaheim Public Utilities Dept.
APS
Arkansas Electric Cooperative
Corporation
BC Hydro and Power Authority
Bonneville Power Administration
Central Lincoln PUD
City of Austin dba Austin Energy
City of Bartow, Florida
City of Clewiston
City of Farmington
City of Garland
City of Green Cove Springs
City of Redding
Clatskanie People's Utility District
Cleco Corporation
Colorado Springs Utilities
ComEd
Consolidated Edison Co. of New York
Constellation Energy
Consumers Energy
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources Services
Duke Energy Carolina
Entergy
FirstEnergy Energy Delivery
Florida Municipal Power Agency
Florida Power Corporation
Georgia Power Company
Georgia Systems Operations
Corporation
Grays Harbor PUD
Great River Energy
Gulf Power Company
Hydro One Networks, Inc.
Imperial Irrigation District
JEA
Kansas City Power & Light Co.
Kissimmee Utility Authority
Kootenai Electric Cooperative
Tom Bowe
Charles Yeung
Michael E Deloach
Richard J. Mandes
Mark Peters
Kelly Nguyen
Steven Norris
Negative
Negative
Negative
Affirmative
Abstain
Philip Huff
Affirmative
Pat G. Harrington
Rebecca Berdahl
Steve Alexanderson
Andrew Gallo
Matt Culverhouse
Lynne Mila
Linda R Jacobson
Ronnie C Hoeinghaus
Gregg R Griffin
Bill Hughes
Brian Fawcett
Michelle A Corley
Charles Morgan
Bruce Krawczyk
Peter T Yost
CJ Ingersoll
Richard Blumenstock
Russell A Noble
Jose Escamilla
Kent Kujala
Michael F. Gildea
Henry Ernst-Jr
Joel T Plessinger
Stephan Kern
Joe McKinney
Lee Schuster
Anthony L Wilson
Abstain
Affirmative
Negative
Negative
Negative
William N. Phinney
Wesley W Gray
Brian Glover
Paul C Caldwell
David Kiguel
Jesus S. Alcaraz
Garry Baker
Charles Locke
Gregory D Woessner
Dave Kahly
View
View
View
Affirmative
Abstain
Negative
Negative
Abstain
Abstain
Affirmative
Negative
Negative
Abstain
Negative
Negative
Affirmative
Affirmative
Abstain
Negative
Negative
Negative
Negative
Negative
Negative
View
Negative
View
Affirmative
Negative
Abstain
Affirmative
Affirmative
Negative
Negative
Affirmative
View
View
View
View
View
View
View
View
View
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water &
Power
Louisville Gas and Electric Co.
Manitoba Hydro
Manitowoc Public Utilities
MidAmerican Energy Co.
Mississippi Power
Modesto Irrigation District
Municipal Electric Authority of Georgia
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
Niagara Mohawk (National Grid
Company)
North Carolina Electric Membership
Corp.
Northern Indiana Public Service Co.
Ocala Electric Utility
Old Dominion Electric Coop.
Orange and Rockland Utilities, Inc.
Orlando Utilities Commission
Owensboro Municipal Utilities
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
PNM Resources
Potomac Electric Power Co.
Progress Energy Carolinas
Public Service Electric and Gas Co.
Public Utility District No. 1 of Clallam
County
Puget Sound Energy, Inc.
Rutherford EMC
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South Carolina Electric & Gas Co.
Southern Maryland Electric Coop.
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Westar Energy
Norman D Harryhill
Jason Fortik
Negative
Affirmative
Daniel D Kurowski
Negative
Charles A. Freibert
Greg C. Parent
Thomas E Reed
Thomas C. Mielnik
Jeff Franklin
Jack W Savage
Steven M. Jackson
John S Bos
Tony Eddleman
Marilyn Brown
Abstain
Affirmative
Abstain
Negative
Michael Schiavone
Negative
Affirmative
Affirmative
Abstain
Negative
Doug White
Affirmative
William SeDoris
David Anderson
Bill Watson
David Burke
Ballard K Mutters
Thomas T Lyons
John H Hagen
Dan Zollner
Terry L Baker
Michael Mertz
Robert Reuter
Sam Waters
Jeffrey Mueller
Affirmative
David Proebstel
Affirmative
Erin Apperson
Thomas M Haire
James Leigh-Kendall
John T. Underhill
James M Poston
Dana Wheelock
James R Frauen
Mark Oens
Hubert C Young
Mark R Jones
Travis Metcalfe
Ronald L Donahey
Ian S Grant
Janelle Marriott
Bo Jones
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Abstain
Negative
Abstain
Negative
Abstain
Affirmative
Affirmative
Negative
View
View
View
View
View
View
View
View
Affirmative
Abstain
3
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
5
5
5
5
5
5
5
5
5
Xcel Energy, Inc.
Alliant Energy Corp. Services, Inc.
American Municipal Power
Arkansas Electric Cooperative
Corporation
Blue Ridge Power Agency
Central Lincoln PUD
City of Austin dba Austin Energy
City of Clewiston
City of New Smyrna Beach Utilities
Commission
City of Redding
City Utilities of Springfield, Missouri
Consumers Energy
Cowlitz County PUD
Detroit Edison Company
Flathead Electric Cooperative
Florida Municipal Power Agency
Fort Pierce Utilities Authority
Georgia System Operations
Corporation
Illinois Municipal Electric Agency
Imperial Irrigation District
Indiana Municipal Power Agency
Integrys Energy Group, Inc.
LaGen
Madison Gas and Electric Co.
Northern California Power Agency
Ohio Edison Company
Public Utility District No. 1 of Douglas
County
Public Utility District No. 1 of
Snohomish County
Sacramento Municipal Utility District
Seattle City Light
South Mississippi Electric Power
Association
Tacoma Public Utilities
Wisconsin Energy Corp.
AEP Service Corp.
AES Corporation
Amerenue
Arizona Public Service Co.
Avista Corp.
BC Hydro and Power Authority
Black Hills Corp
Boise-Kuna Irrigation District/dba
Lucky peak power plant project
Bonneville Power Administration
Michael Ibold
Kenneth Goldsmith
Kevin Koloini
Affirmative
Negative
Ronnie Frizzell
Affirmative
Duane S Dahlquist
Shamus J Gamache
Reza Ebrahimian
Kevin McCarthy
Affirmative
Negative
Negative
Tim Beyrle
Nicholas Zettel
John Allen
David Frank Ronk
Rick Syring
Daniel Herring
Russ Schneider
Frank Gaffney
Thomas Richards
Guy Andrews
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Abstain
Negative
Bob C. Thomas
Diana U Torres
Jack Alvey
Christopher Plante
Richard Comeaux
Joseph DePoorter
Tracy R Bibb
Douglas Hohlbaugh
Abstain
Affirmative
Abstain
Henry E. LuBean
Affirmative
John D Martinsen
Abstain
Mike Ramirez
Hao Li
View
View
Affirmative
Affirmative
Negative
Negative
Negative
View
View
View
View
View
View
View
Steven McElhaney
Keith Morisette
Anthony Jankowski
Brock Ondayko
Leo Bernier
Sam Dwyer
Edward Cambridge
Edward F. Groce
Clement Ma
George Tatar
Affirmative
Affirmative
Affirmative
Negative
Abstain
Negative
Abstain
Affirmative
View
Mike D Kukla
Francis J. Halpin
Affirmative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
BrightSource Energy, Inc.
Caithness Long Island, LLC
Chelan County Public Utility District
#1
City and County of San Francisco
City of Austin dba Austin Energy
City of Redding
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma
Power
City of Tallahassee
City Water, Light & Power of
Springfield
Cleco Power
Cogentrix Energy, Inc.
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Power Source
Generation, Inc.
Consumers Energy Company
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources, Inc.
Duke Energy
Dynegy Inc.
E.ON Climate & Renewables North
America, LLC
Edison Mission Energy
Electric Power Supply Association
Exelon Nuclear
ExxonMobil Research and Engineering
FirstEnergy Solutions
Florida Municipal Power Agency
Gainesville Regional Utilities
Great River Energy
Green Country Energy
Imperial Irrigation District
Indeck Energy Services, Inc.
JEA
Kissimmee Utility Authority
Lakeland Electric
Liberty Electric Power LLC
Lincoln Electric System
Los Angeles Department of Water &
Power
Lower Colorado River Authority
Luminant Generation Company LLC
Manitoba Hydro
Chifong Thomas
Jason M Moore
John Yale
Daniel Mason
Jeanie Doty
Paul Cummings
Max Emrick
Affirmative
Abstain
Abstain
Abstain
Negative
Negative
View
View
Affirmative
Brian Horton
Steve Rose
Stephanie Huffman
Mike D Hirst
Jennifer Eckels
Wilket (Jack) Ng
Amir Y Hammad
David C Greyerbiehl
Bob Essex
Robert Stevens
Christy Wicke
Mike Garton
Dale Q Goodwine
Dan Roethemeyer
Abstain
Affirmative
Affirmative
Negative
View
View
Abstain
Abstain
Negative
Affirmative
Affirmative
Abstain
Negative
Negative
View
View
View
Dana Showalter
Ellen Oswald
John R Cashin
Michael Korchynsky
Martin Kaufman
Kenneth Dresner
David Schumann
Karen C Alford
Preston L Walsh
Greg Froehling
Marcela Y Caballero
Rex A Roehl
John J Babik
Mike Blough
James M Howard
Daniel Duff
Dennis Florom
Negative
Negative
Negative
Abstain
Affirmative
Affirmative
Affirmative
View
View
Affirmative
Negative
Negative
Negative
Affirmative
Kenneth Silver
Negative
Tom Foreman
Mike Laney
S N Fernando
Affirmative
Negative
Affirmative
View
7
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
6
6
6
6
Massachusetts Municipal Wholesale
Electric Company
MEAG Power
MidAmerican Energy Co.
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
NextEra Energy
North Carolina Electric Membership
Corp.
Northern California Power Agency
Northern Indiana Public Service Co.
Occidental Chemical
Omaha Public Power District
Orlando Utilities Commission
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Generation LLC
Progress Energy Carolinas
PSEG Fossil LLC
Public Utility District No. 1 of Lewis
County
Puget Sound Energy, Inc.
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Siemens PTI
Snohomish County PUD No. 1
South Mississippi Electric Power
Association
Southern California Edison Co.
Southern Company Generation
Tampa Electric Co.
Tenaska, Inc.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
U.S. Army Corps of Engineers
Vandolah Power Company L.L.C.
Xcel Energy, Inc.
ACES Power Marketing
AEP Marketing
Ameren Energy Marketing Co.
APS
David Gordon
Abstain
Steven Grego
Christopher Schneider
Mike Avesing
Don Schmit
Gerald Mannarino
Allen D Schriver
Abstain
Negative
Affirmative
Abstain
Negative
Negative
Jeffrey S Brame
Affirmative
Hari Modi
William O. Thompson
Michelle R DAntuono
Mahmood Z. Safi
Richard Kinas
Richard J. Padilla
Sandra L. Shaffer
Roland Thiel
Gary L Tingley
Tim Hattaway
Annette M Bannon
Wayne Lewis
Tim Kucey
Affirmative
Affirmative
Affirmative
Affirmative
Steven Grega
Tom Flynn
Bethany Hunter
William Alkema
Lewis P Pierce
Michael J. Haynes
Brenda K. Atkins
Edwin Cano
Sam Nietfeld
Affirmative
Abstain
Affirmative
Affirmative
Negative
Negative
Negative
Abstain
View
View
View
Negative
Negative
Negative
Negative
Negative
Affirmative
Negative
View
View
Jerry W Johnson
Denise Yaffe
William D Shultz
RJames Rocha
Scott M Helyer
David Thompson
Barry Ingold
Melissa Kurtz
Douglas A. Jensen
Liam Noailles
Jason L Marshall
Edward P. Cox
Jennifer Richardson
RANDY A YOUNG
Negative
Negative
Negative
Affirmative
Abstain
Affirmative
Affirmative
Affirmative
Negative
Negative
Affirmative
View
View
8
6
6
Arkansas Electric Cooperative
Corporation
Bonneville Power Administration
City of Austin dba Austin Energy
City of Redding
Cleco Power LLC
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Energy Commodities
Group
Dominion Resources, Inc.
Duke Energy Carolina
Entergy Services, Inc.
Exelon Power Team
FirstEnergy Solutions
Florida Municipal Power Agency
Florida Municipal Power Pool
Florida Power & Light Co.
Imperial Irrigation District
Kansas City Power & Light Co.
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water &
Power
Luminant Energy
Manitoba Hydro
MidAmerican Energy Co.
New York Power Authority
North Carolina Municipal Power
Agency #1
Northern Indiana Public Service Co.
Omaha Public Power District
6
Orlando Utilities Commission
6
6
6
6
6
PacifiCorp
Platte River Power Authority
PPL EnergyPlus LLC
Progress Energy
PSEG Energy Resources & Trade LLC
Public Utility District No. 1 of Chelan
County
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Generation and
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
Keith Sugg
Affirmative
Brenda S. Anderson
Lisa L Martin
Marvin Briggs
Robert Hirchak
Lisa C Rosintoski
Nickesha P Carrol
Affirmative
Abstain
Negative
Abstain
Affirmative
Negative
Brenda Powell
Louis S. Slade
Walter Yeager
Terri F Benoit
Pulin Shah
Kevin Querry
Richard L. Montgomery
Thomas Washburn
Silvia P. Mitchell
Cathy Bretz
Jessica L Klinghoffer
Paul Shipps
Eric Ruskamp
Brad Packer
Brad Jones
Daniel Prowse
Dennis Kimm
William Palazzo
View
View
View
Negative
Abstain
Negative
Negative
Negative
Negative
Negative
Negative
Abstain
Affirmative
Negative
Negative
Affirmative
View
View
View
View
View
View
View
Negative
Negative
Affirmative
Negative
Negative
View
Matthew Schull
Joseph O'Brien
David Ried
Claston Augustus
Sunanon
Scott L Smith
Carol Ballantine
Mark A Heimbach
John T Sturgeon
Peter Dolan
Hugh A. Owen
Diane Enderby
Steven J Hulet
Michael Brown
Dennis Sismaet
Trudy S. Novak
William T Moojen
Lujuanna Medina
John J. Ciza
Affirmative
Affirmative
Negative
Abstain
Affirmative
Negative
Negative
Abstain
View
Abstain
Negative
Negative
Negative
Negative
View
View
Abstain
Negative
Negative
View
9
6
6
6
6
6
6
8
8
8
8
8
8
8
8
9
9
9
10
10
10
10
10
10
10
10
Energy Marketing
Tacoma Public Utilities
Michael C Hill
Tampa Electric Co.
Benjamin F Smith II
Tennessee Valley Authority
Marjorie S. Parsons
Westar Energy
Grant L Wilkerson
Western Area Power Administration Peter H Kinney
UGP Marketing
Xcel Energy, Inc.
David F. Lemmons
Roger C Zaklukiewicz
Edward C Stein
James A Maenner
APX
Michael Johnson
JDRJC Associates
Jim Cyrulewski
Power Energy Group LLC
Peggy Abbadini
Utility Services, Inc.
Brian Evans-Mongeon
Volkmann Consulting, Inc.
Terry Volkmann
California Energy Commission
William M Chamberlain
Central Lincoln PUD
Bruce Lovelin
Commonwealth of Massachusetts
Donald Nelson
Department of Public Utilities
Midwest Reliability Organization
James D Burley
New York State Reliability Council
Alan Adamson
Northeast Power Coordinating Council Guy V. Zito
ReliabilityFirst Corporation
Anthony E Jablonski
SERC Reliability Corporation
Carter B. Edge
Southwest Power Pool RE
Emily Pennel
Texas Reliability Entity, Inc.
Donald G Jones
Western Electricity Coordinating
Steven L. Rueckert
Council
Affirmative
Abstain
Abstain
Affirmative
Negative
Affirmative
Abstain
Abstain
Abstain
Affirmative
Negative
View
Negative
Affirmative
Affirmative
Negative
Negative
Abstain
Affirmative
Affirmative
View
View
View
Affirmative
10
Consideration of Comments
Disturbance and Sabotage Reporting (Project 2009-01)
The Disturbance and Sabotage Reporting Drafting Team thanks all commenters who submitted
comments on the second formal posting for Project 2009-01—Disturbance and Sabotage Reporting.
The standard was posted for a 45-day public comment period from October 28, 2011 through
December 12, 2011 and included an initial ballot during the last 10 days of the comment period.
Stakeholders were asked to provide feedback on the standard and associated documents through a
special electronic comment form. There were 76 sets of comments, including comments from
approximately 171 different people from approximately 140 companies representing nine of the ten
Industry Segments as shown in the table on the following pages.
All comments submitted may be reviewed in their original format on the standard’s project page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
If you feel that your comment has been overlooked, please let us know immediately. Our goal is to give
every comment serious consideration in this process! If you feel there has been an error or omission,
you can contact the Vice President of Standards and Training, Herb Schrayshuen, at 404-446-2560 or at
herb.schrayshuen@nerc.net. In addition, there is a NERC Reliability Standards Appeals Process.1
Summary Consideration
EOP-004-2 was posted for a 45-day formal comment period and initial ballot from October 28-December 12, 2011.
The DSR SDT received comments from stakeholders to improve the readability
and clarity of the requirements of the standard. The revisions that were made to the standard are
summarized in the following paragraphs.
Purpose Statement
The DSR SDT revised the purpose statement to remove the ambiguous language “with the potential to
impact reliability”. The purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of events by
Responsible Entities.”
1 The appeals process is in the Standard Processes Manual:
http://www.nerc.com/files/Appendix_3A_Standard_Processes_Manual_Rev%201_20110825.pdf
Operating Plan
Based on stakeholder comments, Requirement R1 was revised for clarity. Part 1.1 was revised to
replace the word “identifying” with “recognizing” and Part 1.2 was eliminated. This also aligns the
language of the standard with FERC Order 693, Paragraph 471.
“(2) specify baseline requirements regarding what issues should be addressed in the procedures
for recognizing {emphasis added} sabotage events and making personnel aware of such
events;”
Requirement R1, Part 1.3 (now Part 1.2) was revised by eliminating the phrase “as appropriate” and
adding language indicating that the Responsible Entity is to define its process for reporting and with
whom to report events. Part 1.2 now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to the
Electric Reliability Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator; law
enforcement governmental or provincial agencies.”
The SDT envisions that most entities will only need to slightly modify their existing CIP-001 Sabotage
Reporting procedures to comply with the Operating Plan requirement in this proposed standard. As
many of the features of both sabotage reporting procedures and the Operating Plan are substantially
similar, the SDT feels that some information in the sabotage reporting procedures may need to
be updated and verified.
Operating Plan Review and Communications Testing
Requirement R1, Part 1.4 was removed and Requirement R1, Part 1.5 was separated out as new
Requirement 4. Requirement R4 was revised and is now R3. FERC Order 693, Paragraph 466 includes
provisions for periodic review and update of the Operating Plan:
“466. The Commission affirms the NOPR directive and directs the ERO to incorporate a periodic
review or updating of the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Requirement R3 requires an annual test of the communication portion of Requirement R1 while
Requirement R4 requires an annual review of the Operating Plan:
“R3. Each Responsible Entity shall conduct an annual test, not including notification to the
Electric Reliability Organization, of the communications process in Part 1.2.”
“R4. Each Responsible Entity shall conduct an annual review of the event reporting Operating
Plan in Requirement R1.”
The DSR SDT envisions that the annual test will include verification that communication information
contained in the Operating Plan is correct. As an example, the annual update of the Operating Plan
could include calling “others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to
verify that their contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated. Note that there is no requirement to test the reporting of events to the Electric
Reliability Organization and the Responsible Entity’s Reliability Coordinator.
Operating Plan Implementation
Most stakeholders indicated that Requirements R2 and R3 were redundant and having both in the
standard was not necessary. Requirement R2 called for implementation of Parts 1.1, 1.2, 1.4 and 1.5.
Requirement R3 called for reporting events in accordance with the Operating Plan. The DSR SDT
deleted Requirement R2 based on stakeholder comments and revised R3 (now R2) to:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for applicable
events listed in EOP-004 Attachment 1, and in accordance with the timeframe specified in
EOP-004 Attachment 1.”
Reporting Timelines
The DSR SDT received many comments regarding the various entries of Attachment 1. Many
commenters questioned the reliability benefit of reporting events to the ERO within 1 hour. Most of
the events with a one hour reporting requirement were revised to 24 hours based on stakeholder
comments; those types of events are currently required to be reported within 24 hours in the existing
mandatory and enforceable standards. The only remaining type of event that is to be reported within
one hour is “A reportable Cyber Security Incident” as it is required by CIP-008 and FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact appropriate
government authorities and industry participants in the event of a cyber security incident as
soon as possible, but in any event, within one hour of the event…”
The table was reformatted to separate one hour reporting and 24 hour reporting. The last column of
the table was also deleted and the information contained in the table was transferred to the sentence
above each table. These sentences are:
“One Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the parties identified
pursuant to Requirement R1, Part 1.2 within one hour of recognition of the event.”
“Twenty-four Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the parties
identified pursuant to Requirement R1, Part 1.2 within twenty-four hours of recognition of the
event.”
Note that the reporting timeline of 24 hours starts when the situation has been determined as a threat,
not when it may have first occurred.
Cyber-Related Events
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical Cyber Assets were
removed from Attachment 1. Stakeholders pointed out these events are adequately addressed through
the CIP-008 and “Damage or Destruction of a Facility” reporting thresholds. CIP-008 addresses Cyber
Security Incidents which are defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security Perimeter or
Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered
unavailable, would affect the reliability or operability of the Bulk Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a separate event
for “Damage or Destruction of a Critical Asset” is unnecessary.
Damage or Destruction
The event for “Destruction of BES equipment” has been revised to “Damage or destruction of a
Facility”. The threshold for reporting information was expanded for clarity:
“Damage or destruction of a Facility that: affects an IROL
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from intentional human action.”
Facility Definition
The DSR SDT used the defined term “Facility” to add clarity for this event as well as other events in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line,
a generator, a shunt compensator, transformer, etc.)”
The DSR SDT did not intend the use of the term Facility to mean a substation or any other facility (not a
defined term) that one might consider in everyday discussions regarding the grid. This is intended to
mean ONLY a Facility as defined above.
Physical Threats
Several stakeholders expressed concerns relating to the “Forced Intrusion” event. Their concerns
related to ambiguous language in the footnote. The DSR SDT discussed this event as well as the event
“Risk to BES equipment”. These two event types had overlap in the perceived reporting requirements.
The DSR SDT removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “Any physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen because the
Responsible Entity is in the best position to exercise this judgment and determine whether or not an
event poses a threat to its Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance:
“Examples include a train derailment adjacent to a Facility that either could have damaged a
Facility directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also, report any suspicious
device or activity at a Facility. Do not report copper theft unless it impacts the operability of a
Facility.”
Use of DOE OE-417
The DSR SDT received many comments requesting consistency with DOE OE-417 thresholds and
timelines. These items, as well as the Events Analysis Working Group’s (EAWG) requirements, were
considered in creating Attachment 1, but differences remain for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs; accommodation
of other reporting obligations was considered as an opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may trigger further
information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use the OE-417 form rather than
Attachment 2 to report under EOP-004. The SDT was informed by the DOE of its new online process
coming later this year. In this process, entities may be able to record email addresses associated with
their Operating Plan so that when the report is submitted to DOE, it will automatically be forwarded to
the posted email addresses, thereby eliminating some administrative burden to forward the report to
multiple organizations and agencies.
Miscellaneous
Other minor edits were made to Attachment 1. Several words were capitalized but were not defined terms.
The DSR SDT did not intend for these terms to be capitalized (defined terms) and these words were
reverted to lower case. The event type “Loss of monitoring or all voice communication capability” was
divided into two separate events as “Loss of monitoring capability” and “Loss of all voice
communication capability”.
Attachment 2 was updated to reflect the revisions to Attachment 1. The reference to “actual or
potential events” was removed. Also, the event types “other” and “fuel supply emergency” were
removed.
It was noted that ‘Transmission Facilities’ is not a defined term in the NERC Glossary. Transmission and
Facilities are separately defined terms. The DSR SDT has based the applicability of “Transmission
Facilities” in Attachment 1 on the combination of these two definitions.
Index to Questions, Comments, and Responses
1. The DSR SDT has revised EOP-004-2 to remove the training requirement R4 based on stakeholder
comments from the second formal posting. Do you agree with this revision? If not, please explain in the
comment area below.
2. The DSR SDT includes two requirements regarding implementation of the Operating Plan specified
in Requirement R1. The previous version of the standard had a requirement to implement the
Operating Plan as well as a requirement to report events. The two requirements R2 and R3 were
written to delineate implementation of the Parts of R1. Do you agree with these revisions? If not,
please explain in the comment area below.
R2. Each Responsible Entity shall implement the parts of its Operating Plan that meet Requirement
R1, Parts 1.1 and 1.2 for an actual event and Parts 1.4 and 1.5 as specified.
R3. Each Responsible Entity shall report events in accordance with its Operating Plan developed to
address the events listed in Attachment 1.
3. The DSR SDT revised reporting times for many events listed in Attachment 1 from one hour to 24
hours. Do you agree with these revisions? If not, please explain in the comment area below.
4. Do you have any other comment, not expressed in the questions above, for the DSR SDT?
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Group/Individual
Commenter
Organization
Registered Ballot Body Segment
1
1.
Group
Gerald Beckerle
SERC OC Standards Review Group
Additional Member Additional Organization Region Segment Selection
1.
Charlie Cook
TVA
2.
Jake Miller
Dynegy
SERC
5
3.
Joel Wise
TVA
SERC
1, 3, 5, 6
4.
Tim Hattaway
PowerSouth
SERC
1, 5
5.
Robert Thomasson BREC
SERC
1
6.
Shaun Anders
CWLP
SERC
1, 3
7.
Jim Case
Entergy
SERC
1, 3, 6
8.
Tim Lyons
OMU
SERC
3, 5
9.
Len Sandberg
Dominion Virginia Power SERC
1, 3, 5, 6
LGE-KU
3
10. Brad Young
5, 6, 1, 3
SERC
X
2
3
X
4
5
6
7
8
9
10
11. Larry Akens
TVA
SERC
1, 3, 5, 6
12. Mike Hirst
Cogentrix
SERC
5
13. Wayne Van Liere
LGE-KU
SERC
3
14. Scott Brame
NCEMC
SERC
1, 3, 4, 5
15. Steve Corbin
SERC Reliability Corp.
SERC
10
16. John Johnson
SERC Reliability Corp.
SERC
10
17. John Troha
SERC Reliability Corp.
SERC
10
2.
Guy Zito
Group
Additional Member
Northeast Power Coordinating Council
Additional Organization
3
4
5
6
7
8
9
10
X
Region Segment Selection
1.
Alan Adamson
New York State Reliability Council, LLC
NPCC 10
2.
Greg Campoli
New York Independent System Operator
NPCC 2
3.
Sylvain Clermont
Hydro-Quebec TransEnergie
NPCC 1
4.
Chris de Graffenried Consolidated Edison Co. of New York, Inc. NPCC 1
5.
Gerry Dunbar
Northeast Power Coordinating Council
NPCC 10
6.
Ben Wu
Orange and Rockland Utilities
NPCC 1
7.
Peter Yost
Consolidated Edison Co. of New York, Inc. NPCC 3
8.
Kathleen Goodman ISO - New England
NPCC 2
9.
Chantel Haswell
FPL Group, Inc.
NPCC 5
Hydro One Networks Inc.
NPCC 1
10. David Kiguel
2
11. Michael R. Lombardi Northeast Utilities
NPCC 1
12. Randy Macdonald
New Brunswick Power Transmission
NPCC 9
13. Bruce Metruck
New York Power Authority
NPCC 6
14. Lee Pedowicz
Northeast Power Coordinating Council
NPCC 10
15. Robert Pellegrini
The United Illuminating Company
NPCC 1
16. Si-Truc Phan
Hydro-Quebec TransEnergie
NPCC 1
17. David Ramkalawan Ontario Power Generation, Inc.
NPCC 5
18. Saurabh Saksena
National Grid
NPCC 1
19. Michael Schiavone
National Grid
NPCC 1
20. Wayne Sipperly
New York Power Authority
NPCC 5
21. Tina Teng
Independent Electricity System Operator
NPCC 2
22. Donald Weaver
New Brunswick System Operator
NPCC 2
3.
Group
Steve Alexanderson
Additional Member
Pacific Northwest Small Public Power Utility
Comment Group
Additional Organization
Russell A. Noble
Cowlitz County PUD No. 1
WECC 3, 4, 5
2.
Ronald Sporseen
Blachly-Lane Electric Cooperative
WECC 3
3.
Ronald Sporseen
Central Electric Cooperative
WECC 3
4.
Ronald Sporseen
Consumers Power
WECC 1, 3
5.
Ronald Sporseen
Clearwater Power Company
WECC 3
6.
Ronald Sporseen
Douglas Electric Cooperative
WECC 3
7.
Ronald Sporseen
Fall River Rural Electric Cooperative
WECC 3
8.
Ronald Sporseen
Northern Lights
WECC 3
9.
Ronald Sporseen
Lane Electric Cooperative
WECC 3
10. Ronald Sporseen
Lincoln Electric Cooperative
WECC 3
11. Ronald Sporseen
Raft River Rural Electric Cooperative
WECC 3
12. Ronald Sporseen
Lost River Electric Cooperative
WECC 3
13. Ronald Sporseen
Salmon River Electric Cooperative
WECC 3
14. Ronald Sporseen
Umatilla Electric Cooperative
WECC 3
15. Ronald Sporseen
Coos-Curry Electric Cooperative
WECC 3
16. Ronald Sporseen
West Oregon Electric Cooperative
WECC 3
17. Ronald Sporseen
Pacific Northwest Generating Cooperative WECC 3, 4, 8
18. Ronald Sporseen
Power Resources Cooperative
4.
Emily Pennel
Additional Member
Additional Organization
X
6
7
8
9
10
X
X
Region Segment Selection
SPP
1, 4
2. Clem Cassmeyer
Western Farmer's Electric Cooperative
SPP
1, 3, 5
3. Michelle Corley
Cleco Power
SPP
1, 3, 5
4. Kevin Emery
Carthage Water and Electric Plant
SPP
NA
5. Jonathan Hayes
Southwest Power Pool
SPP
2
6. Philip Huff
Arkansas Electric Cooperative Corporation SPP
3, 4, 5, 6
7. Ashley Stringer
Oklahoma Municipal Power Authority
4
Patricia Robertson
5
Southwest Power Pool Regional Entity
City Utilities of Springfield
Group
X
4
WECC 5
1. John Allen
5.
3
Region Segment Selection
1.
Group
2
SPP
BC Hydro
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Patricia Robertson
BC Hydro
WECC 1
2. Rama Vinnakota
BC Hydro
WECC 2
3. Pat Harrington
BC Hydro
WECC 3
4. Clement Ma
BC Hydro
WECC 5
5. Daniel O'Hearn
BC Hydro
WECC 6
6.
Group
Mary Jo Cooper
ZGlobal on behalf of City of Ukiah, Alameda
Municipal Power, Salmen River Electric, City
of Lodi
X
X
Additional Member Additional Organization Region Segment Selection
1. Elizabeth Kirkley
City of Lodi
WECC 3
2. Colin Murphey
City of Ukiah
WECC 3
3. Douglas Draeger
Alameda Municipal Power
WECC 3
4. Ken Dizes
Salmen River Electric Coop WECC 3
7.
Group
WILL SMITH
MRO NSRF
Additional Member Additional Organization Region Segment Selection
1.
MAHMOOD SAFI
MRO
1, 3, 5, 6
2.
CHUCK LAWRENCE ATC
OPPD
MRO
1
3.
TOM WEBB
WPS
MRO
3, 4, 5, 6
4.
JODI JENSON
WAPA
MRO
1, 6
5.
KEN GOLDSMITH
ALTW
MRO
4
6.
ALICE IRELAND
NSP (XCEL)
MRO
1, 3, 5, 6
7.
DAVE RUDOLPH
BEPC
MRO
1, 3, 5, 6
8.
ERIC RUSKAMP
LES
MRO
1, 3, 5, 6
9.
JOE DEPOORTER
MGE
MRO
3, 4, 5, 6
10. SCOTT NICKELS
RPU
MRO
4
11. TERRY HARBOUR
MEC
MRO
1, 3, 5, 6
12. MARIE KNOX
MISO
MRO
2
13. LEE KITTELSON
OTP
MRO
1, 3, 4, 5
14. SCOTT BOS
MPW
MRO
1, 3, 5, 6
15. TONY EDDLEMAN
NPPD
MRO
1, 3, 5
16. MIKE BRYTOWSKI
GRE
MRO
1, 3, 5, 6
17. RICHARD BURT
MPC
MRO
1, 3, 5, 6
8.
Group
Steve Rueckert
No Additional members listed.
Western Electricity Coordinating Council
9.
Imperial Irrigation District
Group
Jesus Sammy Alcaraz
2
3
4
5
6
7
8
9
10
X
X
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Tino Zaragoza
IID
WECC 1
2. Jesus Sammy Alcaraz IID
WECC 3
3. Diana Torres
IID
WECC 4
4. Marcela Caballero
IID
WECC 5
5. Cathy Bretz
IID
WECC 6
10.
Group
Additional Member
ACES Power Marketing Standards
Collaborators
Jean Nitz
Additional Organization
Region Segment Selection
1. Chris Bradley
Big Rivers Electric Corporation
SERC
1
2. Erin Woods
East Kentucky Power Cooperative
SERC
1, 3, 5
3. Susan Sosbe
Wabash Valley Power Association
RFC
3
4. Scott Brame
North Carolina Electric Membership Corporation RFC
5. Shari Heino
Brazos Electric Power Cooperative, Inc.
ERCOT 1
6. Lindsay Shepard
Western Farmers Electric Cooperative
SPP
11.
Group
Frank Gaffney
X
5, 1, 3, 4
1, 5
Florida Municipal Power Agency
X
X
X
X
X
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Timothy Beyrle
City of New Smyrna Beach FRCC
4
2. Greg Woessner
Kissimmee Utility Authority FRCC
3
3. Jim Howard
Lakeland Electric
FRCC
3
4. Lynne Mila
City of Clewiston
FRCC
3
5. Joe Stonecipher
Beaches Energy Services FRCC
1
6. Cairo Vanegas
Fort Pierce Utility Authority FRCC
4
7. Randy Hahn
Ocala Utility Services
3
12.
Group
Terry L. Blackwell
FRCC
Santee Cooper
Additional Member Additional Organization Region Segment Selection
1. S. T. Abrams
Santee Cooper
SERC
1
2. Wayne Ahl
Santee Cooper
SERC
1
3. Rene Free
Santee Cooper
SERC
1
13.
Group
Sacramento Municipal Utility District
(SMUD)
Joe Tarantino
2
X
3
X
4
X
5
6
X
X
X
X
X
X
7
8
9
10
Additional Member Additional Organization Region Segment Selection
1. Kevin Smith
14.
Group
BANC
WECC 1
Robert Rhodes
Additional Member
SPP Standards Review Group
Additional Organization
Region Segment Selection
1. John Allen
City Utilities of Springfield
SPP
1, 4
2. Clem Cassmeyer
Western Farmer's Electric Cooperative
SPP
1, 3, 5
3. Michelle Corley
Cleco Power
SPP
1, 3, 5
4. Kevin Emery
Carthage Water and Electric Plant
SPP
NA
5. Jonathan Hayes
Southwest Power Pool
SPP
2
6. Philip Huff
Arkansas Electric Cooperative Corporation SPP
3, 4, 5, 6
7. Ashley Stringer
Oklahoma Municipal Power Authority
4
15.
Group
Connie Lowe
X
SPP
Dominion
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Louis Slade
RFC
3, 6
2. Michael Crowley
SERC
1, 3
3. Mike Garton
NPCC 5, 6
4. Michael Gildea
MRO
16.
Group
Sam Ciccone
5, 6
FirstEnergy
X
Additional Member Additional Organization Region Segment Selection
1. Doug Hohlbaugh
FE
RFC
1, 3, 4, 5, 6
2. Larry Raczkowski
FE
RFC
1, 3, 4, 5, 6
3. Jim Eckels
FE
RFC
1
4. John Reed
FE
RFC
1
5. Ken Dresner
FE
RFC
5
6. Bill Duge
FE
RFC
5
7. Kevin Querry
FE
RFC
5
17.
Group
PPL Electric Utilities and PPL Supply
Organizations
Annette M. Bannon
2
3
X
4
5
X
6
7
8
9
10
X
Additional Member Additional Organization Region Segment Selection
1. Brenda Truhe
PPL Electric Utilities
RFC
1
2. Annette Bannon
PPL Generation
RFC
5
3. Annette Bannon
PPL Generation
WECC 5
4. Mark Heimbach
PPL EnergyPlus
MRO
5. Mark Heimbach
PPL EnergyPlus
NPCC 6
6. Mark Heimbach
PPL EnergyPlus
RFC
6
7. Mark Heimbach
PPL EnergyPlus
SERC
6
8. Mark Heimbach
PPL EnergyPlus
SPP
6
9. Mark Heimbach
PPL EnergyPlus
WECC 6
18.
Group
Tom McElhinney
6
Electric Compliance
X
X
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Ted Hobson
FRCC
1
2. John Babik
FRCC
5
3. Garry Baker
19.
Group
3
Michael Gammon
Kansas City Power & Light
X
Additional Member Additional Organization Region Segment Selection
1. Scott Harris
KCP&L
SPP
1, 3, 5, 6
2. Monica Strain
KCP&L
SPP
1, 3, 5, 6
3. Brett Holland
KCP&L
SPP
1, 3, 5, 6
4. Jennifer Flandermeyer KCP&L
SPP
1, 3, 5, 6
20.
Individual
Stewart Rake
Luminant Power
21.
Individual
PacifiCorp
Individual
Sandra Shaffer
Janet Smith, Regulatory
Affairs Supervisor
23.
Individual
Jim Eckelkamp
24.
Individual
25.
Individual
22.
X
X
X
X
X
X
X
X
X
Progress Energy
X
X
X
X
Silvia Parada Mitchell
Compliance & Responsibility Office
X
X
X
X
Antonio Grayson
Southern Company
X
X
X
X
Arizona Public Service Company
Individual
John Brockhan
CenterPoint Energy
X
Individual
28. Individual
Brenton Lopez
Bo Jones
Salt River Project
Westar Energy
X
X
X
X
X
X
X
X
29.
Individual
Michael Johnson
APX Power Markets (NCR-11034)
30.
Individual
David Proebstel
Clallam County PUD No.1
31.
Individual
Michael Moltane
ITC
32.
Individual
Tracy Richardson
Springfield Utility Board
33.
Individual
Kasia Mihalchuk
Manitoba Hydro
34.
Individual
Individual
Kevin Conway
Intellibind
Chris Higgins / Jim
Burns / Ted Snodgrass /
Jeff Millennor / Russell
Funk
Bonneville Power Administration
36.
Individual
Chris de Graffenried
37.
Individual
38.
39.
26.
27.
X
X
X
X
X
X
X
Consolidated Edison Co. of NY, Inc.
X
X
X
X
David Burke
Orange and Rockland Utilities, Inc.
X
X
Individual
Alice Ireland
Xcel Energy
X
X
X
X
Individual
Greg Rowland
X
X
X
X
X
X
X
X
Rodney Luck
Duke Energy
Los Angeles Department of Water and
Power
Individual
42. Individual
Daniel Duff
Lisa Rosintoski
Liberty Electric Power
Colorado Springs Utilities
43.
Independent Electricity System Operator
Individual
Michael Falvo
John Bee on Behalf of
Exelon
Individual
John D. Martinsen
Exelon
Public Utility District No. 1 of Snohomish
County
46.
Individual
RoLynda Shumpert
South Carolina Electric and Gas
47.
Individual
Kathleen Goodman
ISO New England
41.
44.
45.
Individual
10
X
X
Individual
9
X
X
40.
8
X
X
35.
7
X
X
X
X
X
X
X
X
X
X
X
X
X
X
48.
Individual
Texas Reliability Entity
Individual
50. Individual
Andrew Z. Pusztai
Anthony Jablonski
American Transmission Company, LLC
ReliabilityFirst
X
51.
Individual
Don Schmit
Nebraska Public Power District
52.
Individual
Dennis Sismaet
Seattle City Light
X
X
X
X
53.
Individual
John Seelke
PSEG
X
54.
Individual
Barry Lawson
NRECA
55.
Individual
Terry Harbour
MidAmerican Energy
56.
Individual
Thad Ness
57.
Individual
58.
X
X
X
X
X
X
X
X
X
X
American Electric Power
X
X
X
X
Guy Andrews
Georgia System Operations Corporation
X
X
X
X
Individual
Ed Davis
Individual
Margaret McNaul
Entergy Services
Thompson Coburn LLP on behalf of Miss.
Delta Energy Agency
60.
Individual
Bob Thomas
Illinois Municipal Electric Agency
61.
Individual
Kirit Shah
Ameren
X
X
62.
Individual
Linda Jacobson-Quinn
FEUS
63.
Individual
Tom Foreman
Lower Colorado River Authority
X
X
64.
Individual
Richard Salgo
NV Energy
65.
Individual
Nathan Mitchell
American Public Power Association
66.
Individual
Angela Summer
Southwestern Power Administration
67.
Individual
Michelle R D'Antuono
Ingleside Cogeneration LP
68.
Individual
Tim Soles
Occidental Power Services, Inc. (OPSI)
69.
Individual
Michael Lombardi
Northeast Utilities
X
X
X
70.
Individual
Andrew Gallo
City of Austin dba Austin Energy
X
X
71.
Individual
James Sauceda
Energy Northwest - Columbia
72.
Individual
Scott Berry
Indiana Municipal Power Agency
59.
X
Curtis Crews
49.
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Individual
Maggy Powell
Constellation Energy on behalf of Baltimore
Gas & Electric, Constellation Power
Generation, Constellation Energy
Commodities Group, Constellation Control
and Dispatch, Constellation NewEnergy and
Constellation Energy Nuclear Group.
74.
Individual
Michael Brytowski
Great River Energy
75.
Individual
Christine Hasha
Electric Reliability Council of Texas, Inc.
76.
Individual
Darryl Curtis
Oncor Electric Delivery Company LLC
73.
X
X
X
X
X
X
X
X
X
X
1. The DSR SDT has revised EOP-004-2 to remove the training requirement R4 based on stakeholder comments from the second
formal posting. Do you agree with this revision? If not, please explain in the comment area below.
Summary Consideration: As a result of the industry comments, the SDT has further modified the standard as follows:
- Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by eliminating the phrase “as appropriate” and
indicating that the Responsible Entity is to define its process for reporting and with whom events are communicated.
- Combined relevant parts of Requirement R1, Parts 1.4, 1.5 and Requirement R4 into Requirement 1, Part 1.3.
- Deleted the requirement for drills or exercises
- Clarified that only Registered Entities conduct annual tests of the communication process outlined in Requirement 1, Part 1.2
- Changed the review of the Operating Plan to 'annually'
The DSR SDT envisions the testing under Requirement R1, Part 1.3 will include verification that contact information contained in the
Operating Plan is correct. As an example, the annual review of the Operating Plan could include calling “others as defined in the
Responsible Entity’s Operating Plan” (see Part 1.2) to verify their contact information is up to date. If any discrepancies are noted,
the Operating Plan would be updated.
Despite some industry opposition, both the periodic review of the Operating Plan and the testing requirements were maintained to
meet the intent of FERC Order 693, Paragraph 466:
“The Commission affirms the NOPR directive and directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting procedures.”
Organization
Yes or No
Question 1 Comment
Beaches Energy Services, City of Green Cove Springs
Negative
First, I wish to thank the SDT for their hard work and making significant
progress in significant improvements in the standard. I commend the
direction that the SDT is taking. There are, however, a few unresolved issues
that cause me to not support the standard at this time. 1. An issue of
possible differences in interpretation between entities and compliance
monitoring and enforcement is the phrase in 1.3 that states “the following
as appropriate”. Who has the authority to deem what is appropriate? The
requirements should be clear that the Responsible Entity is the decision
maker of who is appropriate, otherwise there is opportunity for conflict
between entities and compliance. Requirement R1, Part 1.3 (now Part 1.2)
was revised to add clarifying language by eliminating the phrase “as
appropriate” and indicating that the Responsible Entity is to define its
process for reporting and with whom to communicate events to as stated in
the entity’s Operating Plan.
In addition, 1.4 is onerous and burdensome regarding the need to revise the
plan within 90 days of “any” change, especially considering the ambiguity of
“other circumstances”. “Other circumstances” is open to interpretation and
a potential source of conflict.
Requirement R1, Part 1.4 was removed from the standard.
Response: Thank you for your comment. Please see response above.
New Brunswick Power Transmission
Corporation
Negative
It is NBPT’s opinion that because this is a standard associated with reporting
events after an occurrence, it is overly burdensome to require drills and
exercises for verification purposes as described in R4.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise. This has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
Response: Thank you for your comment. Please see response above.
United Illuminating Co.
Negative
R4 is not clear what is expected. There is a difference between testing a
process that consists of identifying an event then selecting communication contacts
versus needing to test contacts for each event in Attachment 1 and drill each
event and document each event drill.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
In R2 the phrase "as specified" should be replaced or completed, as
specified by what.
The DSR SDT has deleted Requirement R2 based on stakeholder comments
and revised R3 (now R2) to read: “Each Responsible Entity shall implement
its event reporting Operating Plan for applicable events listed in EOP-004
Attachment 1, and in accordance with the timeframe specified in EOP-004
Attachment 1.”
Response: Thank you for your comment. Please see response above.
City of Farmington
Negative
R4 requires verification through a drill or exercise the communication
process created as part of R1.3. Clarification of what a drill or exercise
should be considered. In order to show compliance to R4 would the entity
have to send a pseudo event report to Internal Personnel, the Regional
Entity, NERC ES-ISAC, Law Enforcement, and Governmental or provincial
agencies listed in R1.3 to verify the communications plan? It would not be a
burden on the entity so much, however, I’m not sure the external parties
want to be the recipient of approximately 2000 pseudo event reports
annually.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
Response: Thank you for your comment. Please see response above.
Hydro One Networks, Inc.
Negative
Referring to Requirement R4, the communication process can be verified
without having to go through a drill or exercise. Any specific testing or
verification of the process is the responsibility of the Responsible Entity.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
Despite some industry opposition, both periodic review of the Operating Plan
and the test requirements were maintained to meet the intent of FERC Order
693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
Response: Thank you for your comment. Please see response above.
Ameren Services
Negative
The current language in the parenthesis of R4 suggests that the training
requirement was actually not removed, in that "a drill or exercise"
constitutes training. As documented in the last sentence of the Summary of
Key Concepts section, "The proposed standard deals exclusively with after-the-fact reporting." We feel that training, even if it is called drills or exercises
is not necessary for an after-the-fact report.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
Despite some industry opposition, both periodic review of the Operating Plan
and the test requirements were maintained to meet the intent of FERC Order
693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
Response: Thank you for your comment. Please see response above.
Liberty Electric Power LLC
Negative
Voting no due to training not being an option to fill the "drill" requirement.
The reason for R4 seems to be to assure personnel will respond to an event
in accordance with the entity procedure. Entities meet their obligations for
other regulatory requirements with training, and should be permitted to do
so for R4.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated. This language does not
preclude the verification of contact information taking place during a
training event.
Response: Thank you for your comment. Please see response above.
ACES Power Marketing, Hoosier
Energy Rural Electric Cooperative,
Inc., Sunflower Electric Power
Corporation, Great River Energy
Negative
We appreciate the efforts of the SDT in considering the comments of
stakeholders from prior comment periods. We believe this draft is greatly
improved over the previous version and we agree with the elimination of
the term "sabotage" which is a difficult term to define. The determination of
an act of sabotage should be left to the proper law enforcement authorities.
However, we also realize that the proper authorities would be hard pressed
to make these determinations without reporting from industry when there
are threats to BES equipment or facilities. We understand and agree there
should be verification of the information required for such reporting
(contact information, process flow charts, etc). But we still believe
improvements can be made to the draft standard. The use of the words “or
through a drill or exercise” in Requirement R4 still implies that training is
required if no actual event has occurred. When you conduct a fire “drill” you
are training your employees on evacuation routes and who they need to
report to. Not only are you verifying your process but you are training your
employees as well. It is imperative that the information in the Event
Reporting process is correct but we don't agree that performing a drill on
the process is necessary. We recommend modifying the requirement to
focus on verifying the information needed for appropriate communications
on an event. And we agree this should take place at least annually.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
This language does not preclude the verification of contact information
taking place during a training event.
Response: Thank you for your comment. Please see response above.
Florida Municipal Power Agency
No
First, we wish to thank the SDT for their hard work and making significant
progress in significant improvements in the standard. We commend the
direction that the SDT is taking. There are, however, a few unresolved issues
that cause us to not support the standard at this time. An issue of possible
differences in interpretation between entities and compliance monitoring
and enforcement is the phrase in 1.3 that states “the following as
appropriate”. Who has the authority to deem what is appropriate? The
requirements should be clear that the Responsible Entity is the decision
maker of who is appropriate, otherwise there is opportunity for conflict
between entities and compliance.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying
language by eliminating the phrase “as appropriate” and indicating that the
Responsible Entity is to define its process for reporting and with whom to
communicate events to as stated in the entity’s Operating Plan. Part 1.2 now
reads: “A process for communicating each of the applicable events listed in
EOP-004 Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric Reliability Organization and other
organizations needed for the event type; i.e. the Regional Entity; company
personnel; the Responsible Entity’s Reliability Coordinator; law enforcement
governmental or provincial agencies.”
In addition, 1.4 is onerous and burdensome regarding the need to revise the
plan within 90 days of “any” change, especially considering the ambiguity of
“other circumstances”. “Other circumstances” is open to interpretation and
a potential source of conflict.
Requirement R1, Part 1.4 was removed from the standard.
Response: Thank you for your comment. Please see response above.
Illinois Municipal Electric Agency
No
IMEA agrees with the removal of the training requirement, but also believes
verification is not a necessary requirement for this standard; therefore, R4 is
not necessary and should be removed.
Requirement R4 related to an annual test of the communication portion of
Requirement 1. This has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
Response: Thank you for your comment. Please see response above.
Indiana Municipal Power Agency
No
IMPA does not believe that R4 is necessary. In addition, if a drill or exercise
is used to verify the communication process, some of the parties listed in
R1.3 may not want to participate in the drill or exercise every 15 months,
such as law enforcement and governmental agencies. IMPA would propose
contacting these agencies every 15 months to verify their contact
information only and updating their information in the plan as needed,
without performing a drill or exercise.
This has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
ISO New England
No
Please see further comments; we do not believe R4 is a necessary
requirement in the standard and suggest it be deleted.
Requirement R4 related to an annual test of the communication portion of
Requirement 1. This has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
Northeast Power Coordinating
Council
No
Requirement R4 is unnecessary. Whether or not the process, plan,
procedure, etc. is “verified” is of no consequence. EOP standards are
intended to have entities prepare for likely events (restoration/evacuation),
and to provide tools for similar unforeseen events (ice storms, tornadoes,
earthquakes, etc.). They should not force a script when results are what
matters.
Requirement R4 related to an annual test of the communication portion of
Requirement 1. This has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
Southern Company
No
Southern agrees with removing the training requirement of R4 from the
previous version of the standard. However, Southern suggests that drills
and exercises are also training and R4 in this revised standard should be
removed in its entirety.
The “drill or exercise” language has been deleted. Requirement R4 related to
an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
Ameren
No
The current language in the parenthesis of R4 suggests that the training
requirement was actually not removed, in that "a drill or exercise"
constitutes training. As documented in the last sentence of the Summary of
Key Concepts section, "The proposed standard deals exclusively with after-the-fact reporting." We feel that training, even if it is called drills or
exercises is not necessary for an after-the-fact report.
The “drill or exercise” language has been deleted. Requirement R4 related to
an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
Liberty Electric Power
No
Training should be left in the standard as an option, along with an actual
event, drill or exercise, to demonstrate that operating personnel have
knowledge of the procedure.
The “drill or exercise” language has been deleted. Requirement R4 related
to an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
This language does not preclude the verification of contact information
taking place during a training event.
Response: Thank you for your comment. Please see response above.
SERC OC Standards Review Group
No
We agree with removing the training requirement of R4; however we
believe that drills and exercises are also training and R4 should be removed
in its entirety because drills and exercises on an after the fact process do not
enhance reliability.
The “drill or exercise” language has been removed. Requirement R4 related
to an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
The testing requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR
directive and directs the ERO to incorporate a periodic review or updating of
the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
ACES Power Marketing Standards
Collaborators/Great River Energy
No
We understand and agree there should be verification of the information
required for such reporting (contact information, process flow charts, etc).
But we still believe improvements can be made to the draft standard, in
particular to requirement R4. The use of the words “or through a drill or
exercise” still implies that training is required if no actual event has
occurred. When you conduct a fire “drill” you are training your employees
on evacuation routes and who they need to report to. Not only are you
verifying your process but you are training your employees as well. It is
imperative that the information in the Event Reporting process is correct but
we don't agree that performing a drill on the process is necessary. We
recommend modifying the requirement to focus on verifying the
information needed for appropriate communications on an event. And we
agree this should take place at least annually.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
This language does not preclude the verification of contact information
taking place during a training event.
Response: Thank you for your comment. Please see response above.
Ingleside Cogeneration LP
Yes
Yes. Ingleside Cogeneration LP agrees that training on an incident
reporting operations plan should be at the option of the entity. However,
we recommend that a statement be included in the “Guideline and
Technical Basis” section that encourages drills and exercises be coincident
with those conducted for Emergency Operations. Since front-line operators
must send out the initial alert that a reportable condition exists, such
exercises may help determine how to manage their reporting obligations
during the early stages of the troubleshooting process. This is especially true
where a notification must be made within an hour of discovery - a very short
time period.
The “drill or exercise” language has been removed. Requirement R4 related
to an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
This language does not preclude the verification of contact information
taking place during a training event.
Response: Thank you for your comment. Please see response above.
American Public Power Association
Yes
APPA agrees that removal of the training requirement was an appropriate
revision to limit the burden on small registered entities. However, APPA
requests clarification from the SDT on the current draft of R4. If no event
occurs during the calendar year, a drill or exercise of the Operating Plan
communication process is required. APPA believes that if this drill or
exercise is required, then it should be a table top verification of the internal
communication process such as verification of phone numbers and stepping
through a Registered Entity specific scenario. This should not be a full drill
with requirements to contact outside entities such as law enforcement,
NERC, the RC or other entities playing out a drill scenario. This full drill
would be a major burden for small entities.
The “drill or exercise” language has been removed. Requirement R4 related
to an annual test of the communication portion of Requirement 1. This has
been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that the testing under Requirement R3 will include
verification of contact information contained in the Operating Plan is correct.
As an example, the annual review of the Operating Plan could include calling
“others as defined in the Responsible Entity’s Operating Plan” (see part 1.2)
to verify that their contact information is up to date. If any discrepancies are
noted, the Operating Plan would be updated.
Response: Thank you for your comment. Please see response above.
FirstEnergy
Yes
FirstEnergy supports this removal and thanks the drafting team.
Response: Thank you for your comment. Please see response above.
Compliance & Responsibility Office
Yes
See comments in response to Question 4.
Response: Thank you for your comment. See response to Question 4.
NV Energy
Yes
Thank you for responding to the stakeholder comments on this issue.
Yes
Yes, we support removal of the training requirement.
Response: Thank you for your comment.
Constellation Energy on behalf of
Baltimore Gas & Electric,
Constellation Power Generation,
Constellation Energy Commodities
Group, Constellation Control and
Dispatch, Constellation NewEnergy
and Constellation Energy Nuclear
Group.
Response: Thank you for your comment.
Pacific Northwest Small Public Power
Utility Comment Group
Yes
Southwest Power Pool Regional
Entity
Yes
BC Hydro
Yes
ZGlobal on behalf of City of Ukiah,
Alameda Municipal Power, Salmen
River Electric, City of Lodi
Yes
MRO NSRF
Yes
Western Electricity Coordinating
Council
Yes
Imperial Irrigation District
Yes
Santee Cooper
Yes
Sacramento Municipal Utility District
(SMUD)
Yes
SPP Standards Review Group
Yes
Dominion
Yes
PPL Electric Utilities and PPL Supply
Organizations
Yes
Electric Compliance
Yes
Kansas City Power & Light
Yes
Luminant Power
Yes
PacifiCorp
Yes
Arizona Public Service Company
Yes
CenterPoint Energy
Yes
Salt River Project
Yes
Westar Energy
Yes
APX Power Markets (NCR-11034)
Yes
Clallam County PUD No.1
Yes
ITC
Yes
Springfield Utility Board
Yes
Manitoba Hydro
Yes
Intellibind
Yes
Bonneville Power Administration
Yes
Consolidated Edison Co. of NY, Inc.
Yes
Orange and Rockland Utilities, Inc.
Yes
Xcel Energy
Yes
Duke Energy
Yes
Colorado Springs Utilities
Yes
Independent Electricity System
Operator
Yes
Exelon
Yes
Public Utility District No. 1 of
Snohomish County
Yes
South Carolina Electric and Gas
Yes
American Transmission Company,
LLC
Yes
Nebraska Public Power District
Yes
Seattle City Light
Yes
PSEG
Yes
MidAmerican Energy
Yes
American Electric Power
Yes
Georgia System Operations
Corporation
Yes
FEUS
Yes
Lower Colorado River Authority
Yes
Southwestern Power Administration
Yes
Occidental Power Services, Inc.
(OPSI)
Yes
Northeast Utilities
Yes
City of Austin dba Austin Energy
Yes
Energy Northwest - Columbia
Yes
Electric Reliability Council of Texas,
Inc.
Yes
Oncor Electric Delivery Company LLC
Yes
Progress Energy
Los Angeles Department of Water
and Power
Texas Reliability Entity
ReliabilityFirst
NRECA
Entergy Services
Thompson Coburn LLP on behalf of
Miss. Delta Energy Agency
2.
The DSR SDT includes two requirements regarding implementation of the Operating Plan specified in Requirement R1. The
previous version of the standard had a requirement to implement the Operating plan as well as a requirement to report events.
The two requirements R2 and R3 were written to delineate implementation of the Parts of R1. Do you agree with these
revisions? If not, please explain in the comment area below.
R2. Each Responsible Entity shall implement the parts of its Operating Plan that meet Requirement R1, Parts 1.1 and 1.2 for an
actual event and Parts 1.4 and 1.5 as specified.
R3. Each Responsible Entity shall report events in accordance with its Operating Plan developed to address the events listed in
Attachment 1.
Summary Consideration: Most stakeholders believed that Requirements R2 and R3 were redundant and having both in the standard
was not necessary. Requirement R2 called for implementation of Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting
events in accordance with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder comments and revised R3
(now R2) to:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for applicable events listed in EOP-004 Attachment 1,
and in accordance with the timeframe specified in EOP-004 Attachment1.”
Organization
Yes or No
Ameren Services
Negative
Question 2 Comment
(2) The new wording while well intentioned, effectively does not add clarity and
leads to confusion. From our perspective, R1, which requires an Operating Plan,
which is defined by the NERC glossary as: "A document that identifies a group of
activities that may be used to achieve some goal. An Operating Plan may contain
Operating Procedures and Operating Processes. A company-specific system
restoration plan that includes an Operating Procedure for black-starting units,
Operating Processes for communicating restoration progress with other entities,
etc., is an example of an Operating Plan."
The DSR SDT thanks you for your comment. The SDT has made changes to the
requirements highlighted in your comments.
FERC Order 693, Paragraph 466 includes provisions for periodic review and update of
the Operating Plan: “466. The Commission affirms the NOPR directive and directs the
ERO to incorporate a periodic review or updating of the sabotage reporting procedures
and for the periodic testing of the sabotage reporting procedures.”
(3) Is not a proper location for an after-the-fact reporting standard? In fact it could
be argued that after-the-fact reports in and of themselves do not affect the reliability
of the bulk electric system.
The DSR SDT does not agree with this comment. Reporting of an event will give the
Electric Reliability Organization and your Reliability Coordinator the situational
awareness of what has occurred on your part of the BES. Plus as described in your
Operating Plan, you would have communicated the event as you saw fit. By
broadcasting that an event has occurred you will increase the awareness of your
company (as described in your Operating Plan) and increase the awareness of the
Electric Reliability Organization and your Reliability Coordinator.
(4) But considering the proposed standard as written with the Operating Plan in
requirement R1, and implementation of the Operating Plan in requirement R2
(except the actual reporting which is in R3) and then R3 which requires implementing
the reporting section R1.3, it is not clear how these requirements can be kept
separate in either implementation nor by the CEA.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation
of Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in
accordance with the Operating Plan. The DSR SDT deleted Requirement R2 based on
stakeholder comments and revised R3 (now R2). The test and review requirement is
included in the Standard to meet the intent of FERC Order 693, paragraph 466: “The
Commission affirms the NOPR directive and directs the ERO to incorporate a periodic
review or updating of the sabotage reporting procedures and for the periodic testing
of the sabotage reporting procedures.”
(5) The second sentence in the second paragraph of “Rationale for R1” states: “The
main issue is to make sure an entity can a) identify when an event has occurred and
b) be able to gather enough information to complete the report.” This is crucial for a
Standard like this that is intended to mandate actions for events that are frequently
totally unexpected and beyond normal planning criteria. This language needs to be
added to Attachment 1 by the DSR SDT as explained in the rest of our comments.
The DSR SDT has updated the Rationale for Part 1.2 (previous Part 1.3) to read as:
“Part 1.2 could include a process flowchart, identification of internal and external
personnel or entities to be notified, or a list of personnel by name and their
associated contact information.” Whereas Part 1.2 now states:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.”
Response: Thank you for your comment. Please see response above.
Old Dominion Electric Coop.
Negative
I disagree with two things in the presently drafted standard. First, I do not feel a
separate requirement to implement the plan is necessary (R2),
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment1.”
and I do not think that verification of the communications process should require a
minimum of a drill or exercise. This is verified now under the current standard CIP-001
through verified contact with the appropriate authorities and this should be enough
to verify that the communications for the plan is in place.
The “drill or exercise” language has been removed. Requirement R4 related to an
annual test of the communication portion of Requirement 1. This has been revised
to:
R3. Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2. The
DSR SDT envisions that the testing under Requirement R3 will include verification of
contact information contained in the Operating Plan is correct. As an example, the
annual review of the Operating Plan could include calling “others as defined in the
Responsible Entity’s Operating Plan” (see part 1.2) to verify that their contact
information is up to date. If any discrepancies are noted, the Operating Plan would
be updated.
Response: Thank you for your comment. Please see response above.
ACES Power Marketing,
Hoosier Energy Rural Electric
Cooperative, Inc., Sunflower
Electric Power Corporation,
Great River Energy/ ACES
Power Marketing Standards
Collaborators/ Great River
Energy
Negative
Requirement R2 requires Responsible Entities to implement the various sub-requirements in R1. We believe it is unnecessary to state that an entity must
implement their Operating Plan in a separate requirement. Having a separate
requirement seems redundant. If the processes in the Operating Plan are not
implemented, the entity is non-compliant with the standard.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment1.”
There doesn’t need to be an extra requirement saying entities need to implement
their Operating Plan.
The test and review requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
Response: Thank you for your comment. Please see response above.
Hydro One Networks, Inc.
Negative
Requirement R2 seems to not be necessary. Who would have a plan and not
implement it? This may also introduce double jeopardy issues should some entity not
have a plan as required in R1. They would be unable to implement something they
did not have so automatically non-compliant with R1 and R2.
o Requirements R2 and R3 seem to be redundant. Isn't implementing the Operating Plan the same as
reporting events in accordance with its Operating Plan?
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment1.”
The standard mentions collecting information for Attachment 2, but the standard
does not state what to do with Attachment 2. Is it merely a record for demonstrating
compliance with R3?
The DSR SDT has updated Requirement R2 to read: “Each Responsible Entity must
report and communicate events according to its Operating Plan based on the
information in Attachment 1.”
The DSR SDT has also added the following statement to Attachment 1 for 1 hour
reporting time frame and 24 hour reporting time frame, respectively:
“One Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the parties
identified pursuant to Requirement R1, Part 1.2 within one hour of recognition of the
event”
And
“Twenty-four Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the
parties identified pursuant to Requirement R1, Part 1.2 within twenty-four hour of
recognition of the event.”
Response: Thank you for your comment. Please see response above.
Beaches Energy Services, City
of Green Cove Springs
Negative
Requirements R2 and R3 are to implement the Operating Plan. Hence, R3 should be a
bullet under R2 and not a separate requirement. In addition, for R2, the phrase
“actual event” is ambiguous and should mean: “actual event that meets the criteria
of Attachment 1” I suggest the following wording to R2 (which will result in
eliminating R3) “Each Responsible Entity shall implement its Operating Plan: o For
actual events meeting the threshold criteria of Attachment 1, in accordance with
Requirement R1 parts 1.1, 1.2 and 1.3
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment1.”
o For review and updating of the Operating Plan, in accordance with Requirement R1
parts 1.4 and 1.5” Note that I believe that if the SDT decides to not combine R2 and
R3, then we disagree with the distinction between the two requirements.
Requirements R2 and R3 have been combined. Requirement 1, Part 1.4 was removed.
The division of implementing R1 through R2 and R3 as presented is “implementing”
vs. “reporting”. We believe that the correct division should rather be
“implementation” of the plan (which includes reporting) vs. revisions to the plan.
The DSR SDT has updated Requirement R2 to read as: “R2. Each Responsible Entity
shall implement the Operating Plan that meets Requirement R1 for events listed in
Attachment 1.”
FERC Order 693 section 617 states “…the Commission directs the ERO to develop a
modification to EOP-004-1 through the reliability Standards development process that
includes any Requirement necessary for users, owners, and operators of the Bulk-Power System to provide data…”. In order for entities to provide data they are
required to implement their Operating Plan.
Response: Thank you for your comment. Please see response above.
Ameren
No
(1) The new wording while well intentioned, effectively does not add clarity and
leads to confusion. From our perspective, R1, which requires an Operating Plan,
which is defined by the NERC glossary as: "A document that identifies a group of
activities that may be used to achieve some goal. An Operating Plan may contain
Operating Procedures and Operating Processes. A company-specific system
restoration plan that includes an Operating Procedure for black-starting units,
Operating Processes for communicating restoration progress with other entities,
etc., is an example of an Operating Plan."
The DSR SDT has maintained Requirement 1 with the wording of “Operating Plan”
which gives entities the flexibility of containing an Operating Process or Operating
Procedure, as stated as “An Operating Plan may contain Operating Procedures and
Operating Processes.” Please note the use of “may contain” in the NERC approved
definition.
Requirement 1 now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.
(2) Is not a proper location for an after-the-fact reporting standard? In fact it could
be argued that after-the-fact reports in and of themselves do not affect the reliability
of the bulk electric system.
The DSR SDT does not agree with this comment. Reporting of an event will give the
Electric Reliability Organization and your Reliability Coordinator the situational
awareness of what has occurred on your part of the BES. Plus as described in your
Operating Plan, you would have communicated the event as you saw fit. By
broadcasting that an event has occurred you will increase the awareness of your
company (as described in your Operating Plan) and increase the awareness of the
Electric Reliability Organization and your Reliability Coordinator.
(3) But considering the proposed standard as written with the Operating Plan in
requirement R1, and implementation of the Operating Plan in requirement R2
(except the actual reporting which is in R3) and then R3 which requires implementing
the reporting section R1.3, it is not clear how these requirements can be kept
separate in either implementation nor by the CEA.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation
of Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in
accordance with the Operating Plan. The DSR SDT deleted Requirement R2 based on
stakeholder comments and revised R3 (now R2).
The test and review requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
(4) The second sentence in the second paragraph of “Rationale for R1” states: “The
main issue is to make sure an entity can a) identify when an event has occurred and
b) be able to gather enough information to complete the report.” This is crucial for a
Standard like this that is intended to mandate actions for events that are frequently
totally unexpected and beyond normal planning criteria. This language needs to be
added to Attachment 1 by the DSR SDT as explained in the rest of our comments
The DSR SDT has updated the Rationale for Part 1.2 (previous Part 1.3) to read as:
“Part 1.2 could include a process flowchart, identification of internal and external
personnel or entities to be notified, or a list of personnel by name and their
associated contact information.” Whereas Part 1.2 now states:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1
to the Electric Reliability Organization and other organizations needed for the event
type; i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.”
Response: Thank you for your comment. Please see response above.
American Electric Power
No
AEP prefers to avoid requirements that are purely administrative in nature.
Requirements should be clear in their actions of supporting of the BES. For example,
we would prefer requirements which state what is to be expected, and allowing the
entities to develop their programs, processes, and procedures accordingly. It has
been our understanding that industry, and perhaps NERC as well, seeks to reduce the
amount of administrative (i.e. document-based) requirements. We are confident
that the appropriate documentation and administrative elements would occur as a
natural course of implementing and adhering to action-based requirements. In light
of this perspective, we believe that R1 and R2 are not necessary, and that R3
would be sufficient by itself. Our comments above notwithstanding, AEP strongly
encourages the SDT to consider that R2 and R3, if kept, be merged into a single
requirement as a violation of R2 would also be a violation of R3. Two violations
would then occur for what is essentially only a single incident. Rather than having
both R2 and R3, might R3 be sufficient on its own? R2 is simply a means to an end of
achieving R3.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation
of Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in
accordance with the Operating Plan. The DSR SDT deleted Requirement R2 based on
stakeholder comments and revised R3 (now R2).
The test and review requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
If there is a need to explicitly reference implementation, that could be addressed as
part of R1. For example, R1 could state “Each Responsible Entity shall implement an
Operating Plan that includes...” R1 seems disjointed, as subparts 1.4 and 1.5
(updating and reviewing the Operating Plan) do not align well with subparts 1.1
through 1.3 which are process related. If 1.4 and 1.5 are indeed needed, we
recommend that they be a part of their own requirement(s). Furthermore, the
action of these requirements should be changed from emphasizing provision(s) of a
process to demonstrating the underlying activity.
The DSR SDT has maintained Requirement 1 with the wording of “Operating Plan”
which gives entities the flexibility of containing an Operating Process or Operating
Procedure, as stated as “An Operating Plan may contain Operating Procedures and
Operating Processes.” Please note the use of “may contain” in the NERC approved
definition.
Requirement 1 now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.
1.4 AEP is concerned by the vagueness of requiring provision(s) for updating the
Operating Plan for “changes”, as such changes could occur frequently and
unpredictably.
Part 1.4 was removed from the standard.
It is the sole responsibility of the Applicable Entity to determine when an annual
review of the Operating Plan is required. The Operating Plan has the minimum
requirement for an annual review. You may review your Operating Plan as often as
you see appropriate.
Response: Thank you for your comment. Please see response above.
Occidental Power Services, Inc. (OPSI)
No
Attachment 1 and R3 require event reports to be sent to the ERO and the entity’s RC
and to others “as appropriate.” Although this gives the entity some discretion, it
might also create some “Monday morning quarterbacking” situations. This is
especially true for the one hour reporting situations as personnel that would be
responding to these events are the same ones needed to report the event. OPSI
suggests that the SDT reconsider and clarify reporting obligations with the objective
of sending initial reports to the minimum number of entities on a need-to-know
basis.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is
to define its process for reporting and with whom to communicate events to as stated
in the entity’s Operating Plan.
The DSR SDT also received many comments regarding the various events of
Attachment 1. Many commenters questioned the reliability benefit of reporting
events to the ERO and their Reliability Coordinator within 1 hour. Most of the events
with a one hour reporting requirement were revised to 24 hours based on stakeholder
comments as well as those types of events are currently required to be reported
within 24 hours in the existing mandatory and enforceable standards. The only
remaining type of event that is to be reported within one hour is “A reportable Cyber
Security Incident” as it is required by CIP-008.
FERC Order 706, paragraph 673 states: “…each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but, in any event within one hour of the event…”
Response: Thank you for your comment. Please see response above.
Ingleside Cogeneration LP
No
Attachment 1 and requirement R3 are written in a manner which would seem to
indicate that internal personnel and law enforcement personnel would have to be
copied on the submitted form - either Attachment 2 or OE-417. We believe the
intent is to submit such forms to the appropriate recipients only (e.g.; the ERO and
the DOE). The requirement should be re-written to clarify that this is the case.
The DSR SDT thanks you for your comment. Requirement 1 has been updated and
now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.
The Applicable Entity’s Operating Plan is to contain the process for reporting events
listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and for communicating to others as defined in the Responsible
Entity’s Operating Plan. All events in Attachment 1 are required to be reported to the
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator.
The Operating Plan may include: internal company personnel, your Regional Entity, law
enforcement, and governmental or provisional agencies, as you identify within your
Operating Plan. This gives you the flexibility to tailor your Operating Plan to fit your
company’s needs and wants.
Response: Thank you for your comment. Please see response above.
Florida Municipal Power
Agency
No
Both requirements are to implement the Operating Plan. Hence, R3 should be a
bullet under R2 and not a separate requirement. In addition, for R2, the phrase
“actual event” is ambiguous and should mean: “actual event that meets the criteria
of Attachment 1”. We suggest the following wording to R2 (which will result in
eliminating R3): “Each Responsible Entity shall implement its Operating Plan: o For
actual events meeting the threshold criteria of Attachment 1 in accordance with
Requirement R1 parts 1.1, 1.2 and 1.3
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
o For review and updating of the Operating Plan in accordance with Requirement R1
parts 1.4 and 1.5” Note that we believe that if the SDT decides to not combine R2 and
R3, then we disagree with the distinction between the two requirements.
The test and review requirement is included in the Standard to meet the intent of FERC
Order 693, paragraph 466: “The Commission affirms the NOPR directive and directs
the ERO to incorporate a periodic review or updating of the sabotage reporting
procedures and for the periodic testing of the sabotage reporting procedures.”
The division of implementing R1 through R2 and R3 as presented is “implementing”
vs. “reporting”. We believe that the correct division should rather be
“implementation” of the plan (which includes reporting) vs. revisions to the plan.
The DSR SDT has updated Requirement R2 to read as: “R2. Each Responsible Entity
shall implement the Operating Plan that meets Requirement R1 for events listed in
Attachment 1.”
FERC Order 693 section 617 states “…the Commission directs the ERO to develop a
modification to EOP-001-1 through the reliability Standards development process
that includes any Requirement necessary for users, owners, and operators of the
Bulk-Power System to provide data…”. In order for entities to provide data they are
required to implement their Operating Plan.
Response: Thank you for your comment. Please see response above.
Indiana Municipal Power
Agency
No
Both requirements seem to be implementing the Operating Plan which means R3
should be a bullet under R2 and not a separate requirement. IMPA supports making
R2 and R3 one requirement and eliminating the current R3 requirement.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
In addition, R2 needs to be clarified when addressing an actual event. IMPA
recommends saying “an actual event that meets the criteria of Attachment 1.”
The DSR SDT has implemented your suggestion.
Requirement R2 now reads as: “Each Responsible Entity shall implement its event
reporting Operating Plan for applicable events listed in EOP-004 Attachment 1, and in
accordance with the timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
CenterPoint Energy
No
CenterPoint Energy believes the current R2 is unnecessary and duplicative. Upon
reporting events as required by R3, entities will be implementing the relevant parts
of their Operating Plan that address R1.1 and R1.2. This duplication is clear when
reading M2 and M3. Acceptable evidence is an event report. R2 should be modified
to remove this duplicative requirement.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
Orange and Rockland Utilities,
Inc./Consolidated Edison Co.
Of NY, Inc.
No
Comments:
o R1.3 should be revised as follows: A process for communicating
events listed in Attachment 1 to the Electric Reliability Organization, the Responsible
Entity’s Reliability Coordinator and the following as determined by the responsible
entity: ["appropriate: - deleted] [otherwise it is not clear who determines what
communication level is appropriate] o R1.4 should be revised as follows:
Provision(s) for updating the Operating Plan following ["within 90 calendar days of
any" - deleted] change in assets or personnel (if the Operating Plan specifies
personnel or assets) , ["other circumstances" - deleted] that may no longer align with
the Operating Plan; or incorporating lessons learned pursuant to Requirement R3.
o R1.5 should be deleted. Responsible Entities can determine the frequency of
Operating Plan updates. Requirement 1.4 requires updating the Operating Plan
within 90 calendar days for changes in “assets, personnel.... or incorporating lessons
learned”.
Requirement 1 has been updated and now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.
This requirement eliminates the need for Requirement 1.5 requiring a review of the
Operating Plan on an annual basis.
The test and review requirement is included in the Standard to meet the intent of
FERC Order 693, paragraph 466: “The Commission affirms the NOPR directive and
directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting
procedures.”
Response: Thank you for your comment. Please see response above.
ISO New England
No
In accordance with the results-based standards concept, all that is required, for the
“what” is that company X reported on event Y in accordance with the reporting
requirements in attachment Z of the draft standard. Therefore, we proposed the
only requirement that is necessary is R3, which should be re-written to read..."Each
Responsible Entity shall report to address the events listed in Attachment 1."
Requirements 1 and 2 are the basis of the “what” you have described in your comment.
Whereas Attachment 1 contains a minimum list of events that apply to Requirement
1, this is why Requirement R2 was rewritten as: “R2. Each Responsible Entity shall
implement the Operating Plan that meets Requirement R1 for events listed in
Attachment 1.”
The DSR SDT was directed to incorporate certain items such as; FERC Order 693,
paragraph 466: “The Commission affirms the NOPR directive and directs the ERO to
incorporate a periodic review or updating of the sabotage reporting procedures and
for the periodic testing of the sabotage reporting procedures.”
Response: Thank you for your comment. Please see response above.
SERC OC Standards Review
Group
No
It is confusing why R3 is not considered part of R2, which deals with implementation
of the Operating Plan and it appears that R3 could be interpreted as double
jeopardy. We suggest deleting R3.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement the Operating Plan that meets
Requirement R1 for events listed in Attachment 1.”
Response: Thank you for your comment. Please see response above.
Oncor Electric Delivery
Company LLC
No
NERC's Event Analysis Program tends to parallel many of the reporting requirements
as outlined in EOP-004 Version 2. Oncor recommends that NERC considers ways of
streamlining the reporting process by either incorporating the Event Analysis
obligations into EOP-004-2 or reducing the scope of the Event Analysis program as
currently designed to consist only of "exception" reporting.
The Event Analysis Program may use a reported event as a basis to analyze an event.
The reporting required in EOP-004-2 provides the input to the Events Analysis
Process. The processes of the Event Analysis Program fall outside the scope of this
project, but the DSR SDT has collaborated with them of events contained in
Attachment 1.
Response: Thank you for your comment. Please see response above.
NV Energy
No
On my read of the Standard, R2 and R3 appear to be duplicative, and I can't really
distinguish the difference between the two. The action required appears to be the
same for both requirements. Even the Measures for these two sound similar. It is
not clear to me what it means to "implement" other than to have evidence of the
existence and understanding of roles and responsibilities under the "Operating Plan."
I suggest elimination of R2 and inclusion of a line item in Measure 1 calling for
evidence of the existence of an "Operating Plan" including all the required elements
in R1.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
Northeast Power Coordinating
Council
No
R1.3 should be revised as follows: A process for communicating events listed in
Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and the following as determined by the responsible
entity:...Without this change it is not clear who determines what communication
level is appropriate.
Requirement 1, Part 1.3 (now Part 1.2) was updated per comments received.
1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.
R1.4 should be revised as follows: Provision(s) for updating the Operating Plan
following any change in assets or personnel (if the Operating Plan specifies personnel
or assets), that may no longer align with the Operating Plan; or incorporating lessons
learned pursuant to Requirement R3. R1.5 should be deleted. Responsible Entities
can determine the frequency of Operating Plan updates. Requirement 1.4 requires
updating the Operating Plan within 90 calendar days for changes in “assets,
personnel.... or incorporating lessons learned”, (or our preceding proposed revision).
Requirement 1, part 1.4 has been deleted and Requirement R2 has been updated to
read as: “R2. Each Responsible Entity shall implement its event reporting Operating
Plan for applicable events listed in EOP-004 Attachment 1, and in accordance with
the timeframe specified in EOP-004 Attachment 1.”
This requirement eliminates the need for Requirement 1.5 requiring a review of the
Operating Plan on an annual basis.
The only true requirement that is results-based, not administrative and is actually
required to support the Purpose of the Standard is R3.
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
Response: Thank you for your comment. Please see response above.
Illinois Municipal Electric
Agency
No
R2 is not necessary, and should be removed. Subrequirement R1.4 is also not
necessary and should be removed.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
Kansas City Power & Light
No
Requirement R1.1 is confusing regarding the “process for identifying events listed in
Attachment 1”. Considering Attachment 1, the Events Table, already identifies the
events required for reporting, please clearly describe in the requirement what the
“process” referred to in requirement R1.1 represents.
The DSR SDT has reviewed FERC Order 693 and paragraph 471 states: “…(2) specify
baseline requirement regarding what issues should be addressed in the procedures for
recognizing sabotage events and making personnel aware of such events…”
The DSR SDT has written Requirement 1, Part 1.1 to read as: “A process for recognizing
each of the events listed in EOP-004 Attachment 1”. An Applicable Entity may rely on
SCADA alarms as a process for recognizing an event or being made aware of an event
through a scheduled Facility check. The DSR SDT has not been overly prescriptive on
part 1.1 but has allowed each Applicable Entity to determine their own process for
recognizing events listed in Attachment 1.
Response: Thank you for your comment. Please see response above.
Luminant Power
No
Requirements R1, R2, and R4 are burdensome administrative requirements and are
contradictory to the NERC stated Standards Development goals of reducing
administrative requirements by moving to performance requirements.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Requirement R1, Part 1.3 (now Part 1.2) was revised to indicate that the Responsible
Entity is to define its process for reporting and with whom to report events. Part 1.2
now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
There is only one Requirement needed in this standard: “The Responsible Entity
shall report events in accordance with Attachment 1.” Attachment 1 should describe
how events should be reported by what Entity to which party within a defined
timeframe. If this requirement is met, all the other proposed requirements have no
benefit to the reliability of the Bulk Electric System. Per the NERC Standard
Development guidelines, only items that provide a reliability benefit should be
included in a standard.
The DSR SDT has updated Attachment 1 to a minimum threshold for Applicable Entities
to report contained events. Requirement R2 has been updated to reflect that
Applicable Entities shall implement their Operating Plan per Requirement 1 for events
listed in Attachment 1. Requirement R2 reads as: “R2. Each Responsible Entity shall
implement its event reporting Operating Plan for applicable events listed in EOP-004
Attachment 1, and in accordance with the timeframe specified in EOP-004
Attachment 1.”
Response: Thank you for your comment. Please see response above.
Xcel Energy
No
Suggest modifying R3 to indicate this is related to R1.3. Each Responsible Entity shall
report events to entities specified in R1.3 and as identified as appropriate in its
Operating Plan.
Requirement R3 called for reporting events in accordance with the Operating Plan.
The DSR SDT deleted Requirement R2 based on stakeholder comments and revised R3
(now R2)
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
Colorado Springs Utilities
No
The act of implementing the plan needs to include reporting events per R1, subrequirement 1.3. R2 should simply state something like, “Each Responsible Entity
shall implement the Operating Plan that meets the requirements of R1, as applicable,
for an actual event or as specified.” Suggest eliminating R3, which seems to create
double jeopardy effect.
Requirement R2 was updated to reflect comments received to read as: “R2. Each
Responsible Entity shall implement its event reporting Operating Plan for applicable
events listed in EOP-004 Attachment 1, and in accordance with the timeframe
specified in EOP-004 Attachment 1.” R3 was deleted.
Response: Thank you for your comment. Please see response above.
Intellibind
No
The language proposed is not clear and will continue to add confusion to entities
who are trying to meet these requirements. It is not clear that the drafting team can
put itself in the position of how the auditors will interpret and implement
compliance against the R2 requirement. Requirements should be written to stand
alone, not reference other requirements (or parts of the requirements). If the R1 parts
1.1, 1.2, 1.4 and 1.5 are so significant for this requirement, then they should be
rewritten in R2.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
Southern Company
No
These requirements as drafted in this revised standard potentially create a situation
where an entity could be deemed non-compliant for both R2 and R3. For example, if
a Responsible Entity included a reporting obligation in its Operating Plan, and failed
to report an event, the Responsible Entity could be deemed non-compliant for R2 for
not “implementing” its plan and for R3 for not reporting the event to the appropriate
entities. A potential solution to address this would be to add Requirement 1, Part
1.3 to Requirement 2 and remove Requirement 3 in its entirety.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
We also request clarification on Measure M3. Which records should have “dated
and time-stamped transmittal records to show that the event was reported”? Some
of the communication is handled via face-to-face conversation or through telephone
conversation.
Measurement 3 has been deleted since Requirement 3 has been deleted. The new
Measurement 2 allows for “…or other documentation”. This may be in any form that
the Applicable Entity wishes to maintain that they met Requirement 2. The Electric
Reliability Organization does allow “Attestations” along with voice recordings as
proof of compliance.
Response: Thank you for your comment. Please see response above.
Independent Electricity
System Operator
No
We agree with the revision to R2 and R3, but assess that a requirement to enforce
implementation of Part 1.3 in Requirement R1 is missing. Part 1.3 in Requirement R1
stipulates that: 1.3. A process for communicating events listed in Attachment 1 to the
Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator and
the following as appropriate: o Internal company personnel o The Responsible
Entity’s Regional Entity o Law enforcement o Governmental or provincial
agencies The implementation of Part 1.3 is not enforced by R2 or R3 or any other
Requirements in the standard. Suggest to add another requirement or expand
Requirement R4 (and M4) to require the implementation of this Part in addition to
verifying the process.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Requirement 1 has been updated and now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1 A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.
Response: Thank you for your comment. Please see response above.
Independent Electricity
System Operator
Affirmative
The IESO believes that a requirement to enforce implementation of Part 1.3 in
Requirement R1 is missing. Part 1.3 in Requirement R1 stipulates that: 1.3. A process
for communicating events listed in Attachment 1 to the Electric Reliability
Organization, the Responsible Entity’s Reliability Coordinator and the following as
appropriate: o Internal company personnel o The Responsible Entity’s Regional
Entity o Law enforcement o Governmental or provincial agencies The
implementation of Part 1.3 is not enforced by R2 or R3 or any other Requirements in
the standard. The IESO suggests that another requirement be added or Requirement
R4 (and M4) be expanded to require the implementation of this Part in addition to
verifying the process.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Requirement 1 has been updated and now reads as:
Each Responsible Entity shall have an Operating Plan that includes:
1.1 A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.
Response: Thank you for your comment. Please see response above.
Bonneville Power
Administration
Yes
BPA believes the measures for R2 are unclear since they are similar to R3’s reporting
measures.
Response: Thank you for your comment. The SDT has revised the standard to have a single implementation requirement with a
single associated measure.
Compliance & Responsibility
Office
Yes
See comments in response to Question 4.
Response: Thank you for your comment. See response to Question 4.
Constellation Energy on
behalf of Baltimore Gas &
Electric, Constellation Power
Generation, Constellation
Energy Commodities Group,
Constellation Control and
Dispatch, Constellation
NewEnergy and Constellation
Energy Nuclear Group.
Yes
While we support the delineation of the different activities associated with
implementation and reporting, further clarification would be helpful. R1. 1.3: As
currently written, it is somewhat confusing, in particular the use of the qualifier “as
appropriate”.
The DSR SDT has updated Requirement 1, Part 1.2 to read as: “A process for
communicating each of the applicable events listed in EOP-004 Attachment 1 in
accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator;
law enforcement governmental or provincial agencies.”
In addition, the use of the word “communicating” to capture both reporting to
reliability authorities and notifying others may leave the requirement open to
question. Below is a proposed revision: 1.3 A process for reporting events listed in
Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and for communicating to others as defined in the
Responsible Entity’s Operating Plan, such as: o Internal company personnel o The
Responsible Entity’s Regional Entity o Law Enforcement o Government or provincial
agencies R1, 1.4: the last phrase of the requirements seems to be leftover from an
earlier version. The requirement should end after the word “Plan”. R1, 1.5: “Process”
should not be capitalized. While we understand the intent of the draft language and
appreciate the effort to streamline the requirements, we propose an adjusted
delineation below that we feel tracks more cleanly to the structure of a compliance
program. Proposed revised language: R2. Each Responsible Entity shall implement its
Operating Plan to meet Requirement R1, parts 1.1 and 1.2 for an actual event(s). M2.
Responsible Entities shall provide evidence that it implemented its Operating Plan to
meet Requirement R1, Parts 1.1 and 1.2 for an actual event.
The DSR SDT has updated Requirement 1, Part 1.2 to read as: “A process for
communicating each of the applicable events listed in EOP-004 Attachment 1 in
accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator;
law enforcement governmental or provincial agencies.”
The Applicable Entity’s Operating Plan is to contain the process for reporting events
listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and for communicating to others as defined in the Responsible
Entity’s Operating Plan. All events in Attachment 1 are required to be reported to the
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator.
The Operating Plan may include: internal company personnel, your Regional Entity, law
enforcement, and governmental or provisional agencies, as you identify within your
Operating Plan. This gives you the flexibility to tailor your Operating Plan to fit your
company’s needs and wants.
DSR SDT has revised R2. Each Responsible Entity shall implement its event reporting
Operating Plan for applicable events listed in EOP-004 Attachment 1, and in
accordance with the timeframe specified in EOP-004 Attachment 1.
DSR SDT has revised M2. “Each Responsible Entity will have, for each event
experienced, a dated copy of the completed EOP-004 Attachment 2 form or DOE form
OE-417 report submitted for that event; and dated and time-stamped transmittal
records to show that the event was reported supplemented by operator logs or other
operating documentation. Other forms of evidence may include, but are not limited to,
dated and time stamped voice recordings and operating logs or other operating
documentation for situations where filing a written report was not possible.”
Evidence may include, but is not limited to, a submitted event report form
(Attachment 2) or a submitted OE-417 report, operator logs, or voice recording. R3.
Each Responsible Entity shall implement its Operating Plan to meet Requirement R1,
parts 1.4 and 1.5. M3. Responsible Entities shall provide evidence that it
implemented its Operating Plan to meet Requirement R1, Parts 1.4 and 1.5. Evidence
may include, but is not limited to, dated documentation of review and update of the
Operating Plan.
R4. Each Responsible Entity shall verify (through implementation for an actual event,
or through a drill, exercise or table top exercise) the communication process in its
Operating Plan, created pursuant to Requirement 1, Part 1.3, at least annually (once
per calendar year), with no more than 15 calendar months between verification.
M4. The Responsible Entity shall provide evidence that it verified the communication
process in its Operating Plan for events created pursuant to Requirement R1, Part
1.3. Either implementation of the communication process as documented in its
Operating Plan for an actual event or documented evidence of a drill, exercise, or
table top exercise may be used as evidence to meet this requirement. The time
period between verification shall be no more than 15 months. Evidence may include,
but is not limited to, operator logs, voice recordings, or dated documentation of a
verification.
Requirement 4 (now R3) was revised as:
R3. Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2.
[Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
M3. Each Responsible Entity will have dated and time-stamped records to show that
the annual test of Part 1.2 was conducted. Such evidence may include, but are not
limited to, dated and time stamped voice recordings and operating logs or other
communication documentation. The annual test requirement is considered to be
met if the responsible entity implements the communications process in Part 1.2
for an actual event. (R3)
Response: Thank you for your comment. Please see response above.
Exelon
Yes
Why is the reference to R1.3 missing from EOP-004-2 Requirement R2?
R1.3 was associated with implementation in R3 which was removed from the
standard. DSR SDT has revised R2 to read as: “Each Responsible Entity shall
implement its event reporting Operating Plan for applicable events listed in EOP-004
Attachment 1, and in accordance with the timeframe specified in EOP-004
Attachment 1.”
Response: Thank you for your comment. Please see response above.
Pacific Northwest Small Public Power Utility Comment Group
Yes
Southwest Power Pool Regional Entity
Yes
BC Hydro
Yes
ZGlobal on behalf of City of Ukiah, Alameda Municipal Power, Salmen River Electric, City of Lodi
Yes
MRO NSRF
Yes
Western Electricity Coordinating Council
Yes
Imperial Irrigation District
Yes
Santee Cooper
Yes
Sacramento Municipal Utility District (SMUD)
Yes
SPP Standards Review Group
Yes
Dominion
Yes
FirstEnergy
Yes
PPL Electric Utilities and PPL Supply Organizations
Yes
Electric Compliance
Yes
PacifiCorp
Yes
Arizona Public Service Company
Yes
Salt River Project
Yes
Westar Energy
Yes
APX Power Markets (NCR11034)
Yes
Clallam County PUD No.1
Yes
ITC
Yes
Springfield Utility Board
Yes
Manitoba Hydro
Yes
Duke Energy
Yes
Liberty Electric Power
Yes
Public Utility District No. 1 of Snohomish County
Yes
South Carolina Electric and Gas
Yes
American Transmission Company, LLC
Yes
Nebraska Public Power District
Yes
Seattle City Light
Yes
PSEG
Yes
MidAmerican Energy
Yes
Georgia System Operations Corporation
Yes
FEUS
Yes
Lower Colorado River Authority
Yes
American Public Power Association
Yes
Northeast Utilities
Yes
City of Austin dba Austin Energy
Yes
Energy Northwest - Columbia
Yes
Electric Reliability Council of Texas, Inc.
Yes
R2 and R3 appear redundant.
Progress Energy
Los Angeles Department of Water and Power
Texas Reliability Entity
ReliabilityFirst
NRECA
Entergy Services
Thompson Coburn LLP on behalf of Miss. Delta Energy Agency
Southwestern Power Administration
3. The DSR SDT revised reporting times for many events listed in Attachment 1 from one hour to 24 hours. Do you agree with
these revisions? If not, please explain in the comment area below.
Summary Consideration: The DSR SDT appreciates the industry comments on the difficulty associated with reporting events that
impact reliability. However, the SDT desires to point out that it is not the objective of this standard to provide an analysis of the
event; but to provide the known facts of the events at the reporting threshold of one hour or 24 hours depending upon the type of
event. The SDT worked with the DOE and the NERC EAWG to develop reporting timelines consistent between the parties in an effort
to promote consistency and uniformity.
The SDT has not established any requirement for a final or follow up report. The obligation is to report the facts known at the time.
Once the report has been provided to the parties identified in the Operating Plan, no further action is required. All one hour
reporting timelines have been changed to 24 hours with the exception of a ‘Reportable Cyber Security Incident’. This is maintained
due to FERC Order 706, Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact appropriate government authorities and
industry participants in the event of a cyber security incident as soon as possible, but in any event, within one hour of the
event…”
For the remaining events, 24 hours should provide sufficient time to manage the incident in real-time before having to report, and is
consistent with current in-force standard EOP-004-1.
Organization
Yes or No
Question 3 Comment
Ameren Services
Negative
(6) By our count there are still six of the nineteen events listed with a one hour
reporting requirement and the rest are all within 24 hour after the occurrence (or
recognition of the event). This, in our opinion, is reporting in real-time, which is
against one of the key concepts listed in the background section: "The DSR SDT
wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in Attachment 1. Real-time reporting is
achieved through the RCIS and is covered in other standards (e.g. the TOP family of
standards). The proposed standard deals exclusively with after-the-fact reporting."
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
(7) We believe the earliest preliminary report required in this standard should be at the
close of the next business day. Operating Entities, such as the RC, BA, TOP, GOP, DP,
and LSE should not be burdened with unnecessary after-the-fact reporting while they
are addressing real-time operating conditions. Entities should have the ability to
allow their support staff to perform this function during the next business day as
needed. We acknowledge it would not be an undue burden to cc: NERC on other
required governmental reports with shorter reporting timeframes, but NERC should
not expand on this practice.
No preliminary report is required within the revised standard. Also, timelines have
been revised (Please see response to item (6) above).
(8) We agree with the extension in reporting times for events that now have 24 hours
of reporting time. As a GO there are still too many potential events that still require a
1 hour reporting time that is impractical, unrealistic and could lead to inappropriate
escalation of normal failures. For example, the sudden loss of several control room
display screens for a BES generator at 2 AM in the morning, with only 1 hour to
report something, might be mistakenly interpreted as a cyber-attack. The reality is
most likely something far more mundane such as the unexpected failure of an
instrument transformer, critical circuit board, etc.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
(9) The "EOP-004 Attachment 1: Events Table" is quite lengthy and written in a
manner that can be quite subjective in interpretation when determining if an event is
reportable. We believe this table should be clear and unambiguous for consistent
and repeatable application by both reliability entities and a CEA. The table should be
divided into sections such as:
(a) Events that affect the BES that are either clearly
sabotage or suspected sabotage after review by an entity's security department and
local/state/federal law enforcement.
(b) Events that pose a risk to the BES and that
clearly reach a defined threshold, such as load loss, generation loss, public appeal,
EEAs, etc. that entities are required to report by the end of the next business day.
(c) Other events that may prove valuable for lessons learned, but are less definitive than
required reporting events. These events should be reported voluntarily and not be
subject to a CEA for non-reporting.
(d) Events identified through other means outside
of entity reporting, but due to their nature, could benefit the industry by an event
report with lessons learned. Requests to report and perform analysis on these types
of events should be vetted through an ERO/Functional Entity process to ensure
resources provided to this effort have an effective reliability benefit.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system
phenomena are essential as they effectively translate the intent of CIP-001 into EOP-004.
(10) Any event reporting shall not in any manner replace or inhibit an Entity's
responsibility to coordinate with other Reliability Entities (such as the RC, TOP, BA,
GOP as appropriate) as required by other Standards, and good utility practice to
operate the electric system in a safe and reliable manner.
The DSR SDT agrees and believes the revised reporting timelines support that
concept.
(11) The 1 hour reporting maximum time limit for all GO events in Attachment 1
should be lengthened to something reasonable - at least 24 hours. Operators in our
energy centers are well-trained and if they have good reason to suspect an event
that might have serious impact on the BES will contact the TOP quickly. However,
constantly reporting events that turn out to have no serious BES impact and were
only reported for fear of a violation or self-report will quickly result in a cry wolf
syndrome and a great waste of resources and risk to the GO and the BES. The risk to
the GO will be potential fines, and the risk to the BES will be ignoring events that
truly have an impact on the BES.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
(12) The 2nd and 3rd Events on Attachment 1 should be reworded so they do not use
terms that may have been deleted from the NERC Glossary by the time FERC
approves this Standard.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
(13) The terms “destruction” and “damage” are key to identifying reportable events.
Neither has been defined in the Standard. The term destruction is usually defined as
100% unusable. However, the term damage can be anywhere from 1% to 99%
unusable and take anywhere from 5 minutes to 5 months to repair. How will we
know what the SDT intended, or an auditor will expect, without additional
information?
The ‘Damage or Destruction’ event category has been revised to say ‘ …to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
(14) We also do not understand why “destruction of BES equipment” (first item
Attachment 1, first page) must be reported < 1 hour, but “system separation
(islanding) > 100 MW” (Attachment 1, page 3) does not need to be reported for 24
hours.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
(15) The first 2 Events in Attachment 1 list criteria Threshold for Reporting as
“...operational error, equipment failure, external cause, or intentional or
unintentional human action.” The term “intentional or unintentional human action”
appears to cover “operational error” so these terms appear redundant and create
risk of misreporting. Can this be clarified?
The second event has been deleted and the language has been clarified in the
‘Threshold for Reporting’ column in the ‘Damage or Destruction’ event category. The
updated Threshold for Reporting now reads as:
“Damage or destruction of a Facility that:
• Affects an IROL (per FAC-014)
OR
• Results in the need for actions to avoid an Adverse Reliability Impact
OR
• Results from intentional human action.”
(16) The footnote of the first page of Attachment 1 includes the explanation “...ii)
Significantly affects the reliability margin of the system...” However, the GO is
prevented from seeing the system and has no idea what BES equipment can affect
the reliability margin of the system. Can this be clarified by the SDT?
The footnote has been deleted and relevant information moved to the ‘Threshold for
Reporting’ column in the ‘Damage or Destruction’ event category.
(17) The use of the term “BES equipment” is problematic for a GO. NERC Team 2010-17
(BES Definition) has told the industry its next work phase will include identify
The term “BES equipment” is no longer used. The ‘Damage or Destruction’ event
category has been revised to say ‘to a Facility’, (a defined term) and thresholds have
been modified to provide clarity.
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
Response: Thank you for your comment. Please see response above.
Beaches Energy Services, City
of Green Cove Springs
Negative
3. Att. 1, going from 1 to 24 hrs: The times don’t seem aggressive enough for some of
the Events related to generation capacity shortages, e.g., we would think public
appeal, system wide voltage reduction and manual firm load shedding ought to be
within an hour. These are indicators that the BES is “on the edge” and to help BES
reliability, communication of this status is important to Interconnection-wide
reliability.
This standard concerns after-the-fact reporting. It is assumed that Responsible
Entities will make appropriate real-time notifications as per other applicable
standards, operating agreements, and good utility practice. This standard does not
preclude a Responsible Entity from reporting more quickly than required by
Attachment 1.
4. The Rules of Procedure language for data retention (first paragraph of the
Evidence Retention section) should not be included in the standard, but instead
referred to within the standard (e.g., “Refer to Rules of Procedure, Appendix 4C:
Compliance Monitoring and Enforcement Program, Section 3.1.4.2 for more
retention requirements”) so that changes to the RoP do not necessitate changes to
the standard.
The DSR SDT believes that although the evidence retention language is the same as
the current RoP, it is not specifically linked, so changes to the RoP will not necessitate
changes to the standard.
In R4, it might be worth clarifying that, in this case, implementation of the plan for an
event that does not meet the criteria of Attachment 1 and going beyond the
requirements R2 and R3 could be used as evidence. Consider adding a phrase as such
to M4, or a descriptive footnote that in this case, “actual event” may not be limited
to those in Attachment 1.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to read:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Comments to Attachment 1 table: On “Damage or destruction of Critical Asset” and
“... Critical Cyber Asset”, Version 5 of the CIP standards is moving away from the
binary critical/non-critical paradigm to a high/medium/low risk paradigm. Suggest
adding description that if version 5 is approved by FERC, that “critical” would be
replaced with “high or medium risk”, or include changing this standard to the scope
of the CIP SDT, or consider posting multiple versions of this standard depending on
the outcome of CIP v5 in a similar fashion to how FAC-003 was posted as part of the
GO/TO effort of Project 2010-07.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
On “forced intrusion”, the phrase “at BES facility” is open to interpretation as “BES
Facility” (e.g., controversy surrounding CAN-0016) which would exclude control
centers and other critical/high/medium cyber system Physical Security Perimeters
(PSPs). We suggest changing this to “BES Facility or the PSP or Defined Physical
Boundary of critical/high/medium cyber assets”. This change would cause a change
to the applicability of this reportable event to coincide with CIP standard
applicability. On “Risk to BES equipment”, that phrase is open to too wide a range of
interpretation; we suggest adding the word “imminent” in front of it, i.e., “Imminent
risk to BES equipment”. For instance, heavy thermal loading puts equipment at risk,
but not imminent risk. Also, “non-environmental” used as the threshold criteria is
ambiguous. For instance, the example in the footnote, if the BES equipment is near
railroad tracks, then trains getting derailed can be interpreted as part of that BES
equipment’s “environment”, defined in Webster’s as “the circumstances, objects, or
conditions by which one is surrounded”. It seems that the SDT really means “non-weather related”, or “Not risks due to Acts of Nature”.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
On “public appeal”, in the threshold, the descriptor “each” should be deleted, e.g., if
a single event causes an entity to be short of capacity, do you really want that entity
reporting each time they issue an appeal via different types of media, e.g., radio, TV,
etc., or for a repeat appeal every several minutes for the same event?
To clarify your point, the threshold has been changed to ‘Public appeal or load
reduction event’.
Should LSE be an applicable entity to “loss of firm load”? As proposed, the DP is but
the LSE is not. In an RTO market, will a DP know what is firm and what is non-firm
load? Suggest eliminating DP from the applicability of “system separation”. The
system separation we care about is separation of one part of the BES from another
which would not involve a DP.
The DSR SDT believes the current applicability is correct and the threshold provides
sufficient discrimination to drive the proper Applicable Entities to report.
On “Unplanned Control Center Evacuation”, CIP v5 might add GOP to the
applicability, another reason to add revision of EOP-004-2 to the scope of the CIP v5
drafting team, or in other ways coordinate this SDT with that SDT. Consider posting a
couple of versions of the standard depending on the outcome of CIP v5 in a similar
fashion to the multiple versions of FAC-003 posted with the GO/TO effort of Project
2010-07.
The DSR SDT believes the current applicability is correct. The ‘Damage or Destruction’
events specifically relating to Critical Assets and Critical Cyber Assets were removed
from Attachment 1, as these events are adequately addressed through the CIP-008
and ‘Damage or Destruction of a Facility’ reporting thresholds. Note that EOP-008-0
is only Applicable to Balancing Authorities, Transmission Operators and Reliability
Coordinators; this is the basis for the “Entity with reporting Responsibilities” and
reads as: “Each RC, BA, TOP that experiences the event”.
Response: Thank you for your comment. Please see response above.
Arkansas Electric Cooperative
Corporation
Negative
AECC appreciates the efforts of the SDT to address our comments from the previous
posting and feels the Standards have shown great improvement in the current
posting. Our negative vote stems from concerns around the 1 hour reporting
requirements for events having no size thresholds and ambiguity for external entity
reporting in R1.3. Please refer to the comments submitted by the SPP Standards
Review Group.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
PowerSouth Energy Cooperative
Negative
Attachment 1 needs to be eliminated. It is confusing to operators and doesn't
enhance the reliability of the BES.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
Clark Public Utilities
Negative
Attachment 1 provides confusion not clarification. Just use the OE-417 reporting
form for any and all events identified in that form for any one-hour or six-hour
reporting. Utilities are required by law to provide the DOE notification and the SDT
has just confused the situation by attempting (as it appears) to rename the one-hour
reporting events. In some instances, Attachment 1 contradicts the DOE reporting.
Public appeals for load reduction are required within 24 hours (according to the
Events Table) but OE-417 requires such public appeals to be reported within one
hour.
Clark recommends the Events Table show first the one hour reporting of OE-417,
then the six hour reporting of OE-417, and finally any additional reporting that is
desired but not reportable to DOE. This will help in not confusing seemingly related
events. The table should indicate which form is to be used and should mandate Form
OE-417 for all DOE reportable events and the Attachment 2: Event Reporting Form
for all reportable events not subject to the DOE reporting requirements.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Clark questions whether the event labeled Forced Intrusion really needs to be
reported in one hour. It can take several hours to determine if a forced entry actually
occurred. Clark is also unsure if reporting forced intrusions at these facilities (if no
other disturbance occurs) will provide any information useful in preventing system
disturbances but believes this event should be changed to a 24 hour notification.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
The event labeled Detection of a reportable Cyber Security Incident should have the
Entity with Reporting Responsibility changed to the following: “Applicable Entities
under CIP-008.” The Threshold for Reporting on this event is based on the criteria in
CIP-008. If an entity is not an applicable entity under CIP-008, it should not have a
reporting requirement based on CIP-008 that appears in EOP-004.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
City of Farmington
Negative
Attachment 1: BES equipment is too vague - consider changing to BES facility and
including that reduces the reliability of the BES in the footnote. Is the footnote an
and or an or?
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
Attachment 1: Version 5 of CIP Requirements the use of the terms Critical Asset and
Critical Cyber Asset. The drafting team should consider revising the table to be
flexible so it will not require modification when new versions of CIP become
effective. Clarify if Damage or Destruction is physical damage (aka - cyber incidents
would be part of CIP-008 covered separately in Attachment 1.)
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Attachment 1: Unplanned Control Center evacuation - remove “potential” from the
reporting responsibility Attachment 1:
The ‘potential’ language has been removed. The threshold for Reporting now reads
as: “Each RC, BA, TOP that experiences the event”.
SOL Tv - is not defined.
The SOL Violation (WECC only) event has been revised to remove Tv and replace it
with “30 minutes” to be consistent with TOP-007-WECC requirements. The event has
also been revised to indicate an SOL associated with a Major WECC transfer path.
Attachment 2 - 3: change to, “Did the event originate in your system?” The
requirement only requires reporting for Events - not potential events. This implies if
there is potential for an event to occur, the entity should report (potential of a public
appeal or potential to shed firm load)
The ‘actual or potential’ language has been removed.
Attachment 2 4: “Damage or Destruction to BES equipment” should be “Destruction
of BES Equipment” like it is in Attachment 1 and “forced intrusion risk to BES
equipment” remove “risk”
The ‘Damage or Destruction’ event category has been revised to say ‘…to a Facility’,
(a defined term) and thresholds have been modified to provide clarity. Also, the
reporting timeline is now 24 hours.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
The OE-417 requires several of the events listed in Attachment 1 be reported within
1 hour. FEUS recommends the drafting team review the events and the OE-417 form
and align the reporting window requirements. For example, public appeals, load
shedding, and system separation have a 1 hour requirement in OE-417.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
Wisconsin Public Service Corp.
Negative
EOP-004 Attachment 1 states: That any Damage or destruction of a Critical Cyber
Asset per CIP-002 Applicable Entities under CIP-002 Through intentional or
unintentional human action. Requires reporting in 1 hour of recognition of event.
This is too low of a threshold for reporting. Unintentional damage could be caused by
an individual spilling coffee on a laptop. Hardly the item for a report.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
ACES Power Marketing,
Hoosier Energy Rural Electric
Cooperative, Inc., Sunflower
Electric Power Corporation,
Great River Energy
Negative
For many of the events listed in Attachment 1, there would be duplicate reporting
the way it is written right now. For example, in the case of a fire in a substation
(Destruction of BES equipment), the RC, BA, TO, TOP and perhaps the GO and GOP
could all experience the event and each would have to report on it. This seems quite
excessive and redundant. We recommend eliminating this duplicate reporting.
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
Response: Thank you for your comment. Please see response above.
Consumers Energy
Negative
Forced intrusion needs to be specifically defined. A 1-hour report requirement is not
necessary but for critical events that would have wide-ranging impact.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Requirements 2 and 3 should be combined into a single requirement.
The DSR SDT deleted Requirement R2 based on stakeholder comments and revised R3
(now R2) to:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan
for applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Response: Thank you for your comment. Please see response above.
MidAmerican Energy Co.
Negative
MidAmerican Energy believes Attachment 1 expands the scope of what must be
reported beyond what is required by FERC directives and beyond what is needed to
improve security of the BES. Based on our understanding of Attachment 1, the
category of “damage or destruction of a critical cyber asset” will likely result in
hundreds or thousands of small equipment failures being reported to NERC and DOE,
with no improvement to security. For example, hard drive failures, server failures,
PLC failures and relay failures could all meet the criteria of “damage or destruction of
a critical cyber asset.” which would be required reporting in 1 hour.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
EOP-004-2 needs to clearly state that initial reports can be made by a phone call,
email or another method, in accordance with paragraph 674 of FERC Order 706.
MidAmerican recommends replacing Attachment 1 and Attachment 2 with the
categories and timeframes that are listed in OE-417. This eliminates confusion
between government requirements in OE-417 and NERC standards.
Attachment 1 provides the flexibility to make a verbal report. The header of
Attachment 1 states:
“NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may
not be possible to report the damage caused by an event and issue a written Event
Report within the timing in the table below. In such cases, the affected Responsible
Entity shall notify parties per R1 and provide as much information as is available at the
time of the notification. Reports to the ERO should be submitted to one of the
following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.”
Attachment 2 provides the flexibility to make a verbal report. The header of
Attachment 2 states:
“This form is to be used to report events. The Electric Reliability Organization and the
Responsible Entity’s Reliability Coordinator will accept the DOE OE-417 form in lieu of
this form if the entity is required to submit an OE-417 report. Reports to the ERO
should be submitted via one of the following: e-mail: esisac@nerc.com, Facsimile:
609-452-9550, voice: 609-452-1422.”
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
MidAmerican Energy Co.
Negative
MidAmerican Energy believes Attachment 1 expands the scope of what must be
reported beyond what is required by FERC directives and beyond what is needed to
improve security of the BES. EOP-004-2 needs to clearly state that initial reports can
be made by a phone call, email or another method, in accordance with paragraph
674 of FERC Order 706. MidAmerican recommends replacing Attachment 1 and
Attachment 2 with the categories and timeframes that are listed in OE-417. This
eliminates confusion between government requirements in OE-417 and NERC
standards.
Attachment 1 provides the flexibility to make a verbal report. The header of
Attachment 1 states:
“NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may
not be possible to report the damage caused by an event and issue a written Event
Report within the timing in the table below. In such cases, the affected Responsible
Entity shall notify parties per R1 and provide as much information as is available at the
time of the notification. Reports to the ERO should be submitted to one of the
following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.”
Attachment 2 provides the flexibility to make a verbal report. The header of
Attachment 2 states:
“This form is to be used to report events. The Electric Reliability Organization and the
Responsible Entity’s Reliability Coordinator will accept the DOE OE-417 form in lieu of
this form if the entity is required to submit an OE-417 report. Reports to the ERO
should be submitted via one of the following: e-mail: esisac@nerc.com, Facsimile:
609-452-9550, voice: 609-452-1422.”
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
Seattle City Light
Negative
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting
efforts related to both the proposed Bulk Electric System ("BES") definition changes,
as well as the CIP standards Version 5, could significantly impact the EOP-004-2
reporting requirements. Caution needs to be exercised when referencing these
definitions, as the definitions of a BES element could change significantly and Critical
Assets may no longer exist. As it relates to the proposed reporting criteria, it is
debatable as to whether or not the destruction of, for example, one relay would be a
reportable incident under this definition going forward given the current drafting
team efforts.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Related to “Reportable Events” of Attachment 1: 1. A reportable event is stated as,
“Risk to the BES”, the threshold for reporting is, “From a non-environmental physical
threat”. This appears to be a catch-all event, and basically every other event in
Attachment 1 should be reported because it is a risk to the BES. Due to the
subjectivity of this event, suggest removing it from the list.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
2. A reportable event is stated as, “Damage or destruction of Critical Asset per CIP-002”. The term “Damage” would have to be defined in order for an entity to
determine a threshold for what qualifies as “Damage” to a CA. One could argue that
normal “Damage” can occur on a CA that is not necessary to report. There should also
be caution here in adding CIP interpretation within this standard. Reporting
Thresholds 1.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
The SDT made attempts to limit nuisance reporting related to copper thefts and so
on which is supported. However a number of the thresholds identified in EOP-004-2
Attachment 1 are very low and could congest the reporting process with nuisance
reporting and reviewing. An example is the “BES Emergency requiring manual firm
load shedding of greater than or equal to 100 MW or the Loss of Firm load for ≥ 15
Minutes that is greater than or equal to 200 MW (300 MW if the manual demand is
greater than 3000 MW). In many cases these low thresholds represent reporting of
minor wind events or other seasonal system issues on Local Network used to provide
distribution service.
These thresholds reflect those used in the current in-force EOP-004-1, and haven’t
congested the reporting process to date.
Firm Demand 1. The use of Firm Demand in the context of the draft Standards could
be used to describe commercial arrangements with a customer rather than a
reliability issue. Clarification of Firm Demand would be helpful
The DSR SDT did not use the words ‘Firm Demand’ anywhere in the proposed
standard.
Response: Thank you for your comment. Please see response above.
Constellation Energy;
Constellation Energy
Commodities Group;
Constellation Power Source
Generation, Inc.
Negative
Please see the comments offered in the concurrent comment form. While
Constellation is voting negative on this ballot, we recognize the progress made by
the drafting team and find the proposal very close to acceptable. It should be noted
that our negative vote is due to remaining concerns with the Attachment 1: Event
Table categories language. In the comment form Constellation proposes revisions to
both the requirement language and to the Event Table language; however, the Event
Table language is the greater hurdle
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Salt River Project
Negative
Related to “Reportable Events” of Attachment 1: 1. A reportable event is stated as,
“Risk to the BES”, the threshold for reporting is, “From a non-environmental physical
threat”. This appears to be a catch-all event, and basically every other event
should be reported because it is a risk to the BES. Due to the subjectivity of this
event, suggest removing it from the list.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
2. A reportable event is stated as, “Damage or destruction of Critical Asset per CIP-002”. The term “Damage” would have to be defined in order for an entity to
determine a threshold for what qualifies as “Damage” to a CA. One could argue that
normal “Damage” can occur on a CA that is not necessary to report. There should
also be caution here in adding CIP interpretation within this standard.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
Southern California Edison Co.
Negative
SCE and WECC are in agreement on one key point (removing the requirement to
determine if an act was "sabotage"), however, I continue to believe SCE will find the
one-hour reporting requirement difficult to manage.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
City of Redding
Negative
The following comments are directed toward Attachment 1: We commend the SDT
for properly addressing the sabotage issue. However, additional confusion is caused
by introducing the term "damage". As “damage” is not a defined term it would be
beneficial for the drafting team to provide clarification for what is meant by
“damage”.
The ‘Damage or Destruction’ event category has been revised to say ‘…to a Facility’,
(a defined term) and thresholds have been modified to provide clarity. Also, the
reporting timeline is now 24 hours.
The threshold for reporting “Each public Appeal for load reduction” should clearly
state the triggering is for the BES Emergency as routine “public appeal" for
conservation could be considered a threshold for the report triggering.
The DSR SDT believes the current language of the event category ‘BES Emergency...’
clearly excludes routine conservation requests. The Threshold for Reporting has been
updated to read as: “Public appeal for load reduction event”.
Regarding the SOL violations in Attachment 1 the SOL violations should only be those
that affect the WECC Paths.
The SOL Violation (WECC only) event has been revised to remove Tv and replace it
with “30 minutes” to be consistent with TOP-007-WECC requirements. The event is
now “SOL for Major WECC Transfer Paths (WECC only)”.
Response: Thank you for your comment. Please see response above.
Avista Corp.
Negative
The VSLs associated with not reporting in an hour for some of the events
(Destruction of BES Equipment) is too severe. Operators need to be able to deal with
events and not worry about reporting until the system is secure. Back office
personnel are only available 40-50 hours per week, so the reporting burden falls on
the Operator.
The DSR SDT believes the VSL is appropriate for the only remaining 1 hour event.
Response: Thank you for your comment. Please see response above.
Avista Corp.
Negative
There is definitely a need to communicate and report out system events to NERC,
RCs, and adjacent utilities. However, this new standard has gone too far with regards
to reporting of certain events within a 1 hour timeframe and the associated VSLs for
going beyond the hour time period. Operators need to be able to deal with the
system events and not worry about reporting out for the “Destruction of BES
equipment” (first row in Attachment 1 - Reportable Events). Operators only have 40-50 hours out of 168 hours in a week where supporting personnel are also on shift, so
this reporting burden will usually fall on the Operators not back office support. Again
this is another example of the documentation requirements of a standard being
more important than actually operating the system.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
The “Destruction of BES equipment” event is too ambiguous and will lead to
interpretations by auditors to determine violations. The ambiguity will also lead to
the reporting of all BES equipment outages to avoid potential violations of the
standard. It usually takes more than an hour to determine the cause and extent of an
outage.
The ‘Damage or Destruction’ event category has been revised to say ‘…to a Facility’,
(a defined term) and thresholds have been modified to provide clarity. Also, the
reporting timeline is now 24 hours.
Response: Thank you for your comment. Please see response above.
National Association of
Regulatory Utility
Commissioners
Negative
The requirement that any event with the potential to impact reliability be reported is
overly broad and requires more focus.
‘Forced intrusion’ and ‘Risk to BES Equipment’ (which this footnote referenced) have
been combined under a new event type called ‘A physical threat that could impact
the operability of a Facility’. Using judgment is unavoidable for this type of event. This
language was chosen because the Responsible Entity is in the best position to exercise
this judgment and determine whether or not an event poses a threat to its Facilities.
The DSR SDT believes this revised event type will minimize administrative burden and
ensure that events meaningful to industry awareness are reported. Note that the
reporting timeline (now revised to 24 hours) starts when the situation has been
determined as a threat, not when it may have first occurred.
Response: Thank you for your comment. Please see response above.
Alameda Municipal Power,
Salmon River Electric
Cooperative
Negative
We feel that the drafting team has done an excellent job of providing clarity and
reasonable reporting requirements to the right functional entity. We support the
modifications but would like to have two additional minor modifications in order to
provide additional clarification to the Attachment I Event Table. We suggest the
following clarifications: For the Event: BES Emergency resulting in automatic firm
load shedding Modify the Entity with Reporting Responsibility to: Each DP or TOP
that experiences the automatic load shedding within their respective distribution
serving or Transmission Operating area.
The DSR SDT believes the current language is sufficient and cannot envision how a
BA, TOP, or DP could ‘experience the automatic load shedding’ if it didn’t take place
in its balancing, transmission operating, or distribution serving area.
For the Event: Loss of Firm load for ≥ 15 Minutes Modify the Entity with Reporting
Responsibility to: Each BA, TOP, DP that experiences the loss of firm load within their
respective balancing, Transmission operating, or distribution serving area. With
these modifications or similar modifications we fully support the proposed Standard.
The DSR SDT believes the current language is sufficient and cannot envision how a
BA, TOP, or DP could ‘experience the loss of firm load’ if it didn’t take place in its
balancing, transmission operating, or distribution serving area.
Response: Thank you for your comment. Please see response above.
Orange and Rockland Utilities,
Inc.
No
o Generally speaking the SDT should work with the NERC team drafting the Events
Analysis Process (EAP) to ensure that the reporting events align and use the same
descriptive language.
o EOP-004 should use the exact same events as OE-417.
These could be considered a baseline set of reportable events. If the SDT believes
that there is justification to add additional reporting events beyond those identified
in OE-417, then the event table could be expanded.
o If the list of reportable
events is expanded beyond the OE-417 event list, the supplemental events should be
the same in both EOP-004-2 and in the EAP Categories 1 through 5.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
•
EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
•
OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
•
NERC has no control over the criteria in OE-417, which can change at any time
•
Reports made under EOP-004 provide a minimum set of information, which may
110
Organization
Yes or No
Question 3 Comment
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004.
o It is not clear what the difference is between a footnote and “Threshold for
Reporting”. All information should be included in the body of the table, there should
be no footnotes.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
o Event: “Risk to BES equipment” should be deleted. This is too vague and
subjective. Will result in many “prove the negative” situations.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
o Event: “Destruction of BES equipment” is again too vague. The footnote refers
to equipment being “damaged or destroyed”. There is a major difference between
destruction and damage.
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
o Event: “Damage or Destruction of a Critical Asset or Critical Cyber Asset” should
be deleted. Disclosure policies regarding sensitive information could limit an entity’s
ability to report. Unintentional damage to a CCA does not warrant a report.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
o Event: “BES Emergency requiring public appeal for load reduction” should be
modified to note that this does not apply to routine requests for customer
conservation during high load periods
The DSR SDT believes the current language of the event category ‘BES Emergency...’
clearly excludes routine conservation requests.
Response: Thank you for your comment. Please see response above.
Ameren
No
(1) By our count there are still six of the nineteen events listed with a one hour
reporting requirement and the rest are all within 24 hours after the occurrence (or
recognition of the event). This in our opinion, is reporting in real-time, which is
against one of the key concepts listed in the background section: "The DSR SDT
wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in Attachment 1. Real-time reporting is
achieved through the RCIS and is covered in other standards (e.g. the TOP family of
standards). The proposed standard deals exclusively with after-the-fact reporting."
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
(2) We believe the earliest preliminary report required in this standard should be at the
close of the next business day. Operating Entities, such as the RC, BA, TOP, GOP, DP,
and LSE should not be burdened with unnecessary after-the-fact reporting while they
are addressing real-time operating conditions. Entities should have the ability to
allow their support staff to perform this function during the next business day as
needed. We acknowledge it would not be an undue burden to cc: NERC on other
required governmental reports with shorter reporting timeframes, but NERC should
not expand on this practice.
No preliminary report is required within the revised standard.
(3) We agree with the extension in reporting times for events that now have 24 hours
of reporting time. As a GO there are still too many potential events that still require
a 1 hour reporting time that is impractical, unrealistic and could lead to
inappropriate escalation of normal failures. For example, the sudden loss of several
control room display screens for a BES generator at 2 AM in the morning, with only 1
hour to report something, might be mistakenly interpreted as a cyber-attack. The
reality is most likely something far more mundane such as the unexpected failure of
an instrument transformer, critical circuit board, etc.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Duke Energy
No
All events in Attachment 1 should have reporting times of no less than 24 hours. As
stated on page 6 of the current draft of the standard: “The DSR SDT wishes to make
clear that the proposed Standard does not include any real-time operating
notifications for the events listed in Attachment 1. Real-time reporting is achieved
through the RCIS and is covered in other standards (e.g. the TOP family of standards).
The proposed standard deals exclusively with after-the-fact reporting.” We maintain
that a report which is required to be made within one hour after an event is, in fact,
a real time report. In the first hour or even several hours after an event the operator
may appropriately still be totally committed to restoring service or returning to a
stable bulk power system state, and should not stop that recovery activity in order to
make this “after-the-fact” report.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
American Public Power
Association
No
APPA echoes the comments made by Central Lincoln: We do not believe the SDT has
adequately addressed the FERC Order to “Consider whether separate, less
burdensome requirements for smaller entities may be appropriate.” The one and 24
hour reporting requirements continue to be burdensome to the smaller entities that
do not maintain 24/7 dispatch centers. The one hour reporting requirement means
that an untimely “recognition” starts the clock and reporting will become a higher
priority than restoration. The note regarding adverse conditions does not help unless
we were to consider the very lack of 24/7 dispatch to be such a condition. APPA
recommends the SDT evaluate a less burdensome requirement for smaller entities
with reporting requirements in Attachment 1. This exception needs to address the
fact that not all entities have 24 hour 7 day a week operating personnel.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
The DSR SDT believes that reliability is best served by imposing reporting criteria based
on impact to the BES rather than an arbitrary entity size threshold. With these latest
revisions, all the proposed event categories provide thresholds that will capture the
appropriate entities and provide a manageable timeframe.
However, APPA cautions the SDT that changes to this standard may expose entities
to reporting violations on DOE-OE-417 which imposes civil and criminal penalties on
reporting events to the Department of Energy. APPA recommends that the SDT
reach out to DOE for clarification of reporting requirements for DOE-OE-417 for small
entities, asking DOE to change their reporting requirement to match EOP-004-2. If
DOE cannot change their reporting requirement the SDT should provide an
explanation in the guidance section of Reliability Standard EOP-004-2 that addresses
these competing FERC/DOE directives.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
BC Hydro
No
As an event would be verbally reported to the RC, all the one hour requirements to
submit a written report should be moved from one hour to 24 hours.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Bonneville Power
Administration
No
BPA believes that the first three elements in Attachment 1 are too generic and
should be with only the intentional human criterion. The suspicious device needs to
be determined as a threat (and not left behind tools) before requiring a report.
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity. These thresholds
include intentional human action as well as impact-based for those cases when cause
isn’t known. The determination of a threat as you suggest is now part of the revised
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
Response: Thank you for your comment. Please see response above.
CenterPoint Energy
No
CenterPoint Energy agrees with the revision that allows more time for reporting
some events; however, some 1 hour requirements remain. The Company does not
agree with this timeframe for any event.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Consolidated Edison Co. of
NY, Inc.
No
Comments: We have a number of comments on Attachment 1 and will make them
here:
o Generally speaking the SDT should work with the NERC team drafting the
Events Analysis Process (EAP) to ensure that the reporting events align and use the
same descriptive language.
o EOP-004 should use the exact same events as OE-417.
These could be considered a baseline set of reportable events. If the SDT believes
that there is justification to add additional reporting events beyond those identified
in OE-417, then the event table could be expanded.
o If the list of reportable events is expanded beyond the OE-417 event list, the
supplemental events should be the same in both EOP-004-2 and in the EAP
Categories 1 through 5.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004.
o It is not clear what the difference is between a footnote and “Threshold for
Reporting”. All information should be included in the body of the table, there should
be no footnotes.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘Any
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
o Event: “Risk to BES equipment” should be deleted. This is too vague and
subjective. Will result in many “prove the negative” situations.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
o Event: “Destruction of BES equipment” is again too vague. The footnote refers to
equipment being “damaged or destroyed”. There is a major difference between
destruction and damage.
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
o Event: “Damage or Destruction of a Critical Asset or Critical Cyber Asset” should be
deleted. Disclosure policies regarding sensitive information could limit an entity’s
ability to report. Unintentional damage to a CCA does not warrant a report.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
o Event: “BES Emergency requiring public appeal for load reduction” should be
modified to note that this does not apply to routine requests for customer
conservation during high load periods.
The DSR SDT believes the current language ‘BES Emergency...’ clearly excludes
routine conservation requests.
Response: Thank you for your comment. Please see response above.
Electric Reliability Council of
Texas, Inc.
No
Destruction of BES equipment: 1. Request that the term “destruction” be clarified.
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
Damage or destruction of Critical Asset per CIP-002: 1. Request that the terms
“damage” and “destruction” be clarified. 2. Is the expectation that an entity report
each individual device or system equipment failure or each mistake made by
someone administering a system?
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
3. Request that “initial indication of the event” be changed to “confirmation of the
event”. Event monitoring and management systems may receive many events that
are determined to be harmless and put the entity at no risk. This can only be
determined after analysis of the associated events is performed.
The ‘initial indication of the event’ is no longer part of the threshold for ‘Damage or
Destruction of a Facility’
Risk to BES equipment: Request that the terms “risk” be clarified.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
Response: Thank you for your comment. Please see response above.
Exelon
No
Due to the size of the service territories in ComEd and PECO it’s difficult to get to
some of the stations within an hour to analyze an event which causes concern
with the 1 hour criteria. It is conceivable that the evaluation of an event could take
longer than one hour to determine if it is reportable. Exelon cannot support this
version of the standard until the 1 hour reporting criteria is clarified so that the
reporting requirements are reasonable and obtainable. Exelon has concerns about
the existing 1 hour reporting requirements and feels that additional guidance and
verbiage is required for clarification. We would like a better understanding when the
1 hour clock starts please consider using the following clarifying statement, in the
statements that read, “recognition of events” please consider replacing the word
“recognition” with the word “confirmation” as in a “confirmed event”
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Energy Northwest - Columbia
No
Energy Northwest - Columbia (ENWC) has concerns about the existing 1 hour
reporting requirements and feels that additional guidance and verbiage is required
for clarification. ENWC would like the word "recognition" in the statement that
reads, "recognition of events," be replaced by "confirmation" as in "confirmed
event." Also, we would like clarification as to when the 1 hour clock starts. Please
consider changing recognition in "within 1 hour of recognition of event" and
incorporating in "confirmation."
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
Indiana Municipal Power
Agency
No
IMPA believes that some of the times may not be aggressive enough that are
related to generation capacity shortages.
This standard concerns after-the-fact reporting. It is assumed that Responsible
Entities will make appropriate real-time notifications as per other applicable
standards, operating agreements, and good utility practice. This standard does not
preclude a Responsible Entity from reporting more quickly than required by
Attachment 1.
In addition, IMPA believes clarity needs to be added when saying within 1 hour of
recognition of event. For example, a fence cutting may not be discovered for days at
a remote substation and then a determination has to be made if it was “forced
intrusion” - Does that one hour apply once the determination is made that it was
“forced intrusion” or from the time the discovery was made? Some of the 1 hour
time limits can be expanded to allow for more time, such as forced intrusion,
destruction of BES equipment, Risk to BES equipment, etc.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘Any physical threat that could impact the operability of a Facility’.
Timelines start at the moment the Responsible Entity determines the event
represents a threat, not when it first occurred.
Response: Thank you for your comment. Please see response above.
Luminant Power
No
Luminant agrees with the changes the SDT made, however, the timeline should be
modified to put higher priority activities before reporting requirements. The SDT
should consider allowing entities the ability to put the safety of personnel, safety of
the equipment, and possibly the stabilization of BES equipment efforts prior to
initiating the one hour reporting timeline. Reporting requirements should not be
prioritized above these important activities. The requirement to report one hour
after the recognition of such an event may not be sufficient in all instances. Entities
should not have a potential violation as a result of putting these priority issues first
and not meeting the one hour reporting timeline.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
Actions taken to maintain the reliability of the BES in real-time always take
precedence over reporting. The revised thresholds should ensure there is no perverse
driver to act differently.
Response: Thank you for your comment. Please see response above.
MidAmerican Energy
No
MidAmerican Energy agrees with the direction of consolidating CIP-001, EOP-004 and
portions of CIP-008. However, we have concerns with some of the events included in
Attachment 1 and reporting timelines. EOP-004-2 needs to clearly state that initial
reports can be made by a phone call, email or another method, in accordance with
paragraph 674 of FERC Order 706.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report. Also, Attachment 1 provides the
flexibility to make a verbal report under adverse conditions.
MidAmerican Energy believes draft Attachment 1 expands the scope of what must
be reported beyond what is required by FERC directives and beyond what is needed
to improve security of the BES. Based on our understanding of Attachment 1, the
category of “damage or destruction of a critical cyber asset” will result in hundreds
or thousands of small equipment failures being reported to NERC and DOE, with no
improvement to security. For example, hard drive failures, server failures, PLC
failures and relay failures could all meet the criteria of “damage or destruction of a
critical cyber asset.”
The DSR SDT agrees and the ‘Damage or Destruction’ events specifically relating to
Critical Assets and Critical Cyber Assets were removed from Attachment 1, as these
events are adequately addressed through the CIP-008 and ‘Damage or Destruction of
a Facility’ reporting thresholds.
We recommend replacing Attachment 1 and Attachment 2 with the categories and
timeframes that are listed in OE-417. This eliminates confusion between government
requirements in OE-417 and NERC standards.
OE-417, as well as the EAWG’s requirements, were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004.
Reporting timelines and reporting form: FERC Order 706, paragraph 676, directed
NERC to require a responsible entity to “at a minimum, notify the ESISAC and
appropriate government authorities of a cyber security incident as soon as possible,
but, in any event, within one hour of the event, even if it is a preliminary report.” In
paragraph 674, FERC stated that the Commission agrees that, in the “aftermath of a
cyber attack, restoring the system is the utmost priority.” They clarified: “the
responsible entity does not need to initially send a full report of the incident...To
report to appropriate government authorities and industry participants within one
hour, it would be sufficient to simply communicate a preliminary report, including
the time and nature of the incident and whatever useful preliminary information is
available at the time. This could be accomplished by a phone call or another
method.” While FERC did not order completion of a full report within one hour in
Order 706, the draft EOP-004 Attachment 1 appears to require submittal of formal
reports within one hour for six of the categories, unless there have been “certain
adverse conditions” (in which case, as much information as is available must be
submitted at the time of notification).
It is assumed that Responsible Entities will make appropriate real-time notifications
as per other applicable standards, operating agreements, and good utility practice.
As stated above, all one hour reporting timelines have been changed to 24 hours with
the exception of a ‘Reportable Cyber Security Incident’. This is maintained due to
FERC Order 706, Paragraph 673. For the remaining events, 24 hours should provide
sufficient time to manage the incident in real-time before having to report. Also,
Attachment 1 provides the flexibility to make a verbal report under adverse
conditions, which would certainly include the aftermath of a cyber attack that had
major impact on the BES.
The Violation Severity Levels are extreme for late submittal of a report. For example,
it would be a severe violation to submit a report more than three hours following an
event for an event requiring reporting in one hour.
The DSR SDT believes the VSL is appropriate now that it only applies to the remaining
1 hour reportable event, which is the Reportable Cyber Event under CIP-008.
MidAmerican Energy suggests incorporating the language from FERC Order 706,
paragraph 674, into the EOP-004 reporting requirement to allow preliminary
reporting within one hour to be done through a phone call or another method to
allow the responsible entity to focus on recovery and/or restoration, if
needed. MidAmerican Energy agrees with the use of DOE OE-417 for submittal of the
full report of incidents under EOP-004 and CIP-008. We would note there are two
parts to this form -- Schedule 1-Alert Notice, and Schedule 2-Narrative Description.
Since OE-417 already requires submittal of a final report that includes Schedule 2
within 48 hours of the event, MidAmerican Energy believes it is not necessary to
include a timeline for completion of the final report within the EOP-004 standard.
We would note that Schedule 2 has an estimated public reporting burden time of
two hours so it is not realistic to expect Schedule 2 to be completed within one hour.
Events included in Attachment 1: MidAmerican Energy believes draft Attachment 1
expands the scope of what must be reported beyond what is required by FERC
directives and beyond what is needed to improve security of the BES. The categories
listed in Attachment 1 with one-hour reporting timelines cause the greatest concern.
None of these categories are listed in OE-417, and all but the last row would not be
considered a Cyber Security Incident under CIP-008, unless there was malicious or
suspicious intent.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report. Also, Attachment 1 provides the
flexibility to make a verbal report under adverse conditions.
Response: Thank you for your comment. Please see response above.
SERC OC Standards Review
Group
No
No event should have a reporting time less than at the close of the next business
day. Any reporting of an event that requires a lesser reporting time should only be to
entities that can help mitigate an event such as an RC or other Reliability Entity.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
Southwestern Power
Administration
No
One hour is not enough time to make these assessments for all of the six items in
attachment 1. All timing requirements should be made the same in order to simplify
the reporting process.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
ITC
No
See comments to Question #4
Response: Thank you for your comment. See response to Question 4.
Southern Company
No
Southern requests clarification on one of the entries in Attachment 1. The concern is
with the last row on page 21 of Draft 3. What is the basis for “Voltage deviations”?
The Threshold is ±10% sustained for ≥ 15 minutes. Is the voltage deviation
based on the Voltage Schedule for that particular timeframe, or is it something else
(pre-contingency voltage level, nominal voltage, etc.)?
A sustained voltage deviation of ± 10% on the BES is a significant deviation and is
indicative of a shortfall of reactive resources either pre- or post-contingency. The DSR
SDT is indifferent to which of nominal, pre-contingency, or scheduled voltage, is used
as the baseline, but for simplicity and to promote a common understanding suggest
using nominal voltage.
In addition, the second row of Attachment 1 lists “Damage or destruction of a
Critical Cyber Asset per CIP-002” as a reportable event. The threshold includes
“...intentional or unintentional human action” and gives us 1 hour to report. The
term “damage” may be overly broad and, without definition, is not limited in any
way. If a person mistypes a command and accidentally deletes a file, or renames
something, or in any way changes anything on the CCA in error, then this could be
considered “damage” and becomes a reportable event. The SDT should consider
more thoroughly defining what is meant by “damage”. Should it incorporate the
idea that the essential functions that the CCA is performing must be adversely
impacted?
The DSR SDT agrees and the ‘Damage or Destruction’ events specifically relating to
Critical Assets and Critical Cyber Assets were removed from Attachment 1, as these
events are adequately addressed through the CIP-008 and ‘Damage or Destruction of
a Facility’ reporting thresholds.
Lastly, no event should have a reporting time shorter than at the close of the next
business day. Any reporting of an event that requires a shorter reporting time
should only be to entities that can help mitigate an event such as an RC or other
Reliability Entity.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
FEUS
No
The OE-417 requires several of the events listed in Attachment 1 be reported within
1 hour. FEUS recommends the drafting team review the events and the OE-417 form
and align the reporting window requirements. For example, public appeals, load
shedding, and system separation have a 1 hour requirement in OE-417.
OE-417 thresholds and reporting timelines were considered in creating Attachment 1,
but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America. Non-US Responsible Entities cannot be obligated to report in
shorter timelines simply to make the two forms line up. The current in-force
EOP-004 requires 24 hour reporting on the items you have identified and so
does the latest version of EOP-004-2
• NERC has no control over the criteria in OE-417, which can change at any time
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004.
Response: Thank you for your comment. Please see response above.
SPP Standards Review Group
No
The purpose of the reporting requirement should be clear either in the text of the
requirements or through an explanation that is embodied in the language of the
approved set of standards. This would be consistent with a “Results-based”
architecture. What is lacking in the proposed language of this standard is recognition
that registered entities differ in size and relevance of their impact on the Bulk
Electric System. Also, events that are reportable differ in their impact on the
registered entity. A “one-size fits all” approach to this standard may cause smaller
entities with low impact on the grid to take extraordinary measures to meet the
reporting/timing requirements and yet be too “loose” for larger more sophisticated
and impacting entities to meet the same requirements. Therefore, we believe
language of the standard must clearly state the intent that entities must provide
reports in a manner consistent with their capabilities from a size/reliability impact
perspective and from a communications availability perspective. Timing
requirements should allow for differences and consider these variables. Also, we
would suggest including language to specifically exclude situations where
communications facilities may not be available for reporting. For example, in
situations where communications facilities have been lost, initial reports would be
due within 6 hours of the restoration of those communication facilities.
The DSR SDT has reviewed Attachment 1 and made revisions to Event types, used the
NERC approved term ‘Facility’, and revised some of the language under ‘Entity with
Reporting Responsibility’ to ensure that these reportable events correctly represent
the relative impact to the BES. Also, all one hour reporting timelines have been
changed to 24 hours with the exception of a ‘Reportable Cyber Security Incident’. This
is maintained due to FERC Order 706, Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
We would also suggest that Attachment 1 be broken into two distinct parts such that
those events which must be reported within 1 hour stand out from those events that
have to be reported within 24 hours.
The DSR SDT agrees and has implemented your suggestion.
Response: Thank you for your comment. Please see response above.
Kansas City Power & Light
No
The reportable events listed in Attachment 1 can be categorized as events that have
had a reliability impact and those events that could have a reliability impact. The
listed events that could have a reliability impact should have a 24 hour reporting
requirement and the events that have had a reliability impact are appropriate at a 1
hour reporting. The following events with a 1 hour report requirement are
recommended to change to 24 hour: Forced Intrusion and Risk to BES Equipment.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
In addition, the Attachment 1 Events Table is incomplete as many of the listed
events are incomplete regarding reporting time requirements and event
descriptions.
Attachment 1 has been revised to more clearly indicate reporting timelines and some
of the event descriptions were changed to add clarity.
Also recommend removing (ii) from note 5 with event “Destruction of BES
equipment” as this part of the note is already described in the event description and
insinuates reporting of equipment losses that do not have a reliability impact.
This footnote has been deleted.
The events, “Damage or destruction of Critical Asset per CIP-002” and “Damage or
destruction of a Critical Cyber Asset per CIP-002”, do not have sufficient clarity
regarding what that represents. A note similar in nature to Note 5 for BES
equipment is recommended.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
Los Angeles Department of
Water and Power
No
The reporting time of within 1 hour of recognition for a "Forced Intrusion" (last event
category on page 20 of Draft 3, dated October 25, 2011) when considered with the
associated footnote “Report if you cannot reasonably determine likely motivation” is
overly burdensome and unrealistic. What is “reasonably determine likely
motivation” is too general and requires further clarity. For example, LADWP has
numerous facilities with extensive perimeter fencing. There is a significant
difference between a forced intrusion like a hole or cut in a property line fence of a
facility versus a forced intrusion at a control house. Often cuts in fences, after
further investigation, are determined to be cases of minor vandalism. An
investigation of this nature will take much more than the allotted hour. The NERC
Design Team needs to develop different levels for the term “Force Intrusion” that
fit the magnitude of the event and provide for adequate time to determine if the
event was only a case of minor vandalism or petty theft. The requirement, as
currently written, would unnecessarily burden an entity in reporting events that after
given more time to investigate would more than likely not have been a reportable
event.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
Response: Thank you for your comment. Please see response above.
Northeast Power Coordinating
Council
No
The SDT should work with the NERC team drafting the Events Analysis Process (EAP)
to ensure that the reporting events align and use the same descriptive language. EOP-004
should use the exact same events as OE-417. These could be considered a baseline
set of reportable events. If the SDT believes that there is justification to
add additional reporting events beyond those identified in OE-417, then the event
table could be expanded. If the list of reportable events is expanded beyond the OE-417
event list, the supplemental events should be the same in both EOP-004-2 and
in the EAP Categories 1 through 5.
OE-417 thresholds and reporting timelines were considered in creating Attachment 1,
but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America. Non-US Responsible Entities cannot be obligated to report in
shorter timelines simply to make the two forms line up. The current in-force
EOP-004 requires 24 hour reporting on the items you have identified and so
does the latest version of EOP-004-2
• NERC has no control over the criteria in OE-417, which can change at any time
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004.
It is not clear what the difference is between a footnote and “Threshold for
Reporting”. All information should be included in the body of the table, there should
be no footnotes.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
Event: Risk to BES equipment should be deleted. This is too vague and subjective.
This will result in many “prove the negative” situations.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
Event: Damage or Destruction of a Critical Asset or Critical Cyber Asset should be
deleted. Disclosure policies regarding sensitive information could limit an entity’s
ability to report. Unintentional damage to a CCA does not warrant a report.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Event: BES Emergency requiring public appeal for load reduction should be modified
to note that this does not apply to routine requests for customer conservation during
high load periods.
The DSR SDT believes the current language of the event category ‘BES Emergency...’
clearly excludes routine conservation requests.
Response: Thank you for your comment. Please see response above.
Florida Municipal Power
Agency
No
The times don’t seem aggressive enough for some of the Events related to
generation capacity shortages, e.g., we would think public appeal, system wide
voltage reduction and manual firm load shedding ought to be within an hour. These
are indicators that the BES is “on the edge” and to help BES reliability,
communication of this status is important to Interconnection-wide reliability.
This standard concerns after-the-fact reporting. It is assumed that Responsible
Entities will make appropriate real-time notifications as per other applicable
standards, operating agreements, and good utility practice. This standard does not
preclude a Responsible Entity from reporting more quickly than required by
Attachment 1.
Response: Thank you for your comment. Please see response above.
NorthWestern Energy
Affirmative
In Attachment 1 NorthWestern Energy does not agree with the Transmission loss
event, the threshold for reporting is “Unintentional loss of Three or more
Transmission Facilities (excluding successful automatic reclosing).” There are lots of
instances where this can happen and not have any major impacts to the BES. This
reporting requirement is stemming from the Event Analysis Reporting Requirements
and in many instances does not constitute an emergency.
You are correct. This event is used as a trigger to the Events Analysis Process.
Also, in Attachment 1 it is not clear when the DOE OE-417 form MUST be submitted.
It gives an option to use this form or another form but does not state when it must be
used - confusing.
For the purposes of EOP-004, Responsible Entities may use either Attachment 2 or
OE-417. Submission of OE-417 to the DOE is mandatory for US entities and outside
the scope of NERC. Giving you the option to submit OE-417 to NERC and your RC to
satisfy EOP-004 is permitted as a matter of convenience so you don’t have to submit
two different forms for the same event.
Response: Thank you for your comment. Please see response above.
Rutherford EMC
Affirmative
The SDT should consider adding a clause in the standard exempting small DP/LSEs
from the standard if the DP/LSE annually reviews and approves that it owns no
facilities or equipment creating an event as described in Attachment 1.
The DSR SDT believes that reliability is best served by imposing reporting criteria based
on impact to the BES rather than an arbitrary entity size threshold. With these latest
revisions, all the proposed event categories provide thresholds that will capture the
appropriate entities and provide a manageable timeframe.
Response: Thank you for your comment. Please see response above.
Fort Pierce Utilities Authority
Affirmative
The triggering event “Detection of a reportable Cyber Security Incident” listed in
Attachment 1 assigns essentially all utilities reporting responsibility. This is not in line
with its reporting threshold, which is an event meeting the criteria in CIP-008. Shouldn’t
the responsibility fall on only those responsible for compliance with CIP-008, version
3 or 4, as determined by CIP-002? The SDT should also give additional consideration
to necessary provisions to make it align with the proposed CIP-008-5.
The ‘Entity with Reporting Responsibility’ has been changed to reflect your comment
to ‘Each Responsible Entity applicable under CIP-008 that experiences the Cyber
Security Incident’.
Response: Thank you for your comment. Please see response above.
Nebraska Public Power
District
Yes
Although 24 hours is a vast improvement, one business day would make more sense
for after the fact reporting.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
FirstEnergy
Yes
Although we agree with the timeframes for reporting, we have other concerns as
listed in our response to Question 4.
Response: Thank you for your comment. Please see response to question 4.
Intellibind
Yes
Does this reporting conflict with reporting for DOE, and Regions? If so, what
reporting requirements will the entity be held accountable to? Managing multiple
reporting requirements for the multiple agencies is very problematic for entities and
this standard should resolve those reporting requirements, as well as reduce the
reporting down to one form and one submission. Reporting to ESISAC should take
care of all reporting by the company. NERC should route all reports to the DOE, and
regions through this mechanism.
OE-417 thresholds and reporting timelines were considered in creating Attachment 1,
but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America. Non-US Responsible Entities cannot be obligated to report in
shorter timelines simply to make the two forms line up. NERC has no control
over the criteria in OE-417, which can change at any time
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. NERC cannot take on the statutory
obligation of US entities to report to the DOE.
Response: Thank you for your comment. Please see response above.
Dominion
Yes
Dominion appreciates the changes that have been made to increase the 1 hr
reporting time to 24 hours.
Response: Thank you for your comment.
APX Power Markets (NCR11034)
Yes
In my opinion the remaining items with 1 hour reporting requirements will in most
cases require the input of incomplete information, since you may be aware of the
outage/disturbance, but not aware of any reason for it. If that is acceptable just to
get the initial report that there was an outage/disturbance then we are OK. I
believe it would help to have that clarified in the EOP, or maybe a CAN can be created
for that.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions.
Response: Thank you for your comment. Please see response above.
Compliance & Responsibility
Office
Yes
See comments in response to Question 4.
Response: Thank you for your comment. See response to Question 4.
Lower Colorado River
Authority
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report
required by the Event Analysis process, but there is some duplication of efforts. EOP-004 has an “optional” Written Description section for the event, while the Brief
Report requires more detailed information such as a sequence of events,
contributing causes, restoration times, etc. Please clarify whether Registered Entities
will still be required to submit both forms. Please also ensure there will not be
duplication of efforts between the two reports. Although this is fairly minor, the
clarification should be addressed.
Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary.
Response: Thank you for your comment. Please see response above.
City of Austin dba Austin
Energy
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report
required by the Event Analysis process, but there is some duplication of efforts. EOP-004 has an “optional” Written Description section for the event, while the Brief
Report requires more detailed information such as a sequence of events,
contributing causes, restoration times, etc. Please clarify whether Registered Entities
will still be required to submit both forms. Please also ensure there will not be
duplication of efforts between the two reports. Although this is fairly minor, the
clarification should be addressed.
Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary.
Response: Thank you for your comment. Please see response above.
Public Utility District No. 1 of
Snohomish County
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report
required by the Event Analysis process, but there is some duplication of efforts. The
EOP-004 has an “optional” Written Description section for the event, while the Brief
Report requires more detailed information such as a sequence of events,
contributing causes, restoration times, etc. Please clarify if both forms will still be
required to be submitted. We also need to ensure that there won’t be a duplication
of efforts between the two reports. This is fairly minor, but the clarification need
should be addressed.
Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary.
Response: Thank you for your comment. Please see response above.
Seattle City Light
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report
required by the Event Analysis process, but there is some duplication of efforts. The
EOP-004 has an “optional” Written Description section for the event, while the Brief
Report requires more detailed information such as a sequence of events,
contributing causes, restoration times, etc. Please clarify if both forms will still be
required to be submitted. We also need to ensure that there won’t be a duplication
of efforts between the two reports. This is fairly minor, but the clarification need
should be addressed.
Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary.
Response: Thank you for your comment. Please see response above.
Salt River Project
Yes
The proposed reporting form for EOP-004-2 is less extensive than the Brief Report
required by the NERC Event Analysis process, but there is some duplication of
efforts. EOP-004 has an “optional” Written Description section for the event, while
the Brief Report requires more detailed information such as a sequence of events,
contributing causes, restoration times, etc. Please clarify whether Registered Entities
will still be required to submit both forms. Please also ensure there will not be
duplication of efforts between the two reports. Although this is fairly minor, the
clarification should be addressed.
Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary.
Response: Thank you for your comment. Please see response above.
Constellation Energy on
behalf of Baltimore Gas &
Electric, Constellation Power
Generation, Constellation
Energy Commodities Group,
Constellation Control and
Dispatch, Constellation
NewEnergy and Constellation
Energy Nuclear Group.
Yes
We agree with the change to the reporting times in Attachment 1. While this is an
improvement, other concerns with the language in the events table language
remain. Please see additional details below:
General items:
o All submission instructions (column 4 in Events Table) should qualify the recognition of the event as
“of recognition of event as a reportable event.”
Column 4 has been deleted. The table headings now state that Responsible Entities
must submit the report within X hours of recognition of event.
o Is the ES-ISAC the appropriate contact for the ERO given that these two entities are
separate even though they are currently managed by NERC?
Yes. This is the current reporting contact and this is the advice that the DSR SDT team
received from NERC.
In addition, are the phone numbers in the Attachment 1 NOTE accurate? Is it
possible they will change in a different cycle than the standard?
Yes. The standard will require updating should the phone number change.
Specific Event Language: o Destruction of BES Equipment, footnote: Footnote 1,
item iii confuses the clarification added in items i. and ii. Footnote 1 should be
modified to state BES equipment that (i) an entity knows will affect an IROL or has
been notified the loss affects an IROL; (ii) significantly affects the reserve margin of a
Balancing Authority or Reserve Sharing Group. Item iii should be dropped.
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’ (a
defined term) and thresholds have been modified to provide clarity. Footnotes for this
event have been deleted.
o Damage or destruction of Critical Asset per CIP-002: Within the currently
developing revisions to CIP-002 (version 5), Critical Asset will be retired as a glossary
term. As well as addressing the durability of this event category, additional
delineation is needed regarding which asset disruptions are to be reported. A CA as
currently defined incorporates assets in a broad perspective, for instance a
generating plant may be a Critical Asset. As currently written in Attachment 1,
reporting may be required for unintended events, such as a boiler leak that takes a
plant offline for a minor repair. Event #1 - Destruction of BES Equipment - captures
incidents at the relevant equipment regardless of whether they are a Critical Asset or
not. We recommend dropping this event. However, if reference to CIP-002 assets
remains, it will be important to capture reporting of the events relevant to reliability
and not just more events.
o Damage or destruction of a Critical Cyber Asset per CIP-002: Because CCAs are defined at the component level, including this trigger is
appropriate; however, as with CAs, the CCA term is scheduled to be retired under
CIP-002 version 5.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
o Forced Intrusion: The footnote confuses the goal of including this event category.
In addition, “forced” doesn’t need to define the incident. Constellation proposes the
following to better define the event: Intrusion that affects or attempts to affect the
reliable operation of the BES (1)
(1) Examples of "affecting reliable operation of the BES are": (i) device operations, (ii) protective equipment degradation, (iii)
communications systems degradation including telemetered values and device
status.
o Risk to BES equipment: This category is too vague to be effective and the
footnote further complicates the expectations around this event. The catch all
concept of reporting potential risks to BES equipment is problematic. It’s not clear
what the reliability goal of this category is. Risk is not an event, it is an analysis. How
are entities to comply with this “event”, never mind within an hour? It appears that
the information contemplated within this scenario would be better captured within
the greater efforts underway by NERC to assess risks to the BES. This event should
be removed from the Attachment 1 list in EOP-004.
‘Forced intrusion’ and ‘Risk to BES Equipment’ (which this footnote referenced) have
been combined under a new event type called ‘A physical threat that could impact
the operability of a Facility’. Using judgment is unavoidable for this type of event. This
language was chosen because the Responsible Entity is in the best position to exercise
this judgment and determine whether or not an event poses a threat to its Facilities.
The DSR SDT believes this revised event type will minimize administrative burden and
ensure that events meaningful to industry awareness are reported. Note that the
reporting timeline (now revised to 24 hours) starts when the situation has been
determined as a threat, not when it may have first occurred.
o BES Emergency requiring system-wide voltage reduction: the Entity with Reporting
Responsibility should be limited to RC and TOP.
Entity with Reporting Responsibility states ‘Initiating entity is responsible for
reporting’, which the DSR SDT feels is adequate direction in conjunction with the
event: BES Emergency requiring system-wide voltage reduction.
o Voltage deviations on BES Facilities: The Threshold for Reporting language needs
more detail to explain +/- 10% of what? Proposed revision: ± 10% outside the
voltage schedule band sustained for ≥ 15 continuous minutes
o IROL Violation (all Interconnections) or SOL Violation (WECC only): Should “Interconnections” be capitalized?
o Transmission loss: The reporting threshold should provide more
specifics around what constitutes Transmission Facilities. One minor item, under the
Threshold for Reporting, “Three” does not need to be capitalized.
Both Transmission and Facilities are defined terms and the DSR SDT feels this gives
sufficient direction.
Response: Thank you for your comment. Please see response above.
Pacific Northwest Small Public
Power Utility Comment Group
Yes
While we agree with the revisions as far as they went, we do not believe the SDT has
adequately addressed the FERC Order to “Consider whether separate, less
burdensome requirements for smaller entities may be appropriate.” The one and 24
hour reporting requirements continue to be burdensome to the smaller entities that
do not maintain 24/7 dispatch centers. The one hour reporting requirement means
that an untimely “recognition” starts the clock and reporting will become a higher
priority than restoration. The note regarding adverse conditions does not help unless
we were to consider the very lack of 24/7 dispatch to be such a condition.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
The DSR SDT believes that reliability is best served by imposing reporting criteria based
on impact to the BES rather than an arbitrary entity size threshold. With these latest
revisions, all the proposed event categories provide thresholds that will capture the
appropriate entities and provide a manageable timeframe.
Response: Thank you for your comment. Please see response above.
Clallam County PUD No.1
Yes
While we agree with the revisions as far as they went, we do not believe the SDT has
adequately addressed the FERC Order to “Consider whether separate, less
burdensome requirements for smaller entities may be appropriate.” The one and 24
hour reporting requirements continue to be burdensome to the smaller entities that
do not maintain 24/7 dispatch centers. The one hour reporting requirement means
that an untimely “recognition” starts the clock and reporting will become a higher
priority than restoration. The note regarding adverse conditions does not help unless
we were to consider the very lack of 24/7 dispatch to be such a condition.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
The DSR SDT believes that reliability is best served by imposing reporting criteria based
on impact to the BES rather than an arbitrary entity size threshold. With these latest
revisions, all the proposed event categories provide thresholds that will capture the
appropriate entities and provide a manageable timeframe.
Response: Thank you for your comment. Please see response above.
Illinois Municipal Electric
Agency
Yes
With the understanding this is within 24 hrs., and good professional judgment
determines the amount of time to report the event to appropriate parties.
Response: Thank you for your comment.
Ingleside Cogeneration LP
Yes
Yes. Any reporting that is mandated during the first hour of an event must be
subject to close scrutiny. Many of the same resources that are needed to
troubleshoot and stabilize the local system will be engaged in the reporting - which
will impair reliability if not carefully applied. We believe that the ERO should
reassess the need for any immediate reporting requirements on a regular basis to
confirm that it provides some value to the restoration process.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1. Also, Attachment 1 provides the flexibility to make a verbal
report under adverse conditions. For the revised event category ‘A physical threat
that could impact the operability of a Facility’ the reporting timeline of 24 hours
starts when the situation has been determined as a threat, not when it may have first
occurred.
Response: Thank you for your comment. Please see response above.
Southwest Power Pool
Regional Entity
Yes
ZGlobal on behalf of City of
Ukiah, Alameda Municipal
Power, Salmen River Electric,
City of Lodi
Yes
MRO NSRF
Yes
Western Electricity
Coordinating Council
Yes
Imperial Irrigation District
Yes
ACES Power Marketing
Standards Collaborators
Yes
Santee Cooper
Yes
Sacramento Municipal Utility
District (SMUD)
Yes
Electric Compliance
Yes
PacifiCorp
Yes
Arizona Public Service
Company
Yes
Westar Energy
Yes
Springfield Utility Board
Yes
Manitoba Hydro
Yes
Xcel Energy
Yes
Liberty Electric Power
Yes
Colorado Springs Utilities
Yes
Independent Electricity
System Operator
Yes
South Carolina Electric and Gas
Yes
ISO New England
Yes
American Transmission
Company, LLC
Yes
PSEG
Yes
American Electric Power
Yes
Georgia System Operations
Corporation
Yes
NV Energy
Yes
Occidental Power Services,
Inc. (OPSI)
Yes
Northeast Utilities
Yes
Great River Energy
Yes
Oncor Electric Delivery
Company LLC
Yes
PPL Electric Utilities and PPL
Supply Organizations
Progress Energy
Texas Reliability Entity
ReliabilityFirst
NRECA
Entergy Services
Thompson Coburn LLP on
behalf of Miss. Delta Energy
Agency
4. Do you have any other comment, not expressed in questions above, for the DSR SDT?
Summary Consideration: The issues addressed in this question resulted in the DSR SDT reviewing and updating each requirement,
Attachment 1 and Attachment 2. The DSR SDT has removed ambiguous language such as “risk” and “potential” based on comments
received. All of the time frames in Attachment 1 have been moved to 24 hours upon recognition with the exception to reporting of CIP-008 events that remains one hour per FERC Order 706. Attachment 2 has been rewritten to mirror Attachment 1 events for entities who
wish to use Attachment 2 in lieu of the DOE Form OE 417. VSLs have been reviewed to match the updated requirements.
Organization
Cleco Corporation, Cleco
Power, Cleco Power LLC
Yes or No
Abstain
Question 4 Comment
Cleco does not use the VSL or VRF.
Response: Thank you for your comment
Oklahoma Gas and Electric Co.
Abstain
Please see comments on SPP ballot
Response: Thank you for your comment. See response to those comments.
Alberta Electric System
Operator
Abstain
The Alberta Electric System Operator will need to modify parts of this standard to fit
the provincial model when it develops the Alberta Reliability Standard.
Response: Thank you for your comment.
Gainesville Regional Utilities
Affirmative
Looking forward to the added clarity.
Response: Thank you for your comment.
Manitoba Hydro
Affirmative
Manitoba Hydro is voting affirmative but would like to point out the following issues:
-Attachment 1: The term ‘Transmission Facilities’ used in Attachment 1 is capitalized,
but it is not a defined term in the NERC glossary. The drafting team should clarify
what is meant by ‘Transmission Facilities’ and remove the capitalization.
The DSR SDT has reviewed the NERC Glossary of Terms and notes that Transmission
and Facilities are both defined. The combination of these two definitions is what
the DSR SDT has based the applicability of “Transmission Facilities” in Attachment 1.
-Attachment 2: The inclusion of ‘fuel supply emergency’ in Attachment 2 creates
confusion as it infers that reporting a ‘fuel supply emergency’ may be required by the
standard even though it is not listed as a reportable event in Attachment 1. On a
similar note, it is not clear what the drafting team is hoping to capture by including a
checkbox for ‘other’ in Attachment 2.
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2.
Response: Thank you for your comment. Please see response above.
Oncor Electric Delivery
Affirmative
NERC's Event Analysis Program tends to parallel many of the reporting requirements
as outlined in EOP-004 Version 2. Oncor recommends that NERC consider ways of
streamlining the reporting process by either incorporating the Event Analysis
obligations into EOP-004-2 or reducing the scope of the Event Analysis program as
currently designed to consist only of "exception" reporting.
The reporting of events as required in EOP-004 is the input to the Events Analysis
Program. Events are reported to the ERO and the EAP will follow up as per the EAP
processes and procedures.
Response: Thank you for your comment. Please see response above.
City Utilities of Springfield,
Missouri
Affirmative
SPRM supports the comments from SPP.
Response: Thank you for your comment. Please see response to comments from SPP.
Kootenai Electric Cooperative
Affirmative
The changes are an improvement over the existing standards.
Response: Thank you for your comment.
Empire District Electric Co.
Affirmative
We agree with the comments provided by SPP
Response: Thank you for your comment. Please see response to SPP comments.
Lakeland Electric
Negative
1. Further clarity is needed. For example the standard stipulates in R1.3 ". .as
appropriate." Who deems what is appropriate? Also in R1.4 ". .other circumstances"
is open to interpretation.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is
to define its process for reporting and with whom to communicate events to as
stated in the entity’s Operating Plan.
Requirement R1, Part 1.4 was removed from the standard.
2. Remove paragraph 1 of the data retention section as it parrots the Rules of
Procedure, Appendix 4C: Compliance Monitoring and Enforcement Program, Section
3.1.4.2. Possibly place a pointer to the CMEP in the data retention section.
The item in question is standard boilerplate language that is being placed in all NERC
standards.
Response: Thank you for your comment. Please see response above.
CPS Energy
Negative
o R1.4: CPS Energy believes that “updating the Operating Plan within 90 calendar
days of any change...” is a very burdensome compliance documentation
requirement.
Requirement R1, Part 1.4 was removed from the standard.
o Attachment 1: Events Table: In DOE OE-417 local electrical systems with less than
300MW are excluded from reporting certain events since they are not significant to
the BES. CPS Energy believes that the benefit of reporting certain events on systems
below this value would outweigh the compliance burden placed on these small
systems.
Upon review of the DOE OE 417, it states “Local Utilities in Alaska, Hawaii, Puerto
Rico, the U.S. Virgin Islands, and the U.S. Territories - If the local electrical system is
less than 300 MW, then only file if criteria 1, 2, 3 or 4 are met”. Please be advised
this exception applies to entities outside the continental USA.
Response: Thank you for your comment. Please see response above.
Lakeland Electric
Negative
An issue of possible differences in interpretation between entities and compliance
monitoring and enforcement is the phrase in 1.3 that states “the following as
appropriate”. Who has the authority to deem what is appropriate?
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is
to define its process for reporting and with whom to communicate events to as stated
in the entity’s Operating Plan.
Response: Thank you for your comment. Please see response above.
Dynegy Inc.; Southern Illinois
Power Coop.; Louisville Gas
and Electric Co.
Negative
Comments submitted as part of the SERC OC; I agree with the comments of the SERC
OC Standards Review group that have been provided to NERC.; We are a signatory to
the SERC OC RRG comments filed last week.
Response: Thank you for your comment. Please see response to the SERC OC RRG comments.
Hydro One Networks, Inc.
Negative
First and foremost we are not supportive of continuance of standards that are not
"results based". Standards written to gather data, make reports etc. should not be
written. There should be other processes for reporting in place that will not be
subject to ERO oversight and further compliance burdens.
The DSR SDT has been following the guidance set by NERC to write a “results based”
standard. As with any process there may be many different ways to achieve the
same outcome. The NERC Quality Process has not indicated any request to update
this Standard, concerning the Results Based Standard format.
o We are disappointed that the standard does not appear to reduce reporting
requirements nor does it promote more efficient reporting. We encourage the SDT
to take a results based approach and coordinate and reduce reporting through
efficiencies between the various agencies and NERC.
The DSR SDT is staying within scope of the approved SAR and will be forwarding your
concern of efficiencies between various agencies and NERC
o The Purpose statement is very broad, and “...by requiring the reporting of events
with the potential to impact reliability and their causes...” on the Bulk Electric System
it can be said that every event occurring on the Bulk Electric System would have to
be reported. There is already an event analysis process in place. Could this reporting
be effectively performed in that effort?
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting
of events by Responsible Entities.”
o The standard prescribes different sets of criteria, and forms.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as, the EAWG’s requirements were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
o There should be one recipient of event information. That recipient should be a
“clearinghouse” to ensure the proper dissemination of information.
The DSR SDT is proposing revisions to the NERC Rules of Procedure that address your
comment:
812. NERC Reporting Clearinghouse
NERC will establish a system to collect report forms as established for this section or
standard, from any Registered Entities, pertaining to data requirements identified in
Section 800 of this Procedure. Upon receipt of the submitted report, the system shall
then forward the report to the appropriate NERC departments, applicable regional
entities, other designated registered entities, and to appropriate governmental, law
enforcement, regulatory agencies as necessary. This can include state, federal, and
provincial organizations.
o Why is this standard applicable to the ERO?
The ERO is applicable to CIP-008 and therefore is applicable to this proposed
Standard.
Response: Thank you for your comment. Please see response above.
FirstEnergy Corp., FirstEnergy
Energy Delivery, FirstEnergy
Solutions, Ohio Edison
Company
Negative
FirstEnergy appreciates the hard work of the drafting team and believes it has made
great improvements to the standards. However, we must vote negative at this time
until a few issues are clarified per our comments submitted through the formal
comment period.
Response: Thank you for your comment. Please see response to your other comments.
Lakeland Electric
Negative
In general; there has not been sufficient prudency review for the standard, especially
R1, to justify a performance based standard around a Frequency Response Measure
Based on your short comment, Requirement 1 has been modified as requested by
stakeholders. The DSR SDT cannot answer the issue of Frequency Response Measures
since it is not within the scope of the SAR.
Response: Thank you for your comment. Please see response above.
Northeast Power Coordinating
Council
Negative
NPCC believes that further revision of the standard is necessary so is not able to
support the VSLs at this time. Comments to the standard will be made in the formal
comment period.
Response: Thank you for your comment. Please see responses to your other comments.
Central Lincoln PUD; Blachly-Lane Electric Co-op; Central
Electric Cooperative, Inc.
(Redmond, Oregon);
Clearwater Power Co.;
Consumers Power Inc.; Coos-Curry Electric Cooperative,
Inc; Fall River Rural Electric
Cooperative; Lane Electric
Cooperative, Inc.; Northern
Lights Inc.; Pacific Northwest
Generating Cooperative; Raft
River Rural Electric
Cooperative; Umatilla Electric
Cooperative; West Oregon
Electric Cooperative, Inc.;
Cowlitz County PUD
Negative
Please see comments submitted by the Pacific Northwest Small Public Power Utility
Comment Group.
Response: Thank you for your comment. Please see responses to comments of the Pacific Northwest Small Public Power Utility
Comment Group.
Rochester Gas and Electric
Corp.
Negative
RG&E supports comments to be submitted to NPCC.
New Brunswick System
Operator
Negative
See comments submitted by the NPCC Reliability Standards Committee and the IRC
Standards Review Committee.
Florida Municipal Power Pool
Negative
See FMPA's comments
Response: Thank you for your comment. See responses to those comments.
Commonwealth of
Massachusetts Department of
Public Utilities
Negative
Standards written to gather data, make reports etc. should not be written. There
should be other processes for reporting in place that will not be subject to ERO
oversight and further compliance burdens.
FERC Order 693 section 617 states “…the Commission directs the ERO to develop a
modification to EOP-004-1 through the reliability Standards development process that
includes any Requirement necessary for users, owners, and operators of the Bulk-Power System to provide data…”. In order for entities to provide data they are
required to implement their Operating Plan. EOP-004-2 will satisfy this FERC directive.
Response: Thank you for your comment. Please see response above.
Hydro One Networks, Inc.
Negative
Suggested key concepts for the SDT consideration in this standard:
o Develop a single form to report disturbances and events that threaten the reliability of the bulk electric system
o Investigate other opportunities for efficiency, such as development of an electronic form and possible inclusion of regional reporting requirements
o Establish clear criteria for reporting
The DSR SDT has only provided one form within this proposed Standard, please see
Attachment 2. Based on stakeholder feedback, the DSR SDT has allowed
stakeholders to use the DOE Form OE 417. Please note that not every Stakeholder in
NERC wishes to use the DOE Form OE 417.
o Establish consistent reporting timelines
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
o Provide clarity around who will receive the information and how it will be used
o Explore other opportunities beside a standard to effectively achieve the same
outcome. Standards should be strictly results based, whose purpose is to achieve an
adequate level of reliability on the BES.
The DSR SDT has clearly stated who will receive the information: Part 1.3 (now Part 1.2)
was revised to add clarifying language by eliminating the phrase “as appropriate” and
indicating that the Responsible Entity is to define its process for reporting and with
whom to report events. Part 1.2 now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004 Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
The information received will be mainly used for situational awareness and other
processes.
Response: Thank you for your comment. Please see response above.
Orlando Utilities Commission
Negative
The contemporaneous drafting efforts related to both the proposed Bulk Electric
System ("BES") definition changes, as well as the CIP standards Version 5, could
significantly impact the EOP-004-2 reporting requirements. Caution needs to be
exercised when referencing these definitions, as the definitions of a BES element
could change significantly and Critical Assets may no longer exist. As it relates to the
proposed reporting criteria, it is debatable as to whether or not the destruction of,
for example, one relay would be a reportable incident under this definition going
forward given the current drafting team efforts.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
James A Maenner
Negative
The information in section “5 Background” should be moved from the standard to a
supporting document.
The DSR SDT will refer to guidance within the Standards Development process on the
proper place to maintain Background information.
The reporting exemption language for weather in the Note on Attachment 1 - Events
Table should be included in R3, not just a note.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for
applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
The “Guideline and Technical Basis”, last 3 pages, should be moved from the
standard to a supporting document.
The Guideline and Technical Basis section is a part of the Results-Based Standard
format and the information contained in it is in the correct place.
Response: Thank you for your comment. Please see response above.
Kansas City Power & Light Co.
Negative
The proposed Standard is in need of additional work to complete the Attachment 1,
complete the VSL's, and clarify language and content within the proposed standard.
The DSR SDT has reviewed and revamped all Requirements and both Attachments
based on stakeholders’ feedback. This will provide clarity for entities to follow.
Response: Thank you for your comment. Please see response above.
SERC Reliability Corporation
Negative
The purpose of the standard "To improve industry awareness and the reliability of
the Bulk Electric System by requiring the reporting of events with the potential to
impact reliability and their causes, if known, by the Responsible Entities" has not
been achieved as written. There is the potential for the information and data
contemplated by this standard to be useful in achieving the stated purpose through
follow-on activities of the industry, the regions, and NERC. However, as drafted,
Attachment 1 will inform the ERO of the existence of only a portion of the "events
with the potential to impact reliability and their causes, if known".
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
Events listed in Appendix E to the ERO Event Analysis Process document should be
incorporated into the standard instead of hardwiring inconsistency by requiring a
different set of events. Alternatively, the SDT should explore deleting Attachment 1
and instead referencing the ERO Event Analysis process (which as a learning
organization will have systematic changes to the reporting thresholds over time). At
first this may seem contrary to the SDT objective of eliminating fill-in-the-blank
aspects of the existing standard but the SDT should explore the Commission's
willingness to accept a reference document for reporting thresholds. Additionally, it
is unclear how NERC's role as the ES-ISAC is supported through the requirements of
this reliability standard. It appears to undermine the ability of NERC (ES-ISAC) to be
made timely aware of threats to the critical infrastructure--at odds with its purpose.
Thus, this draft does not achieve the elimination of redundant reporting envisioned
in the SAR, nor does it achieve the objective of supporting NERC in the analysis of
disturbances or blackouts.
The DSR SDT is following NERC’s ANSI approved process for standards development.
The ERO Events Analysis process does not have the framework as required by the
ANSI development process. Within this proposed Standard, when an Attachment 1
event is recognized, the ERO (which is the ES-ISAC) will be one of the first to be
notified, as will the entity’s Reliability Coordinator. This will enhance situational
awareness as per the entity’s Operation Plan and this Standard.
FERC Order 693 section 617 states “…the Commission directs the ERO to develop a
modification to EOP-004-1 through the reliability Standards development process
that includes any Requirement necessary for users, owners, and operators of the
Bulk-Power System to provide data…”. In order for entities to provide data they are
required to implement their Operating Plan. EOP-004-2 will satisfy this FERC
directive.
Response: Thank you for your comment. Please see response above.
Tucson Electric Power Co.
Negative
The tie between an Operating Plan and reportable disturbance events is not clear.
Being the exception, I feel that a reportable disturbance methodology should be part
of an Emergency Operating Plan.
EOP-004-2 provides Applicable Entities with the minimum report requirements for
events contained in Attachment 1. NERC has defined Operating Plan in part as: "A
document that identifies a group of activities that may be used to achieve some goal.
An Operating Plan may contain Operating Procedures and Operating Processes.” An
entity may include a reportable disturbance methodology within their Operating Plan
since this Standard does not preclude it.
Response: Thank you for your comment. Please see response above.
United Illuminating Co.
Negative
The VSL table is mistyped. R2 lists 1.1 and 1.5. R4 VRF should be lower.
Requirement R4 (now R3) calls for conducting an annual test of the communications
process in Requirement 1, Part 1.2. It is not strictly administrative in nature and
therefore does not meet the VRF guideline for a Lower VRF.
Response: Thank you for your comment. Please see response above.
PSEG Energy Resources &
Trade LLC, PSEG Fossil LLC,
Public Service Electric and Gas
Co.
Negative
There are several items that need clarification. See PSEG's separately provided
comments.
Response: Thank you for your comment. Please see response to your other comments.
Kansas City Power & Light Co.
Negative
There is no VSL for R4.
The VSL for Requirement R4 was inadvertently redlined in the redline version of the
standard, but it was present in the clean version.
Response: Thank you for your comment. Please see response above.
Ameren Services
Negative
We believe that these [VRFs and VSLs] will change as we expect some changes in the
draft standard.
Response: Thank you for your comment.
New York State Department
of Public Service
Negative
While the proposed standard consolidates many reporting requirements, the
requirement that any event with the "potential to impact reliability" be reported is
overly broad and will prove to be burdensome and distracting to system operations.
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
Response: Thank you for your comment. Please see response above.
Springfield Utility Board
o The Draft 3 Version History still lists the term “Impact Event” instead of “Event”.
This has been corrected.
o Draft 3 of EOP-004-2 - Event Reporting does not provide a definition for the term
“Event” nor does the NERC Glossary of Terms Used in Reliability Standards. SUB
recommends that “Event” be listed and defined in “Definitions and Terms Used in
the Standard” as well as the NERC Glossary, providing a framework and giving
guidance to entities for how to determine what should be considered an “Event” (ex:
sabotage, unusual occurrence, metal theft, etc.).
The DSR SDT has reviewed this issue and has changed “Event” to “event”.
Attachment 1 contains each reportable ‘event’.
Response: Thank you for your comment. Please see response above.
Northeast Utilities
- Incorporate NERC Event Analysis Reporting into this standard. Make the
requirements more specific to functional registrations as opposed to having
requirements applicable to “Responsible Entities”.
- The description of a Transmission Loss Event in A
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as, the EAWG’s requirements were considered in creating
Attachment 1. The DSR SDT has reviewed and reworded “Entities with Reporting
Responsibilities” to require the minimum amount of entities who will be required to
report each event.
Response: Thank you for your comment. Please see response above.
Progress Energy
(1) Attachment 1 lists “Destruction of BES Equipment” as a reportable event but then
lists “equipment failure” as one of several thresholds for reporting, with a one hour
time limit for reporting. It is simply not common sense to think of the simple failure
of a single piece of equipment as “destruction of BES equipment”. Does the
standard really expect that every BES equipment failure must be reported within one
hour, regardless of cause or impact to BES reliability? What is the purpose of such
extensive reporting?
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
(2) The same comment as (1) above is applicable to the “Damage or destruction of
Critical Asset” because one threshold is simple “equipment failure” as well.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
(3) Footnote 2 (page 20) says copper theft is not reportable “unless it effects the
reliability of the BES”, but footnote 1 on the same page says copper theft is
reportable if “it degrades the ability of equipment to operate properly”. In this
instance, the proposed standard provides two different criteria for reporting one of
the most common events on the same page.
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “A physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
(4) Forced Intrusion must be reported if “you cannot determine the likely
motivation”, and not based on a conclusion that the intent was to commit sabotage
or intentional damage. This would require reporting many theft related instances of
cut fences and forced doors (including aborted theft attempts where nothing is
stolen) which would consume a great deal of time and resources and accomplish
nothing. This criteria is exactly the opposite of the existing philosophy of only
reporting events if there is an indication of an intent to commit sabotage or cause
damage.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
(5) “Risk to BES equipment...from a non-environmental physical threat” is reportable,
but this is an example of a vague, open ended reporting requirement that will either
generate a high volume of unproductive reports or will expose reporting entities to
audit risk for not reporting potential threats that could have been reported. The
standard helpfully lists train derailments and suspicious devices as examples of
reportable events.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
The existing CAN for CIP-001 (CAN-0016) is already asking for a list of events that
were analyzed so the auditors can determine if a violation was committed due to
failure to report. I can envision the CAN for this new standard requiring a list of all
“non-environmental physical threats” that were analyzed during the audit period to
determine if applicable events were reported. This could generate a great deal of
work simply to provide audit documentation even if no events actually occur that are
reportable. It would also be easy for an audit team to second guess a decision that
was made by an entity not to report an event (what is risk?...how much risk was
present due to the event?...). Also, the reporting for this vague criteria must be
done within one hour. Any event with a one hour reporting requirement should be
crystal clear and unambiguous.
The DSR SDT has reworded and updated Attachment 1 per comments received and
believes that the language used obviates the need for CAN-0016. CAN-0016 has been
remanded.
(6) “Transmission Loss...of three or more Transmission Facilities” is reportable.
“Facility” is a defined term in the NERC Glossary, but “Transmission Facility” is not a
defined term, which will lead to confusion when this criteria is applied. This
requirement raises many confusing questions. What if three or more elements are
lost due to two separate or loosely related events - is this reportable or not? What
processes will need to be put in place to count elements that are lost for each event
and determine if reporting is required? Why must events be reported that fit an
arbitrary numerical criteria without regard to any material impact on BES reliability?
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
Both Transmission and Facilities are defined terms and the DSR SDT feels this gives
sufficient direction.
Response: Thank you for your comment. Please see response above.
MRO NSRF
The MRO NSRF wishes to thank the SDT for incorporating changes that the industry
had with reporting time periods and aligning this with the Events Analysis Working
Group and Department of Energy’s OE 417 reporting form.
Response: Thank you for your comment.
FirstEnergy
1. Attachment 1 - Regarding the 1st event listed in the table, “Destruction of BES
Equipment” and its accompanying Footnote 1, we believe that this event should be
broken into two separate events that incorporate the specifics in the footnote as
follows: a. “Destruction of BES equipment that is associated with an IROL per
FAC-014-2.” Regarding the 1st event we have proposed - We have proposed this be
made specific to IROL as stated in Footnote 1 part i. Also, we believe that only the RC
and TOP would have the ability to quickly determine and report within 1 hour if the
destruction is associated with an IROL. The other entities listed would not necessarily
know if the event affects an IROL. Therefore, we also propose that the Entities with
Reporting Responsibilities (column 2) be revised to only include the RC and TOP.
The DSR SDT agrees with your comment and made the following changes:
‘Threshold for Reporting’ column in the ‘Damage or Destruction’ event category. The
updated Threshold for Reporting now reads as:
“Damage or destruction of a Facility that:
• Affects an IROL (per FAC-014)
OR
• Results in the need for actions to avoid an Adverse Reliability Impact
OR
• Results from intentional human action.”
b. "Destruction of BES equipment that removes the equipment from service.”
Regarding the 3rd event we have proposed - We have proposed this be made
specific to destruction of BES equipment that removes the equipment from service
as stated in Footnote 1 part iii. Also, the other part of footnote 1 part iii which states
“Damaged or destroyed due to intentional or unintentional human action” is not
required since it is covered in the threshold for reporting. Also the term “Damaged”
in this part iii is not appropriate since these events are limited to equipment that has
been destroyed. We also propose that the Entities with Reporting Responsibilities
(column 2) for this event would remain the same as it states now since any of those
entities may observe out of service BES equipment. Regarding part ii of footnote 1,
we do not believe that this event needs to be separated. Regarding the phrase
“significantly affects the reliability margin of the system be clarified so that it is not
left up to the entity to interpret a “significant” affect. Lastly, since we have
incorporated parts i and iii into the two separate events and removed part ii as
proposed above, the only statement that needs to be left in the Footnote 1 is: “Do
not report copper theft from BES equipment unless it degrades the ability of
equipment to operate correctly (e.g., removal of grounding straps rendering
protective relaying inoperative).”
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “Any physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
2. Attachment 1 - We ask that the team add an “Event #” column to the table so that
each of the events listed can be referred to by #, such as Event 1, Event 2, etc.
The DSR SDT believes that the minimum reporting attributes are contained in
Attachment 1.
3. Attachment 1 - Event titled “Damage or destruction of a Critical Cyber Asset per
CIP-002”, the proposed threshold for reporting seems incomplete. We suggest the
threshold for this event match the threshold for the Critical Asset event which states:
“Initial indication the event was due to operational error, equipment failure, external
cause, or intentional or unintentional human action.”
4. Attachment 1 - Events titled
“Damage or destruction of a Critical Assets per CIP-002” and “Damage or destruction
of a Critical Cyber Asset per CIP-002” seem ambiguous due to the term “damage”.
We suggest removal of “damage” or clarity as to what is considered a damaged
asset.
5. VSL Table - Instead of listing every entity, it may be more efficient to simply
say “The Responsible Entity” in the VSL for each requirement.
6. Guideline and
Technical Basis section - This section does not provide guidance on each of the
requirements of the standard. We suggest the team consider adding guidance for the
requirements.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Response: Thank you for your comment. Please see response above.
Southwest Power Pool
Regional Entity
1. EOP-004-2 R1.4 states entities must update their Operating Plans within 90
calendar days of incorporating lessons learned pursuant to R3. However, neither R3
nor Attachment 1 include a timeline for incorporating lessons learned. It is unclear
when the “clock starts” on incorporating improvements or lessons learned. Within
90 days of what? 90 days of the event? 90 days from when management approved
the lesson learned? Auditors need to know the trigger for the 90-day clock.
Requirement R1, Part 1.4 was removed from the standard.
2. The Event Analysis classification includes Category 1C “failure or misoperation of
the BPS SPS/RAS”. This category is not included in EOP-004-2’s Attachment 1. This
event, “failure or misoperation of the BPS SPS/RAS”, needs to either be added to
Attachment 1 or removed from the Event Analysis classification. It is important that
EOP-004-2 Attachment 1 and the Event Analysis categories match up. Thank you for
your work on this standard.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as, the EAWG’s requirements were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Response: Thank you for your comment. Please see response above.
Independent Electricity
System Operator
1. Measures M1, M2 and M3: Suggest to achieve consistent wording among them by
saying the leading part to “Each Responsible Entity shall provide....”
The DSR SDT is following the guidance within the Standards Development process on
the wording pertaining to items outside the realm of a requirement.
2. In our comments on the previous version, we suggested the SDT to review the
need to include IA, TSP and LSE for some of the reporting requirements in
Attachment 1. The SDT’s responded that it had to follow the requirements of the
standards as they currently apply. Since these entities are applicable to the
underlying standards identified in Attachment 1, they will be subject to reporting.
We accept this rationale. However, the revised Attachment 1 appears to be still
somewhat discriminative on who needs to report an event. For example, the event
of “Detection of a reportable Cyber Security Incident” (6th row in the table) requires
reporting by a list of responsible entities based on the underlying requirements in
CIP-008, but the list does not include the IA, TSP and LSE. We again suggest the SDT
to review the need for listing the specific entities versus leaving it general by saying:
“Applicable Entities under CIP-008” for this particular item, and review and establish
a consistent approach throughout Attachment 1.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008.
3. VSLs: a. Suggest to not list all the specific entities, but replace them with “Each
Responsible Entity” to simplify the write-up which will allow readers to get to the
violation condition much more quickly. b. For R1, it is not clear whether the
conditions listed under the four columns are “OR” or “AND”. We believe it means
“OR”, but this needs to be clarified in the VSL table.
4. The proposed implementation
plan conflicts with Ontario regulatory practice respecting the effective date of the
standard. It is suggested that this conflict be removed by appending to the
implementation plan wording, after “applicable regulatory approval” in the Effective
Dates Section on P. 2 of the draft standard and P. 1 of the draft implementation plan,
to the following effect: “, or as otherwise made effective pursuant to the laws
applicable to such ERO governmental authorities.”
The DSR SDT is following the guidance within the Standards Development process on
the wording pertaining to items outside the realm of a requirement.
Response: Thank you for your comment. Please see response above.
NRECA
1. Please ensure that the work of the SDT is done in close coordination with Events
Analysis Process (EAP) work being undertaken by the PC/OC and BOT, and with any
NERC ROP additions or modifications. NRECA is concerned that the EAP work being
done by these groups is not closely coordinated even though their respective work
products are closely linked -- especially since the EAP references information in
EOP-004.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as, the EAWG’s requirements were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
2. The SDT needs to be consistent in its use of "BES" and "BPS" - both acronyms are
used throughout the SDT documents. NRECA strongly prefers the use of "BES" since
that is what NERC standards are written for.
The DSR SDT has used BES within EOP-004-2. All references to BPS have been
removed.
3. Under “Purpose” section of standard, 3rd line, add “BES” between “impact” and
“reliability.” Without making this change the "Purpose" section could be
misconstrued to refer to reliability beyond the BES.
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
4. In the Background section there is reference to the Events Analysis Program. Is
that the same thing as the Events Analysis Process? Is it something different? Is it
referring to a specific department at NERC? Please clarify in order to reduce
confusion. Also in the Background section there is reference to the Events Analysis
Program personnel. Who is this referring to -- NERC staff in a specific department?
Please clarify.
The DSR SDT was explaining that the DSR SDT has been coordinating with the
“Events Analysis Working Group”.
5. In M1 please be specific regarding what “dated” means.
This is a common term used with many NERC Standards and simply means that your
evidence is dated and time stamped.
6. In M3 please make it clear that if there wasn’t an event, this measure is not
applicable
The DSR SDT has not implied that Applicable Entities need to prove that something
did not happen.
7. In R4 it is not clear what “verify” means. Please clarify.
R4 (now R3) was revised to remove “verify”
R3. Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2.
8. In Attachment 1 there are references to Critical Asset and Critical Cyber Asset.
These terms will likely be eliminated from the NERC Glossary of Terms when CIP V5
moves forward and is ultimately approved by FERC. This could create future
problems with EOP-004 if CIP V5 is made effective as currently drafted.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008.
9. In Attachment 1 the one hour timeframe for submitting data for the first 7 items
listed is very tight. Other than being required by the DOE OE-417 form, NRECA
requests that the SDT provide further support for this timeframe. If there are not
distinct reasons why 1 hour is the right timeframe for this, then other timeframes
should be explored with DOE.
The DSR SDT also received many comments regarding the various events of
Attachment 1. Many commenters questioned the reliability benefit of reporting
events to the ERO and their Reliability Coordinator within 1 hour. Most of the events
with a one hour reporting requirement were revised to 24 hours based on stakeholder
comments as well as those types of events are currently required to be reported
within 24 hours in the existing mandatory and enforceable standards. The only
remaining type of event that is to be reported within one hour is “A reportable Cyber
Security Incident” as it is required by CIP-008.
FERC Order 706, paragraph 673 states: “…each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but, in any event within one hour of the event…”
Note that members of NRECA may be required to submit the DOE Form OE 417, and
this agency’s reporting requirements are not within scope of the project.
10. While including Footnote 1 is appreciated, NRECA is concerned that this footnote
will create confusion in the compliance and audit areas and request the SDT to
provide more definitive guidance to help explain what these "Events" refer to.
NRECA has the same comment on Footnote 2 and 3. Specifically in Footnote 3, how
do you clearly determine and audit from a factual standpoint something that “could
have damaged” or “has the potential to damage the equipment?”
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “A physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
11. In the Guideline and Technical Basis section, in the 1st bullet, how do you
determine, demonstrate and audit for something that “may impact” BES reliability?
This statement has been removed per comments received.
12. On p. 28, first line, this sentence seems to state that NERC, law enforcement and
other entities - not the responsible entity - will be doing event analysis. My
understanding of the current and future Event Analysis Process is that the
responsible entity does the event analysis. Please confirm and clarify.
EOP-004-2 requires Applicable Entities to “report” and “communicate” as stated in
Requirement 1, Part 1.2: “A process for communicating each of the applicable events
listed in EOP-004 Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
The Event Analysis Program may use a reported event as a basis to analyze an event.
The processes of the Event Analysis Program fall outside the scope of this project, but
the DSR SDT has collaborated with them on events contained in Attachment 1.
The Standard does not require the Applicable Entity to analyze a reported event.
Response: Thank you for your comment. Please see response above.
Exelon
1. Please replace the text “Operating Plan” with procedure(s). Many companies have
procedure(s) for the reporting and recognition of sabotage events. These
procedures extend beyond operating groups and provide guidance to the entire
company.
Thank you for your comment. The DSR SDT intends on keeping “Operating Plan”
within EOP-004-2 since NERC has it defined as:
“A document that identifies a group of activities that may be used to achieve some goal.
An Operating Plan may contain Operating Procedures and Operating Processes. A
company-specific system restoration plan that includes an Operating Procedure for
black-starting units, Operating Processes for communicating restoration progress with
other entities, etc., is an example of an Operating Plan”. As stated, the Operating Plan
may contain Operating procedures or Operating Processes. This will give Applicable
Entities the greatest flexibility in achieving compliance with this Standard.
2. The Loss of Off-site power event criteria is much improved from the last draft of
EOP 004-2; however, some clarification is needed to more accurately align with NERC
Standard NUC-001 in both nomenclature and intent. Specifically, as Exelon has
previously commented, there are many different configurations supplying offsite
power to a nuclear power plant and it is essential that all configurations be
accounted for. As identified in the applicability section of NUC-001 the applicable
transmission entities may include one or more of the following (TO, TOP, TP, TSP, BA,
RC, PC, DP, LSE, and other non-nuclear GO/GOPs). Based on the response to
previous comments submitted for Draft 2, Exelon understands that the DSR SDT
evaluated the use of the word “source” but dismissed the use in favor of “supply”
with the justification “[that] ‘supply’ encompasses all sources”. Exelon again
suggests that the word “source” is used as the event criteria in EOP-004-2 as this
nomenclature is commonly used in the licensing basis of a nuclear power plant. By
revising the threshold criteria to “one or more” Exelon believes the concern the DSR
SDT noted is addressed and ensures all sources are addressed. In addition, by
revising the threshold for reporting to a loss of “one or more” will ensure that all
potential events (regardless of configuration of off-site power supplies) will be
reported by any applicable transmission entity specifically identified in the nuclear
plant site specific NPIRs. As previously suggested, Exelon again proposes that the loss
of an off-site power source be revised to an “unplanned” loss to account for planned
maintenance that is coordinated in advance in accordance with the site specific
NPIRs and associated Agreements. This will also eliminate unnecessary reporting for
planned maintenance. Although the loss of one off-site power source may not result
in a nuclear generating unit trip, Exelon agrees that an unplanned loss of an off-site
power source regardless of impact should be reported within the 24 hour time limit
as proposed. Suggest that the Loss of Offsite power to a nuclear generating plant
event be revised as follows:
Event: Unplanned loss of any off-site power source to a Nuclear Power Plant
Entity with Reporting Responsibility: The applicable
Transmission Entity that owns and/or operates the off-site power source to a
Nuclear Power Plant as defined in the applicable Nuclear Plant Interface
Requirements (NPIRs) and associated Agreements.
Threshold for Reporting: Unplanned loss of one or more off-site power sources to a Nuclear Power Plant per
the applicable NPIRs.
Based on comments received, this event has been updated within Attachment 1 to
read as:
“Complete loss of off-site power to a nuclear generating plant (grid supply)”.
3. Attachment 1 Generation loss event criteria Generation loss The ≥ 2000
MW/≥ 1000 MW generation loss criteria do not provide a time threshold or
location criteria. If the 2000 MW/1000 MW is intended to be from a combination of
units in a single location, what is the time threshold for the combined unit loss? For
example, if a large two unit facility in the Eastern Interconnection with an aggregate
full power output of 2200 MW (1100 MW per unit) trips one unit (1100 MW) [T=0
loss of 1100 MW] and is ramping back the other unit from 100% power and 2 hours
later the other unit trips at 50% power [550 MW at time of trip]. The total loss is
2200 MW; however, the loss was sustained over a 2 hour period. Would this
scenario require reporting in accordance with Attachment 1? What if it happened in
15 minutes? 1 hour? 24 hours? Exelon suggests the criteria revised to include a time
threshold for the total loss at a single location to provide this additional guidance to
the GOP (e.g., within 15 minutes to align with other similar threshold conditions).
Threshold for Reporting
• ≥ 2,000 MW unplanned total loss at a single location
within 15 minutes for entities in the Eastern or Western Interconnection
• ≥ 1000 MW unplanned total loss at a single location within 15 minutes for entities in the
ERCOT or Quebec Interconnection
The DSR SDT has not modified this event since it is being maintained as it is presently
enforceable within EOP-004-1.
4. Exelon appreciates that the DSR SDT has added the NRC to the list of Stakeholders
in the Reporting Process, but does not agree with the SDT response to FirstEnergy’s
comment to Question 17 [page 206] that stated “NRC requirements or comments fall
outside the scope of this project.” Quite the contrary, this project should be
communicated and coordinated with the NRC to eliminate confusion and duplicative
reporting requirements. There are unique and specific reporting criteria and
coordination that is currently in place with the NRC, the FBI and the JTTF for all
nuclear power plants. If an event is in progress at a nuclear facility, consideration
should be given to coordinating such reporting as to not duplicate effort, introduce
conflicting reporting thresholds, or add unnecessary burden on the part of a nuclear
GO/GOP whose primary focus is to protect the health and safety of the public during
a potential radiological sabotage event (as defined by the NRC) in conjunction with
potential impact to the reliability of the BES.
The DSR SDT has established a minimum amount of reporting for events listed in
Attachment 1. The NRC does not fall under the jurisdiction of NERC and so therefore
it is not within scope of this project.
5. Attachment 1 Detection of a reportable Cyber Security Incident event criteria. The
threshold for reporting is “that meets the criteria in CIP-008”. If an entity is exempt
from CIP-008, does that mean that this reportable event is therefore also not
applicable in accordance with EOP-004-2 Attachment 1?
If an entity is exempt from CIP-008, then they do not have to report this type of event.
Entities can report any situation at anytime to whomever they wish. If an entity is
responsible for items that fall under a Cyber Security Incident, then they would report
per this standard.
Response: Thank you for your comment. Please see response above.
Duke Energy
1. Reporting under EOP-004-2 should be more closely aligned with Events Analysis
Reporting.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as, the EAWG’s requirements were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
2. Attachment 1 - Under the column titled “Entity with Reporting Responsibility”,
several Events list multiple entities, using the phrase “Each RC, BA, TO, TOP, GO,
GOP, DP that experiences...” or a similar phrase requiring that multiple entities
report the same event. We believe these entries should be changed so that multiple
reports aren’t required for the same event.
The DSR SDT agrees that there may be some dual reporting for the same event. The
minimum Applicable Entities have been reviewed and updated where updates could be
made. The DSR SDT believes that a dual report will provide a clearer picture of the
breadth and depth of an event to the Electric Reliability Organization and the Applicable
Entity’s Reliability Coordinator.
3. Attachment 1 - The phrase “BES equipment” is used several times in the Events
Table and footnotes to the table. “Equipment” is not a defined term and lacks
clarity. “Element” and “Facility” are defined terms. Replace “BES equipment” with
“BES Element” or “BES Facility”.
The DSR SDT has removed the term “equipment” from Attachment 1 per comments
received.
4. Attachment 1 - The Event “Risk to BES equipment” is unclear, since some amount
of risk is always present. Reword as follows: “Event that creates additional risk to a
BES Element or Facility.”
The DSR SDT has removed this event from Attachment 1. Several stakeholders
expressed concerns relating to the “Forced Intrusion” event. Their concerns related to
ambiguous language in the footnote. The DSR SDT discussed this event as well as the
event “Risk to BES equipment”. These two event types had overlap in the perceived
reporting requirements. The DSR SDT removed “Forced Intrusion” as a category and the
“Risk to BES equipment” event was revised to “A physical threat that could impact the
operability of a Facility”.
5. Attachment 1 - The Threshold for Reporting Voltage deviations on BES Facilities is
identified as “+ 10% sustained for > 15 continuous minutes.” Need to clarify + 10%
of what voltage? We think it should be nominal voltage.
A sustained voltage deviation of ± 10% on the BES is a significant deviation and is
indicative of a shortfall of reactive resources either pre- or post-contingency. The DSR
SDT is indifferent to which of nominal, pre-contingency, or scheduled voltage, is used
as the baseline, but for simplicity and to promote a common understanding suggests
using nominal voltage.
6. Attachment 1 - Footnote 1 contains the phrase “has the potential to”. This phrase
should be struck because it creates an impossibly broad compliance responsibility.
Similarly, Footnote 3 contains the same phrase, as well as the word “could” several
times, which should be changed so that entities can reasonably comply.
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “A physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
7. Attachment 1 - The “Unplanned Control Center evacuation” Event has the word
“potential” in the column under “Entity with Reporting Responsibility”. The word
“potential” should be struck.
8. Attachment 2 - Includes “fuel supply emergency”,
which is not listed on Attachment 1.
The DSR SDT has removed the word “potential” from this event. It now reads as:
“Each RC, BA, TOP that experiences the event”
Response: Thank you for your comment. Please see response above.
Energy Northwest - Columbia
1. The Loss of Off-site power event criteria is much improved from the last draft of
EOP 004-2; however, some clarification is needed to more accurately align with NERC
Standard NUC-001 in both nomenclature and intent. Specifically, there are many
different configurations supplying offsite power to a nuclear power plant and it is
essential that all configurations be accounted for. As identified in the applicability
section of NUC-001 the applicable transmission entities may include one or more of
the following (TO, TOP, TP, TSP, BA, RC, PC, DP, LSE, and other non-nuclear
GO/GOPs). Based on the response to previous comments submitted for Draft 2,
Energy Northwest understands that the DSR SDT evaluated the use of the word
“source” but dismissed the use in favor of “supply” with the justification “[that]
‘supply’ encompasses all sources”. Energy Northwest suggests that the word
“source” is used as the event criteria in EOP-004-2 as this nomenclature is commonly
used in the licensing basis of a nuclear power plant. By revising the threshold criteria
to “one or more” Energy Northwest believes the concern the DSR SDT noted is
addressed and ensures all sources are addressed. In addition, by revising the
threshold for reporting to a loss of “one or more” will ensure that all potential events
(regardless of configuration of off-site power supplies) will be reported by any
applicable transmission entity specifically identified in the nuclear plant site specific
NPIRs. Energy Northwest proposes that the loss of an off-site power source be
revised to an “unplanned” loss to account for planned maintenance that is
coordinated in advance in accordance with the site specific NPIRs and associated
Agreements. This will also eliminate unnecessary reporting for planned
maintenance. Although the loss of one off-site power source may not result in a
nuclear generating unit trip, Energy Northwest agrees that an unplanned loss of an
off-site power source regardless of impact should be reported within the 24 hour
time limit as proposed. Suggest that the Loss of Offsite power to a nuclear
generating plant event be revised as follows:
Event: Unplanned loss of any off-site power source to a Nuclear Power Plant
Entity with Reporting Responsibility: The
applicable Transmission Entity that owns and/or operates the off-site power source
to a Nuclear Power Plant as defined in the applicable Nuclear Plant Interface
Requirements (NPIRs) and associated Agreements.
Threshold for Reporting:
Unplanned loss of one or more off-site power sources to a Nuclear Power Plant per
the applicable NPIRs.
Based on comments received, this event has been updated within Attachment 1 to
read as:
“Complete loss of off-site power to a nuclear generating plant (grid supply)”.
2. Please consider changing "Operating Plan" with "Procedure(s)". Procedures extend
beyond operating groups and provide guidance to the entire company.
The DSR SDT intends on keeping “Operating Plan” within EOP-004-2 since NERC has it
defined as:
“A document that identifies a group of activities that may be used to achieve some goal.
An Operating Plan may contain Operating Procedures and Operating Processes. A
company-specific system restoration plan that includes an Operating Procedure for
black-starting units, Operating Processes for communicating restoration progress with
other entities, etc., is an example of an Operating Plan”. As stated, the Operating Plan
may contain Operating procedures or Operating Processes. This will give Applicable
Entities the greatest flexibility in achieving compliance with this Standard.
Response: Thank you for your comment. Please see response above.
Colorado Springs Utilities
Agree with concept to combine CIP-001 into EOP-004. Agree with elimination of
“sabotage” concept. Appreciate the attempt to combine reporting requirements, but
it seems that in practice will still have separate reporting to DOE and NERC/Regional
Entities. EOP-004-2 A.5. “Summary of Key Concepts” refers to Att. 1 Part A and Att. 1
Part B. I believe these have now been combined. EOP-004-2 A.5. “Summary of Key
Concepts” refers to development of an electronic reporting form and inclusion of
regional reporting requirements. It is unfortunate no progress was made on this
front.
Response: Thank you for your comment. The DSR SDT is providing a proposed revision to the NERC Rules of Procedure to address
the electronic reporting concept. These proposed revisions will be posted with the standard.
American Transmission
Company, LLC
ATC appreciates the work of the SDT in incorporating changes that the industry had
with reporting time periods and aligning this with the Events Analysis Working Group
and Department of Energy’s OE 417 reporting form.
Response: Thank you for your comment.
Manitoba Hydro
Attachment 1 - The term ‘Transmission Facilities’ used in Attachment 1 is capitalized,
but it is not a defined term in the NERC glossary. The drafting team should clarify this
issue.
Both Transmission and Facilities are defined terms and the DSR SDT feels this gives
sufficient direction.
Attachment 2 - The inclusion of ‘Fuel supply emergency’ in Attachment 2 creates
confusion as it infers that reporting a ‘fuel supply emergency’ may be required by the
standard even though ‘fuel supply emergency’ is not listed in Attachment 1. On a
similar note, it is not clear what the drafting team is hoping to capture by including a
checkbox for ‘other’ in Attachment 2.
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2.
Response: Thank you for your comment. Please see response above.
NV Energy
Attachment 1 includes an item "Detection of a reportable cyber security incident."
The reporting requirement is a report via Attachment 2 or the OE417 report form
submittal. However, under CIP-008, to which this requirement is linked, the
reporting is accomplished via NERC's secure CIPIS reporting tool. This appears to be
a conflict in that the entity is directed to file reporting under CIP-008 that differs
from this subject standard.
CIP-008-4, Requirement 1, Part 1.3 states that an entity must have:
1.3 Process for reporting Cyber Security Incidents to the Electricity Sector
Information Sharing and Analysis Center (ES-ISAC). The Responsible Entity
must ensure that all reportable Cyber Security Incidents are reported to the ES-ISAC either directly or through an intermediary.
EOP-004-2 also allows for submittal of the report to the ESISAC.
Attachment 1 also includes a provision for reporting the "loss of firm load greater
than or equal to 15 minutes in an amount of 200MW (or 300MW for peaks greater
than 3000MW)." This appears to be a rather low threshold, particularly in comparison
with the companion loss of generation reporting threshold elsewhere in the
attachment. The volume of reports triggered by this low threshold will likely lead to
an inordinate number of filed reports, sapping NERC staff time and deflecting
resources from more severe events that require attention. I suggest either an
increase in the threshold, or the addition of the qualifier "caused by interruption/loss
of BES facilities" in this reporting item. This qualifier would therefore exclude
distribution-only outages that are not indicative of a BES reliability issue.
The DSR SDT has not modified this event since it is being maintained as it is presently
enforceable within EOP-004-1.
Response: Thank you for your comment. Please see response above.
BC Hydro
Attachment 1: Reportable Events: BC Hydro recommends further defining “BES
equipment” for the events Destruction of BES equipment and Risk to BES equipment.
Attachment 1: Reportable Events: BC Hydro recommends defining the Forced
intrusion event as the wording is very broad and open to each entity’s interpretation.
What would be a forced intrusion, i.e. entry or only if equipment damage occurs?
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
Response: Thank you for your comment. Please see response above.
ISO New England
Attachment 1 should be revisited. “Equipment Damage” is overly vague and will also
potentially result in reporting on equipment failures which may simply be related to
the age and/or vintage of equipment.
The DSR SDT has revised this event based on comments received. The new event is
“Damage or destruction of a Facility” which has a threshold of “Damage or destruction
of a Facility that:
Affects an IROL (per FAC-014)
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from intentional human action.”
Response: Thank you for your comment. Please see response above.
Constellation Energy on
behalf of Baltimore Gas &
Electric, Constellation Power
Generation, Constellation
Energy Commodities Group,
Constellation Control and
Dispatch, Constellation
NewEnergy and Constellation
Energy Nuclear Group.
Background Section: The background section in this revision of EOP-004 reads more
like guidance than a background of the development of the event reporting
standard. Because the background remains as part of the standard, the language
raises questions as to the role it plays relative to the standard language. For instance,
the Law Enforcement Reporting section states: “Entities rely upon law enforcement
agencies to respond to and investigate those events which have the potential to
impact a wider area of the BES.” It’s not clear how “potential to impact to a wider
area of the BES” is defined and where it fits into the standard. As well, and perhaps
more problematic, is the Reporting Hierarchy for Reportable Events flow chart.
While the flow chart concept is quite useful as a guidance tool, the flow chart
currently in the Background raises questions. For instance, the Procedure to Report
to Law Enforcement sequence does not map to language in the requirements.
Further, Entities would not know about the interaction between law enforcement
agencies.
The DSR SDT included the flow chart as an example of how an entity might report and
communicate an event. For clarity, we have added the phrase “Example of Reporting
Process Including Law Enforcement” to the top of the page.
Please see additional recommended revisions to the requirement language and to
the Events Table in the Q2 and Q3 responses.
The DSR SDT has removed the wording of “potential” based on comments received.
Attachment 2: Event Reporting Form: The review of the form is one of the many
aspects to compare with the developments within the Events Analysis Process (EAP)
developments. We support the effort to create one form for submissions. The
recent draft EAP posted as part of Planning Committee and Operating Committee
agendas includes a form requiring a few bits of additional relevant information when
compared to the EOP-004 form. This may be a valuable approach to avoid follow up
inquiries that may result if the form is too limited. We suggest that consideration be
given to the proposed EAP form. One specific note on the Proposed EOP-004
Attachment 2: The “Potential event” box in item 3 should be eliminated to track with
the removal of the “Risk to the BES” category.
The DSR SDT has updated Attachment 2 to remove potential event and “Risk to the
BES” category based on comments received.
Response: Thank you for your comment. Please see response above.
Bonneville Power
Administration
BPA believes that Attachment 1 has too many added reportable items because
unintentional, equipment failure & operational errors are included in the first three
items.
A. Change to only “intentional human action”. Otherwise, the first item “destruction
of BES equipment” is too burdensome, along with its short time reporting time: i. - If
a single transformer fails that shouldn’t require a report. ii.- Emergency actions have
to be taken for any failure of equipment, e.g. a loss of line reduces a path SOL and
requires curtailments to reduce risk to the system.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted
B. The item for “risk to BES” is not necessary until the suspicious object has been
identified as a threat. If what turns out to be an air impact wrench left next to BES
equipment, that should not be a reportable incident as this current table implies.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
C. The nuclear “LOOP” should be only reported if total loss of offsite source (i.e. 2 of
2 or 3 of 3) when supplying the plant’s load. If lightning or insulator fails causing one
of the line sources to trip that’s not a system disturbance especially if it is just used
as a backup. It should only be a NRC process if they want to monitor that.
The DSR SDT has updated this event per your comment, it now reads as: “Complete
loss of off-site power to a nuclear generating plant (grid supply)”
The VRF/VSL: BPA believes that the VRF for R2 & R4 should be “Lower”.
The DSR SDT has reviewed and updated the two new requirements and believes the VRF’s
follow the NERC Standard development process.
Response: Thank you for your comment. Please see response above.
CenterPoint Energy
CenterPoint Energy appreciates the SDT’s consideration of comments and removal of
the term, Impact Event. However, the Company still suggests removing the phrase
“with the potential to impact” from the purpose as it is vast and vague. An
alternative purpose would be "To improve industry awareness and the reliability of
the Bulk Electric System by requiring the reporting of events that impact reliability
and their causes if known". The focus should remain on those events that truly
impact the reliability of the BES.
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
CenterPoint Energy remains very concerned about the types of events that the SDT
has retained in Attachment 1 as indicated in the following comments: Destruction of
BES Equipment - The loss of BES equipment should not be reportable unless the
reliability of the BES is impacted.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
Footnote 5, iii should be modified to tie the removal of a piece of equipment from
service back to reliability of the BES. Risk to BES equipment: This Event is too vague
to be meaningful and should be deleted. The Event should be modified to “Detection
of an imminent physical threat to BES equipment”.
The DSR SDT discussed this event as well as the event “Risk to BES equipment”. These
two event types had overlap in the perceived reporting requirements. The DSR SDT
removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “A physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen because
the Responsible Entity is in the best position to exercise this judgment and determine
whether or not an event poses a threat to its Facilities. The DSR SDT believes this revised
event type will minimize administrative burden and ensure that events meaningful to
industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
Any reporting time frame of 1 hour is unreasonable; Entities will still be responding
to the Event and gathering information. A 24 hour reporting time frame would be
more reasonable and would still provide timely information.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
System Separation: The 100 MW threshold is too low for a reliability impact. A more
appropriate threshold is 500 MW.
The DSR SDT has reviewed your request and have determined the event as written
“Each separation resulting in an island of generation and load ≥ 100 MW” does
impact the reliability of the BES.
Loss of Monitoring or all voice communication capability: The two elements of this
Event should be separated for clarity as follows: “Loss of monitoring of Real-Time
conditions” and “Loss of all voice communication capability.”
The DSR SDT has broken this event down into two distinct events: “Loss of all voice
communication capability” and “Complete or partial loss of monitoring capability”,
per comments received.
Response: Thank you for your comment. Please see response above.
Orange and Rockland Utilities,
Inc./Consolidated Edison Co.
of NY, Inc.
Comments:
o Requirement 4 does not specifically state details necessary for an
entity to achieve compliance. Requirement 4 should provide more guidance as to
what is required in a drill. Audit / enforcement of any requirement language that is
too broad will potentially lead to Regional interpretation, inconsistency, and
additional CANs.
o R4 should be revised to delete the 15 month requirement. CAN-0010 recognizes
that entities may determine the definition of annual.
Requirement R4 has been revised as you suggested.
o The Purpose of the Standard should be revised because some of the events being
reported on have no impact on the BES. Revise Purpose as follows: To improve
industry awareness and the reliability of the Bulk Electric System by requiring the
reporting of [add] "major system events.” [delete - “with the potential to impact
reliability and their causes, if known, by the Responsible Entities.”]
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of
events by Responsible Entities.”
Response: Thank you for your comment. Please see response above.
Entergy Services
Entergy agrees with and supports comments submitted by the SERC OC Standards
Review group.
Response: Thank you for your comment.
ITC
Footnote 1 and the corresponding Threshold For Reporting associated with the first
Event in Attachment 1 are not consistent and thus confusing. Qualifying the term
BES equipment through a footnote is inappropriate as it leads to this confusion. For
instance, does iii under Footnote 1 apply only to BES equipment that meet i and ii or
is it applicable to all BES equipment?
The DSR SDT discussed this event as well as the event “Risk to BES equipment”. These
two event types had overlap in the perceived reporting requirements. The DSR SDT
removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “A physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance
in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
The inclusion of equipment failure, operational error and unintentional human
action within the threshold of reporting for “destruction” required in the first 3
Events listed in Attachment 1 is also not appropriate. It is clear through operational
history that the intent of the equipment applied to the system, the operating
practices and personnel training developed/delivered to operate the BES is to result
in reliable operation of the BES which has been accomplished exceedingly well given
past history. This is vastly different than for intentional actions and should be
excluded from the first 3 events listed in Attachment. To the extent these issues are
present in another event type they will be captured accordingly.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
Footnote 1 should be removed and the Threshold for Reporting associated with the
first three events in Attachment 1 should be updated only to include intentional
human action. This will also result in including all BES equipment that was
intentionally damaged in the reporting requirement and not just the small subset
qualified by the existing footnote 1. This provides a much better data sample for law
enforcement to make assessments from than the smaller subset qualified by what
we believe the intent of footnote 1 is.
The DSR SDT discussed this event as well as the event “Risk to BES equipment”. These
two event types had overlap in the perceived reporting requirements. The DSR SDT
removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “A physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance
in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
Response: Thank you for your comment. Please see response above.
APX Power Markets (NCR11034)
For Attachment 1 and the events titled "Unplanned Control Center evacuation" and
"Loss of monitoring or all voice communication capability". RC, BA, and TOP are the
only listed entity types listed for reporting responsibility. We are a GOP that offers a
SCADA service in several regions and those type of events could result in a loss of
situational awareness for the regions we provide services. I believe the requirement
for reporting should not be limited to Entity Type, but on their impact for situational
awareness to the BES based on the amount of generation they control (specific to
our case), or other criteria that would be critical to the BES (i.e. voltage, frequency).
Note that EOP-008-0 is only applicable to Balancing Authorities, Transmission
Operators and Reliability Coordinators, this is the basis for the “Entity with reporting
Responsibilities” and reads as: “Each RC, BA, TOP that experiences the event”.
Response: Thank you for your comment. Please see response above.
ACES Power Marketing
Standards Collaborators/
Great River Energy
For many of the events listed in Attachment 1, there would be duplicate reporting
the way it is written right now. For example, in the case of a fire in a substation
(Destruction of BES equipment), the RC, BA, TO, TOP and perhaps the GO and GOP
could all experience the event and each would have to report on it. This seems quite
excessive and redundant. We recommend eliminating this duplicate reporting.
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
Response: Thank you for your comment. Please see response above.
Intellibind
I do not see that the rewrite of this standard is meeting the goal of clear reliability
standards, and in fact the documents are looking more like legal documents. Though
the original EOP-004 and CIP-001 were problematic at times, this rewrite, and the
need to have such extensive guidance, attachments, and references for EOP-004-2
will create an even more difficult standard to properly meet to ensure compliance
during an audit. Though CIP-001 and EOP-004 were related, combining them in a
single standard is not resolving the issues, and is in fact complicating the
tasks. Requirements in this standard should deal with only one specific issue, not deal
with multiple tasks. I am not sure how an auditor will consistently audit against R2,
and how a violation will be categorized when an entity implements all portions of
their Operating Plan, however fails to fully address all the requirements in R1,
thereby not fully implementing R2, in strict interpretation.
The DSR SDT does not agree that the proposed EOP-004-2 “will create an even more
difficult standard to properly meet to ensure compliance during an audit”. The DSR SDT
main concern is the reporting of events per Attachment 1 is in-line with the Purpose of
this Standard that states: “To improve the reliability of the Bulk Electric System by
requiring the reporting of events by Responsible Entities.” The NERC Reliability
Standards are designed to support the reliability of the BES.
Requirement R2 has been updated to read as: “R2. Each Responsible Entity shall
implement its event reporting Operating Plan for applicable events listed in EOP-004
Attachment 1, and in accordance with the timeframe specified in EOP-004
Attachment 1.” Based on comments received.
The drafting team should not set up a situation where an entity is in double jeopardy
for missing an element of a requirement. I also suggest that EOP-004-2 be given a
new EOP designation rather than calling it a revision. This way implementation can
be better controlled, since most companies have written specific CIP-001 and EOP-004 documents that will not simply transfer over to the new version. This standard is
a drastic departure from the original versions. I appreciate the level of work that is
going into EOP-004-2, it appears that significant time and effort has been going into
the supporting documentation. It is my opinion that if this much material has to be
created to state what the standard really requires, then the standard is flawed.
When there are 21 pages of explanation for five requirements, especially when we
have previously had 16 pages that originally covered 2 separate reliability standards,
we need to reevaluate what we are really doing.
The DSR SDT has revised EOP-004 and CIP-001 using the results based standard
development process. This process calls for the drafting team to develop
documentation regarding its thoughts during the development process. This allows
for a more robust standard which contains background material for an entity to have
sufficient guidance to show compliance with the standard.
Response: Thank you for your comment. Please see response above.
Imperial Irrigation District
IID strongly believes the reporting flowchart should not be part of a standard. The
suggestion is to replace it with a more clear, right to the point requirement.
The DSR SDT has discussed this issue and believes it would be too prescriptive to have
a flow chart as a requirement. If desired, an entity can have a flow chart as part of
the Operating Plan as stated in Requirement 1.
Response: Thank you for your comment. Please see response above.
Illinois Municipal Electric
Agency
IMEA appreciates this opportunity to comment. IMEA appreciates the SDT's efforts
to simplify reporting requirements by combining CIP-001 with EOP-004. [IMEA
encourages NERC to continue working towards a one-stop-shop to simplify reporting
on ES-ISAC.] IMEA supports, and encourages SDT consideration of, comments
submitted by APPA and Florida Municipal Power Agency.
Response: Thank you for your comment. Please see the responses to the other comments that you mention.
Westar Energy
In Requirement 1.3, the statement “and the following as appropriate” is vague and
subject to interpretation. Who determines what is appropriate? We feel it would be
better if the SDT would specify for each event, which party should be notified.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is to
define its process for reporting and with whom to report events. Part 1.2 now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.”
Response: Thank you for your comment. Please see response above.
South Carolina Electric and
Gas
In terms of receiving reports, is it the drafting team's expectation that separate
reports be developed by both the RC and the TOP, GO, BA, etc. for an event that
occurs on a company's system that is within the RC's footprint? One by the RC and
one by the TOP, GO, BA, etc. In terms of meeting reporting thresholds, is it the
drafting team's expectation that the RC aggregate events within its RC Area to
determine whether a reporting threshold has been met within its area for the
quantitative thresholds?
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
It is possible for the Applicable Entities within the Reliability Coordinator’s area to be
part of a JRO/CFR but this is outside the scope of this Project.
Response: Thank you for your comment. Please see response above.
Occidental Power Services,
Inc. (OPSI)
Load Serving Entities that do not own or operate BES assets should not be included in
the Applicability. In current posting, the SDT states that it includes LSEs based on
CIP-002; however, if the LSE does not have any BES assets, CIP-002 should also not
be applicable, because the LSE could not have any Critical Assets or Critical Cyber
Assets. It is understood that the SDT is trying to comply with FERC Order 693,
Section 460 and 461; however, Section 461 also states “Further, when addressing
such applicability issues, the ERO should consider whether separate, less
burdensome requirements for smaller entities may be appropriate to address these
concerns.” A qualifier in the Applicability of EOP-004-2 that would include only LSEs
that own or operate BES assets would seem appropriate. The proposed CIP-002
Version V has such a qualifier in that it applies to a “Load-Serving Entity that owns
Facilities that are part of any of the following systems or programs designed,
installed, and operated for the protection or restoration of the BES: o A UFLS
program required by a NERC or Regional Reliability Standard o A UVLS program
required by a NERC or Regional Reliability Standard” The SDT should consider the
same wording in the Applicability section of EOP-004-2 in order to be consistent
with what will become the standing version of CIP-002 (Version 5).
The DSR SDT has “considered” section 460 and 461 of FERC Order 693 and has tried
to minimize duplicative reporting, but recognizes there may be events that trigger
more than one report. The current applicability ensures an event that could affect just
one of the entities with reporting responsibility isn’t missed.
The DSR SDT wishes to draw your attention to section 459 of FERC Order 693 which
states: “ … an adversary may target a small user, owner or operator because it may
have similar equipment or protections as a larger facility, that is, the adversary may
use an attack against a smaller facility as a training ‘exercise’”.
Response: Thank you for your comment. Please see response above.
American Electric Power
M4: Recommend removing the text “for events” so that it instead reads “The
Responsible Entity shall provide evidence that it verified the communication process
in its Operating Plan created pursuant to Requirement R1, Part 1.3.” R4: It is not clear
to what extent the verification needs to be applied if the process used is complex
and includes a variety of paths and/or tasks. The draft team may wish to consider
changing the wording to simply state “each Responsible Entity shall test each of the
communication paths in the operating plan”. We also recommend dropping “once
per calendar year” as it is inconsistent with the measure itself which allows for 15
months.
The DSR SDT has revised R4 (now R3) and the associated measure M3:
M3. Each Responsible Entity will have dated and time-stamped records to show that
the annual test of Part 1.2 was conducted. Such evidence may include, but are not
limited to, dated and time stamped voice recordings and operating logs or other
communication documentation. The annual test requirement is considered to be met
if the responsible entity implements the communications process in Part 1.2 for an
actual event. (R3)
Response: Thank you for your comment. Please see response above.
Indiana Municipal Power
Agency
Many of the items listed in Attachment 1 are onerous and burdensome when it
comes to making judgments or determinations. What one may consider “Risk to BES
equipment” another person may not make the same determination. Clarity needs to
be added to make the events easier to determine and that will result in less issues
when it comes to compliance audits.
IMPA does not understand the usage of the terms Critical Asset and Critical Cyber
Asset as they will be retired with CIP version 5. IMPA believes the data retention
requirements are way too complicated and need to be simplified. It seems like it
would be less complicated if one data retention period applied to all data associated
with this standard.
The DSR has revised many of the events listed in Attachment 1 to provide clarity. We
have also removed the references to Critical Asset and Critical Cyber Asset.
On “public appeal”, in the threshold, the descriptor “each” should be deleted, e.g., if
a single event causes an entity to be short of capacity, do you really want that entity
reporting each time they issue an appeal via different types of media, e.g., radio, TV,
etc., or for a repeat appeal every several minutes for the same event?
The DSR SDT has updated the Public Appeal event to read as: “Public appeal for load
reduction event” based on comments received.
Response: Thank you for your comment. Please see response above.
MidAmerican Energy
MidAmerican proposes eliminating the phrase “with no more than 15 months
between reviews” from R1.5. While we agree this is best practice, it creates the need
to track two conditions for the review, eliminates flexibility for the responsible entity
and does not improve security to the Bulk Electric System. There has not been a
directive from FERC to specify the definition of annual within the standard itself. In
conjunction with this comment, the Violation Severity Levels for R4 should be revised
to remove the references to months.
The DSR SDT has removed this phrase from the requirement (now R3).
Response: Thank you for your comment. Please see response above.
Oncor Electric Delivery
Company LLC
NERC's Event Analysis Program tends to parallel many of the reporting requirements
as outlined in EOP-004 Version 2. Oncor recommends that NERC considers ways of
streamlining the reporting process by either incorporating the Event Analysis
obligations into EOP-004-2 or reducing the scope of the Event Analysis program as
currently designed to consist only of "exception" reporting.
The DSR SDT has reviewed the Event Analysis Program's criteria. The DSR SDT has
determined that Attachment 1 covers the minimum reporting requirements.
Response: Thank you for your comment. Please see response above.
Compliance & Responsibility
Office
NextEra Energy, Inc. (NextEra) appreciates the DSR SDT revising proposed EOP-004-2,
based on the previous comments of NextEra and the stakeholders. NextEra,
however, believes that EOP-004-2 needs additional refinement prior to approval.
R1.3
In R1.3, NextEra is concerned that the term “internal company personnel” is
unclear and may be misinterpreted. For example, NextEra does not believe this term
should include all company or corporate personnel, or even all personnel in the
Responsible Entity’s company or business unit. Instead, the definition of personnel
should be limited to those who could be directly impacted by the event or are
working on the event. Thus, NextEra suggests that the language in R1.3 be revised to
read: “Internal Responsible Entity personnel whose tasks require them to take
specific actions to mitigate, stop the spread and/or normalize the event, or
personnel who are directly impacted by the event.” NextEra is concerned that R1.3,
as written, will be interpreted differently from company to company, region to
region, auditor to auditor, and, therefore, may result in considerable confusion
during actual events as well as during the audits/stop checks of EOP-004-2
compliance.
The DSR SDT has written Requirement R1, Part 1.2 in a way to allow the entity to
determine who should receive the communication within your company as stated in
your Operating Plan.
Also, in R1.3, NextEra is concerned that many of the events listed in Attachment A
already must be reported to NERC under its trial (soon to be final) Event Analysis
Reporting requirements (Event Analysis). NextEra believes duplicative and different
reporting requirements in EOP-004-2 and the Event Analysis rules will cause
confusion and inefficiencies during an actual event, which will likely be
counterproductive to promoting reliability of the bulk power system. Thus, NextEra
believes that any event already covered by NERC’s Event Analysis should be deleted
from Attachment 1. Events already covered include, for example, loss of monitoring
or all voice, loss of firm load and loss of generation. If this approach is not
acceptable, NextEra proposes, in the alternative, that the reporting requirements
between EOP-004-2 and Event Analysis be identical. For instance, in EOP-004-2,
there is a requirement to report any loss of firm load lasting for more than 15
minutes, while the Event Analysis only requires reporting of the loss of firm load
above 300 megawatts and lasting more than 15 minutes. Similarly, EOP-004-2
requires the reporting of any unplanned control center evacuation, while the Event
Analysis only requires reporting after the evacuation of the control center that lasted
30 minutes or more. Thus, NextEra requests that either EOP-004-2 not address
events that are already set forth in NERC’s Event Analysis, or, in the alternative, for
those duplicative events to be reconciled and made identical, so the thresholds set
forth in the Event Analysis are also used in EOP-004-2.
The DSR SDT has worked with the EAWG to develop Attachment 1. At one point they
matched. The event for loss of load matches and we revised the “unplanned control
center evacuation” event to be for 30 minutes or more.
In addition, NextEra believes that a reconciliation between the language “of
recognition” in Attachment 1 and “process to identify” in R1.1 is necessary. NextEra
prefers that the language in Attachment 1 be revised to read “ . . . of the
identification of the event under the Responsible Entity’s R1.1 process.” For
instance, the first event under the “Submit Attachment 2 . . . .” column should read:
“The parties identified pursuant to R1.3 within 1 hour of the identification of an
event under the Responsible Entity’s R1.1 process.” This change will help eliminate
confusion, and will also likely address (and possibly make moot) many of the
footnotes and qualifications in Attachment 1, because a Responsible Entity’s process
will likely require that possible events are properly vetted with subject matter
experts and law enforcement, as appropriate, prior to identifying them as “events”.
Thus, only after any such vetting and a formal identification of an event would the
one hour or twenty-four hour reporting clock start to run.
R1.4, R1.5, R3 and R4
NextEra is concerned with the wording and purpose of R1.4, R1.5, R3 and R4.
The language was revised in Requirement 1, Part 1.1 to “recognize” based on other
comments received.
For example, R1.4 requires an update to the Operating Plan for “. . . any change in
assets, personnel, other circumstances . . . .” This language is much too broad to
understand what is required or its purpose. Further, R1.4 states that the Operating
Plan shall be updated for lessons learned pursuant to R3, but R3 does not address
lessons learned. Although there may be lessons learned during a post event
assessment, there is no requirement to conduct such an assessment. Stepping back,
it appears that the proposed EOP-004-2 has a mix of updates, reviews and
verifications, and the implication that there will be lessons learned. Given that EOP-004-2 is a reporting Standard, and not an operational Standard, NextEra is not
inclined to agree that it needs the same testing and updating requirements like EOP-005 (restoration) or EOP-008 (control centers). Thus, it is NextEra’s preference that
R1.4, R1.5 and R4 be deleted, and replaced with a new R1.4 as follows: R1.4 A
process for ensuring that the Responsible Entity reviews, and updates, as appropriate
its Operating Plan at least annually (once each calendar year) with no more than 15
months between reviews. If the DSR SDT does not agree with this approach, NextEra,
in the alternative, proposes a second approach that consolidates R1.4, R1.5 and R4 in
a new R1.4 as follows: R1.4 A process for ensuring that the Responsible Entity tests
and reviews its Operating Plan at least annually (once each calendar year) with no
more than 15 months between a test and review. Based on the test and review, the
Operating Plan shall be updated, as appropriate, within 90 calendar days. If an
actual event occurs, the Responsible Entity shall conduct a post event assessment to
identify any lessons learned within 90 calendar days of the event. If the Responsible
Entity identifies any lessons learned in post event assessment, the lessons learned
shall be incorporated in the Operating Plan within 90 calendar days of the date of the
final post event assessment. NextEra purposely did not add language regarding
“any change in assets, personnel etc,” because that language is not sufficiently clear
or understandable for purposes of a mandatory requirement. Although it may be
argued that it is a best practice to update an Operating Plan for certain changes,
unless the DSR SDT can articulate specific, concrete and understandable issues that
require an updated Operating Plan prior to an annual review, NextEra recommends
that the concept be dropped.
Requirement 1, Part 1.4 was merged with Part 1.5 as well as R4. The resulting
requirement is now Requirement 3:
“Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2.
[Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
Nuclear Specific Concerns
EOP-004-2 identifies the Nuclear Regulatory Commission
(NRC) as a stakeholder in the Reporting Process, but does not address the status of
reporting to the NRC in the Event Reporting flow diagram on page 9. Is the NRC
considered Law Enforcement as is presented in the diagram? Since nuclear stations
are under a federal license, some of the events that would trigger local/state law
enforcement at non-nuclear facilities would be under federal jurisdiction at a nuclear
site.
The process flowchart is an example of how an entity might operate. If an event
requires notification of the NRC, this would be an example of notification of a
regulatory authority. It is anticipated that the reporting entity would also notify law
enforcement if appropriate.
There are some events listed in Attachment 1 that seem redundant or out of place.
For example, a forced intrusion is a one hour report to NERC. However, if there is an
ongoing forced intrusion at a nuclear power plant, there are many actions taking
place, with the NRC Operations Center as the primary contact which will mobilize the
local law enforcement agency, etc.
The DSR SDT removed “Forced Intrusion” as a category and the “Risk to BES
equipment” event was revised to “Any physical threat that could impact the
operability of a Facility”.
It is unclear that reporting to NERC in one hour promotes reliability or the resolution
of an emergency in progress.
All one hour reporting timelines have been changed to 24 hours with the exception of
a ‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
Also, is there an ability to have the NRC in an emergency notify NERC? The same
concerns related to cyber security events.
Procedures versus Plan
NextEra also
suggests replacing "Operating Plan" with "procedures". Given that EOP-004-2 is a
reporting Standard and not an operational Standard, it is typical for procedures that
address this standard to reside in other departments, such as Information
Management and Security. In other words, the procedures needed to address the
requirements of EOP-004-2 are likely broader than the NERC-defined Operating Plan.
Within your Operating Plan you are required to “report” events to the ERO and your
RC and communicate this information (to others) as you define it within your
company’s Operating Plan. This will allow you to customize any events as you see fit.
Clean-Up Items
In Attachment 1, Control Centers should be capitalized in all columns
so as not to be confused with control rooms.
Since “control center” is not a defined term, it has been revised to lower case.
Also, the final product should clearly state that the process flow chart that is set
forth before the Standard is for illustrative purposes, so there is no implication that a
Registered Entity must implement multiple procedures versus one comprehensive
procedure to address different reporting requirements.
The introduction of the flow chart is clearly marked “Example of Reporting Process
including Law Enforcement”.
Response: Thank you for your comment. Please see response above.
PacifiCorp
No comment.
Arizona Public Service
Company
No comments
PPL Electric Utilities and PPL
Supply Organizations
Our comments center around the footnotes and events 'Destruction of BES
equipment' and 'Loss of Off-site power to a nuclear generating plant'. We request
the SDT consider adding a statement to the standard that acknowledges that not all
registered entities have visibility to the information in the footnotes. E.G.
Destruction of BES equipment. A GO/GOP does not necessarily know if loss of
specific BES equipment would affect any IROL and therefore would not be able to
consider this criteria in its reporting decision. Loss of BES equipment would be
reported to the BA/RC and the BA/RC would know of an IROL impact and the BA/RC
is the appropriate entity to report. We request the SDT consider the information in
the footnotes for inclusion in the table directly. Consider Event 'Destruction of BES
equipment'. Is footnote 1 a scoping statement? Is it part of the threshold? Is it the
impact? Is it defining Destruction? If the BES equipment was destroyed by weather
and does not affect an IROL, then is no report needed? Alternatively, do you still
apply the threshold and say it was external cause and therefore report?
Several event categories were removed or combined to improve Attachment 1. The
footnotes that you mention were removed and included in the threshold for reporting
column. If an entity does not experience an event, then they should not report on it.
As you suggest, most GO/GOPs do not see the transmission system. It is anticipated
that they will report for events on their Facilities.
We suggest including a flowchart on how to use Attachment 1 with an example. The
flowchart would explain the order in which to consider the event and the threshold,
and footnotes if they remain. Regarding Attachment 1 Footnote 1 'do not report
copper theft...unless it degrades the ability of equipment to operate correctly.', is
this defining destruction as not operating correctly? Or is the entirety of footnote 1 a
definition of destruction? Regarding Attachment 1 Footnote 1, iii, we request this be
changed for consistency with the Event and suggest removing damage from the
footnote. i.e. The event is 'destruction' whereas the footnote says 'damaged or
destroyed'. The standard does not provide guidance on damage vs destruction
which could lead to differing reporting conclusions. Is the reporting line out of
service, beyond repair, or is it timeframe based? Regarding Attachment 1 Footnote 2
' to steal copper... unless it affects the reliability of the BES', is affecting the reliability
of the BES a consideration in all the events? PPL believes this is the case and request
this statement be made. This could be included in the flowchart as a decision point.
Regarding Event 'Loss of Off-site power to a nuclear generating plant', the threshold
for reporting does not designate if the off-site loss is planned and/or unplanned - or
if the reporting threshold includes the loss of one source of off-site power or is the
reporting limited to when all off-site sources are unavailable. PPL recommends the
event be ‘Total unplanned loss of offsite power to a nuclear generating plant (grid
supply)’
Thank you for considering our comments.
The DSR SDT discussed “Forced Intrusion” as well as the event “Risk to BES
equipment”. These two event types had overlap in the perceived reporting
requirements. The DSR SDT removed “Forced Intrusion” as a category and the “Risk to
BES equipment” event was revised to “A physical threat that could impact the
operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance
in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
The DSR SDT has updated the Requirements based on comments received along with
updating Attachment 1 and 2. Please review the updated standard for all your
concerns.
Response: Thank you for your comment. Please see response above.
City of Austin dba Austin Energy
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting
efforts related to both the proposed Bulk Electric System ("BES") definition changes
and CIP Standards Version 5 could significantly impact the EOP-004-2 reporting
requirements. Caution needs to be exercised when referencing these definitions, as
the definition of a BES element could change significantly and the concepts of
“Critical Assets” and “Critical Cyber Assets” no longer exist in Version 5 of the CIP
Standards.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Additionally, it is debatable whether the destruction of, for example, one relay
would be a reportable incident given the proposed language. Related to “Reportable
Events” of Attachment 1: 1. The “Purpose” section of the Standard indicates it is
designed to require the reporting of events “with the potential to impact reliability”
of the BES. Footnote 1 and the “Threshold for Reporting” associated with the Event
described as “Destruction of BES equipment” expand the reporting scope beyond
that intent. For example, a fan on a generation unit can be destroyed because a plant
employee drops a screwdriver into it. We believe such an event should not be
reportable under EOP-004-2. Yet, as written, a Responsible Entity could interpret
that event as reportable (because it would be “unintentional human action” that
destroyed a piece of equipment associated with the BES). If the goal of the SDT was
to include such events, we think the draft Standard goes too far in requiring
reporting. If the SDT did not intend to include such events, the draft Standard should
be revised to make that fact clear.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
2. Item iii) in Footnote 1 seems redundant with the Threshold for Reporting.
3. The word “Significantly” in item ii) of footnote 1 introduces an element of subjectivity.
What is “significant” to one person may not be significant to someone else.
4. The word “unintentional” in Item iii) of footnote 1 may introduce nuisance reporting.
The SDT should consider: (1) changing the Event description to “Damage or
destruction of BES equipment” (2) removing the footnote and (3) replacing the
existing “Threshold for Reporting” with the following language: “Initial indication the
event: (i) was due to intentional human action, (ii) affects an IROL or (iii) in the
opinion of the Responsible Entity, jeopardizes the reliability margin of the system
(e.g., results in the need for emergency actions)”
The DSR SDT revised this event to “Damage or destruction of a Facility” and removed the
footnote. The threshold for reporting now reads:
Damage or destruction of a Facility that:
Affects an IROL (per FAC-014)
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from intentional human action.
5. One reportable event is “Risk to the BES” and the threshold for reporting is, “From
a non-environmental physical threat.” This appears to be intended as a catch-all
reportable event. Due to the subjectivity of this event description, we suggest
removing it from the list.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
6. One reportable event is “Damage or destruction of Critical Asset per CIP-002.” The
SDT should define the term “Damage” in order for an entity to determine a threshold
for what qualifies as “Damage” to a CA. Normal “damage” can occur on a CA that
should not be reportable (e.g. the screwdriver example, above).
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
7. For the event called “BES Emergency requiring public appeal for load reduction,”
the SDT should make it clear who should report such an event. For example, in the
ERCOT Region, there is a requirement that ERCOT issue public appeals for load
reduction (See ERCOT Protocols Section 6.5.9.4). As the draft of EOP-004-2 is
currently written, every Registered Entity in the ERCOT Region would have to file a
report when ERCOT issues such an appeal. Such a requirement is overly burdensome
and does not enhance the reliability of the BES. The Standard should require that the
Reliability Coordinator file a report when it issues a public appeal to reduce load.
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
Reporting Thresholds
1. See Paragraph 1 in the “Related to 'Reportable Events' of
Attachment 1” section, above. 2. We believe damage or destruction of Critical
Assets or CCAs resulting from operational error, equipment failure or unintentional
human action should not be reportable under this Standard. We recommend
changing the thresholds for “Damage or destruction of Critical Asset...” and “Damage
or destruction of a [CCA]” to “Initial Indication the event was due to external cause
or intentional human action.” 3. We support the SDT’s attempt to limit nuisance
reporting related to copper thefts. However, a number of the thresholds identified
in EOP-004-2 Attachment 1 are very low and could clog the reporting process with
nuisance reporting and reviewing. An example is the “BES Emergency requiring
manual firm load shedding” of ≥ 100 MW or “Loss of Firm load for ≥ 15
Minutes” that is ≥ 200 MW (300 MW if the manual demand is greater than 3000
MW). In many cases, those low thresholds would require reporting minor wind
events or other seasonal system issues on a local network used to provide
distribution service.
Firm Load
1. The use of the term “Firm load” in the context of
the draft Standard seems inappropriate. “Firm load” is not defined in the NERC
Glossary (although “Firm Demand” is defined). If the SDT intended to use “Firm
Demand,” they should revise the draft Standard to use that language. If the SDT
wishes to use the term “Firm load” they should define it. [For example, we
understand that some load agrees to be dropped in an emergency. In fact, in the
ERCOT Region, we have a paid service referred to as “Emergency Interruptible Load
Service” (EILS). If the SDT intends that “Firm load” means load other than load which
has agreed to be dropped, it should make that fact clear.]
The thresholds and events listed in Attachment 1 are currently required under DOE
OE-417 and NERC reporting requirements.
Comments to Attachment 2
1. The checkbox for “fuel supply emergency” should be
deleted because it is not listed as an Event on Attachment 1.
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2.
2. There should be separation between “forced intrusion” and “Risk to BES
equipment.” They are separate Events on Attachment 1.
Several stakeholders expressed concerns relating to the “Forced Intrusion” event.
Their concerns related to ambiguous language in the footnote. The DSR SDT discussed
this event as well as the event “Risk to BES equipment”. These two event types had
overlap in the perceived reporting requirements. The DSR SDT removed “Forced
Intrusion” as a category and the “Risk to BES equipment” event was revised to “A
physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
Comments to Guideline and Technical Basis
The last paragraph appears to state NERC
will accept an OE-417 form as long as it contains all of the information required by
the NERC form and goes on to state the DOE form “may be included or attached to
the NERC report.” If the intent is for NERC to accept the OE-417 in lieu of the NERC
report, this paragraph should be clarified.
The DSR SDT received many comments requesting consistency with DOE OE-417
thresholds and timelines. These items as well as the Events Analysis Working Group’s
(EAWG) requirements were considered in creating Attachment 1, but there remain
differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an opportunity
not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use the OE-417 form
rather than Attachment 2 to report under EOP-004. The SDT was informed by the DOE
of its new online process coming later this year. In this process, entities may be able to
record email addresses associated with their Operating Plan so that when the report is
submitted to DOE, it will automatically be forwarded to the posted email addresses,
thereby eliminating some administrative burden to forward the report to multiple
organizations and agencies.
Response: Thank you for your comment. Please see response above.
Salt River Project/ Lower
Colorado River Authority
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting
efforts related to both the proposed Bulk Electric System ("BES") definition changes
and CIP Standards Version 5, could significantly impact the EOP-004-2 reporting
requirements. Caution needs to be exercised when referencing these definitions, as
the definition of a BES element could change significantly and the concepts of
“Critical Assets” and “Critical Cyber Assets” no longer exist in Version 5 of the CIP
Standards.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Additionally, it is debatable whether the destruction of, for example, one relay would
be a reportable incident given the proposed language. Related to “Reportable
Events” of Attachment 1: 1. The “Purpose” section of the Standard indicates it is
designed to require the reporting of events “with the potential to impact reliability”
of the BES. Footnote 1 and the “Threshold for Reporting” associated with the Event
described as “Destruction of BES equipment” expand the reporting scope beyond
that intent. For example, a fan on a generation unit can be destroyed because a plant
employee drops a screwdriver into it. We believe such an event should not be
reportable under EOP-004-2. Yet, as written, a Responsible Entity could interpret
that event as reportable (because it would be “unintentional human action” that
destroyed a piece of equipment associated with the BES). If the goal of the SDT was
to include such events, we think the draft Standard goes too far in requiring
reporting. If the SDT did not intend to include such events, the draft Standard should
be revised to make that fact clear.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
2. Item iii) in Footnote 1 seems redundant with the Threshold for Reporting.
3. The word “Significantly” in item ii) of footnote 1 introduces an element of subjectivity.
What is “significant” to one person may not be significant to someone else.
4. The word “unintentional” in Item iii) of footnote 1 may introduce nuisance reporting.
The SDT should consider: (1) changing the Event description to “Damage or
destruction of BES equipment” (2) removing the footnote and (3) replacing the
existing “Threshold for Reporting” with the following language: “Initial indication the
event: (i) was due to intentional human action, (ii) affects an IROL or (iii) in the
opinion of the Responsible Entity, jeopardizes the reliability margin of the system
(e.g., results in the need for emergency actions)”
The DSR SDT discussed this event as well as the event “Risk to BES equipment”. These
two event types had overlap in the perceived reporting requirements. The DSR SDT
removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “A physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance
in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
5. One reportable event is, “Risk to the BES” and the threshold for reporting is,
“From a non-environmental physical threat.” This appears to be intended as a
catch-all reportable event. Due to the subjectivity of this event description, we suggest
removing it from the list.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
6. One reportable event is, “Damage or destruction of Critical Asset per CIP-002.”
The SDT should define the term “Damage” in order for an entity to determine a
threshold for what qualifies as “Damage” to a CA. Normal “damage” can occur on a
CA that should not be reportable (e.g. the screwdriver example, above).
Reporting Thresholds
1. We believe damage or destruction of Critical Assets or CCAs resulting
from operational error, equipment failure or unintentional human action should not
be reportable under this Standard. We recommend changing the thresholds for
“Damage or destruction to Critical Assets ...” and “Damage or destruction of a [CCA]”
to “Initial Indication the event was due to external cause or intentional human
action.”
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
2. We support the SDT’s attempt to limit nuisance reporting related to copper
thefts. However, a number of the thresholds identified in EOP-004-2 Attachment 1
are very low and could clog the reporting process with nuisance reporting and
reviewing. An example is the “BES Emergency requiring manual firm load shedding”
of ≥ 100 MW or “Loss of Firm load for ≥ 15 Minutes” that is ≥ 200 MW
(300 MW if the manual demand is greater than 3000 MW). In many cases, those low
thresholds would require reporting minor wind events or other seasonal system
issues on a local network used to provide distribution service.
Firm Demand
1. The
use of the term “Firm load” in the context of the draft Standard seems inappropriate.
“Firm load” is not defined in the NERC Glossary (although “Firm Demand” is defined).
If the SDT intended to use “Firm Demand,” they should revise the draft Standard. If
the SDT wishes to use the term “Firm load” they should define it. [For example, we
understand that some load agrees to be dropped in an emergency. In fact, in the
ERCOT Region, we have a paid service referred to as “Emergency Interruptible Load
Service” (EILS). If the SDT intends that “Firm load” means load other than load which
has agreed to be dropped, it should make that fact clear.]
The thresholds and event types in Attachment 1 are from current DOE OE-417 and
NERC reporting requirements.
Comments to Attachment 2
1. The checkbox for “fuel supply emergency” should be
deleted because it is not listed as an Event on Attachment 1.
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2.
2. There should be separation between “forced intrusion” and “Risk to BES
equipment.” They are separate Events on Attachment 1.
Several stakeholders expressed concerns relating to the “Forced Intrusion” event. Their
concerns related to ambiguous language in the footnote. The DSR SDT discussed this
event as well as the event “Risk to BES equipment”. These two event types had overlap
in the perceived reporting requirements. The DSR SDT removed “Forced Intrusion” as a
category and the “Risk to BES equipment” event was revised to “A physical threat that
could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
Comments to Guideline and Technical Basis
The last paragraph appears to state NERC
will accept an OE-417 form as long as it contains all of the information required by
the NERC form and goes on to state the DOE form “may be included or attached to
the NERC report.” If the intent is for NERC to accept the OE-417 in lieu of the NERC
report, this paragraph should be clarified.
The DSR SDT received many comments requesting consistency with DOE OE-417
thresholds and timelines. These items as well as the Events Analysis Working Group’s
(EAWG) requirements were considered in creating Attachment 1, but there remain
differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an opportunity
not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use the OE-417 form
rather than Attachment 2 to report under EOP-004. The SDT was informed by the DOE
of its new online process coming later this year. In this process, entities may be able to
record email addresses associated with their Operating Plan so that when the report is
submitted to DOE, it will automatically be forwarded to the posted email addresses,
thereby eliminating some administrative burden to forward the report to multiple
organizations and agencies.
Response: Thank you for your comment. Please see response above.
Public Utility District No. 1 of
Snohomish County/Seattle
City Light
Overarching Concern related to EOP-004-2 draft: The contemporaneous drafting
efforts related to both the proposed Bulk Electric System ("BES") definition changes,
as well as the CIP standards Version 5, could significantly impact the EOP-004-2
reporting requirements. Caution needs to be exercised when referencing these
definitions, as the definitions of a BES element could change significantly and Critical
Assets may no longer exist.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
As it relates to the proposed reporting criteria, it is debatable as to whether or not
the destruction of, for example, one relay would be a reportable incident under this
definition going forward given the current drafting team efforts. Related to
“Reportable Events” of Attachment 1: 1. A reportable event is stated as, “Risk to the
BES”, the threshold for reporting is, “From a non-environmental physical threat”.
This appears to be a catch-all event, and basically every other event in Attachment 1
should be reported because it is a risk to the BES. Due to the subjectivity of this
event, suggest removing it from the list.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
2. A reportable event is stated as, “Damage or destruction of Critical Asset per CIP-002”. The term “Damage” would have to be defined in order for an entity to
determine a threshold for what qualifies as “Damage” to a CA. One could argue that
normal “Damage” can occur on a CA that is not necessary to report. There should
also be caution here in adding CIP interpretation within this standard.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Reporting Thresholds
1. The SDT made attempts to limit nuisance reporting related to
copper thefts and so on which is supported. However a number of the thresholds
identified in EOP-004-2 Attachment 1 are very low and could congest the reporting
process with nuisance reporting and reviewing. An example is the “BES Emergency
requiring manual firm load shedding of greater than or equal to 100 MW or the Loss
of Firm load for ≥ 15 Minutes that is greater than or equal to 200 MW (300 MW if
the manual demand is greater than 3000 MW). In many cases these low thresholds
represent reporting of minor wind events or other seasonal system issues on Local
Network used to provide distribution service.
Firm Demand
1. The use of Firm
Demand in the context of the draft Standards could be used to describe commercial
arrangements with a customer rather than a reliability issue. Clarification of Firm
Demand would be helpful.
The DSR SDT has updated the requirements based on comments received along with
updating Attachment 1 and 2. Please review the updated standard for all your
concerns.
Response: Thank you for your comment. Please see response above.
Pacific Northwest Small Public
Power Utility Comment Group
Project 2008-06 proposes to withdraw the terms “Critical Asset” and “Critical Cyber
Asset” from the NERC Glossary. In order to avoid a reliability gap when this occurs,
we propose including High and Medium Impact BES Cyber Systems and Assets.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
The revised wording to add, “as appropriate” to R1.3 is a concern. We understand
the SDT’s intent to not require all the bulleted parties to be notified for every event
type. But will a good faith effort on the part of the registered entity to deem
appropriateness be subject to second guessing and possible sanctions by the
Compliance Enforcement Authority if they disagree? We note that CIP-001 required
an interpretation to address this issue, but cannot assume that interpretation will
carry over. We suggest spelling out exactly who shall deem appropriateness.
The phrase “as appropriate” was removed and Requirement 1, Part 1.2 was revised
to:
A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1
to the Electric Reliability Organization and other organizations needed for the event
type; i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.
R4 continues to be an onerous requirement for smaller entities. Verification was not
part of the SAR and we are not convinced it is needed for reliability. We are unsure
how a DP with no generation, no BES assets, no Critical Cyber Assets, and less than
100 MW of load; would meet R4. Shall they drill for impossible events? We ask that
R4 be removed. At a minimum it should exclude entities that cannot experience the
events of Attachment 1. Entities that cannot experience the events of Attachment
1 should likewise be exempt from R1.2, 1.3, R2, and R3.
Requirement R4 (now R3) was revised to:
Each Responsible Entity shall conduct an annual test, not including notification to the
Electric Reliability Organization, of the communications process in Part 1.2.
Requirement R1, Part 1.1 specifies that an entity must have a process for recognizing
“applicable events”. An entity is only required to have the Operating Plan as it relates
to events applicable to that entity. The DSR SDT envisions that the testing under
Requirement R3 will include verification that contact information contained in the
Operating Plan is correct. As an example, the annual review of the Operating Plan
could include calling “others as defined in the Responsible Entity’s Operating Plan”
(see Part 1.2) to verify that their contact information is up to date. If any
discrepancies are noted, the Operating Plan would be updated. This language does
not preclude the verification of contact information taking place during a training
event. The DSR SDT has updated the Requirements based on comments received
along with updating Attachment 1 and 2. Please review the updated Standard for all
your concerns.
Response: Thank you for your comment. Please see response above.
Clallam County PUD No.1
Project 2008-06 proposes to withdraw the terms “Critical Asset” and “Critical Cyber
Asset” from the NERC Glossary. In order to avoid a reliability gap when this occurs,
we propose including High and Medium Impact BES Cyber Systems and Assets.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
The revised wording to add, “as appropriate” to R1.3 is a concern. We understand
the SDT’s intent to not require all the bulleted parties to be notified for every event
type. But will a good faith effort on the part of the registered entity to deem
appropriateness be subject to second guessing and possible sanctions by the
Compliance Enforcement Authority if they disagree? We note that CIP-001 required
an interpretation to address this issue, but cannot assume that interpretation will
carry over. We suggest spelling out exactly who shall deem appropriateness.
Part 1.3 (now Part 1.2) was revised to:
1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1
to the Electric Reliability Organization and other organizations needed for the event
type; i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.
R4 continues to be an onerous requirement for smaller entities. Verification was not
part of the SAR and we are not convinced it is needed for reliability. We are unsure
how a DP with no generation, no BES assets, no Critical Cyber Assets, and less than
100 MW of load; would meet R4. Shall they drill for impossible events? We ask that
R4 be removed. At a minimum it should exclude entities that cannot experience the
events of Attachment 1. Entities that cannot experience the events of Attachment
1 should likewise be exempt from R1.2, 1.3, R2, and R3.
Part 1.1 has been revised to include “applicable events listed in EOP-004, Attachment
1.” If an entity cannot experience an event, then it would not be an applicable event.
Requirement R4 (now R3) has been revised to:
R3. Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2.
[Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
The DSR SDT envisions that the testing under R3 will include verification that contact
information contained in the Operating Plan is correct. As an example, the annual
review of the Operating Plan could include calling “others as defined in the
Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their contact
information is up to date. If any discrepancies are noted, the Operating Plan would
be updated. This language does not preclude the verification of contact information
taking place during a training event.
Response: Thank you for your comment. Please see response above.
FEUS
R4 requires verification through a drill or exercise the communication process
created as part of R1.3. Clarification of what a drill or exercise should be considered.
In order to show compliance to R4 would the entity have to send a pseudo event
report to Internal Personnel, the Regional Entity, NERC ES-ISAC, Law Enforcement,
and Governmental or provincial agencies listed in R1.3 to verify the communications
plan? It would not be a burden on the entity so much, however, I’m not sure the
external parties want to be the recipient of approximately 2000 pseudo event
reports annually.
Requirement R4 (now R3) related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. Requirement R1, R3
now reads: “Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications process in
Part 1.2.” The DSR SDT envisions that the testing under Requirement 3 will include
verification that contact information contained in the Operating Plan is correct. As an
example, the annual review of the Operating Plan could include calling “others as
defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their
contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated. This language does not preclude the verification of contact
information taking place during a training event.
Attachment 1: BES equipment is too vague - consider changing to BES facility and
including that reduces the reliability of the BES in the footnote. Is the footnote an
and or an or?
Attachment 1: Version 5 of CIP Requirements remove the terms Critical
Asset and Critical Cyber Asset. The drafting team should consider revising the table
to include BES Cyber Systems. Clarify if Damage or Destruction is physical damage
(aka - cyber incidents would be part of CIP-008.)
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
Attachment 1: Unplanned Control Center evacuation - remove “potential” from the
reporting responsibility
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2.
Attachment 2 - 3: change to, “Did the event originate in your system?” The
requirement only requires reporting for Events - not potential events.
The DSR SDT has streamlined Attachment 2, per comments received.
Attachment 2 4: “Damage or Destruction to BES equipment” should be “Destruction
of BES Equipment” like it is in Attachment 1 and “forced intrusion risk to BES
equipment” remove “risk”
The DSR SDT has streamlined Attachment 2 to reflect the events of Attachment 1, per
comments received.
Response: Thank you for your comment. Please see response above.
ReliabilityFirst
ReliabilityFirst thanks the SDT for their effort on this project. ReliabilityFirst has a
number of concerns/questions related to the draft EOP-004-2 standard which
include the following:
1. General Comment - The SDT should consider any possible
impacts that could arise related to the applicability of Generator Owners that may or
may not own transmission facilities. This will help alleviate any potential or
unforeseen impacts on these Generator Owners.
The DSR SDT cannot apply items such as GO/TO issues when NERC and the Regions
are not in agreement to what the issue and solution is.
2. General Comment - Though the rationale boxes contain useful editorial
information for each requirement, they should rather contain the technical rationale
or answer the question “why is this needed” for each requirement. The rationale
boxes currently seem to contain suggestions on how to meet the requirements.
ReliabilityFirst suggests possibly moving some of the statements in the “Guideline
and Technical Basis” into the rationale boxes, as some of the rationale seems to be
contained in that section.
The DSR SDT will continue to update rationale boxes per comments received.
3. General comment - The end of Measure M4 is incorrectly pointing to R3. This
should refer to R4.
Measurement 4 has been corrected.
4. General Comment - ReliabilityFirst recommends the “Reporting Hierarchy for
Reportable Events” flowchart should be removed from the “Background” section and
put into an appendix. ReliabilityFirst believes the flowchart is not really background
information, but an outline of the proposed process found in the new standard.
The DSR SDT provided a flow chart for stakeholders to use if desired. EOP-004-2 sets
a minimum level of reporting per the events described in Attachment 1. The DSR SDT
has received negative feedback in past drafts, the DSR SDT was too prescriptive.
5. Applicability Comment - ReliabilityFirst questions the newly added applicability for
both the Regional Entity (RE) and ERO. Standards, as outlined in many, if not all, the
FERC Orders, should have applicability to users, owners and operators of the BES and
not to the compliance monitoring entities (e.g. RE and ERO). Any requirements
regarding event reporting for the RE and ERO should be dealt with in the NERC Rules
of Procedure and/or Regional Delegation Agreements. It is also unclear who would
enforce compliance on the ERO if the ERO remains an applicable entity.
The ERO is an Applicable Entity under the current version of CIP-008 and therefore
they are held to EOP-004-2. Note, this proposed Standard has been through two
Quality Reviews and there has been no rejection from NERC.
6. Requirement Comment - ReliabilityFirst believes the process for communicating
events in Requirement R1, Part 1.3 should be all inclusive and therefore include the
bullet points. Bullet points are considered to be “OR” statements and thus
ReliabilityFirst believes they should be characterized as sub-parts. Listed below is an
example:
1.3. A process for communicating events listed in Attachment 1 to the following:
1.3.1 Electric Reliability Organization,
1.3.2 Responsible Entity’s Reliability Coordinator
1.3.3 Internal company personnel
1.3.4 The Responsible Entity’s Regional Entity
1.3.5 Law enforcement
1.3.6 Governmental or provincial agencies
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. Requirement R3
now reads: “Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications process in
Part 1.2.” The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct. As an
example, the annual review of the Operating Plan could include calling “others as
defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their
contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated.
7. Requirement Comment - ReliabilityFirst questions why Requirement R1, Part 1.1
and Part 1.2 are not required to be verified when performing a drill or exercise in
Requirement R4? ReliabilityFirst believes that performing a drill or exercise utilizing
the process for identifying events (Part 1.1) and the process for gathering
information (Part 1.2) are needed along with the verification of the process for
communicating events as listed in Part 1.3.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. Requirement R3
now reads: “Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications process in
Part 1.2.” The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct. As an
example, the annual review of the Operating Plan could include calling “others as
defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their
contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated.
8. Compliance Section Comment - Section 1.1 states “If the Responsible Entity works
for the Regional Entity...” and ReliabilityFirst questions the intent of this language.
ReliabilityFirst is unaware of any Responsible Entities who work for a Regional Entity.
Also, if the Regional Entity and ERO remain as applicable entities, in Section 1.1 of
the standard, it is unclear who will act as the Compliance Enforcement Authority
(CEA).
The DSR SDT has followed the guidance in the Standards Development process to
assure that “template” information is correct. The language included is directly from
NERC guideline documents.
9. Compliance Section Comment - ReliabilityFirst recommends removing the second,
third and fourth paragraphs from Section 1.2 since ReliabilityFirst believes entities
should retain evidence for the entire time period since their last audit.
The DSR SDT has followed the guidance in the Standards Development process to
assure that “template” information is correct. The language included is directly from
NERC guideline documents.
10. Compliance Section Comment - ReliabilityFirst recommends modifying the fifth
paragraph from Section 1.2 as follows: “If a Registered Entity is found non-compliant,
it shall keep information related to the non-compliance until found compliant or until
a data hold release is issued by the CEA.” ReliabilityFirst believes, as currently
stated, the CEA would be required to retain information for an indefinite period of
time.
The DSR SDT has followed the guidance in the Standards Development process to
assure that “template” information is correct. The language included is directly from
NERC guideline documents.
11. Compliance Section Comment - ReliabilityFirst recommends removing the sixth
paragraph from Section 1.2 since the requirement for the CEA to keep the last audit
records and all requested and submitted subsequent audit records is already covered
in the NERC ROP.
The DSR SDT has followed the guidance in the Standards Development process to
assure that “template” information is correct. The language included is directly from
NERC guideline documents.
12. Attachment 1 Comment - It is unclear what the term/acronym “Tv” is referring
to. It may be beneficial to include a footnote clarifying what the term “Tv” stands
for.
Tv is based on FAC-010 and the DSR SDT believes that this is clear to affected
stakeholders.
13. VSL General Comment - although ReliabilityFirst believes that the applicability is
not appropriate, as the REs and ERO are not users, owners, or operators of the Bulk
Electric System, the Regional Entity and ERO are missing from all four sets of VSLs, if
the applicability as currently written stays as is. If the Regional Entity and ERO are
subject to compliance for all four requirements, they need to be included in the VSLs
as well. Furthermore, for consistency with other standards, each VSL should begin
with the phrase “The Responsible Entity...”
The DSR SDT will follow the guidance in the Standards Development process to assure
that “template” information is correct.
14. VSL 4 Comment - The second “OR” statement under the “Lower” VSL should be
removed. By not verifying the communication process in its Operating Plan within
the calendar year, the responsible entity completely missed the intent of the
requirement and is already covered under the “Severe” VSL category.
The DSR SDT will follow the guidance in the Standards Development process to assure
that “template” information is correct.
Response: Thank you for your comment. Please see response above.
Northeast Power Coordinating Council
Requirement 4 does not specifically state the details necessary for an entity to
achieve compliance. Requirement 4 should provide more guidance as to what is
required in a drill. Audit/enforcement of any requirement language that is too broad
will potentially lead to Regional interpretation, inconsistency, and additional
CANs. R4 should be revised to delete the 15 month requirement. CAN-0010
recognizes that entities may determine the definition of annual. The standard is too
specific, and drills down into entity practices, when the results are all that should be
looked for. The standard is requiring multiple reports.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. Requirement R3
now reads: “Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications process in
Part 1.2.” The DSR SDT envisions that the testing under Requirement R3 will include
verification that contact information contained in the Operating Plan is correct. As an
example, the annual review of the Operating Plan could include calling “others as
defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their
contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated.
The Purpose of the Standard is very broad and should be revised because some of
the events being reported on have no impact on the BES. Revise Purpose wording as
follows: To improve industry awareness and the reliability of the Bulk Electric System
“by requiring the reporting of major system events with the potential to impact
reliability and their causes...” on the Bulk Electric System it can be said that every
event occurring on the Bulk Electric System would have to be reported.
The DSR SDT revised the purpose statement to remove ambiguous language “with the
potential to impact reliability”. The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting
of events by Responsible Entities.”
Referring to Requirement R4, the testing of the communication process is the
responsibility of the Responsible Entity. There is an event analysis process already in
place. The standard prescribes different sets of criteria, and forms. There should be
one recipient of event information. That recipient should be a “clearinghouse” to
ensure the proper dissemination of information.
EOP-004 is a standard that requires reporting of events to the ERO. The events
analysis program receives these reports and determines whether further analysis is
appropriate.
Why is this standard applicable to the ERO?
NERC as the ERO is currently a Responsible Entity under CIP-008, and therefore the
proposed EOP-004-2 has the ERO as a Responsible Entity.
Requirement R2 is not necessary. It states the obvious. Requirements R2 and R3 are
redundant. The standard mentions collecting information for Attachment 2, but
nowhere does it state what to do with Attachment 2.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to:
“Requirement R2. Each Responsible Entity shall implement its event reporting Operating
Plan for applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
None of the key concepts identified on page 5 of the standard are clearly stated or
described in the requirements:
o Develop a single form to report disturbances and
events that threaten the reliability of the bulk electric system.
OE-417, as well as, the EAWG’s requirements were considered in creating Attachment
1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
o Investigate other opportunities for efficiency, such as development of an
electronic form and possible inclusion of regional reporting requirements.
o Establish clear criteria for reporting.
o Establish consistent reporting timelines.
The DSR SDT does allow entities to use the DOE Form OE 417 in lieu of Attachment 2
to report an event. Attachment 1 has been updated to provide consistent criteria for
reporting as well as reporting timelines. All one hour reporting timelines have been
changed to 24 hours with the exception of a ‘Reportable Cyber Security Incident’.
This is maintained due to FERC Order 706, Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
o Provide clarity for who will receive the information and how it will be used.
The standard’s requirements should be reviewed with an eye for deleting those that are
redundant, or do not address the Purpose or intent of the standard.
Requirement R1 has been updated and now reads as:
“Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
The Applicable Entity’s Operating Plan is to contain the process for reporting events
listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and for communicating to others as defined in the Responsible
Entity’s Operating Plan. All events in Attachment 1 are required to be reported to the
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator.
The Operating Plan may include: internal company personnel, your Regional Entity, law
enforcement, and governmental or provisional agencies, as you identify within your
Operating Plan. This gives you the flexibility to tailor your Operating Plan to fit your
company’s needs and wants.
Response: Thank you for your comment. Please see response above.
American Public Power
Association
Requirement R1:
1.3. A process for communicating events listed in Attachment 1 to
the Electric Reliability Organization, the Responsible Entity’s Reliability Coordinator
and the following as appropriate:
o Internal company personnel
o The Responsible Entity’s Regional Entity
o Law enforcement
o Governmental or provincial agencies
APPA believes that including the list of other entities needing to be included in a
process for communicating events under 1.3 may open this requirement up for
interpretation. APPA requests that the SDT remove from the requirement the listing
of; “Internal company personnel, The Responsible Entity’s Regional Entity, Law
enforcement & Governmental or provincial agencies” and include these references in
a guidance document. The registered entities need to communicate with the ERO
and the RC if applicable for compliance with this standard and to maintain the
reliability of the BES. Communication with other entities such as internal company
personnel, law enforcement and the Regional Entity are expected, but do not impact
the reliability of the BES. This will simplify the reporting structure and will not be
burdensome to registered entities when documenting compliance. If this is not an
acceptable solution, APPA suggests revising 1.3 to remove the wording “the
following as appropriate” and add “other entities as determined by the Responsible
Entity. Examples of other entities may include, but are not limited to:” Then it is
clear that the list is examples and should not be enforced by the auditor.
Requirement R1 has been updated and now reads as:
“Each Responsible Entity shall have an Operating Plan that includes:
1.1. A process for recognizing each of the events listed in EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
The Applicable Entity’s Operating Plan is to contain the process for reporting events
listed in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and for communicating to others as defined in the Responsible
Entity’s Operating Plan. All events in Attachment 1 are required to be reported to the
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator.
The Operating Plan may include: internal company personnel, your Regional Entity, law
enforcement, and governmental or provincial agencies, as you identify within your
Operating Plan. This gives you the flexibility to tailor your Operating Plan to fit your
company’s needs and wants.
1.4. Provision(s) for updating the Operating Plan within 90 calendar days of any
change in assets, personnel, other circumstances that may no longer align with the
Operating Plan; or incorporating lessons learned pursuant to Requirement R3. APPA
understands that the SDT is following the FERC order requiring a 90 day limit on
updates to any changes to the plan. However, APPA believes that “updating the
Operating Plan within 90 calendar days of any change...” is a very burdensome
compliance documentation requirement. APPA reminds the SDT that including DPs
in this combined standard has increased the number of small Responsible Entities
that will be required to document compliance. APPA requests that the SDT combine
requirement 1.4 and 1.5 so the Operating Plan will be reviewed and updated with
any changes on a yearly basis. If this is not an acceptable solution, APPA suggests
that the “Lower VSL” exclude a violation to 1.4. The thought being, a violation of 1.4
by itself is a documentation error and should not be levied a penalty.
Requirement 1, Part 1.4 has been removed from the standard.
Attachment 1: Events Table
APPA believes that the intent of the SDT was to mirror
the DOE OE-417 criteria in reporting requirements. With the inclusion of DP in the
Applicability, however, APPA believes the SDT created an unintended excessive
reporting requirement for DPs during insignificant events.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
APPA recommends that a qualifier be added to the events table. In DOE OE-417
local electrical systems with less than 300MW are excluded from reporting certain
events since they are not significant to the BES.
APPA believes that the benefit of reporting certain events on systems below this
value would not outweigh the compliance burden placed on these small systems.
Therefore, APPA requests that the standard drafting team add the following qualifier
to the Events Table of Attachment 1: “For systems with greater than 300MW peak
load.” This statement should be placed in the Threshold for Reporting column for
the following Events: BES Emergency requiring appeal for load reduction, BES
Emergency requiring system-wide voltage reduction, BES Emergency requiring
manual firm load shedding, BES Emergency resulting in automatic firm load
shedding. This will match the DOE OE-417 reporting criteria and relieve the burden
on small entities.
Upon review of the DOE OE 417, it states “Local Utilities in Alaska, Hawaii, Puerto
Rico, the U.S. Virgin Islands, and the U.S. Territories - If the local electrical system is
less than 300 MW, then only file if criteria 1, 2, 3 or 4 are met”. Please be advised
this exception applies to entities outside the continental USA.
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
Definition of “Risk to BES equipment”: The SDT attempted to give examples of the
Event category “Risk to BES equipment” in a footnote. This footnote gives the
Responsible Entity and the Auditor a lot of room for interpretation. APPA suggests
that the SDT either define this term or give a triggering mechanism that the industry
would understand. One suggestion would be “Risk to BES equipment: An event that
forces a Facility Owner to initiate an unplanned, non-standard or conservative
operating procedure.” Then list; “Examples include train derailment adjacent to BES
Facilities that either could have damaged the equipment directly or has the potential
to damage the equipment...” This will allow the entity to have an operating
procedure linked to the event. If this suggestion is taken by the SDT then the
Reporting column of Attachment 1 needs to be changed to: “The parties identified
pursuant to R1.3 within 1 hour of initiating conservative operating procedures.”
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure
that events meaningful to industry awareness are reported. Note that the
reporting timeline (now revised to 24 hours) starts when the situation has been
determined as a threat, not when it may have first occurred. Also, the footnote
only contains examples.
Response: Thank you for your comment. Please see response above.
Western Electricity
Coordinating Council
Results-based standards should include, within each requirement, the purpose or
reason for the requirement. The requirements of this standard, while we support the
requirements, do not include the goal or purpose of meeting each stated
requirement. The Measures all include language stating “the responsible entity shall
provide...”. During a quality review of a WECC Regional Reliability Standard we were
told that the “shall provide” language is essentially another requirement to provide
something. If it is truly necessary to provide this it should be in the requirements. It
was suggested to us that we drop the “shall provide” language and just start each
Measure with the “Evidence may include but is not limited to...”.
The DSR SDT changed each instance of “shall” to “will” within the measures. We will
defer to NERC Quality Review comments for any additional revisions.
Response: Thank you for your comment. Please see response above.
Sacramento Municipal Utility
District (SMUD)
SMUD and BANC agree with the revised language in EOP-004-1 requirements, but we
have identified the following issues in A-1: We commend the SDT for properly
addressing the sabotage issue. However, additional confusion is caused by
introducing the term "damage". As "damage" is not a defined term it would be
beneficial for the drafting team to provide clarification for what is meant by
"damage".
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
As discussed in prior comment forms, the DSR SDT has elected not to define
“sabotage”. As defined in an Entity’s Operating Plan, the requirement is to report and
communicate an event as listed in Attachment 1. EOP-004-2 does not require
analysis of any event listed in Attachment 1.
The threshold for reporting "Each public Appeal for load reduction" should clearly
state the triggering is for the BES Emergency as routine "public appeal" for
conservation could be considered a threshold for the report triggering.
To clarify your point, the threshold has been changed to ‘Public appeal or load
reduction event’.
Regarding the SOL Violations in Attachment 1 the SOL Violations should only be
those that affect the WECC paths.
The DSR SDT has included the following language for WECC’s SOL violation in
Attachment 1:
“IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths
(WECC only)”
The SDT made attempts to limit nuisance reporting related to copper thefts and so
on which is supported. However a number of the thresholds identified in EOP-004-2
Attachment 1 are very low and could congest the reporting process with nuisance
reporting and reviewing.
The DSR SDT made reports made under EOP-004 provide a minimum set of
information, which may trigger further information requests from EAWG as
necessary.
Response: Thank you for your comment. Please see response above.
Southern Company
Southern has the following comments: (1) In Requirement R1.4, we request the SDT
to clarify what is meant by the term “assets”?
The DSR SDT has deleted Requirement R1, Part 1.4, thus “assets” is not contained in
EOP-004-2 based on comments received.
(2) If requirement 4 is not deleted, should we have to test every possible event
described in our Operating Plan or each event listed in Attachment 1 to verify
communications?
The DSR SDT has deleted Requirement R4 based on comments received.
(3) In the last paragraph of the “Summary of Key Concepts” section on page 6 of
Draft 3, there is a statement that “Real-time reporting is achieved through the
RCIS...” The only reporting required on RCIS by the Standards is for EEAs and TLRs.
Please review and modify this language as needed.
The DSR SDT believes “The DSR SDT wishes to make clear that the proposed Standard
does not include any real-time operating notifications for the events listed in
Attachment 1. Real-time reporting is achieved through the RCIS and is covered in other
standards (e.g. the TOP family of standards). The proposed standard deals exclusively
with after-the-fact reporting” is correct.
(4) Evidence Retention (page 12 of Draft 3): The 3 calendar year reference has no
bearing on a Standard that may be audited on a cycle greater than 3 years.
The DSR SDT has updated the Evidence Retention section with standard language
provided by NERC staff.
(5) In the NOTE for Attachment 1 (page 20 of Draft 3), what is meant by “periodic
verbal updates” and to whom should the updates be made?
The DSR SDT has updated the note in question to remove the language of “periodic
verbal updates”, it now reads as:
“NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may
not be possible to report the damage caused by an event and issue a written Event
Report within the timing in the table below. In such cases, the affected Responsible
Entity shall notify parties per R1 and provide as much information as is available at the
time of the notification. Reports to the ERO should be submitted to one of the following:
e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.”
(6) There are Prerequisite Approvals listed in the Implementation Plan. Is it
appropriate to ask industry to vote on this Standard Revision that has a prerequisite
approval of changes in the Rules of Procedure that have not been approved?
The proposed revisions to the Rules of Procedure should have been posted with the
standard. This posting will occur with the successive ballot of EOP-004-2.
(7) We believe the reporting of the events in Attachment 1 has no reliability benefit
to the Bulk Electric System. We suggest that Attachment 1 should be removed.
The DSR SDT disagrees with this comment. Attachment 1 is the minimum set of
events that will be required to report and communicate per your Operating Plan will
be aware of system conditions.
Response: Thank you for your comment. Please see response above.
Texas Reliability Entity
Substantive comments: 1. ERO and Regional Entities should not be included in the
Applicability of this standard. Just because they may be subject to some CIP
requirements does not mean they also have to be included here. The ERO and
Regional Entities do not operate equipment or systems that are integral to the
operation of the BES. Also, none of the VSLs apply to the ERO or to Regional Entities.
The DSR SDT is following guidance that NERC has provided to the DSR SDT. The ERO
and the RE are applicable entities under CIP-008. Reporting of Cyber Security
Incidents is the responsibility of the ERO and the RE.
2. The first entry in the Events Table should say “Damage or destruction of BES
equipment.” Equipment may be rendered inoperable without being “destroyed,”
and entities should not have to determine within one hour whether damage is
sufficient to cause the equipment to be considered “destroyed.” Footnote 1 refers
to equipment that is “damaged or destroyed.”
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity.
The DSR SDT used the defined term “Facility” to add clarity for several events listed in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
3. In the Events Table, consider whether the item for “Voltage deviations on BES
facilities” should also be applicable to GOPs, because a loss of voltage control at a
generator (e.g. failure of an automatic voltage regulator and power system stabilizer)
could have a similar impact on the BES as other reportable items.
The DSR SDT disagrees with this comment. Attachment 1 is the minimum set of
events that will be required to report and communicate per your Operating Plan will
be aware of system conditions.
4. In the Events Table, under Transmission Loss, does this item require that at least
three Facilities owned by one entity must be lost to trigger the reporting
requirement, or is the reporting requirement also to be triggered by loss of three
Facilities during one event or occurrence that are owned by two or three different
entities?
The DSR SDT has stated in Attachment 1 that “Each TOP that experiences the
transmission loss”. This would mean per individual TOP.
5. In the Events Table, under Transmission Loss, it is unclear how Facilities are to be
counted to determine when “three or more” Facilities are lost. In the NERC Glossary,
Facility is ambiguously defined as “a set of electrical equipment that operates as a
single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator,
transformer, etc.).” In many cases, a “set of electrical equipment” can be selected
and counted in different ways, which makes this item ambiguous.
Both Transmission and Facilities are defined terms and the DSR SDT feels this gives
sufficient direction.
6. In the Events Table, under Transmission Loss, it appears that a substation bus
failure would only count as a loss of one Facility, even though it might interrupt flow
between several transmission lines. We believe this type of event should be
reported under this standard, and appropriate revisions should be made to this
entry.
The DSR SDT used the defined term “Facility” to add clarity for this event as well as other
events in Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any
other facility (not a defined term) that one might consider in everyday discussions
regarding the grid. This is intended to mean ONLY a Facility as defined above.
7. In the Events Table, under Transmission Loss, consider including generators that
are lost as a result of transmission loss events when counting Facilities. For example,
if a transmission line and a transformer fail, resulting in a generator going off-line,
that should count as a loss of “three or more” facilities and be reportable under this
standard.
Attachment 1 is the minimum set of events that will be required to report and
communicate per your Operating Plan will be aware of system conditions.
8. In the Events Table, under “Unplanned Control Center evacuation” and “Loss of
monitoring or all voice communication capability,” GOPs should be included. GOPs
also operate control centers that would be subject to these kinds of occurrences.
Attachment 1 is the minimum set of events that will be required to report and
communicate per your Operating Plan will be aware of system conditions.
9. In the Events Table, under “Loss of monitoring or all voice communication
capability,” we suggest adding that if there is a failure at one control center, that
event is not reportable if there is a successful failover to a backup system or control
center.
The DSR SDT has split this event into two separate events based on comments
received, it now reads as: “Loss of all voice communication capability” and “Complete
or partial loss of monitoring capability”.
10. “Fuel supply emergency” is included in the Event Reporting Form, but not in
Attachment 1, so there is no reporting threshold or deadline provided for this type of
event.
Attachment 2 was updated to reflect the revisions to Attachment 1. The reference to
“actual or potential events” was removed. Also, the event type of “other” and “fuel
supply emergency” was removed as well.
Clean-up items: 1. In R1.5, capitalize “Responsible Entity” and lower-case “process”.
The DSR SDT has deleted Requirement 1, part 1.5.
2. In footnote 1, add “or” before “iii)” to clarify that this event type applies to
equipment that satisfies any one of these three conditions.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
3. In the Event Reporting Form, “forced intrusion” and “Risk to BES equipment” are
run together and should be separated.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred.
VSLs: 1. We support the substance of the VSLs, but the repeated long list of entities
makes the VSLs extremely difficult to read and decipher. The repeated list of entities
should be replaced by “Responsible Entities.” 2. If the ERO and Regional Entities are
to be subject to requirements in this standard (which we oppose), they need to be
added to the VSLs.
The DSR SDT has revised the VSLs to eliminate the list of entities and lead with
“Responsible Entity”.
Response: Thank you for your comment. Please see response above.
Suggest removing 1.4 since 1.5 ensures an annual review. The implementation of the
plan should also include the necessary reporting.
Requirement R1, Part 1.4 has been removed.
Response: Thank you for your comment. Please see response above.
Electric Compliance
The concepts of “Critical Assets” and “Critical Cyber Assets” no longer exist in Version
5 of the CIP Standards and so this may cause confusion. Recommend modifying to
be in accordance with Version 5. Additionally, it is debatable whether the
destruction of, for example, one relay would be a reportable incident given the
proposed language. We recommend modifying the language to insure nuisance
reporting is minimized. One reportable event is, “Risk to the BES” and the threshold
for reporting is, “From a non-environmental physical threat.” This appears to be a
catch-all reportable event. Due to the subjectivity of this event description, we
suggest removing it from the list.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
Footnote 1 and the “Threshold for Reporting” associated with the Event described as
“Destruction of BES equipment” expand the reporting scope. For example, a fan on a
transformer can be destroyed because a technician drops a screwdriver into it. We
believe such an event should not be reportable under EOP-004-2. Yet, as written, a
Responsible Entity could interpret that event as reportable (because it would be
“unintentional human action” that destroyed a piece of equipment associated with
the BES). If the goal of the SDT was to include such events, we think the draft
Standard goes too far in requiring reporting. If the SDT did not intend to include such
events, the draft Standard should be revised to make that fact clear. Proposed
Footnote: BES equipment that become damaged or destroyed due to intentional or
unintentional human action which removes the BES equipment from service that i)
Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has
the potential to result in the need for emergency actions); iii). Do not report copper
theft from BES equipment unless it degrades the ability of equipment to operate
correctly (e.g., removal of grounding straps rendering protective relaying
inoperative).
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
The word “Significantly” in item ii) of footnote 1 and “as appropriate” in section 1.3
introduces elements of subjectivity. What is “significant” or “appropriate” to one
person may not be to someone else.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
In section 1.4, we believe that revising the plan within 90 days of “any” change
should be changed to 180 days or else classes of events should be made so that only
substantial changes are required to be made within the 90 day timeframe.
Requirement R1, Part 1.4 was removed from the standard.
Response: Thank you for your comment. Please see response above.
Georgia System Operations
Corporation
The ERO and the Regional Entity should not be listed as Responsible Entities. The
ERO and the Regional Entity should not have to meet the requirements of this
standard, especially reporting to itself.
The ERO and the RE are applicable under the CIP-008 standard and are therefore
applicable under EOP-004.
Attachment 1 (all page numbers are from the clean draft): Page 20, destruction of
BES equipment: part iii) of the footnote adds damage as an event but the heading is
for destruction. Is it just for destruction? Or is it for damage or destruction?
The DSR SDT has modified Attachment 1 to bring more clarity. The ‘Destruction’ event
category has been revised to include ‘damage or destruction of a Facility’, (a defined
term) and thresholds have been modified to provide clarity. The footnote was deleted.
Page 21, Risk to BES equipment: Footnote 3 gives an example where there is
flammable or toxic cargo. These are environmental threats. However, the threshold
for reporting is for non-environmental threats. Which is it?
For this event, environmental threats are considered to be severe weather,
earthquakes, etc. rather than an external threat.
Page 21, BES emergency requiring public appeal for load reduction: A small deficient
entity within a BA may not initiate public appeals. The BA is typically the entity which
initiates public appeals when the entire BA is deficient. The initiating entity should be
the responsible entity not the deficient entity.
The DSR SDT revised this event to indicate the “initiating” entity is responsible for
reporting.
Page 21, BES emergency requiring manual firm load shedding: If an RC directs a DP to
shed load and the DP initiates manually shedding its load as directed, is the RC the
initiating entity? Or is it the DP?
The DSR SDT believes the wording of “initiating entity” provides enough clarity for
each applicable entity to understand. In this case, the RC made the call to shed load
and therefore should report.
Page 22, system separation (islanding): a DP does not have a view of the system to
see that the system separated or how much generation and load are in the island.
Remove DP.
The DSR SDT disagrees with your comment. DPs may be the first to recognize that
they are islanded or separated from the system.
Attachment 2 (all page numbers are from the clean draft): Page 25: fuel supply
emergencies will no longer be reportable under the current draft.
The DSR SDT has removed both “fuel supply emergency” and “other” from
Attachment 2 based on comments received.
Miscellaneous typos and quality issues (all page numbers are from the clean
draft): Page 5, the last paragraph: There are two cases where Parts A or B are
referred to. Attachment 1 no longer has two parts (A & B). Page 27, Discussion of
Event Reporting: the second paragraph has a typo at the beginning of the sentence.
The DSR SDT has corrected these typos.
Response: Thank you for your comment. Please see response above.
Thompson Coburn LLP on
behalf of Miss. Delta Energy
Agency
The first three incident categories designated on Attachment 1 as reportable events
should be modified. As the Standard is currently drafted, each incident category (i.e.,
destruction of BES equipment, damage or destruction of Critical Assets, and damage
or destruction of Critical Cyber Assets) requires reporting if the event was due to
unintentional human action. For example, under the reporting criteria as drafted,
inadvertently dropping and damaging a piece of computer equipment designated as
a Critical Cyber Asset while moving or installing it would appear to require an event
report within an hour of the incident.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
MDEA requests that the Drafting Team consider modifying footnote 1 and each of
the first three event categories to reflect that reportable events include only those
that (i) affect an IROL; (ii) significantly affect the reliability margin of the system; or
(iii) involve equipment damage or destruction due to intentional human action that
results in the removal of the BES equipment, Critical Assets, and/or Critical Cyber
Assets, as applicable, from service.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
Footnote 2 (which now pertains only to the fourth incident category - forced
intrusions) should also apply to the first three event categories. Specifically,
responsible entities should report intentional damage or destruction of BES
equipment, damage or destruction of Critical Assets, and damage or destruction of
Critical Cyber Assets if either the damage/destruction was clearly intentional or if
motivation for the damage or destruction cannot reasonably be determined and the
damage or destruction affects the reliability of the BES.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
Attachment 1 is also unclear to the extent that the incident category involving
reports for the detection of reportable Cyber Security Incidents includes a reference
to CIP-008 as the reporting threshold. While entities in various functional categories
(i.e., RCs, BAs, TOPs/TOs, GOPs/GOs, and DPs) are listed as being responsible for the
reporting of such events, some entities in these functional categories may not
currently be subject to CIP-008. If it is the Drafting Team’s intent to limit event
reports for Cyber Security Incidents to include only registered entities subject to CIP-008, that clarification should be incorporated into the listing of entities with
reporting responsibility for this incident category in Attachment 1.
The “Entity with reporting responsibility” for the event “A reportable Cyber Security
Incident” has been revised to “Each Responsible Entity applicable under CIP-008-4 or
its successor that experiences the Cyber Security Incident”.
Response: Thank you for your comment. Please see response above.
Luminant Power
The following comments all apply to Attachment 1:
o As a general comment, SDT
should specifically list the entities the reportable event applies to in the table for
clarity. Do not use general language referencing another standard or statements
such as “Deficient entity is responsible for reporting”, “Initiating entity is responsible
for reporting”, or other similar statements used currently in the table. This leaves
this open and subject to interpretation.
The DSR SDT disagrees with your comment. This language provides the most
flexibility for applicable entities and maintains a minimum level of who is required to
report or communicate events based on an entity’s Operating Plan, as described in
Requirement 1.
Also, there are a number of events that do not apply to all entities.
o Destruction of
BES equipment should be Intentional Damage or Destruction of BES equipment.
Unintentional actions occur and should not be a requirement for reporting under
disturbance reporting.
The event for “Destruction of BES equipment” has been revised to “Damage or
destruction of a Facility”. The threshold for reporting information was expanded for
clarity:
“Damage or destruction of a Facility that:
Affects an IROL
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from intentional human action.”
o Actions or situations affecting equipment or generation unit availability due to
human error, equipment failure, unintentional human action, external cause, etc. are
reported in real time to the BA and other entities as required by other NERC
Standards. Disturbance reporting should avoid the type of events that, for instance,
would cause the total or partial loss of a generating unit under normal operational
circumstances. There are a number of issues with the table in this regard.
The DSR SDT has removed such language based on comments received.
o For clarity, consider changing the table to identify for each event type “who”
should be notified. This appears to be missing from the table overall.
The DSR SDT has updated Requirement R1, Part 1.2 to read as: “1.2 A process for
communicating each of the applicable events listed in EOP-004 Attachment 1 in
accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator;
law enforcement governmental or provincial agencies.”
o Reportable Events, the meaning for the Event labeled “Destruction of BES
equipment” is not clear. Footnote 1 adds the language “iii) Damaged or destroyed
due to intentional or unintentional human action which removes the BES equipment
from service.” This language can be interpreted to mean that any damage to any BES
equipment caused by human action, regardless of intention, must be reported within
1 hour of recognition of the event. This requirement will be overly burdensome. If
this is not the intent of the definition of “Destruction of BES equipment”, the
footnote should be re-worded. As such, it is subjective and left open to
interpretation. It should focus only on intentional actions to damage or interrupt
BES functionality. It should not be worded as such that every item that trips a unit or
every item that is damaged on a unit requires a report. That is where the language
right now is not clear. There are and will continue to be unintentional human error
that results in taking equipment out of service. This standard was meant to replace
sabotage reporting.
All footnotes are deleted and appropriate content moved to ‘Thresholds for
Reporting’ with the exception of the footnote relating to the new event category ‘A
physical threat that could impact the operability of a Facility’. This remaining
footnote provides examples only.
o Damage or destruction of Critical Asset per CIP-002 and Damage or destruction of a
Critical Cyber Asset per CIP-002 should be removed from the table as Intentional
Damage or Destruction of BES equipment would cover this as well.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
o Risk to BES equipment should be removed from the table as it is very subjective
and broad. At a minimum, the 1 hour reporting timeline should begin after
recognition and assessment of the incident. As an example, a fire close to BES
equipment may not truly be a threat to the equipment and will not be known until
an assessment can be made to determine the risk.
The DSR SDT has removed this event based on comments received.
o Detection of a Reportable Cyber Security incident should be removed from the
table as this is covered by CIP-008 requirements. Having this in two separate
standards is double jeopardy and confusing to entities.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
o Generation Loss event reporting should only apply to the BA. These authorities
have the ability and right to contact generation resources to supply necessary
information needed for reporting. This would also eliminate redundant reporting by
multiple entities for the same event.
The DSR SDT has tried to minimize duplicative reporting, but recognizes there may be
events that trigger more than one report. The current applicability ensures an event
that could affect just one of the entities with reporting responsibility isn’t missed.
o Suggest that Generation Loss MW loss would match up with the 1500 MW level
identified in CIP Version 4 or Version 5 for consistency between future CIP standards
and this disturbance reporting standard. This would then cover CIP and significant
MW losses that should be reported.
The DSR SDT disagrees as this threshold is based on the current EOP-004-1.
o The Generation Loss MW loss amount needs to have a time boundary. Luminant
would suggest a loss of 1500 MW within 15 minutes.
The DSR SDT disagrees as this threshold is based on the current EOP-004-1.
o Unplanned Control Center evacuation should not apply to entities that have
backup Control Centers where normal operations can continue without impact to the
BES.
The DSR SDT disagrees with your comment. By reporting and communicating per an
entity’s Operating Plan, you will provide situational awareness to entities per your
Operating Plan.
o Loss of monitoring or all voice communication capability should be separated. Also
the 24 hour reporting requirement may not be feasible if communications is down
for longer than 24 hours.
The DSR SDT has split this event into two separate events based on comments
received, it now reads as: “Loss of all voice communication capability” and “Complete
or partial loss of monitoring capability”.
Luminant would suggest removal of the communication reporting event as there are
a number of things that could cause this to occur for longer than the reporting
requirement allows, thus putting entities at jeopardy of a potential violation that is
out of their control. How does an entity report if all systems and communications are
down for more than 24 hours? What about in instances of a partial or total
blackout? These events could last much longer than 24 hours. All computer
communication would likely also be down thus rendering electronic reporting
unavailable.
EOP-004-2 only requires an entity to report and communicate per their Operating
Plan within the time frames set in Attachment 1.
Response: Thank you for your comment. Please see response above.
Kansas City Power & Light
The implementation plan indicates that much of CIP-008 is retained. The reporting
requirements in CIP-008 and the required reportable events outlined in Attachment
1 are an overlap with CIP-008-3 R1.1 which says “Procedures to characterize and
classify events as reportable Cyber Security Incidents” and CIP-008-3 R1.3 which
requires processes to address reporting to the ES-ISAC. There is also a NERC
document titled, Security Guideline for the Electricity Sector: Threat and Incident
Reporting, which is a guideline to “assist entities to identify and classify incidents for
reporting to the ES-ISAC”. The SDT should consider the content of the Security
Guideline for the Electricity Sector: Threat and Incident Reporting when considering
the reporting requirements in proposed EOP-004. The efforts to incorporate CIP-008
into EOP-004 are insufficient and will result in serious confusion between proposed
EOP-004 and CIP-008 and reporting expectations. Considering the complexity of CIP
incident reporting and the interests of ES-ISAC, it may be beneficial to leave CIP-008
out of the proposed EOP-004 and limit EOP-004 to the reporting interests of NERC.
Attachment 2 (or the DOE Form OE 417) is the reporting form to be used for reporting
a “Cyber Security Incident”.
The flowchart states, “Notification Protocol to State Agency Law Enforcement”.
Please correct this to, “Notification to State, Provincial, or Local Law Enforcement”,
to be consistent with the language in the background section part, “A Reporting
Process Solution - EOP-004”.
The DSR SDT has updated the “Example of reporting Process including Law
Enforcement”, and please note that this is only an “example”.
Measure 4 is not clear enough regarding the extent to which drills should be
performed. Does the measure mean that all events in the events list need to be
drilled or is drilling a subset of the events list sufficient? Please clearly indicate the
extent of drilling that is required or clearly indicate in the requirement the extent of
the drills to be performed is the responsibility of the Responsible Entity to identify in
their “processes”.
Requirement R4 (now R3) has been revised and the measure now reads:
Each Responsible Entity will have dated and time-stamped records to show that the
annual test of Part 1.2 was conducted. Such evidence may include, but are not
limited to, dated and time stamped voice recordings and operating logs or other
communication documentation. (R3)
Evidence Retention - it is not clear what the phrase “prior 3 calendar years”
represents in the third paragraph of this section regarding data retention for
requirements and measures for R2, R3, R4 and M2, M3, M4 respectively. Please
clarify what this means. Is that different than the meaning of “since the last audit for
3 calendar years” for R1 and M1?
This has been revised for clarity and to be consistent with NERC Guidance documents.
The new evidence retention reads:
Each Responsible Entity shall retain the current, in force document plus the
‘date change page’ from each version issued since the last audit or the
current and previous version for Requirements R1, R4 and Measures M1, M4.
Each Responsible Entity shall retain evidence from prior 3 calendar years for
Requirements R2, R3 and Measures M2, M3.
VSL for R2 under Severe regarding R1.1 may require revision considering the
comment regarding R1.1 in item 2 previously stated. In addition, the VRF for R2 is
MEDIUM. R2 is administrative regarding the implementation of the requirements
specified in R1. Documentation and maintenance should be considered LOWER.
There is no VSL for R4 and a VSL for R4 needs to be proposed.
The DSR SDT reviewed and updated both VSLs for the new requirements.
Response: Thank you for your comment. Please see response above.
SPP Standards Review Group
The inclusion of optional entities to which to report events in R1.3 introduces
ambiguity into the standard that we feel needs to be eliminated. We propose the
following replacement language for R1.3: A process for communicating events listed
in Attachment 1 to the Electric Reliability Organization, the Responsible Entity’s
Reliability Coordinator and the Responsible Entity’s Regional Entity. We would also
propose to incorporate the law enforcement and governmental or provincial
agencies mentioned in R1.3 in Attachment 1 by adding them to the existing language
for each of the event cells. For example, the first cell in that column would read: The
parties identified pursuant to R1.3 and applicable law enforcement and
governmental or provincial agencies within 1 hour of recognition of event. Similarly,
the phrase ‘...and applicable law enforcement and governmental or provincial
agencies...’ should be inserted in all the remaining cells in the 4th column.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is to
define its process for reporting and with whom to report events. Requirement R1, Part
1.2 now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations
needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement governmental or
provincial agencies.”
Response: Thank you for your comment. Please see response above.
Santee Cooper
The on-going development of the definition of the BES could have significant impacts
on reporting requirements associated with this standard. The event titled “Risk to the
BES” appears to be a catch-all event and more guidance needs to be provided on this
category.
Several stakeholders expressed concerns relating to the “Forced Intrusion” event. Their
concerns related to ambiguous language in the footnote. The DSR SDT discussed this
event as well as the event “Risk to BES equipment”. These two event types had overlap
in the perceived reporting requirements. The DSR SDT removed “Forced Intrusion” as a
category and the “Risk to BES equipment” event was revised to “A physical threat that
could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The event titled “Damage or Destruction of a Critical Asset or Critical Cyber Asset per
CIP-002” is ambiguous and further guidance is recommended. Ambiguity in a
standard leaves it open to interpretation for all involved.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
Response: Thank you for your comment. Please see response above.
Florida Municipal Power Agency
The Rules of Procedure language for data retention (first paragraph of the Evidence
Retention section) should not be included in the standard, but instead referred to
within the standard (e.g., “Refer to Rules of Procedure, Appendix 4C: Compliance
Monitoring and Enforcement Program, Section 3.1.4.2 for more retention
requirements”) so that changes to the RoP do not necessitate changes to the
standard.
The language incorporated in this section of the standard is boilerplate language
provided by NERC staff for inclusion in each standard.
In R4, it might be worth clarifying that, in this case, implementation of the plan for an
event that does not meet the criteria of Attachment 1 and going beyond the
requirements R2 and R3 could be used as evidence. Consider adding a phrase as such
to M4, or a descriptive footnote that in this case, “actual event” may not be limited
to those in Attachment 1.
Most stakeholders believed that Requirements R2 and R3 were redundant and having
both in the standard was not necessary. Requirement R2 called for implementation of
Parts 1.1, 1.2, 1.4 and 1.5. Requirement R3 called for reporting events in accordance
with the Operating Plan. The DSR SDT deleted Requirement R2 based on stakeholder
comments and revised R3 (now R2) to:
“Requirement R2. Each Responsible Entity shall implement its event reporting Operating
Plan for applicable events listed in EOP-004 Attachment 1, and in accordance with the
timeframe specified in EOP-004 Attachment 1.”
Comments to Attachment 1 table: On “Damage or destruction of Critical Asset” and
“... Critical Cyber Asset”, Version 5 of the CIP standards is moving away from the
binary critical/non-critical paradigm to a high/medium/low risk paradigm. Suggest
adding description that if version 5 is approved by FERC, that “critical” would be
replaced with “high or medium risk”, or include changing this standard to the scope
of the CIP SDT, or consider posting multiple versions of this standard depending on
the outcome of CIP v5 in a similar fashion to how FAC-003 was posted as part of the
GO/TO effort of Project 2010-07.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as stakeholders pointed out that these
events were adequately addressed through the CIP-008 and ‘Damage or Destruction of a
Facility’ reporting thresholds. CIP-008 addresses Cyber Security Incidents which are
defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security
Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber
Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise
rendered unavailable, would affect the reliability or operability of the Bulk
Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a
separate event for “Damage or Destruction of a Critical Asset” is unnecessary.
On “forced intrusion”, the phrase “at BES facility” is open to interpretation as “BES
Facility” (e.g., controversy surrounding CAN-0016) which would exclude control
centers and other critical/high/medium cyber system Physical Security Perimeters
(PSPs). We suggest changing this to “BES Facility or the PSP or Defined Physical
Boundary of critical/high/medium cyber assets”. This change would cause a change
to the applicability of this reportable event to coincide with CIP standard
applicability.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
On “Risk to BES equipment”, that phrase is open to too wide a range of
interpretation; we suggest adding the word “imminent” in front of it, i.e., “Imminent
risk to BES equipment”. For instance, heavy thermal loading puts equipment at risk,
but not imminent risk. Also, “non-environmental” used as the threshold criteria is
ambiguous. For instance, the example in the footnote, if the BES equipment is near
railroad tracks, then trains getting derailed can be interpreted as part of that BES
equipment’s “environment”, defined in Webster’s as “the circumstances, objects, or
conditions by which one is surrounded”. It seems that the SDT really means “non-weather related”, or “Not risks due to Acts of Nature”.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
On “public appeal”, in the threshold, the descriptor “each” should be deleted, e.g., if
a single event causes an entity to be short of capacity, do you really want that entity
reporting each time they issue an appeal via different types of media, e.g., radio, TV,
etc., or for a repeat appeal every several minutes for the same event?
The DSR SDT has updated the event concerning “public appeals” based on comments
received and now reads as: “Public appeal for load reduction event”.
Should LSE be an applicable entity to “loss of firm load”? As proposed, the DP is but
the LSE is not. In an RTO market, will a DP know what is firm and what is non-firm
load? Suggest eliminating DP from the applicability of “system separation”. The
system separation we care about is separation of one part of the BES from another
which would not involve a DP.
The DSR SDT believes the “Entity with Reporting Responsibility” maintains the
minimum number and type of entities that will be required to report such an event.
On “Unplanned Control Center Evacuation”, CIP v5 might add GOP to the
applicability, another reason to add revision of EOP-004-2 to the scope of the CIP v5
drafting team, or in other ways coordinate this SDT with that SDT. Consider posting a
couple of versions of the standard depending on the outcome of CIP v5 in a similar
fashion to the multiple versions of FAC-003 posted with the GO/TO effort of Project
2010-07.
The DSR SDT can only provide information on approved standards, not yet to be
defined standards.
Response: Thank you for your comment. Please see response above.
Dominion
There is still inconsistency in Attachment 1 vs. the DOE OE-417 form; in future
changes, Dominion suggests align/rename events similar to that of the ‘criteria for
filing’ events listed in the DOE OE-417, by working in coordination with the DOE.
Thank you for your comment. Attachment 1 is the basis for EOP-004-2; it contains
the events and thresholds for reporting. OE-417, as well as the EAWG’s requirements,
were considered in creating Attachment 1, but there remain differences for the
following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs;
accommodation of other reporting obligations was considered as an
opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across
North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may
trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Please note that not all entities in North America are required to submit the DOE
Form OE 417.
Minor comment; in the Background section, the drafting team refers to bulk power
system (redline page 5; 1st paragraph and page 7; 2nd paragraph) rather than bulk
electric system.
This has been revised to Bulk Electric System.
The note in Attachment 1 states in part that “the affected Responsible Entity shall
notify parties per R1 and ...” Dominion believes the correct reference to be R3. In
addition, capitalized terms “Event” and “Event Report” are used in this note.
Dominion believes the terms should be non-capitalized as they are not NERC defined
terms.
The DSR SDT has updated this note based on comments received and now reads as:
“NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may
not be possible to report the damage caused by an event and issue a written event
report within the timing in the table below. In such cases, the affected Responsible
Entity shall notify parties per R1 and provide as much information as is available at the
time of the notification. Reports to the ERO should be submitted to one of the following:
e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.”
Attachment 1 - “Detection of a reportable Cyber Security Incident - That meets the
criteria in CIP-008”. This essentially equates the criteria to be defined by the entity
in its procedures as required by CIP-008 R1.1; additional clarification should be
added in Attachment 1 to make this clear.
The DSR SDT believes that this event language provides enough clarity by providing
the minimum events to be reported.
The last sentence in Attachment 2 instructions should clarify that the email, facsimile
and voice communication methods are for ERO notification only.
The DSR SDT agrees and has revised the sentence to include “to the ERO”.
Dominion continues to believe that the drill or exercise specified in R4 is
unnecessary. Dominion suggests deleting this activity in the requirement.
Requirement R4 related to an annual test of the communication portion of
Requirement R1 by a drill or exercise and this has been removed. Requirement R3
now reads: “Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications process in
Part 1.2.”
The DSR SDT envisions that the testing under Requirement R3 will include verification
of contact information contained in the Operating Plan is correct. As an example, the
annual review of the Operating Plan could include calling “others as defined in the
Responsible Entity’s Operating Plan” (see Part 1.2) to verify that their contact
information is up to date. If any discrepancies are noted, the Operating Plan would
be updated.
Response: Thank you for your comment. Please see response above.
Ingleside Cogeneration LP
We are encouraged that the 2009-01 project team has eliminated duplicate
reporting requirements from multiple organizations and governmental agencies.
Ingleside Cogeneration LP believes that there are further improvements that can be
made in this area - as the remaining overlap seems to be a result of legalities and
preferences, not technical issues. We would like to see an ongoing commitment by
NERC for a single process that will consolidate and automate data entry, submission,
and distribution.
Attachment 1 is the basis for EOP-004-2; it contains the events and thresholds for
reporting. OE-417, as well as the EAWG’s requirements, were considered in creating
Attachment 1, but there remain differences for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs; accommodation of other reporting obligations was considered as an opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may trigger further information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use OE-417 rather
than Attachment 2 to report under EOP-004. Note you may have to report the same
event more quickly to the DOE than is required by EOP-004, but this cannot be helped
due to bullet point 2 above.
Please note that not all entities in North America are required to submit the DOE
Form OE 417.
Response: Thank you for your comment. Please see response above.
SERC OC Standards Review
Group
We believe that reporting of the events in Attachment 1 has no reliability benefit to
the bulk electric system. In addition, Attachment 1, in its current form, is likely to be
impossible to implement consistently across North America. A requirement, to be
considered a reliability requirement, must be implementable. We suggest that
Attachment 1 should be removed.
The DSR SDT disagrees with this comment. Attachment 1 is the minimum set of events
that will be required to report and communicate per your Operating Plan will be aware
of system conditions.
We have a question about what looks like a gap in this standard: Assuming one of
the drivers for the standard is to protect against a coordinated physical or cyber
attack on the grid, what happens if the attack occurs in 3-4 geographically diverse
areas? State or provisional law enforcement officials are not accountable under the
standard, so we have no way of knowing if they report the attack to the FBI or the
RCMP. Even if one or two of them did, might not the FBI, in different parts of the
country, interpret it as vandalism, subject to local jurisdiction? It seems that NERC is
the focal point that would have all the reports and, ideally, some knowledge how the
pieces fit together. It looks like NERC’s role is to solely pass information on
“applicable” events to the FERC. Unless the FERC has a 24x7 role not shown in the
standard, should not NERC have some type of assessment responsibility to make
inquiries at the FBI/RCMP on whether they are aware of the potential issue and are
working on it?
“The comments expressed herein represent a consensus of the views
of the above named members of the SERC OC Standards Review group only and
should not be construed as the position of SERC Reliability Corporation, its board or
its officers.”
Requirement R1, Part 1.2 was updated and now reads as: “A process for communicating
each of the applicable events listed in EOP-004 Attachment 1 in accordance with the
timeframes specified in EOP-004 Attachment 1 to the Electric Reliability Organization
and other organizations needed for the event type; i.e. the Regional Entity; company
personnel; the Responsible Entity’s Reliability Coordinator; law enforcement
governmental or provincial agencies.”
By reporting to the ERO all events, this will allow the ERO to coordinate with other
agencies as they see fit.
Response: Thank you for your comment. Please see response above.
ZGlobal on behalf of City of
Ukiah, Alameda Municipal
Power, Salmen River Electric,
City of Lodi
We feel that the drafting team has done an excellent job of providing clarification
and reasonable reporting requirements to the right functional entity. However we
feel additional clarification should be made in the Attachment I Event Table. We
suggest the following modifications:
For the Event: BES Emergency resulting in automatic firm load shedding
Modify the Entity with Reporting Responsibility to: Each DP or TOP that experiences the automatic load shedding within their respective distribution serving or Transmission Operating area.
The DSR SDT believes the “Entity with Reporting Responsibility” contains the minimum
entities that will be required to report and reads as: “Each DP or TOP that experiences
the automatic load shedding”
For the Event: Loss of Firm load for ≥ 15 Minutes
Modify the Entity with Reporting Responsibility to: Each BA, TOP, DP that experiences the loss of firm load within their respective balancing, Transmission operating, or distribution serving area.
The DSR SDT believes the “Entity with Reporting Responsibility” contains the minimum
entities that will be required to report and reads as: “Each BA, TOP, DP that experiences
the loss of firm load”
Response: Thank you for your comment. Please see response above.
PSEG
We have several comments: 1. The “Law Enforcement Reporting” section on p. 6 is
unclearly written. The first three sentences are excerpted here: “The reliability
objective of EOP-004-2 is to prevent outages which could lead to Cascading by
effectively reporting events. Certain outages, such as those due to vandalism and
terrorism, may not be reasonably preventable. These are the types of events that
should be reported to law enforcement.” The outages described prior to the last
sentence are “vandalism and terrorism.” The next sentence states “Entities rely
upon law enforcement agencies to respond to and investigate those events which
have the potential to impact a wider area of the BES.” If the SDT intended to only
have events reported to law enforcement that could lead to Cascading, it should state so
clearly and succinctly. But other language implies otherwise.
The DSR SDT has updated the “Example of reporting Process including Law
Enforcement”, and please note that this is only an “example”.
a. The footnote 1 on Attachment 1 (p. 20) states: “Do not report copper theft from
BES equipment unless it degrades the ability of equipment to operate correctly (e.g.,
removal of grounding straps rendering protective relaying inoperative).” Rendering
a relay inoperative may or may not lead to Cascading.
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “A physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
b. With regard to “forced intrusion,” footnote 2 on Attachment 1 states: “Report if
you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or
spray graffiti is not reportable unless it effects (sic) the reliability of the BES.” The
criterion, or criteria, for reporting an event to law enforcement needs to be
unambiguous. The SDT needs to revise this “Law Enforcement Section” so that is
achieved. The “law enforcement reporting” criterion, or criteria, should also be
added to the flow chart on p. 9. We suggest the following as a starting point for the
team to discuss: there should be two criteria for reporting an event to law
enforcement: (1) BES equipment appears to have been deliberately damaged,
destroyed, or stolen, whether by physical or cyber means, or (2) someone has
gained, or attempted to gain, unauthorized access by forced or unauthorized entry
(e.g., via a stolen employee keycard badge) into BES facilities, including by physical or
cyber means.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity. The footnote was
deleted.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new event
type called ‘A physical threat that could impact the operability of a Facility’. Using
judgment is unavoidable for this type of event. This language was chosen because the
Responsible Entity is in the best position to exercise this judgment and determine whether
or not an event poses a threat to its Facilities. The DSR SDT believes this revised event
type will minimize administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24 hours)
starts when the situation has been determined as a threat, not when it may have first
occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
2. The use of the terms “communicating events” in R1.3, and the use of the term
“communication process” are confusing because in other places such as R3 the term
“reporting” is used. If the SDT intends “communicating” to mean “reporting” as that
latter term is used in R3, it should use the same “reporting” term in lieu of
“communicating” or “communication” elsewhere. Inconsistent terminology causes
confusion. PSEG prefers the word “reporting” because it is better understood.
Requirement R1, Part 1.3 (now Part 1.2) was revised to add clarifying language by
eliminating the phrase “as appropriate” and indicating that the Responsible Entity is to
define its process for reporting and with whom to report events. Requirement R1, Part
1.2 now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to
the Electric Reliability Organization and other organizations needed for the event type;
i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement governmental or provincial agencies.”
The SDT envisions that most entities will only need to slightly modify their existing CIP-001 Sabotage Reporting procedures in order to comply with the Operating Plan
requirement in this proposed standard. As many of the features of both are
substantially similar, the SDT feels that some information may need to be updated and
verified.
3. Attachment 1 needs to more clearly define what is meant by “recognition of an
event.”
a. When equipment or a facility is involved, it would better state within “X”
time (e.g., 1 hour) of “of confirmation of an event by the entity that either owns or
operates the Element or Facility.”
Based on stakeholder comments, Requirement R1 was revised for clarity. Requirement
R1, Part 1.1 was revised to replace the word “identifying” with “recognizing” and Part
1.2 was eliminated. This also aligns the language of the standard with FERC Order 693,
Paragraph 471.
“(2) specify baseline requirements regarding what issues should be addressed in
the procedures for recognizing {emphasis added} sabotage events and making personnel
aware of such events;”
b. Other reports should have a different specification of the starting time of the
reporting deadline clock. For example, in the requirement for reporting a “BES
Emergency requiring public appeal for load reduction,” it is unclear what event is
required to be reported - the “BES Emergency requiring public appeal” or “public
appeal for load reduction.” If the latter is intended, then the event should be
reported within “24 hours after a public appeal for load reduction is first issued.”
These statements need to be reviewed and customized for each event by the SDT so
they are unambiguous.
All one hour reporting timelines have been changed to 24 hours with the exception of a
‘Reportable Cyber Security Incident’. This is maintained due to FERC Order 706,
Paragraph 673:
“…direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
For the remaining events, 24 hours should provide sufficient time to manage the
incident in real-time before having to report and is consistent with current in-force
standard EOP-004-1.
In summary, the starting time for the reporting clock to start running should be made
clear for each event. This will require that the SDT review each event and customize
the starting time appropriately. The phrase “recognition of an event” should not be
used because it is too vague.
Based on stakeholder comments, Requirement R1 was revised for clarity. Part 1.1 was
revised to replace the word “identifying” with “recognizing” and Part 1.2 was
eliminated. This also aligns the language of the standard with FERC Order 693,
Paragraph 471.
“(2) specify baseline requirements regarding what issues should be addressed in
the procedures for recognizing {emphasis added} sabotage events and making personnel
aware of such events;”
4. When EOP-004-2 refers to other standards, it frequently omits the version of the
standard. Example: see the second and third row of Attachment 1 that refers to
“CIP-002.” Include the version on all standards referenced.
References to CIP-002 have been removed from the standard. The intent of referencing
those standards is to prevent rewriting the standard within EOP-004-2. The threshold
for reporting CIP-008 events is written as “That meets the criteria in CIP-008-4 or its
successor.”
Response: Thank you for your comment. Please see response above.
Ameren
Yes. We have the other comments as follow: (1) The "EOP-004 Attachment 1: Events
Table" is quite lengthy and written in a manner that can be quite subjective in
interpretation when determining if an event is reportable. We believe this table
should be clear and unambiguous for consistent and repeatable application by both
reliability entities and a CEA.
The DSR SDT has reviewed and further revised Attachment 1 based on comments
received. We believe that it is both concise and easily interpreted.
The table should be divided into sections such as:
(a) Events that affect the BES that are either clearly sabotage or suspected sabotage after review by an entity's security department and local/state/federal law enforcement.
(b) Events that pose a risk to the BES and that clearly reach a defined threshold, such as load loss, generation loss, public appeal, EEAs, etc. that entities are required to report by the end of the next business day.
(c) Other events that may prove valuable for lessons learned, but are less definitive than required reporting events. These events should be reported voluntarily and not be subject to a CEA for non-reporting.
The DSR SDT received many comments regarding the various entries of Attachment 1.
Many commenters questioned the reliability benefit of reporting events to the ERO
within 1 hour. Most of the events with a one hour reporting requirement were revised
to 24 hours based on stakeholder comments as well as those types of events are
currently required to be reported within 24 hours in the existing mandatory and
enforceable standards. The only remaining type of event that is to be reported within
one hour is “A reportable Cyber Security Incident” as it is required by CIP-008 and FERC
Order 706, Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a
cyber security incident as soon as possible, but in any event, within one hour of
the event…”
The table was reformatted to separate one hour reporting and 24 hour reporting. The
last column of the table was also deleted and the information contained in it was
transferred to the sentence above each table. These sentences are:
“One Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the parties
identified pursuant to Requirement R1, Part 1.2 within one hour of recognition of
the event.”
“Twenty-four Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the
parties identified pursuant to Requirement R1, Part 1.2 within twenty-four hour
of recognition of the event.”
(d) Events identified through other means outside of entity reporting, but due to
their nature, could benefit the industry by an event report with lessons learned.
Requests to report and perform analysis on these types of events should be vetted
through an ERO/Functional Entity process to ensure resources provided to this effort
have an effective reliability benefit.
The DSR SDT has deleted the “lessons learned” language. Requirement R4 now only
requires an annual review of the Operating Plan - the '90 days' and 'other
circumstances' elements have been removed.
(2) Any event reporting shall not in any manner replace or inhibit an Entity's
responsibility to coordinate with other Reliability Entities (such as the RC, TOP, BA,
GOP as appropriate) as required by other Standards, and good utility practice to
operate the electric system in a safe and reliable manner.
The DSR SDT concurs with your comment.
(3) The 1 hour reporting maximum time limit for all GO events in Attachment 1
should be lengthened to something reasonable - at least 24 hours. Operators in our
energy centers are well-trained and if they have good reason to suspect an event
that might have serious impact on the BES will contact the TOP quickly. However,
constantly reporting events that turn out to have no serious BES impact and were
only reported for fear of a violation or self-report will quickly result in a cry wolf
syndrome and a great waste of resources and risk to the GO and the BES. The risk to
the GO will be potential fines, and the risk to the BES will be ignoring events that
truly have an impact on the BES.
The DSR SDT received many comments regarding the various entries of Attachment 1.
Many commenters questioned the reliability benefit of reporting events to the ERO
within 1 hour. Most of the events with a one hour reporting requirement were
revised to 24 hours based on stakeholder comments as well as those types of events
are currently required to be reported within 24 hours in the existing mandatory and
enforceable standards. The only remaining type of event that is to be reported within
one hour is “A reportable Cyber Security Incident” as it is required by CIP-008 and FERC
Order 706, Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact
appropriate government authorities and industry participants in the event of a cyber
security incident as soon as possible, but in any event, within one hour of the event…”
The table was reformatted to separate one hour reporting and 24 hour reporting.
The last column of the table was also deleted and the information contained in it was
transferred to the sentence above each table. These sentences are:
“One Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the parties
identified pursuant to Requirement R1, Part 1.2 within one hour of recognition of the
event.”
“Twenty-four Hour Reporting: Submit Attachment 2 or DOE-OE-417 report to the
parties identified pursuant to Requirement R1, Part 1.2 within twenty-four hour of
recognition of the event.”
(4) The 2nd and 3rd Events on Attachment 1 should be reworded so they do not use
terms that may have been deleted from the NERC Glossary by the time FERC
approves this Standard.
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical
Cyber Assets were removed from Attachment 1, as these events are adequately
addressed through the CIP-008 and ‘Damage or Destruction of a Facility’ reporting
thresholds.
(5) The terms “destruction” and “damage” are key to identifying reportable events.
Neither has been defined in the Standard. The term destruction is usually defined as
100% unusable. However, the term damage can be anywhere from 1% to 99%
unusable and take anywhere from 5 minutes to 5 months to repair. How will we
know what the SDT intended, or an auditor will expect, without additional
information?
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity. The footnote was
deleted.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
These two remaining event categories that aren’t related to power system
phenomena are essential as they effectively translate the intent of CIP-001 into EOP-004.
(6) We also do not understand why “destruction of BES equipment” (first item
Attachment 1, first page) must be reported < 1 hour, but “system separation
(islanding) > 100 MW” (Attachment 1, page 3) does not need to be reported for 24
hours.
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
The ‘Damage or Destruction’ event category has been revised to say ‘to a Facility’, (a
defined term) and thresholds have been modified to provide clarity. The footnote was
deleted.
‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a Facility’.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT
believes this revised event type will minimize administrative burden and ensure that
events meaningful to industry awareness are reported. Note that the reporting
timeline (now revised to 24 hours) starts when the situation has been determined as
a threat, not when it may have first occurred. Also, the footnote only contains
examples.
These two remaining event categories that aren’t related to power system
phenomena are essential as they effectively translate the intent of CIP-001 into EOP-004.
(7) The first 2 Events in Attachment 1 list criteria Threshold for Reporting as
“...operational error, equipment failure, external cause, or intentional or
unintentional human action.” The term “intentional or unintentional human action”
appears to cover “operational error” so these terms appear redundant and create
risk of misreporting. Can this be clarified?
The DSR SDT has updated this language based on comments received and now reads
as: “Damage or destruction of a Facility that:
Affects an IROL (per FAC-014)
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from intentional human action.”
(8) The footnote of the first page of Attachment 1 includes the explanation “...ii)
Significantly affects the reliability margin of the system...” However, the GO is
prevented from seeing the system and has no idea what BES equipment can affect
the reliability margin of the system. Can this be clarified by the SDT?
The DSR SDT has removed all footnotes with the exception of the updated event within
Attachment 1 that states: “A physical threat that could impact the operability of a
Facility”. This event has the following footnote, which states: “Examples include a
train derailment adjacent to a Facility that either could have damaged a Facility
directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also report any
suspicious device or activity at a Facility. Do not report copper theft unless it impacts
the operability of a Facility.”
(9) The use of the term “BES equipment” is problematic for a GO. NERC Team 2010-17 (BES Definition) has told the industry its next work phase will include identifying
the interface between the generator and the transmission system. The 2010-17
current effort at defining the BES still fails to clearly define whether or not generator
tie-lines are part of the BES. In addition, NERC Team 2010-07 may also be assigned
the task of defining the generator/transmission interface and possibly whether or
not these are BES facilities. Can the SDT clarify the use of this term? For example,
does it include the entire generator lead-line from the GSU high-side to the point of
interconnection? Does it include any station service transformer supplied from the
interconnected BES?
The DSR SDT has modified Attachment 1 to bring more clarity. The more subjective
events were rewritten as follows:
• The ‘Damage or Destruction’ event category has been revised to say ‘to a
Facility’, (a defined term) and thresholds have been modified to provide clarity.
The footnote was deleted.
• ‘Forced intrusion’ and ‘Risk to BES Equipment’ have been combined under a new
event type called ‘A physical threat that could impact the operability of a
Facility’. Using judgment is unavoidable for this type of event. This language
was chosen because the Responsible Entity is in the best position to exercise this
judgment and determine whether or not an event poses a threat to its
Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry
awareness are reported. Note that the reporting timeline (now revised to 24
hours) starts when the situation has been determined as a threat, not when it
may have first occurred. Also, the footnote only contains examples.
These two remaining event categories that aren’t related to power system phenomena
are essential as they effectively translate the intent of CIP-001 into EOP-004.
Response: Thank you for your comment. Please see response above.
Performance Analysis
Subcommittee
There continues to be some confusion regarding whether the loss of firm load was
consistent with the planned operation of the system or was an unintended
consequence. As such it might be helpful if instead of a single check box for loss of
firm load there were two check boxes 1) loss of firm load – consequential and 2) loss
of firm load non-consequential.
Thank you for your comment. The DSR SDT believes that Attachment 2 contains the
minimum amount of information under this standard. Any entity reporting an event
can add as much information as they see fit.
Response: Thank you for your comment. Please see response above.
Southwestern Power
Administration's
"Attachment 1 contains elements that do not need to be included, and redundant
elements such as:
Forced intrusion at BES Facility - A facility break-in does not necessarily mean that the
facility has been impacted or has undergone damage or destruction.
The DSR SDT discussed this event as well as the event “Risk to BES equipment”. These
two event types had overlap in the perceived reporting requirements. The DSR SDT
removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “Any physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen
because the Responsible Entity is in the best position to exercise this judgment and
determine whether or not an event poses a threat to its Facilities. The DSR SDT believes
this revised event type will minimize administrative burden and ensure that events
meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance
in:
“Examples include a train derailment adjacent to a Facility that either could have
damaged a Facility directly or could indirectly damage a Facility (e.g. flammable or
toxic cargo that could pose fire hazard or could cause evacuation of a control center).
Also report any suspicious device or activity at a Facility. Do not report copper theft
unless it impacts the operability of a Facility.”
Detection of a reportable Cyber Security Incident per CIP-008 - If entities are
addressing this requirement in CIP-008, why do so again in EOP-004 (Attachment 2-EOP-004, Reporting Requirement number 5)?
The reporting aspects of CIP-008 have been removed from CIP-008 and are included in
EOP-004. Please see the Implementation Plan with regards to the retirement of CIP-008, R1.3
Transmission Loss: Each TOP that experiences transmission loss of three or more
facilities - This element should be removed or rewritten so that it only applies when
the loss includes a contingent element of an IROL facility."
The DSR SDT disagrees with limiting this type of event to only “a contingent element
of an IROL facility.” It is important for situational awareness and trending analysis to
have these types of events reported.
Response: Thank you for your comment. Please see response above.
The Performance Analysis
Subcommittee
There continues to be some confusion regarding whether the loss of firm load was
consistent with the planned operation of the system or was an unintended
consequence. As such it might be helpful if instead of a single check box for loss of
firm load there were two check boxes 1) loss of firm load – consequential and 2) loss
of firm load non-consequential.
The DSR SDT believes that this information should be obtained in follow up through
the Events Analysis Program. The reporting entity may have concerns or difficulties in
determining if load is consequential or non-consequential in its initial analysis for the
report. Further investigation outside of the reporting time of 24 hours may be
needed to make this determination.
Response: Thank you for your comment. Please see response above.
Xcel Energy
Los Angeles Department of
Water and Power
Liberty Electric Power
Nebraska Public Power
District
Southwestern Power
Administration
Electric Reliability Council of
Texas, Inc.
END OF REPORT
EOP-004-2 — Event Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April, 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
5. Initial Informal Comment Period (September 15 – October 15, 2010)
6. Second Comment Period (Formal) (March 9 – April 8, 2011)
7. Third Comment Period and Initial Ballot (October 28 – December 12, 2011)
Proposed Action Plan and Description of Current Draft
This is the fourth posting of the proposed standard in accordance with Results-Based Criteria.
The drafting team requests posting for a 30-day formal comment period concurrent with the
formation of the ballot pool and the successive ballot.
Future Development Plan
Anticipated Actions | Anticipated Date
Drafting team considers comments, makes conforming changes on third posting | January - March 2012
Fourth Comment/Ballot period | March – April 2012
Recirculation Ballot period | May 2012
Receive BOT approval | June 2012
File with regulatory authorities | August 2012
Draft 4: April 24, 2012
Effective Dates
EOP-004-2 shall become effective on the first day of the third calendar quarter after applicable
regulatory approval. In those jurisdictions where no regulatory approval is required, this
standard shall become effective on the first day of the third calendar quarter after Board of
Trustees approval, or as otherwise made effective pursuant to the laws applicable to such ERO
governmental authorities.
Version History
Version | Date | Action | Change Tracking
2 | Draft 4: April 24, 2012 | Merged CIP-001-2a Sabotage Reporting and EOP-004-1 Disturbance Reporting into EOP-004-2 Event Reporting; Retire CIP-001-2a Sabotage Reporting and Retired EOP-004-1 Disturbance Reporting. Retire CIP-008-3, Requirement 1, Part 1.3. | Revision to entire standard (Project 2009-01)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
None
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
A. Introduction
1. Title: Event Reporting
2. Number: EOP-004-2
3. Purpose: To improve the reliability of the Bulk Electric System by requiring the
reporting of events by Responsible Entities.
4. Applicability
4.1. Functional Entities: Within the context of EOP-004-2, the term “Responsible
Entity” shall include the following entities as shown in EOP-004 Attachment 1:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Interchange Coordinator
4.1.4. Transmission Service Provider
4.1.5. Transmission Owner
4.1.6. Transmission Operator
4.1.7. Generator Owner
4.1.8. Generator Operator
4.1.9. Distribution Provider
4.1.10. Load Serving Entity
4.1.11. Electric Reliability Organization
4.1.12. Regional Entity
5. Background:
NERC established a SAR Team in 2009 to investigate and propose revisions to the CIP-001 and
EOP-004 Reliability Standards. The team was asked to consider the following:
1. CIP-001 could be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 had some ‘fill-in-the-blank’ components to eliminate.
The development included other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient Bulk Electric System reliability standards.
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC SC in August of 2009. The Disturbance and Sabotage Reporting
Standard Drafting Team (DSR SDT) was formed in late 2009.
The DSR SDT developed a concept paper to solicit stakeholder input regarding the proposed
reporting concepts that the DSR SDT had developed. The posting of the concept paper sought
comments from stakeholders on the “road map” that will be used by the DSR SDT in updating or
revising CIP-001 and EOP-004. The concept paper provided stakeholders the background
information and thought process of the DSR SDT. The DSR SDT has reviewed the existing
standards, the SAR, issues from the NERC issues database and FERC Order 693 Directives in
order to determine a prudent course of action with respect to revision of these standards.
Summary of Key Concepts
The DSR SDT identified the following principles to assist them in developing the standard:
• Develop a single form to report disturbances and events that threaten the reliability of the
Bulk Electric System
• Investigate other opportunities for efficiency, such as development of an electronic form
and possible inclusion of regional reporting requirements
• Establish clear criteria for reporting
• Establish consistent reporting timelines
• Provide clarity around who will receive the information and how it will be used
During the development of concepts, the DSR SDT considered the FERC directive to “further
define sabotage”. There was concern among stakeholders that a definition may be ambiguous
and subject to interpretation. Consequently, the DSR SDT decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act or
event was sabotage or vandalism without the intervention of law enforcement. The DSR SDT
felt that attempting to define sabotage would result in further ambiguity with respect to reporting
events. The term “sabotage” is no longer included in the standard. The events listed in EOP-004
Attachment 1 were developed to provide guidance for reporting both actual events as well as
events which may have an impact on the Bulk Electric System. The DSR SDT believes that this
is an equally effective and efficient means of addressing the FERC Directive.
The types of events that are required to be reported are contained within EOP-004 Attachment 1.
The DSR SDT has coordinated with the NERC Events Analysis Working Group to develop the
list of events that are to be reported under this standard. EOP-004 Attachment 1 pertains to those
actions or events that have impacted the Bulk Electric System. These events were previously
reported under EOP-004-1, CIP-001-1 or the Department of Energy form OE-417. EOP-004
Attachment 1 covers similar items that may have had an impact on the Bulk Electric System or
have the potential to have an impact and should be reported.
The DSR SDT wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in EOP-004 Attachment 1. Real-time reporting is
achieved through the RCIS and is covered in other standards (e.g. the TOP family of standards).
The proposed standard deals exclusively with after-the-fact reporting.
Data Gathering
The requirements of EOP-004-1 require that entities “promptly analyze Bulk Electric System
disturbances on its system or facilities” (Requirement R2). The requirements of EOP-004-2
specify that certain types of events are to be reported but do not include provisions to analyze
events. Events reported under EOP-004-2 may trigger further scrutiny by the ERO Events
Analysis Program. If warranted, the Events Analysis Program personnel may request that more
data for certain events be provided by the reporting entity or other entities that may have
experienced the event. Entities are encouraged to become familiar with the Events Analysis
Program and the NERC Rules of Procedure to learn more about the expectations of the
program.
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by
effectively reporting events. Certain outages, such as those due to vandalism and terrorism, may
not be reasonably preventable. These are the types of events that should be reported to law
enforcement. Entities rely upon law enforcement agencies to respond to and investigate those
events which have the potential to impact a wider area of the BES. The inclusion of reporting to
law enforcement enables and supports reliability principles such as protection of Bulk Electric
System from malicious physical or cyber attack. The Standard is intended to reduce the risk of
Cascading events. BES awareness of surrounding threats is essential to the
effective operation and planning needed to mitigate the potential risk to the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO), Regional Entity
• FERC
• DOE
• NRC
• DHS – Federal
• Homeland Security – State
• State Regulators
• Local Law Enforcement
• State or Provincial Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP)
The above stakeholders have an interest in the timely notification, communication and response
to an incident at an industry facility. The stakeholders have various levels of accountability and
have a vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001-1a:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The CIP-001-1a standard requires a liaison relationship on behalf of the
industry and the FBI or RCMP. Annual requirements, under the standard, of the industry have
not been clear and have led to misunderstandings and confusion in the industry as to how to
demonstrate that the liaison is in place and effective. As an example of proof of compliance with
Requirement R4, responsible entities have asked FBI Office personnel to provide, on FBI
letterhead, confirmation of the existence of a working relationship to report acts of sabotage, the
number of years the liaison relationship has been in existence, and the validity of the telephone
numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, committed
investigators, analysts, linguists, SWAT experts, and other specialists from dozens of U.S. law
enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the Justice
Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communications occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flow freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to an industry incident has come from local and state law enforcement agencies
responding to suspected vandalism and criminal damage at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The Provincial
law enforcement agency has a reporting relationship with the Royal Canadian Mounted Police
(RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator and the
SDT Chair is reflected in the flowchart below (Reporting Hierarchy for Reportable Events).
Essentially, reporting an event to law enforcement agencies will only require the industry to
notify the state or provincial or local level law enforcement agency. The state or provincial or
local level law enforcement agency will coordinate with law enforcement with jurisdiction to
investigate. If the state or provincial or local level law enforcement agency decides federal
agency law enforcement or the RCMP should respond and investigate, the state or provincial or
local level law enforcement agency will notify and coordinate with the FBI or the RCMP.
[Flowchart: Example of Reporting Process including Law Enforcement. Box labels: Entity Experiencing An Event in Attachment 1; Report to Law Enforcement? (YES / NO); Refer to Ops Plan for Reporting; Refer to Ops Plan for communicating to law enforcement; Communicate to Law Enforcement; Report Event to ERO, Reliability Coordinator; Notification Protocol to State Agency Law Enforcement; ERO conducts investigation; State Agency Law Enforcement coordinates as appropriate with FBI; ERO Events Analysis; Criminal act invoking federal jurisdiction? (YES / NO); ERO Reports Applicable Events to FERC Per Rules of Procedure; State Agency Law Enforcement Investigates; State Agency Law Enforcement notifies FBI; FBI Responds and makes notification to DHS.]
* Canadian entities will follow law enforcement protocols applicable in their jurisdictions
B. Requirements and Measures
R1. Each Responsible Entity shall have an event reporting Operating Plan that includes: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for recognizing each of the applicable events listed in EOP-004 Attachment 1 (except for Cyber Security Incidents characterized and classified according to the requirements in CIP-008-3 or its successor).
1.2. A process for communicating each of the applicable events listed in EOP-004 Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric Reliability Organization and other organizations needed for the event type; i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator; law enforcement, governmental or provincial agencies.
M1. Each Responsible Entity will have a current, dated, event reporting Operating Plan which includes Parts 1.1 – 1.2.
Rationale for R1
The requirement to have an Operating Plan for
reporting specific types of events provides the entity
with a method to have its operating personnel
recognize events that affect reliability and to be able
to report them to appropriate parties; i.e. Regional
Entities, applicable Reliability Coordinators, and
law enforcement and other jurisdictional agencies
when so recognized. In addition, these event reports
are an input to the NERC Events Analysis Program.
These other parties use this information to promote
reliability, develop a culture of reliability
excellence, provide industry collaboration and
promote a learning organization.
Every industry participant that owns or operates
elements or devices on the grid has a formal or
informal process, procedure, or steps it takes to
gather information regarding what happened when
events occur. This requirement has the Responsible
Entity establish documentation on how that
procedure, process, or plan is organized. This
documentation may be a single document or a
combination of various documents that achieve the
reliability objective.
Part 1.1 clarifies that entities must address each of
the “applicable” events listed in EOP-004
Attachment 1. Not all responsible entities must
address all events; e.g., some events are only
applicable to the Reliability Coordinator. Part 1.1
acknowledges that Cyber Security Incidents are
characterized and classified according to the
requirements in CIP-008-3.
Part 1.2 could include a process flowchart,
identification of internal and external personnel or
entities to be notified, or a list of personnel by name
and their associated contact information.
An existing procedure that meets the requirements
of CIP-001-2a may be included in this Operating
Plan along with other processes, procedures or plans
to meet this requirement.
R2. Each Responsible Entity shall implement
its event reporting Operating Plan for
applicable events listed in EOP-004
Attachment 1, and in accordance with the
timeframe specified in EOP-004
Attachment 1. [Violation Risk Factor:
Medium] [Time Horizon: Operations
Assessment]
M2. Each Responsible Entity will have, for
each event experienced, a dated copy of
the completed EOP-004 Attachment 2
form or DOE form OE-417 report
submitted for that event; and dated and
time-stamped transmittal records to show
that the event was reported supplemented
by operator logs or other operating
documentation. Other forms of evidence
may include, but are not limited to, dated
and time stamped voice recordings and
operating logs or other operating
documentation for situations where filing
a written report was not possible. (R2)
R3. Each Responsible Entity shall conduct an
annual test, not including notification to
the Electric Reliability Organization, of
the communications process in Part 1.2.
[Violation Risk Factor: Medium] [Time
Horizon: Operations Planning]
M3. Each Responsible Entity will have dated
and time-stamped records to show that the
annual test of Part 1.2 was conducted.
Such evidence may include, but are not
limited to, dated and time stamped voice
recordings and operating logs or other
communication documentation. The
annual test requirement is considered to be
met if the responsible entity implements
the communications process in Part 1.2 for
an actual event. (R3)
Rationale for R2
Each Responsible Entity must report and
communicate events according to its
Operating Plan after the fact based on the
information in EOP-004 Attachment 1.
By implementing the event reporting
Operating Plan, the Responsible Entity
will assure situational awareness to the
Electric Reliability Organization and
other organizations needed for the event
type; i.e. the Regional Entity; company
personnel; the Responsible Entity’s
Reliability Coordinator; law
enforcement, governmental or provincial
agencies as deemed necessary by the
Registered Entity. By communicating
events per the Operating Plan, the
Responsible Entity will assure that
people/agencies are aware of the current
situation and they may prepare to
mitigate current and further events.
Rationale for R3 and R4
Requirements 3 and 4 call for an annual test
of the communications process in Part
1.2 as well as an annual review of the
event reporting Operating Plan. These
two requirements help ensure that the
event reporting Operating Plan is up to
date and entities will be effective in
reporting events to assure situational
awareness to the Electric Reliability
Organization and their Reliability
Coordinator. This will assure that the
BES remains secure and stable by
mitigation actions that the Reliability
Coordinator has within its function.
R4. Each Responsible Entity shall conduct an annual review of the event reporting Operating
Plan in Requirement R1. [Violation Risk Factor: Medium] [Time Horizon: Operations
Planning]
M4. Each Responsible Entity will have dated and time-stamped records to show that the annual
review of the event reporting Operating Plan was conducted. Such evidence may include,
but are not limited to, the current document plus the ‘date change page’ from each version
that was reviewed. (R4)
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
The Regional Entity shall serve as the Compliance Enforcement Authority unless the
applicable entity is owned, operated, or controlled by the Regional Entity. In such
cases the ERO or a Regional Entity approved by FERC or other applicable
governmental authority shall serve as the CEA.
For NERC, a third-party monitor without vested interest in the outcome for
NERC shall serve as the Compliance Enforcement Authority.
1.2 Evidence Retention
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time since
the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period since
the last audit.
Each Responsible Entity shall retain the current document plus the ‘date change
page’ from each version issued since the last audit for Requirements R1, R4 and
Measures M1, M4.
Each Responsible Entity shall retain evidence from prior 3 calendar years for
Requirements R2, R3 and Measure M2, M3.
If a Registered Entity is found non-compliant, it shall keep information related to
the non-compliance until mitigation is complete and approved or for the duration
specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
requested and submitted subsequent audit records.
1.3 Compliance Monitoring and Enforcement Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
1.4 Additional Compliance Information
None
Table of Compliance Elements
R# | Time Horizon | VRF | Violation Severity Levels: Lower VSL | Moderate VSL | High VSL | Severe VSL
R1 | Operations Planning | Lower | N/A | N/A | The Responsible Entity has an event reporting Operating Plan but failed to include one of Parts 1.1 through 1.2. | The Responsible Entity failed to include both Parts 1.1 and 1.2.
R2 | Operations Assessment | Medium | The Responsible Entity submitted a report more than 24 hours but less than or equal to 36 hours after an event requiring reporting within 24 hours in EOP-004 Attachment 1. OR The Responsible Entity submitted a report in the appropriate timeframe but failed to provide all of the required information. | The Responsible Entity submitted a report more than 36 hours but less than or equal to 48 hours after an event requiring reporting within 24 hours in EOP-004 Attachment 1. OR The Responsible Entity submitted a report more than 1 hour but less than 2 hours after an event requiring reporting within 1 hour in EOP-004 Attachment 1. | The Responsible Entity submitted a report more than 48 hours but less than or equal to 60 hours after an event requiring reporting within 24 hours in EOP-004 Attachment 1. OR The Responsible Entity submitted a report more than 2 hours but less than 3 hours after an event requiring reporting within 1 hour in EOP-004 Attachment 1. | The Responsible Entity submitted a report more than 60 hours after an event requiring reporting within 24 hours in EOP-004 Attachment 1. OR The Responsible Entity submitted a report more than 3 hours after an event requiring reporting within 1 hour in EOP-004 Attachment 1. OR The Responsible Entity failed to submit a report for an event in EOP-004 Attachment 1.
R3 | Operations Planning | Medium | The Responsible Entity performed the annual test of the communications process in Part 1.2 but was late by less than one calendar month. | The Responsible Entity performed the annual test of the communications process in Part 1.2 but was late by one calendar month or more but less than two calendar months. | The Responsible Entity performed the annual test of the communications process in Part 1.2 but was late by two calendar months or more but less than three calendar months. | The Responsible Entity performed the annual test of the communications process in Part 1.2 but was late by three calendar months or more. OR The Responsible Entity failed to perform the annual test of the communications process in Part 1.2.
R4 | Operations Planning | Medium | The Responsible Entity performed the annual review of the event reporting Operating Plan but was late by less than one calendar month. | The Responsible Entity performed the annual review of the event reporting Operating Plan but was late by one calendar month or more but less than two calendar months. | The Responsible Entity performed the annual review of the event reporting Operating Plan but was late by two calendar months or more but less than three calendar months. | The Responsible Entity performed the annual review of the event reporting Operating Plan but was late by three calendar months or more. OR The Responsible Entity failed to perform the annual review of the event reporting Operating Plan
D. Variances
None.
E. Interpretations
None.
F. Interpretations
Guideline and Technical Basis (attached).
EOP-004 - Attachment 1: Reportable Events
NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may not be possible to report the damage caused by
an event and issue a written Event Report within the timing in the table below. In such cases, the affected Responsible Entity shall
notify parties per Requirement R1 and provide as much information as is available at the time of the notification. Submit reports to
the ERO via one of the following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.
One Hour Reporting: Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties identified pursuant to
Requirement R1, Part 1.2 within one hour of recognition of the event.
Event | Entity with Reporting Responsibility | Threshold for Reporting
A reportable Cyber Security Incident. | Each Responsible Entity applicable under CIP-008-3 or its successor that experiences the Cyber Security Incident | That meets the criteria in CIP-008-3 or its successor
Rationale Box for EOP-004 Attachment 1:
The DSR SDT used the defined term “Facility” to add clarity for several events listed in Attachment 1.
A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a
line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any other facility
(not a defined term) that one might consider in everyday discussions regarding the grid. This is
intended to mean ONLY a Facility as defined above.
Twenty-four Hour Reporting: Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties identified pursuant to
Requirement R1, Part 1.2 within twenty-four hours of recognition of the event.
Event | Entity with Reporting Responsibility | Threshold for Reporting
Damage or destruction of a Facility | Each BA, TO, TOP, GO, GOP, DP that experiences the damage or destruction of a Facility | Damage or destruction of a Facility that: Affects an IROL (per FAC-014) OR Results in the need for actions to avoid an Adverse Reliability Impact OR Results from actual or suspected intentional human action.
Any physical threat that could impact the operability of a Facility [1] | Each RC, BA, TO, TOP, GO, GOP, DP that experiences the event | Threat to a Facility excluding weather related threats.
BES Emergency requiring public appeal for load reduction | Initiating entity is responsible for reporting | Public appeal for load reduction event
BES Emergency requiring system-wide voltage reduction | Initiating entity is responsible for reporting | System wide voltage reduction of 3% or more
BES Emergency requiring manual firm load shedding | Initiating entity is responsible for reporting | Manual firm load shedding ≥ 100 MW
BES Emergency resulting in automatic firm load shedding | Each DP or TOP that implements automatic load shedding | Firm load shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding schemes, or SPS/RAS)
Voltage deviation on a Facility | Each TOP that observes the voltage deviation | ± 10% sustained for ≥ 15 continuous minutes
IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only) | Each RC that experiences the IROL Violation (all Interconnections) or SOL violation for Major WECC Transfer Paths (WECC only) | Operate outside the IROL for time greater than IROL Tv (all Interconnections) or Operate outside the SOL for more than 30 minutes for Major WECC Transfer Paths (WECC only).
Loss of firm load for ≥ 15 Minutes | Each BA, TOP, DP that experiences the loss of firm load | • ≥ 300 MW for entities with previous year’s demand ≥ 3,000 MW • ≥ 200 MW for all other entities
System separation (islanding) | Each RC, BA, TOP, DP that experiences the system separation | Each separation resulting in an island of generation and load ≥ 100 MW
Generation loss | Each BA, GOP that experiences the generation loss | • ≥ 2,000 MW for entities in the Eastern or Western Interconnection • ≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection
Complete loss of off-site power to a nuclear generating plant (grid supply) | Each TO, TOP that experiences the complete loss of off-site power to a nuclear generating plant | Affecting a nuclear generating station per the Nuclear Plant Interface Requirement
Transmission loss | Each TOP that experiences the transmission loss | Unintentional loss of three or more Transmission Facilities (excluding successful automatic reclosing)
Unplanned control center evacuation | Each RC, BA, TOP that experiences the event | Unplanned evacuation from BES control center facility for 30 minutes or more.
Loss of all voice communication capability | Each RC, BA, TOP that experiences the loss of all voice communication capability | Affecting a BES control center for ≥ 30 continuous minutes
Complete or partial loss of monitoring capability | Each RC, BA, TOP that experiences the complete or partial loss of monitoring capability | Affecting a BES control center for ≥ 30 continuous minutes such that analysis tools (State Estimator, Contingency Analysis) are rendered inoperable.
[1] Examples include a train derailment adjacent to a Facility that either could have damaged a Facility directly or could indirectly damage a Facility (e.g.
flammable or toxic cargo that could pose fire hazard or could cause evacuation of a control center). Also report any suspicious device or activity at a Facility.
Do not report copper theft unless it impacts the operability of a Facility.
EOP-004-2 — Event Reporting
EOP-004-2 — Event Reporting
EOP-004 - Attachment 2: Event Reporting Form
Use this form to report events. The Electric Reliability Organization and the Responsible Entity’s
Reliability Coordinator will accept the DOE OE-417 form in lieu of this form if the entity is
required to submit an OE-417 report. Submit reports to the ERO via one of the following: e-mail:
esisac@nerc.com, Facsimile: 609-452-9550, voice: 609-452-1422.
Task / Comments
1. Entity filing the report include:
Company name:
Name of contact person:
Email address of contact person:
Telephone Number:
Submitted by (name):
2. Date and Time of recognized event.
Date: (mm/dd/yyyy)
Time: (hh:mm)
Time/Zone:
3. Did the event originate in your system?
[ ] Yes
[ ] No
[ ] Unknown
4. Event Identification and Description:
(Check applicable box)
[ ] public appeal
[ ] voltage reduction
[ ] manual firm load shedding
[ ] firm load shedding (undervoltage, underfrequency, SPS/RAS)
[ ] voltage deviation
[ ] IROL violation
[ ] loss of firm load
[ ] system separation (islanding)
[ ] generation loss
[ ] complete loss of off-site power to nuclear generating plant
[ ] transmission loss
[ ] damage or destruction of Facility
[ ] unplanned control center evacuation
[ ] loss of all voice communication capability
[ ] complete or partial loss of monitoring capability
[ ] physical threat that could impact the operability of a Facility
[ ] reportable Cyber Security Incident
Written description (optional):
Guideline and Technical Basis
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and has
developed updated standards based on the SAR.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The changes do not include any real-time operating notifications for the types of events covered
by CIP-001 and EOP-004. The real-time reporting requirements are achieved through the RCIS
and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies). This
standard deals exclusively with after-the-fact reporting.
The DSR SDT has consolidated disturbance and sabotage event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard:
• Requires reporting of “events” that impact or may impact the reliability of the Bulk
Electric System
• Provides clear criteria for reporting
• Includes consistent reporting timelines
• Identifies appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provides clarity around who will receive the information
Discussion of Disturbance Reporting
Disturbance reporting requirements existed in the previous version of EOP-004. The current
approved definition of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria were in the previous EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of events that are to be reported under this standard (EOP-004 Attachment 1).
Discussion of Event Reporting
There are situations worthy of reporting because they have the potential to impact reliability.
Event reporting facilitates industry awareness, which allows potentially impacted parties to
prepare for and possibly mitigate any associated reliability risk. It also provides the raw material,
in the case of certain potential reliability threats, to see emerging patterns.
Examples of such events include:
• Bolts removed from transmission line structures
• Detection of cyber intrusion that meets criteria of CIP-008-3 or its successor standard
• Forced intrusion attempt at a substation
• Train derailment near a transmission right-of-way
• Destruction of Bulk Electric System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electric System using the event
categorization in this standard, it will be easier to get the relevant information for mitigation,
awareness, and tracking, while removing the distracting element of motivation.
Certain types of events should be reported to NERC, the Department of Homeland Security
(DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law enforcement.
Other types of events may have different reporting requirements. For example, an event that is
related to copper theft may only need to be reported to the local law enforcement authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. The standard requires Functional entities to report the
incidents and provide known information at the time of the report. Further data gathering
necessary for event analysis is provided for under the Events Analysis Program and the NERC
Rules of Procedure. Other entities (e.g., NERC, Law Enforcement, etc.) will be responsible for
performing the analyses. The NERC Rules of Procedure (section 800) provide an overview of
the responsibilities of the ERO with regard to analysis and dissemination of information for
reliability. Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial
Regulators, and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT has updated the listing of reportable events in EOP-004
Attachment 1 based on discussions with jurisdictional agencies, NERC, Regional Entities and
stakeholder input. There is a possibility that regional differences still exist.
The reporting required by this standard is intended to meet the uses and purposes of NERC. The
DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information should not be
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be included or attached to the NERC
report, in lieu of entering that information on the NERC report.
Draft 4: April 24, 2012
EOP-004-2 — Event Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April, 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
5. Initial Informal Comment Period (September 15 – October 15, 2010)
6. Second Comment Period (Formal) (March 9 – April 8, 2011)
7. Third Comment Period and Initial Ballot (October 28 – December 12, 2011)
Proposed Action Plan and Description of Current Draft
This is the thirdfourth posting of the proposed standard in accordance with Results-Based
Criteria. The drafting team requests posting for a 4530-day formal comment period concurrent
with the formation of the ballot pool and the initialsuccessive ballot.
Future Development Plan
Anticipated Actions
Drafting team considers comments, makes conforming changes on
secondthird posting
Receive BOT approval
Anticipated Date
April - October
2011January March 2012
NovemberDecember
2011March – April
2012
December 2011May
2012
FebruaryJune 2012
File with regulatory authorities
August 2012
ThirdFourth Comment/Ballot period
Recirculation Ballot period
Draft 3: October 25, 20114: March 15, 2012April 24, 2012
Effective Dates
EOP-004-2 shall become effective on the first day of the third calendar quarter after applicable
regulatory approval. In those jurisdictions where no regulatory approval is required, this
standard shall become effective on the first day of the third calendar quarter after Board of
Trustees approval, or as otherwise made effective pursuant to the laws applicable to such ERO
governmental authorities.
Version History
Version: 2
Date:
Action: Merged CIP-001-2a Sabotage Reporting and EOP-004-1 Disturbance Reporting
into EOP-004-2 Impact Event Reporting; Retire CIP-001-2a Sabotage
Reporting and Retired EOP-004-1 Disturbance Reporting. Retire CIP-00843, Requirement 1, Part 1.3.
Change Tracking: Revision to entire standard (Project 2009-01)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
None
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
A. Introduction
1. Title: Event Reporting
2. Number: EOP-004-2
3. Purpose: To improve industry awareness and the reliability of the Bulk Electric
System by requiring the reporting of events with the potential to impact
reliability and their causes, if known, by theby Responsible Entities.
4. Applicability
4.1. Functional Entities: Within the context of EOP-004-2, the term “Responsible
Entity” shall meaninclude the following entities as shown in EOP-004
Attachment 1:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Interchange Coordinator
4.1.4. Transmission Service Provider
4.1.5. Transmission Owner
4.1.6. Transmission Operator
4.1.7. Generator Owner
4.1.8. Generator Operator
4.1.9. Distribution Provider
4.1.10. Load Serving Entity
4.1.11. Electric Reliability Organization
4.1.12. Regional Entity
5. Background:
NERC established a SAR Team in 2009 to investigate and propose revisions to the CIP-001 and
EOP-004 Reliability Standards. The team was asked to consider the following:
1. CIP-001 could be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 had some ‘fill-in-the-blank’ components to eliminate.
The development included other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power systemBulk Electric System reliability
standards.
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC SC in August of 2009. The Disturbance and Sabotage Reporting
Standard Drafting Team (DSR SDT) was formed in late 2009.
The DSR SDT developed a concept paper to solicit stakeholder input regarding the proposed
reporting concepts that the DSR SDT had developed. The posting of the concept paper sought
comments from stakeholders on the “road map” that will be used by the DSR SDT in updating or
revising CIP-001 and EOP-004. The concept paper provided stakeholders the background
information and thought process of the DSR SDT. The DSR SDT has reviewed the existing
standards, the SAR, issues from the NERC issues database and FERC Order 693 Directives in
order to determine a prudent course of action with respect to revision of these standards.
Summary of Key Concepts
The DSR SDT identified the following principles to assist them in developing the standard:
• Develop a single form to report disturbances and events that threaten the reliability of the
bulk electric systemBulk Electric System
• Investigate other opportunities for efficiency, such as development of an electronic form
and possible inclusion of regional reporting requirements
• Establish clear criteria for reporting
• Establish consistent reporting timelines
• Provide clarity around who will receive the information and how it will be used
During the development of concepts, the DSR SDT considered the FERC directive to “further
define sabotage”. There was concern among stakeholders that a definition may be ambiguous
and subject to interpretation. Consequently, the DSR SDT decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act or
event was sabotage or vandalism without the intervention of law enforcement. The DSR SDT
felt that attempting to define sabotage would result in further ambiguity with respect to reporting
events. The term “sabotage” is no longer included in the standard. The events listed in EOP-004
Attachment 1 were developed to provide guidance for reporting both actual events as well as
events which may have an impact on the Bulk Electric System. The DSR SDT believes that this
is an equally effective and efficient means of addressing the FERC Directive.
The types of events that are required to be reported are contained within EOP-004 Attachment 1.
The DSR SDT has coordinated with the NERC Events Analysis Working Group to develop the
list of events that are to be reported under this standard. EOP-004 Attachment 1, Part A pertains
to those actions or events that have impacted the Bulk Electric System. These events were
previously reported under EOP-004-1, CIP-001-1 or the Department of Energy form OE-417.
EOP-004 Attachment 1, Part B covers similar items that may have had an impact on the Bulk
Electric System or has the potential to have an impact and should be reported.
The DSR SDT wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in EOP-004 Attachment 1. Real-time reporting is
achieved through the RCIS and is covered in other standards (e.g. the TOP family of standards).
The proposed standard deals exclusively with after-the-fact reporting.
Data Gathering
The requirements of EOP-004-1 require that entities “promptly analyze Bulk Electric System
disturbances on its system or facilities” (Requirement R2). The requirements of EOP-004-2
specify that certain types of events are to be reported but do not include provisions to analyze
events. Events reported under EOP-004-2 may trigger further scrutiny by the ERO Events
Analysis Program. If warranted, the Events Analysis Program personnel may request that more
data for certain events be provided by the reporting entity or other entities that may have
experienced the event. Entities are encouraged to become familiar with the Events Analysis
Program and the NERC Rules of Procedure to learn more about the expectations of the
program.
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by
effectively reporting events. Certain outages, such as those due to vandalism and terrorism, may
not be reasonably preventable. These are the types of events that should be reported to law
enforcement. Entities rely upon law enforcement agencies to respond to and investigate those
events which have the potential to impact a wider area of the BES. The inclusion of reporting to
law enforcement enables and supports reliability principles such as protection of bulk power
systemsBulk Electric System from malicious physical or cyber attack. The Standard is intended
to reduce the risk of Cascading events. The importance of BES awareness of the threat around
them is essential to the effective operation and planning to mitigate the potential risk to the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO), Regional Entity
• FERC
• DOE
• NRC
• DHS – Federal
• Homeland Security- State
• State Regulators
• Local Law Enforcement
• State or Provincial Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP)
The above stakeholders have an interest in the timely notification, communication and response
to an incident at an industry facility. The stakeholders have various levels of accountability and
have a vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001-1a:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The CIP-001-1-1a standard requires a liaison relationship on behalf of the
industry and the FBI or RCMP. Annual requirements, under the standard, of the industry have
not been clear and have led to misunderstandings and confusion in the industry as to how to
demonstrate that the liaison is in place and effective. As an example of proof of compliance with
Requirement R4, responsible entities have asked FBI Office personnel to provide, on FBI
letterhead, confirmation of the existence of a working relationship to report acts of sabotage, the
number of years the liaison relationship has been in existence, and the validity of the telephone
numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, committed
investigators, analysts, linguists, SWAT experts, and other specialists from dozens of U.S. law
enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the Justice
Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communications occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flow freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to an industry incident has come from local and state law enforcement agencies
responding to suspected vandalism and criminal damage at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The Provincial
law enforcement agency has a reporting relationship with the Royal Canadian Mounted Police
(RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator and the
SDT Chair is reflected in the flowchart below (Reporting Hierarchy for Reportable Events).
Essentially, reporting an event to law enforcement agencies will only require the industry to
notify the state or provincial or local level law enforcement agency. The state or provincial or
local level law enforcement agency will coordinate with law enforcement with jurisdiction to
investigate. If the state or provincial or local level law enforcement agency decides federal
agency law enforcement or the RCMP should respond and investigate, the state or provincial or
local level law enforcement agency will notify and coordinate with the FBI or the RCMP.
[Flowchart: Example of Reporting Process including Law Enforcement. Boxes: Entity Experiencing
An Event in Attachment 1; Report to Law Enforcement? (NO / YES); Refer to Ops Plan for Reporting;
Refer to Ops Plan for communicating to law enforcement; Communicate to Law Enforcement; Report
Event to ERO, Reliability Coordinator; Notification Protocol to State Agency Law Enforcement;
ERO conducts investigation; State Agency Law Enforcement coordinates as appropriate with FBI;
ERO Events Analysis; Criminal act invoking federal jurisdiction? (NO / YES); ERO Reports
Applicable Events to FERC Per Rules of Procedure; State Agency Law Enforcement Investigates;
State Agency Law Enforcement notifies FBI; FBI Responds and makes notification to DHS.]
* Canadian entities will follow law enforcement protocols applicable in their jurisdictions
B. Requirements and Measures
R1. Each Responsible Entity shall have
an event reporting Operating Plan that
includes: [Violation Risk: Factor:
Lower] [Time Horizon: Operations
Planning]
1.1. A process for
identifyingrecognizing each of
the applicable events listed in
EOP-004 Attachment 1(except
for Cyber Security Incidents
characterized and classified
according to the requirements in
CIP-008-3 or its successor).
1.2. A process for gathering
information for Attachment 2
regarding events listed in
Attachment 1.
1.3. A process for communicating
each of the applicable events
listed in EOP-004 Attachment 1
in accordance with the
timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization, and
other organizations needed for
the event type; i.e. the Regional
Entity; company personnel; the
Responsible Entity’s Reliability
Coordinator and the following
as appropriate:
• Internal company personnel
• The Responsible Entity’s Regional Entity
• Law; law enforcement
• Governmental, governmental or provincial agencies
Rationale for R1
The requirement to have an Operating Plan for
reporting specific types of events provides the
entity with a method to have its operating
personnel recognize events that affect reliability
and to be able to report them to appropriate
parties; i.e. Regional Entities, applicable
Reliability Coordinators, and law enforcement
and other jurisdictional agencies when so
recognized. In addition, these event reports are
an input to the NERC Events Analysis Program.
These other parties use this information to
promote reliability, develop a culture of
reliability excellence, provide industry
collaboration and promote a learning
organization.
Every industry participant that owns or operates
elements or devices on the grid has a formal or
informal process, procedure, or steps it takes to
gather information regarding what happened
when events occur. This requirement has the
Responsible Entity establish documentation on
how that procedure, process, or plan is organized.
This documentation may be a single document or
a combination of various documents that achieve
the reliability objective.
Part 1.1 clarifies that entities must address each
of the “applicable” events listed in EOP-004
Attachment 1. Not all responsible entities must
address all events; e.g., some events are only
applicable to the Reliability Coordinator. Part 1.1
acknowledges that Cyber Security Incidents are
characterized and classified according to the
requirements in CIP-008-3.
Part 1.2 could include a process flowchart,
identification of internal and external personnel
or entities to be notified, or a list of personnel by
name and their associated contact information.
An existing procedure that meets the
requirements of CIP-001-2a may be included in
this Operating Plan along with other processes,
procedures or plans to meet this requirement.
1.4. Provision(s) for updating the Operating Plan within 90 calendar days of any change in
assets, personnel, other circumstances that may no longer align with the Operating Plan;
or incorporating lessons learned pursuant to Requirement R3.
1.5.1.2.
A Process for ensuring the responsible entity reviews the Operating Plan at least
annually (once each calendar year) with no more than 15 months between reviews.
M1. Each Responsible Entity will provide thehave a current, dated, in forceevent reporting
Operating Plan which includes Parts 1.1 -– 1.5 as requested2.
R2. Each Responsible Entity shall implement the parts of its event reporting Operating Plan
that meet Requirement R1, Partsfor applicable events listed in EOP-004 Attachment 1.1, and 1.2
for an actual event and Parts 1.4 and 1.5 asin accordance with the timeframe specified. in EOP-004
Attachment 1. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment].]
M2. Responsible Entities shall provide evidence that it implemented the parts of its Operating
Plan to meet Requirement R1, Parts 1.1 and 1.2 for an actual event and Parts, 1.4 and 1.5 as
specified. Evidence may include, but is not limited to, an event report form (Attachment 2) or
the OE-417 report submitted, operator logs, voice recordings, or dated documentation of review
and update of the Operating Plan. (R2)
Rationale for R2
Each Responsible Entity must implement the various parts of Requirement R1. Parts 1.1 and
1.2 call for identifying and gathering information for actual events. Parts 1.4 and 1.5 require
updating and reviewing the Operating Plan.
Each Responsible Entity must report and communicate events according to its Operating
Plan after the fact based on the information in EOP-004 Attachment 1. By implementing the
event reporting Operating Plan, the Responsible Entity will assure situational awareness to the
Electric Reliability Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator; law
enforcement, governmental or provincial agencies as deemed necessary by the Registered
Entity. By communicating events per the Operating Plan, the Responsible Entity will
assure that people/agencies are aware of the current situation and they may prepare to
mitigate current and further events.
R3. Each Responsible Entity shall report events in accordance with its Operating Plan
developed to address the events listed in Attachment 1. [Violation Risk Factor: Medium]
[Time Horizon: Operations Assessment].
M3. Responsible Entities shall provide a record of the type of Each Responsible Entity will
have, for each event experienced;, a dated copy of the completed EOP-004 Attachment 2
form or DOE form or OE-417 report submitted for that event; and dated and time-stamped
transmittal records to show that the event was reported. (R3 supplemented by operator logs
or other operating documentation. Other forms of evidence may include, but are
not limited to, dated and time stamped voice recordings and operating logs or
other operating documentation for situations where filing a written report
was not possible. (R2)
Rationale for R3 and R4
Requirements 3 and 4 call for annual test of the communications process in Part
1.2 as well as an annual review of the event reporting Operating Plan. These
two requirements help ensure that the event reporting Operating Plan is up to
date and entities will be effective in reporting events to assure situational
awareness to the Electric Reliability Organization and their Reliability
Coordinator . This will assure that the BES remains secure and stable by
mitigation actions that the Reliability Coordinator has within its function.
R3. Each Responsible Entity shall conduct an annual test, not including notification to
the Electric Reliability Organization, of the communications process in Part 1.2. [Violation
Risk Factor: Medium] [Time Horizon: Operations Planning]
M3. Each Responsible Entity will have dated and time-stamped records to show that the annual
test of Part 1.2 was conducted. Such evidence may include, but are not limited to, dated
and time stamped voice recordings and operating logs or other communication
documentation. The annual test requirement is considered to be met if the responsible
entity implements the communications process in Part 1.2 for an actual event. (R3)
R4. Each Responsible Entity shall verify (through actual implementation for an event, or
through a drill or exercise) the communication process in its Operating Plan, created
pursuant to Requirement 1, Part 1.3, at least annually (once per calendar year), with no
more than 15 calendar months between verification or actual implementation. conduct an
annual review of the event reporting Operating Plan in Requirement R1. [Violation Risk
Factor: Medium] [Time Horizon: Operations Planning]
M4. The Responsible Entity shall provide evidence that it verified the communication process in
its Operating Plan for events created pursuant to Requirement R1, Part 1.3. Either
implementation of the communication process as documented in its Operating Plan for an
actual event or documented evidence of a drill or exercise may be used as evidence to meet
this requirement. The time period between an actual event or verification shall be no more
than 15 months. Evidence may include, but is not limited to, operator logs, voice
recordings, or dated documentation of a verification. (R3) Each Responsible Entity will
have dated and time-stamped records to show that the annual review of the event reporting
Operating Plan was conducted. Such evidence may include, but are not limited to, the
current document plus the ‘date change page’ from each version that was reviewed. (R4)
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
The Regional Entity; or
If shall serve as the Responsible Entity works forCompliance enforcement authority
unless the Regional Entity, thenapplicable entity is owned, operated, or controlled by
the Regional Entity will establish an agreement with. In such cases the ERO or
anothera Regional entity approved by the ERO and FERC (i.e. another Regional
Entity) to be responsible for compliance enforcement; oror other applicable
governmental authority shall serve as the CEA.
ThirdFor NERC, a third-party monitor without vested interest in the outcome for
the ERONERC shall serve as the Compliance Enforcement Authority.
1.2 Evidence Retention
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time since
the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period since
the last audit.
Each Responsible Entity shall retain the current, in force document plus the ‘dated
revision history’date change page’ from each version issued since the last audit
for 3 calendar years for RequirementRequirements R1, R4 and MeasureMeasures
M1, M4.
Each Responsible Entity shall retain evidence from prior 3 calendar years for
Requirements R2, R3, R4, and MeasuresMeasure M2, M3, M4.
Each Responsible Entity shall retain data or evidence for three calendar years or
for the duration of any regional or Compliance Enforcement Authority
investigation; whichever is longer.
If a Registered Entity is found non-compliant, it shall keep information related to
the non-compliance until mitigation is complete and approved or
for the duration specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
requested and submitted subsequent audit records.
1.3 Compliance Monitoring and Enforcement Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Violation Investigation
Self-Reporting
Complaint
1.4 Additional Compliance Information
None
Table of Compliance Elements
R
#
Time Horizon
VRF
Violation Severity Levels
Lower VSL
R1
Long-termOperations
Planning
Lower
R2
Real-time Operations Medium 1.1: N/A
and Same-day
OperationsAssessmen
Moderate VSL
High VSL
Severe VSL
The Reliability
The Reliability
The Reliability
The Reliability
Coordinator,
Coordinator,
Coordinator,
Coordinator,
Balancing
Balancing
Balancing Authority, Balancing Authority,
Authority,
Authority,
Interchange
Interchange
Interchange
Interchange
Coordinator,
Coordinator,
Coordinator,
Coordinator,
Transmission Service Transmission Service
Transmission
Transmission
Provider,
Provider,
Service Provider,
Service Provider,
Transmission Owner, Transmission Owner,
Transmission
Transmission
Transmission
Transmission
Owner,
Owner,
Operator, Generator
Operator, Generator
Transmission
Transmission
Owner, Generator
Owner, Generator
Operator, Generator Operator, Generator Operator,
Operator,
Owner, Generator
Owner, Generator
Distribution Provider Distribution Provider
Operator,
Operator,
or Load
or Load
Distribution
Distribution
ServingResponsible
ServingResponsible
Provider or Load
Provider or Load
Entity has an event
Entity failed to
Serving Entity has
Serving Entity has
reporting Operating
include four or more
an Operating Plan
an Operating Plan
Plan but failed to
ofboth Parts 1.1
but failed to include but failed to include include threeone of
throughand 1.52.
one of Parts 1.1
two of Parts 1.1
Parts 1.1 through
through 1.5. N/A
through 1.5.N/A
1.52.
The Responsible
Entity submitted a
report more than 36
The Responsible
Entity submitted a
report more than 48
1.1: The Reliability
Coordinator,
Balancing Authority,
t
1.2: N/A
1.4: The Reliability
Coordinator,
Balancing
Authority,
Interchange
Coordinator,
Transmission
Service Provider,
Transmission
Owner,
Transmission
Operator, Generator
Owner, Generator
Operator,
Distribution
Provider or Load
Serving Entity
failed to update the
Operating Plan
more than 90 days
of a change, but not
more than 100 days
after a change.
1.5: The Reliability
Coordinator,
Balancing
Authority,
Interchange
Coordinator,
hours but less than
or equal to 48 hours
after an event
requiring reporting
within 24 hours in
EOP-004
Attachment 1.
hours but less than or
equal to 60 hours
after an event
requiring reporting
within 24 hours in
EOP-004 Attachment
1.
OR
OR 1.1: N/A
1.1: N/A
1.2: N/A
1.2: N/A
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator,
Distribution Provider
or Load Serving
Entity failed to
implement the
process for
identifying events.
1.4: The Reliability
1.4: The Reliability Coordinator,
Balancing Authority,
Coordinator,
Interchange
Balancing
1.2: The Reliability
Coordinator,
Authority,
Transmission Service Coordinator,
Interchange
Balancing Authority,
Provider,
Coordinator,
Transmission Owner, Interchange
Transmission
Coordinator,
Transmission
Service Provider,
Transmission Service
Operator, Generator
Transmission
Provider,
Owner, Generator
Owner,
Transmission Owner,
Operator,
Transmission
Transmission
Operator, Generator Distribution Provider Operator, Generator
or Load Serving
Owner, Generator
Owner, Generator
Entity failed to
Operator,
update the Operating Operator,
Distribution
Distribution Provider
Plan more than 110
Provider or Load
days of a change, but or Load Serving
Serving Entity
Entity failed to
failed to update the not more than 120
implement the
days after a change.
Operating Plan
Transmission
more than 100 days
process for gathering
Service Provider,
of a change, but not 1.5: The Reliability
information for
Transmission
more than 110 days Coordinator,
Attachment 2.
Owner,
after a change.
Balancing Authority,
Transmission
Interchange
1.4: The Reliability
Operator, Generator
Coordinator,
1.5: The Reliability
Coordinator,
Owner, Generator
Transmission Service Balancing Authority,
Coordinator,
Operator,
Provider,
Balancing
Interchange
Distribution
Transmission
Owner,
Authority,
Coordinator,
Provider or Load
Transmission
Interchange
Transmission Service
Serving Entity
Operator,
Generator
Coordinator,
Provider,
reviewed the
Owner, Generator
Transmission
Transmission Owner,
Operating Plan,
Operator,
Service Provider,
Transmission
more than 15
Distribution Provider Operator, Generator
Transmission
calendar months
or Load Serving
Owner,
Owner, Generator
after its previous
Entity reviewed the
Transmission
Operator,
review, but not
Operating
Plan,
more
Operator, Generator
Distribution Provider
more than 18
than 21 calendar
Owner, Generator
or Load Serving
calendar months
months after its
Operator,
Entity failed to
after its previous
previous
review,
but
Distribution
update the Operating
review. The
not more than 24
Provider
or
Load
Plan more than 120
Responsible Entity
calendar
months
after
Serving Entity
days of a change.
submitted a report
its previous review.
reviewed
the
more than 24 hours
Operating Plan,
The Responsible
but less than or
1.5: The Reliability
more
than
18
Entity submitted a
equal to 36 hours
calendar months
report in more than 2 Coordinator,
after an event
after its previous
hours but less than 3 Balancing Authority,
requiring reporting
Interchange
review,
but
not
hours after an event
within 24 hours in
Coordinator,
more than 21
requiring reporting
EOP-004
Transmission Service
calendar months
within 1 hour in
Attachment 1.
after its previous
EOP-004 Attachment Provider,
Transmission Owner,
review.The
1.
Transmission
OR
Responsible Entity
submitted a report
more than 1 hour
The Responsible
but less than 2
Entity submitted a
hours after an event
report in the
requiring reporting
appropriate
within 1 hour in
timeframe but failed EOP-004
to provide all of the Attachment 1.
required
information.
Operator, Generator
Owner, Generator
Operator,
Distribution Provider
or Load Serving
Entity reviewed the
Operating Plan, more
than 24 calendar
months after its
previous review.The
Responsible Entity
submitted a report
more than 60 hours
after an event
requiring reporting
within 24 hours in
EOP-004 Attachment
1.
OR
The Responsible
Entity submitted a
report more than 3
hours after an event
requiring reporting
within 1 hour in
EOP-004 Attachment
1.
OR
The Responsible
Entity failed to
submit a report for an
event in EOP-004
Attachment 1.
R3
Real-time Operations
and Same-day
OperationsPlanning
Medium The Reliability
The Reliability
The Reliability
Coordinator,
Coordinator,
Coordinator,
Balancing
Balancing
Balancing Authority,
Authority,
Authority,
Interchange
Interchange
Interchange
Coordinator,
Coordinator,
Coordinator,
Transmission Service
Transmission
Transmission
Provider,
Service Provider,
Service Provider,
Transmission Owner,
Transmission
Transmission
Transmission
Owner,
Owner,
Operator, Generator
Transmission
Transmission
Owner, Generator
Operator, Generator Operator, Generator Operator,
Owner, Generator
Owner, Generator
Distribution Provider
Operator,
Operator,
or Load Serving
Distribution
Distribution
Entity submitted a
Provider or Load
Provider or Load
report more than 48
Serving Entity
Serving Entity
hours but less than or
submitted a report
submitted a report
equal to 60 hours
more than 24 hours more than 36 hours after an event
but less than or
but less than or
requiring reporting
equal to 36 hours
equal to 48 hours
within 24 hours in
after an event
after an event
Attachment 1. The
requiring reporting
requiring reporting
Responsible Entity
within 24 hours in
within 24 hours in
performed the annual
Attachment 1.
Attachment 1.
test of the
communications
The Responsible
OR
process in Part 1.2
Entity performed
The Reliability
but was late by two
the annual test of
Coordinator,
calendar months or
the communications Balancing
more but less than
process in Part 1.2
Authority,
three calendar
but was late by less Interchange
The Reliability
Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator,
Distribution Provider
or Load Serving
Entity submitted a
report more than 60
hours after an event
requiring reporting
within 24 hours in
Attachment 1.
The Responsible
Entity performed the
annual test of the
communications
process in Part 1.2
but was late by three
calendar months or
more.
OR
The Reliability
than one calendar
month.
Coordinator,
months.
Coordinator,
Transmission
Balancing Authority,
OR
Service Provider,
Interchange
The
Reliability
Transmission
Coordinator,
Coordinator,
Owner,
Transmission Service
Balancing
Authority,
Transmission
Provider,
Operator, Generator Interchange
Transmission Owner,
Coordinator,
Owner, Generator
Transmission
Transmission
Service
Operator,
Operator, Generator
Provider,
Distribution
Owner, Generator
Transmission
Owner,
Provider or Load
Operator,
Transmission
Serving Entity
Distribution Provider
Operator,
Generator
submitted a report
or Load Serving
Owner, Generator
more than 1 hour
Entity submitted a
Operator,
but less than 2
report more than 3
hours after an event Distribution Provider hours after an event
or Load Serving
requiring reporting
requiring reporting
Entity submitted a
within 1 hour in
within 1 hour in
report in more than 2 Attachment
Attachment 1.The
Responsible Entity hours but less than 3 1.Responsible Entity
hours after an event
performed the
failed to perform the
requiring
reporting
annual test of the
annual test of the
within 1 hour in
communications
communications
Attachment
1.
process in Part 1.2
process in Part 1.2.
but was late by one
OR
calendar month or
The Reliability
more but less than
Coordinator,
two calendar
Balancing Authority,
months.
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator,
Distribution Provider
or Load Serving
Entity failed to
submit a report for an
event in Attachment
1.
R4
Operations Planning
Medium The Reliability
The Reliability
The Reliability
The Reliability
Coordinator,
Coordinator,
Coordinator,
Coordinator,
Balancing
Balancing
Balancing Authority, Balancing Authority,
Authority,
Authority,
Interchange
Interchange
Interchange
Interchange
Coordinator,
Coordinator,
Coordinator,
Coordinator,
Transmission Service Transmission Service
Transmission
Transmission
Provider,
Provider,
Service Provider,
Service Provider,
Transmission Owner, Transmission Owner,
Transmission
Transmission
Transmission
Transmission
Owner,
Owner,
Operator, Generator
Operator, Generator
Transmission
Transmission
Owner, Generator
Owner, Generator
Operator, Generator Operator, Generator Operator,
Operator,
Owner, Generator
Owner, Generator
Distribution Provider Distribution Provider
Operator,
Operator,
or Load Serving
or Load
Distribution
Distribution
Entity verified the
ServingResponsible
Provider or Load
Provider or Load
communication
Entity
Serving Entity
Serving Entity
process in its
verifiedperformed the
verified the
verified the
Operating Plan, more communication
communication
communication
than 21 calendar
process in itsannual
process in its
process in its
months after its
review of the event
Operating Plan,
Operating Plan,
previous test, but not reporting Operating
more than 15
calendar months
after its previous
test, but not more
than 18 calendar
months after its
previous test.
OR
The Reliability
Coordinator,
Balancing
Authority,
Interchange
Coordinator,
Transmission
Service Provider,
Transmission
Owner,
Transmission
Operator, Generator
Owner, Generator
Operator,
Distribution
Provider or Load
Serving Entity
failed to verify the
communication
process in its
Operating Plan
within the calendar
year.The
Responsible Entity
more than 18
calendar months
after its previous
test, but not more
than 21 months
after its previous
test.The
Responsible Entity
performed the
annual review of the
event reporting
Operating Plan but
was late by one
calendar month or
more but less than
two calendar
months.
more than 24 months
after its previous
test.The Responsible
Entity performed the
annual review of the
event reporting
Operating Plan but
was late by two
calendar months or
more but less than
three calendar
months.
Plan, more than 24
but was late by three
calendar months after
its previous testor
more.
OR
The Reliability
Coordinator,
Balancing Authority,
Interchange
Coordinator,
Transmission Service
Provider,
Transmission Owner,
Transmission
Operator, Generator
Owner, Generator
Operator,
Distribution Provider
or Load Serving
Entity failed to verify
the communication
process in its
Operating Plan. The
Responsible Entity
failed to perform the
annual review of the
event reporting
Operating Plan
performed the
annual review of the
event reporting
Operating Plan but
was late by less
than one calendar
month.
D. Variances
None.
E. Interpretations
None.
F.
Interpretations
Guideline and Technical Basis (attached).
EOP-004 - Attachment 1: Reportable Events Table
NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may not be possible to report the damage caused by
an event and issue a written Event Report within the timing in the table below. In such cases, the affected Responsible Entity shall
notify parties per Requirement R1 and provide as much information as is available at the time of the notification. The affected
Responsible Entity shall provide periodic verbal updates until adequate information is available to issue a written Event report.
Submit reports to the ERO via one of the following: e-mail: esisac@nerc.com,
Facsimile: 609-452-9550, Voice: 609-452-1422.
One Hour Reporting: Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties identified pursuant to
Requirement R1, Part 1.2 within one hour of recognition of the event.
Event
A reportable Cyber Security
Incident.
Entity with Reporting Responsibility
Threshold for Reporting
That meets the criteria in CIP-008-43 or its
Each Responsible Entity applicable under
CIP-008-43 or its successor that experiences successor
the Cyber Security Incident
Rationale Box for EOP-004 Attachment 1:
The DSR SDT used the defined term “Facility” to add clarity for several events listed in Attachment 1.
A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a
line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any other facility
(not a defined term) that one might consider in everyday discussions regarding the grid. This is
intended to mean ONLY a Facility as defined above.
Twenty-four Hour Reporting: Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties identified pursuant to
Requirement R1, Part 1.2 within twenty-four hours of recognition of the event.
Event
DestructionDamage or
destruction of BES
equipment 1a Facility
Entity with Reporting Responsibility
Each RC, BA, TO, TOP, GO, GOP, DP that
experiences the damage or destruction of
BES equipmenta Facility
Threshold for Reporting
Initial indicationDamage or destruction of a Facility that:
Affects an IROL (per FAC-014)
OR
Results in the event was dueneed for actions to operational error,
equipment failure, external cause, or avoid an Adverse Reliability
Impact
OR
Damage or destruction of
Critical Asset per CIP-002
Applicable Entities under CIP-002
Damage or destruction of a
Critical Cyber Asset per
CIP-002
Applicable Entities under CIP-002.
Forced intrusion 2
Each RC, BA, TO, TOP, GO, GOP that
Results from actual or suspected intentional or unintentional human
action.
Initial indication the event was due to operational
error, equipment failure, external cause, or
intentional or unintentional human action.
Through intentional or unintentional human
action.
At a BES facility
1
BES equipment that: i) Affects an IROL; ii) Significantly affects the reliability margin of the system (e.g., has the potential to result in the need for emergency
actions); iii) Damaged or destroyed due to intentional or unintentional human action which removes the BES equipment from service. Do not report copper theft
from BES equipment unless it degrades the ability of equipment to operate correctly (e.g., removal of grounding straps rendering protective relaying inoperative).
2
Report if you cannot reasonably determine likely motivation (i.e., intrusion to steal copper or spray graffiti is not reportable unless it affects the reliability of the
BES).
experiences the forced intrusion
Risk to BES equipment 3Any
physical threat that could
impact the operability of a
Facility 4
Each RC, BA, TO, TOP, GO, GOP, DP that
experiences the risk to BES
equipmentevent
From a non-environmental physical threatThreat to a Facility
excluding weather related threats.
Detection of a reportable
Cyber Security Incident.
Each RC, BA, TO, TOP, GO, GOP, DP,
ERO or RE that experiences the Cyber
Security Incident
DeficientInitiating entity is responsible for
reporting
That meets the criteria in CIP-008
BES Emergency requiring
system-wide voltage
reduction
Initiating entity is responsible for reporting
System wide voltage reduction of 3% or more
BES Emergency requiring
manual firm load shedding
Initiating entity is responsible for reporting
Manual firm load shedding ≥ 100 MW
BES Emergency resulting in
automatic firm load
shedding
Each DP or TOP that experiences
theimplements automatic load shedding
Firm load shedding ≥ 100 MW (via automatic undervoltage or
underfrequency load shedding schemes, or SPS/RAS)
Voltage deviationsdeviation
on BES Facilitiesa Facility
Each TOP that experiencesobserves the
voltage deviation
± 10% sustained for ≥ 15 continuous minutes
BES Emergency requiring
public appeal for load
reduction
Each publicPublic appeal for load reduction event
3
Examples include a train derailment adjacent to BES equipment that either could have damaged the equipment directly or has the potential to damage the
equipment (e.g. flammable or toxic cargo that could pose fire hazard or could cause evacuation of a BES facility control center) and report of suspicious device
near BES equipment.
4
Examples include a train derailment adjacent to a Facility that either could have damaged a Facility directly or could indirectly damage a Facility (e.g.
flammable or toxic cargo that could pose fire hazard or could cause evacuation of a control center). Also report any suspicious device or activity at a Facility.
Do not report copper theft unless it impacts the operability of a Facility.
IROL Violation (all
Interconnections) or SOL
Violation for Major WECC
Transfer Paths (WECC only)
Each RC that experiences the IROL
Violation (all Interconnections) or SOL
violation for Major WECC Transfer Paths
(WECC only)
Operate outside the IROL for time greater than IROL Tv (all
Interconnections) or Operate outside the SOL for a time
greatermore than the SOL Tv30 minutes for Major WECC Transfer
Paths (WECC only).
Loss of Firmfirm load for ≥
15 Minutes
Each BA, TOP, DP that experiences the loss
of firm load
•
•
≥ 300 MW for entities with previous year’s
demand ≥ 30003,000 MW
≥ 200 MW for all other entities
System Separation
(Islandingseparation
(islanding)
Each RC, BA, TOP, DP that experiences the Each separation resulting in an island of generation and load ≥ 100
system separation
MW
Generation loss
Each BA, GOP that experiences the
generation loss
LossComplete loss of
Offoff-site power to a
nuclear generating plant
(grid supply)
Each TO, TOP that experiences the
complete loss of off-site power to a nuclear
generating plant
Transmission loss
Each TOP that experiences the
transmission loss
Each RC, BA, TOP that experiences the
potential event
Unplanned Control
Centercontrol center
evacuation
Loss of all voice
communication capability
Each RC, BA, TOP that experiences the
loss of all voice communication capability
LossComplete or partial loss
of monitoring or all voice
communication capability
Each RC, BA, TOP that experiences the
complete or partial loss of monitoring or all
voice communication capability
≥ 2,000 MW for entities in the Eastern or Western
Interconnection
• ≥ 10001,000 MW for entities in the ERCOT or Quebec
Interconnection
Affecting a nuclear generating station per the Nuclear Plant
Interface Requirement
•
Unintentional loss of Threethree or more Transmission Facilities
(excluding successful automatic reclosing)
Unplanned evacuation from BES control center facility
for 30 minutes or more.
Affecting a BES control center for ≥ 30 continuous minutes
Voice Communications: Affecting a BES control center for ≥ 30
continuous minutes
Monitoring: Affecting a BES control center for ≥ 30 continuous
minutes such that analysis tools (State Estimator, Contingency
Analysis) are rendered inoperable.
EOP-004 - Attachment 2: Event Reporting Form
EOP-004, Attachment 2: Event Reporting Form
Use this form to report events. The Electric Reliability
Organization and the Responsible Entity’s Reliability Coordinator will accept the DOE OE-417
form in lieu of this form if the entity is required to submit an OE-417 report.
Submit reports to the ERO via one of the following: e-mail: esisac@nerc.com,
Facsimile: 609-452-9550, voice: 609-452-1422.
Task
1.
2.
Comments
Entity filing the report include:
Company name:
Name of contact person:
Email address of contact person:
Telephone Number:
Submitted by (name):
Date and Time of recognized event.
Date: (mm/dd/yyyy)
Time: (hh:mm)
Time/Zone:
3.
4.
Did the actual or potential event originate in
your system?
Actual event Potential event
Yes
No Unknown
Event Identification and Description:
(Check applicable box)
public appeal
voltage reduction
manual firm load shedding
firm load shedding(undervoltage,
underfrequency, SPS/RAS)
voltage deviation
IROL violation
loss of firm load
system separation (islanding)
generation loss
complete loss of off-site power to nuclear
generating plant
transmission loss
damage or destruction of BES
equipmentFacility
damage or destruction of Critical Asset
damage or destruction of Critical Cyber
Asset
unplanned control center evacuation
fuel supply emergency
loss of all monitoring or voice
communication capability
Written description (optional unless Other is
checked):
forced intrusion Risk to BES
equipmentcomplete or partial loss of
monitoring capability
physical threat that could impact the
operability of a Facility
reportable Cyber Security Incident
other
Guideline and Technical Basis
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and has
developed updated standards based on the SAR.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The changes do not include any real-time operating notifications for the types of events covered
by CIP-001 and EOP-004. The real-time reporting requirements are achieved through the RCIS
and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies). This
standard deals exclusively with after-the-fact reporting.
The DSR SDT has consolidated disturbance and sabotage event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard:
• Requires reporting of “events” that impact or may impact the reliability of the
Bulk Electric System
• Provides clear criteria for reporting
• Includes consistent reporting timelines
• Identifies appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provides clarity around who will receive the information
Discussion of Disturbance Reporting
Disturbance reporting requirements existed in the previous version of EOP-004. The current
approved definition of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria were in the previous EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of events that are to be reported under this standard (EOP-004
Attachment 1).
Discussion of Event Reporting
There are situations worthy of reporting because they have the potential to impact reliability.
Event reporting facilitates industry awareness, which allows potentially impacted parties to
prepare for and possibly mitigate any associated reliability risk. It also provides the raw material,
in the case of certain potential reliability threats, to see emerging patterns.
Examples of such events include:
• Bolts removed from transmission line structures
• Detection of cyber intrusion that meets criteria of CIP-008-3 or its successor standard
• Forced intrusion attempt at a substation
• Train derailment near a transmission right-of-way
• Destruction of Bulk Electric System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electric System using the event
categorization in this standard, it will be easier to get the relevant information for mitigation,
awareness, and tracking, while removing the distracting element of motivation.
Certain types of events should be reported to NERC, the Department of Homeland Security
(DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law enforcement.
Other types of impact events may have different reporting requirements. For example, an event
that is related to copper theft may only need to be reported to the local law enforcement
authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. The standard requires Functional entities to report the
incidents and provide known information at the time of the report. Further data gathering
necessary for event analysis is provided for under the Events Analysis Program and the NERC
Rules of Procedure. Other entities (e.g. – NERC, Law Enforcement, etc) will be responsible for
performing the analyses. The NERC Rules of Procedure (section 800) provide an overview of
the responsibilities of the ERO in regards to analysis and dissemination of information for
reliability. Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial
Regulators, and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT has updated the listing of reportable events in EOP-004
Attachment 1 based on discussions with jurisdictional agencies, NERC, Regional Entities and
stakeholder input. There is a possibility that regional differences still exist.
The reporting required by this standard is intended to meet the uses and purposes of NERC. The
DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information should not be
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be included or attached to the NERC
report, in lieu of entering that information on the NERC report.
Comment Form
Project 2009-01 Disturbance and Sabotage Reporting
Please DO NOT use this form for submitting comments. Please use the electronic form to submit
comments on the draft standard EOP-004-2. Comments must be submitted by May 24, 2012. If you
have questions please contact Stephen Crutchfield by email or by telephone at (609) 651-9455.
Background Information
EOP-004-2 was posted for a 45-day formal comment period and initial ballot from October 28 through
December 12, 2011. The DSR SDT received comments from stakeholders to improve the readability
and clarity of the requirements of the standard. The revisions that were made to the standard are
summarized in the following paragraphs.
Purpose Statement
The DSR SDT revised the purpose statement to remove ambiguous language “with the potential to
impact reliability.” The Purpose statement now reads:
“To improve the reliability of the Bulk Electric System by requiring the reporting of events by
Responsible Entities.”
Operating Plan
Based on stakeholder comments, Requirement R1 was revised for clarity. Part 1.1 was revised to
replace the word “identifying” with “recognizing” and Part 1.2 was eliminated. This also aligns the
language of the standard with FERC Order 693, Paragraph 471.
“(2) specify baseline requirements regarding what issues should be addressed in the
procedures for recognizing {emphasis added} sabotage events and making personnel aware of
such events;”
Requirement R1, Part 1.3 (now Part 1.2) was revised by eliminating the phrase “as appropriate” and
adding language indicating that the Responsible Entity is to define its process for reporting and with
whom to report events. Part 1.2 now reads:
“1.2 A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to the
Electric Reliability Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator; law
enforcement, governmental or provincial agencies.”
The SDT envisions that most entities will only need to slightly modify their existing CIP-001 Sabotage
Reporting procedures to comply with the Operating Plan requirement in this proposed standard. As
many of the features of both sabotage reporting procedures and the Operating Plan are substantially
similar, the SDT feels that some information in the sabotage reporting procedures may need to be
updated and verified.
Operating Plan Review and Communications Testing
Requirement R1, Part 1.4 was removed and Requirement 1, Part 1.5 was separated out as new
Requirement 4. Requirement R4 was revised and is now R3. FERC Order 693, Paragraph 466 includes
provisions for periodic review and update of the Operating Plan:
“466. The Commission affirms the NOPR directive and directs the ERO to incorporate a periodic
review or updating of the sabotage reporting procedures and for the periodic testing of the
sabotage reporting procedures.”
Requirement R3 requires an annual test of the communication portion of Requirement R1 while
Requirement R4 requires an annual review of the Operating Plan:
“R3. Each Responsible Entity shall conduct an annual test, not including notification to the
Electric Reliability Organization, of the communications process in Part 1.2.”
“R4. Each Responsible Entity shall conduct an annual review of the event reporting Operating
Plan in Requirement R1.”
The DSR SDT envisions that the annual test will include verification that communication information
contained in the Operating Plan is correct. As an example, the annual update of the Operating Plan
could include calling “others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2) to
verify that their contact information is up to date. If any discrepancies are noted, the Operating Plan
would be updated. Note that there is no requirement to test the reporting of events to the Electric
Reliability Organization and the Responsible Entity’s Reliability Coordinator.
Operating Plan Implementation
Most stakeholders indicated that Requirements R2 and R3 were redundant and having both in the
standard was not necessary. Requirement R2 called for implementation of Parts 1.1, 1.2, 1.4 and 1.5.
Requirement R3 called for reporting events in accordance with the Operating Plan. The DSR SDT
deleted Requirement R2 based on stakeholder comments and revised R3 (now R2) to:
“R2. Each Responsible Entity shall implement its event reporting Operating Plan for applicable
events listed in EOP-004 Attachment 1, and in accordance with the timeframe specified in
EOP-004 Attachment 1.”
Project 2009-01 – Disturbance and Sabotage Reporting
Comment Form – April 24, 2012
Reporting Timelines
The DSR SDT received many comments regarding the various entries of Attachment 1. Many
commenters questioned the reliability benefit of reporting events to the ERO within 1 hour. Most of
the events with a one hour reporting requirement were revised to 24 hours based on stakeholder
comments; those types of events are currently required to be reported within 24 hours in the existing
mandatory and enforceable standards. The only remaining type of event that is to be reported within
one hour is “A reportable Cyber Security Incident” as it is required by CIP-008 and FERC Order 706,
Paragraph 673:
“direct the ERO to modify CIP-008 to require each responsible entity to contact appropriate
government authorities and industry participants in the event of a cyber security incident as
soon as possible, but in any event, within one hour of the event…”
The table was reformatted to separate one-hour reporting and 24-hour reporting. The last column of
the table was also deleted and the information contained in the table was transferred to the sentence
above each table. These sentences are:
“One Hour Reporting: Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties
identified pursuant to Requirement R1, Part 1.2 within one hour of recognition of the event.”
“Twenty-four Hour Reporting: Submit EOP-004 Attachment 2 or DOE-OE-417 report to the
parties identified pursuant to Requirement R1, Part 1.2 within twenty-four hours of recognition
of the event.”
Note that the reporting timeline of 24 hours starts when the situation has been determined as a
threat, not when it may have first occurred.
Cyber-Related Events
The ‘Damage or Destruction’ events specifically relating to Critical Assets and Critical Cyber Assets were
removed from Attachment 1. Stakeholders pointed out these events are adequately addressed
through the CIP-008 and “Damage or Destruction of a Facility” reporting thresholds.
CIP-008 addresses Cyber Security Incidents which are defined as:
“Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the Electronic Security Perimeter or
Physical Security Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber Asset.”
A Critical Asset is defined as:
“Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered
unavailable, would affect the reliability or operability of the Bulk Electric System.”
Since there is an existing event category for damage or destruction of Facilities, having a separate
event for “Damage or Destruction of a Critical Asset” is unnecessary.
Damage or Destruction
The event for “Destruction of BES equipment” has been revised to “Damage or destruction of a
Facility”. The threshold for reporting information was expanded for clarity:
“Damage or destruction of a Facility that:
Affects an IROL (per FAC-014)
OR
Results in the need for actions to avoid an Adverse Reliability Impact
OR
Results from actual or suspected intentional human action.”
Facility Definition
The DSR SDT used the defined term “Facility” to add clarity for this event as well as other events in
Attachment 1. A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a
line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT did not intend the use of the term Facility to mean a substation or any other facility (not a
defined term) that one might consider in everyday discussions regarding the grid. This is intended to
mean ONLY a Facility as defined above.
Physical Threats
Several stakeholders expressed concerns relating to the “Forced Intrusion” event. Their concerns
related to ambiguous language in the footnote. The DSR SDT discussed this event as well as the event
“Risk to BES equipment”. These two event types had perceived overlap in the reporting requirements.
The DSR SDT removed “Forced Intrusion” as a category and the “Risk to BES equipment” event was
revised to “Any physical threat that could impact the operability of a Facility”.
Using judgment is unavoidable for this type of event. This language was chosen because the
Responsible Entity is in the best position to exercise this judgment and determine whether or not an
event poses a threat to its Facilities. The DSR SDT believes this revised event type will minimize
administrative burden and ensure that events meaningful to industry awareness are reported.
The footnote regarding this event type was expanded to provide additional guidance:
“Examples include a train derailment adjacent to a Facility that either could have damaged a
Facility directly or could indirectly damage a Facility (e.g. flammable or toxic cargo that could
pose fire hazard or could cause evacuation of a control center). Also, report any suspicious
device or activity at a Facility. Do not report copper theft unless it impacts the operability of a
Facility.”
Use of DOE Form OE-417
The DSR SDT received many comments requesting consistency with DOE OE-417 thresholds and
timelines. These items, as well as the Events Analysis Working Group’s (EAWG) requirements, were
considered in creating Attachment 1, but differences remain for the following reasons:
• EOP-004 requirements were designed to meet NERC and the industry’s needs; accommodation
of other reporting obligations was considered as an opportunity not a ‘must-have’
• OE-417 only applies to US entities, whereas EOP-004 requirements apply across North America
• NERC has no control over the criteria in OE-417, which can change at any time
• Reports made under EOP-004 provide a minimum set of information, which may trigger further
information requests from EAWG as necessary
In an effort to minimize administrative burden, US entities may use the OE-417 form rather than
Attachment 2 to report under EOP-004. The SDT was informed by the DOE of its new online process
coming later this year. In this process, entities may be able to record email addresses associated with
their Operating Plan so that when the report is submitted to DOE, it will automatically be forwarded to
the posted email addresses, thereby eliminating some administrative burden to forward the report to
multiple organizations and agencies.
Miscellaneous
Other minor edits were made to Attachment 1. Several words were capitalized that are not defined
terms. The DSR SDT did not intend for these terms to be capitalized (defined terms) and these words
were reverted to lower case. The event type “Loss of monitoring or all voice communication
capability” was divided into two separate events as “Loss of monitoring capability” and “Loss of all
voice communication capability”.
Attachment 2 was updated to reflect the revisions to Attachment 1. The reference to “actual or
potential events” was removed. Also, the event types “other” and “fuel supply emergency” were
removed.
It was noted that ‘Transmission Facilities’ is not a defined term in the NERC Glossary. Transmission and
Facilities are separately defined terms. The DSR SDT has based the applicability of “Transmission
Facilities” in Attachment 1 on the combination of these two definitions.
You do not have to answer all questions.
1. The DSR SDT has revised EOP-004-2 by removing Requirement 1, Part 1.4 and separating Parts 1.3
and 1.5 into new Requirements R3 and R4. Requirement R3 calls for an annual test of the
communications portion of the Operating Plan and Requirement R4 requires an annual review of
the Operating Plan. Do you agree with this revision? If not, please explain in the comment area
below.
Yes
No
Comments:
2. The DSR SDT made clarifying revisions to Attachment 1 based on stakeholder feedback. Do you
agree with these revisions? If not, please explain in the comment area below.
Yes
No
Comments:
3. The DSR SDT has proposed a new Section 812 to be incorporated into the NERC Rules of
Procedure. Do you agree with the proposed addition? If not, please explain in the comment
area below.
Yes
No
Comments:
4. Do you have any other comment, not expressed in the questions above, for the DSR SDT?
Comments:
Implementation Plan
Project 2009-01 Disturbance and Sabotage Reporting
Implementation Plan for EOP-004-2 – Event Reporting
Approvals Required
EOP-004-2 – Event Reporting
Prerequisite Approvals
None
Revisions to Glossary Terms
None
Note: Project 2008-06 is currently developing Version 5 of the CIP Cyber Security Standards, and, in
conjunction with proposed CIP-008-5, the Project 2008-06 drafting team proposes to add the term,
“Reportable Cyber Security Incident” to the Glossary of Terms used in NERC Reliability Standards. The
proposed definition, as posted for formal comment and simultaneous successive ballot from April 12,
2012, through May 21, 2012, is, “Any Cyber Security Incident that has compromised or disrupted one or
more reliability tasks of a functional entity.” If the term “Reportable Cyber Security Incident” is added
to the Glossary of Terms used in NERC Reliability Standards, as posted or substantially similar to the
definition proposed in draft 2 of the CIP Cyber Security Standards by Project 2008-06, then the phrase
“reportable Cyber Security Incident” shall be changed to “Reportable Cyber Security Incident” wherever
that phrase occurs in EOP-004-2 upon the effective date of CIP-008-5.
Applicable Entities
Reliability Coordinator
Balancing Authority
Interchange Coordinator
Transmission Service provider
Transmission Owner
Transmission Operator
Generator Owner
Generator Operator
Distribution Provider
Load-Serving Entity
Electric Reliability Organization
Regional Entity
Conforming Changes to Other Standards
None
Effective Dates
EOP-004-2 shall become effective on the first day of the third calendar quarter after applicable
regulatory approval. In those jurisdictions where no regulatory approval is required, this standard shall
become effective on the first day of the third calendar quarter after Board of Trustees approval, or as
otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.
EOP-004-1 is in effect until EOP-004-2 is accepted by all applicable regulatory authorities. Upon
acceptance by the applicable regulatory authorities, EOP-004-2 will be assigned an effective date. Until
such effective date is attained, EOP-004-1 will remain in effect.
Retirements
EOP-004-1 – Disturbance Reporting and CIP-001-2a – Sabotage Reporting should be retired at midnight
of the day immediately prior to the Effective Date of EOP-004-2 in the particular jurisdiction in which
the new standard is becoming effective.
CIP-008-3 – Cyber Security - Incident Reporting and Response Planning: Retire Requirement R1.3
which contains provisions for reporting Cyber Security Incidents. This is addressed in EOP-004-2,
Requirement R2 and Attachment 1. If any successor version of the CIP-008-3 standard contains
provisions for reporting Cyber Security Incidents, then those provisions should be retired upon the
effective date of EOP-004-2.
Implementation Plan
Project 2009-01 Disturbance and Sabotage Reporting
Implementation Plan for EOP-004-2 – Event Reporting
Approvals Required
EOP-004-2 – Event Reporting
Prerequisite Approvals
Revisions to Sections 807 and 808 of the NERC Rules of Procedure
Addition of Section 812 to the NERC Rules of Procedure
None
Revisions to Glossary Terms
None
Note: Project 2008-06 is currently developing Version 5 of the CIP Cyber Security Standards, and, in
conjunction with proposed CIP-008-5, the Project 2008-06 drafting team proposes to add the term,
“Reportable Cyber Security Incident” to the Glossary of Terms used in NERC Reliability Standards. The
proposed definition, as posted for formal comment and simultaneous successive ballot from April 12,
2012, through May 21, 2012, is, “Any Cyber Security Incident that has compromised or disrupted one or
more reliability tasks of a functional entity.” If the term “Reportable Cyber Security Incident” is added
to the Glossary of Terms used in NERC Reliability Standards, as posted or substantially similar to the
definition proposed in draft 2 of the CIP Cyber Security Standards by Project 2008-06, then the phrase
“reportable Cyber Security Incident” shall be changed to “Reportable Cyber Security Incident” wherever
that phrase occurs in EOP-004-2 upon the effective date of CIP-008-5.
Applicable Entities
Reliability Coordinator
Balancing Authority
Interchange Coordinator
Transmission Service provider
Transmission Owner
Transmission Operator
Generator Owner
Generator Operator
Distribution Provider
Load-Serving Entity
Electric Reliability Organization
Regional Entity
Conforming Changes to Other Standards
None
Effective Dates
EOP-004-2 shall become effective on the first day of the third calendar quarter after applicable
regulatory approval. In those jurisdictions where no regulatory approval is required, this standard shall
become effective on the first day of the third calendar quarter after Board of Trustees approval, or as
otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.
EOP-004-1 is in effect until EOP-004-2 is accepted by all applicable regulatory authorities. Upon
acceptance by the applicable regulatory authorities, EOP-004-2 will be assigned an effective date. Until
such effective date is attained, EOP-004-1 will remain in effect.
Retirements
EOP-004-1 – Disturbance Reporting and CIP-001-2a – Sabotage Reporting should be retired at midnight
of the day immediately prior to the Effective Date of EOP-004-2 in the particular jurisdiction in which
the new standard is becoming effective.
CIP-008-43 – Cyber Security - Incident Reporting and Response Planning: Retire Requirement R1.3
which contains provisions for reporting Cyber Security Incidents. This is addressed in EOP-004-2,
Requirement 1, Part 1.3R2 and Attachment 1. If any successor version of the CIP-008-3 standard
contains provisions for reporting Cyber Security Incidents, then those provisions should be retired upon
the effective date of EOP-004-2.
Project 2009-01 Disturbance and Sabotage Reporting
Mapping Document – March 15, 2012
Translation of CIP-002-2a – Sabotage Reporting, EOP-004-1 – Disturbance Reporting and CIP-008-4 – Cyber Security – Incident
Reporting and Response Planning (R 1.3), into EOP-004-2 – Impact Event and Disturbance Assessment, Analysis, and Reporting

Standard: CIP-001-2a – Sabotage Reporting
Columns: Requirement in Approved Standard | Translation to New Standard or Other Action |
Proposed Language in EOP-004-2 - Impact Event and Disturbance Assessment, Analysis, and Reporting

Requirement in Approved Standard:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall have procedures for the recognition of and for making
their operating personnel aware of sabotage events on its facilities and multi site sabotage
affecting larger portions of the Interconnection.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R1
Proposed Language in EOP-004-2:
R1. Each Responsible Entity shall have an Operating Plan that includes:
[Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for recognizing each of the applicable events listed in
EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events
listed in EOP-004 Attachment 1 in accordance with the
timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization and other organizations needed for the
event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement,
governmental or provincial agencies.

Requirement in Approved Standard:
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall have procedures for the communication of information
concerning sabotage events to appropriate parties in the Interconnection.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R1
Proposed Language in EOP-004-2:
R1. Each Responsible Entity shall have an Operating Plan that includes:
[Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for recognizing each of the applicable events listed in
EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events
listed in EOP-004 Attachment 1 in accordance with the
timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization and other organizations needed for the
event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement,
governmental or provincial agencies.

Requirement in Approved Standard:
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall provide its operating personnel with sabotage response
guidelines, including personnel to contact, for reporting disturbances due to sabotage events.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R1
Proposed Language in EOP-004-2:
R1. Each Responsible Entity shall have an Operating Plan that includes:
[Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for recognizing each of the applicable events listed in
EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events
listed in EOP-004 Attachment 1 in accordance with the
timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization and other organizations needed for the
event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement,
governmental or provincial agencies.

Requirement in Approved Standard:
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall establish communications contacts, as applicable, with local
Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP) officials and
develop reporting procedures as appropriate to their circumstances.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R1
Proposed Language in EOP-004-2:
R1. Each Responsible Entity shall have an Operating Plan that includes:
[Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
1.1. A process for recognizing each of the applicable events listed in
EOP-004 Attachment 1.
1.2. A process for communicating each of the applicable events
listed in EOP-004 Attachment 1 in accordance with the
timeframes specified in EOP-004 Attachment 1 to the Electric
Reliability Organization and other organizations needed for the
event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement,
governmental or provincial agencies.
Standard: EOP-004-1 – Disturbance Reporting
Columns: Requirement in Approved Standard | Translation to New Standard or Other Action |
Proposed Language in EOP-004-2 - Impact Event and Disturbance Assessment, Analysis, and Reporting Comments
R1. Each Regional Reliability Organization shall
establish and maintain a Regional reporting
procedure to facilitate preparation of preliminary
and final disturbance reports.
Retire this fill-in-the-blank requirement.
R2. A Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator or
Load-Serving Entity shall promptly analyze Bulk
Electric System disturbances on its system or
facilities.
Translated into
EOP-004-2, R1
and the NERC
Events Analysis
Process
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
R3. A Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator or
Load-Serving Entity experiencing a reportable
incident shall provide a preliminary written report
to its Regional Reliability Organization and NERC.
Translated into
EOP-004-2, R2
R2. Each Responsible Entity shall implement its event reporting
Operating Plan for applicable events listed in EOP-004 Attachment 1,
and in accordance with the timeframe specified in EOP-004
Attachment 1. [Violation Risk Factor: Medium] [Time Horizon:
Operations Assessment]
Replace with new
reporting and
analysis
procedure
developed by
NERC EAWG.
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
R3.1. The affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator or Load-Serving Entity shall submit within
24 hours of the disturbance or unusual occurrence
either a copy of the report submitted to DOE, or, if
no DOE report is required, a copy of the NERC
Interconnection Reliability Operating Limit and
Preliminary Disturbance Report form. Events that
are not identified until sometime after they occur
shall be reported within 24 hours of being
recognized.
Translated into
EOP-004-2, R2
R3.2. Applicable reporting forms are provided in
Attachments 022-1 and 022-2.
Retire –
informational
statement
R2. Each Responsible Entity shall implement its event reporting
Operating Plan for applicable events listed in EOP-004 Attachment 1,
and in accordance with the timeframe specified in EOP-004
Attachment 1. [Violation Risk Factor: Medium] [Time Horizon:
Operations Assessment]
R3.3. Under certain adverse conditions, e.g., severe
weather, it may not be possible to assess the
damage caused by a disturbance and issue a written
Interconnection Reliability Operating Limit and
Preliminary Disturbance Report within 24 hours. In
such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator,
Generator Operator, or Load-Serving Entity shall
promptly notify its Regional Reliability
Organization(s) and NERC, and verbally provide as
much information as is available at that time. The
affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator, or Load-Serving Entity shall then provide
timely, periodic verbal updates until adequate
information is available to issue a written
Preliminary Disturbance Report.
Retire as a requirement. Added as a “Note” to EOP-004 Attachment 1 Impact Events Table
NOTE: Under certain adverse conditions (e.g. severe weather, multiple
events) it may not be possible to report the damage caused by an
event and issue a written Event Report within the timing in the table
below. In such cases, the affected Responsible Entity shall notify
parties per Requirement R1 and provide as much information as is
available at the time of the notification. Submit reports to the ERO via
one of the following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.
R3.4. If, in the judgment of the Regional Reliability
Organization, after consultation with the Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity in which a disturbance occurred, a final
report is required, the affected Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity shall prepare this report within 60 days. As a
minimum, the final report shall have a discussion of
the events and its cause, the conclusions reached,
and recommendations to prevent recurrence of this
type of event. The report shall be subject to
Regional Reliability Organization approval.
Retire this fill-in-the-blank requirement.
R4. When a Bulk Electric System disturbance
occurs, the Regional Reliability Organization shall
make its representatives on the NERC Operating
Committee and Disturbance Analysis Working
Group available to the affected Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity immediately affected by the disturbance for
the purpose of providing any needed assistance in
the investigation and to assist in the preparation of
a final report.
Retire this fill-in-the-blank requirement.
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
Replace with new
reporting
procedure
developed by
NERC EAWG.
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
Replace with new
reporting
procedure
developed by
NERC EAWG.
R5. The Regional Reliability Organization shall track
and review the status of all final report
recommendations at least twice each year to
ensure they are being acted upon in a timely
manner. If any recommendation has not been
acted on within two years, or if Regional Reliability
Organization tracking and review indicates at any
time that any recommendation is not being acted
on with sufficient diligence, the Regional Reliability
Organization shall notify the NERC Planning
Committee and Operating Committee of the status
of the recommendation(s) and the steps the
Regional Reliability Organization has taken to
accelerate implementation.
Retire this fill-in-the-blank requirement.
Request for Interpretation of CIP-001-2a, R2: Please
clarify what is meant by the term, “appropriate
parties.” Moreover, who within the Interconnection
hierarchy deems parties to be appropriate?
Retire the
interpretation
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
Replace with new
reporting
procedure
developed by
NERC EAWG.
Addressed in EOP-004-2, R1 by replacing the term, ‘appropriate
parties’ with a broader, more specific list of specific entities to contact
in Part 1.2.
Standard: CIP-008-4 – Cyber Security – Incident Reporting and Response Planning
Requirement in Approved Standard
Translation to New
Proposed Language in EOP-004-2 - Impact Event and
Standard or Other
Disturbance Assessment, Analysis, and Reporting Comments
Action
R1.3. Process for reporting Cyber Security
Incidents to the Electricity Sector Information
Sharing and Analysis Center (ES-ISAC). The
Responsible Entity must ensure that all
reportable Cyber Security Incidents are reported
to the ES-ISAC either directly or through an
intermediary.
Translated into EOP-004-2 Requirement 1,
Part 1.2 and
Attachment 1.
Cyber Security Incidents are defined as:
Any malicious act or suspicious event that:
• Compromises, or was an attempt to compromise, the
Electronic Security Perimeter or Physical Security
Perimeter of a Critical Cyber Asset, or,
• Disrupts, or was an attempt to disrupt, the operation
of a Critical Cyber Asset.
Such events are listed in Attachment 1 as “Detection of a
reportable Cyber Security Incident” and are events that are
required to be reported under Reliability Standard EOP-004-2.
Requirement R1, Part 1.2 requires the Responsible Entity to
have “A process for reporting events listed in Attachment 1 to
the Electric Reliability Organization,...” The note at the top of
Attachment 1 includes the following:
“Reports to the ERO should be submitted to one of the
following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550,
Voice: 609-452-1422.”
Project 2009-01 Disturbance and Sabotage Reporting
Consideration of Issues and Directives
Project 2009-01 Disturbance and Sabotage Reporting
Issue or Directive
Source
Consideration of Issue or Directive
"What is meant by: “establish contact with the FBI”? Is a phone number
adequate? Many entities which call the FBI are referred back to the local
authority. The AOT noted that on the FBI website it states to contact the
local authorities. Is this a question for Homeland Security to deal with
for us?"
Establish communications contacts, as applicable with local FBI and RCMP
officials. Some entities are very remote and the sheriff is the only local
authority does the FBI still need to be contacted?
Registered Entities have sabotage reporting processes and procedures in
place but not all personnel has been trained.
CIP‐001‐1 NERC Audit
Observation Team
The DSR SDT has been in contact with FBI staff and developed a
notification flow chart for law enforcement as it pertains to EOP-004.
The “Background” section of the standard outlines the reporting
hierarchy that exists between local, state, provincial and federal law
enforcement. The entity experiencing an event should notify the
appropriate state or provincial law enforcement agency that will then
coordinate with local law enforcement for investigation. These local,
state and provincial agencies will coordinate with higher levels of law
enforcement or other governmental agencies.
Question: How do you “and make the operator aware”
CIP‐001‐1 NERC Audit
Observation Team
This has been removed from the standard.
Requirement R1, Part 1.1 requires that the
entity has a process for recognizing
events.
How does this standard pertain to Load Serving Entities, LSE's.
CIP‐001‐1 NERC Audit
Observation Team
LSE is an applicable entity since LSEs are
currently applicable under CIP-008.
We direct the ERO to explore ways to address these concerns –
including central coordination of sabotage reports and a uniform
reporting format – in developing modifications to the Reliability
Standard with the appropriate governmental agencies that have
levied the reporting requirements.
CIP‐001‐1; Order 693
See “Background” section of the standard.
Project 2009-01 Disturbance and Sabotage Reporting
Consideration of Issues and Directives – March 15, 2012
"Define “sabotage” and provide guidance on triggering events that
would cause an entity to report an event. Paragraph 461. Several
commenters agree with the Commission’s concern that the term
“sabotage” should be defined. For the reasons stated in the NOPR,
we direct that the ERO further define the term and provide guidance
on triggering events that would cause an entity to report an event.
However, we disagree with those commenters that suggest the term
“sabotage” is so vague as to justify a delay in approval or the
application of monetary penalties. As explained in the NOPR, we
believe that the term sabotage is commonly understood and that
common understanding should suffice in most instances.
CIP‐001‐1; Order 693
The DSR SDT has not proposed a definition
for inclusion in the NERC Glossary because
it is impractical to define every event that
should be reported without listing them in
the definition. Attachment 1 is the de
facto definition of “event”. The DSR SDT
considered the FERC directive to “further
define sabotage” and decided to eliminate
the term sabotage from the standard. The
team felt that without the intervention of
law enforcement after the fact, it was
almost impossible to determine if an act
or event was that of sabotage or merely
vandalism. The term “sabotage” is no
longer included in the standard and
therefore it is inappropriate to attempt to
define it. The events listed in Attachment
1 provide guidance for reporting both
actual events as well as events which may
have an impact on the Bulk Electric
System. The DSR SDT believes that this is
an equally effective and efficient means of
addressing the FERC Directive.
The ERO should consider suggestions raised by commenters such as
FirstEnergy and Xcel to define the specified period for reporting an
incident beginning from when an event is discovered or suspected to
be sabotage, and APPA’s concerns regarding events at unstaffed or
remote facilities, and triggering events occurring outside staffed
hours at small entities.
CIP‐001‐1; Order 693
Attachment 1 defines the timelines and
events which are to be reported under
this standard. The required reporting is
either one hour or 24 hours (depending on
the type of event) “of recognition of the
event.”
Modify CIP-001-1 to require an applicable entity to contact
appropriate governmental authorities in the event of sabotage
within a specific period of time, even if it is a preliminary report.
Further, in the interim while the matter is being addressed by the
Reliability Standards development process, we direct the ERO to
provide advice to entities that have concerns about the reporting of
particular circumstances as they arise.
CIP‐001‐1; Order 693
Per Requirement R1, the entity is to
develop procedure(s) that include event
reporting to law enforcement and
governmental agencies. The DSR SDT also
proposes revisions to the NERC Rules of
Procedure to report events to the FERC.
812. NERC will establish a system to
collect report forms as established
for this section or standard, from any
Registered Entities, pertaining to
data requirements identified in
Section 800 of this Procedure. Upon
receipt of the submitted report, the
system shall then forward the report
to the appropriate NERC
departments, applicable regional
entities, other designated registered
entities, and to appropriate
governmental, law enforcement,
regulatory agencies as necessary.
This can include state, federal, and
provincial organizations.
CIP‐001‐1; Order 693
Consider the need for wider application of the standard. Consider
whether separate, less burdensome requirements for smaller entities
may be appropriate. Paragraph 458. The Commission acknowledges
the concerns of the commenters about the applicability of CIP-001-1
to small entities and has addressed the concerns of small entities
generally earlier in this Final Rule. Our approval of the ERO
Compliance Registry criteria to determine which users, owners and
operators are responsible for compliance addresses the concerns of
APPA and others. 459. However, the Commission believes that there
are specific reasons for applying this Reliability Standard to such
entities, as discussed in the NOPR. APPA indicates that some small
LSEs do not own or operate “hard assets” that are normally thought
of as “at risk” to sabotage. The Commission is concerned that, an
adversary might determine that a small LSE is the appropriate target
when the adversary aims at a particular population or facility. Or an
adversary may target a small user, owner or operator because it may
have similar equipment or protections as a larger facility, that is, the
adversary may use an attack against a smaller facility as a training
“exercise.” {continued below}
Attachment 1 defines the timelines and
events which are to be reported under
this standard. The applicable entities are
also identified for each type of event.
The knowledge of sabotage events that occur at any facility
(including small facilities) may be helpful to those facilities that are
traditionally considered to be the primary targets of adversaries as
well as to all members of the electric sector, the law enforcement
community and other critical infrastructures. 460. For these reasons,
the Commission remains concerned that a wider application of
CIP-001-1 may be appropriate for Bulk Power System reliability.
Balancing these concerns with our earlier discussion of the
applicability of Reliability Standards to smaller entities, we will not
direct the ERO to make any specific modification to CIP-001-1 to
address applicability. However, we direct the ERO, as part of its Work
Plan, to consider in the Reliability Standards development process,
possible revisions to CIP-001-1 that address our concerns regarding
the need for wider application of the Reliability Standard. Further,
when addressing such applicability issues, the ERO should consider
whether separate, less burdensome requirements for smaller entities
may be appropriate to address these concerns.
The Commission affirms the NOPR directive and directs the ERO to
incorporate a periodic review or updating of the sabotage reporting
procedures and for the periodic testing of the sabotage reporting
procedures. At this time, the commission does not specify a review
period as suggested by FirstEnergy and MRO and, rather, believes
that the appropriate period should be determined through the ERO’s
Reliability Standards development process. However, the
Commission directs that the ERO begin this process by considering a
staggered schedule of annual testing of the procedures with
modifications made when warranted formal review of the
procedures every two or three years.
CIP‐001‐1; Order 693
The standard is responsive to this directive
with the following language in
Requirement R3:
R3. Each Responsible Entity shall
conduct an annual test, not including
notification to the Electric Reliability
Organization, of the communications
process in Part 1.2.
The DSR SDT envisions that this will
include verification that contact
information contained in the Operating
Plan is correct. As an example, the annual
update of the Operating Plan could
include calling others as defined in the
Responsible Entity’s Operating Plan (see
Part 1.2) to verify that their contact
information is correct and current. If any
discrepancies are noted, the Operating
Plan would be updated.
Consider FirstEnergy’s suggestions to differentiate between cyber
and physical security sabotage and develop a threshold of
materiality. Paragraph 451. A number of commenters agree with the
Commission’s concern that the term “sabotage” needs to be better
defined and guidance provided on the triggering events that would
cause an entity to report an event. FirstEnergy states that this
definition should differentiate between cyber and physical sabotage
and should exclude unintentional operator error. It advocates a
threshold of materiality to exclude acts that do not threaten to
reduce the ability to provide service or compromise safety and
security. SoCal Edison states that clarification regarding the
meaning of sabotage and the triggering event for reporting would be
helpful and prevent over reporting.
CIP‐001‐1; Order 693
This is addressed in Attachment 1. There
are specific event types for both cyber and
physical security with their respective
report submittal requirements.
"Include a requirement to report a sabotage event to the proper
government authorities. Develop the language to specifically
implement this directive. Paragraph 467. CIP-001-1, Requirement
R4, requires that each applicable entity establish communications
contacts, as applicable, with the local FBI or Royal Canadian Mounted
Police officials and develop reporting procedures as appropriate to
its circumstances. The Commission in the NOPR expressed concern
that the Reliability Standard does not require an applicable entity to
actually contact the appropriate governmental or regulatory body in
the event of sabotage. Therefore, the Commission proposed that
NERC modify the Reliability Standard to require an applicable entity
to “contact appropriate federal authorities, such as the Department
of Homeland Security, in the event of sabotage within a specified
period of time.”212 468. As mentioned above, NERC and others
object to the wording of the proposed directive as overly prescriptive
and note that the reference to “appropriate federal authorities” fails
to recognize the international application of the Reliability Standard.
The example of the Department of Homeland Security as an
“appropriate federal authority” was not intended to be an exclusive
designation. Nonetheless, the Commission agrees that a reference to
“federal authorities” could create confusion. Accordingly, we modify
the direction in the NOPR and now direct the ERO to address our
underlying concern regarding mandatory reporting of a sabotage
event. The ERO’s Reliability Standards development process should
develop the language to implement this directive."
See Background section of Standard.
A proposal discussed with FBI, FERC Staff,
NERC Standards Project Coordinator and
SDT Chair is reflected in the flowchart
below (Reporting Hierarchy for Event EOP-004-2). Essentially, reporting an event to
law enforcement agencies will only
require the industry to notify the state or
provincial level law enforcement agency.
The state or provincial level law
enforcement agency will coordinate with
local law enforcement to investigate. If
the state or provincial level law
enforcement agency decides federal
agency law enforcement or the RCMP
should respond and investigate, the state
or provincial level law enforcement
agency will notify and coordinate with the
FBI or the RCMP.
On March 4, 2008, NERC submitted a compliance filing in response to
a December 20, 2007 Order, in which the Commission reversed a
NERC decision to register three retail power marketers to comply
with Reliability Standards applicable to load serving entities (LSEs)
and directed NERC to submit a plan describing how it would address
a possible “reliability gap” that NERC asserted would result if the
LSEs were not registered. NERC’s compliance filing included the
following proposal for a short‐term plan and a long‐term plan to
address the potential gap:
CIP‐001‐1 and EOP-004
ORDER ON ELECTRIC
RELIABILITY ORGANIZATION
REGISTRY_DETERMINATIONS;
ORDER ON COMPLIANCE
FILING
The LSE is an applicable entity, since LSEs
are currently applicable under CIP-008. If
an entity owns distribution assets, that
entity will be registered as a Distribution
Provider. Attachment 1 defines the
timelines and events which are to be
reported under this standard. The
applicable entities are also identified for
each type of event.
∙ Short‐term: Using a posting and open comment process, NERC will
revise the registration criteria to define “Non‐Asset Owning LSEs” as
a subset of Load Serving Entities and will specify the reliability
standards applicable to that subset.
∙ Longer‐term: NERC will determine the changes necessary to terms
and requirements in reliability standards to address the issues
surrounding accountability for loads served by retail
marketers/suppliers and process them through execution of the
three‐year Reliability Standards Development Plan. In this revised
Reliability Standards Development Plan, NERC is commencing the
implementation of its stated long‐term plan to address the issues
surrounding accountability for loads served by retail
marketers/suppliers.
The NERC Reliability Standards Development Procedure will be used
to identify the changes necessary to terms and requirements in
reliability standards to address the issues surrounding accountability
for loads served by retail marketers/suppliers. Specifically, the
following description has been incorporated into the scope for
affected projects in this revised Reliability Standards Development
Plan that includes a standard applicable to Load Serving Entities:
Source: FERC’s December 20, 2007 Order in Docket Nos.
RC07‐004‐000, RC07‐6‐000, and RC07‐7‐000.
Issue: In FERC’s December 20, 2007 Order, the Commission reversed
NERC’s Compliance Registry decisions with respect to three load
serving entities in the ReliabilityFirst (RFC) footprint. The
distinguishing feature of these three LSEs is that none own physical
assets. Both NERC and RFC assert that there will be a “reliability gap”
if retail marketers are not registered as LSEs. To avoid a possible gap,
a consistent, uniform approach to ensure that appropriate Reliability
Standards and associated requirements are applied to retail
marketers must be followed.
Each drafting team responsible for reliability standards that are
applicable to LSEs is to review and change as necessary,
requirements in the reliability standards to address the issues
surrounding accountability for loads served by retail
marketers/suppliers. For additional information see:
∙ FERC’s December 20, 2007 Order
(http://www.nerc.com/files/LSE_decision_order.pdf)
∙ NERC’s March 4, 2008
(http://www.nerc.com/files/FinalFiledLSE3408.pdf),
∙ FERC’s April 4, 2008 Order
(http://www.nerc.com/files/AcceptLSECompFiling‐040408.pdf), and
∙ NERC’s July 31, 2008
(http://www.nerc.com/files/FinalFiled‐compFiling‐LSE‐07312008.pdf)
compliance filings to FERC on this subject.
Object to multi‐site requirement
Version 0 Team
CIP-001-1
Definition of sabotage required
Version 0 Team
CIP-001-1
VRFs Team Adequate procedures will insure it is unlikely to lead to
bulk electric system instability, separation, or cascading failures.
The Standard was revised for clarity.
Attachment 1 defines the timelines and
events which are to be reported under
this standard. The applicable entities are
also identified for each type of event.
No definition for sabotage was developed.
The DSR SDT has not proposed a definition
for inclusion in the NERC Glossary because
it is impractical to define every event that
should be reported without listing them in
the definition. Attachment 1 is the de
facto definition of “event”. The DSR SDT
considered the FERC directive to “further
define sabotage” and decided to eliminate
the term sabotage from the standard. The
team felt that without the intervention of
law enforcement after the fact, it was
almost impossible to determine if an act
or event was that of sabotage or merely
vandalism. The term “sabotage” is no
longer included in the standard and
therefore it is inappropriate to attempt to
define it. The events listed in Attachment
1 provide guidance for reporting both
actual events as well as events which may
have an impact on the Bulk Electric
System. The DSR SDT believes that this is
an equally effective and efficient means of
addressing the FERC Directive.
Coordination and follow up on lessons learned from event analyses
Consider adding to EOP‐004 – Disturbance Reporting Proposed
requirement: Regional Entities (REs) shall work together with
Reliability Coordinators, Transmission Owners, and Generation
Owners to develop an Event Analysis Process to prevent similar
events from happening and follow up with the recommendations.
This process shall be defined within the appropriate NERC Standard
Events Analysis Team
Reliability Issue
The DSR SDT envisions EOP-004-2 to be a
reporting standard. Any follow up
investigation or analysis falls under the
purview of the NERC Events Analysis
Program under the NERC Rules of
Procedure.
Consider changes to R1 and R3.4 to standardize the disturbance
reporting requirements (requirements for disturbance reporting
need to be added to this standard). Regions currently have
procedures, but not in the form of a standard. The drafting team will
need to review regional requirements to determine reporting
requirements for the North American standard.
Fill in the Blank Team
The DSR SDT envisions EOP-004-2 to be a
continent-wide reporting standard. Any
follow up investigation or analysis falls
under the purview of the NERC Events
Analysis Program under the NERC Rules of
Procedure.
Can there be a violation without an event?
NERC Audit Observation
Team
The DSR SDT envisions EOP-004-2 to be a
continent-wide reporting standard. In the
opinion of the DSR SDT, there cannot be a
violation of Requirement R2 without an
event. Since Requirement R1 calls for an
Operating Plan, there can be a violation of
R1 without an event.
Consider APPA’s concern about generator operators and LSEs
analyzing performance of their equipment and provide data and
information on the equipment to assist others with analysis.
Paragraph 607. APPA is concerned about the scope of Requirement
R2 because, in its opinion, Requirement R2 appears to impose an
open‐ended obligation on entities such as generation operators and
LSEs that may have neither the data nor the tools to promptly
analyze disturbances that could have originated elsewhere. APPA
proposes that Requirement R2 be modified to require affected
entities to promptly begin analyses to ensure timely reporting to
NERC and DOE.
EOP‐004‐1 Order 693
The DSR SDT envisions EOP-004-2 to be a
continent-wide reporting standard. Any
follow up investigation or analysis falls
under the purview of the NERC Events
Analysis Program under the NERC Rules of
Procedure.
From: David Cook
Sent: Wednesday, July 16, 2008 6:06 PM
To: Rick Sergel; Dave Nevius; David A. Whiteley; Management
Subject: RE: FERC request for DOE‐417s
I agree the real fix is to revise the EOP‐004 standard. I agree that we
can’t (and shouldn’t try) to do that by way of amendments to our
Rules of Procedure. So we should include that fix in the standards
work plan, do the best we can in the meantime to provide FERC with
the 417s, and I’ll have the conversation with Joe McClelland about
not being able to do what the Commission directed in Order 693 (i.e.,
change the standards by way of a change in the Rules of Procedure).
David
EOP‐004‐1 Other
Per Requirement R1, the entity is to
develop procedure(s) that include event
reporting to law enforcement and
governmental agencies. The DSR SDT also
proposes revisions to the NERC Rules of
Procedure to report events to the FERC.
812. NERC will establish a system to
collect report forms as established
for this section or standard, from any
Registered Entities, pertaining to
data requirements identified in
Section 800 of this Procedure. Upon
receipt of the submitted report, the
system shall then forward the report
to the appropriate NERC
departments, applicable regional
entities, other designated registered
entities, and to appropriate
governmental, law enforcement,
regulatory agencies as necessary.
This can include state, federal, and
provincial organizations.
In response to a SAR submitted by Glenn Kaht of ReliabilityFirst: As
part of a regional compliance violation investigation, a possible
reliability gap was identified related to EOP‐004‐1 — Disturbance
Reporting. The existing standard limits reporting of generation
outages to just those outages associated with loss of a bulk power
transmission component that significantly affects the integrity of
interconnected system operations. This requirement has been
interpreted as meaning that only generation outages that must be
reported are those that occur with the loss of a bulk power
transmission element. By not reporting large generation losses that
occur without the loss of a bulk power transmission element, the
industry is overlooking a potential opportunity to identify and learn
from these losses.
Standards Committee Action
From 01/13/2010
The DSR SDT has worked closely with the
NERC EAWG to develop the event
reporting requirements shown in
Attachment 1. The EAWG and the DSR
SDT considered this request and weighed
it against reliability needs for reporting.
Specifically, Item 1 of Attachment 1 of EOP‐004 requires the
reporting of events if “The loss of a bulk power transmission
component that significantly affects the integrity of interconnected
system operations. Generally, a disturbance report will be required
if the event results in actions such as:” The Standard then lists six
different actions that may occur as a result of the event in order to
be reportable. All six of these actions appear to be dependent on
“The loss of a bulk power transmission component that significantly
affects the integrity of interconnected system operations” in order
for the event to be reportable. Some of these events may
significantly impact the reliable operation of the bulk power system.
Consider a revision to EOP‐004‐1 — Disturbance Reporting requiring
a Generator Operator (GOP) that
experiences the loss of generation greater than 500 MW that results
in modification of equipment (e.g. control systems, or Power Load
Unbalancer (PLU)) to be a reportable event.
too many reports, narrow requirement to RC
Version 0 Team
How does this apply to generator operator?
Version 0 Team
There is only one report required under
this standard. An entity may submit the
report using Attachment 2 or the DOE OE-417 report form.
See attachment 1 for specific generator
operator applicability.
Violation Risk Factor and Violation Severity Level Assignments
Project 2009-01 – Disturbance and Sabotage Reporting
This document provides the drafting team’s justification for assignment of violation risk factors (VRFs)
and violation severity levels (VSLs) for each requirement in
EOP-004-2 — Event Reporting
Each primary requirement is assigned a VRF and a set of one or more VSLs. These elements support the
determination of an initial value range for the Base Penalty Amount regarding violations of requirements
in FERC-approved Reliability Standards, as defined in the ERO Sanction Guidelines.
Justification for Assignment of Violation Risk Factors in EOP-004-2
The Disturbance and Sabotage Reporting Standard Drafting Team applied the following NERC criteria
when proposing VRFs for the requirements in EOP-004-2:
High Risk Requirement
A requirement that, if violated, could directly cause or contribute to bulk electric system
instability, separation, or a cascading sequence of failures, or could place the bulk electric system
at an unacceptable risk of instability, separation, or cascading failures; or, a requirement in a
planning time frame that, if violated, could, under emergency, abnormal, or restorative conditions
anticipated by the preparations, directly cause or contribute to bulk electric system instability,
separation, or a cascading sequence of failures, or could place the bulk electric system at an
unacceptable risk of instability, separation, or cascading failures, or could hinder restoration to a
normal condition.
Medium Risk Requirement
A requirement that, if violated, could directly affect the electrical state or the capability of the
bulk electric system, or the ability to effectively monitor and control the bulk electric system.
However, violation of a medium risk requirement is unlikely to lead to bulk electric system
instability, separation, or cascading failures; or, a requirement in a planning time frame that, if
violated, could, under emergency, abnormal, or restorative conditions anticipated by the
preparations, directly and adversely affect the electrical state or capability of the bulk electric
system, or the ability to effectively monitor, control, or restore the bulk electric system.
However, violation of a medium risk requirement is unlikely, under emergency, abnormal, or
restoration conditions anticipated by the preparations, to lead to bulk electric system instability,
separation, or cascading failures, nor to hinder restoration to a normal condition.
Lower Risk Requirement
A requirement that is administrative in nature and a requirement that, if violated, would not be
expected to adversely affect the electrical state or capability of the bulk electric system, or the
ability to effectively monitor and control the bulk electric system; or, a requirement that is
administrative in nature and a requirement in a planning time frame that, if violated, would not,
under the emergency, abnormal, or restorative conditions anticipated by the preparations, be
expected to adversely affect the electrical state or capability of the bulk electric system, or the
ability to effectively monitor, control, or restore the bulk electric system. A planning requirement
that is administrative in nature.
The SDT also considered consistency with the FERC Violation Risk Factor Guidelines for setting
VRFs: 1
Guideline (1) — Consistency with the Conclusions of the Final Blackout Report
The Commission seeks to ensure that Violation Risk Factors assigned to Requirements of
Reliability Standards in these identified areas appropriately reflect their historical critical impact
on the reliability of the Bulk-Power System.
In the VSL Order, FERC listed critical areas (from the Final Blackout Report) where violations could
severely affect the reliability of the Bulk-Power System: 2
− Emergency operations
− Vegetation management
− Operator personnel training
− Protection systems and their coordination
− Operating tools and backup facilities
− Reactive power and voltage control
− System modeling and data exchange
− Communication protocol and facilities
− Requirements to determine equipment ratings
− Synchronized data recorders
− Clearer criteria for operationally critical facilities
− Appropriate use of transmission loading relief.
Guideline (2) — Consistency within a Reliability Standard
The Commission expects a rational connection between the sub-Requirement Violation Risk
Factor assignments and the main Requirement Violation Risk Factor assignment.
1 North American Electric Reliability Corp., 119 FERC ¶ 61,145, order on reh’g and compliance filing, 120 FERC ¶ 61,145
(2007) (“VRF Rehearing Order”).
2 Id. at footnote 15.
Guideline (3) — Consistency among Reliability Standards
The Commission expects the assignment of Violation Risk Factors corresponding to
Requirements that address similar reliability goals in different Reliability Standards would be
treated comparably.
Guideline (4) — Consistency with NERC’s Definition of the Violation Risk Factor Level
Guideline (4) was developed to evaluate whether the assignment of a particular
Violation Risk Factor level conforms to NERC’s definition of that risk level.
Guideline (5) — Treatment of Requirements that Co-mingle More Than One Obligation
Where a single Requirement co-mingles a higher risk reliability objective and a lesser risk
reliability objective, the VRF assignment for such Requirements must not be watered down to
reflect the lower risk level associated with the less important objective of the Reliability
Standard.
The following discussion addresses how the SDT considered FERC’s VRF Guidelines 2 through 5. The
team did not address Guideline 1 directly because of an apparent conflict between Guidelines 1 and 4.
Whereas Guideline 1 identifies a list of topics that encompass nearly all topics within NERC’s
Reliability Standards and implies that these requirements should be assigned a “High” VRF, Guideline 4
directs assignment of VRFs based on the impact of a specific requirement to the reliability of the system.
The SDT believes that Guideline 4 is reflective of the intent of VRFs in the first instance and therefore
concentrated its approach on the reliability impact of the requirements.
VRF for EOP-004-2:
There are four requirements in EOP-004-2. Requirement R1 was assigned a Lower VRF while
Requirements R2, R3 and R4 were assigned a Medium VRF.
VRF for EOP-004-2, Requirements R1:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. The Requirement specifies which
entities are required to have processes for recognition of events and for communicating with other
entities. This Requirement is the only administrative Requirement within the Standard. The VRF is
only applied at the Requirement level.
• FERC’s Guideline 3 — Consistency among Reliability Standards. This requirement calls for an
entity to have processes for recognition of events and communicating with other entities. This
requirement is administrative in nature and deals with the means to report events after the fact.
Most event reporting requirements in Attachment 1 are for 24 hours after an event has occurred.
The current approved VRFs for EOP-004-1 are all lower with the
exception of Requirement R2 which is a requirement to analyze events. This standard relates only to
reporting events. The analysis portion is addressed through the NERC Rules of Procedure and the
Events Analysis Program.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. Failure to have an event
reporting Operating Plan is not likely to directly affect the electrical state or the capability of the bulk
electric system. Development of the Operating Plan is a requirement that is administrative in nature
and is in a planning time frame that, if violated, would not, under emergency, abnormal, or
restorative conditions anticipated by the preparations, be expected to adversely affect the electrical
state or capability of the bulk electric system, or the ability to effectively monitor, control, or restore
the bulk electric system. Therefore, this requirement was assigned a Lower VRF.
• FERC’s Guideline 5 — Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R1 contains only one objective which is to have an Operating Plan with
two distinct processes. The content of the Operating Plan is specified in Parts 1.1-1.2. Since the
requirement is to have an Operating Plan, only one VRF was assigned.
VRF for EOP-004-2, Requirement R2:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. This Requirement calls for the
Responsible Entity to implement its Operating Plan and is assigned a Medium VRF. There are two
other Requirements in this Standard which specify an annual test of the Operating Plan (R3) and an
annual review of the Operating Plan (R4). Each of these Requirements is assigned a Medium VRF.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R2 is a
requirement for entities to report events using the process for recognition of events per Requirement
R1. Failure to report events is not likely to “directly affect the electrical state or the capability of the
bulk electric system, or the ability to effectively monitor and control the bulk electric system.”
However, violation of a medium risk requirement should also be “unlikely to lead to bulk electric
system instability, separation, or cascading failures…” Such an instance could occur if personnel do
not report events. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R2 mandates that Responsible Entities implement their Operating Plan. Bulk power system
instability, separation, or cascading failures are not likely to occur due to a failure to notify another
entity of the event failure, but there is a slight chance that it could occur. Therefore, this requirement
was assigned a Medium VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R2 addresses a single objective and has a single VRF.
VRF for EOP-004-2, Requirement R3:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. This Requirement calls for the
Responsible Entity to perform an annual test of the Operating Plan and is assigned a Medium VRF.
There are two other Requirements in this Standard which specify that the Responsible Entity
implement its Operating Plan (R2) and perform an annual review of the Operating Plan (R4). Each
of these Requirements is assigned a Medium VRF.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R3 is a
requirement for entities to perform an annual test of the Operating Plan. Failure to perform an
annual test of the Operating Plan is not likely to “directly affect the electrical state or the capability
of the bulk electric system, or the ability to effectively monitor and control the bulk electric system.”
However, violation of a medium risk requirement should also be “unlikely to lead to bulk electric
system instability, separation, or cascading failures…” Such an instance could occur if personnel do
not perform an annual test of the Operating Plan and it is out of date or contains erroneous
information. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R3 mandates that Responsible Entities perform an annual test of the Operating Plan. Bulk power
system instability, separation, or cascading failures are not likely to occur due to a failure to perform
an annual test of the Operating Plan, but there is a slight chance that it could occur if the Operating
Plan is out of date or contains erroneous information. Therefore, this requirement was assigned a
Medium VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R3 addresses a single objective and has a single VRF.
VRF for EOP-004-2, Requirement R4:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. This Requirement calls for the
Responsible Entity to perform an annual review of the Operating Plan and is assigned a Medium
VRF. There are two other Requirements in this Standard which specify that the Responsible Entity
implement its Operating Plan (R2) and perform an annual test of the Operating Plan (R3). Each of
these Requirements is assigned a Medium VRF.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R4 is a
requirement for entities to perform an annual test of the Operating Plan. Failure to perform an
annual review of the Operating Plan is not likely to “directly affect the electrical state or the
capability of the bulk electric system, or the ability to effectively monitor and control the bulk
electric system.” However, violation of a medium risk requirement should also be “unlikely to lead
to bulk electric system instability, separation, or cascading failures…” Such an instance could occur
if personnel do not perform an annual review of the Operating Plan and it is out of date or contains
erroneous information. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R4 mandates that Responsible Entities perform an annual review of the Operating Plan. Bulk power
system instability, separation, or cascading failures are not likely to occur due to a failure to notify
another entity of the event failure, but there is a slight chance that it could occur if the Operating Plan
is out of date or contains erroneous information. Therefore, this requirement was assigned a Medium
VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R4 addresses a single objective and has a single VRF.
Justification for Assignment of Violation Severity Levels for EOP-004-2:
In developing the VSLs for the EOP-004-2 standard, the SDT anticipated the evidence that would be
reviewed during an audit, and developed its VSLs based on the noncompliance an auditor may find
during a typical audit. The SDT based its assignment of VSLs on the following NERC criteria:
Lower: Missing a minor element (or a small percentage) of the required performance. The performance or product measured has significant value as it almost meets the full intent of the requirement.
Moderate: Missing at least one significant element (or a moderate percentage) of the required performance. The performance or product measured still has significant value in meeting the intent of the requirement.
High: Missing more than one significant element (or is missing a high percentage) of the required performance or is missing a single vital component. The performance or product has limited value in meeting the intent of the requirement.
Severe: Missing most or all of the significant elements (or a significant percentage) of the required performance. The performance measured does not meet the intent of the requirement or the product delivered cannot be used in meeting the intent of the requirement.
FERC’s VSL guidelines are presented below, followed by an analysis of whether the VSLs proposed for
each requirement in EOP-004-2 meet the FERC Guidelines for assessing VSLs:
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence
of Lowering the Current Level of Compliance
Compare the VSLs to any prior levels of non-compliance and avoid significant changes that may
encourage a lower level of compliance than was required when levels of non-compliance were
used.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in
the Determination of Penalties
A violation of a “binary” type requirement must be a “Severe” VSL.
Do not use ambiguous terms such as “minor” and “significant” to describe noncompliant
performance.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement
VSLs should not expand on what is required in the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations
. . . unless otherwise stated in the requirement, each instance of non-compliance with a
requirement is a separate violation. Section 4 of the Sanction Guidelines states that assessing
penalties on a per violation per day basis is the “default” for penalty calculations.
VSLs for EOP-004-2 Requirements R1:
R#: R1
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental aspect to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1 (Violation Severity Level Assignments Should Not Have the Unintended Consequence of Lowering the Current Level of Compliance): The proposed requirement is a revision of CIP-001-1, R1-R4, and EOP-004-1, R2. Since the Requirement has three Parts, the VSLs were developed to count a violation of each Part equally. Therefore, three VSLs were developed.
Guideline 2 (Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the Determination of Penalties; Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is Not Consistent; Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language): The proposed VSLs do not use any ambiguous terminology, thereby supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3 (Violation Severity Level Assignment Should Be Consistent with the Corresponding Requirement): The proposed VSLs use the same terminology as used in the associated requirement, and are, therefore, consistent with the requirement.
Guideline 4 (Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A Cumulative Number of Violations): The VSLs are based on a single violation and not cumulative violations.
VSLs for EOP-004-2 Requirement R2:
R#: R2
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental aspect to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1 (Violation Severity Level Assignments Should Not Have the Unintended Consequence of Lowering the Current Level of Compliance): The proposed requirement is a revision of EOP-004-1, R3. There is only a Severe VSL for that requirement. However, the reporting of events is based on timing intervals listed in EOP-004 Attachment 1. Based on the VSL Guidance, the DSR SDT developed four VSLs based on tardiness of the submittal of the report. If a report is not submitted, then the VSL is Severe. This maintains the current VSL.
Guideline 2 (Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the Determination of Penalties; Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is Not Consistent; Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language): The proposed VSLs do not use any ambiguous terminology, thereby supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3 (Violation Severity Level Assignment Should Be Consistent with the Corresponding Requirement): The proposed VSLs use the same terminology as used in the associated requirement, and are, therefore, consistent with the requirement.
Guideline 4 (Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A Cumulative Number of Violations): The VSLs are based on a single violation and not cumulative violations.
VSLs for EOP-004-2 Requirement R3:
R#: R3
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental aspect to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1 (Violation Severity Level Assignments Should Not Have the Unintended Consequence of Lowering the Current Level of Compliance): The proposed requirement is a new Requirement. The test of the Operating Plan is based on the calendar year. Based on the VSL Guidance, the DSR SDT developed four VSLs based on tardiness of the submittal of the report. If a test is not performed, then the VSL is Severe.
Guideline 2 (Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the Determination of Penalties; Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is Not Consistent; Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language): The proposed VSLs do not use any ambiguous terminology, thereby supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3 (Violation Severity Level Assignment Should Be Consistent with the Corresponding Requirement): The proposed VSLs use the same terminology as used in the associated requirement, and are, therefore, consistent with the requirement.
Guideline 4 (Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A Cumulative Number of Violations): The VSLs are based on a single violation and not cumulative violations.
VSLs for EOP-004-2 Requirement R4:
R#: R3
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental aspect to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1 (Violation Severity Level Assignments Should Not Have the Unintended Consequence of Lowering the Current Level of Compliance): The proposed requirement is a new Requirement. The review of the Operating Plan is based on the calendar year. Based on the VSL Guidance, the DSR SDT developed four VSLs based on tardiness of the submittal of the report. If a review is not performed, then the VSL is Severe.
Guideline 2 (Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the Determination of Penalties; Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is Not Consistent; Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language): The proposed VSLs do not use any ambiguous terminology, thereby supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3 (Violation Severity Level Assignment Should Be Consistent with the Corresponding Requirement): The proposed VSLs use the same terminology as used in the associated requirement, and are, therefore, consistent with the requirement.
Guideline 4 (Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A Cumulative Number of Violations): The VSLs are based on a single violation and not cumulative violations.
The Project 2009-01 Disturbance and Sabotage
Reporting SDT has drafted the following
addition to the NERC Rules of Procedure to
support the reporting of events as required by
the directive in Order No. 693 P 470.
SECTION 800 — RELIABILITY ASSESSMENT AND
PERFORMANCE ANALYSIS
812. NERC Reporting Clearinghouse
NERC will establish a system to collect report forms as established for this section or
standard, from any Registered Entities, pertaining to data requirements identified in
Section 800 of this Procedure. Upon receipt of the submitted report, the system shall
then forward the report to the appropriate NERC departments, applicable regional
entities, other designated registered entities, and to appropriate governmental, law
enforcement, regulatory agencies as necessary. This can include state, federal, and
provincial organizations.
Standard CIP-001-2a— Sabotage Reporting
A. Introduction
1. Title: Sabotage Reporting
2. Number: CIP-001-2a
3. Purpose: Disturbances or unusual occurrences, suspected or determined to be caused by
sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory
bodies.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Transmission Owners (only in ERCOT Region).
4.7. Generator Owners (only in ERCOT Region).
5. Effective Date: ERCOT Regional Variance will be effective the first day of
the first calendar quarter after applicable regulatory approval.
B. Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the recognition of and for making
their operating personnel aware of sabotage events on its facilities and multi-site sabotage
affecting larger portions of the Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of information
concerning sabotage events to appropriate parties in the Interconnection.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall provide its operating personnel with sabotage response
guidelines, including personnel to contact, for reporting disturbances due to sabotage events.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall establish communications contacts, as applicable, with
local Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP)
officials and develop reporting procedures as appropriate to their circumstances.
C. Measures
M1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request a procedure (either
electronic or hard copy) as defined in Requirement 1.
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request the procedures or
guidelines that will be used to confirm that it meets Requirements 2 and 3.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request evidence that could
include, but is not limited to procedures, policies, a letter of understanding, communication
records, or other equivalent evidence that will be used to confirm that it has established
communications contacts with the applicable, local FBI or RCMP officials to communicate
sabotage events (Requirement 4).
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Regional Reliability Organizations shall be responsible for compliance monitoring.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to verify compliance:
- Self-certification (Conducted annually with submission according to schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made within 60
days of an event or complaint of noncompliance. The entity will have up to 30 days
to prepare for the investigation. An entity may request an extension of the
preparation period and the extension will be considered by the Compliance Monitor
on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Reliability Coordinator, Transmission Operator, Generator Operator, Distribution
Provider, and Load Serving Entity shall have current, in-force documents available as
evidence of compliance as specified in each of the Measures.
If an entity is found non-compliant the entity shall keep information related to the noncompliance until found compliant or for two years plus the current year, whichever is
longer.
Evidence used as part of a triggered investigation shall be retained by the entity being
investigated for one year from the date that the investigation is closed, as determined by
the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested and
submitted subsequent compliance records.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance:
2.1. Level 1: There shall be a separate Level 1 non-compliance, for every one of the
following requirements that is in violation:
2.1.1 Does not have procedures for the recognition of and for making its operating
personnel aware of sabotage events (R1).
2.1.2 Does not have procedures or guidelines for the communication of information
concerning sabotage events to appropriate parties in the Interconnection (R2).
2.1.3 Has not established communications contacts, as specified in R4.
2.2. Level 2: Not applicable.
2.3. Level 3: Has not provided its operating personnel with sabotage response procedures or
guidelines (R3).
2.4. Level 4: Not applicable.
E. ERCOT Interconnection-wide Regional Variance
Requirements
EA.1. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have procedures for the recognition of and for making their operating
personnel aware of sabotage events on its facilities and multi-site sabotage affecting
larger portions of the Interconnection.
EA.2. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have procedures for the communication of information concerning
sabotage events to appropriate parties in the Interconnection.
EA.3. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall provide its operating personnel with sabotage response guidelines,
including personnel to contact, for reporting disturbances due to sabotage events.
EA.4. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall establish communications contacts with local Federal Bureau of
Investigation (FBI) officials and develop reporting procedures as appropriate to their
circumstances.
Measures
M.A.1. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request a procedure (either electronic or hard
copy) as defined in Requirement EA1.
M.A.2. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request the procedures or guidelines that will be
used to confirm that it meets Requirements EA2 and EA3.
M.A.3. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request evidence that could include, but is not
limited to, procedures, policies, a letter of understanding, communication records,
or other equivalent evidence that will be used to confirm that it has established
communications contacts with the local FBI officials to communicate sabotage
events (Requirement EA4).
Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
Regional Entity shall be responsible for compliance monitoring.
1.2. Data Retention
Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have current, in-force documents available as evidence of compliance
as specified in each of the Measures.
If an entity is found non-compliant the entity shall keep information related to the
non-compliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Amended
1 | April 4, 2007 | Regulatory Approval — Effective Date | New
1a | February 16, 2010 | Added Appendix 1 — Interpretation of R2 approved by the NERC Board of Trustees | Addition
1a | February 2, 2011 | Interpretation of R2 approved by FERC on February 2, 2011 | Same addition
 | June 10, 2010 | TRE regional ballot approved variance | By Texas RE
 | August 24, 2010 | Regional Variance Approved by Texas RE Board of Directors |
2a | February 16, 2011 | Approved by NERC Board of Trustees |
2a | August 2, 2011 | FERC Order issued approving Texas RE Regional Variance |
Appendix 1
Requirement Number and Text of Requirement
CIP-001-1:
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of information
concerning sabotage events to appropriate parties in the Interconnection.
Question
Please clarify what is meant by the term, “appropriate parties.” Moreover, who within the Interconnection
hierarchy deems parties to be appropriate?
Response
The drafting team interprets the phrase “appropriate parties in the Interconnection” to refer collectively to
entities with whom the reporting party has responsibilities and/or obligations for the communication of
physical or cyber security event information. For example, reporting responsibilities result from NERC
standards IRO-001 Reliability Coordination — Responsibilities and Authorities, COM-002-2
Communication and Coordination, and TOP-001 Reliability Responsibilities and Authorities, among
others. Obligations to report could also result from agreements, processes, or procedures with other
parties, such as may be found in operating agreements and interconnection agreements.
The drafting team asserts that those entities to which communicating sabotage events is appropriate would
be identified by the reporting entity and documented within the procedure required in CIP-001-1
Requirement R2.
Regarding “who within the Interconnection hierarchy deems parties to be appropriate,” the drafting team
knows of no interconnection authority that has such a role.
Standard CIP–008–3 — Cyber Security — Incident Reporting and Response Planning
A. Introduction
1. Title: Cyber Security — Incident Reporting and Response Planning
2. Number: CIP-008-3
3. Purpose: Standard CIP-008-3 ensures the identification, classification, response, and
reporting of Cyber Security Incidents related to Critical Cyber Assets. Standard CIP-008-3
should be read as part of a group of standards numbered Standards CIP-002-3 through CIP-009-3.
4. Applicability
4.1. Within the text of Standard CIP-008-3, “Responsible Entity” shall mean:
4.1.1 Reliability Coordinator.
4.1.2 Balancing Authority.
4.1.3 Interchange Authority.
4.1.4 Transmission Service Provider.
4.1.5 Transmission Owner.
4.1.6 Transmission Operator.
4.1.7 Generator Owner.
4.1.8 Generator Operator.
4.1.9 Load Serving Entity.
4.1.10 NERC.
4.1.11 Regional Entity.
4.2. The following are exempt from Standard CIP-008-3:
4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian
Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
4.2.3 Responsible Entities that, in compliance with Standard CIP-002-3, identify that
they have no Critical Cyber Assets.
5. Effective Date: The first day of the third calendar quarter after applicable regulatory approvals
have been received (or the Reliability Standard otherwise becomes effective the first day of the
third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is
not required).
B. Requirements
R1. Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a
Cyber Security Incident response plan and implement the plan in response to Cyber Security
Incidents. The Cyber Security Incident response plan shall address, at a minimum, the
following:
R1.1. Procedures to characterize and classify events as reportable Cyber Security Incidents.
R1.2. Response actions, including roles and responsibilities of Cyber Security Incident
response teams, Cyber Security Incident handling procedures, and communication
plans.
Approved by Board of Trustees: December 16, 2009
R1.3. Process for reporting Cyber Security Incidents to the Electricity Sector Information
Sharing and Analysis Center (ES-ISAC). The Responsible Entity must ensure that all
reportable Cyber Security Incidents are reported to the ES-ISAC either directly or
through an intermediary.
R1.4. Process for updating the Cyber Security Incident response plan within thirty calendar
days of any changes.
R1.5. Process for ensuring that the Cyber Security Incident response plan is reviewed at
least annually.
R1.6. Process for ensuring the Cyber Security Incident response plan is tested at least
annually. A test of the Cyber Security Incident response plan can range from a paper
drill, to a full operational exercise, to the response to an actual incident.
R2. Cyber Security Incident Documentation — The Responsible Entity shall keep relevant
documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three
calendar years.
C. Measures
M1. The Responsible Entity shall make available its Cyber Security Incident response plan as
indicated in Requirement R1 and documentation of the review, updating, and testing of the
plan.
M2. The Responsible Entity shall make available all documentation as specified in Requirement
R2.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.1.1 Regional Entity for Responsible Entities that do not perform delegated tasks for
their Regional Entity.
1.1.2 ERO for Regional Entity.
1.1.3 Third-party monitor without vested interest in the outcome for NERC.
1.2. Compliance Monitoring Period and Reset Time Frame
Not applicable.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep documentation other than that required for
reportable Cyber Security Incidents as specified in Standard CIP-008-3 for the
previous full calendar year unless directed by its Compliance Enforcement
Authority to retain specific evidence for a longer period of time as part of an
investigation.
1.4.2 The Compliance Enforcement Authority in conjunction with the Registered
Entity shall keep the last audit records and all requested and submitted
subsequent audit records.
1.5. Additional Compliance Information
1.5.1 The Responsible Entity may not take exception in its cyber security policies to
the creation of a Cyber Security Incident response plan.
1.5.2 The Responsible Entity may not take exception in its cyber security policies to
reporting Cyber Security Incidents to the ES ISAC.
2. Violation Severity Levels (To be developed later.)
E. Regional Variances
None identified.
Version History
Version | Date | Action | Change Tracking
2 | | Modifications to clarify the requirements and to bring the compliance elements into conformance with the latest guidelines for developing compliance elements of standards. Removal of reasonable business judgment. Replaced the RRO with the RE as a responsible entity. Rewording of Effective Date. Changed compliance monitor to Compliance Enforcement Authority. |
3 | | Updated Version number from -2 to -3. In Requirement 1.6, deleted the sentence pertaining to removing component or system from service in order to perform testing, in response to FERC order issued September 30, 2009. |
3 | 12/16/09 | Approved by NERC Board of Trustees | Update
Standard EOP-004-1 — Disturbance Reporting
A. Introduction
1. Title: Disturbance Reporting
2. Number: EOP-004-1
3. Purpose: Disturbances or unusual occurrences that jeopardize the operation of the
Bulk Electric System, or result in system equipment damage or customer interruptions,
need to be studied and understood to minimize the likelihood of similar events in the
future.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Regional Reliability Organizations.
5. Effective Date: January 1, 2007
B. Requirements
R1. Each Regional Reliability Organization shall establish and maintain a Regional
reporting procedure to facilitate preparation of preliminary and final disturbance
reports.
R2. A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity shall promptly analyze Bulk Electric System
disturbances on its system or facilities.
R3. A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity experiencing a reportable incident shall provide a
preliminary written report to its Regional Reliability Organization and NERC.
R3.1. The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator or Load Serving Entity shall submit within 24
hours of the disturbance or unusual occurrence either a copy of the report
submitted to DOE, or, if no DOE report is required, a copy of the NERC
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report form. Events that are not identified until some time after they occur
shall be reported within 24 hours of being recognized.
R3.2. Applicable reporting forms are provided in Attachments 1-EOP-004 and
2-EOP-004.
R3.3. Under certain adverse conditions, e.g., severe weather, it may not be possible
to assess the damage caused by a disturbance and issue a written
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report within 24 hours. In such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator, Generator Operator, or Load
Serving Entity shall promptly notify its Regional Reliability Organization(s)
and NERC, and verbally provide as much information as is available at that
time. The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load Serving Entity shall then provide
timely, periodic verbal updates until adequate information is available to issue
a written Preliminary Disturbance Report.
Adopted by Board of Trustees: November 1, 2006
Effective Date: January 1, 2007
R3.4. If, in the judgment of the Regional Reliability Organization, after consultation
with the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, or Load Serving Entity in which a disturbance occurred, a
final report is required, the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
shall prepare this report within 60 days. As a minimum, the final report shall
have a discussion of the events and its cause, the conclusions reached, and
recommendations to prevent recurrence of this type of event. The report shall
be subject to Regional Reliability Organization approval.
R4. When a Bulk Electric System disturbance occurs, the Regional Reliability Organization
shall make its representatives on the NERC Operating Committee and Disturbance
Analysis Working Group available to the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
immediately affected by the disturbance for the purpose of providing any needed
assistance in the investigation and to assist in the preparation of a final report.
R5. The Regional Reliability Organization shall track and review the status of all final
report recommendations at least twice each year to ensure they are being acted upon in
a timely manner. If any recommendation has not been acted on within two years, or if
Regional Reliability Organization tracking and review indicates at any time that any
recommendation is not being acted on with sufficient diligence, the Regional
Reliability Organization shall notify the NERC Planning Committee and Operating
Committee of the status of the recommendation(s) and the steps the Regional
Reliability Organization has taken to accelerate implementation.
C. Measures
M1. The Regional Reliability Organization shall have and provide upon request as
evidence, its current regional reporting procedure that is used to facilitate preparation
of preliminary and final disturbance reports. (Requirement 1)
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity that has a reportable incident shall have and provide
upon request evidence that could include, but is not limited to, the preliminary report,
computer printouts, operator logs, or other equivalent evidence that will be used to
confirm that it prepared and delivered the NERC Interconnection Reliability Operating
Limit and Preliminary Disturbance Reports to NERC within 24 hours of its recognition
as specified in Requirement 3.1.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and/or Load Serving Entity that has a reportable incident shall have and
provide upon request evidence that could include, but is not limited to, operator logs,
voice recordings or transcripts of voice recordings, electronic communications, or other
equivalent evidence that will be used to confirm that it provided information verbally
as time permitted, when system conditions precluded the preparation of a report in 24
hours. (Requirement 3.3)
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
NERC shall be responsible for compliance monitoring of the Regional Reliability
Organizations.
Regional Reliability Organizations shall be responsible for compliance monitoring
of Reliability Coordinators, Balancing Authorities, Transmission Operators,
Generator Operators, and Load-serving Entities.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to assess compliance:
- Self-certification (Conducted annually with submission according to
schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to
prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made
within 60 days of an event or complaint of noncompliance. The entity will
have up to 30 days to prepare for the investigation. An entity may request an
extension of the preparation period and the extension will be considered by
the Compliance Monitor on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Regional Reliability Organization shall have its current, in-force, regional
reporting procedure as evidence of compliance. (Measure 1)
Each Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, and/or Load Serving Entity that is either involved in a Bulk
Electric System disturbance or has a reportable incident shall keep data related to
the incident for a year from the event or for the duration of any regional
investigation, whichever is longer. (Measures 2 through 4)
If an entity is found non-compliant the entity shall keep information related to the
noncompliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
1.4. Additional Compliance Information
See Attachments:
- EOP-004 Disturbance Reporting Form
- Table 1 EOP-004
2. Levels of Non-Compliance for a Regional Reliability Organization
2.1. Level 1: Not applicable.
2.2. Level 2: Not applicable.
2.3. Level 3: Not applicable.
2.4. Level 4: No current procedure to facilitate preparation of preliminary and final
disturbance reports as specified in R1.
3. Levels of Non-Compliance for a Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator, and Load-Serving Entity:
3.1. Level 1: There shall be a level one non-compliance if any of the following
conditions exist:
3.1.1 Failed to prepare and deliver the NERC Interconnection Reliability
Operating Limit and Preliminary Disturbance Reports to NERC within 24
hours of its recognition as specified in Requirement 3.1.
3.1.2 Failed to provide disturbance information verbally as time permitted,
when system conditions precluded the preparation of a report in 24 hours
as specified in R3.3.
3.1.3 Failed to prepare a final report within 60 days as specified in R3.4.
3.2. Level 2: Not applicable.
3.3. Level 3: Not applicable.
3.4. Level 4: Not applicable.
E. Regional Differences
None identified.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | May 23, 2005 | Fixed reference to attachments 1-EOP-004-0 and 2-EOP-004-0, Changed chart title 1-FAC-004-0 to 1-EOP-004-0, Fixed title of Table 1 to read 1-EOP-004-0, and fixed font. | Errata
0 | July 6, 2005 | Fixed email in Attachment 1-EOP-004-0 from info@nerc.com to esisac@nerc.com. | Errata
0 | July 26, 2005 | Fixed Header on page 8 to read EOP-004-0 | Errata
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Revised
Attachment 1-EOP-004
NERC Disturbance Report Form
Introduction
These disturbance reporting requirements apply to all Reliability Coordinators, Balancing
Authorities, Transmission Operators, Generator Operators, and Load Serving Entities, and
provide a common basis for all NERC disturbance reporting. The entity on whose system a
reportable disturbance occurs shall notify NERC and its Regional Reliability Organization of the
disturbance using the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report forms. Reports can be sent to NERC via email (esisac@nerc.com) or by
facsimile (609-452-9550) using the NERC Interconnection Reliability Operating Limit and
Preliminary Disturbance Report forms. If a disturbance is to be reported to the U.S. Department
of Energy also, the responding entity may use the DOE reporting form when reporting to NERC.
Note: All Emergency Incident and Disturbance Reports (Schedules 1 and 2) sent to DOE shall be
simultaneously sent to NERC, preferably electronically at esisac@nerc.com.
The NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Reports are
to be made for any of the following events:
1. The loss of a bulk power transmission component that significantly affects the integrity of
interconnected system operations. Generally, a disturbance report will be required if the
event results in actions such as:
a. Modification of operating procedures.
b. Modification of equipment (e.g. control systems or special protection systems) to
prevent reoccurrence of the event.
c. Identification of valuable lessons learned.
d. Identification of non-compliance with NERC standards or policies.
e. Identification of a disturbance that is beyond recognized criteria, i.e. three-phase fault
with breaker failure, etc.
f. Frequency or voltage going below the under-frequency or under-voltage load shed
points.
2. The occurrence of an interconnected system separation or system islanding or both.
3. Loss of generation by a Generator Operator, Balancing Authority, or Load-Serving Entity
2,000 MW or more in the Eastern Interconnection or Western Interconnection and 1,000
MW or more in the ERCOT Interconnection.
4. Equipment failures/system operational actions which result in the loss of firm system
demands for more than 15 minutes, as described below:
a. Entities with a previous year recorded peak demand of more than 3,000 MW are
required to report all such losses of firm demands totaling more than 300 MW.
b. All other entities are required to report all such losses of firm demands totaling more
than 200 MW or 50% of the total customers being supplied immediately prior to the
incident, whichever is less.
5. Firm load shedding of 100 MW or more to maintain the continuity of the bulk electric
system.
6. Any action taken by a Generator Operator, Transmission Operator, Balancing Authority, or
Load-Serving Entity that results in:
a. Sustained voltage excursions equal to or greater than ±10%, or
b. Major damage to power system components, or
c. Failure, degradation, or misoperation of system protection, special protection schemes,
remedial action schemes, or other operating systems that do not require operator
intervention, which did result in, or could have resulted in, a system disturbance as
defined by steps 1 through 5 above.
7. An Interconnection Reliability Operating Limit (IROL) violation as required in reliability
standard TOP-007.
8. Any event that the Operating Committee requests to be submitted to Disturbance Analysis
Working Group (DAWG) for review because of the nature of the disturbance and the
insight and lessons the electricity supply and delivery industry could learn.
Adopted by Board of Trustees: November 1, 2006
Effective Date: January 1, 2007
Page 7 of 13
NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Report
Check here if this is an Interconnection Reliability Operating Limit (IROL) violation report.
1. Organization filing report.
2. Name of person filing report.
3. Telephone number.
4. Date and time of disturbance.
   Date: (mm/dd/yy)
   Time/Zone:
5. Did the disturbance originate in your system? Yes / No
6. Describe disturbance including: cause, equipment damage, critical services
interrupted, system separation, key scheduled and actual flows prior to
disturbance and in the case of a disturbance involving a special
protection or remedial action scheme, what action is being taken to prevent
recurrence.
7. Generation tripped.
   MW Total
   List generation tripped
8. Frequency.
   Just prior to disturbance (Hz):
   Immediately after disturbance (Hz max.):
   Immediately after disturbance (Hz min.):
9. List transmission lines tripped (specify voltage level of each line).
10. (FIRM / INTERRUPTIBLE)
   Demand tripped (MW):
   Number of affected Customers:
   Demand lost (MW-Minutes):
11. Restoration time. (INITIAL / FINAL)
   Transmission:
   Generation:
   Demand:
Attachment 2-EOP-004
U.S. Department of Energy Disturbance Reporting Requirements
Introduction
The U.S. Department of Energy (DOE), under its relevant authorities, has established mandatory
reporting requirements for electric emergency incidents and disturbances in the United States.
DOE collects this information from the electric power industry on Form EIA-417 to meet its
overall national security and Federal Energy Management Agency’s Federal Response Plan
(FRP) responsibilities. DOE will use the data from this form to obtain current information
regarding emergency situations on U.S. electric energy supply systems. DOE’s Energy
Information Administration (EIA) will use the data for reporting on electric power emergency
incidents and disturbances in monthly EIA reports. In addition, the data may be used to develop
legislative recommendations, reports to the Congress and as a basis for DOE investigations
following severe, prolonged, or repeated electric power reliability problems.
Every Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator
or Load Serving Entity must use this form to submit mandatory reports of electric power system
incidents or disturbances to the DOE Operations Center, which operates on a 24-hour basis,
seven days a week. All other entities operating electric systems have filing responsibilities to
provide information to the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator or Load Serving Entity when necessary for their reporting obligations and to
file form EIA-417 in cases where these entities will not be involved. EIA requests that it be
notified of those that plan to file jointly and of those electric entities that want to file separately.
Special reporting provisions exist for those electric utilities located within the United States, but
for whom Reliability Coordinator oversight responsibilities are handled by electrical systems
located across an international border. A foreign utility handling U.S. Balancing Authority
responsibilities, may wish to file this information voluntarily to the DOE. Any U.S.-based utility
in this international situation needs to inform DOE that these filings will come from a
foreign-based electric system or file the required reports themselves.
Form EIA-417 must be submitted to the DOE Operations Center if any one of the following
applies (see Table 1-EOP-004-0 — Summary of NERC and DOE Reporting Requirements for
Major Electric System Emergencies):
1. Uncontrolled loss of 300 MW or more of firm system load for more than 15 minutes from a
single incident.
2. Load shedding of 100 MW or more implemented under emergency operational policy.
3. System-wide voltage reductions of 3 percent or more.
4. Public appeal to reduce the use of electricity for purposes of maintaining the continuity of the
electric power system.
5. Actual or suspected physical attacks that could impact electric power system adequacy or
reliability; or vandalism, which target components of any security system. Actual or
suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
6. Actual or suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
7. Fuel supply emergencies that could impact electric power system adequacy or reliability.
8. Loss of electric service to more than 50,000 customers for one hour or more.
9. Complete operational failure or shut-down of the transmission and/or distribution electrical
system.
The initial DOE Emergency Incident and Disturbance Report (form EIA-417 – Schedule 1) shall
be submitted to the DOE Operations Center within 60 minutes of the time of the system
disruption. Complete information may not be available at the time of the disruption. However,
provide as much information as is known or suspected at the time of the initial filing. If the
incident is having a critical impact on operations, a telephone notification to the DOE Operations
Center (202-586-8100) is acceptable, pending submission of the completed form EIA-417.
Electronic submission via an on-line web-based form is the preferred method of notification.
However, electronic submission by facsimile or email is acceptable.
An updated form EIA-417 (Schedule 1 and 2) is due within 48 hours of the event to provide
complete disruption information. Electronic submission via facsimile or email is the preferred
method of notification. Detailed DOE Incident and Disturbance reporting requirements can be
found at: http://www.eia.doe.gov/cneaf/electricity/page/form_417.html.
Table 1-EOP-004-0
Summary of NERC and DOE Reporting Requirements for Major Electric System
Emergencies
Incident No. | Incident | Threshold | Report Required | Time
1 | Uncontrolled loss of Firm System Load | ≥ 300 MW – 15 minutes or more | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
2 | Load Shedding | ≥ 100 MW under emergency operational policy | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
3 | Voltage Reductions | 3% or more – applied system-wide | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
4 | Public Appeals | Emergency conditions to reduce demand | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
5 | Physical sabotage, terrorism or vandalism | On physical security systems – suspected or real | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
6 | Cyber sabotage, terrorism or vandalism | If the attempt is believed to have or did happen | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
7 | Fuel supply emergencies | Fuel inventory or hydro storage levels ≤ 50% of normal | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
8 | Loss of electric service | ≥ 50,000 for 1 hour or more | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
9 | Complete operation failure of electrical system | If isolated or interconnected electrical systems suffer total electrical system collapse | EIA – Sch-1 / EIA – Sch-2 | 1 hour / 48 hour
All DOE EIA-417 Schedule 1 reports are to be filed within 60-minutes after the start of an
incident or disturbance
All DOE EIA-417 Schedule 2 reports are to be filed within 48-hours after the start of an
incident or disturbance
All entities required to file a DOE EIA-417 report (Schedule 1 & 2) shall send a copy of these
reports to NERC simultaneously, but no later than 24 hours after the start of the incident or
disturbance.
Incident No. | Incident | Threshold | Report Required | Time
1 | Loss of major system component | Significantly affects integrity of interconnected system operations | NERC Prelim / Final report | 24 hour / 60 day
2 | Interconnected system separation or system islanding | Total system shutdown; Partial shutdown, separation, or islanding | NERC Prelim / Final report | 24 hour / 60 day
3 | Loss of generation | ≥ 2,000 – Eastern Interconnection; ≥ 2,000 – Western Interconnection; ≥ 1,000 – ERCOT Interconnection | NERC Prelim / Final report | 24 hour / 60 day
4 | Loss of firm load ≥15-minutes | Entities with peak demand ≥3,000: loss ≥300 MW; All others ≥200MW or 50% of total demand | NERC Prelim / Final report | 24 hour / 60 day
5 | Firm load shedding | ≥100 MW to maintain continuity of bulk system | NERC Prelim / Final report | 24 hour / 60 day
6 | System operation or operation actions resulting in: | • Voltage excursions ≥10% • Major damage to system components • Failure, degradation, or misoperation of SPS | NERC Prelim / Final report | 24 hour / 60 day
7 | IROL violation | Reliability standard TOP-007. | NERC Prelim / Final report | 72 hour / 60 day
8 | As requested by ORS Chairman | Due to nature of disturbance & usefulness to industry (lessons learned) | NERC Prelim / Final report | 24 hour / 60 day
All NERC Operating Security Limit and Preliminary Disturbance reports will be filed within 24
hours after the start of the incident. If an entity must file a DOE EIA-417 report on an incident,
which requires a NERC Preliminary report, the Entity may use the DOE EIA-417 form for both
DOE and NERC reports.
Any entity reporting a DOE or NERC incident or disturbance has the responsibility to also
notify its Regional Reliability Organization.
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Ballot Windows Now Open: Successive Ballot and Non-binding
Poll: May 15 – May 24, 2012
Now Available
A successive ballot of EOP-004-2 – Event Reporting and a non-binding poll of the associated VRFs
and VSLs is open May 15, 2012 through 8 p.m. Eastern on Thursday, May 24, 2012.
The following documents have been posted for stakeholder review and comment:
• EOP-004-2 (clean and redline showing changes to the last posting)
• Implementation Plan (clean and redline showing changes to the last posting)
• Consideration of Comments Report – Provides a summary of the modifications made to the
proposed standard and supporting documents based on comments submitted during the
formal comment period that ended December 12, 2011
• Mapping Document - Identifies each requirement in the two already-approved standards that
are being consolidated into EOP-004-2 (EOP-004-1 and CIP-001-2a), and identifies how the
requirement has been treated in the proposed Draft 4 of EOP-004-2
• VRF/VSL Justification – Explains how the VRFs and VSLs the drafting team has proposed for
EOP-004-2 comply with guidelines that FERC and NERC have established for VRFs and VSLs
• Unofficial comment form in Word format for informal use when compiling responses – the
final must be submitted electronically
Instructions
Members of the ballot pools associated with this project may log in and submit their vote for the
Standard and opinion in the non-binding poll of the associated VRFs and VSLs by clicking here.
Due to modifications to NERC’s balloting software, voters will no longer be able to submit
comments via the balloting software.
Next Steps
The drafting team will consider all comments submitted during this formal comment and ballot
period to determine whether to make additional revisions to the standard.
Background
Stakeholders have indicated that identifying potential acts of “sabotage” is difficult to do in real
time, and additional clarity is needed to identify thresholds for reporting potential acts of
sabotage in CIP-001-1. Stakeholders have also reported that EOP-004-1 has some requirements
that reference out-of-date Department of Energy forms, making the requirements ambiguous.
EOP-004-1 also has some ‘fill-in-the-blank’ components to eliminate.
This project combines CIP-001-1 and EOP-004-1 into a single standard, EOP-004-2, that requires
after-the-fact reporting of various types of events.
Additional information is available on the project webpage.
A stakeholder interested in following the Disturbance and Sabotage Reporting Drafting Team’s
development of EOP-004-2 may monitor meeting agendas and notes on the team’s “Related Files”
web page or may submit a request to join the team’s “plus” email list to receive meeting agendas
and meeting notes as they are distributed to the team. To join the team’s “plus” email list, send
an email request to: sarcomm@nerc.net. Please indicate the drafting team’s name in the subject
line of the email.
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development
process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 404-446-2560.
North American Electric Reliability Corporation
3353 Peachtree Rd.NE
Suite 600, North Tower
Atlanta, GA 30326
404-446-2560 | www.nerc.com
Standards Announcement: Project 2009-01 DSR
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Formal Comment Period Open: April 25 – May 24, 2012
Ballot Windows Open: Successive Ballot and Non-binding
Poll: May 15 – May 24, 2012
Now Available
EOP-004-2 – Event Reporting (clean and redline showing changes to the last posting), an
implementation plan (clean and redline to the last posting), and several associated documents
(listed below) have been posted for a formal comment period and successive ballot and
non-binding poll of associated VRFs and VSLs that will end at 8 p.m. Eastern on Thursday, May 24,
2012.
The following associated documents have been posted for stakeholder review and comment:
• Consideration of Comments Report – Provides a summary of the modifications made to the
proposed standard and supporting documents based on comments submitted during the
formal comment period that ended December 12, 2011
• Mapping Document – Identifies each requirement in the two already-approved standards that
are being consolidated into EOP-004-2 (EOP-004-1 and CIP-001-2a), and identifies how the
requirement has been treated in the proposed Draft 4 of EOP-004-2
• VRF/VSL Justification – Explains how the VRFs and VSLs the drafting team has proposed for
EOP-004-2 comply with guidelines that FERC and NERC have established for VRFs and VSLs
• Unofficial comment form in Word format – This is for informal use when compiling responses
– the final must be submitted electronically
Instructions
All members of the ballot pool must cast a new ballot since the votes and comments from the last
ballot will not be carried over. In addition, members of the ballot pool will need to cast a new
opinion on the VRFs and VSLs. Members of the ballot pools associated with this project may log in
and submit their vote for the Standard and non-binding poll of the associated VRFs and VSLs by
clicking here.
Special Instructions for Submitting Comments with a Ballot
Please note that comments submitted during the formal comment period, the ballot and the
non-binding poll use the same electronic form. Therefore, it is NOT necessary for ballot pool members
to submit more than one set of comments. Companies or entities with representatives in multiple
segments of the ballot pool may submit a single set of comments by identifying themselves as a
“group” on the comment form. Likewise, it is preferable for a group of separate entities that
develop comments jointly to submit the comments as a “group.” The drafting team requests
that all stakeholders (ballot pool members as well as other stakeholders) submit all comments
through the electronic comment form, and that companies in multiple segments as well as
individual entities that develop joint comments with other entities submit their comments as a
“group,” with the list of group members and their associated Industry Segments.
Next Steps
A successive ballot and non-binding poll of the associated VRFs and VSLs of EOP-004-2 will be
conducted beginning on Tuesday, May 15, 2012 through 8 p.m. Eastern on Thursday, May 24,
2012.
Background
Stakeholders have indicated that identifying potential acts of “sabotage” is difficult to do in real
time, and additional clarity is needed to identify thresholds for reporting potential acts of
sabotage in CIP-001-1. Stakeholders have also reported that EOP-004-1 has some requirements
that reference out-of-date Department of Energy forms, making the requirements ambiguous.
EOP-004-1 also has some ‘fill-in-the-blank’ components to eliminate.
The project will include addressing previously identified stakeholder concerns and FERC directives;
will bring the standards into conformance with the latest approved version of the ERO Rules of
Procedure; and may include other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient bulk power system reliability standards.
Additional information is available on the project webpage.
A stakeholder interested in following the Disturbance and Sabotage Reporting Drafting Team’s
development of EOP-004-2 may monitor meeting agendas and notes on the team’s “Related Files”
webpage or may submit a request to join the team’s “plus” email list to receive meeting agendas
and meeting notes as they are distributed to the team. To join the team’s “plus” email list, send
an email request to: sarcomm@nerc.net. Please indicate the drafting team’s name in the subject
line of the email.
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development
process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 404-446-2560.
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Successive Ballot Results
Now Available
A successive ballot of EOP-004-2 – Event Reporting, and non-binding polls of the associated VRFs and
VSLs, concluded on Thursday, May 24, 2012. Voting statistics are listed below, and the Ballot Results
page provides a link to the detailed results.
Successive Ballot Results for Project 2009-01
Ballot Results: Quorum: 84.43%; Approval: 46.18%
Non-binding Poll Results: Quorum: 79.95%; Supportive Opinions: 52.67%
Next Steps
The drafting team will consider all comments submitted during the comment period and ballot, and
based on the comments will determine whether to make additional changes.
Background
EOP-004-2 – Event Reporting consolidates requirements from CIP-001-2a – Sabotage Report and
EOP-004-1 – Disturbance Reporting.
Standards Development Process
The Standards Processes Manual contains all the procedures governing the standards development
process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 404-446-2560.
NERC Standards
Ballot Results
Ballot Name: Project 2009-01 Disturbance and Sabotage Reporting EOP-004-2 _in
Ballot Period: 5/15/2012 - 5/24/2012
Ballot Type: Initial
Total # Votes: 358
Total Ballot Pool: 424
Quorum: 84.43 % The Quorum has been reached
Weighted Segment Vote: 46.18 %
Ballot Results: The standard will proceed to recirculation ballot.
Summary of Ballot Results

Segment           Ballot  Segment  Affirmative  Affirmative  Negative  Negative  Abstain  No
                  Pool    Weight   # Votes      Fraction     # Votes   Fraction  # Votes  Vote
1 - Segment 1.    104     1        41           0.5          41        0.5       6        16
2 - Segment 2.    11      0.9      2            0.2          7         0.7       2        0
3 - Segment 3.    108     1        35           0.393        54        0.607     6        13
4 - Segment 4.    37      1        15           0.484        16        0.516     2        4
5 - Segment 5.    91      1        39           0.574        29        0.426     7        16
6 - Segment 6.    53      1        18           0.474        20        0.526     3        12
7 - Segment 7.    0       0        0            0            0         0         0        0
8 - Segment 8.    8       0.6      4            0.4          2         0.2       0        2
9 - Segment 9.    4       0.2      0            0            2         0.2       1        1
10 - Segment 10.  8       0.5      3            0.3          2         0.2       1        2
Totals            424     7.2      157          3.325        173       3.875     28       66
Individual Ballot Pool Results
Segment
1
1
1
1
1
1
1
1
Organization
Ameren Services
American Electric Power
American Transmission Company, LLC
Arizona Public Service Co.
Associated Electric Cooperative, Inc.
Austin Energy
Avista Corp.
Balancing Authority of Northern California
Member
Ballot
Kirit Shah
Paul B. Johnson
Andrew Z Pusztai
Robert Smith
John Bussman
James Armke
Scott J Kinney
Kevin Smith
https://standards.nerc.net/BallotResults.aspx?BallotGUID=b54d543e-5de4-49ab-8356-cb983ee6a624[5/25/2012 12:51:59 PM]
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Comments
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Baltimore Gas & Electric Company
BC Hydro and Power Authority
Beaches Energy Services
Black Hills Corp
Bonneville Power Administration
Brazos Electric Power Cooperative, Inc.
CenterPoint Energy Houston Electric, LLC
Central Maine Power Company
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma Power
Clark Public Utilities
Colorado Springs Utilities
Consolidated Edison Co. of New York
CPS Energy
Dairyland Power Coop.
Dayton Power & Light Co.
Deseret Power
Dominion Virginia Power
Duke Energy Carolina
East Kentucky Power Coop.
Empire District Electric Co.
Entergy Services, Inc.
FirstEnergy Corp.
Florida Keys Electric Cooperative Assoc.
Florida Power & Light Co.
Gainesville Regional Utilities
Georgia Transmission Corporation
Grand River Dam Authority
Great River Energy
Hoosier Energy Rural Electric Cooperative,
Inc.
Hydro One Networks, Inc.
Hydro-Quebec TransEnergie
Idaho Power Company
Imperial Irrigation District
International Transmission Company Holdings
Corp
JEA
Kansas City Power & Light Co.
Keys Energy Services
Lakeland Electric
Lee County Electric Cooperative
Lincoln Electric System
Los Angeles Department of Water & Power
Lower Colorado River Authority
Manitoba Hydro
MEAG Power
MidAmerican Energy Co.
Minnkota Power Coop. Inc.
National Grid
Nebraska Public Power District
New Brunswick Power Transmission
Corporation
New York Power Authority
New York State Electric & Gas Corp.
Northeast Utilities
Northern Indiana Public Service Co.
NorthWestern Energy
Ohio Valley Electric Corp.
Oklahoma Gas and Electric Co.
Omaha Public Power District
Oncor Electric Delivery
Orlando Utilities Commission
PacifiCorp
PECO Energy
Platte River Power Authority
Portland General Electric Co.
Potomac Electric Power Co.
Gregory S Miller
Patricia Robertson
Joseph S Stonecipher
Eric Egge
Donald S. Watkins
Tony Kroskey
John Brockhan
Joseph Turano Jr.
Abstain
Negative
Negative
Chang G Choi
Negative
Jack Stamper
Paul Morland
Christopher L de Graffenried
Richard Castrejana
Robert W. Roddy
Hertzel Shamash
James Tucker
Michael S Crowley
Douglas E. Hils
George S. Carruba
Ralph F Meyer
Edward J Davis
William J Smith
Dennis Minton
Mike O'Neil
Luther E. Fair
Jason Snodgrass
James M Stafford
Gordon Pietsch
Negative
Negative
Negative
Negative
Negative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Negative
Abstain
Affirmative
Negative
Affirmative
Affirmative
Negative
Negative
Negative
Bob Solomon
Negative
Ajay Garg
Bernard Pelletier
Ronald D Schellberg
Tino Zaragoza
Negative
Affirmative
Michael Moltane
Affirmative
Ted Hobson
Michael Gammon
Stanley T Rzad
Larry E Watt
John W Delucca
Doug Bantam
Ly M Le
Martyn Turner
Joe D Petaski
Danny Dees
Terry Harbour
Richard Burt
Saurabh Saksena
Cole C Brodine
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Negative
Randy MacDonald
Arnold J. Schuff
Raymond P Kinney
David Boguslawski
Kevin M Largura
John Canavan
Robert Mattey
Marvin E VanBebber
Doug Peterchuck
Brenda Pulis
Brad Chase
Ryan Millard
Ronald Schloendorn
John C. Collins
John T Walker
David Thorne
Affirmative
Abstain
Negative
Affirmative
Affirmative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
PowerSouth Energy Cooperative
PPL Electric Utilities Corp.
Progress Energy Carolinas
Public Service Company of New Mexico
Public Service Electric and Gas Co.
Public Utility District No. 1 of Okanogan
County
Public Utility District No. 2 of Grant County
Puget Sound Energy, Inc.
Raj Rana
Rochester Gas and Electric Corp.
Sacramento Municipal Utility District
Salmon River Electric Cooperative
Salt River Project
Santee Cooper
SCE&G
Seattle City Light
Sho-Me Power Electric Cooperative
Sierra Pacific Power Co.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Services, Inc.
Southern Illinois Power Coop.
Southwest Transmission Cooperative, Inc.
Sunflower Electric Power Corporation
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Tucson Electric Power Co.
United Illuminating Co.
Westar Energy
Western Area Power Administration
Xcel Energy, Inc.
Alberta Electric System Operator
2
BC Hydro
2
2
2
2
2
2
2
2
2
3
3
3
3
3
3
3
3
3
3
3
3
California ISO
Electric Reliability Council of Texas, Inc.
Independent Electricity System Operator
ISO New England, Inc.
Midwest ISO, Inc.
New Brunswick System Operator
New York Independent System Operator
PJM Interconnection, L.L.C.
Southwest Power Pool, Inc.
AEP
Alabama Power Company
Alameda Municipal Power
Ameren Services
American Public Power Association
Anaheim Public Utilities Dept.
APS
Arkansas Electric Cooperative Corporation
Atlantic City Electric Company
BC Hydro and Power Authority
Blachly-Lane Electric Co-op
Bonneville Power Administration
Central Electric Cooperative, Inc. (Redmond,
Oregon)
Central Lincoln PUD
City of Alexandria
City of Austin dba Austin Energy
City of Bartow, Florida
City of Clewiston
City of Farmington
City of Garland
City of Green Cove Springs
City of Palo Alto
3
3
3
3
3
3
3
3
3
3
Larry D Avery
Brenda L Truhe
Brett A Koelsch
Laurie Williams
Kenneth D. Brown
Negative
Affirmative
Negative
Affirmative
Negative
Dale Dunckel
Affirmative
Kyle M. Hussey
Denise M Lietz
Rajendrasinh D Rana
John C. Allen
Tim Kelley
Kathryn Spence
Robert Kondziolka
Terry L Blackwell
Henry Delk, Jr.
Pawel Krupa
Denise Stevens
Rich Salgo
Long T Duong
Steven Mavis
Robert A. Schaffeld
William Hutchison
James Jones
Noman Lee Williams
Beth Young
Larry Akens
Tracy Sliman
John Tolo
Jonathan Appelbaum
Allen Klassen
Brandy A Dunn
Gregory L Pieper
Mark B Thompson
Venkataramakrishnan
Vinnakota
Rich Vine
Charles B Manning
Barbara Constantinescu
Kathleen Goodman
Marie Knox
Alden Briggs
Gregory Campoli
Tom Bowe
Charles H. Yeung
Michael E Deloach
Richard J. Mandes
Douglas Draeger
Mark Peters
Nathan Mitchell
Kelly Nguyen
Steven Norris
Philip Huff
NICOLE BUCKMAN
Pat G. Harrington
Bud Tracy
Rebecca Berdahl
Negative
Abstain
Negative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Abstain
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Abstain
Affirmative
Negative
Negative
Negative
Affirmative
Negative
Affirmative
Negative
Negative
Abstain
Affirmative
Negative
Negative
Negative
Abstain
Negative
Negative
Negative
Negative
Affirmative
Negative
Abstain
Affirmative
Negative
Affirmative
Negative
Negative
Negative
Dave Markham
Negative
Steve Alexanderson
Michael Marcotte
Andrew Gallo
Matt Culverhouse
Lynne Mila
Linda R Jacobson
Ronnie C Hoeinghaus
Gregg R Griffin
Eric R Scott
Negative
Affirmative
Abstain
Negative
Negative
Affirmative
Affirmative
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
City of Redding
Clatskanie People's Utility District
Clearwater Power Co.
Cleco Corporation
Colorado Springs Utilities
ComEd
Consolidated Edison Co. of New York
Constellation Energy
Consumers Energy
Consumers Power Inc.
Coos-Curry Electric Cooperative, Inc
Cowlitz County PUD
CPS Energy
Delmarva Power & Light Co.
Detroit Edison Company
Dominion Resources Services
Duke Energy Carolina
Entergy
Fall River Rural Electric Cooperative
FirstEnergy Energy Delivery
Florida Municipal Power Agency
Florida Power Corporation
Georgia Power Company
Georgia Systems Operations Corporation
Grays Harbor PUD
Great River Energy
Gulf Power Company
Hydro One Networks, Inc.
Imperial Irrigation District
JEA
Kansas City Power & Light Co.
Kissimmee Utility Authority
Kootenai Electric Cooperative
Lakeland Electric
Lane Electric Cooperative, Inc.
Lincoln Electric System
Los Angeles Department of Water & Power
Louisville Gas and Electric Co.
Manitoba Hydro
Manitowoc Public Utilities
MidAmerican Energy Co.
Mississippi Power
Modesto Irrigation District
Municipal Electric Authority of Georgia
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
Niagara Mohawk (National Grid Company)
North Carolina Electric Membership Corp.
Northern Indiana Public Service Co.
Northern Lights Inc.
Ocala Electric Utility
Old Dominion Electric Coop.
Orange and Rockland Utilities, Inc.
Orlando Utilities Commission
Owensboro Municipal Utilities
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
PNM Resources
Potomac Electric Power Co.
Progress Energy Carolinas
Public Service Electric and Gas Co.
Public Utility District No. 1 of Benton County
Public Utility District No. 1 of Clallam County
Puget Sound Energy, Inc.
Raft River Rural Electric Cooperative
Bill Hughes
Brian Fawcett
Dave Hagen
Michelle A Corley
Charles Morgan
Bruce Krawczyk
Peter T Yost
CJ Ingersoll
Richard Blumenstock
Roman Gillen
Roger Meader
Russell A Noble
Jose Escamilla
Michael R. Mayer
Kent Kujala
Michael F. Gildea
Henry Ernst-Jr
Joel T Plessinger
Bryan Case
Stephan Kern
Joe McKinney
Lee Schuster
Anthony L Wilson
William N. Phinney
Wesley W Gray
Brian Glover
Paul C Caldwell
David Kiguel
Jesus S. Alcaraz
Garry Baker
Charles Locke
Gregory D Woessner
Dave Kahly
Norman D Harryhill
Rick Crinklaw
Jason Fortik
Daniel D Kurowski
Charles A. Freibert
Greg C. Parent
Thomas E Reed
Thomas C. Mielnik
Jeff Franklin
Jack W Savage
Steven M. Jackson
John S Bos
Tony Eddleman
Marilyn Brown
Michael Schiavone
Doug White
William SeDoris
Jon Shelby
David Anderson
Bill Watson
David Burke
Ballard K Mutters
Thomas T Lyons
John H Hagen
Dan Zollner
Terry L Baker
Michael Mertz
Robert Reuter
Sam Waters
Jeffrey Mueller
Gloria Bender
David Proebstel
Erin Apperson
Heber Carpenter
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Abstain
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Negative
Affirmative
Negative
Negative
Negative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Negative
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Affirmative
Negative
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
5
5
5
5
5
5
5
5
5
Rutherford EMC
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South Carolina Electric & Gas Co.
Southern California Edison Co.
Southern Maryland Electric Coop.
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Umatilla Electric Cooperative
Westar Energy
Wisconsin Electric Power Marketing
Wisconsin Public Service Corp.
Xcel Energy, Inc.
Alliant Energy Corp. Services, Inc.
American Municipal Power
Arkansas Electric Cooperative Corporation
Blue Ridge Power Agency
Central Lincoln PUD
City of Austin dba Austin Energy
City of Clewiston
City of New Smyrna Beach Utilities
Commission
City of Redding
City Utilities of Springfield, Missouri
Consumers Energy
Cowlitz County PUD
Detroit Edison Company
Flathead Electric Cooperative
Florida Municipal Power Agency
Fort Pierce Utilities Authority
Georgia System Operations Corporation
Illinois Municipal Electric Agency
Imperial Irrigation District
Indiana Municipal Power Agency
Integrys Energy Group, Inc.
LaGen
Madison Gas and Electric Co.
North Carolina Electric Membership Corp.
Northern California Power Agency
Ohio Edison Company
Oklahoma Municipal Power Authority
Pacific Northwest Generating Cooperative
Public Utility District No. 1 of Douglas County
Public Utility District No. 1 of Snohomish
County
Sacramento Municipal Utility District
Seattle City Light
South Mississippi Electric Power Association
Tacoma Public Utilities
West Oregon Electric Cooperative, Inc.
White River Electric Association Inc.
Wisconsin Energy Corp.
AEP Service Corp.
AES Corporation
Amerenue
Arizona Public Service Co.
Avista Corp.
BC Hydro and Power Authority
Black Hills Corp
Boise-Kuna Irrigation District/dba Lucky peak
power plant project
Bonneville Power Administration
Thomas M Haire
James Leigh-Kendall
John T. Underhill
James M Poston
Dana Wheelock
James R Frauen
Mark Oens
Hubert C Young
David B Coher
Mark R Jones
Travis Metcalfe
Ronald L. Donahey
Ian S Grant
Janelle Marriott
Steve Eldrige
Bo Jones
James R Keller
Gregory J Le Grave
Michael Ibold
Kenneth Goldsmith
Kevin Koloini
Ronnie Frizzell
Duane S Dahlquist
Shamus J Gamache
Reza Ebrahimian
Kevin McCarthy
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Abstain
Negative
Negative
Affirmative
Abstain
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Affirmative
Negative
Tim Beyrle
Nicholas Zettel
John Allen
David Frank Ronk
Rick Syring
Daniel Herring
Russ Schneider
Frank Gaffney
Thomas Richards
Guy Andrews
Bob C. Thomas
Diana U Torres
Jack Alvey
Christopher Plante
Richard Comeaux
Joseph DePoorter
Bob Beadle
Tracy R Bibb
Douglas Hohlbaugh
Ashley Stringer
Aleka K Scott
Henry E. LuBean
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Negative
Abstain
Abstain
Affirmative
Negative
Affirmative
Affirmative
Negative
Negative
Affirmative
John D Martinsen
Affirmative
Mike Ramirez
Hao Li
Steven McElhaney
Keith Morisette
Marc M Farmer
Frank L. Sampson
Anthony Jankowski
Brock Ondayko
Leo Bernier
Sam Dwyer
Edward Cambridge
Edward F. Groce
Clement Ma
George Tatar
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Negative
Affirmative
Affirmative
Negative
Affirmative
Mike D Kukla
Negative
Francis J. Halpin
Negative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
BrightSource Energy, Inc.
Caithness Long Island, LLC
Chelan County Public Utility District #1
City and County of San Francisco
City of Austin dba Austin Energy
City of Redding
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma Power
City of Tallahassee
City Water, Light & Power of Springfield
Cogentrix Energy, Inc.
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Power Source Generation, Inc.
Consumers Energy Company
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources, Inc.
Duke Energy
Dynegy Inc.
E.ON Climate & Renewables North America,
LLC
Edison Mission Energy
Electric Power Supply Association
Exelon Nuclear
ExxonMobil Research and Engineering
FirstEnergy Solutions
Florida Municipal Power Agency
Great River Energy
Green Country Energy
Imperial Irrigation District
Indeck Energy Services, Inc.
JEA
Kissimmee Utility Authority
Lakeland Electric
Liberty Electric Power LLC
Lincoln Electric System
Los Angeles Department of Water & Power
Lower Colorado River Authority
Luminant Generation Company LLC
Manitoba Hydro
Massachusetts Municipal Wholesale Electric
Company
MEAG Power
MidAmerican Energy Co.
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
NextEra Energy
North Carolina Electric Membership Corp.
Northern California Power Agency
Northern Indiana Public Service Co.
Occidental Chemical
Omaha Public Power District
Orlando Utilities Commission
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Generation LLC
Progress Energy Carolinas
PSEG Fossil LLC
Public Utility District No. 1 of Lewis County
Puget Sound Energy, Inc.
Sacramento Municipal Utility District
Salt River Project
Chifong Thomas
Jason M Moore
John Yale
Daniel Mason
Jeanie Doty
Paul Cummings
Max Emrick
Brian Horton
Steve Rose
Mike D Hirst
Jennifer Eckels
Wilket (Jack) Ng
Amir Y Hammad
David C Greyerbiehl
Bob Essex
Robert Stevens
Christy Wicke
Mike Garton
Dale Q Goodwine
Dan Roethemeyer
Abstain
Abstain
Abstain
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Negative
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Dana Showalter
Ellen Oswald
John R Cashin
Michael Korchynsky
Martin Kaufman
Kenneth Dresner
David Schumann
Preston L Walsh
Greg Froehling
Marcela Y Caballero
Rex A Roehl
John J Babik
Mike Blough
James M Howard
Daniel Duff
Dennis Florom
Kenneth Silver
Tom Foreman
Mike Laney
S N Fernando
David Gordon
Steven Grego
Christopher Schneider
Mike Avesing
Don Schmit
Gerald Mannarino
Allen D Schriver
Jeffrey S Brame
Hari Modi
William O. Thompson
Michelle R DAntuono
Mahmood Z. Safi
Richard Kinas
Richard J. Padilla
Sandra L. Shaffer
Roland Thiel
Gary L Tingley
Tim Hattaway
Annette M Bannon
Wayne Lewis
Tim Kucey
Steven Grega
Tom Flynn
Bethany Hunter
William Alkema
Abstain
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Affirmative
Negative
Affirmative
Negative
Negative
Abstain
Affirmative
Negative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Siemens PTI
Snohomish County PUD No. 1
South Mississippi Electric Power Association
Southern California Edison Co.
Southern Company Generation
Tampa Electric Co.
Tenaska, Inc.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
U.S. Army Corps of Engineers
Vandolah Power Company L.L.C.
Wisconsin Electric Power Co.
Wisconsin Public Service Corp.
Xcel Energy, Inc.
ACES Power Marketing
AEP Marketing
Ameren Energy Marketing Co.
APS
Arkansas Electric Cooperative Corporation
Bonneville Power Administration
City of Austin dba Austin Energy
City of Redding
Cleco Power LLC
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Energy Commodities Group
Dominion Resources, Inc.
Duke Energy Carolina
Entergy Services, Inc.
Exelon Power Team
FirstEnergy Solutions
Florida Municipal Power Agency
Florida Municipal Power Pool
Florida Power & Light Co.
Imperial Irrigation District
Kansas City Power & Light Co.
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water & Power
Luminant Energy
Manitoba Hydro
MidAmerican Energy Co.
New York Power Authority
North Carolina Municipal Power Agency #1
Northern Indiana Public Service Co.
Omaha Public Power District
Orlando Utilities Commission
PacifiCorp
Platte River Power Authority
PPL EnergyPlus LLC
Progress Energy
PSEG Energy Resources & Trade LLC
Public Utility District No. 1 of Chelan County
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Generation and Energy
Marketing
Tacoma Public Utilities
Tampa Electric Co.
Lewis P Pierce
Michael J. Haynes
Brenda K. Atkins
Edwin Cano
Sam Nietfeld
Jerry W Johnson
Denise Yaffe
William D Shultz
RJames Rocha
Scott M. Helyer
David Thompson
Barry Ingold
Melissa Kurtz
Douglas A. Jensen
Linda Horn
Leonard Rentmeester
Liam Noailles
Jason L Marshall
Edward P. Cox
Jennifer Richardson
RANDY A YOUNG
Keith Sugg
Brenda S. Anderson
Lisa L Martin
Marvin Briggs
Robert Hirchak
Lisa C Rosintoski
Nickesha P Carrol
Brenda L Powell
Louis S. Slade
Walter Yeager
Terri F Benoit
Pulin Shah
Kevin Querry
Richard L. Montgomery
Thomas Washburn
Silvia P. Mitchell
Cathy Bretz
Jessica L Klinghoffer
Paul Shipps
Eric Ruskamp
Brad Packer
Brad Jones
Daniel Prowse
Dennis Kimm
William Palazzo
Matthew Schull
Joseph O'Brien
David Ried
Claston Augustus Sunanon
Scott L Smith
Carol Ballantine
Mark A Heimbach
John T Sturgeon
Peter Dolan
Hugh A. Owen
Diane Enderby
Steven J Hulet
Michael Brown
Dennis Sismaet
Trudy S. Novak
William T Moojen
Lujuanna Medina
John J. Ciza
Michael C Hill
Benjamin F Smith II
Negative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Abstain
Affirmative
Negative
Negative
Abstain
Negative
Negative
Affirmative
Negative
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Abstain
Affirmative
Negative
Negative
Negative
Affirmative
Negative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Affirmative
Negative
6
6
6
6
8
8
8
8
8
8
8
8
9
9
9
9
10
10
10
10
10
10
10
10
Tennessee Valley Authority
Westar Energy
Western Area Power Administration - UGP
Marketing
Xcel Energy, Inc.
JDRJC Associates
Pacific Northwest Generating Cooperative
Power Energy Group LLC
Utility Services, Inc.
Volkmann Consulting, Inc.
California Energy Commission
Commonwealth of Massachusetts Department
of Public Utilities
National Association of Regulatory Utility
Commissioners
New York State Department of Public Service
Midwest Reliability Organization
New York State Reliability Council
Northeast Power Coordinating Council
ReliabilityFirst Corporation
SERC Reliability Corporation
Southwest Power Pool RE
Texas Reliability Entity, Inc.
Western Electricity Coordinating Council
Marjorie S. Parsons
Grant L Wilkerson
Abstain
Negative
Peter H Kinney
Affirmative
David F. Lemmons
Edward C Stein
Roger C Zaklukiewicz
James A Maenner
Jim Cyrulewski
Margaret Ryan
Peggy Abbadini
Brian Evans-Mongeon
Terry Volkmann
William M Chamberlain
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Negative
Abstain
Donald Nelson
Negative
Diane J. Barney
Negative
Thomas Dvorsky
James D Burley
Alan Adamson
Guy V. Zito
Anthony E Jablonski
Carter B. Edge
Emily Pennel
Donald G Jones
Steven L. Rueckert
Negative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Non-binding Poll Results
Project 2009-01: Disturbance and Sabotage Reporting
Non-binding Poll Name: Project 2009-01 DSR Non-binding Poll
Poll Period: 5/15/2012 - 5/24/2012
Total # Opinions: 315
Total Ballot Pool: 394
Summary Results: 79.95% of those who registered to participate provided an opinion or an abstention; 52.67% of those who provided an opinion indicated support for the VRFs and VSLs.
Individual Ballot Pool Results
Segment
Organization
1
1
1
1
1
1
Ameren Services
American Electric Power
American Transmission Company, LLC
Arizona Public Service Co.
Associated Electric Cooperative, Inc.
Avista Corp.
Balancing Authority of Northern
California
Baltimore Gas & Electric Company
BC Hydro and Power Authority
Beaches Energy Services
Black Hills Corp
Bonneville Power Administration
Brazos Electric Power Cooperative, Inc.
CenterPoint Energy Houston Electric, LLC
Central Maine Power Company
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma
Power
Clark Public Utilities
Colorado Springs Utilities
Consolidated Edison Co. of New York
CPS Energy
Dairyland Power Coop.
Dayton Power & Light Co.
Deseret Power
Dominion Virginia Power
Duke Energy Carolina
East Kentucky Power Coop.
Empire District Electric Co.
Entergy Services, Inc.
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Non-binding Poll Results: Project 2009-01
Member
Kirit Shah
Paul B. Johnson
Andrew Z Pusztai
Robert Smith
John Bussman
Scott J Kinney
Kevin Smith
Opinions
Negative
Abstain
Affirmative
Affirmative
Affirmative
Abstain
Gregory S Miller
Patricia Robertson
Joseph S Stonecipher
Eric Egge
Donald S. Watkins
Tony Kroskey
John Brockhan
Joseph Turano Jr.
Abstain
Abstain
Negative
Chang G Choi
Negative
Jack Stamper
Paul Morland
Christopher L de Graffenried
Richard Castrejana
Robert W. Roddy
Hertzel Shamash
James Tucker
Michael S Crowley
Douglas E. Hils
George S. Carruba
Ralph F Meyer
Edward J Davis
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Abstain
Abstain
Negative
Abstain
Affirmative
Negative
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
FirstEnergy Corp.
Florida Keys Electric Cooperative Assoc.
Florida Power & Light Co.
Gainesville Regional Utilities
Georgia Transmission Corporation
Grand River Dam Authority
Great River Energy
Hoosier Energy Rural Electric
Cooperative, Inc.
Hydro One Networks, Inc.
Hydro-Quebec TransEnergie
Idaho Power Company
Imperial Irrigation District
International Transmission Company
Holdings Corp
JEA
Kansas City Power & Light Co.
Keys Energy Services
Lakeland Electric
Lee County Electric Cooperative
Lincoln Electric System
Los Angeles Department of Water &
Power
Lower Colorado River Authority
Manitoba Hydro
MEAG Power
MidAmerican Energy Co.
Minnkota Power Coop. Inc.
National Grid
Nebraska Public Power District
New Brunswick Power Transmission
Corporation
New York Power Authority
New York State Electric & Gas Corp.
Northeast Utilities
Northern Indiana Public Service Co.
NorthWestern Energy
Ohio Valley Electric Corp.
Oklahoma Gas and Electric Co.
Omaha Public Power District
Oncor Electric Delivery
Orlando Utilities Commission
PacifiCorp
PECO Energy
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Electric Utilities Corp.
William J Smith
Dennis Minton
Mike O'Neil
Luther E. Fair
Jason Snodgrass
James M Stafford
Gordon Pietsch
Bob Solomon
Ajay Garg
Bernard Pelletier
Ronald D. Schellberg
Tino Zaragoza
Michael Moltane
Ted Hobson
Michael Gammon
Stanley T Rzad
Larry E Watt
John W Delucca
Doug Bantam
Affirmative
Affirmative
Negative
Abstain
Negative
Abstain
Negative
Affirmative
Abstain
Affirmative
Affirmative
Affirmative
Ly M Le
Martyn Turner
Joe D Petaski
Danny Dees
Terry Harbour
Richard Burt
Saurabh Saksena
Cole C Brodine
Affirmative
Negative
Affirmative
Negative
Affirmative
Negative
Randy MacDonald
Arnold J. Schuff
Raymond P Kinney
David Boguslawski
Kevin M Largura
John Canavan
Robert Mattey
Marvin E VanBebber
Doug Peterchuck
Brenda Pulis
Brad Chase
Ryan Millard
Ronald Schloendorn
John C. Collins
John T Walker
Larry D Avery
Brenda L Truhe
Affirmative
Abstain
Abstain
Affirmative
Abstain
Negative
Affirmative
Affirmative
Affirmative
Abstain
Negative
Abstain
Affirmative
Negative
Abstain
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
2
2
2
2
2
2
2
2
2
3
3
3
3
3
3
Progress Energy Carolinas
Public Service Company of New Mexico
Public Service Electric and Gas Co.
Public Utility District No. 1 of Okanogan
County
Puget Sound Energy, Inc.
Rochester Gas and Electric Corp.
Sacramento Municipal Utility District
Salmon River Electric Cooperative
Salt River Project
Santee Cooper
SCE&G
Seattle City Light
Sho-Me Power Electric Cooperative
Sierra Pacific Power Co.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Services, Inc.
Southern Illinois Power Coop.
Southwest Transmission Cooperative,
Inc.
Southwestern Power Administration
Sunflower Electric Power Corporation
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Tucson Electric Power Co.
United Illuminating Co.
Westar Energy
Western Area Power Administration
Xcel Energy, Inc.
Alberta Electric System Operator
Brett A Koelsch
Laurie Williams
Kenneth D. Brown
Dale Dunckel
Denise M Lietz
John C. Allen
Tim Kelley
Kathryn Spence
Robert Kondziolka
Terry L Blackwell
Henry Delk, Jr.
Pawel Krupa
Denise Stevens
Rich Salgo
Long T Duong
Steven Mavis
Robert A. Schaffeld
William Hutchison
Abstain
Negative
Affirmative
Abstain
Affirmative
Negative
Affirmative
Abstain
Abstain
Affirmative
Negative
Negative
Negative
James Jones
Angela L Summer
Noman Lee Williams
Beth Young
Larry Akens
Tracy Sliman
John Tolo
Jonathan Appelbaum
Allen Klassen
Brandy A Dunn
Gregory L Pieper
Mark B Thompson
BC Hydro
Venkataramakrishnan Vinnakota
California ISO
Rich Vine
Electric Reliability Council of Texas, Inc. Charles B Manning
Independent Electricity System Operator Barbara Constantinescu
Midwest ISO, Inc.
Marie Knox
New Brunswick System Operator
Alden Briggs
New York Independent System Operator Gregory Campoli
PJM Interconnection, L.L.C.
Tom Bowe
Southwest Power Pool, Inc.
Charles H. Yeung
AEP
Michael E Deloach
Alabama Power Company
Richard J. Mandes
Ameren Services
Mark Peters
Anaheim Public Utilities Dept.
Kelly Nguyen
APS
Steven Norris
Arkansas Electric Cooperative
Philip Huff
Negative
Affirmative
Abstain
Abstain
Abstain
Affirmative
Negative
Negative
Negative
Affirmative
Abstain
Abstain
Negative
Negative
Negative
Abstain
Abstain
Abstain
Abstain
Negative
Negative
Affirmative
Affirmative
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
Corporation
BC Hydro and Power Authority
Bonneville Power Administration
Central Lincoln PUD
City of Austin dba Austin Energy
City of Bartow, Florida
City of Clewiston
City of Farmington
City of Garland
City of Green Cove Springs
City of Redding
Clatskanie People's Utility District
Cleco Corporation
Colorado Springs Utilities
ComEd
Consolidated Edison Co. of New York
Constellation Energy
Consumers Energy
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources Services
Duke Energy Carolina
Entergy
FirstEnergy Energy Delivery
Florida Municipal Power Agency
Florida Power Corporation
Georgia Power Company
Georgia Systems Operations Corporation
Grays Harbor PUD
Great River Energy
Gulf Power Company
Hydro One Networks, Inc.
Imperial Irrigation District
JEA
Kansas City Power & Light Co.
Kissimmee Utility Authority
Kootenai Electric Cooperative
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water &
Power
Louisville Gas and Electric Co.
Manitoba Hydro
Manitowoc Public Utilities
MidAmerican Energy Co.
Mississippi Power
Modesto Irrigation District
Pat G. Harrington
Rebecca Berdahl
Steve Alexanderson
Andrew Gallo
Matt Culverhouse
Lynne Mila
Linda R Jacobson
Ronnie C Hoeinghaus
Gregg R Griffin
Bill Hughes
Brian Fawcett
Michelle A Corley
Charles Morgan
Bruce Krawczyk
Peter T Yost
CJ Ingersoll
Richard Blumenstock
Russell A Noble
Jose Escamilla
Kent Kujala
Michael F. Gildea
Henry Ernst-Jr
Joel T Plessinger
Stephan Kern
Joe McKinney
Lee Schuster
Anthony L Wilson
William N. Phinney
Wesley W Gray
Brian Glover
Paul C Caldwell
David Kiguel
Jesus S. Alcaraz
Garry Baker
Charles Locke
Gregory D Woessner
Dave Kahly
Norman D Harryhill
Jason Fortik
Abstain
Negative
Abstain
Affirmative
Abstain
Negative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Abstain
Negative
Affirmative
Negative
Negative
Negative
Affirmative
Negative
Negative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Daniel D Kurowski
Abstain
Charles A. Freibert
Greg C. Parent
Thomas E Reed
Thomas C. Mielnik
Jeff Franklin
Jack W Savage
Negative
Negative
Abstain
Negative
Affirmative
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
4
4
4
4
4
4
4
4
Municipal Electric Authority of Georgia
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
Niagara Mohawk (National Grid
Company)
North Carolina Electric Membership Corp.
Northern Indiana Public Service Co.
Ocala Electric Utility
Old Dominion Electric Coop.
Orange and Rockland Utilities, Inc.
Orlando Utilities Commission
Owensboro Municipal Utilities
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
PNM Resources
Potomac Electric Power Co.
Progress Energy Carolinas
Public Service Electric and Gas Co.
Public Utility District No. 1 of Clallam
County
Puget Sound Energy, Inc.
Rutherford EMC
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South Carolina Electric & Gas Co.
Southern Maryland Electric Coop.
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Westar Energy
Xcel Energy, Inc.
Alliant Energy Corp. Services, Inc.
American Municipal Power
Arkansas Electric Cooperative
Corporation
Blue Ridge Power Agency
Central Lincoln PUD
City of Austin dba Austin Energy
City of Clewiston
City of New Smyrna Beach Utilities
Commission
Steven M. Jackson
John S Bos
Tony Eddleman
Marilyn Brown
Affirmative
Negative
Abstain
Affirmative
Michael Schiavone
Affirmative
Doug White
William SeDoris
David Anderson
Bill Watson
David Burke
Ballard K Mutters
Thomas T Lyons
John H Hagen
Dan Zollner
Terry L Baker
Michael Mertz
Robert Reuter
Sam Waters
Jeffrey Mueller
Affirmative
Negative
Negative
Abstain
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Abstain
Negative
Abstain
David Proebstel
Erin Apperson
Thomas M Haire
James Leigh-Kendall
John T. Underhill
James M Poston
Dana Wheelock
James R Frauen
Mark Oens
Hubert C Young
Mark R Jones
Travis Metcalfe
Ronald L Donahey
Ian S Grant
Janelle Marriott
Bo Jones
Michael Ibold
Kenneth Goldsmith
Kevin Koloini
Ronnie Frizzell
Duane S Dahlquist
Shamus J Gamache
Reza Ebrahimian
Kevin McCarthy
Negative
Abstain
Affirmative
Negative
Affirmative
Affirmative
Abstain
Negative
Abstain
Affirmative
Negative
Abstain
Affirmative
Negative
Abstain
Affirmative
Negative
Negative
Tim Beyrle
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
City of Redding
City Utilities of Springfield, Missouri
Consumers Energy
Cowlitz County PUD
Detroit Edison Company
Flathead Electric Cooperative
Florida Municipal Power Agency
Fort Pierce Utilities Authority
Georgia System Operations Corporation
Illinois Municipal Electric Agency
Imperial Irrigation District
Indiana Municipal Power Agency
Integrys Energy Group, Inc.
LaGen
Madison Gas and Electric Co.
Northern California Power Agency
Ohio Edison Company
Public Utility District No. 1 of Douglas
County
Public Utility District No. 1 of Snohomish
County
Sacramento Municipal Utility District
Seattle City Light
South Mississippi Electric Power
Association
Tacoma Public Utilities
Wisconsin Energy Corp.
AEP Service Corp.
AES Corporation
Amerenue
Arizona Public Service Co.
Avista Corp.
BC Hydro and Power Authority
Black Hills Corp
Boise-Kuna Irrigation District/dba Lucky
peak power plant project
Bonneville Power Administration
BrightSource Energy, Inc.
Caithness Long Island, LLC
Chelan County Public Utility District #1
City and County of San Francisco
City of Austin dba Austin Energy
City of Redding
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma
Power
City of Tallahassee
City Water, Light & Power of Springfield
Cleco Power
Nicholas Zettel
John Allen
David Frank Ronk
Rick Syring
Daniel Herring
Russ Schneider
Frank Gaffney
Thomas Richards
Guy Andrews
Bob C. Thomas
Diana U Torres
Jack Alvey
Christopher Plante
Richard Comeaux
Joseph DePoorter
Tracy R Bibb
Douglas Hohlbaugh
Negative
Abstain
Affirmative
Abstain
Negative
Abstain
Abstain
Affirmative
Affirmative
Henry E. LuBean
Affirmative
John D Martinsen
Abstain
Mike Ramirez
Hao Li
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Abstain
Negative
Abstain
Affirmative
Steven McElhaney
Keith Morisette
Anthony Jankowski
Brock Ondayko
Leo Bernier
Sam Dwyer
Edward Cambridge
Edward F. Groce
Clement Ma
George Tatar
Negative
Negative
Abstain
Affirmative
Negative
Affirmative
Affirmative
Abstain
Affirmative
Mike D Kukla
Francis J. Halpin
Chifong Thomas
Jason M Moore
John Yale
Daniel Mason
Jeanie Doty
Paul Cummings
Max Emrick
Brian Horton
Steve Rose
Stephanie Huffman
Negative
Abstain
Abstain
Abstain
Abstain
Affirmative
Affirmative
Negative
Affirmative
Negative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
Cogentrix Energy, Inc.
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Power Source Generation,
Inc.
Consumers Energy Company
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources, Inc.
Duke Energy
Dynegy Inc.
E.ON Climate & Renewables North
America, LLC
Edison Mission Energy
Electric Power Supply Association
Exelon Nuclear
ExxonMobil Research and Engineering
FirstEnergy Solutions
Florida Municipal Power Agency
Gainesville Regional Utilities
Great River Energy
Green Country Energy
Imperial Irrigation District
Indeck Energy Services, Inc.
JEA
Kissimmee Utility Authority
Lakeland Electric
Liberty Electric Power LLC
Lincoln Electric System
Los Angeles Department of Water &
Power
Lower Colorado River Authority
Luminant Generation Company LLC
Manitoba Hydro
Massachusetts Municipal Wholesale
Electric Company
MEAG Power
MidAmerican Energy Co.
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
NextEra Energy
North Carolina Electric Membership Corp.
Northern California Power Agency
Northern Indiana Public Service Co.
Occidental Chemical
Omaha Public Power District
Mike D Hirst
Jennifer Eckels
Wilket (Jack) Ng
Affirmative
Affirmative
Negative
Amir Y Hammad
Abstain
David C Greyerbiehl
Bob Essex
Robert Stevens
Christy Wicke
Mike Garton
Dale Q Goodwine
Dan Roethemeyer
Affirmative
Affirmative
Abstain
Negative
Abstain
Dana Showalter
Ellen Oswald
John R Cashin
Michael Korchynsky
Martin Kaufman
Kenneth Dresner
David Schumann
Karen C Alford
Preston L Walsh
Greg Froehling
Marcela Y Caballero
Rex A Roehl
John J Babik
Mike Blough
James M Howard
Daniel Duff
Dennis Florom
Affirmative
Kenneth Silver
Affirmative
Tom Foreman
Mike Laney
S N Fernando
Affirmative
Negative
David Gordon
Abstain
Steven Grego
Christopher Schneider
Mike Avesing
Don Schmit
Gerald Mannarino
Allen D Schriver
Jeffrey S Brame
Hari Modi
William O. Thompson
Michelle R DAntuono
Mahmood Z. Safi
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Abstain
Affirmative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
Orlando Utilities Commission
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Generation LLC
Progress Energy Carolinas
PSEG Fossil LLC
Public Utility District No. 1 of Lewis
County
Puget Sound Energy, Inc.
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Siemens PTI
Snohomish County PUD No. 1
South Mississippi Electric Power
Association
Southern California Edison Co.
Southern Company Generation
Tampa Electric Co.
Tenaska, Inc.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
U.S. Army Corps of Engineers
Vandolah Power Company L.L.C.
Xcel Energy, Inc.
ACES Power Marketing
AEP Marketing
Ameren Energy Marketing Co.
APS
Arkansas Electric Cooperative
Corporation
Bonneville Power Administration
City of Austin dba Austin Energy
City of Redding
Cleco Power LLC
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Energy Commodities Group
Dominion Resources, Inc.
Duke Energy Carolina
Entergy Services, Inc.
Exelon Power Team
FirstEnergy Solutions
Richard Kinas
Richard J. Padilla
Sandra L. Shaffer
Roland Thiel
Gary L Tingley
Tim Hattaway
Annette M Bannon
Wayne Lewis
Tim Kucey
Steven Grega
Tom Flynn
Bethany Hunter
William Alkema
Lewis P Pierce
Michael J. Haynes
Brenda K. Atkins
Edwin Cano
Sam Nietfeld
Affirmative
Abstain
Abstain
Affirmative
Abstain
Affirmative
Negative
Abstain
Negative
Negative
Abstain
Affirmative
Negative
Abstain
Affirmative
Affirmative
Jerry W Johnson
Denise Yaffe
William D Shultz
RJames Rocha
Scott M. Helyer
David Thompson
Barry Ingold
Melissa Kurtz
Douglas A. Jensen
Liam Noailles
Jason L Marshall
Edward P. Cox
Jennifer Richardson
RANDY A YOUNG
Negative
Affirmative
Abstain
Abstain
Affirmative
Abstain
Abstain
Negative
Affirmative
Keith Sugg
Brenda S. Anderson
Lisa L Martin
Marvin Briggs
Robert Hirchak
Lisa C Rosintoski
Nickesha P Carrol
Brenda Powell
Louis S. Slade
Walter Yeager
Terri F Benoit
Pulin Shah
Kevin Querry
Negative
Affirmative
Affirmative
Negative
Affirmative
Negative
Abstain
Negative
Affirmative
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
8
8
8
8
8
8
8
Florida Municipal Power Agency
Florida Municipal Power Pool
Florida Power & Light Co.
Imperial Irrigation District
Kansas City Power & Light Co.
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water &
Power
Luminant Energy
Manitoba Hydro
MidAmerican Energy Co.
New York Power Authority
North Carolina Municipal Power Agency
#1
Northern Indiana Public Service Co.
Omaha Public Power District
Orlando Utilities Commission
PacifiCorp
Platte River Power Authority
PPL EnergyPlus LLC
Progress Energy
PSEG Energy Resources & Trade LLC
Public Utility District No. 1 of Chelan
County
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Generation and
Energy Marketing
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Westar Energy
Western Area Power Administration UGP Marketing
Xcel Energy, Inc.
APX
JDRJC Associates
Power Energy Group LLC
Utility Services, Inc.
Richard L. Montgomery
Thomas Washburn
Silvia P. Mitchell
Cathy Bretz
Jessica L Klinghoffer
Paul Shipps
Eric Ruskamp
Negative
Negative
Abstain
Affirmative
Negative
Affirmative
Brad Packer
Brad Jones
Daniel Prowse
Dennis Kimm
William Palazzo
Affirmative
Negative
Abstain
Affirmative
Matthew Schull
Abstain
Joseph O'Brien
David Ried
Claston Augustus Sunanon
Scott L Smith
Carol Ballantine
Mark A Heimbach
John T Sturgeon
Peter Dolan
Hugh A. Owen
Diane Enderby
Steven J Hulet
Michael Brown
Dennis Sismaet
Trudy S. Novak
William T Moojen
Lujuanna Medina
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Negative
Abstain
Abstain
Abstain
Affirmative
Negative
Affirmative
John J. Ciza
Negative
Michael C Hill
Benjamin F Smith II
Marjorie S. Parsons
Grant L Wilkerson
Abstain
Negative
Peter H Kinney
David F. Lemmons
Edward C Stein
Roger C Zaklukiewicz
James A Maenner
Michael Johnson
Jim Cyrulewski
Peggy Abbadini
Brian Evans-Mongeon
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
8
9
9
9
10
10
10
10
10
10
10
10
Volkmann Consulting, Inc.
California Energy Commission
Central Lincoln PUD
Commonwealth of Massachusetts
Department of Public Utilities
Midwest Reliability Organization
New York State Reliability Council
Northeast Power Coordinating Council
ReliabilityFirst Corporation
SERC Reliability Corporation
Southwest Power Pool RE
Texas Reliability Entity, Inc.
Western Electricity Coordinating Council
Terry Volkmann
William M Chamberlain
Bruce Lovelin
Donald Nelson
James D Burley
Alan Adamson
Guy V. Zito
Anthony E Jablonski
Carter B Edge
Emily Pennel
Donald G Jones
Steven L. Rueckert
Negative
Abstain
Affirmative
Negative
Negative
Abstain
Negative
Abstain
Affirmative
Affirmative
Abstain
Name (59 Responses)
Organization (59 Responses)
Group Name (28 Responses)
Lead Contact (28 Responses)
Question 1 (76 Responses)
Question 1 Comments (87 Responses)
Question 2 (77 Responses)
Question 2 Comments (87 Responses)
Question 3 (62 Responses)
Question 3 Comments (87 Responses)
Question 4 (0 Responses)
Question 4 Comments (87 Responses)
Individual
Brian Evans-Mongeon
Utility Services
Yes
While agreeing with the change, confusion may exist with the CAN that exists for the term "Annual".
Utility Services suggests that the language be changed to "Every calendar year" or something
equivalent. Given everything that transpired in the discussion on the term annual, using a different
phrase may be advantageous.
Yes
Yes
There are no other comments at this time.
Individual
E Hahn
MWDSC
No
Transmission Owners (TO) should not be included as a "Responsible Entity" for this or other
requirements because the Operating Plan is usually prepared by the Transmission Operator (TOP). For
TOs who are not also TOPs, there are usually delegation agreements. CIP-001 never directly applied
to TOs.
No
See comment for question 1
Individual
Scott McGough
Georgia System Operations Corporation
Yes
No
See comments under no. 4 below.
Yes
a) Reporting most of these items …
• Does not "provide for reliable operation of the BES"
• Does not include "requirements for the operation of existing BES facilities"
• Is not necessary to "provide for reliable operation of the BES"
… and is therefore not in accordance with the statutory and regulatory
definitions of a Reliability Standard. They should not be in a Reliability Standard. Most of this is an
administrative activity to provide information for NERC to perform some mandated analysis.
b) A reportable Cyber Security Incident: Delete this item from the table. It is covered in another standard
and does not need to be duplicated in another standard.
c) Damage or destruction of a Facility:
Entities MAY only need to slightly modify their existing CIP-001 Sabotage Reporting procedures from
a compliance perspective of HAVING an Operating Plan but not from a perspective of complying with
the Plan. A change from an entity reporting "sabotage" on "its" facilities (especially when the common
understanding of CIP-001 is to report sabotage on facilities as "one might consider facilities in
everyday discussions") to reporting "damage on its Facilities" (as defined in the Glossary) is a
significant change. An operator does not know off the top of his head the definition of Facility or
Element. He will not know for any particular electrical device whether or not reporting is required.
Although the term is useful for legal and regulatory needs, it is problematic for practical operational
needs. This creates the need for a big change in guidance, training, and tools for an operator to know
which pieces of equipment this applies to. There is the need to translate from NERC-ese to
Operator-ese. Much more time is needed to implement. The third threshold ("Results from actual or suspected
intentional human action") perpetuates the problem of knowing the human's intention. Also, what if
the action was intended but the result was not intended? The third threshold is ambiguous and
subject to interpretation. The original intent of this project was to get away from the problem of the
term sabotage due to its ambiguity and subjectivity. This latest change reverses all of the work so far
toward that original goal. Instead of the drafted language, change this item to reporting "Damage or
destruction of a Facility and any involved human action" and use only the first two threshold criteria.
d) Any physical threat that could impact the operability of a Facility: See comment above about the
term "Facility" and the need for a much longer implementation time.
e) Transmission loss: This item
is very unclear. What is meant by "loss?" Above, it says to report damage or destruction of a Facility.
This says to report the loss of 3 Facilities. Is the intent here to report when there are 3 or more
Facilities that are unintentionally and concurrently out of service for longer than a certain threshold of
time? The intent should not be to include equipment failure? Three is very arbitrary. An entity with a
very large footprint with a very large number of electrical devices is highly likely to have 3 out of
service at one time. An entity with very few electrical devices is less likely to have 3. Delete the word
Transmission. It is somewhat redundant. A Facility is a BES Element. I believe all BES Elements are
Transmission Facilities. A Facility operates as a single "electrical device." What if more than 3
downstream electrical devices are all concurrently out of service due to the failure of one upstream
device? Would that meet the criteria? A situation meeting the criteria will be difficult to detect. Need
better operator tools, specific procedures for this, training, and more implementation time.
f) The
implementation plan says current version stays in effect until accepted by ALL regulatory authorities
but it also says that the new version takes effect 12 months after the BOT or the APPLICABLE
authorities accept it. It is possible that ONE regulatory authority will not accept it for 13 months and
both versions will be in effect. It is also possible for ALL regulatory authorities to accept it at the same
time, the current version to no longer be in effect, but the new version will not be in effect for 12
months.
Group
Northeast Power Coordinating Council
Guy Zito
No
Regarding Requirement R3, add the following wording from Measure M3 to the end of R3 after the
wording “in Part 1.2.”: The annual test requirement is considered to be met if the responsible entity
implements the communications process in Part 1.2 for an actual event. This language must be in the
Requirement to be considered during an audit. Measures are not auditable. Regarding Requirement
R4, replace the words “an annual review” with the words “a periodic review.” Add the following to R4:
The frequency of such periodic reviews shall be specified in the Operating Plan and the time between
periodic reviews shall not exceed five (5) years. This does not preclude an annual review in an Entity’s
operating plan. The Entity will then be audited to its plan. If the industry approves a five (5) year
periodic review ‘cap’, and FERC disagrees, then FERC will have to issue a directive, state its reasons
and provide justification for an annual review that is not arbitrary or capricious. Adding the one year
“test” requirement adds to the administrative tracking burden and adds no reliability value.
No
Regarding Attachment 1, language identical to event descriptions in the NERC Event Analysis Process
and FERC OE-417 should be used. Creating a third set of event descriptions is not helpful to system
operators. Recommend aligning the Attachment 1 wording with that contained in Attachment 2, DOE
Form OE-417 and the EAP whenever possible. The following pertains to Attachment 1: Replace the
Attachment 1 “NOTE” with the following clarifying wording: NOTE: The Electric Reliability Organization
and the Responsible Entity’s Reliability Coordinator will accept the DOE OE-417 form in lieu of
Attachment 2 if the entity is required to submit an OE-417 report. Submit reports to the ERO via one
of the following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422. Initial
submittal by Voice within the reporting time frame is acceptable for all events when followed by a
hardcopy submittal by Facsimile or e-mail as and if required. The proposed “events” are subjective
and will lead to confusion and questions as to what has to be reported. Event: A reportable Cyber
Security Incident. All reportable Cyber Security Incidents may not require “One Hour Reporting.” A
“one-size fits all” approach may not be appropriate for the reporting of all Cyber Security Incidents.
The NERC “Security Guideline for the Electricity Sector: Threat and Incident Reporting” document
provides time-frames for Cyber Security Incident Reporting. For example, a Cyber Security
Compromise is recommended to be reported within one hour of detection, however, Information Theft
or Loss is recommended to be reported within 48 hours. Recommend listing the Event as “A
confirmed reportable Cyber Security Incident.” The existing NERC “Security Guideline for the Electricity
Sector: Threat and Incident Reporting” document uses reporting time-frames based on “detection”
and “discovery.” Recommend using the word confirmed because of the investigation time that may be
required from the point of initial “detection” or “discovery” to the point of confirmation, when the
compliance “time-clock” would start for the reporting requirement in EOP-004-2. Event: Damage or
destruction of a Facility Threshold for Reporting: revise language on third item to read: Results from
actual or suspected intentional human action, excluding unintentional human errors. Event: Any
physical threat that could impact the operability of a Facility This Event category should be deleted.
The word “could” is hypothetical and therefore unverifiable and un-auditable. The word “impact” is
undefined. Please delete this reporting requirement, or provide a list of hypothetical “could impact”
events, as well as a specific definition and method for determining a specific physical impact threshold
for “could impact” events other than “any.” Event: BES Emergency requiring public appeal for load
reduction. Replace wording in the Event column with language from #8 on the OE-417 Reporting
Form to eliminate reporting confusion. Following this sentence add, “This shall exclude other public
appeals, e.g., made for weather, air quality and power market-related conditions, which are not made
in response to a specific BES event.” Event: Complete or partial loss of monitoring capability Event
wording: Delete the words “or partial” to conform the wording to the NERC Event Analysis Process.
Event: Transmission Loss Revise to BES Transmission Loss Event: Generation Loss Revise to BES
Generation Loss
No
The proposed new section does not contain specifics of the proposed system nor the interfacing
outside of the system to support the report collecting.
The proposed standard is not consistent with NERC’s new Risk Based Compliance Monitoring. a. The
performance based action to “implement its event reporting Operating Plan” on defined events, as
required in R2, could be considered a valid requirement. However, the concern is that this
requirement could be superseded by the NERC Events Analysis Process and existing OE-417
Reporting. b. The requirements laid out in R1, R3 and R4 are specific controls to ensure that the
proposed requirement to report (R2) is carried out. However, controls should not be part of a
compliance requirement. The only requirement proposed in this standard that is not a control is R2.
NERC does not need to duplicate the enforcement of reporting already imposed by the DOE. DOE-417
is a well established process that has regulatory obligations. NERC enforcement of reporting is
redundant. NERC has the ability to request copies of these reports without making them part of the
Reliability Rules. Form EOP-004, Attachment 2: Event Reporting Form: Delete from the Task column
the words “or partial”. Delete from the Task column the words “physical threat that could impact the
operability of a Facility”. VSL’s may have to be revised to reflect revised wording.
Individual
Don Jones
Texas Reliability Entity
Yes
No
(1) In the Events Table, consider whether the item for “Voltage deviation on Facility” should also be
applicable to GOPs, because a loss of voltage control at a generator (e.g. failure of an automatic
voltage regulator or power system stabilizer) could have a similar impact on the BES as other
reportable items. Note: We made this comment last time, and the SDT’s posted response was nonresponsive to this concern. (2) In the Events Table, under Transmission Loss, the SDT indicated that
reporting is triggered only if three or more Transmission Facilities operated by a single TOP are lost.
What if four Facilities are lost, with two Facilities operated by each of two TOPs? That is a larger event
than three Facilities lost by one TOP, but there is no reporting requirement? Determining event status
by facility ownership is not an appropriate measure. The reporting requirements should be based on
the magnitude, duration, or impact of the event, and not on what entities own or operate the
facilities. (3) In the Events Table, under Transmission Loss, the criteria “loss of three or more
Transmission Facilities” is very indefinite and ambiguous. For example, how will bus outages be
considered? Many entities consider a bus as a single “Facility,” but loss of a single bus may impact as
many as six 345kV transmission lines and cause a major event. It is not clear if this type of event
would be reportable under the listed event threshold? Is the single-end opening of a transmission line
considered as a loss of a Facility under the reporting criteria? (4) Combinations of events should be
reportable. For example, a single event resulting in the loss of two Transmission Facilities (line and
transformer) and a 950 MW generator would not be reportable under this standard. But loss of two
lines and a transformer, or a 1000 MW generator, would be reportable. It is important to capture all
events that have significant impacts. (5) In the Events Table, under “Unplanned control center
evacuation,” “Loss of all voice communication capability” and “Complete or partial loss of monitoring
capability,” GOPs should be included. GOPs also operate control centers that are subject to these
kinds of occurrences, with potentially major impacts to the BES. Note that large GOP control centers
are classified as “High Impact” facilities in the CIP Version 5 standards, and a single facility can
control more than 10,000 MW of generation. (6) The “BES Emergency resulting in automatic firm load
shedding” event row within Attachment 1 should include the BA as a responsible entity for reporting.
Note that EOP-003-1 requires the BA to shed load in emergency situations (R1, R5 as examples), and
any such occurrence should be reported.
(1) The ERO and Regional Entities should not be included in the Applicability of this standard. The
only justification given for including them was they are required to comply with CIP-008. CIP-008
contains its own reporting requirements, and no additional reliability benefit is provided by including
ERO and Regional Entities in EOP-004. Furthermore, stated NERC policy is to avoid writing
requirements that apply to the ERO and Regional Entities, and we do not believe there is any
sufficient reason to deviate from that policy in this standard. (2) Under Compliance, in section 1.1, all
the words in “Compliance Enforcement Authority” should be capitalized. (3) Under Evidence
Retention, it is not sufficient to retain only the “date change page” from prior versions of the Plan. It
is not unduly burdensome for the entity to retain all prior versions of its “event reporting Operating
Plan” since the last audit, and it should be required to do so. (What purpose is supposed to be served
by retaining only the “date change pages”?) (4) The title of part F, “Interpretations,” is incorrect on
page 23. Should perhaps be “Associated Documents.”
Group
Arizona Public Service Company
Janet Smith, Regulatory Affairs Supervisor
Yes
Yes
Yes
None
Individual
Jonathan Appelbaum
United Illuminating Company
Yes
R3 should be clear that the annual test of the plan does not mean each communication path for each
applicable event on an annual basis.
Yes
The phrasing of the event labeled as Event Damage or Destruction of a Facility may be improved in
the Threshold for Reporting Column. Suggest the introduction sentence for this event should be
phrased as Where the Damage or Destruction of a Facility: etc. The rationale for the change is that as
written it is unclear if the list that follows is meant to modify the word Facilities or the overall
introductory sentence. The confusion being caused by the word That. What is important to be
reported is if a Facility is damaged and then an IROL is affected it should be reported, not that if a
Facility is comprising an IROL Facility is damaged but there is no impact on the IROL. Second, the top
of each table is the phrase Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties
identified pursuant to Requirement R1, Part 1.2 within one hour of recognition of the event. This
creates the requirement that the actual form is required to be transmitted to parties other than
NERC/DOE. The suggested revision is Submit EOP-004 Attachment 2 or DOE-OE-417 report to NERC
and/or DOE, and complete notification to other organizations identified pursuant to Requirement R1
Part 1.2 within one hour etc.
The measures M3 and M4 require evidence to be dated and time stamped. The time stamp is
excessive and provides no benefit. A dated document is sufficient. The measure M2 requires in
addition to a record of the transmittal of the EOP-004 Attachment 2 form or DOE-417 form that an
operator log or other operating documentation is provided. It is unclear why this supplemental
evidence of operator logs is required. We are assuming that the additional operator logs or
documentation is required to demonstrate that the communication was completed to organizations
other than NERC and DOE of the event. If true then the measure should be clear on this topic. For
communication to NERC and DOE use the EOP-004 Form or OE-417 form and retain the transmittal
record. For communication to other organizations pursuant to R1 Part 1.2, evidence may include, but
is not limited to, operator logs, transmittal record, attestations, or voice recordings.
Individual
Dan Roethemeyer
Dynegy Inc.
Yes
Yes
Use of the term "Part x.x" throughout the Standard is somewhat confusing. I can't recall other
Standards using that type of term. Suggest using the term "Requirement" instead.
Individual
Anthony Jablonski
ReliabilityFirst
ReliabilityFirst votes in the Affirmative for this standard because the standard further enhances
reliability by clearing up confusion and ambiguity of reporting events which were previously reported
under the EOP-004-1 and CIP-001-1 standards. Even though ReliabilityFirst votes in the Affirmative,
we offer the following comments for consideration: 1. Requirement R1, Part 1.2 a. ReliabilityFirst
recommends further prescribing whom the Responsible Entity needs to communicate with. The phrase
“… and other organizations needed for the event type…” in Part 1.2 essentially leaves it up to the
Responsible Entity to determine (include in their process) whom they should communicate each
applicable event to. ReliabilityFirst recommends adding a fourth column under Attachment 1, which
lists whom the Responsible Entity is required to communicate with, for each applicable event. 2. VSL
for Requirement R2 a. Requirement R2 requires the Responsible Entity to “implement its event
reporting Operating Plan” and does not require the entity to submit a report. For consistency with the
requirement, ReliabilityFirst recommends modifying the VSLs to begin with the following type of
language: “The Responsible Entity implemented its event reporting Operating Plan more than 24
hours but…” This recommendation is based on the FERC Guideline 3, VSL assignment should be
consistent with the corresponding requirement and should not expand on, nor detract from, what is
required in the requirement.
Individual
Joe Petaski
Manitoba Hydro
No
(R1.1 and 1.2) It is unclear whether or not R1.1 and R1.2 require a separate recognition and
communication process for each of the event types listed in Attachment 1 or if event types can be
grouped as determined appropriate by the responsible entity given that identical processes will apply
for multiple types of events. Manitoba Hydro suggests that wording is revised so that multiple event
types can be addressed by a single process as deemed appropriate by the Responsible Entity. (R3) It
is unclear whether or not R3 requires the testing of the communications process for each separate
event type identified in Attachment 1. If so, this would be extremely onerous. Manitoba Hydro
suggests that only unique communication processes (as identified by the Responsible Entity in R1.2)
require an annual test and that testing should not be required for each type of event listed in
Attachment 1. As well, Manitoba Hydro believes that testing the communications process alone is not
as effective as also providing training to applicable personnel on the communications process.
Manitoba Hydro suggests that R3 be revised to require annual training to applicable personnel on the
communications process and that only 1 test per unique communications process be required
annually.
Yes
Yes
Manitoba Hydro is voting negative on EOP-004-2 for the reasons identified in our response to
Question 1. In addition, Manitoba Hydro has the following comments: (Background section) - The
section has inconsistent references to EOP-004 (e.g., EOP-004 and EOP-004-2 are used). Wording
should be made consistent. (Background section) – The section references entities, and responsible
entities. Suggest wording is made consistent and changed to Responsible Entities. (General comment)
– References in the standard to ‘Part 1.2’ should be changed to R1.2 as it is unclear if Part 1.2 refers
to, for example, R1.2 or part 1.2 ‘Evidence Retention’. (M4) – Please clarify what is meant by ‘date
change page’.
Individual
Michelle R. D'Antuono
Ingleside Cogeneration LP
Yes
Ingleside Cogeneration LP agrees that it is appropriate to test reporting communications on an annual
basis, primarily to validate that phone numbers, email ids, and contact information is current. We
appreciate the project team’s elimination of the terms “exercise” and “drill”, which we believe
connotates a formalized planning and assessment process. An annual review of the Operating Plan
implies a confirmation that linkages to sub-processes remain intact and that new learnings are
captured. We also agree that it is appropriate only to require an updated Revision Level Control chart
entry as evidence of compliance – it is very likely that no updates are required after the review is
complete. In our view, both of these requirements are sufficient to assure an effective assessment of
all facets of the Operating Plan. As such, we fully agree with the project team’s decision to delete the
requirement to update the plan within 90 days of a change. In most cases, our internal processes will
address the updates much sooner, but there is no compelling reason to include it as an enforceable
requirement.
Yes
Ingleside Cogeneration LP agrees with the removal of nearly all one hour reporting requirements. In
our view there must be a valid contribution expected of the recipients of any reporting that takes
place this early in the process. Any non-essential communications will impede the progress of the
front-line personnel attempting to resolve the issue at hand – which has to be the priority. Secondly,
there is a risk that early reporting may include some speculation of the cause, which may be found to
be incorrect as more information becomes available. Recipients must temper their reactions to
account for this uncertainty. In fact, Ingleside Cogeneration LP recommends that the single remaining
one-hour reporting scenario be eliminated. It essentially defers the reporting of a cyber security
incident to CIP-008 anyways, and may even lead to a multiple violation of both Standards if
exceeded.
Yes
Ingleside Cogeneration is encouraged by NERC’s willingness to act as central data gathering point for
event information. However, we see this only as a starting point. There are still multiple internal and
external reporting demands that are similar to those captured in EOP-004-2 – examples include the
DOE, RAPA (misoperations), EAWG (events analysis), and ES-ISAC (cyber security). Although we
appreciate the difference in reporting needs expressed by each of these organizations, there are very
powerful reporting applications available which capture a basic set of data and publish them in
multiple desirable formats. We ask that NERC spearhead this initiative – as it is a natural part of the
ERO function.
Ingleside Cogeneration LP strongly believes that LSEs that do not own BES assets should be
excluded from the Applicability section of this standard.
Group
DECo
Kent Kujala
No
Should only have annual "review" requirement rather than test.
No
On pg 17 in the Rationale Box for EOP-004 Attachment 1: The set of terms is specific then includes
the word ETC. Then further lists areas to exclude. Then on Pg 23 of document it includes train
derailment near a transmission right of way and forced entry attempt into a substation facility as
reportable. These conflict. Also see conflict when in pg 21 states the DOE OE417 would be accepted in
lieu of the NERC form, but on the last pg it states the DOE OE417 should be attached to the NERC
report indicating the NERC report is still required.
Yes
Requirement R3 for annual test specifically states that ERO is not included during test. Implies that
local law enforcement or state law enforcement will be included in test. Hard to coordinate with many
Local organizations in our area.
Individual
Tim Soles
Occidental Power Services, Inc.
No
There should be an exception for LSEs with no BES assets from having an Operating Plan and,
therefore, from testing and review of such plan. These LSEs have no reporting responsibilities under
Attachment 1 and, if they have nothing ever to report, why would they have to have an Operating
Plan and have to test and review it? This places an undue burden on small entities that cannot impact
the BES.
No
There are no requirements in Attachment 1 for LSEs without BES assets so these entities should not
be in the Applicability section.
No
This section should reference the confidentiality requirements in the ROP and should have a
statement about the system for collection and dissemination of disturbance reports being “subject to
the confidentiality requirements of the NERC ROP.”
OPSI continues to believe that LSEs that do not own BES assets should be excluded from the
Applicability section of this standard. It is disingenuous of both the SDT and FERC to promote an
argument to support this inclusion such as that stated in Section 459 of Order 693 (and referred to by
the SDT in their Consideration of Comments in the last posting). The fact is that no reportable
disturbance can be caused by an “attack” on an LSE that does not own BES assets. The SDT has yet
to point out such an event.
Individual
Alice Ireland
Xcel Energy
No
1) In R1.2, We understand what the drafting team had intended here. However, we are concerned
that the way this requirement is drafted, using i.e., it could easily be interpreted to mean that you
must notify all of those entities listed. Instead, we are suggesting that the requirement be rewritten
to require entities to define in their Operating Plan the minimum organizations/entities that would
need to be notified for applicable events. We believe this would remove any ambiguity and make it
clear for both the registered entity and regional staff. We recommend the requirement read
something like this: 1.2. A process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to applicable
internal and external organizations needed for the event type, as defined in the Responsible Entity’s
Operating Plan. 2) We also suggest that R3 be clarified as to whether communications to all
organizations must be tested or just those applicable to the test event type/scenario.
No
1) The event Damage or destruction of a Facility appears to need ‘qualifying’. Is this intended for only
malicious intent? Otherwise, weather related or other operational events will often meet this criteria.
For example adjustment in generation or changes in line limits to “avoid an Adverse Reliability
Impact” could occur during a weather related outage. We suggest adjusting this event and criteria to
clearly exclude certain items or identify what is included. 2) Also recommend placing the information
in footnote 1 into the associated Threshold for Reporting column, and removing the footnote.
We believe such a tool would be useful, however we are indifferent as to if it is required to be
established by the Rules of Procedure.
Xcel Energy appreciates the work of the drafting team and believes the current draft is an
improvement over the existing standard. However, we would like to see the comments provided here
and above addressed prior to submitting an AFFIRMATIVE vote. 1) Suggest enhancing the “Example
of Reporting Process…” flowchart as follows: EVENT > Refer to Ops Plan for Event Reporting > Refer
to Law Enforcement? > Yes/No > …. 2) Attachment 1 – in both the 1 hour and the 24 hour reporting
they are qualified with “within x hours of recognition of the event”. Is this the intent, so that if an
entity recognizes at some point after an event that the time clock starts? 3) VSLs – R3 & R4 “Severe”
should remove the “OR….”, as this is redundant. Once an entity has exceeded the 3 calendar months,
the Severe VSL is triggered. 4) The Guideline and Technical Basis page 22 should be corrected to read
“The changes do not include any real-time operating notifications for the types of events covered by
CIP-001 and EOP-004. The real-time reporting requirements are achieved through the RCIS and are
covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies). These standards deal
exclusively with after-the-fact reporting.” 5) Also in the following section of the Guideline and
Technical Basis (page 23) the third bullet item should be qualified to exclude copper theft: Examples
of such events include: • Bolts removed from transmission line structures • Detection of cyber
intrusion that meets criteria of CIP-008-3 or its successor standard • Forced intrusion attempt at a
substation (excluding copper theft) • Train derailment near a transmission right-of-way • Destruction
of Bulk Electric System equipment
Group
Duke Energy
Greg Rowland
No
Under R3, we agree with testing communications internally. Just as the ERO is excluded under R3,
other external entities should also be excluded. External communications should be verified under R4.
No
(1) We disagree with reporting CIP-008 incidents under this standard. We agree with the one-hour
notification timeframe, but believe it should be in CIP-008 to avoid double jeopardy. (2) Damage or
destruction of a Facility – Need clarity on how a vertically integrated entity must report. For example
a GOP probably won’t know if an IROL will be affected. Also, there shouldn’t be multiple reports from
different functional entities for the same event. Suggest splitting this table so that GO, GOP, DP only
reports “Results from actual or suspected intentional human action”. (3) Generation Loss – Need more
clarity on the threshold for reporting. For example if we lose one 1000 MW generator at 6:00 am and
another 1000 MW generator at 4:00 pm, is that a reportable event?
Yes
Group
Luminant
Brenda Hampton
Yes
No
Luminant appreciates the work of the DSR SDT to modify Attachment 1 to address the concerns of
the stakeholders. However, we are concerned that the threshold for reporting a Generation Loss in
the ERCOT interconnection established by this revision is set at ≥ 1,000MW, which is not consistent
with the level of single generation contingency used in ERCOT planning and operating studies. That
level of contingency is currently set at the size of the largest generating unit in ERCOT, which is
1,375MW. For this reason, Luminant believes that the minimum threshold for reporting of a
disturbance should be > 1,375MW for the ERCOT Interconnection.
Yes
Group
BC Hydro
Patricia Robertson
Yes
No
BC Hydro supports the revisions to EOP-004 and would vote Affirmative with the following change.
Attachment 1 has a One Hour Reporting requirement. BC Hydro proposes a One Hour Notification with
the Report submitted within a specified timeframe afterward.
Individual
Andrew Gallo
City of Austin dba Austin Energy
Yes
Austin Energy (AE) supports the requirements for (1) an annual test of the communications portion of
the Operating Plan (R3) and (2) an annual review of the Operating Plan (R4); however, we offer a
slight modification to the measures associated with those requirements. AE does not believe that
records evidencing such test and reviews need to be time-stamped to adequately demonstrate
compliance with the requirements. In each case, we recommend that the first sentence of M3 and M4
start with “Each Responsible Entity will have dated records to show that the annual …”
Yes
Austin Energy makes the following comments: (1) Comment on the Background section titled “A
Reporting Process Solution – EOP-004”: This section includes the sentence, “Essentially, reporting an
event to law enforcement agencies will only require the industry to notify the state OR PROVINCIAL
OR LOCAL level law enforcement agency.” (emphasis added) The corresponding flowchart includes a
step, “Notification Protocol to State Agency Law Enforcement.” Austin Energy requests that the SDT
update the flowchart to match the language of the associated paragraph and include “state or
provincial or local” agencies. (2) Comments on VSLs: Austin Energy recommends that the SDT amend
the VSLs for R2 to include the "recognition of" events throughout. That is, update the R2 VSLs to
state “… X hours after "recognizing" an event …” in all locations where the phrase occurs. (3) Austin
Energy has a concern with the inclusion of the word "damage" to the phrase "damage or destruction
of a Facility." We agree that any "destruction" of a facility that meets any of the three criteria be a
reportable event. However, if the Standard is going to include "damage," some objective definition for
"damage" (that sets a floor) ought to be included. Much like the copper theft issue, we do not see the
benefit of reporting to NERC vandalism that does not rise to a certain threshold (e.g. someone who
takes a pot shot at an insulator) unless the damage has some tangible impact on the reliability of the
BES or is an act of an orchestrated sabotage (e.g. removal of a bolt in a transmission structure). (4)
Austin Energy voted to approve the revised Standard because it is an improvement over the existing
Standard. In light of FERC's comments in Paragraph 81 of the Order approving the Find, Fix, Track
and Report initiative, however, Austin Energy would propose that this Standard is the type of
Standard that does not truly enhance reliability of the BES and is, instead, an administrative activity.
As such, we recommend that NERC consider whether EOP-004-2 ought to be retired.
Group
Bonneville Power Administration
Chris Higgins
Yes
BPA believes that the annual testing and review as described in R3 is too cumbersome and
unnecessary for entities with large footprints to inundate federal and local enforcement bodies such as
the FBI for “only” testing and the documenting for auditing purposes. BPA suggests that testing be
performed on a bi-annual or longer basis.
No
BPA believes that clarifying language should be added to the transmission loss event (Page 19). [A report
should not be required if the number of elements is forced because of pre-designed or planned
configuration. System studies have to take such a configuration into account. Possible wording could
be: Unintentional loss of three or more Transmission Facilities (excluding successful automatic
reclosing or planned operating configuration).] In addition, under the “Event” of Complete or partial
loss of monitoring capability, BPA believes that “partial loss” is not sufficiently specific for BPA to write
compliance operating procedures and suggest defining partial loss or removing it from the standard.
Should the drafting team add clarifying language to remove “or partial loss” and address BPA’s
concerns on over emphasis on software tool to the operation of the system, BPA would change its
negative position to affirmative.
Yes
BPA believes that the VSL should allow for amending the form after a NERC specified time period
without penalty and suggests that a window of 48 hours be given to amend the form to make
adjustments without needing to file a self report. Should the standard be revised to allow a time
period for amending the form without having to file a self report, BPA would change its negative
position to affirmative.
Individual
Thad Ness
American Electric Power
No
R3: How many different scenarios need to be tested? For example, reporting sabotage-related events
might well be different than reporting reliability-related events such as those regarding loss of
Transmission. While these examples might vary a great deal, other such scenarios may be very
similar in nature in terms of communication procedures. Perhaps solely testing the most complex
procedure would be sufficient. AEP agrees with the changes with R3 calling for an annual test
provided the requirement R2 is modified to include the measure language “The annual test
requirement is considered to be met if the responsible entity implements the communications process
in Part 1.2 for an actual event.” M3: While we agree that “the annual test requirement is considered
to be met if the responsible entity implements the communications process in Part 1.2 for an actual
event”, we believe it would be preferable to include this text in R3 in addition to M3. Measures
included in earlier standards (some of which are still enforced today) had little correlation to the
requirement itself, and as a result, those measures were seldom referenced. M3: It would be unfair to
assume that every piece of evidence required to prove compliance would be dated and time-stamped,
so we recommend removing the text “dated and time-stamped” from the first sentence so that it
reads “Each Responsible Entity will have records to show that the annual test of Part 1.2 was
conducted.” The language regarding dating and time stamps in regards to “voice recordings and
operating logs or other communication” is sufficient.
No
If CIP-008 is now out of scope within the requirements of this standard, any references to it should
also be removed from Attachment 1. The Threshold for Reporting column on page 26 includes
“Results from actual or suspected intentional human action.” This wording is too vague as many
actions by their very nature are intentional. In addition, it should actually be used as a qualifying
event rather than a threshold. We recommend removing it entirely from the Threshold column, and
placing it in the Events column and also replacing the first row as follows: “Actual or suspected
intentional human action with the goal of damage to, or destruction of, the Facility.” On page 27, the
event “Any physical threat that could impact the operability of a Facility” is too vague and broad.
Using the phrases “any physical threat” and “could impact” sets too high a bar on what would need to
be reported. On page 28, for the event “Complete loss of off-site power to a nuclear generating plant
(grid supply)”, TO and TOP should be removed and replaced by GOP.
Yes
While we have no objections at this point, we would like specific details on what our obligations would
be as a result of these changes. For example, would the clearinghouse tool provide verifications that
the report(s) had been received as well as forwarded? In addition, if DOE OE-417 is the form being
submitted, would the NERC Reporting Clearinghouse forward that report to the DOE?
While we do not necessarily disagree with modifying this standard, we do have serious concerns with
the possibility that Form OE-417 would not also be modified to match any changes made to this
standard. To the degree they would be different, this would create unnecessary confusion and burden
on operators. If CIP-008 is now out of scope within the requirements of this standard, the task
“reportable Cyber Security Incident” should be removed from Attachment 2.
Individual
Ed Davis
Entergy
No
The requirement for a “time stamped record” of annual review is unreasonable and unnecessary. A
dated document showing that a review was performed should be sufficient.
Yes
Entergy does not agree with the Time Horizon for R2. The rationale for R2 contains phrases related to
situational awareness and keeping people/agencies aware of the “current situation.” However, this
standard is related to after the fact event reporting, not real-time reporting via RCIS, as discussed on
page 6 of the red-lined standard. Therefore the time horizon for R2 should indicate that this is an
after the fact requirement expected to be performed either in 1 hour or 24 hours after an event
occurs, not in the operations assessment time frame. This change should also be made on page 15 of
the redline in the Table of compliance elements for R2. Page 18 of the redline document contains a
VSL for R2 which states that it will be considered a violation if the Responsible Entity submitted a
report in the appropriate timeframe but failed to provide all of the required information. It has long
been the practice to submit an initial report and provide additional information as it becomes
available. On page 24 of the redlined document, this is included in the following “…and provide as
much information as is available at the time of the notification to the ERO…” But the compliance
elements table now imposes that if the entity fails to provide ALL required information at the time the
initial report is required, the entity will be non compliant with the standard. This imposes an
unreasonable burden to the Reliability Entity. This language should be removed. The compliance
element table for R3 and R4 make it a high or severe violation to be late on either the annual test or
the annual review of the Operating plan for communication. While Entergy supports that periodically
verifying the information in the plan and having a test of the operating plan have value, it does not
necessarily impose additional risk to the BES to have a plan that exceeds its testing or review period
by two to three months. This is an administrative requirement and the failure to test or review should
be a lower or moderate VSL, which would be consistent with the actual risk imposed by a late test or
review. On page 24 of the redlined draft, there is a statement that says “In such cases, the affected
Responsible Entity shall notify parties per Requirement R1 and provide as much information as is
available at the time of the notification…” Since R1 is the requirement to have a plan, and R2 is the
requirement to implement the plan for applicable events, it seems that the reference in this section
should be to Requirement R2, not Requirement R1.
Individual
Jack Stamper
Clark Public Utilities
Yes
No
I agree with all but one. The event is "Damage or destruction of a Facility" and the threshold for
reporting is "Results from actual or suspected intentional human action." I understand and agree that
destruction of a facility due to actual or suspected intentional human action should always be
reported. However, I do not know what level of damage should be reported. Obviously the term
"damage" is meant to signify an event that is less than destruction. As a result, damage could be
extensive, minimal, or hardly noticeable. There needs to be some measure of what the damage
entails if the standard is to contain a broad requirement for the reporting of damage intentionally
caused by human action. Whether that measure is based on the actual impacts to the BES from the
damage or whether the measure is based on the ability of the damaged equipment to continue to
function at 100%, 50% or some capability would be acceptable but currently it is too open ended.
Yes
Individual
Tracy Richardson
Springfield Utility Board
Yes
• SUB supports the removal of Requirement 1, Part 1.4, as well as the separation of Parts 1.3 and 1.5,
agreeing that they are their own separate actions.
• The Draft 4 Version History still lists the term “Impact Event” rather than “Event”.
Yes
• Spell out Requirement 1, rather than “parties per R1” in NOTE.
• On page 44, “Examples of such events include” should say, “include, but are not limited to”.
• SUB appreciates clarification regarding events, particularly the discussion regarding “sabotage”,
and recommends listing and defining “Event” in Definitions and Terms Used in NERC Standards.
• The Guideline and Technical Basis provides clarity, and SUB agrees with the removal of “NERC
Guideline: Threat and Incident Reporting”.
• In the flow chart on page 9 there are parallel paths going from “Refer to Ops Plan for Reporting” to
the ‘Report Event to ERO, Reliability Coordinator’ via both the Yes and No response. It seems like the
yes/no decision should follow after “Refer to Ops Plan” for communication to law enforcement.
Yes
• SUB supports the new Section 812 being incorporated into the NERC ROP. This addition provides
clarity for what is required by whom and takes away any possible ambiguity.
SUB appreciates the opportunity to provide comments. While Staff was concerned with the
consolidation of CIP and non-CIP NERC Reliability Standards (as to how they’ll be audited), the Project
2009-01 SDT has done an excellent job in providing clarification around identifying and reporting
events, particularly related to the varying definitions of “sabotage”.
Individual
Wayne Sipperly
New York Power Authority
No
Please see comments submitted by NPCC Regional Standards Committee (RSC).
No
Please see comments submitted by NPCC Regional Standards Committee (RSC).
Yes
Please see comments submitted by NPCC Regional Standards Committee (RSC).
Individual
David Thorne
Pepco Holdings Inc
Yes
Yes
No
This could create confusion. This new ROP section states that “… the system shall then forward the
report to the appropriate NERC departments, applicable regional entities, other designated registered
entities, and to appropriate governmental, law enforcement, regulatory agencies as necessary.”
Standard Section R1.2 states “A process for communicating each of the applicable events listed in
EOP-004 Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1 to the
Electric Reliability Organization and other organizations needed for the event type; i.e. the Regional
Entity; company personnel; the Responsible Entity’s Reliability Coordinator; law enforcement,
governmental or provincial agencies.” If NERC is going to be the “clearinghouse” forwarding reports to
the RE and DOE, does that mean that the reporting entity only needs to make a single submission to
NERC for distribution? If the reporting entity is required to make all notifications, per R1.2, what is
the purpose of NERC’s duplication of sending out reports? It would be very helpful to the reporting
entities if R1.2 was revised to state that NERC would forward the event form to the RE and DOE and
the reporting entity would only be responsible for providing notice verbally to its associated BA, TOP,
RC, etc. as appropriate and for notifying appropriate law enforcement as required.
The SDT's efforts have resulted in a very good draft.
Group
Imperial Irrigation District (IID)
Jesus Sammy Alcaraz
Yes
Yes
Yes
Individual
Chris de Graffenried
Consolidated Edison Co. of NY, Inc.
No
Requirement R3: Following the sentence ending “in Part 1.2” add the following wording from the
Measure to R3: The annual test requirement is considered to be met if the responsible entity
implements the communications process in Part 1.2 for an actual event. This language must be in the
Requirement to be considered during an audit. Measures are not auditable. Requirement R4: Replace
the words “an annual review” with the words “a periodic review.” Following the first sentence in R4
add: The frequency of such periodic reviews shall be specified in the Operating Plan and the time
between periodic reviews shall not exceed five (5) years.
No
General comment regarding Attachment 1: SDT should strive to use identical language to event
descriptions in the NERC Event Analysis Process and FERC OE-417. Creating a third set of event
descriptions is not helpful to system operators. We recommend aligning the Attachment 1 wording
with that contained in Attachment 2, DOE Form OE-417 and the EAP whenever possible. Replace the
Attachment 1 “NOTE” with the following clarifying wording: NOTE: The Electric Reliability Organization
and the Responsible Entity’s Reliability Coordinator will accept the DOE OE-417 form in lieu of
Attachment 2 if the entity is required to submit an OE-417 report. Submit reports to the ERO via one
of the following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422. Initial
submittal by Voice within the reporting time frame is acceptable for all events when followed by a
hardcopy submittal by Facsimile or e-mail as and if required. Event: Damage or destruction of a
Facility Threshold for Reporting: revise language on third item to read, Results from actual or
suspected intentional human action, excluding unintentional human errors. Event: Any physical threat
that could impact the operability of a Facility This Event category should be deleted. The word “could”
is hypothetical and therefore unverifiable and un-auditable. The word “impact” is undefined. Please
delete this reporting requirement, or please provide a list of hypothetical “could impact” events, as
well as a specific definition and method for determining a specific physical impact threshold for “could
impact” events other than “any.” Event: BES Emergency requiring public appeal for load reduction.
Replace Event wording with language from #8 on OE-417 reporting form to eliminate reporting
confusion. Following this sentence add, “This shall exclude other public appeals, e.g., made for
weather, air quality and power market-related conditions, which are not made in response to a
specific BES event.” Event: Complete or partial loss of monitoring capability Event wording: Delete
the words “or partial” to conform the wording to NERC Event Analysis Process. Event: Transmission
Loss Modify to BES Transmission Loss Event Generation Loss Modify to BES Generation Loss
Yes
Form EOP-004, Attachment 2: Event Reporting Form: Delete the Task words “or partial.” Delete the
Task words “physical threat that could impact the operability of a Facility.” Make any changes to the
VSL’s necessary to align them with the reviewed wording provided above.
Individual
David Burke
Orange and Rockland Utilities, Inc.
No
Requirement R3: Following the sentence ending “in Part 1.2” add the following wording from the
Measure to R3: The annual test requirement is considered to be met if the responsible entity
implements the communications process in Part 1.2 for an actual event. This language must be in the
Requirement to be considered during an audit. Measures are not auditable. Requirement R4: Replace
the words “an annual review” with the words “a periodic review.” Following the first sentence in R4
add: The frequency of such periodic reviews shall be specified in the Operating Plan and the time
between periodic reviews shall not exceed five (5) years.
No
General comment regarding Attachment 1: SDT should strive to use identical language to event
descriptions in the NERC Event Analysis Process and FERC OE-417. Creating a third set of event
descriptions is not helpful to system operators. We recommend aligning the Attachment 1 wording
with that contained in Attachment 2, DOE Form OE-417 and the EAP whenever possible. Replace the
Attachment 1 “NOTE” with the following clarifying wording: NOTE: The Electric Reliability Organization
and the Responsible Entity’s Reliability Coordinator will accept the DOE OE-417 form in lieu of
Attachment 2 if the entity is required to submit an OE-417 report. Submit reports to the ERO via one
of the following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422. Initial
submittal by Voice within the reporting time frame is acceptable for all events when followed by a
hardcopy submittal by Facsimile or e-mail as and if required. Event: Damage or destruction of a
Facility Threshold for Reporting: revise language on third item to read, Results from actual or
suspected intentional human action, excluding unintentional human errors. Event: Any physical threat
that could impact the operability of a Facility This Event category should be deleted. The word “could”
is hypothetical and therefore unverifiable and un-auditable. The word “impact” is undefined. Please
delete this reporting requirement, or please provide a list of hypothetical “could impact” events, as
well as a specific definition and method for determining a specific physical impact threshold for “could
impact” events other than “any.” Event: BES Emergency requiring public appeal for load reduction.
Replace Event wording with language from #8 on OE-417 reporting form to eliminate reporting
confusion. Following this sentence add, “This shall exclude other public appeals, e.g., made for
weather, air quality and power market-related conditions, which are not made in response to a
specific BES event.” Event: Complete or partial loss of monitoring capability Event wording: Delete
the words “or partial” to conform the wording to NERC Event Analysis Process. Event: Transmission
Loss Modify to BES Transmission Loss Event Generation Loss Modify to BES Generation Loss
Yes
Form EOP-004, Attachment 2: Event Reporting Form: Delete the Task words “or partial.” Delete the
Task words “physical threat that could impact the operability of a Facility.” Make any changes to the
VSL’s necessary to align them with the reviewed wording provided above.
Individual
Larry Raczkowski
FirstEnergy Corp
Yes
FE agrees with the revision but has the following comments and suggestions: 1. We request clarity
and guidance on R3 (See our comments in Question 4 for further consideration). Also, we suggest a
change in the phrase “shall conduct an annual test” to “shall conduct a test each calendar year, not to
exceed 15 calendar months between tests”. This wording is consistent with other standards in
development such as CIP Version 5. 2. In R4 we suggest a change in the phrase “shall conduct an
annual review” to “shall conduct a review each calendar year, not to exceed 15 calendar months
between reviews”. This wording is consistent with other standards in development such as CIP
Version 5.
No
FE requests the following changes be made to Attachment 1: 1. Pg. 19 / Event: “Voltage deviation on
a Facility”. The term “observes” for Entity with Reporting Responsibility be changed to “experiences”.
The burden should rest with the initiating entity in consistency with other Reporting Responsibilities.
2. In “Threshold for Reporting”, the language should be expanded to – plus or minus 10% “of nominal
voltage” for greater than or equal to 15 continuous minutes. 3. Pg. 20 / Event: “Complete or partial
loss of monitoring capability”. The term “partial” should be deleted from the event description to read
as follows: Complete loss of monitoring capability and the reporting responsibility requirements to
read “Each RC, BA, and TOP that experiences the complete loss of monitoring capability.”
Yes
FE agrees but asks that the defined term “registered entities” in the second sentence be capitalized.
FE supports the standard and has the following additional comments and suggestions: 1.
Guideline/Technical Basis Section – FE requests the SDT add specific guidance for each requirement.
Much of the information in this section is either included, or should be included in the Background
section of the standard. One example of guidance that would help is for Requirement R3 on how an
entity could perform the annual test. The comment form for this posting has the following paragraph
on pg. 2 which could be used as guidance for R3: “the annual test will include verification that
communication information contained in the Operating Plan is correct. As an example, the annual
update of the Operating Plan could include calling “others as defined in the Responsible Entity’s
Operating Plan” (see Part 1.2) to verify that their contact information is up to date. If any
discrepancies are noted, the Operating Plan would be updated. Note that there is no requirement to
test the reporting of events to the Electric Reliability Organization and the Responsible Entity’s
Reliability Coordinator.” 2. With regard to the statement in the comment form (pg 2 paragraph
7) “Note that there is no requirement to test the reporting of events to the Electric Reliability
Organization and the Responsible Entity’s Reliability Coordinator.”, requirement R3 only includes the
ERO as an entity and should also include the Reliability Coordinator. 3. The measure M3 says that an
entity can use an actual event as a test to meet R3. Does this mean just 1 actual event will meet R3,
or is the intent that all possible events per 1.2 are tested? Would like some clarity on this measure.
Individual
Linda Jacobson-Quinn
Farmington Electric Utility System
Yes
No
The reporting threshold for “Complete or partial loss of monitoring capability” should be modified to
include the loss of additional equipment and not be limited to State Estimator and Contingency
Analysis. Some options have been included: Affecting a BES control center for ≥ 30 continuous
minutes such that Real-Time monitoring tools are rendered inoperable. Affecting a BES control center
for ≥ 30 continuous minutes to the extent a Constrained Facility would not be identified or an Adverse
Reliability Impact event could occur due to lack of monitoring capability. Affecting a BES control
center for ≥ 30 continuous minutes such that an Emergency would not be identified or ma
Yes
Individual
Michael Falvo
Independent Electricity System Operator
Yes
We concur with the changes as they provide better streamlining of the four key requirements, with
enhanced clarity. However, we are unclear on the intent of Requirement R3, in particular the phrase
“not including notification to the Electric Reliability Organization” which begs the question on whether
or not the test requires notifying all the other entities as if it were a real event. This may create
confusion in ensuring compliance and during audits. Suggest the SDT to review and modify this
requirement as appropriate.
Yes
No
We are unable to comment on the proposed new section as the section does not contain any
description of the proposed process or the interface requirements to support the report collecting
system. We reserve judgment on this proposal and our right to comment on the proposal when the
proposed addition is posted.
We do not agree with the MEDIUM VRF assigned to Requirement R4. R4 stipulates a requirement to
conduct an annual review of the event reporting Operating Plan in Requirement R1, which itself is
assigned a VRF of LOWER. We are unable to rationalize why a subsequent review of a plan should
have a higher reliability risk impact than the development of the plan itself. Hypothetically, if an entity
doesn’t develop a plan to begin with, then it will be assigned a LOWER VRF, and the entity will have
no plan to review annually and hence it will not be deemed non-compliant with requirement R4. The
entity can avoid being assessed violating a requirement with a MEDIUM VRF by not having the plan to
begin with, for which the entity will be assessed violating a requirement with a LOWER VRF. We
suggest changing the R4 VRF to LOWER.
Group
Southern Company Services
Antonio Grayson
No
There are approximately 17 event types for which Responsible Entities must have a process for
communicating such events to the appropriate entities and R3 states that “The Responsible Entity
shall conduct an annual test of the communications process”. It is likely that the same
communications process will be used to report multiple event types, so Southern suggests that the
Responsible Entities conduct an annual test for each unique communications process. Southern
suggests that this requirement be revised to state “Each Responsible Entity shall conduct an annual
test of each unique communications process addressed in R1.2”.
• In Attachment 1, for Event: “Damage or destruction of a Facility”, SDT should consider removing
“Results from actual or suspected intentional human action” from the “Threshold for Reporting”
column. The basis for this suggestion is as follows:
o The actual threshold should be measurable, similar to the thresholds specified for other events in
Attachment 1. [Note: The first two thresholds identified (i.e., “Affects an IROL” and “Results in the
need for actions to avoid an Adverse Reliability Impact”) are measurable and sufficiently qualify
which types of Facility damage should be reported.]
o The determination of human intent is too subjective. Including this as a threshold will cause many
events to be reported that otherwise may not need to be reported. (e.g., Vandalism and copper theft,
while addressed under physical threats, is more appropriately classified as damage. These are
generally intentional human acts and would qualify for reporting under the current guidance in
Attachment 1. They may be excluded from reporting by the threshold criteria regarding IROLs and
Adverse Reliability Impact, if the human intent threshold is removed.)
o It may be more appropriate to address human intent in the event description as follows: “Damage or
destruction of a Facility, whether from natural or human causes”. Let the thresholds related to BES
impact dictate the reporting requirement.
• In Attachment 1, for Event: “Complete or partial loss of monitoring capability”, SDT should consider
changing the threshold criteria to state: “Affecting a BES control center for ≥ 30 continuous minutes
such that analysis capability (State Estimator, Contingency Analysis) is rendered inoperable.” There
may be instances where the tools themselves are out of commission, but the control center personnel
have sufficiently accurate models and alternate methods of performing the required analyses.
No
It appears that the SDT has incorporated the reporting requirements for CIP-008 “reportable Cyber
Security Incidents”; however, the “recognition” requirements remain in CIP-008 Reliability Standard.
Southern understands the desire to consolidate reporting requirements into a single standard, but it
would be clearer for Cyber Security Incidents if both the recognition and reporting requirements were
in one reliability standard and not spread across multiple standards. As it relates to the event type
“Loss of Firm Load for > 15 minutes”, Southern suggests that the SDT clarify if weather related loss
of firm load is excluded from the reporting requirement. As it relates to the event type “Loss of all
voice communication capability”, Southern suggests that the SDT clarify if this means both primary
and backup voice communication systems or just primary voice communication systems. Referring to
“CIP-008-3 or its successor” in Requirement R1.1 is problematic. This arrangement results in a
variable requirement for EOP-004-2 R1. The requirements in a particular version of a standard should
be fixed and not variable. If exceptions to applicable events change, a revision should be made to
EOP-004 to reflect the modified requirement.
Yes
Move the Background Section (pages 4-9) to the Guideline and Technical Basis section. They are not
needed in the main body of the standard. Each “Entity with Reporting Responsibility” in the one-hour
reporting table (p. 17) should be explicitly listed in the table, not pointed to another variable location.
The criterion for “Threshold for Reporting” in the one-hour reporting table (p. 17) should be explicitly
listed in the table, not pointed to another variable location. Please specify the voltage base against
which the +/- 10% voltage deviation on a Facility is to be measured in the twenty-four hour reporting
table (p. 19).
Individual
John Seelke
Public Service Enterprise Group
Yes
No
We agreed with most of the revisions. However, for the 24-hour reporting time frame portion of the
EOP-004 Attachment 1: Reportable Event that starts on p. 18, we have these concerns: a. Why was
“RC” left out in the first row? RC is in the second row that also addresses a “Facility.” We believe that
“RC” was inadvertently left out. b. In the first row, entities such as a BA, TO, GO, GOP, or DP would
not know whether damage or destruction of one of its Facilities either “Affects an IROL (per FAC-014)”
or “Results in the need for actions to avoid an Adverse Reliability Impact.” FAC-014-2, R5.1.1 requires
Reliability Coordinators provide information for each IROL on the “Identification and status of the
associated Facility (or group of Facilities) that is (are) critical to the derivation of the IROL” to entities
that do NOT include the entities listed above. And frankly, those entities would not need to know. The
reporting requirements associated with “Damage or destruction of a Facility” need to be changed so
that the criteria for reporting by an entity whose Facilities experience damage or destruction does not
rely upon information that the entity does not possess. c. A possible route to achieve the results in b.
above is described below: i. All Facilities that are damaged or destroyed that “Results from actual or
suspected intentional human action” would be reported to the ERO by the entity experiencing the
damage or destruction. ii. All Facilities that are damaged or destroyed OTHER THAN THAT due to an
“actual or suspected intentional human action” would be reported to the RC by the entity experiencing
the damage or destruction. Based upon those reports, the RC would be required to report whether the
reported damage or destruction of a Facility “Affects an IROL (per FAC-010)” or “Results in the need
for actions to Avoid an Adverse Reliability Consequence.” (The RC may need to modify its data
specifications in IRO-010-1a - Reliability Coordinator Data Specification and Collection - to specify
outages due to “damage or destruction of a Facility.” We also note that “DP” is not included in
IRO-010-1a, but “LSE” is included. DPs are required to also register as LSEs if they meet certain criteria.
See the “Statement of Compliance Registry Criteria, Rev. 5.0”, p.7. For this reason, we suggest that
DP be replaced with LSE in EOP-004-2.) d. To implement the changes in c. above, we suggest that
the first row be divided into two rows: i. FIRST ROW: This would be like the existing first row on page
18, except “RC” would be added to the column for “Entity with Reporting Responsibility” and the only
reporting threshold would be “Results from actual or suspected intentional human action.” ii.
SECOND ROW: The Event would be “Damage or destruction of a Facility of a BA, TO, TOP, GO, GOP,
or LSE,” the Entity, the Reporting Responsibility would be “The RC that has the BA, TOP, GO, GOP, or
LSE experiencing the damage or destruction in its area,” and the Threshold for Reporting would be
“Affects an IROL (per FAC-010)” or “Results in the need for actions to avoid an Adverse Reliability
Consequence.”
Yes
Group
Dominion
Connie Lowe
No
While Dominion believes these are positive changes, we are concerned that placing actual calls to
each of the “other organizations needed for the event type; i.e. the Regional Entity; company
personnel; the Responsible Entity’s Reliability Coordinator; law enforcement, governmental or
provincial agencies” may be seen by one or more of those called as a ‘nuisance call’. Given the intent
is to insure validity of the contact information (phone number, email, etc), we suggest revising the
standard language to support various forms of validation to include, documented send/receipt of
email, documented verification of phone number (use of phone book, directory assistance, etc).
Yes
Comments: While Dominion agrees that the revisions are a much appreciated improvement, we are
concerned that Attachment 1 does not explicitly contain the ‘entities which must be, at a minimum,
notified. Attachment 2 appears to indicate that only the ERO and the Reliability Coordinator for the
Entity with Reporting Responsibility need be informed. However, the background section indicates
that the Entity with Reporting Responsibility is also expected to contact local law enforcement. We
therefore suggest that Attachment 2 be modified to include local law enforcement. Page 26 redline;
Attachment 1; Event – Damage or destruction of a Facility; Threshold for Reporting – Results from
actual or suspected intentional human action; Dominion is concerned with the ambiguity that this
could be interpreted as applying to distribution. Page 27 redline; Attachment 1; Event – Any physical
threat that could impact the operability of a Facility; Dominion is concerned the word “could” is
hypothetical and therefore unverifiable and un-auditable. The SDT could provide a list of hypothetical
“could impact” events, as well as a specific definition and method for determining a specific physical
impact threshold for “could impact” events other than “any.”
Yes
While Dominion supports this addition, we suggest adding to the sentence “NERC will establish a
system to collect report forms as established for this section or reliability standard…..”
Dominion believes that the reporting of “Any physical threat that could impact the operability of a
Facility4” may overwhelm the Reliability Coordinator staff with little to no value since the event may
have already passed. This specific event uses the phrase “operability of a Facility” yet “operability” is
not defined and is therefore ambiguous. We do support the reporting to law enforcement and the ERO
but do not generally support reporting events that have passed to the Reliability Coordinator.
Attachment 2; section 4 Event Identification and Description: The type of events listed should match
the events as they are exactly written in Attachment 1. As it is currently written, it leaves room for
ambiguity. M3 – Dominion objects to having to provide additional supplemental evidence (i.e.
operator logs), and the SDT may want to include a requirement for NERC to provide a confirmation
that the report has been received.
Individual
Terry Harbour
MidAmerican Energy
No
See the NSRF comments. The real purpose of this requirement appears to be to assure operators are
trained in the use of the procedure, process, or plan that assures proper notification. PER-005 already
requires a systematic approach to training. Reporting to other affected entities is a PER-005 system
operator task. Therefore this requirement is already covered by PER-005 and is not required.
Organizations are also required to test their response to events in accordance with CIP-008 R1.6.
Therefore this requirement is covered by other standards and is not needed. Inclusion of this standard
would place entities in a double or possible triple jeopardy. The SDT may need to expand M3
reporting options, by stating “… that the annual test of the communication process of 1.2 (e.g.
communication via e-mail, fax, phone, etc.) was conducted”. R4 is an administrative requirement with
little reliability value and should be deleted. It would likely be identified as a requirement that
should be eliminated as part of the request by FERC to identify strictly administrative requirements in
FERC’s recent order on FFTR.
No
Several modifications need to be made to Table 1 to enhance clarity and delete unnecessary or
duplicate items. The stated reliability objective of EOP-004 and the drafting team is to reduce and
prevent outages which could lead to cascading through reporting. It is understood that the EOP-004
Attachment 1 is to cover similar items to the DOE OE-417 form. Last, remember that FERC recently
asked the question of what standards did not provide system reliability benefits. Those reports that
cannot show a direct threat to a potential cascade need to be eliminated. Table 1 should always align
with the cascade risk objectives and OE-417 where possible. Therefore Table 1 should be modified as
follows: 1. Completely divorce CIP-008 from EOP-004. Constant changes, the introduction of new
players such as DOE and DHS, and repeated congressional bills, make coordination with CIP-008
nearly impossible. Cyber security and operational performance under EOP-004 remain separate and
different despite best efforts to combine the two concepts. 2. Modify R1.2 to state that ERO
notification only is required for Table 1. This is similar to the DOE OE-417 notification. Notification of
other entities is a best practice, not a mandatory NERC standard. If entities want to notify
neighboring entities, they may do so as a best practice guideline. 3. Better clarity for communicating
each of the applicable events listed in the EOP-004 Attachment 1 in accordance with the timeframes
specified are needed. MidAmerican suggests a fourth column be added to the table to clearly identify
who must be notified within the specified time period or at a minimum, that R1.2 be revised to clearly
state that only the ERO must be notified to comply with the standard. 4. Consolidate OE-417 concepts
on physical attack and cyber events by consolidating OE-417 items 1, 2, 9 and 10 to: Verifiable,
credible, and malicious physical damage (excluding natural weather events) to a BES generator, line,
transformer, or bus that when reported requires an appropriate Reliability Coordinator or Balancing
Authority to issue an Energy Emergency Alert Level 2 or higher. The whole attempt to discuss a NERC
Facility and avoid adverse reliability impacts overreaches the fundamental principle of reporting for an
emergency that could result in a cascade. 5. The wording “affects an IROL (per FAC-014),” is too
vague and not measurable. Many facilities could affect an IROL, but fewer facilities if lost would cause
an IROL. Change “affects” to “results in” 6. Recommend that Adverse Reliability Impact be deleted
and be replaced with actual EEA 2 or EEA 3 level events. 7. The phrase “results from actual or
suspected intentional human action” is vague and not measurable. This line item used the term
“suspected” which relates to “sabotage”. MidAmerican recommends that “Results from actual or
suspected intentional human action” be deleted. If not deleted the phrase should be replaced with
“Results from verifiable, credible, and malicious human action intended to damage the BES.” 8. Delete
“Any physical threat…” as vague, and difficult to measure in a “perfect” zero defect audit
environment, and as already covered by item 1 above. If not deleted, at a minimum replace “Any
physical threat”, with “physical attack” as being measurable and consistent with DOE OE-417. 9.
With the use of “i.e.” the SDT is mandating that each other entity must be contacted. The NSRF
believes that the SDT meant that “e.g.” should be used to provide examples. The SDT may wish to
add another column to Attachment 1 to provide clarity. 10. The phrase “or partial loss of monitoring
capability” is too vague and should be deleted. In addition, the 30 minute window is too short for EMS
and IT staff to effectively be notified and troubleshoot systems before being subjected to a federal law
requiring reporting and potential violations. The time frame should be consistent with the EOP-008
standard. If not deleted, replace with “Complete loss of SCADA affecting a BES control center for ≥ 60
continuous minutes such that analysis tools of State Estimator and/or Contingency Analysis are
rendered inoperable.” 11. Transmission loss should be deleted. The number of transmission elements
out does not directly correlate to BES stability and cascading. For that reason alone, this item should
be deleted or it would have already been included in the past EOP-004 standard. In addition, large
footprints can have multiple storms or weather events resulting in normal system outages. This
should not be a reportable event that deals with potential cascading. 12. Modify the threshold of “BES
emergency requiring a public appeal…” to include, “Public appeal for a load reduction event resulting
from a RC or BA implementing its emergency energy and capacity plans documented in EOP-001.”
Public appeals for conservation that aren't used to avoid capacity and energy emergencies should be
clearly excluded. 13. Add a time threshold to complete loss of off-site power to a nuclear plant.
Nuclear plants are to have backup diesel generation that last for a minimum amount of time. A
threshold recognizing this 4 hour or longer window needs to be added such as complete loss of offsite power to a nuclear plant for more than 4 hours. Also see the NSRF comments.
No
See the NSRF comments. The NERC Rules of Procedure Section 807 already addresses the
dissemination of Disturbance data, as does Appendix 8 Phase 1 with the activation of NERC’s crisis
communication plan, and the ESISAC Concept of Operations. The addition of proposed Section 812 is
not necessary. The Reliability Coordinator, through the use of the RCIS, would disseminate reliability
notifications if it is in turn notified per R1.2. (As stated in the Clean copy of EOP-004-2)
See the NSRF comments.
Individual
Brenda Lyn Truhe
PPL Electric Utilities
Yes
Yes
PPL EU thanks the SDT for the changes made in this latest proposal. We feel our prior comments were
addressed. Regarding the event 'Transmission Loss': For your consideration, please consider adding a
footnote to the event ‘Transmission Loss’ such that weather events do not need to be reported. Also
please consider including 'operation contrary to design' in the threshold language. E.g. consistent with
the NERC Event Analysis table, the threshold would be, ‘Unintentional loss, contrary to design, of
three or more BES Transmission Facilities.’
Yes
We appreciate the inclusion of the Process Flowchart on Page 9 of the draft standard. We submit for
your consideration, removing the line from the NO decision box to the ‘Report Event to ERO,
Reliability Coordinator’ box. It seems if the event does not need reporting per the decision box, this
line is not needed. For clarity in needed actions, please consider using a decision box following
flowcharting standards such as, a decision box containing a question with a Yes and a No path. The
decision box on ‘Report to Law Enforcement ?’ does not have a Yes or No. Perhaps, this decision box
is misplaced, or is it intended to occur always and not have a different path with different actions? I.e.,
should it be a process box? Thank you for your work on this standard.
Individual
John Martinsen
Public Utility District No. 1 of Snohomish County
Yes
This is an excellent improvement over the prior CIP and EOP versions. However, please see #4 for
overall comment.
This is an excellent improvement over the prior CIP and EOP versions. However, please see #4 for
overall comment.
No
This type of activity and process is better suited to NAESB than it is to NERC Compliance.
SNPD suggests moving these administrative activities to NAESB. R1: There is merit in having a plan as
identified in R1, but is this a need to support reliability or is it a business practice? Should it be in
NAESB’s domain? R2, R3 & R4: These are not appropriate for a Standard. If you don’t annually review
the plan, will reliability be reduced and the BES be subject to instability, separation and cascading? If
DOE needs a form filled out, fill it out and send it to DOE. NERC doesn’t need to pile on. Gerry Cauley
and Mike Moon have been stressing results and risk based, actual performance based, event analysis,
lessons learned and situational awareness. EOP-004 is primarily a business preparedness topic and
identifies administrative procedures that belong in the NAESB domain.
Individual
Russell A. Noble
Cowlitz County PUD
Yes
Yes
Yes
Cowlitz is pleased with changes made to account for the difficulties small entities have in regard to
reporting time frames. Although Cowlitz is confident that the current draft is manageable for small
entities, we propose that the resulting reports this Standard will generate will contain many
insignificant events from the event types “Damage or destruction of a Facility,” and “Any physical
threat that could impact the operability of a Facility.” In particular, examples would be limited target
practice on insulators, car-pole accidents, and accidental contact from tree trimming or construction
activities. Cowlitz suggests that at least a >= 100 MW (200 MW would be better) and/or >= N-2
impact threshold be established for these event types. Also, Cowlitz suggests the statement “results
from actual or suspected intentional human action” be changed to “results from actual or suspected
intentional human action to damage or destroy a Facility.” A human action may be intentional which
can result in damage to a facility, but the intent may have been of good standing, and not directed at
the Facility. For example, the intent may have been to legally harvest a tree, or move equipment
under a line. Cowlitz believes the above proposed changes would benefit the ERO, both in reduction of
nuisance reports and possible violations over minimal to no impact BES events.
Group
SPP Standards Review Group
Robert Rhodes
No
There needs to be a more granular definition of which entities should be included in the annual testing
requirement in R3. To clarify what must be tested we propose the following language to replace the
last sentence in M3. The annual test requirement is considered to be met if the responsible entity
implements any communications process in the Operating Plan during an actual event. If no actual
event was reported during the year, at least one of the communication processes in the Operating
Plan must be tested to satisfy the requirement. We do not believe the time-stamping requirement in
M3 and M4 contributes to the reliability of the BES. A dated review should be sufficient.
No
To obtain an understanding of the drivers behind the events in Attachment 1, we would like to see
where these events come from. If the events are required in standards, refer to them. If they are in
the existing event reporting list, indicate so. If they are coming from the EAP, let us know. We have a
concern that, as it currently exists, Attachment 1 can increase our reporting requirements
considerably. We also have concerns about what appears to be a lack of coordination between EAP
reporting requirements and those contained in Attachment 1. For example, the EAP reporting
requirement is for the complete loss of monitoring capability whereas Attachment 1 adds the
requirement for reporting a partial loss of monitoring capability. It appears that some of the EAP
reporting requirements are contained in Attachment 1. We have concerns that this is beyond the
scope of the SAR and should not be incorporated in this standard. We have concerns with several of
the specific event descriptions as contained in Attachment 1: Damage or destruction of a Facility – We
are comfortable with the proposed definition of Adverse Reliability Impact but have concerns with the
existing definition of ARI. Any physical threat that could impact the operability of a Facility1 – We take
exception to this event in that it goes beyond what is currently required in EOP-004-1, including DOE
reporting requirements, and the EAP reporting requirements. We do not understand the need for this
event type and object to the potential for excessive reporting required by such an event type.
Additionally, we are concerned about the potential for multiple reporting of a single event. This same
concern applies to several other events including Damage or destruction of a Facility, Loss of firm load
for ≥ 15 minutes, System separation, etc. When multiple entities are listed as the Entity with
Reporting Responsibility, Attachment 1 appears to require each entity in the hierarchy to submit a
report. There should only be one report and it should be filed by the entity owning the event. The SDT
addressed this issue in its last posting but the issue still remains and should be reviewed again. BES
Emergency resulting in automatic firm load shedding – For some reason, not stipulated in the
Consideration of Comments, the action word in the Entity with Reporting Responsibility was changed
from ‘experiences’ to ‘implements’. We recommend changing it back to ‘experiences’. Automatic load
shedding is not implemented. It does not require human intervention. It’s automatic. Voltage
deviation on a Facility – Similar to the comment on automatic load shedding above, the action word
was changed from ‘experiences’ to ‘observes’. We again recommend that it be changed back to
‘experiences’. Using observes obligates a TOP, who is able to see a portion of a neighboring TOP’s
area, to submit a report if that TOP observed a voltage deviation in the neighboring TOP’s area. The
only reporting entity in this event should be the TOP within whose area the voltage deviation
occurred. Complete or partial loss of monitoring capability – Clarification on partial loss of monitoring
capability and inoperable are needed. Also, the way the Threshold is written, it implies that a State
Estimator and Contingency Analysis are required. To tone this down, insert the qualifier ‘such as’ in
front of State Estimator.
No
We have two concerns about the proposed change to the RoP. One, we have concerns that our
information and data will be circulated to an as yet undetermined audience which appears to be solely
under NERC’s control. Secondly, there isn’t sufficient detail in the clearinghouse concept to support
comments at this time.
The VRF for R1 is Lower which is fine. The issue is that R4, which is the review of the plan contained
in R1, has a Medium VRF. We recommend moving the VRF of R4 to Lower. We recommend deleting
the phrase ‘…supplemented by operator logs or other operating documentation…’ as found in the first
sentence of M2. A much clearer reference is made to operator logs and other operating
documentation in the second sentence. The duplication is unnecessary. What will happen with the
accompanying information contained in the Background section in the draft standard? Will it be
moved to the Guideline and Technical Basis at the end of the standard as the information contained in
the text boxes? This is valuable information and should not be lost.
Group
Florida Municipal Power Agency
Frank Gaffney
No
First, FMPA believes the standard is much improved from the last posting and we thank the SDT for
their hard work. Having said that, there are still a number of issues, mostly due to ambiguity in
terms, which cause us to vote Negative. R3 and R4 should be combined into a single requirement with
two subparts, one for annual testing, and another to incorporate lessons learned from the annual
testing into the plan (as opposed to an annual review). The word “test” is ambiguous as used in R3,
e.g., does a table top drill count as a “test”? Is the intent to “test” the plan, or “test” the phone
numbers, or what?
No
The bullet on “any physical threat” is un-measurable. What constitutes a “threat”? FMPA likes the
language used in the comment form discussing this item concerning the judgment of the Responsible
Entity, but, the way it is worded in Attachment 1 will mean the judgment of the Compliance
Enforcement Authority, not the Responsible Entity. Presumably, the Responsible Entity will need to
develop methods to identify physical threats in accordance with R1; hence, FMPA suggests rewording
to: “Any physical threat recognized by the Responsible Entity through processes established in R1
bullet 1.1”. We understand this introduces circular logic, but, it also introduces the “judgment of the
Responsible Entity” into the bullet. On the row of the table on voltage deviation, replace the word
“observes” with “experiences”. It is possible for one TOP to “observe” a voltage deviation on another
TOP’s system. It should be the responsibility of the TOP experiencing the voltage deviation on its
system to report, not the one who “observes”. On the row on islanding, it does not make sense to
report islanding for a system with load less than the loss of load metrics and we suggest using the
same 300 MW threshold for a reporting threshold. On the row on generation loss, some clarification
on what type of generation loss (especially in the time domain) would help it be more measurable,
e.g., concurrent forced outages. On the row on transmission loss, the same clarity is important, e.g.,
three or more concurrent forced outages. On the row on loss of monitoring, while FMPA likes the
threshold for “partial loss of monitoring capability” for those systems that have State Estimators,
small BAs and TOPs will not need or have State Estimators and the reporting threshold becomes
ambiguous. We suggest adding something like loss of monitoring for 25% of monitored points for
those BAs and TOPs that do not have State Estimators.
Yes
In R1, bullet, it is a bit ambiguous whether the list of organizations to be communicated with is an
exhaustive list (i.e.) or a list of examples (e.g.). The list is preceded by an “i.e.” which indicates the
former, but includes an “or” which indicates the latter. We are interpreting this as meaning the list is
exhaustive as separated by semi-colons, but that the last phrase separated by commas is a list of
examples. Is this the correct interpretation? The Rules of Procedure language for data retention (first
paragraph of the Evidence Retention section) should not be included in the standard, but instead
referred to within the standard (e.g., “Refer to Rules of Procedure, Appendix 4C: Compliance
Monitoring and Enforcement Program, Section 3.1.4.2 for more retention requirements”) so that
changes to the RoP do not necessitate changes to the standard.
Group
LG&E and KU Services
Brent Ingebrigtson
Yes
No
The SDT should consider more clearly defining the Threshold for Reporting for the Event: “Any
physical threat that could impact the operability of a Facility” to only address those events that have
an Adverse Reliability Impact. Some proposed language might be: “Threat to a Facility excluding
weather related threats that could result in an Adverse Reliability Impact.” For those events
specifically defined in the ERO Events Analysis Process, the SDT should consider revising the language
to be more consistent with the language included in the ERO Events Analysis Process. Here is some
recommended language: 1. EVENT: Transmission loss THRESHOLD FOR REPORTING: “Unintentional
loss, contrary to design, of three or more BES Transmission Facilities (excluding successful automatic
reclosing) caused by a common disturbance.” 2. EVENT: “Complete or partial loss of monitoring
capability” – could be revised to read “Complete loss of SCADA control or monitoring functionality”
THRESHOLD FOR REPORTING: “Affecting a BES control center for ≥ 30 continuous minutes such that
analysis tools (e.g. State Estimator, Contingency Analysis) are rendered inoperable”.
Yes
The Violation Severity Level for Requirement R2 should be revised to read “...hours after recognizing
an event requiring reporting…” This will make the language in the VSL consistent with the language in
Attachment 1.
Individual
Thomas Washburn
FMPP
See FMPA's comments
Group
MRO NSRF
WILL SMITH
No
R3 states: Each Responsible Entity shall conduct an annual test, not including notification to the
Electric Reliability Organization, of the communications process in Part 1.2. R1.2 states: A process for
communicating each of the applicable events listed in EOP-004 Attachment 1 in accordance with the
timeframes specified in EOP-004 Attachment 1 to the Electric Reliability Organization and other
organizations needed for the event type; i.e. the Regional Entity; company personnel; the
Responsible Entity’s Reliability Coordinator; law enforcement, governmental or provincial agencies.
With the use of “i.e.” the SDT is mandating that each other entity must be contacted. The NSRF
believes that the SDT meant that “e.g.” should be used to provide examples. The SDT may wish to
add another column to Attachment 1 to provide clarity. R3 requires an annual test that would include
notification of: “other organizations needed for the event type; i.e. the Regional Entity; company
personnel; the Responsible Entity’s Reliability Coordinator; law enforcement, governmental or
provincial agencies.” Since NERC sees no value in receiving these test notifications, we are doubtful
other entities identified in R1.2 would find them of value. The real purpose of this requirement
appears to be to assure operators are trained in the use of the procedure, process, or plan that
assures proper notification. PER-005 already requires a systematic approach to training. It is hard to
comprehend an organization not identifying this as a Critical Task, and if they failed to identify it as a
Critical Task that this would not be a violation. Therefore this requirement is not required.
Furthermore organizations test their response to events in accordance with CIP-008 R1.6. Therefore
this requirement is covered by other standards and is not needed. The SDT may need to address this
within M3, by stating “… that the annual test of the communication process of 1.2 (e.g.
communication via e-mail, fax, phone, etc.) was conducted”. R4 states: Each Responsible Entity shall
conduct an annual review of the event reporting Operating Plan in Requirement R1. We question the
value of requiring an annual review. If the Standard does not change, there seems little value in
requiring an annual review. This appears to be an administrative requirement with little reliability
value. It would likely be identified as a requirement that should be eliminated as part of the
request by FERC to identify strictly administrative requirements in FERC’s recent order on FFTR. We
suggest it be eliminated.
No
R1.2 states: A process for communicating each of the applicable events listed in EOP-004 Attachment
1 in accordance with the timeframes specified in EOP-004 Attachment 1 to the Electric Reliability
Organization and other organizations needed for the event type; i.e. the Regional Entity; company
personnel; the Responsible Entity’s Reliability Coordinator; law enforcement, governmental or
provincial agencies. This implies not only does NERC need to be notified within the specified time
period but that: “other organizations needed for the event type; i.e. the Regional Entity; company
personnel; the Responsible Entity’s Reliability Coordinator; law enforcement, governmental or
provincial agencies.” are also required to be notified within the time periods specified. We suggest a
fourth column be added to the table to clearly identify who must be notified within the specified time
period or that R1.2 be revised to clearly state that only NERC must be notified to comply with the
standard. With the use of “i.e.” the SDT is mandating that each other entity must be contacted. The
NSRF believes that the SDT meant that “e.g.” should be used to provide examples. The SDT may wish
to add another column to Attachment 1 to provide clarity. Also with regards to Attachment 1, the
following comments are provided: 1. Instead of referring to CIP-008 (in the 1 hour reporting section),
quote the words from CIP-008, this will require coordination of future revisions but will assure clarity
in reporting requirements. 2. Under “Damage or destruction of a Facility” a. The wording “affects an
IROL (per FAC-014),” is too vague. Many facilities could affect an IROL, not as many if lost would
cause an IROL. b. Adverse Reliability Impact is defined as: “The impact of an event that results in
frequency-related instability; unplanned tripping of load or generation; or uncontrolled separation or
cascading outages that affects a widespread area of the Interconnection.” There are an infinite
number of routine events that result in the loss of generation plants due to inadvertent actions that
somehow also damaged equipment. Any maintenance activity that damaged a piece of equipment
that causes a unit to trip or results in a unit being taken off line in a controlled manner would now be
reportable. This seems to be an excessive reporting requirement. Recommend that Adverse Reliability
Impact be deleted and be replaced with actual EEA 2 or EEA 3 level events. c. The phrase “Results
from actual or suspected intentional human action.” This line item used the term “suspected” which
relates to “sabotage”. Recommend the following: Results from actual or malicious human action
intended to damage the BES. 3. “Any physical threat that could impact the operability of a Facility1”
The example provided by the drafting team of a train derailment exemplifies why this requirement
should be deleted. A train derailment of a load of bananas more than likely would not threaten a
nearby BES Facility. However a train carrying propane that derails carrying propane could even if it
were 10 miles away. Whose calculation will be used to determine if an event could have impacted the
asset? As worded there is too much ambiguity left to the auditor. We suggest the drafting team clarify
by saying “Any event that requires a BES site be evacuated for safety reasons.” Furthermore if
weather events are excluded, we are hard pressed to understand why this information is important
enough to report to NERC. So barring an explanation of the purpose of this requirement, including
why weather events would be excluded, we suggest the requirement be deleted. Please note that if
you align this with “Physical attack” with #1 of the OE-417. This clearly states what the SDT is
looking for. 4. The phrase “or partial loss of monitoring capability” is too vague. Further definitions of
“inoperable” are required to assure consistent application of this requirement. Recommend that
“Complete loss of SCADA affecting a BES control center for ≥ 30 continuous minutes such that
analysis tools of State Estimator and/or Contingency Analysis are rendered inoperable. Or, Complete
loss of the ability to perform a State Estimator or Contingency Analysis function, the threshold of 30
mins is too short. A 60 min threshold will align with EOP-008-1, R1.8. Since this is the time to
implement the contingency back up control center plan. 5. Event: Voltage deviation on a Facility. ATC
believes that the term “observes” for Entity with Reporting Responsibility be changed back to
“experiences” as originally written. The burden should rest with the initiating entity in consistency
with other Reporting Responsibilities. Also, for Threshold for Reporting, ATC believes the language
should be expanded to - plus or minus 10% “of target voltage” for greater than or equal to 15
continuous minutes. 6. Event: Transmission loss. ATC recommends that Threshold for Reporting be
changed to read “Unintentional loss of four, or more Transmission Facilities, excluding successful
automatic reclosing, within 30 seconds of the first loss experienced and for 30 continuous minutes.
Technical justification or Discussion for this recommended change: In the instance of a transformer-line-transformer scenario commonly found close-in to Generating stations, consisting of 3 defined
“facilities”, 1 lightning strike can cause automatic unintentional loss by design. Increase the number
of facilities to 4. In a normal shoulder season day, an entity may experience the unintentional loss of
a 138kv line from storm activity, at point A in the morning, a loss of a 115kv line from a different
storm 300 miles from point A in the afternoon, and a loss of 161kv line in the evening 500 miles from
point A due to a failed component, if it is an entity of significant size. Propose some type of time
constraint. Add time constraint as proposed, 30 seconds, other than automatic reclosing. In the event
of dense lightning occurrence, the loss of multiple transmission facilities may occur over several
minutes to several hours with no significant detrimental effect to the BES, as load will most certainly
be affected (lost due to breaker activity on the much more exposed Distribution system) as well. Any
additional loss after 30 seconds must take into account supplemental devices with intentional relay
time delays, such as shunt capacitors, reactors, or load tap changers on transformers activating as
designed, arresting system decay. In addition, Generator response after this time has significant
impact. Please clarify or completely delete why this is included within this version when no basis has
been given and it is not contained within the current enforceable version. 7. Modify the threshold of
“BES emergency requiring a public appeal…” to include, “Public appeal for a load reduction event
resulting from a RC or BA implementing its emergency operators plans documented in EOP-001.” The
reason is that normal public appeals for conservation should be clearly excluded. 8. Add a time
threshold to complete loss of off-site power to a nuclear plant. Nuclear plants are to have backup
diesel generation that last for a minimum amount of time. A threshold recognizing this 4 hour or
longer window needs to be added such as complete loss of off-site power to a nuclear plant for more
than 4 hours. 9. Delete “Transmission loss”. The loss of a specific number of elements has no direct
bearing on the risk of a system cascade. Faults and storms can easily result in “unintentional” the loss
of multiple elements. This is a flawed concept and needs to be deleted.
Yes
ATC believes that the NERC Rules of Procedure Section 807 already addresses the dissemination of
Disturbance data, as does Appendix 8 Phase 1 with the activation of NERC’s crisis communication
plan, and the ESISAC Concept of Operations. The addition of proposed Section 812 is not necessary.
The Reliability Coordinator, through the use of the RCIS, would disseminate reliability notifications if it
is in turn notified per R1.2. (As stated in the Clean copy of EOP-004-2)
R1 states: “Each Responsible Entity shall have an event reporting Operating Plan that includes:” The
definition of Operating Plan is: “A document that identifies a group of activities that may be used to
achieve some goal. An Operating Plan may contain Operating Procedures and Operating Processes. A
company-specific system restoration plan that includes an Operating Procedure for black-starting
units, Operating Processes for communicating restoration progress with other entities, etc., is an
example of an Operating Plan.” This appears to us to be too prescriptive and could be interpreted to
require a series of documents for reporting issues to NERC. We suggest the following wording: R1.
Each Responsible Entity shall have document methodology(ies) or process(es) for: 1.1. Recognizing
each of the applicable events listed in EOP-004 Attachment 1. 1.2. Reporting each of the applicable
events listed in EOP-004 Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization. LES Comment: [R1] We are concerned by the
significant amount of detail an entity would be required to contain within the Operating Plan as part of
Requirement R1. Rather than specifying an entity must have a documented process for recognizing
each of the events listed in EOP-004-2 Attachment 1, at a minimum, consider removing the term
“process” in R1.1 and replacing with “guideline” to ensure operating personnel are not forced to
adhere to a specific sequence of steps and still have the flexibility to exercise their own judgment.
Section 5 of the standard (Background) should be moved to the Guideline and Technical Basis
document. A background that long does not belong in the standard piece as it detracts from the intent
of the standard itself.
Group
Progress Energy
Jim Eckelkamp
No
It should be clear that the Operating Plan can be multiple procedures. It is an unnecessary burden to
have entities create a new document outlining the Operating Plan. Having to create a new Operating
Plan would not improve reliability and would further burden limited resources. The annual testing
required by R3 should be clarified. Do all communication paths need to be annually tested or just one
path? An actual event may only utilize one communication 'leg' or 'path' and leave others untested
and unutilized. Entities may have a corporate level procedure that 'hand-shakes' with more localized
procedures that make up the entire Operating Plan. Must all communications processes be tested to
fulfill the requirement? If an entity has 'an actual event' it is not necessarily true that their Operating
Plan has been exercised completely, yet this one 'actual event' would satisfy M3 as written.
Within attachment 1 (Reportable Events) an exclusion is allowed for weather related threats. PGN
recommends a more generic approach to include natural events such as forest fires, sink holes, etc.
This would alleviate some reporting burdens in areas that are prone to these types of events.
Individual
Bob Thomas
Illinois Municipal Electric Agency
No
IMEA reluctantly (in recognition of the SDT's efforts and accomplishments to date) cast a Negative
vote for this project primarily based on R3 because it is attempting to fix a problem that does not
exist and impacts small entity resources in particular. IMEA is not aware of seeing any information
regarding a trend, or even a single occurrence for that matter, in a failure to report an event due to
failure in reporting procedures. A small entity is less likely to experience a reportable event, and
therefore is less likely to be able to take advantage of the provision in M3 to satisfy the annual testing
through implementation of an actual event. If there is a problem that needs to be fixed, it would
make much more sense to replace the language in R3 with a simple requirement for the RC, BA, IC,
TSP, TOP, etc. to inform the TO, DP, LSE if there is a change in contact information for reporting an
event. It is hard to believe that an RC, BA, IC, TSP, TOP, etc. is going to want to be annually handling
numerous inquiries from entities regarding the accuracy of contact information. The impact of
unnecessary requirements on entity resources, particularly small entities', is finally starting to get
some meaningful attention at NERC and FERC. It would be a mistake to adopt another unnecessary
requirement as currently specified in R3.
No
Illinois Municipal Electric Agency supports comments submitted by Florida Municipal Power Agency.
No
Illinois Municipal Electric Agency supports comments submitted by ATC.
Illinois Municipal Electric Agency supports comments submitted by Florida Municipal Power Agency.
Individual
Andrew Z. Pusztai
American Transmission Company, LLC
No
ATC recommends eliminating R4 altogether. If R3, the annual test, is conducted as part of the
Operating Plan, R4 is merely administrative, and does not add value to reliability.
No
ATC is proposing changes to the following Events in Attachment 1: (Reference Clean Copy of the
Standard) 1) Pg. 18/ Event: Any Physical threat that could impact the operability of a Facility. ATC is
proposing a language change to the Threshold- “Meets Registered Entities criteria stated in its Event
Reporting Operating Plan, in addition to excluding weather.” 2) Pg. 19 / Event: Voltage deviation on a
Facility. ATC believes that the term “observes” for Entity with Reporting Responsibility be changed
back to “experiences” as originally written. The burden should rest with the initiating entity in
consistency with other Reporting Responsibilities. Also, for Threshold for Reporting, ATC believes the
language should be expanded to - plus or minus 10% “of target voltage” for greater than or equal to
15 continuous minutes. 3) Pg. 19/ Event: Transmission loss. ATC recommends that Threshold for
Reporting be changed to read “Unintentional loss of four, or more Transmission Facilities, excluding
successful automatic reclosing, within 30 seconds of the first loss experienced and for 30 continuous
minutes.” Technical justification or Discussion for this recommended change: In the instance of a
transformer-line-transformer, scenario commonly found close-in to Generating stations, consisting of
3 defined “facilities”, 1 lightning strike can cause automatic unintentional loss by design. Increase the
number of facilities to 4. In a normal shoulder season day, an entity may experience the unintentional
loss of a 138kv line from storm activity, at point A in the morning, a loss of a 115kv line from a
different storm 300 miles from point A in the afternoon, and a loss of 161kv line in the evening 500
miles from point A due to a failed component, if it is an entity of significant size. Propose some type
of time constraint. Add time constraint as proposed, 30 seconds, other than automatic reclosing. In
the event of dense lightning occurrence, the loss of multiple transmission facilities may occur over
several minutes to several hours with no significant detrimental effect to the BES, as load will most
certainly be affected (lost due to breaker activity on the much more exposed Distribution system) as
well. Any additional loss after 30 seconds must take into account supplemental devices with
intentional relay time delays, such as shunt capacitors, reactors, or load tap changers on transformers
activating as designed, arresting system decay. In addition, Generator response after this time has
significant impact. 4) Pg.20 /Event: Complete or partial loss of monitoring capability. ATC
recommends that the term “partial” be deleted from the event description. ATC recommends that the
term “partial” be deleted for the Entity with Reporting Responsibility and changed to read: Each RC,
BA, and TOP that experiences the complete loss of monitoring capability.
No
ATC believes that the NERC Rules of Procedure Section 807 already addresses the dissemination of
Disturbance data, as does Appendix 8 Phase 1 with the activation of NERC’s crisis communication
plan, and the ESISAC Concept of Operations. The addition of proposed Section 812 is not necessary.
The Reliability Coordinator, through the use of the RCIS, would disseminate reliability notifications if it
is in turn notified per R1.2. (As stated in the Clean copy of EOP-004-2)
Individual
Brenda Frazer
Edison Mission Marketing & Trading, Inc.
Yes
Yes
Yes
No
Group
PPL Corporation NERC Registered Affiliates
Stephen J. Berger
Yes
No
1.) PPL Generation thanks the SDT for the changes made in this latest proposal. We feel our previous
comments were addressed. PPL Generation offers the following additional comments. Regarding the
event ‘Transmission Loss’: For your consideration, please consider adding a footnote to the event
‘Transmission Loss’ such that weather events do not need to be reported. Also please consider
including operation contrary to design in the language and not just in the example. E.g. consistent
with the NERC Event Analysis table, the threshold would be, ‘Unintentional loss, contrary to design, of
three or more BES Transmission Facilities.’ 2.) PPL Generation proposes the following changes in
Attachment 1 to the first entry in the “Threshold for Reporting” column to make it clear that
independent GO/GOPs are required to act only within their sphere of operation and based on the
information that is available to the GO/GOPs: Damage or destruction of a Facility that: Affects an
IROL (per FAC-014, not applicable to GOs and GOPs) OR Results in the need for actions to avoid an
Adverse Reliability Impact (not applicable to GOs and GOPs) OR Results from actual or suspected
intentional human action (applicable to all).
Yes
We appreciate the inclusion of the Process Flowchart on Page 9 of the draft standard. We submit for
your consideration, removing the line from the NO decision box to the ‘Report Event to ERO,
Reliability Coordinator’ box. It seems if the event does not need reporting per the decision box, this
line is not needed. The decision box on ‘Report to Law Enforcement ?’ does not have a Yes or No.
Perhaps, this decision box is misplaced, or is it intended to occur always and not have a different path
with different actions? I.e., should it be a process box? Thank you for your work on this standard.
Individual
Kenneth A Goldsmith
Alliant Energy
No
In the first Event for twenty four hour reporting, the last item in “Threshold for Reporting” should be
revised to “Results from actual or suspected intentional malicious human action.” An employee may
be performing maintenance and make a mistake, which could impact the BES. In the second Event for
twenty four hour reporting the event should be revised to “Any physical attack that could impact the
operability of a Facility.” Alliant Energy believes this is clearer and easier to measure.
Section 5 of the standard (Background) should be moved to the Guideline and Technical Basis
document. A background that long does not belong in the standard piece as it detracts from the intent
of the standard itself.
Individual
Eric Salsbury
Consumers Energy
No
The term "Facility" seems to be much more broad and even more vague than the use of BES
equipment. We recommend reverting back to use of BES equipment.
Group
Hydro One
Sasa Maljukan
No
In the Requirement R3, we suggest adding the following wording from Measure M3 to the end of R3
after the wording “in Part 1.2.”: The annual test requirement is considered to be met if the
responsible entity implements the communications process in Part 1.2 for an actual event. This
language must be in the Requirement to be considered during an audit. Measures are not auditable.
Statement “... not including notification to the ERO...” as it stands now is confusing. We suggest that
this statement is either reworded (and explained in the Rationale for this requirement) or outright
removed for clarity purposes. In the requirement R4, we suggest replacing the words “an annual
review” with the words “a periodic review.” Add the following to R4: The frequency of such periodic
reviews shall be specified in the Operating Plan and the time between periodic reviews shall not
exceed five (5) years. This does not preclude an annual review in an Entity’s operating plan. The
Entity will then be audited to its plan. If the industry approves a five (5) year periodic review ‘cap,’
and FERC disagrees, then FERC will have to issue a directive, state its reasons and provide justification
for an annual review that is not arbitrary or capricious. Adding the one year “test” requirement adds
to the administrative tracking burden and adds no reliability value. The table in the standard is clear
regarding what events need to be reported. An auditor may want to see a test for "each" of the
applicable events listed in EOP-004 Attachment 1. If the requirement for "an" annual test remains in
the standard in R3, then it should be made clear that a test is not required for "each" of the applicable
events listed in Attachment 1 (reference to R1.2.)
No
In the Attachment 1, language identical to event descriptions in the NERC Event Analysis Process and
FERC OE-417 should be used. Creating a third set of event descriptions is not helpful to system
operators. Recommend aligning the Attachment 1 wording with that contained in Attachment 2, DOE
Form OE-417 and the EAP whenever possible. The proposed “events” are subjective and will lead to
confusion and questions as to what has to be reported. - Event: A reportable Cyber Security Incident.
All reportable Cyber Security Incidents may not require “One Hour Reporting.” A “one-size fits all”
approach may not be appropriate for the reporting of all Cyber Security Incidents. The NERC “Security
Guideline for the Electricity Sector: Threat and Incident Reporting” document provides time-frames
for Cyber Security Incident Reporting. For example, a Cyber Security Compromise is recommended to
be reported within one hour of detection, however, Information Theft or Loss is recommended to be
reported within 48 hours. Recommend listing the Event as “A confirmed reportable Cyber Security
Incident.” The existing NERC “Security Guideline for the Electricity Sector: Threat and Incident
Reporting” document uses reporting time-frames based on “detection” and “discovery.” Recommend
using the word confirmed because of the investigation time that may be required from the point of
initial “detection” or “discovery” to the point of confirmation, when the compliance “time-clock” would
start for the reporting requirement in EOP-004-2. - Event: Damage or destruction of a Facility
Threshold for Reporting: revise language on third item to read: “Results from actual or suspected
intentional human action, excluding unintentional human errors”. - Event: Any physical threat that
could impact the operability of a Facility This Event category should be deleted. The word “could” is
hypothetical and therefore unverifiable and un-auditable. The word “impact” is undefined. Please
delete this reporting requirement, or provide a list of hypothetical “could impact” events, as well as a
specific definition and method for determining a specific physical impact threshold for “could impact”
events other than “any.” - Event: BES Emergency requiring public appeal for load reduction. Replace
wording in the Event column with language from #8 on the OE-417 Reporting Form to eliminate
reporting confusion. Following this sentence add, “This shall exclude other public appeals, e.g., made
for weather, air quality and power market-related conditions, which are not made in response to a
specific BES event.” - Event: Complete or partial loss of monitoring capability Event wording: Delete
the words “or partial” to conform the wording to the NERC Event Analysis Process. - Event:
Transmission Loss Revise to BES Transmission Loss - Event: Generation Loss Revise to BES
Generation Loss
No
The proposed new section does not contain specifics of the proposed system nor the interfacing
outside of the system to support the report collecting.
The proposed standard is not consistent with NERC’s new Risk Based Compliance Monitoring. - The
performance based action to “implement its event reporting Operating Plan” on defined events, as
required in R2, could be considered a valid requirement. However, the concern is that this
requirement could be superseded by the NERC Events Analysis Process and existing OE-417
Reporting. - The requirements laid out in R1, R3 and R4 are specific controls to ensure that the
proposed requirement to report (R2) is carried out. However, controls should not be part of a
compliance requirement. The only requirement proposed in this standard that is not a control is R2.
NERC does not need to duplicate the enforcement of reporting already imposed by the DOE. DOE-417
is a well-established process that has regulatory obligations. NERC enforcement of reporting is
redundant. NERC has the ability to request copies of these reports without making them part of the
Reliability Rules. Form EOP-004, Attachment 2: Event Reporting Form: - Delete from the Task column
the words “or partial”. - Delete from the Task column the words “physical threat that could impact the
operability of a Facility”. VSL’s may have to be revised to reflect revised wording. The standard as
proposed is not supportive of Gerry Cauley’s performance based standard initiative
Group
CenterPoint Energy
John Brockhan
No
CenterPoint Energy recommends that “and implement” be added after “Each Responsible Entity shall
have” in Requirement R1. After such revision, Requirement R2 will not be needed as noted in previous
comments submitted by the Company. CenterPoint Energy also believes that Requirement R3 is not
needed as an annual review encompassing the elements of the test described in the draft is sufficient.
No
CenterPoint Energy appreciates the revisions made to Attachment 1 based on stakeholder feedback;
however, the Company continues to have concerns regarding certain events and thresholds for
reporting and offers the following recommendations. (1) CenterPoint Energy recommends the deletion
of "per Requirement R1" in the “Note” under Attachment 1 as it contains a circular reference back to
R1 which includes timeframes. (2) CenterPoint Energy maintains that a required 1 hour threshold for
reporting of any event is unreasonable. CenterPoint Energy is confident that given dire circumstances
Responsible Entities will act quickly on responding to and communication of any impending threat to
the reliability of the Bulk Electric System. (3) For the event of “Damage or destruction of a Facility”,
CenterPoint Energy is concerned that the use of the term “suspected” is too broad and proposes that
the SDT delete "suspected" and add "that causes an Adverse Reliability Impact…" to the threshold for
reporting regarding human action. (4) CenterPoint Energy believes that the event, “Any physical
threat that could impact the operability of a Facility” is too broad and should be deleted. Alternatively,
CenterPoint Energy recommends that the SDT delete "could” or change the event description to "A
physical incident that causes an Adverse Reliability Impact". Additionally, in footnote 1, the example
of a train derailment uses the phrase “could have damaged”. CenterPoint Energy is concerned that as
beauty is in the eye of the beholder, this phrase is open to interpretation and therefore recommends
that the phrase, “causes an Adverse Reliability Impact” be incorporated into the description. (5) The
Company proposes that the threshold for reporting the event, “BES Emergency requiring manual firm
load shedding” is too low. It appears the SDT was attempting to align this threshold with the DOE
reporting requirement. However, as the SDT stated above, there are several valid reasons why this
should not be done; therefore, CenterPoint Energy recommends the threshold be revised to “Manual
firm load shedding ≥ 300 MW”. (6) CenterPoint Energy also recommends a similar revision to the
threshold for reporting associated with the “BES Emergency resulting in automatic firm load shedding”
event. (“Firm load shedding ≥ 300 MW (via automatic under voltage or under frequency load
shedding schemes, or SPS/RAS”) (7) CenterPoint Energy is uncertain of the event, “Loss of firm load
for ≥ 15 minutes” and its fit with BES Emergency requiring manual firm load shedding or BES
Emergency resulting in automatic firm load shedding. The Company believes that this event is already
covered with manual firm load shedding and automatic firm load shedding and should therefore be
deleted. (8) For the event of “System separation (islanding)”, CenterPoint Energy believes that 100
MW is inconsequential and proposes 300 MW instead. (9) For “Generation loss”, CenterPoint Energy
suggests that the SDT add "only if multiple units” to the criteria of “1,000 MW for entities in the
ERCOT or Quebec Interconnection”. (10) Finally, CenterPoint Energy recommends that the SDT delete
the term “partial” under the “Entity with Reporting Responsibility” for “Complete or partial loss of
monitoring capability”. The Company proposes revising the event description to "Loss of monitoring
capability for > 30 minutes that causes system analysis tools to be inoperable”.
No
CenterPoint Energy does not agree with the SDT’s proposed section 812. The proposal for NERC to
establish a system that will “…forward the report to the appropriate NERC departments, applicable
regional entities, other designated registered entities, and to appropriate governmental, law
enforcement, regulatory agencies as necessary. This can include state, federal, and provincial
organizations.” is redundant with the draft Standard. Responsible entities are already required to
report applicable events to NERC, applicable regional entities, registered entities, and appropriate
governmental, law enforcement, and regulatory agencies. CenterPoint Energy believes if the SDT’s
intent is to require NERC to distribute these system event reports, then EOP-004-2 should be revised
to require responsible entities to only report the event to NERC. As far as distribution to appropriate
NERC departments, CenterPoint Energy believes that is an internal NERC matter and does not need to
be included in the Rules of Procedure.
CenterPoint Energy proposes that the purpose be enhanced to reflect risk and response. For example,
the purpose could read “To sustain and improve reliability of the Bulk Electric System by identifying
common risks reported by Responsible Entities as a source of lessons learned.” In the Background
section under Law Enforcement Reporting, “the” should be added in front of “Bulk Electric System”.
Also under the Background section - “Present expectations of the industry under CIP-001-1a”,
CenterPoint Energy is not aware of any current annual requirements for CIP-001 and suggests that
this section be revised to reflect that fact. CenterPoint Energy strongly believes that the Violation
Severity Levels (VSL) should not be high or severe unless an Adverse Reliability Impact occurred.
CenterPoint Energy is requesting that Requirement R2 be deleted and the phrase, "as a result of not
implementing the plan/insufficient or untimely report, an Adverse Reliability Impact occurred” be
added to the Requirement R1 VSL. Regarding the VSL for Requirement R4, the Violation Risk Factor
should be "Lower" and read “the entity did not perform the annual test of the operating plan” as
annual is to be defined by the entity or according to the CAN-0010.
Individual
Kirit Shah
Ameren
Yes
No
We appreciate the efforts of the DSR SDT and believe this latest Draft is greatly improved over the
previous version. However, we propose the following suggestions: (1) The first Event category in
Attachment 1 under 24 Hour Reporting is Applicable to GO and GOP entities. Yet the first 2 of 3
Thresholds for Reporting require data that is unobtainable for GO and GOP entities. Specifically,
Events that “Affects an IROL (per FAC-014)” and “Results in the need for actions to avoid an Adverse
Reliability Impact”. We believe these thresholds, and the use of the NERC Glossary term Adverse
Reliability Impact, clearly show the SDT’s intent to limit reporting only to Events that have a major
and significant reliability impact on the BES. GO or GOP does not have access to the wide-area view
of the transmission system, making them to make this determination is impossible. As a result, we do
not believe GO and GOP entities should have Reporting Responsibility for these types of Events. (2)
For GO and GOP entities, the third Threshold is confusing as to which facilities in the plant it would be
applicable to; because the definition of "Facility" does not provide a clear guidance in that respect. For
example, would a damage to ID fan qualify as a reportable event? (3) The second Event category in
Attachment 1 under 24 Hour Reporting, "Any physical threat that could impact the operability of a
Facility" is wide open to interpretation and thus impracticable to comply with. For example, a simple
car accident that threatens any transmission circuit, whether it impacts the BES (as listed in the
Threshold for the previous event in the table or any other measure) or not, is reportable. This list
could become endless without the events having any substantial impact on the system. To continue
this point, the Footnote 1 can also include, among many other examples, the following: (a) A wild fire
near a generating plant, (b) Low river levels that might shut down a generating plant, (c) A crane that
has partially collapsed near a generator switchyard, (d) Damage to a rail line into a coal plant, and/or
(e) low gas pressure that might limit or stop operation of a natural gas generating plant. (4) The
category, "Transmission Loss" is a concern also. If the meaning of Transmission Facility is included in
the meaning of Facility as described in the event list, it may be acceptable; but, we still have a
question how would a loss of a bus and the multiple radial element that may be connected to that bus
would be treated? Also, how would a breaker failure affect this type of an event? The loss of a circuit
is “intentional” (as opposed to Unintentional as listed in the threshold) for the failure of breaker, how
will it be treated in counting three or more? We suggest a clarification for such types of scenarios. (5)
Requirement R1.: 1.1 includes an exception from compliance with this Standard if there is a Cyber
Security Incident according to CIP-008-3. However, note that the CIP-008-3 may not apply to all GO
and GOP facilities. While the exception is warranted to eliminate duplicative event reporting plans, the
language of this requirement is confusing as it does not clearly provide that message. (6) The
second paragraph in Section C.1.1.2. includes the phrases “…shall retain the current, document…”
and “…the “date change page” from each version…” Is the “document” intended to be the Operating
Plan? We do not see a defining reference in the text around this phrase; also, is a “date change page”
mandatory for compliance with this Standard? We request additional clarification of wording in the
Evidence Retention section of the Standard. (7) Page 19 / Event: Voltage deviation on a Facility: We
believe that the term “observes” for Entity with Reporting Responsibility be changed back to
“experiences” as originally written. The burden should rest with the initiating entity in consistency
with other Reporting Responsibilities. In addition, for Threshold for Reporting, We believe the
language should be expanded to - plus or minus 10% “of nominal voltage” for greater than or equal to
15 continuous minutes. (8) Page 20 /Event: Complete or partial loss of monitoring capability. We
suggest to the SDT that the term “partial” be deleted from the event description. (9) We suggest to
the SDT that the term “partial” be deleted for the Entity with Reporting Responsibility and changed to
read: Each RC, BA, and TOP that experiences the complete loss of monitoring capability.
No
If the SDT keeps new Section 812 we suggest to the SDT a wording change for the second sentence,
underlined: “Upon receipt of the submitted report, the system shall then forward the report to the
appropriate NERC department for review. After review, the report will be forwarded to the applicable
regional entities, other designated registered entities, and to appropriate governmental, law
enforcement, regulatory agencies as necessary.”
Individual
Howard Rulf
We Energies
Yes
No
Submitting reports to the ERO: NERC and all of the Regional Entities are the ERO. If I send a report to
any Regional Entity (and not NERC), I have sent it to the ERO. Damage or Destruction of a Facility: A
DP may not have a Facility by the NERC Glossary definition. All distribution is not a Facility. Did you
mean to exclude all distribution? Any Physical threat that could impact the operability of a Facility: An
RC does not have Facilities by the NERC Glossary definition. An RC will not have to report this. BES
Emergency... Reporting Responsibility: If meeting the Reporting Threshold was due to a directive
from the RC, who is the Initiating entity? Voltage deviation on a Facility Threshold for Reporting: 10%
of what voltage? Nominal, rated, scheduled, design, actual at an instant?
No
Section 812 refers to the section as a standard and as a Procedure. That is not correct. Section 812
reads to me as if NERC (the system) will be forwarding everything specified anywhere in RoP 800.
Applicability: Change Electric Reliability Organisation to NERC or delete Regional Entity. The ERO is
NERC and all the Regional Entities. R1.2: The ERO is NERC and all the REs. If I report to any one of
the REs (only and not to NERC), I have reported to the ERO. Change ERO to NERC. M1 refers to R1.1
and R1.2 as Parts. It would be clearer to refer to them as requirements or sub-requirements. M2: Add
a comma after "that the event was reported" and "supplemented by operator logs". It will be easier to
read. R3: This should be clarified to state that no reporting will be done for the annual test, not just
exclude the ERO. M4: An annual review will not be time stamped.
Group
SMUD & BANC
Joe Tarantino
We feel issues were addressed, but still have concern with ‘damage’. We certainly support that any
‘destruction’ of a facility that meets any of the three criteria be a reportable issue. But ‘damage’, if it’s
going to be included should have some objective definition that sets a floor. Much like the copper
theft issue, we don’t see the benefit of reporting plain vandalism (gun-shot insulators results from
actual or suspected intentional human action) to NERC unless the ‘damage’ has some tangible impact
on the reliability of the system or are acts of an orchestrated sabotage (i.e. removal of bolt in a
transmission structure).
Individual
Brian J Murphy
NextEra Energy Inc
No
NextEra Energy, Inc. (NextEra) does not agree that annual reviews and annual tests should be
mandated via Reliability Standards; instead, NextEra believes it is more appropriate to require that
the Operating Plan be up-to-date and reviewed/tested as the Responsible Entity deems necessary.
These enhancements provide for a robust Operating Plan, without arbitrary deadlines for a review and
testing. It also provides Responsible Entities of different sizes and configurations the flexibility to
efficiently and effectively integrate compliance with operations. Thus, NextEra requests that R1 be
revised to read: “Each Responsible Entity shall have an up-to-date event reporting Operating Plan
that is tested and reviewed as the Responsible Entity deems necessary and includes: …”. Consistent
with these changes NextEra also requests that R3 and R4 be deleted.
No
As stated in NextEra’s past comments, we continue to be concerned that EOP-004-2 does not
appropriately address actual sabotage that threatens the Bulk Electric System (BES) versus random
acts that are isolated and pose no risk to the BES. Therefore, NextEra repeats a portion of its past
comments below in the hope that the next revision of EOP-004-2 will more adequately address
NextEra’s concerns. Specifically, NextEra requests that its definition of sabotage set forth below
replace Attachment 1’s “Damage and Destruction of Equipment” and “Any physical threat that could
impact the operability of a Facility.” In Order No. 693, FERC stated its interest in NERC revising
CIP-001 to better define sabotage and requiring notification to the certain appropriate federal authorities,
such as the Department of Homeland Security. FERC Order No. 693 at PP 461, 462, 467, 468, 471.
NextEra has provided an approach that accomplishes FERC’s objectives and remains within the
framework of the drafting team, but also focuses the process of determining and reporting on only
those sabotage acts that could affect other BES systems. Today, there are too many events that are
being reported as sabotage to all parties in the Interconnection, when in reality these acts have no
material effect or potential impact to other BES systems other than the one that experienced it. For
example, while the drafting team notes the issue of copper theft is a localized act, there are other
localized acts of sabotage that are committed by an individual, and these acts pose little, if any,
impact or threat to other BES systems. Reporting sabotage that does not need to be sent to everyone
does not add to the security or reliability of the BES. Relatedly, there is a need to clarify some of the
current industry confusion on who should (and has the capabilities to) be reporting to a broader
audience of entities. Hence, the NextEra approach provides a clear definition of sabotage, as well as
the process for determining and reporting sabotage. New Definition for Sabotage. Attempted or Actual
Sabotage: an intentional act that attempts to or does destroy or damage BES equipment for the
purpose of disrupting the operations of BES equipment, or the BES, and has a potential to materially
threaten or impact the reliability of one or more BES systems (i.e., one act of sabotage on BES
equipment is only reportable if it is determined to be part of a larger conspiracy to threaten the
reliability of the Interconnection or more than one BES system).
Given that Responsible Entities are already required by other Reliability Standards to communicate
threats to reliability to their Reliability Coordinator (RC), NextEra does not believe that EOP-004-2 is a
Reliability Standard that promotes the reliability of the bulk power system, as envisioned by Section
215 of the Federal Power Act. Because an RC reporting requirement is already covered in other
Standards, EOP-004-2 essentially is a reporting out requirement to the Regional Reliability
Organization (RRO). NextEra does not agree that the reporting of events to the RROs should be
subject to fines under the Reliability Standard regulatory framework. The reporting to RROs, as
required by EOP-004-2, while informative and helpful for lessons learned, etc., is not necessary to
address an immediate threat to reliability. In addition, NextEra does not believe it would be
constructive to fine Responsible Entities for failure to report to a RRO within a mandated deadline
during times when these entities are attempting to address potential sabotage on their system.
NextEra would, therefore, prefer that the EOP-004-2 Standards Drafting Team be disbanded, and
instead that EOP-004-2’s reporting requirements be folded in to the event analysis reporting
requirements. Therefore, NextEra requests that the new Section 812 be revised to include EOP-004-2
as a data request for lessons learned or for informational purposes only, and, also, for EOP-004-2
project to be disbanded.
Individual
Kathleen Goodman
ISO New England Inc
No
Due to the FERC mandate to assign VRFs/VSLs, we do not support using subrequirements and,
instead, favor the use of bullets when the subrequirements are not standalone but rely on the parent
requirement.
No
We are unable to comment on the proposed new section as the section does not contain any description
of the proposed process or the interface requirements to support the report collecting system. We
reserve judgment on this proposal and our right to comment on the proposal when the proposed
addition is posted.
We request that the SDT post the following Alternative Proposal for Industry comments as required
by the Standards Process to obtain Industry consensus and as permitted by FERC: An equally
effective alternative is to withdraw this standard and to make the contents of the SDT’s posted
standard a NERC Guideline.
a. This alternative is more in line with new NERC and FERC proposals
b. This alternative retains the reporting format
Comments
1. The FERC Order 693 directives regarding “sabotage” have already been addressed by the SDT (i.e.
   the concept was found outside the scope of NERC standards)
2. Current Industry actions already address the needs cited in the Order:
   a. Approved Reporting Processes already exist
      i. The Operating Committee’s Event Analysis Process
      ii. Alert Reporting
   b. The Data already exists
      i. Reliability Coordinators Information System (which creates hundreds if not thousands of
         “reports” per year)
      ii. The DOE’s OE 417 Report itself provides part of the FERC discussed data
3. The proposed standard is not supportive of Gerry Cauley’s performance based standard initiative
   or of FERC’s offer to reduce procedural standards
   a. The proposed requirement is a process not an outcome
      i. The proposal is more focused on reporting and could divert the attention of reliability
         entities from addressing a situation to collecting data for a report
   b. The proposed “events” are subjective and if followed will create an unmanageable burden on
      NERC staff
      i. Reporting “damage” to facilities can be interpreted as anything from a dent in a generator
         to the total destruction of a transformer
      ii. The reporting requirements on all applicable entities will create more questions about
          differences between the reports of the various entities – rather than leading to
          conclusions about patterns among events that indicate a global threat
      iii. Reporting any “physical threat” is too vague and subjective
      iv. Reporting “damage to a facility that affects an IROL” is subjective and can be seen to
          require reporting of damage on every facility in an interconnected area.
      v. Reporting “Partial loss of monitoring” is a data quality issue that can be anything from
         the loss of a single data point to the loss of an entire SCADA system
      vi. Testing the filling out of a Report does not make it easier to fill out the report later
          (moreover the reporting is already done often enough – see 2.b.i)
   c. The proposed requirements will create a disincentive to improving current Reporting practices
      (the more an entity designs into its own system the more it will be expected to do and the
      more likely it will be penalized for failing to comply)
      i. Annual reviews of the reporting practices fall into the same category, why have a detailed
         process to review when a simple one will suffice?
4. The proposed standard does not provide a feedback loop to either the data suppliers or to
   potentially impacted functional entities
   a. If the “wide area” data analysis indicates a threat, there is no requirement to inform the
      impacted entities
   b. As a BES reliability issue there are no performance indicators or metrics to show the value
      of this standard
      i. We recognize that specific incidents cannot be identified but if this is to be a
         reliability standard some information must be provided. A Guideline could be designed to
         address this concern.
5. The proposed standard is not consistent with NERC’s new Risk Based Compliance Monitoring.
   a. The performance based action to report on defined events, as required in R2, could be
      considered a valid requirement. However we have concerns as noted in Bullet 3 above. The
      requirements laid out in R1, R3 and R4 are specific controls to ensure that the proposed
      requirement to report (R2) is carried out. NERC is moving in the direction to assess
      entities’ controls, outside of the compliance enforcement arm. The industry is being informed
      that NERC Audit staff will conduct compliance audits based on the controls that the entity
      has implemented to ensure compliance. We are interested in supporting this effort and making
      it successful. However, if this is the direction NERC is moving, we should not be making
      controls part of a compliance requirement. The only requirement proposed in this standard
      that is not a control is R2.
6. For FERC-jurisdictional entities, NERC does not need to duplicate the enforcement of reporting
   already imposed by the DOE. DOE-417 is a well established process that has regulatory
   obligations. NERC enforcement of reporting would be redundant. NERC has the ability to request
   copies of these reports without making them part of the Reliability Rules.
Group
ISO/RTO Standards Review Committee
Albert DiCaprio
No
The SRC offers comments regarding the posted draft requirements; however, by so doing, the SRC
does not indicate support of the proposed requirements. Following these comments, please see the
latter part of the SRC’s response to Question 4 below for an SRC proposed alternative approach:
Regarding the proposed posted requirements, without indicating support of those requirements, the
SRC concurs with the changes as they provide better streamlining of the four key requirements, with
enhanced clarity. However, we are unclear on the intent of Requirement R3, in particular the phrase
“not including notification to the Electric Reliability Organization” which begs the question on whether
or not the test requires notifying all the other entities as if it were a real event. This may create
confusion in ensuring compliance and during audits. Suggest the SDT to review and modify this
requirement as appropriate. Regarding part 1.2, the SRC requests that the text be terminated after
the word “type” and before “i.e.” As written, the requirement does not allow for the entity to
add/remove others as necessary. Please consider combining R3 and R4. These can be accomplished
at the same time. The process should be evaluated to determine effectiveness when an exercise or
test is conducted. The SDT is asked to review the proposal and to address the issue of requirements
vs. bullets vs. sub-requirements. It is suggested that each requirement be listed independently, and
that each sub-step be bulleted.
No
The SRC response to this question does not indicate support of the proposed requirement. Please see
the latter part of the SRC’s response to Question 4 below for an SRC proposed alternative approach:
No
The SRC offers comments regarding the posted draft requirements; however, by so doing, the SRC
does not indicate support of the proposed requirements. Following these comments, please see the
latter part of the SRC’s response to Question 4 below for an SRC proposed alternative approach: The
SRC is unable to comment on the proposed new section as the section does not contain any
description of the proposed process or the interface requirements to support the report collecting
system. We reserve judgment on this proposal and our right to comment on the proposal when the
proposed addition is posted.
The SRC offers some other comments regarding the posted draft requirements; however, by so doing,
the SRC does not indicate support of the proposed requirements. Following these comments, please
see below for an SRC proposed alternative approach: The SRC does not agree with the MEDIUM VRF
assigned to Requirement R4. R4 is a requirement to conduct an annual review of the Event Reporting
Operating Plan mandated in Requirement R1. R1 however is assigned a VRF of LOWER. We are unable
to rationalize why a subsequent review of a plan should have a higher reliability risk impact than the
development of the plan itself. Hypothetically, if an entity doesn’t develop a plan to begin with, then it
will be assigned a LOWER VRF, and the entity will have no plan to review annually and hence it will
not be deemed non-compliant with requirement R4. The entity can avoid being assessed violating a
requirement with a MEDIUM VRF by not having the plan to begin with, for which the entity will be
assessed violating a requirement with a LOWER VRF. We suggest changing the R4 VRF to LOWER.
*************************************************************
The SRC requests that the SDT post the following Alternative Proposal for Industry comments as
required by the Standards Process to obtain Industry consensus and as permitted by FERC: An equally
effective alternative is to withdraw this standard and to make the contents of the SDT’s posted
standard a NERC Guideline.
a. This alternative is more in line with new NERC and FERC proposals
b. This alternative retains the reporting format
Comments
1. The FERC Order 693 directives regarding “sabotage” have already been addressed by the SDT (i.e.
   the concept was found outside the scope of NERC standards)
2. Current Industry actions already address the needs cited in the Order:
   a. Approved Reporting Processes already exist
      i. The Operating Committee’s Event Analysis Process
      ii. Alert Reporting
   b. The Data already exists
      i. Reliability Coordinators Information System (which creates hundreds if not thousands of
         “reports” per year)
      ii. The DOE’s OE 417 Report itself provides part of the FERC discussed data
3. The proposed standard is not supportive of Gerry Cauley’s performance based standard initiative
   or of FERC’s offer to reduce procedural standards
   a. The proposed requirement is a process not an outcome
      i. The proposal is more focused on reporting and could divert the attention of reliability
         entities from addressing a situation to collecting data for a report
   b. The proposed “events” are subjective and if followed will create an unmanageable burden on
      NERC staff
      i. Reporting “damage” to facilities can be interpreted as anything from a dent in a generator
         to the total destruction of a transformer
      ii. The reporting requirements on all applicable entities will create more questions about
          differences between the reports of the various entities – rather than leading to
          conclusions about patterns among events that indicate a global threat
      iii. Reporting any “physical threat” is too vague and subjective
      iv. Reporting “damage to a facility that affects an IROL” is subjective and can be seen to
          require reporting of damage on every facility in an interconnected area.
      v. Reporting “Partial loss of monitoring” is a data quality issue that can be anything from
         the loss of a single data point to the loss of an entire SCADA system
      vi. Testing the filling out of a Report does not make it easier to fill out the report later
          (moreover the reporting is already done often enough – see 2.b.i)
   c. The proposed requirements will create a disincentive to improving current Reporting practices
      (the more an entity designs into its own system the more it will be expected to do and the
      more likely it will be penalized for failing to comply)
      i. Annual reviews of the reporting practices fall into the same category, why have a detailed
         process to review when a simple one will suffice?
4. The proposed standard does not provide a feedback loop to either the data suppliers or to
   potentially impacted functional entities
   a. If the “wide area” data analysis indicates a threat, there is no requirement to inform the
      impacted entities
   b. As a BES reliability issue there are no performance indicators or metrics to show the value
      of this standard
      i. The SRC recognizes that specific incidents cannot be identified but if this is to be a
         reliability standard some information must be provided. A Guideline could be designed to
         address this concern.
5. The proposed standard is not consistent with NERC’s new Risk Based Compliance Monitoring.
   a. The performance based action to report on defined events, as required in R2, could be
      considered a valid requirement. However we have concerns as noted in Bullet 3 above. The
      requirements laid out in R1, R3 and R4 are specific controls to ensure that the proposed
      requirement to report (R2) is carried out. NERC is moving in the direction to assess
      entities’ controls, outside of the compliance enforcement arm. The industry is being informed
      that NERC Audit staff will conduct compliance audits based on the controls that the entity
      has implemented to ensure compliance. The SRC is interested in supporting this effort and
      making it successful. However, if this is the direction NERC is moving, we should not be
      making controls part of a compliance requirement. The only requirement proposed in this
      standard that is not a control is R2.
6. For FERC-jurisdictional entities, NERC does not need to duplicate the enforcement of reporting
   already imposed by the DOE. DOE-417 is a well established process that has regulatory
   obligations. NERC enforcement of reporting would be redundant. NERC has the ability to request
   copies of these reports without making them part of the Reliability Rules.
Individual
Mark B Thompson
Alberta Electric System Operator
The Alberta Electric System Operator will need to modify parts of this standard to fit the provincial
model and current legislation when it develops the Alberta Reliability Standard.
Individual
Maggy Powell
Exelon Corporation and its affiliates
No
It’s not clear that R3 and R4 need to be separated. Consider revising R3 to read: “Through use or
testing, verify the operability of the plan on an annual basis” and dropping R4.
Yes
No
While we don’t have any immediate objection to revising the Rules of Procedures (ROP) to allow for
report collecting under Section 800 relative to the EOP-004 standard, the proposed language is
unclear and confusing. Please consider the following revision: "812. NERC Reporting Clearinghouse
NERC will establish a system to collect reporting forms as required for Section 800 or per FERC
approved standards from any Registered Entities. NERC shall distribute the reports to the appropriate
governmental, law enforcement, regulatory agencies as required per Section 800 or the applicable
standard." Further, NERC should post ROP revisions along with a discussion justifying the revision for
industry comment specific to the ROP. There may be significant implications to this revision beyond
the efforts relative to EOP-004.
Thanks to the SDT. Significant progress was made in revising the proposed standard language. We
appreciate the effort and have only a few remaining requests:
• We understand that CIP-008 dictates the 1-hour reporting obligation for Cyber Security Incidents
  and this iteration of EOP-004 delineates the CIP-008 requirements. Please confirm that per the
  exemption language in the CIP standards (as consistent with the March 10, 2011 FERC Order (docket
  # RM06-22-014)) nuclear generating units are not subject to this reporting requirement.
• EOP-004 still lists “Generation Loss” as a 24 hour reporting criteria without any time threshold
  guidance for the generation loss. Exelon previously commented to the SDT (without the comment
  being addressed) that Generation Loss should provide some type of time threshold. If the 2000 MW
  is from a combination of units in a single location, what is the time threshold for the combined
  unit loss? In considering clarification language, the SDT should review the BAL standards on the
  disturbance recovery period for appropriate timing for closeness of trips.
• The “physical threat that could impact” requirement remains vague and it’s not clear the
  relevance of such information to NERC or the Regions. If a train derailment occurred near a
  generation facility (as stated in the footnote), are we to expect that NERC is going to send out
  a lesson learned with suggested corrective actions to protect generators from that occurring? The
  value in that event reporting criteria seems low. The requirement should be removed.
• The event concerning voltage deviation of +/- 10% does not specify which type of voltage. In
  response to this comment in the previous comment period, the SDT indicated that the entity could
  determine the type of voltage. It would be clearer to specify in the standard and avoid future
  interpretation at the audit level.
• As requested previously, for nuclear facilities, EOP-004 reporting should be coordinated with
  existing required notifications to the NRC and FBI as to not duplicate effort or add unnecessary
  burden on the part of a nuclear GO/GOP during a potential security or cyber event. Please contact
  the NRC about this project to ensure that required communication and reporting in response to a
  radiological sabotage event (as defined by the NRC) or any incident that has impacted or has the
  potential to impact the BES does not create duplicate reporting, conflicting reporting thresholds
  or confusion on the part of the nuclear generator operator. Each nuclear generating site licensee
  must have an NRC approved Security Plan that outlines applicable notifications to the FBI.
  Depending on the severity of the security event, the nuclear licensee may initiate the Emergency
  Plan (E-Plan). Exelon again asks that the proposed reporting process and flow chart be
  coordinated with the NRC to ensure it does not conflict with existing expected NRC requirements
  and protocol associated with site specific Emergency and Security Plans. In the alternative, the
  EOP-004 language should include acceptance of NRC required reporting to meet the EOP-004
  requirements.
• The proposed standard notes that the text boxes will be moved to the Guideline and Technical
  Basis Section which we support. However, it’s not clear whether all the information in the
  background section will remain part of the standard. If this section is to remain as proposed,
  concerted revision is needed to ensure that the discussion language matches the requirement
  language. At present, it does not. For instance, the flow chart on page 9 indicates when to
  report to law enforcement while the requirements merely state that communications to law
  enforcement be addressed within the operating plan.
• Exelon voted negative on this ballot due to the need for further clarification and
  reconciliation between NERC EOP-004 and the NRC.
Individual
Keith Morisette
Tacoma Power
Yes
Tacoma Power agrees with the requirement but would suggest removing all instances of the word
“Operating” from the Standard. The requirements should read, “Each Responsible Entity shall have
an “Event Reporting Plan…”. The term Operating in this context is confusing as there are many other
“Operating Plans” for other defined emergencies. This standard is about “Reporting” and should be
confined to that.
Yes
Tacoma Power supports the revisions. It appears that all agencies and entities are willing to support
the use of the DOE Form OE-417 as the initial notification form (although EOP-004 does include their
own reporting form as an attachment to the Standard). Tacoma is already using the OE-417 and
distributing it to all applicable Entities and Agencies.
No
Tacoma Power disagrees with the requirement to perform annual testing of each communication plan.
We do not see any added value in performing annual testing of each communication plan. There are
already other Standard requirements to perform routine testing of communications equipment and
emergency communications with other agencies. The “proof of compliance” to the Standard should be
in the documentation of the reports filed for any qualifying event, within the specified timelines and
logs or phone records that it was communicated per each specified communication plan.
Tacoma Power disagrees with the requirement to perform annual testing of each communication plan.
We do not see any added value in performing annual testing of each communication plan. There are
already other Standard requirements to perform routine testing of communications equipment and
emergency communications with other agencies. The “proof of compliance” to the Standard should be
in the documentation of the reports filed for any qualifying event, within the specified timelines and
logs or phone records that it was communicated per each specified communication plan. Tacoma
Power has none at this time. Thank you for considering our comments.
Individual
Dennis Sismaet
Seattle City Light
Yes
This is a great improvement over the prior CIP and EOP versions. However, please see #4 for overall
comment.
Yes
This is a great improvement over the prior CIP and EOP versions. However, please see #4 for overall
comment.
No
Seattle City Light follows MEAG and believes this type of activity and process is better suited to
NAESB than it is to NERC Compliance.
1) Seattle City Light follows MEAG and questions if these administrative activities better should be
sent over to NAESB? R1: There is merit in having a plan as identified in R1, but is this a need to
support reliability or is it a business practice? Should it be in NAESB’s domain? R2, R3 & R4: These
are not appropriate for a Standard. If you don’t annually review the plan, will reliability be reduced
and the BES be subject to instability, separation and cascading? If DOE needs a form filled out, fill it
out and send it to DOE. NERC doesn’t need to pile on. Mike Moon and Jim Merlo have been stressing
results and risk based, actual performance based, event analysis, lessons learned and situational
awareness. EOP-004 is primarily a business preparedness topic and identifies administrative
procedures that belong in the NAESB domain. 2) Seattle City Light finds that even though efforts were
made to differentiate between sabotage vs. criminal damage, the difference still appears to be
confusing. Sabotage clearly requires FBI notification, but criminal damage (i.e. copper theft,
trespassing, equipment theft) is best handled by local law agencies. A key point on how to determine
the difference is to always go with the evidence. If you have a hole in the fence and cut grounding
wires, this would only require local law enforcement notification. If there is a deliberate attack on a
utility’s BES infrastructure for intent of sabotage and/or terrorism, this is an FBI notification event. One
area where a potential for confusion arises is with the term “intentional human action” in defining
damage. Shooting insulators on a rural transmission tower is not generally sabotage, but removing
bolts from the tower may well be. Seattle understands the difficulty in differentiating these two cases,
for example, and supports the proposed Standard, but would encourage additional clarification in this
one area.
Individual
Scott Miller
MEAG Power
Yes
This is a great improvement over the prior CIP and EOP versions. However, please see #4 for overall
comment.
Yes
This is a great improvement over the prior CIP and EOP versions. However, please see #4 for overall
comment.
No
This type of activity and process is better suited to NAESB than it is to NERC Compliance.
Should these administrative activities be sent over to NAESB? R1: There is merit in having a plan as
identified in R1, but is this a need to support reliability or is it a business practice? Should it be in
NAESB’s domain? R2, R3 & R4: These are not appropriate for a Standard. If you don’t annually review
the plan, will reliability be reduced and the BES be subject to instability, separation and cascading? If
DOE needs a form filled out, fill it out and send it to DOE. NERC doesn’t need to pile on. Mike Moon
and Jim Merlo have been stressing results and risk based, actual performance based, event analysis,
lessons learned and situational awareness. EOP-004 is primarily a business preparedness topic and
identifies administrative procedures that belong in the NAESB domain.
Group
FirstEnergy
Sam Ciccone
While FE voted affirmative on this draft, upon further review we request clarification be made in the
next draft of the standard regarding the applicability of the Nuclear Generator Operator. Per FE's
previous comments, nuclear generator operators already have specific regulatory requirements to
notify the NRC for certain notifications to other governmental agencies in accordance with 10 CFR
50.72(b)(s)(xi). We had asked that the DSR SDT contact the NRC about this project to ensure that
existing communication and reporting that a licensee is required to perform in response to a
radiological sabotage event (as defined by the NRC) or any incident that has impacted or has the
potential to impact the BES does not create either duplicate reporting, conflicting reporting thresholds
or confusion on the part of the nuclear generator operator. In addition, EOP-004 must acknowledge
that there may be NRC reporting forms that have the equivalent information contained in their
Attachment 2. For what the NRC considers a Reportable Event, Nuclear plants are required to fill out
NRC form 361 and/or form 366. We do not agree with the drafting team's response to ours and
Exelon's comments that "The NRC does not fall under the jurisdiction of NERC and so therefore it is
not within scope of this project." While the statement is correct, we believe that requirements should
not conflict with or duplicate other regulatory requirements. We remain concerned that the standard
with regard to Nuclear GOP applicability causes duplicative regulatory reporting with existing
reporting requirements of the NRC. Therefore, we ask: 1. That NERC and the drafting team please
investigate these issues further and revise the standard to clarify the scope for nuclear GOPs, and 2.
For any reporting deemed in the scope for nuclear GOP after NERC's and the SDT's investigation per
our request in #1 above, that the SDT consider the ability to utilize information from NRC reports as
meeting the EOP-004-2 requirements similar to the allowance of using the DOE form as presently
proposed.
Individual
Patrick Brown
Essential Power, LLC
1. As this Standard does not deal with real-time reporting or analysis, and is simply considered an
after the fact reporting process, I question the need for the Standard at all. This is a process that
could be handled through a change to the Rules of Procedure rather than through a Standard.
Developing this process as a Reliability Standard is, in my opinion, contrary to the shift toward
Reliability-Based Standards Development. 2. I do not believe that establishing a reporting
requirement improves the reliability of the BES, as stated in the purpose statement. The reporting
requirement, however, would improve situational awareness. I recommend the purpose statement be
changed to reflect this, and included with the process in the NERC Rules of Procedure.
Individual
Gregory Campoli
New York Independent System Operator
The NYISO is part of and supports comments submitted by NPCC Reliability Standards Committee and
the IRC Strandards Review Committee. However the NYISO would also like to comment on the
following items: o NERC has been proposing the future development of performance based standards,
which is directly related to reliability performance. Requirement 2 of this standard is simply a
reporting requirement. We believe that this does not fall into a category of a performance based
standard. NERC has the ability to ask for reports on events through ROP provisions and now the new
Event Analysis Process. It does not have to make it part of the compliance program. Some have
indicated the need for timely reporting of cyber or sabotage events. The counter argument is that the
requirement is reporting when confirmed which would delay any useful information to fend off a
simultaneous threat. Also NERC has not provided any records of how previous timely (1 hour)
reporting has mitigated reliability risks. o The NERC Event Analysis Process was recently approved by
the NERC OC and is in place. This was the model program for reporting outside the compliance
program that the industry was asking for. This should replace the need for EOP-004. o NERC has
presented Risk Based Compliance Monitoring (RBCM) to the CCC, MRC, BOT and at Workshops. This
involves audit teams monitoring an entity's controls to ensure they have things in place to maintain
compliance with reliability rules. The proposed EOP-004 has created requirements that are controls to
requirement R2, which is to file a report on predefined incidents. The RBCM is being presented as the
auditor will make determinations on the detail of the sampling for compliance based on the
assessment of controls an entity has in place to maintain compliance. It is also noted that compliance
will not be assessed against these controls. As the APS example for COM-002 is presented in the
Workshop slides, the issue is that EOP-004 R1, R3 and R4 are controls for reporting; 1) have a plan,
2) test the plan, and 3) review the plan. While R2 is the only actionable requirement. The NYISO
believes that all reporting requirements have been met by OE-417 and EAP reporting requirements
and that EOP-004 has served its time. At a minimum, the NYISO would suggest that EOP-004 be
simplified to just R2 (reporting requirement) and the other requirements be placed at the end of the
RSAW to demonstrate a culture of compliance as presented by NERC.
Individual
Don Schmit
Nebraska Public Power District
No
1. The following comments are in regard to Attachment 1: A. The row [Event] titled “Damage or
destruction of Facility”: 1. In column 3 [Threshold for Reporting], the word “Affect” is vague; note the
following concerns: i. Does “Affect” include a broken crossarm damaged without the Facility relaying
out of service. This could be considered to have an “Affect” on the IROL. ii. Would the answer be
different if the line relayed out of service and auto-reclosed (short interruption) for the same damaged
crossarm? We need clarity from the SDT in order to know when a report is due. 2. For clarification:
Who initiates the report when the IROL interfaces spans between multiple entities? We know of an
IROL that has no less than four entities that operate Facilities within the interface. Who initiates the
report if the IROL is affected? All? B. The row [Event] titled “Any physical threat that could impact
the operability of a Facility”: 1. In Column 1 [Event] change the word “threat” to “attack”, this aligns
with the OE-417 report. 2. In Column 3 [Threshold for Reporting], align the threshold with the OE-417 form. C. The row [Event] titled “Transmission loss”, in column 3 [Threshold for Reporting], the
defined term “Transmission Facilities” is too vague. There needs to be more description such that an
entity clearly understands when an event is reportable and for what equipment. We would
recommend the definition used in the Event Reporting Field Trial: An unexpected outage, contrary to
design, of three or more BES elements caused by a common disturbance. Excluding successful
automatic reclosing. For example: a. The loss of a combination of NERC-defined Facilities. b. The loss
of an entire generation station of three or more generators (aggregate generation of 500 MW to 1,999
MW); combined cycle units are represented as one unit. D. The row [Event] titled “Complete or partial
loss of monitoring”: 1. In column 1 [Event], delete the words “or partial”. This is subjective without
definition, delete. 2. Also in column 1 [Event], delete the word “monitoring” and replace with
Supervisory Control and Data Acquisition (SCADA). SCADA is a defined term that explicitly calls out in
the definition “monitoring and control” and is understood by the industry as such. 3. In column 2
[Entity with Reporting Responsibility], delete the words “or partial”; also delete the word “monitoring”
and replace with SCADA. 4. In column 3 [Threshold for Reporting], reword to state “Complete loss of
SCADA affecting a BES control center for >/= 30 continuous minutes”.
Individual
David Revill
GTC
Yes
No
Page 17 & 18, One Hour Reporting and Twenty-four Hour Reporting: append the introductory
statements with the following: “meeting the threshold for reporting” after recognition of the event.
Example: Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties identified pursuant to
Requirement R1, Part 1.2 within twenty-four hours of recognition of the event meeting the threshold
for reporting. Page 19, system separation (islanding); Clarify the intent of this threshold for reporting:
Load >= 100 MW and any generation; or Load >= 100 MW and Generation >= 100 MW, or some
combination of load and generation totaling 100 MW.
Yes
With the exception of the RC and company personnel, it appears this proposed section captures the
same reporting obligations and to the same entities via R1.2. Recommend adjustments to R1.2 such
that reportable events are submitted to NERC, RC, and company personnel.
For R2, please clarify how an entity can demonstrate that no reportable events were experienced.
GTC recommends an allowance for a letter of attestation within M2.
Individual
Scott Berry
Indiana Municipal Power Agency
No
IMPA does not believe that both R3 and R4 are necessary and they are redundant to a degree.
Generally, when performing an annual review of a process or procedure, the call numbers for
agencies or entities are verified to be up to date. Also, in R3, what does “test” mean? It could
have different meanings to registered entities and to auditors which does not promote consistency
among the industry. IMPA recommends going with an annual review of the process and having the
telephone numbers verified that are in the event reporting Operating Plan. IMPA also believes that the
local and federal law enforcement agencies would rather go with a verification of contact information
over being besieged by "test" reports. The way R3 is written gives the appearance that the SDT did
not want to overwhelm the ERO with all of the "test" reports from the registered entities (by
excluding them from the test notification).
No
The event "any physical threat that could impact the operability of a Facility" is not measurable and
can be interpreted many ways by entities or auditors. IMPA recommends incorporating language that
lets this be the judgment of the registered entity only. On the "voltage deviation on a Facility", IMPA
recommends that only the TOP that experiences a voltage deviation be the one responsible for
reporting. For generation loss and transmission loss, IMPA believes that the amount of loss needs to
be associated with a time period or event (concurrent forced outages).
no comment
For 1.2 under R1, is the SDT leaving it up to the registered entities to decide which organizations will
be contacted for each event listed in attachment 1 or do all of those organizations need to be
contacted for each event listed in attachment 1? The requirement needs to clearly communicate this
clarification and be independent of the rationale language. Auditors will go by the requirement and
not the rationale for the requirement. For 1.1 under R1, does each event need its own process of
recognition or can one process be used to cover all the applicable events? The requirement needs to
clearly communicate this clarification and be independent of the rationale language. Auditors will go
by the requirement and not the rationale for the requirement. For 1.2 under R1, company personnel
is used as an example but in the rationale for R1, the third line uses operating personnel. IMPA
recommends changing the example in 1.2 to operating personnel which is used in the current version
of CIP-001.
Individual
Christine Hasha
ERCOT
No
ERCOT has joined the IRC comments on this project and offers these additional comments. ERCOT
requests that the measure be updated to say “acceptable evidence may include”. As written, the
measure reads that there is only one way to comply with the requirement. The Standards should note
"what" an entity is required to do and not prescribe the "how".
Yes
No
ERCOT has joined the IRC comments on this project.
ERCOT has joined the IRC comments on this project and offers these additional comments. ERCOT
supports the alternative approach submitted by the IRC. ERCOT requests that time horizons be added
for each of the requirements as have been with other recent Reliability Standards projects. With
regards to Attachment 1, ERCOT requests the following changes: • Modify “Generation loss” from “≥
1,000 MW for entities in the ERCOT or Quebec Interconnection” to “≥ 1,100 MW for entities in the
ERCOT Interconnection” and “≥ 1,000 MW for entities in the Quebec Interconnection”. This is
consistent with the DCS threshold and eliminates possible operator confusion since DCS events are
reported in the ERCOT interconnection at 80% of single largest contingency which equates to 1100
MW. • Modify “Transmission loss” from “Unintentional loss of three or more Transmission Facilities
(excluding successful automatic reclosing)” to “Inconsequential loss of three or more Transmission
Facilities not part of a single rated transmission path (excluding successful automatic reclosing).” If a
single line is comprised of 3 or more sections, this should not be part of what is reported here as it is
intended to be when you have a single event trip of 3 or more transmission facilities that is not part
of its intended design. • ERCOT requests review of footnote 1. The footnote does not seem
appropriate in including an example of a control center as the definition of a BES facility does not
include control centers.
Individual
Molly Devine
Idaho Power Co.
Yes
But this is going to require that we create a new Operating Plan with test procedures and revision
history.
No
I think that the category “Damage or destruction of a Facility” is too ambiguous, and the Threshold
for Reporting criteria does not help to clarify the question. Any loss of a facility may result in the
need for actions to get to the new operating point, would this be a reportable disturbance?
No
No opinion
No
Individual
Rebecca Moore Darrah
MISO
Yes
No
No
MISO agrees with and adopts the Comments of the IRC on this issue.
Individual
Nathan Mitchell
American Public Power Association
Yes
APPA appreciates the SDT making these requirements clearer as requested in our comments on the
previous draft standard.
No
APPA in our comments on the previous draft of EOP-004-2 requested relief for small entities from this
reporting/documentation standard. APPA suggested setting a 300 MW threshold for some of the
criteria in Attachment 1. This suggestion was not accepted by the SDT. However, the SDT is still
directed by FERC to “consider whether separate, less burdensome requirements for smaller entities
may be appropriate.” Therefore, APPA requests that the SDT provide relief to small entities by
providing separate requirements for small entities by requiring reporting only when one of the four
criteria in DOE-OE-417 are met: 1. Actual physical attack, 2. Actual cyber attack, 3. Complete
operational failure, or 4. Electrical System Separation. APPA recommends this information should be
reported to the small entity’s BA as allowed in the DOE-OE-417 joint filing process.
Yes
The SDT needs to provide some relief for the small entities in regards to the VSL in the compliance
section. APPA believes there should be no High or Severe VSLs for this standard. This is a
reporting/documentation standard and does not affect BES reliability at all. It is APPA’s opinion that
this standard should be removed from the mandatory and enforceable NERC Reliability Standards and
turned over to a working group within the NERC technical committees. Timely reporting of this outage
data is already mandatory under Section 13(b) of the Federal Energy Administration Act of 1974.
There are already civil and criminal penalties for violation of that Act. This standard is a duplicative
mandatory reporting requirement with multiple monetary penalties for US registered entities. If this
standard is approved, NERC must address this duplication in their filing with FERC. This duplicative
reporting and the differences in requirements between DOE-OE-417 and NERC EOP-004-2 require an
analysis by FERC of the small entity impact as required by the Regulatory Flexibility Act of 1980.
Group
ACES Power Marketing Standards Collaborators
Jason Marshall
No
(1) We agree with removing Part 1.4 and we agree with a requirement to periodically review the
event reporting Operating Plan. However we are not convinced the review of the Operating Plan needs
to be conducted annually. The event reporting Operating Plan likely will not change frequently so a
biannual review seems more appropriate. (2) We also do not believe that Requirement R3 is needed
at all. Requirement R3 compels the responsible entity to test their Operating Plan annually. We do not
see how testing an Operating Plan that is largely administrative in nature contributes to reliability.
Given that the drafting team is obligated to address the FERC directive regarding periodic testing, we
suggest the Operating Plan should be tested biannually. This would still meet the FERC directive
requiring periodic testing.
No
The drafting team made a number of positive changes to Attachment 1. However, there are a few
changes that have introduced new issues and there are a number of existing issues that have yet to
be fully addressed. One of the existing issues is that the reporting requirements will result in duplicate
reporting. Considering that one of the stated purposes is to eliminate redundancy, we do not see how
the scope of the SAR can be considered to be met until all duplicate reporting is eliminated. More
specifics on our concerns are provided in the following discussion. (1) In the “Damage or destruction
of a Facility” event, the statement “Affects an IROL (per FAC-014)” in the “Threshold for Reporting” is
ambiguous. What does it mean? If the loss of a Facility will have a 1 MW flow change on the Facilities
to which the IROL applies, is this considered to have affected the IROL? We suggest a more direct
statement that damage or destruction occurred on a Facility to which the IROL applies or to one of
the Facilities that comprise an IROL contingency as identified in FAC-014-2 R5.1.3. Otherwise, there
will continue to be ambiguity over what constitutes “affects”. (2) In the “Damage or destruction of a
Facility” event, the threshold regarding “intentional human action” is ambiguous and suffers from the
same difficulties as defining sabotage. What constitutes intentional? How do we know something was
intentional without a law enforcement investigation? This is the same issue that prevented the
drafting team from defining sabotage. (3) In the “Damage or destruction of a Facility” and “Any
physical threat that could impact the operability of a Facility” events, Distribution Provider should be
removed. Per the Function Model, the Distribution Provider does not have any Facilities (line,
generator, shunt compensator, transformer). The only Distribution Provider equipment that even
resembles a Facility would be capacitors (i.e. shunt compensator) but they do not qualify because
they are not Bulk Electric System Elements. (4) The “Any physical threat that could impact the
operability of a Facility” event requires duplicate reporting. For example, if a large generating plant
experiences such a threat, who should report the event? What if loss of the plant could cause capacity
and energy shortages as well as transmission limits? The end result is that the RC, BA, TOP, GO and
GOP could all end up submitting a report for the same event. For a given operating area, only one
report should be required from one registered entity for each event. (5) The “Any physical threat that
could impact the operability of a Facility” event should not apply to a single Facility but rather multiple
Facilities which if lost would impact BES reliability. As written now, a train derailment near a single
138 kV transmission line or small generator with minimal reliability impact would require reporting.
(6) The “BES Emergency resulting in automatic firm load shedding” should not apply to the DP. In the
existing EOP-004 standard, Distribution Provider is not included and the load shed information still
gets reported. (7) The “Voltage deviation on a Facility” event needs to be clarified that the TOP only
reports voltage deviations in its Transmission Operator Area. Because TOPs may view into other
Transmission Operator Areas, it could technically be required to report another TOP’s voltage
deviation because one of its System Operators observed the neighboring TOP’s voltage deviation. (8)
For the “Loss of firm load greater than 15 minutes” event, the potential for duplicate reporting needs
to be eliminated. Every time a DP experiences this event, the DP, TOP and BA all appear to be
required to report since the DP is within both the Balancing Authority Area and Transmission Operator
Area. Only one report is necessary and should be sent. Given that the existing EOP-004 standard does
not include the DP, we suggest eliminating the DP to eliminate one level of duplicate reporting. (9)
For the “System separation (islanding)” event, please remove DP. As long as any island remains
viable, the Distribution Provider will not even be aware that an island occurred. It is not responsible
for monitoring frequency or having a wide area view. (10) For the “System separation (islanding)”
event, please remove BA. Because islanding and system separation involve Transmission Facilities
automatically being removed from service, this is largely a Transmission Operator issue. This position
is further supported by the approval of system restoration standard (EOP-005-2) that gives the
responsibility to restore the system to the TOP. (11) For the “System separation (islanding)” event,
please eliminate duplicate reporting by clarifying that the RC should submit the report when more
than one TOP is involved. If only one TOP is involved, then the single TOP can submit the report or
the RC could agree to do it on their behalf. Only one report is necessary. (12) For the “Generation
loss” event, duplicate reporting should be eliminated. It is not necessary for both the BA and GOP to
submit two separate reports with nearly identical information. Only one entity should be responsible
for reporting. (13) For the “Complete loss of off-site power to a nuclear generating plant”, the
associated GO or GOP should be required to report rather than the TO or TOP. Maintaining power to
cooling systems is ultimately the responsibility of the nuclear plant operator. At the very least, TO
should be removed because it is not an operating entity and loss of off-site power is an operational
issue. If the TOP remains in the reporting responsibility, it should be clarified that it is only a TOP with
an agreement pursuant to NUC-001. All of this is further complicated because NUC-001 was written
for a non-specific transmission entity because there was no one functional entity from which the
nuclear plant operator gets its off-site power. (14) For the “Complete or partial loss of monitoring
capability”, partial loss needs to be further clarified. Is loss of a single RTU a partial loss of monitoring
capability? For a large RC is loss of ICCP to a single small TOP, considered a partial loss? We suggest
as long as the entity has the ability to monitor their system through other means that the event
should not be reported. For the loss of a single RTU, if the entity has a solving state estimator that
provides estimates for the area impacted, the partial threshold loss would not be considered. If the
entity has another entity (i.e. perhaps the RC is still receiving data for its TOP area, the RC can
monitor for the TOP) that can monitor their system as a backup, the partial loss has not been met.
No
(1) It is not clear to us what is driving the need for the Rules of Procedure proposal. NERC is
already collecting event and disturbance reports without memorializing the change in the Rules of
Procedure. (2) The language potentially conflicts with other subsections in Section 800. For instance,
the proposal says that the system will apply to collect report forms “for this section”. This section
would refer to Section 800. Section 800 covers NERC alerts and GADS. Electronic GADS (eGADS)
already has been established to collect GADS data. Will this section cause NERC to have to
incorporate eGADS into this report collection system? Incorporating NERC Alerts is also problematic
because when reports are required as a result of a NERC alert, the report must be submitted through
the NERC Alert system. (3) The statement that “a system to collect report forms as established for
this section or standard” causes additional confusion regarding to which standards it applies. Does it
only apply to this new EOP-004-2 or to all standards? If it applies to all standards, does this create a
potential issue for CIP-008-3 R1.3 which requires reporting to the ES-ISAC and not this
clearinghouse?
(1) IC, TSP, TO, GO, and DP should be all removed from the applicability of the standard. Previous
versions of the standard did not apply to them and we see no reason to expand applicability to them.
IC and TSP are not even mentioned in any of the “Entity with Reporting Responsibility” sections. For
the sections that do not mention specific entities, IC and TSP would have no responsibility for any of
the events. The TO and GO are not operating entities so the reporting should not apply to them. DP
was not included in any previous versions of CIP-001 or EOP-004. Any information (such as load) that
was necessary regarding DPs was always gathered by the BA or TOP and included in their reports.
There is no indication that this process was not working and, therefore, it should not be changed.
Furthermore, including the DP potentially expands the standard outside of the Bulk Electric System
which is contrary to recent statements that NERC Legal has made at the April 11 and 12, 2012 SC
meeting. Their comments indicated the standards are written for the Bulk Electric System. What
information does a DP have to report except load loss which can easily be reported by the BA or TOP?
(2) Measure M2 needs to clarify an attestation is an acceptable form of evidence if there are no
events. (3) The rationale box for R3 and R4 should be modified. It in essence states that updating the
event reporting Operating Plan and testing it will assure that the BES remains secure. While these
requirements might contribute to reliability, these two requirements collectively will not assure BES
security and stability. (4) We disagree with the VSLs for Requirement R2. While the VSLs associated
with late reporting for a 24-hour reporting requirement include four VSLs, the one-hour reporting
requirement only includes three VSLs. There seems to be no justification for this inconsistency. Four
VSLs should be written for the one-hour reporting requirement. (5) Reporting of reportable Cyber
Security Incidents does not appear to be fully coordinated with version 5 of the CIP standards. For
instance, EOP-004-2 R1, Part 1.2 requires a process for reporting events to external entities and CIP-008-5 Part 1.5 requires identifying external groups to which to communicate Reportable Cyber
Security Incidents. Thus, it appears the Cyber Security Incident response plan in CIP-008-5 R1 and
the event reporting Operating Plan in EOP-004-2 R1 will compel duplication of external reporting at
least in the document of the Operating Plan and Reportable Cyber Security Incident response plan.
This needs to be resolved. (6) In the effective date section of the implementation plan, the statement
that the prior version of the standard remains in effect until the new version is accepted by all
applicable regulatory authorities is not correct. In areas where regulatory approval is required, it will
only remain in effect in the areas where the regulator has not approved it. (7) On page 6 in the
background section, the statement attributing RCIS reporting to the TOP standards is not accurate.
There is no requirement in the TOP standards to report events across RCIS. In fact, the only mention
of RCIS in the standards occurs in EOP-002-3 and COM-001-1.1. (8) On page 6 in the background
section, the first sentence of the third paragraph is not completely aligned with the purpose statement
of the standard. The statement in the background section indicates that the reliability objective “is to
prevent outages which could lead to Cascading by effectively reporting events”. However, the purpose
states that the goal is to improve reliability. We think it would make more sense for the reliability
objective to match the purpose statement more closely. (9) On page 7 in the first paragraph,
“industry facility” should be changed to “Facility”.
Group
Seattle City Light
Pawel Krupa
Yes
This is a great improvement over the prior CIP and EOP versions. However, please see #4 for overall
comment.
Yes
This is a great improvement over the prior CIP and EOP versions. However, please see #4 for overall
comment.
No
Seattle City Light follows MEAG and believes this type of activity and process is better suited to
NAESB than it is to NERC Compliance.
1) Seattle City Light follows MEAG and questions if these administrative activities better should be
sent over to NAESB? R1: There is merit in having a plan as identified in R1, but is this a need to
support reliability or is it a business practice? Should it be in NAESB’s domain? R2, R3 & R4: These
are not appropriate for a Standard. If you don’t annually review the plan, will reliability be reduced
and the BES be subject to instability, separation and cascading? If DOE needs a form filled out, fill it
out and send it to DOE. NERC doesn’t need to pile on. Mike Moon and Jim Merlo have been stressing
results and risk based, actual performance based, event analysis, lessons learned and situational
awareness. EOP-004 is primarily a business preparedness topic and identifies administrative
procedures that belong in the NAESB domain. 2) Seattle City Light finds that even though efforts were
made to differentiate between sabotage vs. criminal damage, the difference still appears to be
confusing. Sabotage clearly requires FBI notification, but criminal damage (i.e. copper theft,
trespassing, equipment theft) is best handled by local law agencies. A key point on how to determine
the difference is to always go with the evidence. If you have a hole in the fence and cut grounding
wires, this would only require local law enforcement notification. If there is a deliberate attack on a
utility’s BES infrastructure for intent of sabotage and/or terrorism--this is an FBI notification event. One
area where a potential for confusion arises is with the term “intentional human action” in defining
damage. Shooting insulators on a rural transmission tower is not generally sabotage, but removing
bolts from the tower may well be. Seattle understands the difficulty in differentiating these two cases,
for example, and supports the proposed Standard, but would encourage additional clarification in this
one area.
Individual
Tony Kroskey
Brazos Electric Power Cooperative
No
Please see the comments submitted by ACES Power Marketing.
No
Please see the comments submitted by ACES Power Marketing.
No
Please see the comments submitted by ACES Power Marketing.
We thank the work of the SDT on this project. However, additional improvements should be made as
described in the comments submitted by ACES Power Marketing.
Individual
Darryl Curtis
Oncor Electric Delivery
Yes
Yes
Yes
Oncor takes the position that the proposed objectives as prescribed in Project 2009-01 – Disturbance
and Sabotage Reporting, is a “good” step forward. Currently, NERC reporting obligations related to
disturbances occur over multiple standards including CIP-001, EOP-004-1, TOP-007-0, CIP-008-3
and Event Analysis (EA). Oncor is especially pleased that the Event Analysis Working Group (EAWG) is
actively working to find ways of streamlining the disturbance reporting process especially to agencies
outside of NERC such as FERC, and state agencies. Oncor is in agreement that an addition to the
NERC Rules of Procedure in section 800 to develop a Reporting Clearinghouse for disturbance events
by the establishment of a system to collect report and then forward completed forms to various
requesting agencies, is also a very positive step.
Individual
Denise Lietz
Puget Sound Energy, Inc.
Yes
This draft is a considerable improvement on the previous draft in terms of clarity and will be much
easier for Responsible Entities to implement. Puget Sound Energy appreciates the drafting team’s
responsiveness to stakeholders’ concerns and the opportunity to comment on the current draft. The
drafting team should revise Requirement R2 to state that the “activation” of the Operating Plan is
required only when an event occurs, instead of using the term “implement”. “Implementation” could
also refer to the activities such as distributing the plan to operating personnel and training operating
personnel on the use of the plan. These activities are not triggered by any event and, since it is clear
from the measure that this requirement is intended to apply only when there has been a reportable
event, the requirement should be revised to state that as well. The drafting team should revise
measure M2 to require reports to be “supplemented by operator logs or other reporting
documentation” only “as necessary”. In many cases, the report itself and time-stamped record of
transmittal will be the only documents necessary to demonstrate compliance with requirement R2.
Under Requirement R3, using an actual event as sufficient for meeting the requirement for conducting
an annual test would likely fall short of demonstrating compliance with the entire scope of the
Operating Plan. R1.2 requires "a process for communicating EACH of the applicable events listed....".
If the actual event is only one of many "applicable" events, is it sufficient to only exercise one process
flow? If there is no actual event during the annual time-frame, do all the process flows then have to
be exercised?
No
The Note at the beginning of Attachment 1 references notifying parties per Requirement R1; however,
notification occurs in conjunction with Requirement R2. The term “Adverse Reliability Impact” is used
in the threshold section of the event “Damage or destruction of a Facility”. At this time, there are two
definitions for that term in the NERC Glossary. The FERC-approved definition for this term is “The
impact of an event that results in frequency-related instability; unplanned tripping of load or
generation; or uncontrolled separation or cascading outages that affects a widespread area of the
Interconnection.” If the drafting team instead means to use the definition that NERC approved on
8/4/2011 (as seems likely, since that definition more closely aligns with the severity level indicated by
the other two threshold statements) then the definition should be included in the Implementation Plan
as a prerequisite approval. In addition, would the threshold of “Results from actual or suspected
intentional human action” include results from actual intentional human action which produced an
accidental result, meaning, someone was intentionally doing some authorized action but
unintentionally made a mistake, leading to damage of a facility? The event “Any physical threat that
could impact the operability of a Facility” will require reporting for many events that have little or no
significance to reliable operation of the Bulk Electric System. For example, a balloon lodged in a 115
kV transmission line is a “physical threat” that could definitely “impact the operability” of that Facility
and, yet, will probably have little reliability impact. So, too, could a car-pole accident that causes a
pole to lean, a leaning tree, or an unfortunately-located bird’s nest. The drafting team should develop
appropriate threshold language so that reporting is required only for events that do threaten the
reliability of the Bulk Electric System. With respect to the event “Unplanned control center
evacuation”, the standard drafting team should include the term “complete” in the description and/or
threshold statement to avoid having partial evacuations trigger the need to report.
The effective date language in the Implementation Plan is inconsistent with the effective date
language in the proposed standard. In addition, the statement of effective date in the Implementation
Plan is ambiguous – will EOP-004-2 be effective in accordance with the first paragraph or when it is
“assigned an effective date” as stated in the second paragraph? All requirements should be assigned a
Lower Violation Risk Factor. Medium risk factors require direct impact on the Bulk Electric System and
the language there regarding “instability, separation, or cascading failures” is present to distinguish
the Medium risk factor from the High risk factor. Since all of the requirements address after-the-fact
reporting, there can be no direct impact on the Bulk Electric System. In addition, if having an
Operating Plan under Requirement R1 is a Lower risk factor, then it does not make sense that
reviewing that Operating Plan annually under Requirement R4 has a higher risk factor. The shift away
from "the distracting element of motivation", i.e., removing "Sabotage" from the equation, runs the
risk of focusing solely on what happened, how to fix it, and waiting for the next event to occur. That
speaks to a reactive approach rather than a proactive one. There is a concern with the removal of the
FBI from the reporting mix. Basically, the new standard will involve reporting a suspicious event or
attack to local law enforcement and leaving it up to them to decide on reporting to the FBI.
Depending on their evaluation, an event which is significant for a responsible entity might not rise to
the priority level of the local law enforcement agency for them to report it to the FBI. While this might
reduce the reporting requirements a bit, it might do so to the responsible entity’s detriment. In
Attachment 2 - item 4, would it be possible for the boxes to be either alpha-sorted or sorted by priority?
There is a disconnect between footnote 1 on page 18 (Don't report copper theft) and the Guideline
section, which suggests reporting forced intrusion attempt at a substation. Also, in the section
discussing the removal of sabotage, the Guideline mentions certain types of events that should be
reported to NERC, DHS, FBI, etc., while that specificity with respect to entities has been removed
from the reporting requirement.
Individual
Steve Alexanderson
Central Lincoln
No
The new language of R3 and R4 provides nothing to clarify the word “annual.” We note that while a
Compliance Application Notice was written on this, Central Lincoln believes that standards should be
written so they do not rely on the continually changing CANs. CAN-0010 itself implies that “annual”
should be defined within the standards themselves. We suggest: R3 Each Responsible Entity shall
conduct a test of the communications process in R1 Part 1.2, not including notification to the Electric
Reliability Organization, at least once per calendar year with no more than 15 calendar months
between tests. R4 Each Responsible Entity shall conduct a review of the event reporting Operating
Plan in Requirement R1 at least once per calendar year with no more than 15 calendar
months between reviews.
No
1) We appreciate the changes made to reduce the short time reporting requirements. 2) We would
like to point out that the 24 hour reporting threshold for “Damage or destruction of a Facility”
resulting from intentional human action will still be non-proportional BES risk for certain events. The
discovery of a gunshot 115 kV insulator will start the 24 hour clock running, no matter how busy the
discoverer is performing restoration or other duties that are more important. The damage may have
been done a year earlier, but upon discovery the report suddenly becomes the priority task. To hit the
insulator, the shooter likely had to take aim and pull the trigger, so intent is at least suspected if not
actual. And the voltage level ensures the insulator is part of a Facility. 3) We also note that the theft
of in service copper is not a physical threat, it is actual damage. The reference to Footnote 1 should
be relocated or copied to the cell above the one it resides in now. 4) We support the APPA comments
regarding small entities.
Yes
Thank you for minimizing the number of necessary reports.
We agree with the comments provided by both PNGC and APPA.
We agree with the comments provided by both PNGC and APPA.
We agree with the comments provided by both PNGC and APPA.
Individual
Mauricio Guardado
Los Angeles Department of Water and Power
Yes
No
LADWP has the following comments: #1 - “Any physical threat that could impact the operability of a
Facility” is still vague and “operability” is too low a threshold. There needs to be a potential impact to
BES reliability. #2 – “Voltage Deviation on a Facility” I think the threshold definition needs to be more
specific: Is it 10% from nominal? 10% from normal min/max operating tables/schedules? Another
entity's 10% might be different than mine. #3 – “Transmission Loss” The threshold of three facilities
is still too vague. A generator and a transformer and a gen-tie are likely to have overlapping zones of
protection that could routinely take out all three. The prospect of penalties would likely cause
unneeded reporting.
LADWP does not have a comment on this question at this time
LADWP does not have any other comments at this time
Group
Arkansas Electric Cooperative Corporation
Philip Huff
No
AECC supports the comments submitted by ACES Power Marketing.
No
AECC supports the comments submitted by ACES Power Marketing.
No
AECC supports the comments submitted by ACES Power Marketing.
Group
Avista
Scott Kinney
Yes
Yes
In general the SDT has made significant improvements to Attachment 1. Avista does have a
suggestion to further improve Attachment 1. In Attachment 1 under the 24 hour Reporting Matrix, the
second event states "Any physical threat that could impact the operability of a Facility" and the
Threshold for Reporting states "Threat to a Facility excluding weather related threats". This is
extremely open ended. We suggest adding the following language to the Threshold for Reporting for
Any Physical Threat: Threat to a facility that: Could affect an IROL (per FAC-014) OR Could result in
the need for actions to avoid an Adverse Reliability Impact. This new language would be consistent
with the reporting threshold for a Damage event.
Group
PNGC Comment Group
Ron Sporseen
Yes
Yes
We agree with reservations. Our comments are below and we are seeking clarification of the
Applicability section of the standard. We are voting "no" but if slight changes are made to the
applicability section we will change our votes to "yes". NERC and FERC have expressed a willingness
to address the compliance burden on smaller entities that pose minimal risk to the Bulk Electric
System. The PNGC Comment Group understands the SDT’s intent to categorize reportable events and
achieve an Adequate Level of Reliability while also understanding the costs associated. Given the
changes made by the SDT to Attachment 1, we believe you have gone a long way in alleviating the
potential for needless reporting from small entities that does not support reliability. One remaining
concern we have is potential reporting requirements in the Event types; “Damage or destruction of
a Facility” and “Any physical threat that could impact the operability of a Facility”. These two event
types have the following threshold language; “Results from actual or suspected intentional human
action” and “Threat to a Facility excluding weather related threats” respectively. We believe these two
thresholds could lead to very small entities filing reports for events that really are not a threat to the
BES or Reliability. Note: For vandalism, sabotage or suspected terrorism, even the smallest entities
will file a police report and at that point local law enforcement will follow their terrorism reporting
procedures if necessary, as you’ve rightly indicated in your “Law Enforcement Reporting” section. We
believe extraneous reporting could be alleviated with a small tweak to the Applicability section for
4.1.9 to exclude the smallest Distribution Providers. As stated before, even if these very small entities
are excluded from filing reports under EOP-004-2, threats to Facilities that they may have will still be
reported to local law enforcement while not cluttering up the NERC/DOE reporting process for real
threats to the BES. Our suggested change: 4.1.9. Distribution Provider: with peak load >= 200 MWs
The PNGC Comment Group arrived at the 200 MWs threshold after reviewing Attachment 1, Event
“Loss of firm load for >= 15 Minutes”. We agree with the SDT’s intent to exclude these small firm load
losses from reporting through EOP-004-2. Another approach we could support is that taken by the
Project 2008-06 SDT with respect to Distribution Provider Facilities: 4.2.2 Distribution Provider: One
or more of the Systems or programs designed, installed, and operated for the protection or
restoration of the BES: • A UFLS or UVLS System that is part of a Load shedding program required by
a NERC or Regional Reliability Standard and that performs automatic Load shedding under a common
control system, without human operator initiation, of 300 MW or more • A Special Protection System
or Remedial Action Scheme where the Special Protection System or Remedial Action Scheme is
required by a NERC or Regional Reliability Standard • A Protection System that applies to
Transmission where the Protection System is required by a NERC or Regional Reliability Standard •
Each Cranking Path and group of Elements meeting the initial switching requirements from a
Blackstart Resource up to and including the first interconnection point of the starting station service of
the next generation unit(s) to be started. We’re not advocating this exact language but rather the
approach that narrows the focus to what is truly impactful to reliability while minimizing costs and
needless compliance burden. One last issue we have is with the language in Attachment 1, Event
“BES Emergency resulting in automatic firm load shedding.” Under “Entity with Reporting
Responsibility”, you state that the DP or TOP that “implements” automatic load shedding of >= 100
MWs must report (Also please review the CIP threshold of 300 MWs as this may be a more
appropriate threshold). We believe rather than specifying a DP or TOP report, it would be appropriate
for the UFLS Program Owner to file the report per EOP-004-2. In our situation we have DPs that own
UFLS relays that are part of the TOP’s program and this could lead to confusing reporting
requirements. Also we don’t believe that an entity can “Implement” “Automatic” load shedding but
this is purely a semantic issue.
Yes
We appreciate the hard work of the SDT.
Group
Colorado Springs Utilities
Jennifer Eckels
Yes
Yes
Yes
CSU is concerned with the word ‘damage’. We support any ‘destruction’ of a facility that meets any of
the three criteria be a reportable issue, but ‘damage’, if it’s going to be included should have some
objective definition that sets a baseline.
Individual
James Tucker
Deseret Power
Yes
No
The threshold for reporting is way too low. A gun shot insulator is not an act of terrorism... vandalism
yes... and a car hit pole would be reportable on a 138 kV line. These seem to be too aggressive in
reporting.
Yes
Group
National Rural Electric Cooperative Association (NRECA)
Barry Lawson
No
NRECA is concerned with the drafting team's proposal to add a new Section 812 to the NERC ROP.
NRECA does not see the need for the drafting team to make such a proposal as it relates to the new
EOP-004 that the drafting team is working on. The requirements in the draft standard clearly require
what is necessary for this Event Reporting standard. NRECA requests that the drafting team withdraw
its proposed ROP Section 812 from consideration. The proposed language is unclear to the point of
not being able to understand who is being required to do what. Further, the language is styled in
more of a proposal, and not in the style of what would appropriately be included in the NERC ROP.
Finally, the SDT has not adequately supported the need for such a modification to the NERC ROP.
Without that support, NRECA is not able to agree with the need for this addition to the ROP. Again,
NRECA requests that the drafting team withdraw its proposed ROP Section 812 from consideration.
Individual
Michael Gammon
Kansas City Power & Light
No
Requirement 3 requires a test of the communications in the operating plan. A test implies a
simulation of the communications part of the operating plan by actual communications being
conducted pursuant to the plan. It is not appropriate to burden agencies with testing of
communications under a test environment. Recommend the drafting team consider a confirmation of
the contact information with various agencies as the operations plan dictates.
No
For the event, “Damage or destruction of a Facility”, the “Threshold for reporting” includes “Results
from actual or suspected intentional human action”. This is too broad and could include events such
as damage to equipment resulting from stealing copper or wire which has no intentional motivation to
disrupt the reliability of the bulk electric system. Reports of this type to law enforcement and
governmental agencies will quickly appear as noise and begin to be treated as noise. This may result
in overlooking a report that deserves attention. Recommend the drafting team consider making this
threshold conditional on the judgment by the entity on the human action intended to be a potential
threat to the reliability of the bulk electric system. For the event, “Any physical threat that could
impact the operability of a Facility”, the same comment as above applies. The footnote states to
include copper theft if the Facility operation is impacted. Again, it is recommended to make a report
of this nature conditional on the judgment of the entity on the intent to be a potential threat to the
reliability of the bulk electric system.
No
Rules stipulating the extent of how reported information will be treated by NERC is an important
consideration, however, the proposed section 812 proposes to provide reports to other governmental
agencies and regulatory bodies beyond that of NERC and FERC. NERC should be treating the event
information reported to NERC as confidential and should not take it upon itself to distribute such
information beyond the boundaries of the national interest at NERC and FERC.
The flowchart states, “Notification Protocol to State Agency Law Enforcement”. Please correct this to,
“Notification to State, Provincial, or Local Law Enforcement”, to be consistent with the language in the
background section part, “A Reporting Process Solution – EOP-004”. Evidence Retention – it is not
clear what the phrase “prior 3 calendar years” represents in the third paragraph of this section
regarding data retention for requirements and measures for R2, R3, R4 and M2, M3, M4 respectively.
Please clarify what this means. Is that different than the meaning of “since the last audit for 3
calendar years” for R1 and M1?
Consideration of Comments
Disturbance and Sabotage Reporting – Project 2009-01
The Disturbance and Sabotage Reporting Drafting Team thanks all commenters who submitted comments on the
draft standard EOP-004-2. This standard was posted for a 30-day public comment period from April 25, 2012
through May 24, 2012. Stakeholders were asked to provide feedback on the standards and associated
documents through a special electronic comment form. There were 87 sets of comments, including comments
from approximately 210 different people from approximately 135 companies representing 9 of the 10 Industry
Segments as shown in the table on the following pages.
All comments submitted may be reviewed in their original format on the standard’s project page:
http://www.nerc.com/filez/standards/Project2009-01_Disturbance_Sabotage_Reporting.html
If you feel that your comment has been overlooked, please let us know immediately. Our goal is to give every
comment serious consideration in this process! If you feel there has been an error or omission, you can contact
the Vice President of Standards and Training, Herb Schrayshuen, at 404-446-2560 or at
herb.schrayshuen@nerc.net. In addition, there is a NERC Reliability Standards Appeals Process. [1]
[1] The appeals process is in the Standard Processes Manual:
http://www.nerc.com/files/Appendix_3A_Standard_Processes_Manual_Rev%201_20110825.pdf
Summary Consideration: The DSR SDT received several suggestions for improvement to the standard.
As a result of these revisions, the DSR SDT is posting the standard for a second successive ballot period.
The DSR SDT has removed reporting of Cyber Security Incidents from EOP-004 and has asked the team
developing CIP-008-5 to retain this reporting. With this revision, the Interchange Coordinator,
Transmission Service Providers, Load-Serving Entity, Electric Reliability Organization and Regional Entity
were removed as Responsible Entities.
Most of the language contained in the “Background” Section was moved to the “Guidelines and
Technical Basis” Section. Minor language changes were made to the measures and the data retention
section. Attachment 2 was revised to list events in the same order in which they appear in Attachment
1.
Requirement R1 was revised to include the Parts in the main body of the Requirement. The Measure
and VSLs were updated accordingly.
Following review of the industry’s comments, the SDT has re-examined the FERC Directive in Order 693
and has dropped both R3 and R4 as they were written, and has established a new Requirement R3 to have
the Registered Entity “validate” the contact information in the contact list(s) they may have for the
events applicable to them. This validation needs to be performed each calendar year to ensure that the
list(s) have current and up-to-date contact data.
R3. Each Responsible Entity shall validate all contact information contained in the Operating
Plan per Requirement R1 each calendar year. [Violation Risk Factor: Medium] [Time
Horizon: Operations Planning]
The SDT reviewed, discussed and updated Attachment 1 based on comments received from commenters,
FERC directives and what is required for combining CIP-001 and EOP-004 into EOP-004-2. Under the
Event column, the SDT classifies each type of event by assigning an “Event” title. The DSR SDT
then updated the “Entity with Reporting Responsibilities” column to simply state which entity has the
responsibility to report if it experiences an event. The last column, “Threshold for Reporting”, is a
bright line that, if reached, requires the entity to report that it experienced the applicable event per
Requirement 1.
The DSR SDT proposed a revision to the NERC Rules of Procedure (Section 812). The SDT has learned
that NERC has started a new effort to forward event reports to applicable government authorities. As
such, Section 812 is no longer needed and will be removed from this project.
Index to Questions, Comments, and Responses
1. The DSR SDT has revised EOP-004-2 by removing Requirement 1, Part 1.4 and separating Parts 1.3
and 1.5 into new Requirements R3 and R4. Requirement R3 calls for an annual test of the
communications portion of the Operating Plan and Requirement R4 requires an annual review of
the Operating Plan. Do you agree with this revision? If not, please explain in the comment area
below.
2. The DSR SDT made clarifying revisions to Attachment 1 based on stakeholder feedback. Do you
agree with these revisions? If not, please explain in the comment area below.
3. The DSR SDT has proposed a new Section 812 to be incorporated into the NERC Rules of
Procedure. Do you agree with the proposed addition? If not, please explain in the comment area
below.
4. Do you have any other comment, not expressed in the questions above, for the DSR SDT?
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Group/Individual
Commenter
Organization
Registered Ballot Body Segment
1
1.
Group
Guy Zito
Additional Member Additional Organization
1.
Alan Adamson
Northeast Power Coordinating Council
Region
New York State Reliability Council, LLC
2
3
4
5
6
7
8
9
10
X
Segment
Selection
NPCC
10
2.
Greg Campoli
New York Independent System Operator
NPCC
2
3.
Sylvain Clermont
Hydro-Quebec TransEnergie
NPCC
1
4.
Chris de Graffenried
Consolidated Edison Co. of New York, Inc. NPCC
1
5.
Gerry Dunbar
Northeast Power Coordinating Council
NPCC
10
6.
Mike Garton
Dominion Resources Services, Inc.
NPCC
5
7.
Kathleen Goodman
ISO - New England
NPCC
2
8.
Michael Jones
National Grid
NPCC
1
9.
David Kiguel
Hydro One Networks Inc.
NPCC
1
10.
Michael Lombardi
Northeast Utilities
NPCC
1
11.
Randy MacDonald
New Brunswick Power Transmission
NPCC
9
12.
Bruce Metruck
New York Power Authority
NPCC
6
13.
Silvia Parada Mitchell
NextEra Energy, LLC
NPCC
5
14.
Lee Pedowicz
Northeast Power Coordinating Council
NPCC
10
15.
Robert Pellegrini
The United Illuminating Company
NPCC
1
16.
Si Truc Phan
Hydro-Quebec TransEnergie
NPCC
1
17.
David Ramkalawan
Ontario Power Generation, Inc.
NPCC
5
18.
Peter Yost
Consolidated Edison Co. of New York, Inc. NPCC
3
19.
Michael Schiavone
National Grid
NPCC
1
20.
Wayne Sipperly
New York Power Authority
NPCC
5
21.
Tina Teng
Independent Electricity System Operator
NPCC
2
22.
Donald Weaver
New Brunswick System Operator
NPCC
2
23.
Ben Wu
Orange and Rockland Utilities
NPCC
1
2.
Group
Kent Kujala
DECo
2
3
X
4
X
5
6
7
8
9
10
X
Additional Member Additional Organization Region Segment Selection
1. Barbara Holland
RFC
3, 4, 5
2. Alexander Eizans
RFC
3, 4, 5
3.
Group
Greg Rowland
Duke Energy
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Doug Hils
Duke Energy
RFC
1
2. Ed Ernst
Duke Energy
SERC
3
3. Dale Goodwine
Duke Energy
SERC
5
4. Greg Cecil
Duke Energy
RFC
6
4.
Group
Brenda Hampton
Luminant
X
Additional Member
1. Mike Laney
5.
Group
Additional Organization
Patricia Robertson
5
6
7
8
9
10
BC Hydro
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Additional Organization Region Segment Selection
WECC 2
2. Pat G. Harrington
BC Hydro
WECC 3
3. Clement Ma
BC Hydro
WECC 5
Group
4
5
1. Venkatarmakrishnan Vinnakota BC Hydro
6.
3
Region Segment Selection
Luminant Generation Company, LLC
Additional Member
2
Chris Higgins
Bonneville Power Administration
Additional Member Additional Organization Region Segment Selection
1. James
Burns
WECC 1
2. John
Wylder
WECC 1
3. Kristy
Humphrey
WECC 1
7.
Group
Jesus Sammy Alcaraz
Imperial Irrigation District (IID)
X
Additional Member Additional Organization Region Segment Selection
1. Joel Fugett
IID
WECC 1, 3, 4, 5, 6
2. Cathy Bretz
IID
WECC 1, 3, 4, 5, 6
8.
Group
Connie Lowe
Dominion
Additional Member Additional Organization Region Segment Selection
1. Michael Crowley
SERC
2. Mike Garton
NPCC 5, 6
3. Randi Heise
MRO
5
4. Louis Slade
RFC
5
9.
Group
Robert Rhodes
Additional Member
1, 3, 5, 6
SPP Standards Review Group
Additional Organization
X
Region Segment Selection
1.
Matt Bordelon
CLECO Power
SPP
1, 3, 5
2.
Michelle Corley
CLECO Power
SPP
1, 3, 5
3.
Gary Cox
Southwestern Power Administration
SPP
1, 5
4.
Dan Lusk
Xcel Energy
SPP
1, 3, 5, 6
5.
Stephen McGie
City of Coffeyville
SPP
NA
6.
John Payne
KEPCO
SPP
4
7.
Terri Pyle
Oklahoma Gas & Electric
SPP
1, 3, 5
8.
Sean Simpson
Board of Public Utilities, City of McPherson, KS SPP
NA
9.
Ashley Stringer
Oklahoma Municipal Power Authority
4
SPP
10. Mike Swearingen
Tri-County Electric Cooperative
SPP
4
11. Michael Veillon
CLECO Power
SPP
1, 3, 5
12. Mark Wurm
Board of Public Utilities, City of McPherson, KS SPP
NA
13. Jonathan Hayes
Southwest Power Pool
SPP
2
14. Julie Lux
Westar Energy
SPP
1, 3, 5, 6
15. Greg McAuley
Oklahoma Gas & Electric
SPP
1, 3, 5
10.
Frank Gaffney
Group
Florida Municipal Power Agency
2
3
X
X
X
X
4
X
5
6
X
X
X
X
7
8
9
10
Additional Member Additional Organization Region Segment Selection
1. Timothy Beyrle
City of New Smyrna Beach FRCC
4
2. Jim Howard
Lakeland Electric
FRCC
3
3. Greg Woessner
Kissimmee Utility Authority FRCC
3
4. Lynne Mila
City of Clewiston
FRCC
3
5. Joe Stonecipher
Beaches Energy Services FRCC
1
6. Cairo Vanegas
Fort Pierce Utility Authority FRCC
4
7. Randy Hahn
Ocala Utility Services
3
11.
Group
Brent Ingebrigtson
No additional members listed.
FRCC
LG&E and KU Services
12.
Group
WILL SMITH
MRO NSRF
X
2
X
3
X
4
X
5
X
6
X
7
8
9
10
X
Additional Member Additional Organization Region Segment Selection
1.
MAHMOOD SAFI
2.
OPPD
MRO
1, 3, 5, 6
CHUCK LAWRENCE ATC
MRO
1
3.
TOM WEBB
WPS
MRO
3, 4, 5, 6
4.
JODI JENSON
WAPA
MRO
1, 6
5.
KEN GOLDSMITH
ALTW
MRO
4
6.
ALICE IRELAND
XCEL
MRO
1, 3, 5, 6
7.
DAVE RUDOLPH
BEPC
MRO
1, 3, 5, 6
8.
ERIC RUSKAMP
LES
MRO
1, 3, 5, 6
9.
JOE DEPOORTER
MGE
MRO
3, 4, 5, 6
10. SCOTT NICKELS
RPU
MRO
4
11. TERRY HARBOUR
MEC
MRO
3, 5, 6, 1
12. MARIE KNOX
MISO
MRO
2
13. LEE KITTELSON
OTP
MRO
1, 3, 4, 5
14. SCOTT BOS
MPW
MRO
1, 3, 5, 6
15. TONY EDDLEMAN
NPPD
MRO
1, 3, 5
16. MIKE BRYTOWSKI
GRE
MRO
1, 3, 5, 6
17. THERESA ALLARD
MPC
MRO
1, 3, 5, 6
13.
Stephen J. Berger
Group
Additional
Member
1.
3
Region
PPL Generation, LLC on Behalf of its NERC Registered
Entities
5
WECC
5
MRO
6
4.
NPCC
6
5.
SERC
6
6.
SPP
6
7.
RFC
6
8.
WECC
6
2.
Mark Heimbach
14.
Group
Joe Tarantino
PPL EnergyPlus, LLC
SMUD & BANC
5
6
X
X
X
X
7
8
9
10
Segment
Selection
RFC
3.
4
PPL Corporation NERC Registered Affiliates
Additional
Organization
Annette Bannon
2
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Kevin Smith
15.
Group
BANC
WECC 1
Albert DiCaprio
ISO/RTO Standards Review Committee
X
Additional Member Additional Organization Region Segment Selection
1.
Terry Bilke
MISO
RFC
2
2.
Greg Campoli
NY ISO
NPCC
2
3.
Gary DeShazo
CAISO
WECC 2
4.
Matt Goldberg
ISO NE
NPCC
2
5.
Kathleen Goodman ISO NE
NPCC
2
6.
Stephanie Monzon
PJM
RFC
2
7.
Steve Myers
ERCOT
ERCOT 2
8.
Bill Phillips
MSO
RFC
2
9.
Don Weaver
NBSO
NPCC
2
10. Charles Yeung
SPP
SPP
2
16.
Sam Ciccone
Group
FirstEnergy
X
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1. Bill Duge
FE
RFC
2. Doug Hohlbaugh
17.
FE
Group
Additional Member
1.
Bill Hutchison
2.
RFC
Jason Marshall
ACES Power Marketing Standards
Collaborators
Additional Organization
Southern Illinois Power Cooperative
Region Segment Selection
SERC
1
Robert A. Thomasson Big Rivers Electric Corporation
SERC
1
3.
Shari Heino
Brazos Electric Power Cooperative
ERCOT 1
4.
John Shaver
Arizona Electric Power Cooperative
WECC 4, 5
5.
John Shaver
Southwest Transmission Cooperative
WECC 1
6.
Michael Brytowski
Great River Energy
MRO
7.
Scott Brame
North Carolina Electric Membership Corporation SERC
18.
Group
Pawel Krupa
X
Seattle City Light
1, 3, 5, 6
1, 3, 4, 5
X
X
X
X
X
Additional Member Additional Organization Region Segment Selection
1.
Pawel Krupa
Seattle City Light
WECC 1
2.
Dana Wheelock
Seattle City Light
WECC 3
3.
Hao Li
Seattle City Light
WECC 4
19.
Group
Scott Kinney
Avista
X
Additional Member Additional Organization Region Segment Selection
1.
Ed Groce
Avista Corp
WECC 5
2.
Bob Lafferty
Avista Corp
WECC 3
20.
Group
Additional Member
Ron Sporseen
PNGC Comment Group
Additional Organization
X
X
X
X
Region Segment Selection
1.
Joe Jarvis
Blachly-Lane Electric Cooperative
WECC 3
2.
Dave Markham
Central Electric Cooperative
WECC 3
3.
Dave Hagen
Clearwater Power Company
WECC 3
4.
Roman Gillen
Consumers Power Inc.
WECC 1, 3
5.
Roger Meader
Coos-Curry Electric Cooperative
WECC 3
6.
Bryan Case
Fall River Electric Cooperative
WECC 3
7.
Rick Crinklaw
Lane Electric Cooperative
WECC 3
8.
Annie Terracciano
Northern Lights Inc.
WECC 3
9.
Aleka Scott
PNGC Power
WECC 4
10. Heber Carpenter
Raft River Rural Electric Cooperative WECC 3
11. Steve Eldrige
Umatilla Electric Cooperative
WECC 1, 3
12. Marc Farmer
West Oregon Electric Cooperative
WECC 4
13. Margaret Ryan
PNGC Power
WECC 8
14. Stuart Sloan
Consumers Power Inc.
WECC 1
21.
Jennifer Eckels
Group
Colorado Springs Utilities
2
3
4
5
6
X
X
X
X
X
X
X
X
7
8
9
10
Additional Member Additional Organization Region Segment Selection
1. Lisa Rosintoski
WECC 6
2. Charlie Morgan
WECC 3
3. Paul Morland
WECC 1
Individual
Janet Smith, Regulatory
Affairs Supervisor
Arizona Public Service Company
23.
Individual
Antonio Grayson
Southern Company Services
X
X
X
X
24.
Individual
Jim Eckelkamp
Progress Energy
X
X
X
X
25.
Individual
Sasa Maljukan
Hydro One
X
26.
Individual
John Brockhan
CenterPoint Energy
X
27.
Individual
Philip Huff
22.
Individual
Barry Lawson
Arkansas Electric Cooperative Corporation
National Rural Electric Cooperative
Association (NRECA)
29.
Individual
Brian Evans-Mongeon
Utility Services
30.
Individual
E Hahn
MWDSC
31.
Individual
Scott McGough
Georgia System Operations Corporation
32.
Individual
Don Jones
Texas Reliability Entity
28.
X
X
X
X
X
X
X
X
X
X
Individual
Jonathan Appelbaum
United Illuminating Company
34.
Individual
Dan Roethemeyer
Dynegy Inc.
35.
Individual
Anthony Jablonski
ReliabilityFirst
36.
Individual
Joe Petaski
Manitoba Hydro
37.
Individual
Michelle R. D'Antuono
Ingleside Cogeneration LP
38.
Individual
Tim Soles
Occidental Power Services, Inc.
39.
Individual
Alice Ireland
Xcel Energy
X
X
40.
Individual
Andrew Gallo
City of Austin dba Austin Energy
X
X
41.
Individual
Thad Ness
American Electric Power
X
42.
Individual
Ed Davis
Entergy
X
43.
Individual
Jack Stamper
Clark Public Utilities
X
Individual
45. Individual
Tracy Richardson
Wayne Sipperly
Springfield Utility Board
New York Power Authority
X
X
46.
Individual
David Thorne
Pepco Holdings Inc
X
X
47.
Individual
Chris de Graffenried
Consolidated Edison Co. of NY, Inc.
X
X
48.
Individual
David Burke
Orange and Rockland Utilities, Inc.
X
X
49.
Individual
Larry Raczkowski
FirstEnergy Corp
X
X
50.
Individual
Linda Jacobson-Quinn
Farmington Electric Utility System
51.
Individual
Michael Falvo
Independent Electricity System Operator
52.
Individual
John Seelke
Public Service Enterprise Group
X
53.
Individual
Terry Harbour
MidAmerican Energy
X
54.
Individual
Brenda Lyn Truhe
X
Individual
John Martinsen
PPL Electric Utilities
Public Utility District No. 1 of Snohomish
County
55.
X
33.
44.
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
56.
Individual
Russell A. Noble
Cowlitz County PUD
57.
Individual
Thomas Washburn
FMPP
58.
Individual
Bob Thomas
Illinois Municipal Electric Agency
59.
Individual
Andrew Z. Pusztai
American Transmission Company, LLC
X
60.
Individual
Brenda Frazer
Edison Mission Marketing & Trading, Inc.
X
61.
Individual
Kenneth A Goldsmith
Alliant Energy
62.
Individual
Eric Salsbury
Consumers Energy
63.
Individual
Kirit Shah
Ameren
64.
Individual
Howard Rulf
We Energies
65.
Individual
Brian J Murphy
NextEra Energy Inc
66.
Individual
Kathleen Goodman
ISO New England Inc
X
Individual
68. Individual
Mark B Thompson
Maggy Powell
Alberta Electric System Operator
Exelon Corporation and its affiliates
X
69.
Individual
Keith Morisette
Tacoma Power
70.
Individual
Dennis Sismaet
Seattle City Light
71.
Individual
Scott Miller
MEAG Power
72.
Individual
Patrick Brown
Essential Power, LLC
73.
Individual
Gregory Campoli
New York Independent System Operator
74.
Individual
Don Schmit
Nebraska Public Power District
X
75.
Individual
David Revill
GTC
X
76.
Individual
Scott Berry
Indiana Municipal Power Agency
77.
Individual
Christine Hasha
ERCOT
78.
Individual
Molly Devine
Idaho Power Co.
79.
Individual
Rebecca Moore Darrah
MISO
67.
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
80.
Individual
Nathan Mitchell
American Public Power Association
81.
Individual
Tony Kroskey
Brazos Electric Power Cooperative
X
82.
Individual
Darryl Curtis
Oncor Electric Delivery
X
83.
Individual
Denise Lietz
Puget Sound Energy, Inc.
X
84.
Individual
Steve Alexanderson
X
Individual
Mauricio Guardado
Central Lincoln
Los Angeles Department of Water and
Power
86.
Individual
James Tucker
Deseret Power
X
87.
Individual
Michael Gammon
Kansas City Power & Light
X
85.
X
X
X
X
X
X
X
X
X
X
X
1. The SDT has revised EOP-004-2 by removing Requirement 1, Part 1.4 and separating Parts 1.3 and 1.5 into new
Requirements R3 and R4. Requirement R3 calls for an annual test of the communications portion of the Operating
Plan and Requirement R4 requires an annual review of the Operating Plan. Do you agree with this revision? If not,
please explain in the comment area below.
Summary Consideration: Following review of the industry’s comments, the SDT has re-examined the FERC Directive in Order 693
and has dropped both R3 and R4, as they were written and established a new Requirement R3 to have the Registered Entity
“validate” the contact information in the contact list(s) they may have for the applicable events to their functional registration(s).
This validation needs to be performed on a calendar year period to ensure that the list(s) have current and up-to-date contact
data.
Organization
Yes or No
Question 1 Comment
Northeast Power Coordinating Council
No
Regarding Requirement R3, add the following wording from Measure M3 to
the end of R3 after the wording “in Part 1.2.”: The annual test requirement
is considered to be met if the responsible entity implements the
communications process in Part 1.2 for an actual event. This language must
be in the Requirement to be considered during an audit. Measures are not
auditable.
Regarding Requirement R4, replace the words “an annual review” with the
words “a periodic review.” Add the following to R4: The frequency of such
periodic reviews shall be specified in the Operating Plan and the time
between periodic reviews shall not exceed five (5) years. This does not
preclude an annual review in an Entity’s operating plan. The Entity will then
be audited to its plan. If the industry approves a five (5) year periodic
review ‘cap’, and FERC disagrees, then FERC will have to issue a directive,
state its reasons and provide justification for an annual review that is not
arbitrary or capricious. Adding the one year “test” requirement adds to the
administrative tracking burden and adds no reliability value.
Response: The SDT thanks you for your comment. The SDT has removed R4 and revised R3 that calls for the responsible entity
to validate contact information contained in the Operating Plan each calendar year as described in Requirement R1. The “Annual
review” is used to ensure that the event reporting Operating Plan is up to date. If an entity experiences an event,
communication evidence from the event may be used to show compliance.
DECo
No
Should only have annual "review" requirement rather than test.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your comment.
Duke Energy
No
Under R3, we agree with testing communications internally. Just as the ERO
is excluded under R3, other external entities should also be excluded.
External communications should be verified under R4.
Response: The SDT thanks you for your comment. Due to industry opposition, the SDT revised Requirement R3 to remove test
to “validate” contact information contained in the Operating Plan. If an entity experiences an actual event, communication
evidence from the event may be used to show compliance with the validation requirement for the specific contacts used for the
event.
Dominion
No
While Dominion believes these are positive changes, we are concerned that
placing actual calls to each of the “other organizations needed for the event
type; i.e. the Regional Entity; company personnel; the Responsible Entity’s
Reliability Coordinator; law enforcement, governmental or provincial
agencies” may be seen by one or more of those called as a ‘nuisance call’.
Given the intent is to insure validity of the contact information (phone
number, email, etc), we suggest revising the standard language to support
various forms of validation to include, documented send/receipt of email,
documented verification of phone number (use of phone book, directory
assistance, etc).
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your comment.
SPP Standards Review Group
No
There needs to be a more granular definition of which entities should be
included in the annual testing requirement in R3. To clarify what must be
tested we propose the following language to replace the last sentence in
M3. The annual test requirement is considered to be met if the responsible
entity implements any communications process in the Operating Plan during
an actual event. If no actual event was reported during the year, at least one
of the communication processes in the Operating Plan must be tested to
satisfy the requirement. We do not believe the time-stamping requirement
in M3 and M4 contribute to the reliability of the BES. A dated review should
be sufficient.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your
comments. The Responsible Entity shall validate all contact information contained in the Operating Plan per Requirement R1
each calendar year. If an entity experiences an actual event, communication evidence from the event may be used to show
compliance with the validation requirement for the specific contacts used for the event. Time-stamping has been removed.
Florida Municipal Power Agency
No
First, FMPA believes the standard is much improved from the last posting
and we thank the SDT for their hard work. Having said that, there are still a
number of issues, mostly due to ambiguity in terms, which cause us to vote
Negative. R3 and R4 should be combined into a single requirement with two
subparts, one for annual testing, and another to incorporate lessons learned
from the annual testing into the plan (as opposed to an annual review). The
word “test” is ambiguous as used in R3, e.g., does a table top drill count as a
“test”? Is the intent to “test” the plan, or “test” the phone numbers, or
what?
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your comment.
MRO NSRF
No
R3 states: Each Responsible Entity shall conduct an annual test, not including
notification to the Electric Reliability Organization, of the communications
process in Part 1.2. R1.2 states: A process for communicating each of the
applicable events listed in EOP-004 Attachment 1 in accordance with the
timeframes specified in EOP-004 Attachment 1 to the Electric Reliability
Organization and other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement, governmental or provincial agencies. With
the use of “i.e.” the SDT is mandating that each other entity must be
contacted. The NSRF believes that the SDT meant that “e.g.” should be used
to provide examples. The SDT may wish to add another column to
Attachment 1 to provide clarity. R3 requires an annual test that would
include notification of: “other organizations needed for the event type; i.e.
the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement, governmental or provincial agencies.” Since
NERC sees no value in receiving these test notifications we are doubtful other
entities identified in R1.2 would find them of value. The real purpose of this
requirement appears to be to assure operators are trained in the use of the
procedure, process, or plan that assures proper notification. PER-005
already requires a systematic approach to training. It is hard to comprehend
an organization not identifying this as a Critical Task, and if they failed to
identify it as a Critical Task that this would not be a violation. Therefore this
requirement is not required. Furthermore organizations test their response
to events in accordance with CIP-008 R1.6. Therefore this requirement is
covered by other standards and is not needed. The SDT may need to
address this within M3, by stating “... that the annual test of the
communication process of 1.2 (e.g. communication via e-mail, fax, phone,
etc) was conducted”.
R4 states: Each Responsible Entity shall conduct an annual review of the
event reporting Operating Plan in Requirement R1. We question the value of
requiring an annual review. If the Standard does not change, there seems
little value in requiring an annual review. This appears to be an
administrative requirement with little reliability value. It would likely be
identified as a requirement that should be eliminated as part of the
request by FERC to identify strictly administrative requirements in FERC’s
recent order on FFTR. We suggest it be eliminated.
Response: The SDT thanks you for your comment. Requirement R3 called for test of all contact information contained. The SDT
deleted Requirement R4 based on stakeholder comments and revised R3 so that each Responsible Entity shall validate all
contact information contained in the Operating Plan per Requirement R1 each calendar year. Requirement R3 will help ensure
that the event reporting Operating Plan is up to date and entities will be able to effectively report events to assure situational
awareness to the Electric Reliability Organization.
The annual review requirement was maintained to meet the intent of NERC Order 693, Paragraph 466. The Commission does
not specify a review period, as suggested; rather, believes that the appropriate period should be determined through the ERO’s
Reliability Standards.
“The Commission affirms the NOPR directive and directs the ERO to incorporate a periodic review or updating of the sabotage
reporting procedures and for the periodic testing of the sabotage reporting procedures.”
ISO/RTO Standards Review
Committee
No
The SRC offers comments regarding the posted draft requirements;
however, by so doing, the SRC does not indicate support of the proposed
requirements. Following these comments, please see the latter part of the
SRC’s response to Question 4 below for an SRC proposed alternative
approach: Regarding the proposed posted requirements, without indicating
support of those requirements, the SRC concurs with the changes as they
provide better streamlining of the four key requirements, with enhanced
clarity. However, we are unclear on the intent of Requirement R3, in
particular the phrase “not including notification to the Electric Reliability
Organization” which begs the question on whether or not the test requires
notifying all the other entities as if it were a real event. This may create
confusion in ensuring compliance and during audits. Suggest the SDT to
review and modify this requirement as appropriate. Regarding part 1.2, the
SRC requests that the text be terminated after the word “type” and before
“i.e.” As written, the requirement does not allow for the entity to
add/remove others as necessary. Please consider combining R3 and R4.
These can be accomplished at the same time. The process should be
evaluated to determine effectiveness when an exercise or test is conducted.
The SDT is asked to review the proposal and to address the issue of
requirements vs. bullets vs. sub-requirements. It is suggested that each
requirement be listed independently, and that each sub-step be bulleted.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your comment.
ACES Power Marketing Standards
Collaborators
No
(1) We agree with removing Part 1.4 and we agree with a requirement to
periodically review the event reporting Operating Plan. However we are not
convinced the review of the Operating Plan needs to be conducted annually.
The event reporting Operating Plan likely will not change frequently so a
biannual review seems more appropriate.
(2) We also do not believe that Requirement R3 is needed at all.
Requirement R3 compels the responsible entity to test their Operating Plan
annually. We do not see how testing an Operating Plan that is largely
administrative in nature contributes to reliability. Given that the drafting
team is obligated to address the FERC directive regarding periodic testing,
we suggest the Operating Plan should be tested biannually. This would still
meet the FERC directive requiring periodic testing.
Response: The SDT thanks you for your comment. The SDT deleted Requirement R4 based on stakeholder comments and
revised R3 so that each Responsible Entity shall validate all contact information contained in the Operating Plan per
Requirement R1 each calendar year. Requirement R3 will help ensure that the event reporting Operating Plan is up to date and
entities will be able to effectively report events to assure situational awareness to the Electric Reliability Organization.
Southern Company Services
No
There are approximately 17 event types for which Responsible Entities must
have a process for communicating such events to the appropriate entities
and R3 states that “The Responsible Entity shall conduct an annual test of
the communications process”. It is likely that the same communications
process will be used to report multiple event types, so Southern suggests that
the Responsible Entities conduct an annual test for each unique
communications process. Southern suggests that this requirement be revised
to state “Each Responsible Entity shall conduct an annual test of each unique
communications process addressed in R1.2”.
o In Attachment 1, for Event: “Damage or destruction of a Facility”, SDT
should consider removing “Results from actual or suspected intentional
human action” from the “Threshold for Reporting” column. The basis for this
suggestion is as follows:
o The actual threshold should be measurable, similar to the thresholds
specified for other events in Attachment 1. [Note: The first two thresholds
identified (i.e., “Affects an IROL” and “Results in the need for actions to
avoid an Adverse Reliability Impact”) are measurable and sufficiently qualify
which types of Facility damage should be reported.]
o The determination of human intent is too subjective. Including this as a
threshold will cause many events to be reported that otherwise may not
need to be reported. (e.g., Vandalism and copper theft, while addressed
under physical threats, is more appropriately classified as damage. These are
generally intentional human acts and would qualify for reporting under the
current guidance in Attachment 1. They may be excluded from reporting by
the threshold criteria regarding IROLs and Adverse Reliability Impact, if the
human intent threshold is removed.)
o It may be more appropriate to address human intent in the event
description as follows: “Damage or destruction of a Facility, whether from
natural or human causes”. Let the thresholds related to BES impact dictate
the reporting requirement.
o In Attachment 1, for Event: “Complete or partial loss of monitoring
capability”, SDT should consider changing the threshold criteria to state:
“Affecting a BES control center for ≥ 30 continuous minutes such that
analysis capability (State Estimator, Contingency Analysis) is rendered
inoperable.” There may be instances where the tools themselves are out of
commission, but the control center personnel have sufficiently accurate
models and alternate methods of performing the required analyses.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your initial
comment.
The SDT reviewed, discussed and updated Attachment 1 based on comments received, FERC directives and what is required for
combining CIP-001 and EOP-004 into EOP-004-2. Under the Event Column, the SDT starts to classify each type of an event by
assigning an “Event” title. The DSR SDT then updated the “Entity with Reporting Responsibilities” column to simply state what
entity has the responsibility to report if they experience an event. The last column, “Threshold for Reporting” is a bright line
that, if reached, the entity needs to report that they experienced the applicable event per Requirement 1.
Damage or destruction of a Facility:
The SDT removed all language under “Entity with Reporting Responsibility,” with the exception of entity(s) that are required to
report an applicable event. The SDT removed this language so the entities within this column are clearly stated and identified.
Under the “Threshold for Reporting” column, a bright line was updated based on currently enforced Reliability Standards, FERC
directives and industry comments to state;
Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk
Electric System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per R1) the situational awareness that the
electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
Progress Energy
No
It should be clear that the Operating Plan can be multiple procedures. It is
an unnecessary burden to have entities create a new document outlining
the Operating Plan. Having to create a new Operating Plan would not
improve reliability and would further burden limited resources. The annual
testing required by R3 should be clarified. Do all communication paths need
to be annually tested or just one path? An actual event may only utilize one
communication 'leg' or 'path' and leave others untested and utilized.
Entities may have a corporate level procedure that 'hand-shakes' with more
localized procedures that make up the entire Operating Plan. Must all
communications processes be tested to fulfill the requirement? If an entity
has 'an actual event' it is not necessarily true that their Operating Plan has
been exercised completely, yet this one 'actual event' would satisfy M3 as
written.
Response: The SDT thanks you for your comment. Regarding your initial comment on the need to create a new document, the
SDT believes that a Registered Entity with a procedure under CIP-001 will be able to utilize that document as the starting point
for the Operating Plan here. The SDT feels that many of the necessary components will already exist in that document and the
Registered Entity should only need to edit it accordingly for the types of Events applicable to them. The SDT has made changes
to the standard highlighted in your comment.
Hydro One
No
In the Requirement R3, we suggest adding the following wording from
Measure M3 to the end of R3 after the wording “in Part 1.2.”: The annual
test requirement is considered to be met if the responsible entity
implements the communications process in Part 1.2 for an actual event. This
language must be in the Requirement to be considered during an audit.
Measures are not auditable.
Statement “... not including notification to the ERO...” as it stands now is
confusing. We suggest that this statement is either reworded (and explained
in the Rationale for this requirement) or outright removed for clarity
purposes. In the requirement R4, we suggest replacing the words “an annual
review” with the words “a periodic review.” Add the following to R4: The
frequency of such periodic reviews shall be specified in the Operating Plan
and the time between periodic reviews shall not exceed five (5) years. This
does not preclude an annual review in an Entity’s operating plan. The Entity
will then be audited to its plan. If the industry approves a five (5) year
periodic review ‘cap,’ and FERC disagrees, then FERC will have to issue a
directive, state its reasons and provide justification for an annual review that
is not arbitrary or capricious. Adding the one year “test” requirement adds
to the administrative tracking burden and adds no reliability value.
The table in the standard is clear regarding what events need to be
reported. An auditor may want to see a test for "each" of the applicable
events listed in EOP-004 Attachment 1. If the requirement for "an" annual
test remains in the standard in R3, then it should be made clear that a test is
not required for "each" of the applicable events listed in Attachment 1
(reference to R1.2.)
Response: The SDT thanks you for your comment. Each Responsible Entity must report and communicate events according to
its Operating Plan based on the information in EOP-004 Attachment 1. The SDT removed the Operating Plan Process from
Requirement 1 and revised the measure to meet the communications of Requirement R1, “to implement an operating plan
within the time frames specified in Attachment 1.” Requirement R3 called for test of all contact information contained. The
SDT deleted Requirement R4 based on stakeholder comments and revised R3 so that each Responsible Entity shall validate all
contact information contained in the Operating Plan per Requirement R1 each calendar year. Requirement R3 will help ensure
that the event reporting Operating Plan is up to date and entities will be able to effectively report events to assure situational
awareness to the Electric Reliability Organization.
CenterPoint Energy
No
CenterPoint Energy recommends that “and implement” be added after
“Each Responsible Entity shall have” in Requirement R1. After such revision,
Requirement R2 will not be needed as noted in previous comments
submitted by the Company.
CenterPoint Energy also believes that Requirement R3 is not needed as an
annual review encompassing the elements of the test described in the draft
is sufficient.
Response: The SDT thanks you for your comment. The SDT considered the consolidation of the first and second requirements.
However, since the requirements have the Registered Entity perform two distinct steps, a single requirement cannot be written
to achieve multiple tasks. Each task must stand on its own and be judged singly.
The annual review helps ensure that the event reporting Operating Plan is up to date and entities will be able to effectively
report events to assure situational awareness to the Electric Reliability Organization.
Arkansas Electric Cooperative
Corporation
No
AECC supports the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. Please review the response directed to them.
MWDSC
No
Transmission Owners (TO) should not be included as a "Responsible Entity"
for this or other requirements because the Operating Plan is usually
prepared by the Transmission Operator (TOP). For TOs who are not also
TOPs, there are usually delegation agreements. CIP-001 never directly
applied to TOs.
Response: The SDT thanks you for your comment. The SDT disagrees with your assessment, as the TOs are physical owners of
the equipment that would be affected by this standard. As Owners of the equipment, they need to be reporting on what is
happening to their equipment.
Manitoba Hydro
No
(R1.1 and 1.2) It is unclear whether or not R1.1 and R1.2 require a separate
recognition and communication process for each of the event types listed in
Attachment 1 or if event types can be grouped as determined appropriate
by the responsible entity given that identical processes will apply for
multiple types of events. Manitoba Hydro suggests that wording is revised so
that multiple event types can be addressed by a single process as deemed
appropriate by the Responsible Entity.
(R3) It is unclear whether or not R3 requires the testing of the
communications process for each separate event type identified in
Attachment 1. If so, this would be extremely onerous. Manitoba Hydro
suggests that only unique communication processes (as identified by the
Responsible Entity in R1.2) require an annual test and that testing should not
be required for each type of event listed in Attachment 1. As well, Manitoba
Hydro believes that testing the communications process alone is not as
effective as also providing training to applicable personnel on the
communications process. Manitoba Hydro suggests that R3 be revised to
require annual training to applicable personnel on the communications
process and that only 1 test per unique communications process be required
annually.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comments. Each Responsible Entity must report and communicate events according to its Operating Plan based on the
information in EOP-004 Attachment 1. The SDT has attempted to clarify that it is the choice of the Registered Entity on whether
one, or more than one, contact list(s) is needed for the differing types applicable to them. Depending upon your needs of who
you have an obligation to report, you can elect to have one or multiple lists.
Requirement R3 called for test of all contact information contained. The SDT deleted Requirement R4 based on stakeholder
comments and revised R3 so that each Responsible Entity shall validate all contact information contained in the Operating Plan
per Requirement R1 each calendar year. Requirement R3 will help ensure that the event reporting Operating Plan is up to date
and entities will be able to effectively report events to assure situational awareness to the Electric Reliability Organization.
Occidental Power Services, Inc.
No
There should be an exception for LSEs with no BES assets from having an
Operating Plan and, therefore, from testing and review of such plan. These
LSEs have no reporting responsibilities under Attachment 1 and, if they have
nothing ever to report, why would they have to have an Operating Plan and
have to test and review it? This places an undue burden on small entities
that cannot impact the BES.
Response: The SDT thanks you for your comment. LSEs, as being applicable under the Cyber Security standards, were included
in the applicability of this standard. Since the SDT is proposing to keep the Cyber Security reporting requirements in CIP-008,
LSEs have been removed from the applicability of this standard. This action will not negate the LSE responsibilities under that
standard and your comments will need to be addressed there.
Xcel Energy
No
1) In R1.2, We understand what the drafting team had intended here.
However, we are concerned that the way this requirement is drafted, using
i.e., it could easily be interpreted to mean that you must notify all of those
entities listed. Instead, we are suggesting that the requirement be rewritten
to require entities to define in their Operating Plan the minimum
organizations/entities that would need to be notified for applicable events.
We believe this would remove any ambiguity and make it clear for both the
registered entity and regional staff. We recommend the requirement read
something like this: 1.2. A process for communicating each of the applicable
events listed in EOP-004 Attachment 1 in accordance with the timeframes
specified in EOP-004 Attachment 1 to applicable internal and external
organizations needed for the event type, as defined in the Responsible
Entity’s Operating Plan.
2) We also suggest that R3 be clarified as to whether communications to all
organizations must be tested or just those applicable to the test event
type/scenario.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comments.
American Electric Power
No
R3: How many different scenarios need to be tested? For example, reporting
sabotage-related events might well be different than reporting reliability-related events such as those regarding loss of Transmission. While these
examples might vary a great deal, other such scenarios may be very similar
in nature in terms of communication procedures. Perhaps solely testing the
most complex procedure would be sufficient. AEP agrees with the changes
with R3 calling for an annual test provided the requirement R2 is modified to
include the measure language “The annual test requirement is considered to
be met if the responsible entity implements the communications process in
Part 1.2 for an actual event.”
M3: While we agree that “the annual test requirement is considered to be
met if the responsible entity implements the communications process in
Part 1.2 for an actual event”, we believe it would be preferable to include
this text in R3 in addition to M3. Measures included in earlier standards
(some of which are still enforced today) had little correlation to the
requirement itself, and as a result, those measures were seldom referenced.
M3: It would be unfair to assume that every piece of evidence required to
prove compliance would be dated and time-stamped, so we recommend
removing the text “dated and time-stamped” from the first sentence so that
it reads “Each Responsible Entity will have records to show that the annual
test of Part 1.2 was conducted.” The language regarding dating and time
stamps in regards to “voice recordings and operating logs or other
communication” is sufficient.
Response: The SDT thanks you for your comment. Based on stakeholder comments the SDT revised R3 so that each Responsible
Entity shall validate all contact information contained in the Operating Plan per Requirement R1 each calendar year.
Requirement R3 will help ensure that the event reporting Operating Plan is up to date and entities will be able to effectively
report events to assure situational awareness to the Electric Reliability Organization. The SDT agrees with the point raised on
time-stamping and has removed it from the standard.
Entergy
No
The requirement for a “time stamped record” of annual review is
unreasonable and unnecessary. A dated document showing that a review
was performed should be sufficient.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comment. The SDT has removed time-stamping from the standard.
New York Power Authority
No
Please see comments submitted by NPCC Regional Standards Committee
(RSC).
Response: The SDT thanks you for your comment. Please review the response to the commenter.
Consolidated Edison Co. of NY, Inc.
No
Requirement R3: Following the sentence ending “in Part 1.2” add the
following wording from the Measure to R3: The annual test requirement is
considered to be met if the responsible entity implements the
communications process in Part 1.2 for an actual event. This language must
be in the Requirement to be considered during an audit. Measures are not
auditable. Requirement R4: Replace the words “an annual review” with the
words “a periodic review.” Following the first sentence in R4 add: The
frequency of such periodic reviews shall be specified in the Operating Plan
and the time between periodic reviews shall not exceed five (5) years.
Orange and Rockland Utilities, Inc.
No
Requirement R3: Following the sentence ending “in Part 1.2” add the
following wording from the Measure to R3: The annual test requirement is
considered to be met if the responsible entity implements the
communications process in Part 1.2 for an actual event. This language
must be in the Requirement to be considered during an audit. Measures are
not auditable.
Requirement R4: Replace the words “an annual review”
with the words “a periodic review.” Following the first sentence in R4 add:
The frequency of such periodic reviews shall be specified in the Operating
Plan and the time between periodic reviews shall not exceed five (5) years.
Response: The SDT thanks you for your comment. Based on stakeholder comments the SDT revised R3 so that each Responsible
Entity shall validate all contact information contained in the Operating Plan per Requirement R1 each calendar year.
Requirement R3 will help ensure that the event reporting Operating Plan is up to date and entities will be able to effectively
report events to assure situational awareness to the Electric Reliability Organization. The SDT considered various time frames
for the action needed and felt that a calendar year was necessary due to the FERC Directive in Order 693 and to ensure that
contact information remained useful in a timely manner.
MidAmerican Energy
No
See the NSRF comments. The real purpose of this requirement appears to
be to assure operators are trained in the use of the procedure, process, or
plan that assures proper notification. PER-005 already requires a systematic
approach to training. Reporting to other affected entities is a PER-005
system operator task. Therefore this requirement is already covered by PER-005 and is not required. Organizations are also required to test their
response to events in accordance with CIP-008 R1.6. Therefore this
requirement is covered by other standards and is not needed. Inclusion of
this standard would place entities in a double or possible triple jeopardy.
The SDT may need to expand M3 reporting options, by stating “... that the
annual test of the communication process of 1.2 (e.g. communication via e-mail, fax, phone, etc.) was conducted”.
R4 is an administrative requirement with little reliability value and should be
deleted. It would likely be identified as a requirement that should be
eliminated as part of the request by FERC to identify strictly administrative
requirements in FERC’s recent order on FFTR.
Response: The SDT thanks you for your comment. The SDT asks you to review the response to that commenter. The SDT
disagrees with your understanding of the real purpose. Reporting of events listed in Attachment 1 is necessary for personnel
beyond the operators.
The SDT deleted Requirement R4 based on stakeholder comments and revised Requirement R3 so that each Responsible Entity
shall validate all contact information contained in the Operating Plan per Requirement R1 each calendar year. Requirement R3
will help ensure that the event reporting Operating Plan is up to date and entities will be able to effectively report events to
assure situational awareness to the Electric Reliability Organization.
Illinois Municipal Electric Agency
No
IMEA reluctantly (in recognition of the SDT's efforts and accomplishments to
date) cast a Negative vote for this project primarily based on R3 because it is
attempting to fix a problem that does not exist and impacts small entity
resources in particular. IMEA is not aware of seeing any information
regarding a trend, or even a single occurrence for that matter, in a failure to
report an event due to failure in reporting procedures. A small entity is less
likely to experience a reportable event, and therefore is less likely to be able
to take advantage of the provision in M3 to satisfy the annual testing
through implementation of an actual event. If there is a problem that needs
to be fixed, it would make much more sense to replace the language in R3
with a simple requirement for the RC, BA, IC, TSP, TOP, etc. to inform the TO,
DP, LSE if there is a change in contact information for reporting an event. It
is hard to believe that an RC, BA, IC, TSP, TOP, etc. is going to want to be
annually handling numerous inquiries from entities regarding the accuracy
of contact information. The impact of unnecessary requirements on entity
resources, particularly small entities', is finally starting to get some
meaningful attention at NERC and FERC. It would be a mistake to adopt
another unnecessary requirement as currently specified in R3.
Response: The SDT thanks you for your comment. The SDT has revised Requirement R3 to help ensure that the event reporting
Operating Plan is up to date and entities will be able to effectively report events to assure situational awareness to the Electric
Reliability Organization.
American Transmission Company,
LLC
No
ATC recommends eliminating R4 altogether. If R3, the annual test, is
conducted as part of the Operating Plan, R4 is merely administrative, and
does not add value to reliability.
Response: The SDT thanks you for your comment. The SDT deleted Requirement R4 based on stakeholder comments and
revised Requirement R3 so that each Responsible Entity shall validate all contact information contained in the Operating Plan
per Requirement R1 each calendar year. Requirement R3 will help ensure that the event reporting Operating Plan is up to date
and entities will be able to effectively report events to assure situational awareness to the Electric Reliability Organization.
NextEra Energy Inc
No
NextEra Energy, Inc. (NextEra) does not agree that annual reviews and
annual tests should be mandated via Reliability Standards; instead, NextEra
believes it is more appropriate to require that the Operating Plan be up-to-date and reviewed/tested as the Responsible Entity deems necessary. These
enhancements provide for a robust Operating Plan, without arbitrary
deadlines for a review and testing. It also provides Responsible Entities of
different sizes and configurations the flexibility to efficiently and effectively
integrate compliance with operations.
Thus, NextEra requests that R1 be revised to read: “Each Responsible Entity
shall have an up-to-date event reporting Operating Plan that is tested and
reviewed as the Responsible Entity deems necessary and includes: ...”.
Consistent with these changes NextEra also requests that R3 and R4 be
deleted.
Response: The SDT thanks you for your comment. While the SDT recognizes the simplicity that your comment would bring, it
cannot be implemented in that manner. For auditability reasons, each task must be separate and distinct in order for the
performance to be assessed. Alternatively, the SDT has re-constructed three distinct requirements that can be judged and
evaluated on their own with compromising the others.
ISO New England Inc
No
Due to the FERC mandate to assign VRFs/VSLs, we do not support using
subrequirements and, instead, favor the use of bullets when the
subrequirements are not standalone but rely on the parent requirement.
Response: The SDT thanks you for your comment. The SDT has revised the language and removed all subrequirements.
Exelon Corporation and its affiliates
No
It’s not clear that R3 and R4 need to be separated. Consider revising R3 to
read: “Through use or testing, verify the operability of the plan on an annual
basis” and dropping R4.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comment.
Indiana Municipal Power Agency
No
IMPA does not believe that both R3 and R4 are necessary and they are
redundant to a degree. Generally, when performing an annual review of a
process or procedure, the call numbers for agencies or entities are verified
to be up to date. Also, in R3, what does “test” mean? It could have
different meanings to registered entities and to auditors which does not
promote consistency among the industry. IMPA recommends going with an
annual review of the process and having the telephone numbers verified
that are in the event reporting Operating Plan. IMPA also believes that the
local and federal law enforcement agencies would rather go with a
verification of contact information over being besieged by "test" reports.
The way R3 is written gives the appearance that the SDT did not want to
overwhelm the ERO with all of the "test" reports from the registered entities
(by excluding them from the test notification).
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comment.
ERCOT
No
ERCOT has joined the IRC comments on this project and offers these
additional comments. ERCOT requests that the measure be updated to say
“acceptable evidence may include”. As written, the measure reads that
there is only one way to comply with the requirement. The Standards should
note "what" an entity is required to do and not prescribe the "how".
Response: The SDT thanks you for your comment. The SDT has made changes to the standard highlighted in your comment.
Brazos Electric Power Cooperative
No
Please see the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. Please review the response to that commenter.
Central Lincoln
No
The new language of R3 and R4 provide nothing to clarify the word “annual.”
We note that while a Compliance Application Notice was written on this,
Central Lincoln believes that standards should be written so they do not rely
on the continually changing CANs. CAN-0010 itself implies that “annual”
should be defined within the standards themselves. We suggest: R3 Each
Responsible Entity shall conduct a test of the communications process in R1
Part 1.2, not including notification to the Electric Reliability Organization, at
least once per calendar year with no more than 15 calendar months
between tests. R4 Each Responsible Entity shall conduct a review of the
event reporting Operating Plan in Requirement R1 at least once per
calendar year with no more than 15 calendar months between reviews.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comment.
Kansas City Power & Light
No
Requirement 3 requires a test of the communications in the operating plan.
A test implies a simulation of the communications part of the operating plan
by actual communications being conducted pursuant to the plan. It is not
appropriate to burden agencies with testing of communications under a test
environment. Recommend the drafting team consider a confirmation of the
contact information with various agencies as the operations plan dictates.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your comment.
Bonneville Power Administration
Yes
BPA believes that the annual testing and review as described in R3 is too
cumbersome and unnecessary for entities with large footprints to inundate
federal and local enforcement bodies such as the FBI for “only” testing and
the documenting for auditing purposes. BPA suggests that testing be
performed on a bi-annual or longer basis.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirements highlighted in your
comment; however, the SDT has decided that the period will be shorter than your suggestion based upon comments received
from all parties.
Seattle City Light
Yes
This is a great improvement over the prior CIP and EOP versions. However,
please see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Utility Services
Yes
While agreeing with the change, confusion may exist with the CAN that
exists for the term "Annual". Utility Services suggests that the language be
changed to "Every calendar year" or something equivalent. Given
everything that transpired in the discussion on the term annual, using a
different phrase may be advantageous.
Response: The SDT thanks you for your comment. The SDT has made changes to the requirement highlighted in your comment.
United Illuminating Company
Yes
R3 should be clear that the annual test of the plan does not mean each
communication path for each applicable event on an annual basis.
Response: The SDT thanks you for your comment. Requirement R3 has been rewritten to address comments like yours and
other industry members. While testing is no longer a part of the requirement, validating the contact information associated
with each contact list for each applicable event type is.
Ingleside Cogeneration LP
Yes
Ingleside Cogeneration LP agrees that it is appropriate to test reporting
communications on an annual basis, primarily to validate that phone
numbers, email ids, and contact information is current. We appreciate the
project team’s elimination of the terms “exercise” and “drill”, which we
believe connotates a formalized planning and assessment process. An
annual review of the Operating Plan implies a confirmation that linkages to
sub-processes remain intact and that new learnings are captured. We also
agree that it is appropriate only to require an updated Revision Level Control
chart entry as evidence of compliance - it is very likely that no updates are
required after the review is complete. In our view, both of these
requirements are sufficient to assure an effective assessment of all facets of
the Operating Plan. As such, we fully agree with the project team’s decision
to delete the requirement to update the plan within 90 days of a change. In
most cases, our internal processes will address the updates much sooner,
but there is no compelling reason to include it as an enforceable
requirement.
Response: The SDT thanks you for your comment.
City of Austin dba Austin Energy
Yes
Austin Energy (AE) supports the requirements for (1) an annual test of the
communications portion of the Operating Plan (R3) and (2) an annual review
of the Operating Plan (R4); however, we offer a slight modification to the
measures associated with those requirements. AE does not believe that
records evidencing such test and reviews need to be time-stamped to
adequately demonstrate compliance with the requirements. In each case,
we recommend that the first sentence of M3 and M4 start with “Each
Responsible Entity will have dated records to show that the annual ...”
Response: The SDT thanks you for your comment. The SDT has removed the time-stamping provision in the standard.
Springfield Utility Board
Yes
o SUB supports the removal of Requirement 1, Part 1.4, as well as the
separation of Parts 1.3 and 1.5, agreeing that they are their own separate
actions.
o The Draft 4 Version History still lists the term “Impact Event”
rather than “Event”.
Response: The SDT thanks you for your comment. The SDT has made changes highlighted in your comment.
FirstEnergy Corp
Yes
FE agrees with the revision but has the following comments and suggestions:
1. We request clarity and guidance on R3 (See our comments in Question 4 for
further consideration). Also, we suggest a change in the phrase “shall conduct
an annual test” to “shall conduct a test each calendar year, not to exceed 15
calendar months between tests”. This wording is consistent with other
standards in development such as CIP Version 5.2.
2. In R4 we suggest a change in the phrase “shall conduct an annual review” to
“shall conduct a review each calendar year, not to exceed 15 calendar months
between reviews”. This wording is consistent with other standards in
development such as CIP Version 5.
Response: The SDT thanks you for your comment. The SDT deleted Requirement R4 based on stakeholder comments and
revised Requirement R3 so that each Responsible Entity shall validate all contact information contained in the Operating Plan
per Requirement R1 each calendar year. Requirement R3 will help ensure that the event reporting Operating Plan is up to date
and entities will be able to effectively report events to assure situational awareness to the Electric Reliability Organization.
Independent Electricity System
Operator
Yes
We concur with the changes as they provide better streamlining of the four
key requirements, with enhanced clarity. However, we are unclear on the
intent of Requirement R3, in particular the phrase “not including notification
to the Electric Reliability Organization” which begs the question on whether
or not the test requires notifying all the other entities as if it were a real
event. This may create confusion in ensuring compliance and during audits.
Suggest the SDT to review and modify this requirement as appropriate.
Response: The SDT thanks you for your comment. The SDT has revised the standard’s language to address this concern.
Public Utility District No. 1 of
Snohomish County
Yes
This is an excellent improvement over the prior CIP and EOP versions.
However, please see #4 for overall comment.
Seattle City Light
Yes
This is a great improvement over the prior CIP and EOP versions. However,
please see #4 for overall comment.
MEAG Power
Yes
This is a great improvement over the prior CIP and EOP versions. However,
please see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Tacoma Power
Yes
Tacoma Power agrees with the requirement but would suggest removing all
instances of the word “Operating” from the Standard. The requirements
should read, “Each Responsible Entity shall have an “Event Reporting
Plan...”. The term Operating in this context is confusing as there are many
other “Operating Plans” for other defined emergencies. This standard is
about “Reporting” and should be confined to that.
Response: The SDT thanks you for your comment. The SDT has chosen to include “Operating” due to the definition in the NERC
Glossary. The SDT believes Operating Plan clearly defines what is needed in this standard.
Idaho Power Co.
Yes
But this is going to require that we create a new Operating Plan with test
procedures and revision history.
Response: The SDT thanks you for your comment. The SDT believes that an existing procedure, that meets the requirements of
CIP-001-2a, may well be the starting point for the Operating Plan in this standard, or could go a long way towards achieving the
requirements in this standard. The SDT revised Requirement R3 to remove test to “validate” contact information contained in
the Operating Plan. If an entity experiences an actual event, communication evidence from the event may be used to show
compliance with the validation requirement for the specific contacts used for the event.
American Public Power Association
Yes
APPA appreciates the SDT making these requirements clearer as requested
in our comments on the previous draft standard.
Response: The SDT thanks you for your comment.
Puget Sound Energy, Inc.
Yes
This draft is a considerable improvement on the previous draft in terms of
clarity and will be much easier for Responsible Entities to implement. Puget
Sound Energy appreciates the drafting team’s responsiveness to
stakeholder’s concerns and the opportunity to comment on the current
draft. The drafting team should revise Requirement R2 to state that the
“activation” of the Operating Plan is required only when an event occurs,
instead of using the term “implement”. “Implementation” could also refer
to the activities such as distributing the plan to operating personnel and
training operating personnel on the use of the plan. These activities are not
triggered by any event and, since it is clear from the measure that this
requirement is intended to apply only when there has been a reportable
event, the requirement should be revised to state that as well.
The drafting team should revise measure M2 to require reports to be
“supplemented by operator logs or other reporting documentation” only “as
necessary”. In many cases, the report itself and time-stamped record of
transmittal will be the only documents necessary to demonstrate
compliance with requirement R2. Under Requirement R3, using an actual
event as sufficient for meeting the requirement for conducting an annual
test would likely fall short of demonstrating compliance with the entire
scope of the Operating Plan. R1.2 requires "a process for communicating
EACH of the applicable events listed....". If the actual event is only one of
many "applicable" events, is it sufficient to only exercise one process flow?
If there is no actual event during the annual time-frame, do all the process
flows then have to be exercised?
Response: The SDT thanks you for your comment. The SDT appreciates the suggestion; however, to be consistent with other
reliability standards, the SDT has elected to continue to use the word “Implement.” Your suggestion could end up creating
confusion and misunderstandings since the context is not used elsewhere.
The SDT has revised the language of the requirements and measures as a result of your and other commenters’ remarks.
FMPP
See FMPA's comments
Response: The SDT thanks you for your comment. Please review the response to the FMPA comments.
Luminant
Yes
BC Hydro
Yes
Imperial Irrigation District (IID)
Yes
LG&E and KU Services
Yes
PPL Corporation NERC Registered
Affiliates
Yes
Avista
Yes
PNGC Comment Group
Yes
Colorado Springs Utilities
Yes
Arizona Public Service Company
Yes
Georgia System Operations
Corporation
Yes
Texas Reliability Entity
Yes
Dynegy Inc.
Yes
Clark Public Utilities
Yes
Pepco Holdings Inc
Yes
Farmington Electric Utility System
Yes
Public Service Enterprise Group
Yes
PPL Electric Utilities
Yes
Cowlitz County PUD
Yes
Edison Mission Marketing & Trading,
Inc.
Yes
Ameren
Yes
We Energies
Yes
GTC
Yes
MISO
Yes
Oncor Electric Delivery
Yes
Los Angeles Department of Water
and Power
Yes
Deseret Power
Yes
2. The SDT made clarifying revisions to Attachment 1 based on stakeholder feedback. Do you agree with these revisions? If not,
please explain in the comment area below.
Summary Consideration:
The SDT reviewed, discussed and updated Attachment 1 based on comments received from commenters, FERC directives and what is
required for combining CIP-001 and EOP-004 into EOP-004-2. Under the Event Column, the SDT starts to classify each type of an event
by assigning an “Event” title. The DSR SDT then updated the “Entity with Reporting Responsibilities” column to simply state which
entity has the responsibility to report if they experience an event. The last column, “Threshold for Reporting” is a bright line that, if
reached, the entity needs to report that they experienced the applicable event per Requirement 1.
Organization
Yes or No
Question 2 Comment
Northeast Power Coordinating
Council
No
Regarding Attachment 1, language identical to event descriptions in the NERC Event
Analysis Process and FERC OE-417 should be used. Creating a third set of event
descriptions is not helpful to system operators. Recommend aligning the Attachment
1 wording with that contained in Attachment 2, DOE Form OE-417 and the EAP
whenever possible.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. Using identical terminology will be difficult to achieve as the DOE
form and EAP have differing processes for identification of the reportable
incidences. The SDT has tried to set up the reportable events in the standard to be
as similar as possible to the other organizations without being tied to their specific
language. Attachment 2 has been modified to match the events types listed in
Attachment 1.
The following pertains to Attachment 1: Replace the Attachment 1 “NOTE” with the
following clarifying wording: NOTE: The Electric Reliability Organization and the
Responsible Entity’s Reliability Coordinator will accept the DOE OE-417 form in lieu of
Attachment 2 if the entity is required to submit an OE-417 report. Submit reports to
the ERO via one of the following: e-mail: esisac@nerc.com, Facsimile: 609-452-9550,
Voice: 609-452-1422. Initial submittal by Voice within the reporting time frame is
acceptable for all events when followed by a hardcopy submittal by Facsimile or e-mail as and if required.
The SDT thanks you for your comment. First, the SDT believes that you intended
the comment to address the “Note” on Attachment 2, not Attachment 1. The SDT
does not believe that a hardcopy report is necessary if the organization has made
voice contact.
The proposed “events” are subjective and will lead to confusion and questions as to
what has to be reported.
The SDT disagrees and has established “events” to be reported based on bright line
criteria. The events are consistent with previous versions of the CIP-001 and EOP-004 standards, as well as incidences being reported to the DOE and EAP.
Event: A reportable Cyber Security Incident. All reportable Cyber Security Incidents
may not require “One Hour Reporting.” A “one-size fits all” approach may not be
appropriate for the reporting of all Cyber Security Incidents. The NERC “Security
Guideline for the Electricity Sector: Threat and Incident Reporting” document
provides time-frames for Cyber Security Incident Reporting. For example, a Cyber
Security Compromise is recommended to be reported within one hour of detection,
however, Information Theft or Loss is recommended to be reported within 48 hours.
Recommend listing the Event as “A confirmed reportable Cyber Security Incident.”
The existing NERC “Security Guideline for the Electricity Sector: Threat and Incident
Reporting” document uses reporting time-frames based on “detection” and
“discovery.” Recommend using the word confirmed because of the investigation
time that may be required from the point of initial “detection” or “discovery” to the
point of confirmation, when the compliance “time-clock” would start for the
reporting requirement in EOP-004-2.
The SDT is revising the standard to not contain reporting for Cyber Security
incidents. Under the revisions, CIP-008-3 and successive versions will retain the
reporting requirements.
Event: Damage or destruction of a Facility Threshold for Reporting: revise language
on third item to read: Results from actual or suspected intentional human action,
excluding unintentional human errors.
The SDT reviewed, discussed and updated “Damage and destruction of a Facility”
based on comments received, FERC directives and what is required for combining
CIP-001 and EOP-004 into EOP-004-2. The new “threshold” now states:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
Event: Any physical threat that could impact the operability of a Facility This Event
category should be deleted. The word “could” is hypothetical and therefore
unverifiable and un-auditable. The word “impact” is undefined. Please delete this
reporting requirement, or provide a list of hypothetical “could impact” events, as well
as a specific definition and method for determining a specific physical impact
threshold for “could impact” events other than “any.”
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours. This
will give the ERO (and whomever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Event: BES Emergency requiring public appeal for load reduction. Replace wording in
the Event column with language from #8 on the OE-417 Reporting Form to eliminate
reporting confusion. Following this sentence add, “This shall exclude other public
appeals, e.g., made for weather, air quality and power market-related conditions,
which are not made in response to a specific BES event.”
The SDT disagrees with quantifying a use of public appeals reporting for different
types of events. The important item here is that a public appeal was issued for load
reduction. A report is required to inform the ERO (and whoever else the entity
wishes to inform per Requirement R1) of your current status and provide them with
the situational awareness of the status of your system.
Event: Complete or partial loss of monitoring capability - Event wording: Delete the
words “or partial” to conform the wording to the NERC Event Analysis Process.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to “Complete loss of monitoring
capability affecting a BES control center for 30 continuous minutes or more such
that analysis capability (State Estimator, Contingency Analysis) is rendered
inoperable.” This will only apply to an RC, BA, or TOP who have this capability to
start with.
Event: Transmission Loss - Revise to BES Transmission Loss
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
Event: Generation Loss - Revise to BES Generation Loss
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
The SDT believes that if an entity reaches this threshold, it needs to be reported
and most likely this will be BES connected generation assets.
Response: The SDT thanks you for your comment.
DECo
No
On pg 17 in the Rationale Box for EOP-004 Attachment 1: The set of terms is specific
then includes the word ETC. Then further lists areas to exclude. Then on Pg 23 of
document it includes train derailment near a transmission right of way and forced
entry attempt into a substation facility as reportable. These conflict. Also see conflict
when in pg 21 states the DOE OE417 would be excepted in lieu of the NERC form, but
on the last pg it states the DOE OE417 should be attached to the NERC report
indicating the NERC report is still required.
Response: The SDT thanks you for your comment. While the SDT would like to point out the “etc.” is the last word in the
definition of Facility; the SDT has removed footnote 1 and the forced intrusion statement has been removed. The SDT has
updated to remove the conflict of “attached to the NERC report…” The SDT agrees with your comments and has revised the
standard to address these discrepancies.
Duke Energy
No
(1) We disagree with reporting CIP-008 incidents under this standard. We agree with
the one-hour notification timeframe, but believe it should be in CIP-008 to avoid
double jeopardy.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one-hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
(2) Damage or destruction of a Facility - Need clarity on how a vertically integrated
entity must report. For example a GOP probably won’t know if an IROL will be
affected. Also, there shouldn’t be multiple reports from different functional entities
for the same event. Suggest splitting this table so that GO, GOP, DP only reports
“Results from actual or suspected intentional human action”.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours. This will give the ERO (and whoever else the entity wishes to inform per R1)
the situational awareness that the Facility was ‘damaged or destroyed’
intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility,” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
(3) Generation Loss - Need more clarity on the threshold for reporting. For example if
we lose one 1000 MW generator at 6:00 am and another 1000 MW generator at 4:00
pm, is that a reportable event?
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
Response: The SDT thanks you for your comment.
Luminant
No
Luminant appreciates the work of the SDT to modify Attachment 1 to address the
concerns of the stakeholders. However, we are concerned that the threshold for
reporting a Generation Loss in the ERCOT interconnection established by this revision
is set at ≥ 1,000MW, which is not consistent with the level of single generation
contingency used in ERCOT planning and operating studies. That level of contingency
is currently set at the size of the largest generating unit in ERCOT, which is 1,375MW.
For this reason, Luminant believes that the minimum threshold for reporting of a
disturbance should be > 1,375MW for the ERCOT Interconnection.
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
The SDT discussed this issue and believes that ERCOT could change contingency level in the future, and this event is also applicable
to the Quebec Interconnection.
BC Hydro
No
BC Hydro supports the revisions to EOP-004 and would vote Affirmative with the
following change. Attachment 1 has a One Hour Reporting requirement. BC Hydro
proposes a One Hour Notification with the Report submitted within a specified
timeframe afterward.
Response: The SDT thanks you for your comment. The SDT has removed all incidences involving one-hour reporting threshold;
therefore, the SDT does not see the need to make this change.
Bonneville Power
Administration
No
BPA believes that clarifying language should be added to transmission loss event.
(Page 19) [A report should not be required if the number of elements is forced
because of pre-designed or planned configuration. System studies have to take such
a configuration into account. Possible wording could be: Unintentional loss of three
or more Transmission Facilities (excluding successful automatic reclosing or planned
operating configuration)]
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
In addition, under the “Event” of Complete or partial loss of monitoring capability,
BPA believes that “partial loss” is not sufficiently specific for BPA to write compliance
operating procedures and suggest defining partial loss or removing it from the
standard. Should the drafting team add clarifying language to remove “or partial
loss” and address BPA’s concerns on over emphasis on software tool to the operation
of the system, BPA would change its negative position to affirmative.
The SDT has revised the language on this point in Attachment 1.
Response: The SDT thanks you for your comment.
SPP Standards Review Group
No
To obtain an understanding of the drivers behind the events in Attachment 1, we
would like to see where these events come from. If the events are required in
standards, refer to them. If they are in the existing event reporting list, indicate so. If
they are coming from the EAP, let us know. We have a concern that, as it currently
exists, Attachment 1 can increase our reporting requirements considerably.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. Reportable events should be similar, but not identical to the
events reported to DOE or EAP.
We also have concerns about what appears to be a lack of coordination between EAP
reporting requirements and those contained in Attachment 1. For example, the EAP
reporting requirement is for the complete loss of monitoring capability whereas
Attachment 1 adds the requirement for reporting a partial loss of monitoring
capability. It appears that some of the EAP reporting requirements are contained in
Attachment 1. We have concerns that this is beyond the scope of the SAR and should
not be incorporated in this standard.
The SDT has revised the language on this point in Attachment 1. It should be noted
that the EAP can use reports submitted under EOP-004-2 as the initial notification
of an event that could be further addressed in the EAP.
We have concern with several of the specific event descriptions as contained in
Attachment 1:
Damage or destruction of a Facility - We are comfortable with the proposed
definition of Adverse Reliability Impact but have concerns with the existing definition
of ARI.
Any physical threat that could impact the operability of a Facility1 - We take
exception to this event in that it goes beyond what is currently required in EOP-004-1, including DOE reporting requirements, and the EAP reporting requirements. We do
not understand the need for this event type and object to the potential for excessive
reporting required by such an event type. Additionally, we are concerned about the
potential for multiple reporting of a single event. This same concern applies to
several other events including Damage or destruction of a Facility, Loss of firm load
for ≥ 15 minutes, System separation, etc. When multiple entities are listed as the
Entity with Reporting Responsibility, Attachment 1 appears to require each entity in
the hierarchy to submit a report. There should only be one report and it should be
filed by the entity owning the event. The SDT addressed this issue in its last posting
but the issue still remains and should be reviewed again.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT understands that there may be several reports of a single event; and as the
SDT has stated before, that this will give the ERO a better understanding of the
depth and breadth of system conditions based on the given event.
BES Emergency resulting in automatic firm load shedding - For some reason, not
stipulated in the Consideration of Comments, the action word in the Entity with
Reporting Responsibility was changed from ‘experiences’ to ‘implements’. We
recommend changing it back to ‘experiences’. Automatic load shedding is not
implemented. It does not require human intervention. It’s automatic. Voltage
deviation on a Facility - Similar to the comment on automatic load shedding above,
the action word was changed from ‘experiences’ to ‘observes’. We again recommend
that it be changed back to ‘experiences’. Using observes obligates a TOP, who is able
to see a portion of a neighboring TOP’s area, to submit a report if that TOP observed
a voltage deviation in the neighboring TOP’s area. The only reporting entity in this
event should be the TOP within whose area the voltage deviation occurred.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Automatic firm load shedding ≥ 100 MW (via automatic undervoltage or
underfrequency load shedding schemes, or SPS/RAS).”
This language clearly states that an entity reports if the threshold is reached.
Complete or partial loss of monitoring capability - Clarification on partial loss of
monitoring capability and inoperable are needed. Also, the way the Threshold is
written, it implies that a State Estimator and Contingency Analysis are required. To
tone this down, insert the qualifier ‘such as’ in front of State Estimator.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to “Complete loss of monitoring
capabilities” for a RC, BA, or TOP when there is a complete loss of monitoring
capabilities for 30 continuous minutes where their State Estimator or Contingency
Analysis is inoperable. This will only apply to an RC, BA, or TOP who have this
capability to start with.
Response: The SDT thanks you for your comment.
Florida Municipal Power
Agency
No
The bullet on “any physical threat” is un-measurable. What constitutes a “threat”?
FMPA likes the language used in the comment form discussing this item concerning
the judgment of the Responsible Entity, but, the way it is worded in Attachment 1 will
mean the judgment of the Compliance Enforcement Authority, not the Responsible
Entity. Presumably, the Responsible Entity will need to develop methods to identify
physical threats in accordance with R1; hence, FMPA suggests rewording to: “Any
physical threat recognized by the Responsible Entity through processes established in
R1 bullet 1.1”. We understand this introduces circular logic, but, it also introduces the
“judgment of the Responsible Entity” into the bullet.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours. This
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event, unless it degrades the normal operation of a Facility.
On the row of the table on voltage deviation, replace the word “observes” with
“experiences”. It is possible for one TOP to “observe” a voltage deviation on another
TOP’s system. It should be the responsibility of the TOP experiencing the voltage
deviation on its system to report, not the one who “observes”. On the row on
islanding, it does not make sense to report islanding for a system with load less than
the loss of load metrics and we suggest using the same 300 MW threshold for a
reporting threshold. On the row on generation loss, some clarification on what type
of generation loss (especially in the time domain) would help it be more measurable,
e.g., concurrent forced outages. On the row on transmission loss, the same clarity is
important, e.g., three or more concurrent forced outages.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Automatic firm load shedding ≥ 100 MW (via automatic undervoltage or
underfrequency load shedding schemes, or SPS/RAS).”
This language clearly states that an entity reports if the threshold is reached.
On the row on loss of monitoring, while FMPA likes the threshold for “partial loss of
monitoring capability” for those systems that have State Estimators, small BAs and
TOPs will not need or have State Estimators and the reporting threshold becomes
ambiguous. We suggest adding something like loss of monitoring for 25% of
monitored points for those BAs and TOPs that do not have State Estimators.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to “Complete loss of monitoring
capabilities” for a RC, BA, or TOP when there is a complete loss of monitoring
capabilities for 30 continuous minutes where their State Estimator or Contingency
Analysis is inoperable. This will only apply to an RC, BA, or TOP who have this
capability to start with.
Response: The SDT thanks you for your comment.
LG&E and KU Services
No
The SDT should consider more clearly defining the Threshold for Reporting for the
Event: “Any physical threat that could impact the operability of a Facility” to only
address those events that have an Adverse Reliability Impact. Some proposed
language might be: “Threat to a Facility excluding weather related threats that could
result in an Adverse Reliability Impact.” For those events specifically defined in the
ERO Events Analysis Process, the SDT should consider revising the language to be
more consistent with the language included in the ERO Events Analysis Process. Here
is some recommended language:
1. EVENT: Transmission loss THRESHOLD FOR REPORTING: “Unintentional loss,
contrary to design, of three or more BES Transmission Facilities (excluding successful
automatic reclosing) caused by a common disturbance.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
2. EVENT: “Complete or partial loss of monitoring capability” - could be revised to
read “Complete loss of SCADA control or monitoring functionality” THRESHOLD FOR
REPORTING: “Affecting a BES control center for ≥ 30 continuous minutes such
that analysis tools (e.g. State Estimator, Contingency Analysis) are rendered
inoperable”.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
MRO NSRF
No
R1.2 states: A process for communicating each of the applicable events listed in EOP-004 Attachment 1 in accordance with the timeframes specified in EOP-004
Attachment 1 to the Electric Reliability Organization and other organizations needed
for the event type; i.e. the Regional Entity; company personnel; the Responsible
Entity’s Reliability Coordinator; law enforcement, governmental or provincial
agencies. This implies not only does NERC need to be notified within the specified
time period but that: “other organizations needed for the event type; i.e. the
Regional Entity; company personnel; the Responsible Entity’s Reliability Coordinator;
law enforcement, governmental or provincial agencies.” are also required to be
notified within the time periods specified. We suggest a fourth column be added to
the table to clearly identify who must be notified within the specified time period or
that R1.2 be revised to clearly state that only NERC must be notified to comply with
the standard. With the use of “i.e.” the SDT is mandating that each other entity must
be contacted. The NSRF believes that the SDT meant that “e.g.” should be used to
provide examples. The SDT may wish to add another column to Attachment 1 to
provide clarity.
The SDT has made the required change concerning replacing “i.e.” with “e.g.”
Also with regards to Attachment 1, the following comments are provided:
1. Instead of referring to CIP-008 (in the 1 hour reporting section), quote the words
from CIP-008, this will require coordination of future revisions but will assure clarity
in reporting requirements.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one-hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
2. Under “Damage or destruction of a Facility” a. The wording “affects an IROL (per
FAC-014),” is too vague. Many facilities could affect an IROL, not as many if lost
would cause an IROL. b. Adverse Reliability Impact is defined as: “The impact of an
event that results in frequency-related instability; unplanned tripping of load or
generation; or uncontrolled separation or cascading outages that affects a
widespread area of the Interconnection.” There are an infinite number of routine
events that result in the loss of generation plants due to inadvertent actions that
somehow also damaged equipment. Any maintenance activity that damaged a piece
of equipment that causes a unit to trip or results in a unit being taken off line in a
controlled manner would now be reportable. This seems to be an excessive
reporting requirement. Recommend that Adverse Reliability Impact be deleted and
be replaced with actual EEA 2 or EEA 3 level events. c. The phrase “Results from
actual or suspected intentional human action.” This line item used the term
“suspected” which relates to “sabotage”. Recommend the following: Results from
actual or malicious human action intended to damage the BES.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per R1) the situational awareness that the electrical system has been
reconfigured or may need to be reconfigured, thus supporting reliable operations of
each interconnection.
3. “Any physical threat that could impact the operability of a Facility1” The example
provided by the drafting team of a train derailment exemplifies why this requirement
should be deleted. A train derailment of a load of bananas more than likely would
not threaten a nearby BES Facility. However a train carrying propane that derails
carrying propane could even if it were 10 miles away. Whose calculation will be used
to determine if an event could have impacted the asset? As worded there is too
much ambiguity left to the auditor. We suggest the drafting team clarify by saying
“Any event that requires that a BES site be evacuated for safety reasons.”
Furthermore if weather events are excluded, we are hard pressed to understand why
this information is important enough to report to NERC. So barring an explanation of
the purpose of this requirement, including why weather events would be excluded,
we suggest the requirement be deleted. Please note that if you align this with
“Physical attack” with #1 of the OE-417. This clearly states what the SDT is looking
for.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours. This
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
4. The phrase “or partial loss of monitoring capability” is too vague. Further
definitions of “inoperable” are required to assure consistent application of this
requirement. Recommend that “Complete loss of SCADA affecting a BES control
center for ≥ 30 continuous minutes such that analysis tools of State Estimator
and/or Contingency Analysis are rendered inoperable. Or, Complete loss of the
ability to perform a State Estimator or Contingency Analysis function, the threshold of
30 mins is too short. A 60 min threshold will align with EOP-008-1, R1.8. Since this is
the time to implement the contingency back up control center plan.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
5. Event: Voltage deviation on a Facility. ATC believes that the term “observes” for
Entity with Reporting Responsibility be changed back to “experiences” as originally
written. The burden should rest with the initiating entity in consistency with other
Reporting Responsibilities. Also, for Threshold for Reporting, ATC believes the
language should be expanded to - plus or minus 10% “of target voltage” for greater
than or equal to 15 continuous minutes.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
6. Event: Transmission loss. ATC recommends that Threshold for Reporting be
changed to read “Unintentional loss of four, or more Transmission Facilities,
excluding successful automatic reclosing, within 30 seconds of the first loss
experienced and for 30 continuous minutes.” Technical justification or Discussion for
this recommended change: In the instance of a transformer-line-transformer,
scenario commonly found close-in to Generating stations, consisting of 3 defined
“facilities”, 1 lightning strike can cause automatic unintentional loss by design.
Increase the number of facilities to 4. In a normal shoulder season day, an entity may
experience the unintentional loss of a 138kv line from storm activity, at point A in the
morning, a loss of a 115kv line from a different storm 300 miles from point A in the
afternoon, and a loss of 161kv line in the evening 500 miles from point A due to a
failed component, if it is an entity of significant size. Propose some type of time
constraint. Add time constraint as proposed, 30 seconds, other than automatic
reclosing. In the event of dense lightning occurrence, the loss of multiple
transmission facilities may occur over several minutes to several hours with no
significant detrimental effect to the BES, as load will most certainly be affected (lost
due to breaker activity on the much more exposed Distribution system) as well. Any
additional loss after 30 seconds must take into account supplemental devices with
intentional relay time delays, such as shunt capacitors, reactors, or load tap changers
on transformers activating as designed, arresting system decay. In addition,
Generator response after this time has significant impact. Please clarify or completely
delete why this is included within this version when no basis has been given and it is
not contained within the current enforceable version.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
7. Modify the threshold of “BES emergency requiring a public appeal...” to include,
“Public appeal for a load reduction event resulting for a RC or BA implementing its
emergency operators plans documented in EOP-001.” The reason is that normal
public appeals for conservation should be clearly excluded.
The SDT disagrees since it is clearly stated that a report is required for “Public
appeal for load reduction event.” The SDT has not discussed a reporting
mechanism for “conservation.”
8. Add a time threshold to complete loss of off-site power to a nuclear plant.
Nuclear plants are to have backup diesel generation that last for a minimum amount
of time. A threshold recognizing this 4 hour or longer window needs to be added
such as complete loss of off-site power to a nuclear plant for more than 4 hours.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Complete loss of off-site power affecting a nuclear generating station per the
Nuclear Plant Interface Requirement.” As stated in this event Threshold, the TOP’s
NPIR may have additional guidance concerning the complete loss of offsite power
affecting a nuclear plant.
9. Delete “Transmission loss”. The loss of a specific number of elements has no
direct bearing on the risk of a system cascade. Faults and storms can easily result in
the “unintentional” loss of multiple elements. This is a flawed concept and needs to
be deleted.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
Response: The SDT thanks you for your comment.
PPL Corporation NERC
Registered Affiliates
No
1.) PPL Generation thanks the SDT for the changes made in this latest proposal. We feel our
previous comments were addressed. PPL Generation offers the following additional
comments. Regarding the event ‘Transmission Loss’: For your consideration, please
consider adding a footnote to the event ‘Transmission Loss’ such that weather events do
not need to be reported. Also please consider including operation contrary to design in
the language and not just in the example. E.g. consistent with the NERC Event Analysis
table, the threshold would be, ‘Unintentional loss, contrary to design, of three or more
BES Transmission Facilities.’
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).” The SDT has
removed all footnotes within Attachment 1.
2.) PPL Generation proposes the following changes in Attachment 1 to the first entry in the
“Threshold for Reporting” column to make it clear that independent GO/GOPs are
required to act only within their sphere of operation and based on the information that is
available to the GO/GOPs: Damage or destruction of a Facility that: Affects an IROL (per
FAC-014, not applicable to GOs and GOPs) OR Results in the need for actions to avoid an
Adverse Reliability Impact (not applicable to GOs and GOPs) OR Results from actual or
suspected intentional human action (applicable to all).
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Response: The SDT thanks you for your comment.
ISO/RTO Standards Review
Committee
No
The SRC response to this question does not indicate support of the proposed
requirement. Please see the latter part of the SRC’s response to Question 4 below for
an SRC proposed alternative approach:
Response: The SDT thanks you for your comment. Please review response to Question 4 comment.
ACES Power Marketing
Standards Collaborators
No
The drafting team made a number of positive changes to Attachment 1. However,
there are a few changes that have introduced new issues and there are a number of
existing issues that have yet to be fully addressed. One of the existing issues is that
the reporting requirements will result in duplicate reporting. Considering that one of
the stated purposes is to eliminate redundancy, we do not see how the scope of the
SAR can be considered to be met until all duplicate reporting is eliminated.
The SDT acknowledges that reporting of the same event will come from multiple
parties. However, as the industry has learned from recent events, NERC needs to
have perspectives from a variety of entities instead of just one party’s viewpoint.
Reliability can be improved from learning how the differing parties see or
experience the event. Sometimes, the differing perspectives have provided
valuable insight on the true nature of the event. Therefore, the SDT believes that
having multiple reports will aid reliability as we can learn from everyone’s
experiences.
More specifics on our concerns are provided in the following discussion.
(1) In the “Damage or destruction of a Facility” event, the statement “Affects an IROL
(per FAC-014)” in the “Threshold for Reporting” is ambiguous. What does it mean? If
the loss of a Facility will have a 1 MW flow change on the Facilities to which the IROL
applies, is this considered to have affected the IROL? We suggest a more direct
statement that damage or destruction occurred on a Facility to which the IROL
applies or to one of the Facilities that comprise an IROL contingency as identified in
FAC-014-2 R5.1.3. Otherwise, there will continue to be ambiguity over what
constitutes “affects”.
(2) In the “Damage or destruction of a Facility” event, the threshold regarding
“intentional human action” is ambiguous and suffers from the same difficulties as
defining sabotage. What constitutes intentional? How do we know something was
intentional without a law enforcement investigation? This is the same issue that
prevented the drafting team from defining sabotage.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
(3) In the “Damage or destruction of a Facility” and “Any physical threat that could
impact the operability of a Facility” events, Distribution Provider should be removed.
Per the Function Model, the Distribution Provider does not have any Facilities (line,
generator, shunt compensator, transformer). The only Distribution Provider
equipment that even resembles a Facility would be capacitors (i.e. shunt
compensator) but they do not qualify because they are not Bulk Electric System
Elements.
The SDT agrees that if a DP does not own or operate a Facility then this event would
not be applicable to them. However, if a DP does experience an event such as
those listed, then it is a reportable incident under this standard.
(4) The “Any physical threat that could impact the operability of a Facility” event
requires duplicate reporting. For example, if a large generating plant experiences
such a threat, who should report the event? What if loss of the plant could cause
capacity and energy shortages as well as transmission limits? The end result is that
the RC, BA, TOP, GO and GOP could all end up submitting a report for the same
event. For a given operating area, only one report should be required from one
registered entity for each event.
The SDT acknowledges that multiple reports could result from an event. If an entity
experiences an applicable event type, then they are required to report it. As previously
stated, the industry can benefit from having such differing perspectives when
events occur.
(5) The “Any physical threat that could impact the operability of a Facility” event
should not apply to a single Facility but rather multiple Facilities which if lost would
impact BES reliability. As written now, a train derailment near a single 138 kV
transmission line or small generator with minimal reliability impact would require
reporting.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
(6) The “BES Emergency resulting in automatic firm load shedding” should not apply
to the DP. In the existing EOP-004 standard, Distribution Provider is not included and
the load shed information still gets reported.
The SDT believes that the DP should be required to report “automatic firm load
shedding…” to the ERO (and whoever else the entity wishes to inform per
Requirement R1).
(7) The “Voltage deviation on a Facility” event needs to be clarified that the TOP only
reports voltage deviations in its Transmission Operator Area. Because TOPs may view
into other Transmission Operator Areas, it could technically be required to report
another TOP’s voltage deviation because one of its System Operators observed the
neighboring TOP’s voltage deviation.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
The SDT understands that there may be several reports of a single event; and as the
SDT has stated before, that this will give the ERO a better understanding of the
depth and breadth of system conditions based on the given event.
(8) For the “Loss of firm load greater than 15 minutes” event, the potential for
duplicate reporting needs to be eliminated. Every time a DP experiences this event,
the DP, TOP and BA all appear to be required to report since the DP is within both the
Balancing Authority Area and Transmission Operator Area. Only one report is
necessary and should be sent. Given that the existing EOP-004 standard does not
include the DP, we suggest eliminating the DP to eliminate one level of duplicate
reporting.
The SDT understands that there may be several reports of a single event; and as the
SDT has stated before, that this will give the ERO a better understanding of the
depth and breadth of system conditions based on the given event.
(9) For the “System separation (islanding)” event, please remove DP. As long as any
island remains viable, the Distribution Provider will not even be aware that an island
occurred. It is not responsible for monitoring frequency or having a wide area view.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified.
This event is now only applicable to RC, BA, and TOP.
(10) For the “System separation (islanding)” event, please remove BA. Because
islanding and system separation, involve Transmission Facilities automatically being
removed from service, this is largely a Transmission Operator issue. This position is
further supported by the approval of system restoration standard (EOP-005-2) that
gives the responsibility to restore the system to the TOP.
(11) For the “System separation (islanding)” event, please eliminate duplicate reporting by clarifying that
the RC should submit the report when more than one TOP is involved. If only one
TOP is involved, then the single TOP can submit the report or the RC could agree to
do it on their behalf. Only one report is necessary.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified.
This event is now only applicable to RC, BA, and TOP. The SDT understands that
there may be several reports of a single event; and as the SDT has stated before,
that this will give the ERO a better understanding of the depth and breadth of
system conditions based on the given event.
(12) For the “Generation loss” event, duplicate reporting should be eliminated. It is
not necessary for both the BA and GOP to submit two separate reports with nearly
identical information. Only one entity should be responsible for reporting.
The SDT understands that there may be several reports of a single event; and as the
SDT has stated before, that this will give the ERO a better understanding of the
depth and breadth of system conditions based on the given event.
(13) For the “Complete loss of off-site power to a nuclear generating plant”, the
associated GO or GOP should be required to report rather than the TO or TOP.
Maintaining power to cooling systems is ultimately the responsibility of the nuclear
plant operator. At the very least, TO should be removed because it is not an
operating entity and loss of off-site power is an operational issue. If the TOP remains
in the reporting responsibility, it should be clarified that it is only a TOP with an
agreement pursuant to NUC-001. All of this is further complicated because NUC-001
was written for a non-specific transmission entity because there was no one
functional entity from which the nuclear plant operator gets its off-site power.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2.
The SDT has taken your comment into consideration and this threshold for
reporting now states:
“Complete loss of off-site power affecting a nuclear generating station per the
Nuclear Plant Interface Requirement.” As stated in this event Threshold, the TOP’s
NPIR may have additional guidance concerning the complete loss of offsite power
affecting a nuclear plant.
(14) For the “Complete or partial loss of monitoring capability”, partial loss needs to
be further clarified. Is loss of a single RTU a partial loss of monitoring capability? For
a large RC is loss of ICCP to a single small TOP, considered a partial loss? We suggest
as long as the entity has the ability to monitor their system through other means that
the event should not be reported. For the loss of a single RTU, if the entity has a
solving state estimator that provides estimates for the area impacted, the partial
threshold loss would not be considered. If the entity has another entity (i.e. perhaps
the RC is still receiving data for its TOP area, the RC can monitor for the TOP) that can
monitor their system as a backup, the partial loss has not been met.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
Southern Company Services
No
It appears that the SDT has incorporated the reporting requirements for CIP-008
“reportable Cyber Security Incidents”; however, the “recognition” requirements
remain in CIP-008 Reliability Standard. Southern understands the desire to
consolidate reporting requirements into a single standard, but it would be clearer for
Cyber Security Incidents if both the recognition and reporting requirements were in
one reliability standard and not spread across multiple standards.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
As it relates to the event type “Loss of Firm Load for > 15 minutes”, Southern
suggests that the SDT clarify if weather related loss of firm load is excluded from the
reporting requirement.
The SDT believes that it is important to report this event based on the threshold
regardless of the cause. This will give the ERO (and whoever else the entity wishes
to inform per Requirement R1) a better understanding of the depth and breadth of
system conditions based on the given event.
As it relates to the event type “Loss of all voice communication capability”, Southern
suggests that the SDT clarify if this means both primary and backup voice
communication systems or just primary voice communication systems.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Complete loss of voice communications capabilities affecting a BES control center
for 30 continuous minutes or more.” The SDT intends “complete” to mean all
capabilities, including back up capabilities.
Referring to “CIP-008-3 or its successor” in Requirement R1.1 is problematic. This
arrangement results in a variable requirement for EOP-004-2 R1. The requirements
in a particular version of a standard should be fixed and not variable. If exceptions to
applicable events change, a revision should be made to EOP-004 to reflect the
modified requirement.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008.
Response: The SDT thanks you for your comment.
Hydro One
No
In the Attachment 1, language identical to event descriptions in the NERC Event
Analysis Process and FERC OE-417 should be used. Creating a third set of event
descriptions is not helpful to system operators. Recommend aligning the Attachment
1 wording with that contained in Attachment 2, DOE Form OE-417 and the EAP
whenever possible.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. Using identical terminology will be difficult to achieve as the DOE
form and EAP have differing processes for identification of the reportable
incidences. The SDT has tried to set up the reportable events in the standard to be
as similar as possible to the other organizations without being tied to their specific
language. Attachment 2 has been modified to match the events types listed in
Attachment 1.
The proposed “events” are subjective and will lead to confusion and questions as to
what has to be reported.
- Event: A reportable Cyber Security Incident. All
reportable Cyber Security Incidents may not require “One Hour Reporting.” A “one-size fits all” approach may not be appropriate for the reporting of all Cyber Security
Incidents. The NERC “Security Guideline for the Electricity Sector: Threat and Incident
Reporting” document provides time-frames for Cyber Security Incident Reporting.
For example, a Cyber Security Compromise is recommended to be reported within
one hour of detection, however, Information Theft or Loss is recommended to be
reported within 48 hours. Recommend listing the Event as “A confirmed reportable
Cyber Security Incident.” The existing NERC “Security Guideline for the Electricity
Sector: Threat and Incident Reporting” document uses reporting time-frames based
on “detection” and “discovery.” Recommend using the word confirmed because of
the investigation time that may be required from the point of initial “detection” or
“discovery” to the point of confirmation, when the compliance “time-clock” would
start for the reporting requirement in EOP-004-2.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement. Note that the existing NERC
“Security Guideline for the Electricity Sector: Threat and Incident Reporting”
document is a “guideline” to assist entities. It should not be confused with a
mandatory and enforceable Reliability Standard.
- Event: Damage or destruction of a Facility Threshold for Reporting: revise language
on third item to read: “Results from actual or suspected intentional human action,
excluding unintentional human errors”.
The SDT reviewed, discussed and updated “Damage and destruction of a Facility”
based on comments received, FERC directives and what is required for combining
CIP-001 and EOP-004 into EOP-004-2. The new “threshold” now states:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
- Event: Any physical threat that could impact the operability of a Facility This Event
category should be deleted. The word “could” is hypothetical and therefore
unverifiable and un-auditable. The word “impact” is undefined. Please delete this
reporting requirement, or provide a list of hypothetical “could impact” events, as well
as a specific definition and method for determining a specific physical impact
threshold for “could impact” events other than “any.”
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
- Event: BES Emergency requiring public appeal for load reduction. Replace wording
in the Event column with language from #8 on the OE-417 Reporting Form to
eliminate reporting confusion. Following this sentence add, “This shall exclude other
public appeals, e.g., made for weather, air quality and power market-related
conditions, which are not made in response to a specific BES event.”
The SDT disagrees with quantifying a use of public appeals reporting for different
types of events. The important item here is that a public appeal was issued for load
reduction. A report is required to inform the ERO (and whoever else the entity
wishes to inform per Requirement R1) of your current status and provide them with
the situational awareness of the status of your system.
- Event: Complete or partial loss of monitoring capability Event wording: Delete the
words “or partial” to conform the wording to the NERC Event Analysis Process.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event now only applies to:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Event: Transmission Loss Revise to BES Transmission Loss
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
Event: Generation Loss Revise to BES Generation Loss
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
The SDT believes that if an entity reaches this threshold, it needs to be reported.
Response: The SDT thanks you for your comment.
CenterPoint Energy
No
CenterPoint Energy appreciates the revisions made to Attachment 1 based on
stakeholder feedback; however, the Company continues to have concerns regarding
certain events and thresholds for reporting and offers the following
recommendations. (1) CenterPoint Energy recommends the deletion of "per
Requirement R1" in the “Note” under Attachment 1 as it contains a circular reference
back to R1 which includes timeframes.
The SDT has updated Requirement R1 due to industry comments to read:
“R1. Each Responsible Entity shall have an event reporting Operating Plan that
includes communication protocol(s) for applicable events listed in, and within the
time frames specified in EOP-004 Attachment 1 to the Electric Reliability
Organization and other organizations based on the event type (e.g. the Regional
Entity, company personnel, the Responsible Entity’s Reliability Coordinator, law
enforcement, governmental or provincial agencies).”
(2) CenterPoint Energy maintains that a required 1 hour threshold for reporting of
any event is unreasonable. CenterPoint Energy is confident that given dire
circumstances Responsible Entities will act quickly on responding to and
communication of any impending threat to the reliability of the Bulk Electric System.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
(3) For the event of “Damage or destruction of a Facility”, CenterPoint Energy is
concerned that the use of the term “suspected” is too broad and proposes that the
SDT delete "suspected" and add "that causes an Adverse Reliability Impact..." to the
threshold for reporting regarding human action.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
(4) CenterPoint Energy believes that the event, “Any physical threat that could impact
the operability of a Facility” is too broad and should be deleted. Alternatively,
CenterPoint Energy recommends that the SDT delete "could” or change the event
description to "A physical incident that causes an Adverse Reliability Impact".
Additionally, in footnote 1, the example of a train derailment uses the phrase “could
have damaged”. CenterPoint Energy is concerned that as beauty is in the eye of the
beholder, this phrase is open to interpretation and therefore recommends that the
phrase, “causes an Adverse Reliability Impact” be incorporated into the description.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event and
footnote 1. The SDT removed this language so the entities within this column are
clearly stated and identified. Under the “Threshold for Reporting” column, a bright
line was updated based on currently enforced Reliability Standards, FERC directives
and industry comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
(5) The Company proposes that the threshold for reporting the event, “BES
Emergency requiring manual firm load shedding” is too low. It appears the SDT was
attempting to align this threshold with the DOE reporting requirement. However, as
the SDT stated above, there are several valid reasons why this should not be done;
therefore, CenterPoint Energy recommends the threshold be revised to “Manual firm
load shedding ≥ 300 MW”.
The SDT disagrees as this is currently enforceable within EOP-004-1.
(6) CenterPoint Energy also recommends a similar revision to the threshold for
reporting associated with the “BES Emergency resulting in automatic firm load
shedding” event. (“Firm load shedding ≥ 300 MW (via automatic under voltage or
under frequency load shedding schemes, or SPS/RAS”)
The SDT disagrees as we have aligned this with “manual firm load shedding.” As
written a report will be required for load shedding of 100MW for automatic or
manual actions.
(7) CenterPoint Energy is uncertain of the event, “Loss of firm load for ≥ 15
minutes” and its fit with BES Emergency requiring manual firm load shedding or BES
Emergency resulting in automatic firm load shedding. The Company believes that this
event is already covered with manual firm load shedding and automatic firm load
shedding and should therefore be deleted.
The SDT disagrees, as “Loss of firm load” is due to an action other than loss of load
due to “automatic” or “manual” actions by the BA, TOP, or DP. The intent is to
capture that load was lost by some other action. Note that this is a currently
enforceable item within EOP-004-1.
(8) For the event of “System separation (islanding)”, CenterPoint Energy believes that
100 MW is inconsequential and proposes 300 MW instead.
The SDT disagrees, as this has been vetted through the industry with very little
negative feedback.
(9) For “Generation loss”, CenterPoint Energy suggests that the SDT add "only if
multiple units” to the criteria of “1,000 MW for entities in the ERCOT or Quebec
Interconnection”.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
(10) Finally, CenterPoint Energy recommends that the SDT delete the term “partial”
under the “Entity with Reporting Responsibility” for “Complete or partial loss of
monitoring capability”. The Company proposes revising the event description to "Loss
of monitoring capability for > 30 minutes that causes system analysis tools to be
inoperable”.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
Arkansas Electric Cooperative
Corporation
No
AECC supports the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. Please review the response to that commenter.
MWDSC
No
See comment for question 1
Response: The SDT thanks you for your comment. Please review the response to Question 1.
Georgia System Operations
Corporation
No
See comments under no. 4 below.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Texas Reliability Entity
No
(1) In the Events Table, consider whether the item for “Voltage deviation on Facility”
should also be applicable to GOPs, because a loss of voltage control at a generator
(e.g. failure of an automatic voltage regulator or power system stabilizer) could have
a similar impact on the BES as other reportable items. Note: We made this comment
last time, and the SDT’s posted response was non-responsive to this concern.
The SDT reviewed TRE’s comment and believe that our consideration of comments
during that last posting clearly stated the SDT view correctly. We stated “The SDT
disagrees with this comment. Attachment 1 is the minimum set of events that will
be required to report and communicate per your Operating Plan will be aware of
system conditions.” Further, we note that such events do not rise to the level of
notification to the ERO. When events like the ones you mention occur, the entity
has obligations to notify other parties according to reliability standards relating to
that equipment. The NERC Standards Process Manual does allow TRE to apply for a
variance if they have special concerns that GOPs should submit a report to the ERO.
(2) In the Events Table, under Transmission Loss, the SDT indicated that reporting is
triggered only if three or more Transmission Facilities operated by a single TOP are
lost. What if four Facilities are lost, with two Facilities operated by each of two TOPs?
That is a larger event than three Facilities lost by one TOP, but there is no reporting
requirement? Determining event status by facility ownership is not an appropriate
measure. The reporting requirements should be based on the magnitude, duration,
or impact of the event, and not on what entities own or operate the facilities.
(3) In the Events Table, under Transmission Loss, the criteria “loss of three or more
Transmission Facilities” is very indefinite and ambiguous. For example, how will bus
outages be considered? Many entities consider a bus as a single “Facility,” but loss of
a single bus may impact as many as six 345kV transmission lines and cause a major
event. It is not clear if this type of event would be reportable under the listed event
threshold? Is the single-end opening of a transmission line considered as a loss of a
Facility under the reporting criteria?
(4) Combinations of events should be reportable. For example, a single event
resulting in the loss of two Transmission Facilities (line and transformer) and a 950
MW generator would not be reportable under this standard. But loss of two lines
and a transformer, or a 1000 MW generator, would be reportable. It is important to
capture all events that have significant impacts.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
The SDT has reviewed Attachment 1 as a minimum level of reporting thresholds.
There may be times where an entity may wish to report when a threshold has not
been reached because of their experience with their system. EOP-004-2 does not
prevent any entity from reporting any type of situation (event) at any time. Note
that the SDT has received industry feedback and it is not within scope of a results
based Standards concept to be very prescriptive in nature.
(5) In the Events Table, under “Unplanned control center evacuation,” “Loss of all
voice communication capability” and “Complete or partial loss of monitoring
capability,” GOPs should be included. GOPs also operate control centers that are
subject to these kinds of occurrences, with potentially major impacts to the BES.
Note that large GOP control centers are classified as “High Impact” facilities in the CIP
Version 5 standards, and a single facility can control more than 10,000 MW of
generation.
The SDT appreciates your suggestion; however, as we understand the point, it
doesn’t apply continent-wide. The SDT has applied these events to RCs, BAs, and
TOPs.
(6) The “BES Emergency resulting in automatic firm load shedding” event row within
Attachment 1 should include the BA as a responsible entity for reporting. Note that
EOP-003-1 requires the BA to shed load in emergency situations (R1, R5 as examples),
and any such occurrence should be reported.
The SDT has reviewed your comment and would like to note that manual load
shedding is only reportable if 100 MW or more is activated. Automatic load
shedding is intended to be when a “relay” performs a breaker action that sheds
load without human interaction and achieves a level of 100 MW or more.
Response: The SDT thanks you for your comment.
Occidental Power Services,
Inc.
No
There are no requirements in Attachment 1 for LSEs without BES assets so these
entities should not be in the Applicability section.
Response: The SDT thanks you for your comment. The LSE obligation in this standard was tied to applicability in CIP-008 for cyber
incident reporting. Reporting under CIP-008 is no longer proposed to be a part of EOP-004-2 so this applicability has been
removed. Please note that LSEs will be obligated to report under CIP-008 until that standard has been changed.
Xcel Energy
No
1) The event Damage or destruction of a Facility appears to need ‘qualifying’. Is this
intended for only malicious intent? Otherwise, weather related or other operational
events will often meet this criteria. For example adjustment in generation or changes
in line limits to “avoid an Adverse Reliability Impact” could occur during a weather
related outage. We suggest adjusting this event and criteria to clearly exclude certain
items or identify what is included.
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
2) Also recommend placing the information in footnote 1 into the associated
Threshold for Reporting column, and removing the footnote.
The SDT has removed the footnote per industry comments and concerns.
Response: The SDT thanks you for your comment.
American Electric Power
No
If CIP-008 is now out of scope within the requirements of this standard, any
references to it should also be removed from Attachment 1.
The SDT has removed the one-hour reporting requirement as requested within
comments received.
The Threshold for Reporting column on page 26 includes “Results from actual or
suspected intentional human action.” This wording is too vague as many actions by
their very nature are intentional. In addition, it should actually be used as a qualifying
event rather than a threshold. We recommend removing it entirely from the
Threshold column, and placing it in the Events column and also replacing the first row
as follows: “Actual or suspected intentional human action with the goal of damage to,
or destruction of, the Facility.”
On page 27, the event “Any physical threat that could impact the operability of a
Facility” is too vague and broad. Using the phrases “any physical threat” and “could
impact” sets too high a bar on what would need to be reported. On page 28, for the
event “Complete loss of off-site power to a nuclear generating plant (grid supply)”,
TO and TOP should be removed and replaced by GOP.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Response: The SDT thanks you for your comment.
Clark Public Utilities
No
I agree with all but one. The event is "Damage or destruction of a Facility" and the
threshold for reporting is "Results from actual or suspected intentional human
action." I understand and agree that destruction of a facility due to actual or
suspected intentional human action should always be reported. However, I do not
know what level of damage should be reported. Obviously the term "damage" is
meant to signify an event that is less than destruction. As a result, damage could be
extensive, minimal, or hardly noticeable. There needs to be some measure of what
the damage entails if the standard is to contain a broad requirement for the reporting
of damage intentionally caused by human action. Whether that measure is based on
the actual impacts to the BES from the damage or whether the measure is based on
the ability of the damaged equipment to continue to function at 100%, 50% or some
capability would be acceptable but currently it is too open ended.
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours, this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
New York Power Authority
No
Please see comments submitted by NPCC Regional Standards Committee (RSC).
Response: Thank you for your comment. Please see response to the comments.
Consolidated Edison Co. of NY,
Inc.
No
General comment regarding Attachment 1: SDT should strive to use identical language
to event descriptions in the NERC Event Analysis Process and FERC OE-417. Creating
a third set of event descriptions is not helpful to system operators. We recommend
aligning the Attachment 1 wording with that contained in Attachment 2, DOE Form
OE-417 and the EAP whenever possible.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. Using identical terminology will be difficult to achieve as the DOE
form and EAP have differing processes for identification of the reportable
incidences. The SDT has tried to set up the reportable events in the standard to be
as similar as possible to the other organizations without being tied to their specific
language. Attachment 2 has been modified to match the event types listed in
Attachment 1.
Replace the Attachment 1 “NOTE” with the following clarifying wording: NOTE: The
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator
will accept the DOE OE-417 form in lieu of Attachment 2 if the entity is required to
submit an OE-417 report. Submit reports to the ERO via one of the following: e-mail:
esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422. Initial submittal by
Voice within the reporting time frame is acceptable for all events when followed by a
hardcopy submittal by Facsimile or e-mail as and if required.
The SDT thanks you for your comment. First, the SDT believes that you intended
the comment to address the “Note” on Attachment 2, not Attachment 1. The SDT
does not believe that a hardcopy report is necessary if the organization has made
voice contact.
Event: Damage or destruction of a Facility Threshold for Reporting: revise language
on third item to read, Results from actual or suspected intentional human action,
excluding unintentional human errors.
The SDT reviewed, discussed and updated “Damage and destruction of a Facility”
based on comments received, FERC directives and what is required for combining
CIP-001 and EOP-004 into EOP-004-2. The new “threshold” now states:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
Event: Any physical threat that could impact the operability of a Facility This Event
category should be deleted. The word “could” is hypothetical and therefore
unverifiable and un-auditable. The word “impact” is undefined. Please delete this
reporting requirement, or please provide a list of hypothetical “could impact” events,
as well as a specific definition and method for determining a specific physical impact
threshold for “could impact” events other than “any.”
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Event: BES Emergency requiring public appeal for load reduction. Replace Event
wording with language from #8 on OE-417 reporting form to eliminate reporting
confusion. Following this sentence add, “This shall exclude other public appeals, e.g.,
made for weather, air quality and power market-related conditions, which are not
made in response to a specific BES event.”
The SDT disagrees with quantifying a use of public appeals reporting for different
types of events. The important item here is that a public appeal was issued for load
reduction. A report is required to inform the ERO (and whoever else the entity
wishes to inform per Requirement R1) of your current status and provide them with
the situational awareness of the status of your system.
Event: Complete or partial loss of monitoring capability Event wording: Delete the
words “or partial” to conform the wording to NERC Event Analysis Process. Event:
Transmission Loss Modify to BES Transmission Loss Event: Generation Loss Modify to
BES Generation Loss
Orange and Rockland Utilities,
Inc.
No
General comment regarding Attachment 1: SDT should strive to use identical
language to event descriptions in the NERC Event Analysis Process and FERC OE-417.
Creating a third set of event descriptions is not helpful to system operators. We
recommend aligning the Attachment 1 wording with that contained in Attachment 2,
DOE Form OE-417 and the EAP whenever possible.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. Using identical terminology will be difficult to achieve as the DOE
form and EAP have differing processes for identification of the reportable
incidences. The SDT has tried to set up the reportable events in the standard to be
as similar as possible to the other organizations without being tied to their specific
language. Attachment 2 has been modified to match the event types listed in
Attachment 1.
Replace the Attachment 1 “NOTE” with the following clarifying wording: NOTE: The
Electric Reliability Organization and the Responsible Entity’s Reliability Coordinator
will accept the DOE OE-417 form in lieu of Attachment 2 if the entity is required to
submit an OE-417 report. Submit reports to the ERO via one of the following: e-mail:
esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422. Initial submittal by
Voice within the reporting time frame is acceptable for all events when followed by a
hardcopy submittal by Facsimile or e-mail as and if required.
The SDT thanks you for your comment. First, the SDT believes that you intended
the comment to address the “Note” on Attachment 2, not Attachment 1. The SDT
does not believe that a hardcopy report is necessary if the organization has made
voice contact.
Event: Damage or destruction of a Facility Threshold for Reporting: revise language
on third item to read, Results from actual or suspected intentional human action,
excluding unintentional human errors.
The SDT reviewed, discussed and updated “Damage and destruction of a Facility”
based on comments received, FERC directives and what is required for combining
CIP-001 and EOP-004 into EOP-004-2. The new “threshold” now states:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
Event: Any physical threat that could impact the operability of a Facility This Event
category should be deleted. The word “could” is hypothetical and therefore
unverifiable and un-auditable. The word “impact” is undefined. Please delete this
reporting requirement, or please provide a list of hypothetical “could impact” events,
as well as a specific definition and method for determining a specific physical impact
threshold for “could impact” events other than “any.”
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Event: BES Emergency requiring public appeal for load reduction. Replace Event
wording with language from #8 on OE-417 reporting form to eliminate reporting
confusion. Following this sentence add, “This shall exclude other public appeals, e.g.,
made for weather, air quality and power market-related conditions, which are not
made in response to a specific BES event.”
The SDT disagrees with quantifying a use of public appeals reporting for different
types of events. The important item here is that a public appeal was issued for load
reduction. A report is required to inform the ERO (and whoever else the entity
wishes to inform per Requirement R1) of your current status and provide them with
the situational awareness of the status of your system.
Event: Complete or partial loss of monitoring capability Event wording: Delete the
words “or partial” to conform the wording to NERC Event Analysis Process.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Event: Transmission Loss Modify to BES Transmission Loss
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
Event: Generation Loss Modify to BES Generation Loss
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
Response: The SDT thanks you for your comment.
FirstEnergy Corp
No
FE requests the following changes be made to Attachment 1: 1. Pg. 19 / Event:
“Voltage deviation on a Facility”. The term “observes” for Entity with Reporting
Responsibility be changed to “experiences”. The burden should rest with the
initiating entity in consistency with other Reporting Responsibilities.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
2. In “Threshold for Reporting”, the language should be expanded to - plus or minus
10% “of nominal voltage” for greater than or equal to 15 continuous minutes.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
3. Pg. 20 / Event: “Complete or partial loss of monitoring capability”. The term
“partial” should be deleted from the event description to read as follows: Complete
loss of monitoring capability and the reporting responsibility requirements to read
“Each RC, BA, and TOP that experiences the complete loss of monitoring capability.”
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
Farmington Electric Utility
System
No
The reporting threshold for “Complete or partial loss of monitoring capability” should
be modified to include the loss of additional equipment and not be limited to State
Estimator and Contingency Analysis. Some options have been included: Affecting a
BES control center for ≥ 30 continuous minutes such that Real-Time monitoring
tools are rendered inoperable. Affecting a BES control center for ≥ 30 continuous
minutes to the extent a Constrained Facility would not be identified or an Adverse
Reliability Impact event could occur due to lack of monitoring capability. Affecting a
BES control center for ≥ 30 continuous minutes such that an Emergency would
not be identified or ma
Response: The SDT thanks you for your comment. The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004 into EOP-004-2. This event is now written to
state:
“Complete loss of monitoring capability affecting a BES control center for 30 continuous minutes or more such that analysis
capability (State Estimator, Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or TOP who have this
capability to start with.
Public Service Enterprise
Group
No
We agreed with most of the revisions. However, for the 24-hour reporting time
frame portion of the EOP-004 Attachment 1: Reportable Event that starts on p. 18,
we have these concerns: a. Why was “RC” left out in the first row? RC is in the
second row that also addresses a “Facility.” We believe that “RC” was inadvertently
left out.
b. In the first row, entities such as a BA, TO, GO, GOP, or DP would not know whether
damage or destruction of one of its Facilities either “Affects an IROL (per FAC-014)” or
“Results in the need for actions to avoid an Adverse Reliability Impact.” FAC-014-2,
R5.1.1 requires Reliability Coordinators provide information for each IROL on the
“Identification and status of the associated Facility (or group of Facilities) that is (are)
critical to the derivation of the IROL” to entities that do NOT include the entities
listed above. And frankly, those entities would not need to know. The reporting
requirements associated with “Damage or destruction of a Facility” need to be
changed so that the criteria for reporting by an entity whose Facilities experience
damage or destruction does not rely upon information that the entity does not
possess. c. A possible route to achieve the results in b. above is described below: i. All
Facilities that are damaged or destroyed that “Results from actual or suspected
intentional human action” would be reported to the ERO by the entity experiencing
the damage or destruction. ii. All Facilities that are damaged or destroyed OTHER
THAN THAT due to an “actual or suspected intentional human action” would be
reported to the RC by the entity experiencing the damage or destruction. Based
upon those reports, the RC would be required to report whether the reported
damage or destruction of a Facility “Affects an IROL (per FAC-010)” or “Results in the
need for actions to Avoid an Adverse Reliability Consequence.” (The RC may need to
modify its data specifications in IRO-010-1a - Reliability Coordinator Data
Specification and Collection - to specify outages due to “damage or destruction of a
Facility.” We also note that “DP” is not included in IRO-010-1a, but “LSE” is included.
DPs are required to also register as LSEs if they meet certain criteria. See the
“Statement of Compliance Registry Criteria, Rev. 5.0”, p.7. For this reason, we
suggest that DP be replaced with LSE in EOP-004-2.) d. To implement the changes in
c. above, we suggest that the first row be divided into two rows: i. FIRST ROW: This
would be like the existing first row on page 18, except “RC” would be added to the
column for “Entity with Reporting Responsibility” and the only reporting threshold
would be “Results from actual or suspected intentional human action.” ii. SECOND
ROW: The Event would be “Damage or destruction of a Facility of a BA, TO, TOP, GO,
GOP, or LSE,” the Entity, the Reporting Responsibility would be “The RC that has the
BA, TOP, GO, GOP, or LSE experiencing the damage or destruction in its area,” and
the Threshold for Reporting would be “Affects an IROL (per FAC-010)” or “Results in
the need for actions to avoid an Adverse Reliability Consequence.”
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness
that the electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours, this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
MidAmerican Energy
No
Several modifications need to be made to Table 1 to enhance clarity and delete
unnecessary or duplicate items. The stated reliability objective of EOP-004 and the
drafting team is to reduce and prevent outages which could lead to cascading
through reporting. It is understood that the EOP-004 Attachment 1 is to cover similar
items to the DOE OE-417 form. Last, remember that FERC recently asked the
question of what standards did not provide system reliability benefits. Those reports
that cannot show a direct threat to a potential cascade need to be eliminated. Table
1 should always align with the cascade risk objectives and OE-417 where possible.
Therefore Table 1 should be modified as follows:
1. Completely divorce CIP-008 from EOP-004. Constant changes, the introduction of
new players such as DOE and DHS, and repeated congressional bills, make
coordination with CIP-008 nearly impossible. Cyber security and operational
performance under EOP-004 remain separate and different despite best efforts to
combine the two concepts.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
2. Modify R1.2 to state that ERO notification only is required for Table 1. This is
similar to the DOE OE-417 notification. Notification of other entities is a best
practice, not a mandatory NERC standard. If entities want to notify neighboring
entities, they may do so as a best practice guideline.
The SDT has updated R1 based on comments received to read as:
“R1. Each Responsible Entity shall have an event reporting Operating Plan that
includes communication protocol(s) for applicable events listed in, and within the
timeframes specified in EOP-004 Attachment 1 to the Electric Reliability
Organization and other organizations based on the event type (e.g. the Regional
Entity, company personnel, the Responsible Entity’s Reliability Coordinator, law
enforcement, governmental or provincial agencies).”
3. Better clarity for communicating each of the applicable events listed in the EOP-004 Attachment 1 in accordance with the timeframes specified are needed.
MidAmerican suggests a fourth column be added to the table to clearly identify who
must be notified within the specified time period or at a minimum, that R1.2 be
revised to clearly state that only the ERO must be notified to comply with the
standard.
The SDT disagrees but believes that per your Operating Plan contained in
Requirement R1, an entity could take Attachment 1 and insert another column to
assist whoever is designated to report an event within your company. The SDT
does not want to be too prescriptive within Attachment 1.
4. Consolidate OE-417 concepts on physical attack and cyber events by consolidating
OE-417 items 1, 2, 9 and 10 to: Verifiable, credible, and malicious physical damage
(excluding natural weather events) to a BES generator, line, transformer, or bus that
when reported requires an appropriate Reliability Coordinator or Balancing Authority
to issue an Energy Emergency Alert Level 2 or higher. The whole attempt to discuss a
NERC Facility and avoid adverse reliability impacts overreaches the fundamental
principle of reporting for an emergency that could result in a cascade.
The SDT disagrees since the OE-417 (and EAP) does not follow the ANSI process as
NERC does in the Standards Development Process.
5. The wording “affects an IROL (per FAC-014),” is too vague and not measurable.
Many facilities could affect an IROL, but fewer facilities if lost would cause an IROL.
Change “affects” to “results in”
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
6. Recommend that Adverse Reliability Impact be deleted and be replaced with actual
EEA 2 or EEA 3 level events.
The SDT has removed Adverse Reliability Impact based on industry feedback and
rewrote the event:
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per R1)
the situational awareness that the Facility was “damaged or destroyed”
intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
7. The phrase “results from actual or suspected intentional human action” is vague
and not measurable. This line item used the term “suspected” which relates to
“sabotage”. MidAmerican recommends that “Results from actual or suspected
intentional human action” be deleted. If not deleted the phrase should be replaced
with “Results from verifiable, credible, and malicious human action intended to
damage the BES.”
8. Delete “Any physical threat...” as vague, and difficult to measure in a “perfect” zero
defect audit environment, and as already covered by item 1 above. If not deleted, at
a minimum replace “Any physical threat”, with “physical attack” as being
measurable and consistent with DOE OE-417.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
9. With the use of “i.e.” the SDT is mandating that each other entity must be
contacted. The NSRF believes that the SDT meant that “e.g.” should be used to
provide examples. The SDT may wish to add another column to Attachment 1 to
provide clarity.
The SDT has made the required change concerning replacing “i.e.” with “e.g.”
10. The phrase “or partial loss of monitoring capability” is too vague and should be
deleted. In addition, the 30 minute window is too short for EMS and IT staff to
effectively be notified and troubleshoot systems before being subjected to a federal
law requiring reporting and potential violations. The time frame should be consistent
with the EOP-008 standard. If not deleted, replace with “Complete loss of SCADA
affecting a BES control center for ≥ 60 continuous minutes such that analysis tools
of State Estimator and/or Contingency Analysis are rendered inoperable.”
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
11. Transmission loss should be deleted. The number of transmission elements out
does not directly correlate to BES stability and cascading. For that reason alone, this
item should be deleted or it would have already been included in the past EOP-004
standard. In addition, large footprints can have multiple storms or weather events
resulting in normal system outages. This should not be a reportable event that deals
with potential cascading.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
12. Modify the threshold of “BES emergency requiring a public appeal...” to include,
“Public appeal for a load reduction event resulting from a RC or BA implementing its
emergency energy and capacity plans documented in EOP-001.” Public appeals for
conservation that aren't used to avoid capacity and energy emergencies should be
clearly excluded.
The SDT disagrees as your request makes the event very prescriptive. The
threshold is written to state: “Public appeal for load reduction event.” The SDT
understands that there may be several reports of a single event and as the SDT has
stated before, that this will give the ERO a better understanding of the depth and
breadth of system conditions based on the given event.
13. Add a time threshold to complete loss of off-site power to a nuclear plant.
Nuclear plants are to have backup diesel generation that last for a minimum amount
of time. A threshold recognizing this 4 hour or longer window needs to be added
such as complete loss of off-site power to a nuclear plant for more than 4 hours.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Complete loss of off-site power affecting a nuclear generating station per the
Nuclear Plant Interface Requirement.”
As stated in this event Threshold, the TOP’s NPIR may have additional guidance
concerning the complete loss of offsite power affecting a nuclear plant.
Also see the NSRF comments.
Please review the responses to that commenter.
Response: The SDT thanks you for your comment.
Illinois Municipal Electric
Agency
No
Illinois Municipal Electric Agency supports comments submitted by Florida Municipal
Power Agency.
Response: The SDT thanks you for your comment. Please review the responses to that commenter.
American Transmission
Company, LLC
No
ATC is proposing changes to the following Events in Attachment 1: (Reference Clean
Copy of the Standard)
1) Pg. 18/ Event: Any Physical threat that could impact the operability of a Facility.
ATC is proposing a language change to the Threshold- “Meets Registered Entities
criteria stated in its Event Reporting Operating Plan, in addition to excluding
weather.”
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
2) Pg. 19 / Event: Voltage deviation on a Facility. ATC believes that the term
“observes” for Entity with Reporting Responsibility be changed back to “experiences”
as originally written. The burden should rest with the initiating entity in consistency
with other Reporting Responsibilities. Also, for Threshold for Reporting, ATC believes
the language should be expanded to - plus or minus 10% “of target voltage” for
greater than or equal to 15 continuous minutes.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
3) Pg. 19/ Event: Transmission loss. ATC recommends that Threshold for Reporting
be changed to read “Unintentional loss of four, or more Transmission Facilities,
excluding successful automatic reclosing, within 30 seconds of the first loss
experienced and for 30 continuous minutes.” Technical justification or Discussion for
this recommended change: In the instance of a transformer-line-transformer,
scenario commonly found close-in to Generating stations, consisting of 3 defined
“facilities”, 1 lightning strike can cause automatic unintentional loss by design.
Increase the number of facilities to 4. In a normal shoulder season day, an entity may
experience the unintentional loss of a 138kv line from storm activity, at point A in the
morning, a loss of a 115kv line from a different storm 300 miles from point A in the
afternoon, and a loss of 161kv line in the evening 500 miles from point A due to a
failed component, if it is an entity of significant size. Propose some type of time
constraint. Add time constraint as proposed, 30 seconds, other than automatic
reclosing. In the event of dense lightning occurrence, the loss of multiple
transmission facilities may occur over several minutes to several hours with no
significant detrimental effect to the BES, as load will most certainly be affected (lost
due to breaker activity on the much more exposed Distribution system) as well. Any
additional loss after 30 seconds must take into account supplemental devices with
intentional relay time delays, such as shunt capacitors, reactors, or load tap changers
on transformers activating as designed, arresting system decay. In addition,
Generator response after this time has significant impact.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
4) Pg.20 /Event: Complete or partial loss of monitoring capability. ATC recommends
that the term “partial” be deleted from the event description. ATC recommends that
the term “partial” be deleted for the Entity with Reporting Responsibility and
changed to read: Each RC, BA, and TOP that experiences the complete loss of
monitoring capability.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
Alliant Energy
No
In the first Event for twenty four hour reporting, the last item in “Threshold for
Reporting” should be revised to “Results from actual or suspected intentional
malicious human action.” An employee may be performing maintenance and make a
mistake, which could impact the BES. In the second Event for twenty four hour
reporting the event should be revised to “Any physical attack that could impact the
operability of a Facility.” Alliant Energy believes this is clearer and easier to measure.
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness
that the electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours, this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
Consumers Energy
No
The term "Facility" seems to be much more broad and even more vague than the use
of BES equipment. We recommend reverting back to use of BES equipment.
Response: The SDT thanks you for your comment. The SDT disagrees since BES is used within the definition of Facility. NERC
defines Facility as: “A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a
shunt compensator, transformer, etc.).”
Ameren
No
We appreciate the efforts of the SDT and believe this latest Draft is greatly improved
over the previous version. However, we propose the following suggestions: (1) The
first Event category in Attachment 1 under 24 Hour Reporting is Applicable to GO and
GOP entities. Yet the first 2 of 3 Thresholds for Reporting require data that is
unobtainable for GO and GOP entities. Specifically, Events that “Affects an IROL (per
FAC-014)” and “Results in the need for actions to avoid an Adverse Reliability
Impact”. We believe these thresholds, and the use of the NERC Glossary term
Adverse Reliability Impact, clearly show the SDT’s intent to limit reporting only to
Events that have a major and significant reliability impact on the BES. GO or GOP
does not have access to the wide-area view of the transmission system, making it
impossible for them to make this determination. As a result, we do not believe GO and GOP
entities should have Reporting Responsibility for these types of Events.
(2) For GO and GOP entities, the third Threshold is confusing as to which facilities in
the plant it would be applicable to; because the definition of "Facility" does not
provide clear guidance in that respect. For example, would damage to an ID fan
qualify as a reportable event?
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
(3) The second Event category in Attachment 1 under 24 Hour Reporting, "Any
physical threat that could impact the operability of a Facility" is wide open to
interpretation and thus impracticable to comply with. For example, a simple car
accident that threatens any transmission circuit, whether it impacts the BES (as listed
in the Threshold for the previous event in the table or any other measure) or not, is
reportable. This list could become endless without the events having any substantial
impact on the system. To continue this point, the Footnote 1 can also include, among
many other examples, the following: (a) A wild fire near a generating plant, (b) Low
river levels that might shut down a generating plant, (c) A crane that has partially
collapsed near a generator switchyard, (d) Damage to a rail line into a coal plant,
and/or (e) low gas pressure that might limit or stop operation of a natural gas
generating plant.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
(4) The category, "Transmission Loss" is a concern also. If the meaning of
Transmission Facility is included in the meaning of Facility as described in the event
list, it may be acceptable; but we still have a question: how would a loss of a bus and
the multiple radial elements that may be connected to that bus be treated?
Also, how would a breaker failure affect this type of an event? The loss of a circuit is
“intentional” (as opposed to Unintentional as listed in the threshold) for the failure of
breaker, how will it be treated in counting three or more? We suggest a clarification
for such types of scenarios.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
(5) Requirement R1.: 1.1 includes an exception from compliance with this Standard if
there is a Cyber Security Incident according to CIP-008-3. However, note that CIP-008-3 may not apply to all GO and GOP facilities. While the exception is warranted to
eliminate duplicative event reporting plans, the language of this requirement is
confusing as it does not clearly provide that message.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have proposed remanding the one hour event back to CIP-008.
(6) The second paragraph in Section C.1.1.2. includes the phrases “...shall retain the
current, document...” and “...the “date change page” from each version...” Is the
“document” intended to be the Operating Plan? We do not see a defining reference
in the text around this phrase; also, is a “date change page” mandatory for
compliance with this Standard? We request additional clarification of wording in the
Evidence Retention section of the Standard.
(7) Page 19 / Event: Voltage deviation on a Facility: We believe that the term
“observes” for Entity with Reporting Responsibility be changed back to “experiences”
as originally written. The burden should rest with the initiating entity in consistency
with other Reporting Responsibilities. In addition, for Threshold for Reporting, we
believe the language should be expanded to - plus or minus 10% “of nominal voltage”
for greater than or equal to 15 continuous minutes.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
(8) Page 20 /Event: Complete or partial loss of monitoring capability. We suggest to
the SDT that the term “partial” be deleted from the event description.
(9) We suggest to the SDT that the term “partial” be deleted for the Entity with
Reporting Responsibility and changed to read: Each RC, BA, and TOP that experiences
the complete loss of monitoring capability.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
We Energies
No
Submitting reports to the ERO: NERC and all of the Regional Entities are the ERO. If I
send a report to any Regional Entity (and not NERC), I have sent it to the ERO.
The SDT would like to point out the FERC has approved NERC to be the ERO. And
the NERC has a delegation agreement with each Regional Entity. This
Requirement R1 requires you send a report to the ERO (and whoever else the entity
wishes to inform per Requirement R1 including the applicable regions if you are so
obligated or it’s your desire).
Damage or Destruction of a Facility: A DP may not have a Facility by the NERC
Glossary definition. All distribution is not a Facility. Did you mean to exclude all
distribution?
The SDT agrees that if a DP does not own or operate a Facility then this event would
not be applicable to them.
Any Physical threat that could impact the operability of a Facility: An RC does not
have Facilities by the NERC Glossary definition. An RC will not have to report this. BES
Emergency... Reporting Responsibility: If meeting the Reporting Threshold was due
to a directive from the RC, who is the Initiating entity?
The SDT agrees concerning the RC does not own a Facility and has removed all
language under “Entity with Reporting Responsibility,” with the exception of
entity(s) that are required to report an applicable event. The SDT removed this
language so the entities within this column are clearly stated and identified. Under
the “Threshold for Reporting” column, a bright line was updated based on currently
enforced Reliability Standards, FERC directives and industry comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Voltage deviation on a Facility Threshold for Reporting: 10% of what voltage?
Nominal, rated, scheduled, design, actual at an instant?
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
Response: The SDT thanks you for your comment.
NextEra Energy Inc
No
As stated in NextEra’s past comments, we continue to be concerned that EOP-004-2
does not appropriately address actual sabotage that threatens the Bulk Electric
System (BES) versus random acts that are isolated and pose no risk to the BES.
Therefore, NextEra repeats a portion of its past comments below in the hope that the
next revision of EOP-004-2 will more adequately address NextEra’s concerns.
Specifically, NextEra requests that its definition of sabotage set forth below replace
Attachment 1’s “Damage and Destruction of Equipment” and “Any physical threat
that could impact the operability of a Facility.” In Order No. 693, FERC stated its
interest in NERC revising CIP-001 to better define sabotage and requiring notification
to certain appropriate federal authorities, such as the Department of Homeland
Security. FERC Order No. 693 at PP 461, 462, 467, 468, 471. NextEra has provided an
approach that accomplishes FERC’s objectives and remains within the framework of
the drafting team, but also focuses the process of determining and reporting on only
those sabotage acts that could affect other BES systems. Today, there are too many
events that are being reported as sabotage to all parties in the Interconnection, when
in reality these acts have no material effect or potential impact to other BES systems
other than the one that experienced it. For example, while the drafting team notes
the issue of copper theft is a localized act, there are other localized acts of sabotage
that are committed by an individual, and these acts pose little, if any, impact or
threat to other BES systems. Reporting sabotage that does not need to be sent to
everyone does not add to the security or reliability of the BES. Relatedly, there is a
need to clarify some of the current industry confusion on who should (and has the
capabilities to) be reporting to a broader audience of entities. Hence, the NextEra
approach provides a clear definition of sabotage, as well as the process for
determining and reporting sabotage. New Definition for Sabotage. Attempted or
Actual Sabotage: an intentional act that attempts to or does destroy or damage BES
equipment for the purpose of disrupting the operations of BES equipment, or the
BES, and has a potential to materially threaten or impact the reliability of one or
more BES systems (i.e., one act of sabotage on BES equipment is only reportable if it
is determined to be part of a larger conspiracy to threaten the reliability of the
Interconnection or more than one BES system).
Response: The SDT thanks you for your comment. The SDT has stated in our “Consideration of Issues and Directives – March 15, 2012” that was posted with the last posting:
The SDT has not proposed a definition for inclusion in the NERC Glossary because it is impractical to define every event that
should be reported without listing them in the definition. Attachment 1 is the de facto definition of “event”. The SDT considered
the FERC directive to “further define sabotage” and decided to eliminate the term sabotage from the standard. The team felt that
without the intervention of law enforcement after the fact, it was almost impossible to determine if an act or event was that of
sabotage or merely vandalism. The term “sabotage” is no longer included in the standard and therefore it is inappropriate to
attempt to define it. The events listed in Attachment 1 provide guidance for reporting both actual events as well as events which
may have an impact on the Bulk Electric System. The SDT believes that this is an equally effective and efficient means of
addressing the FERC Directive.
The SDT has discussed this with FERC Staff and we agree that sabotage could be a state of mind; and, therefore, the real issue:
Was there an event or not?
ISO New England Inc
No
Response: The SDT thanks you for your participation.
Nebraska Public Power District
No
1. The following comments are in regard to Attachment 1: A. The row [Event] titled
“Damage or destruction of Facility”: 1. In column 3 [Threshold for Reporting], the
word “Affect” is vague; note the following concerns: i. Does “Affect” include a broken
crossarm damaged without the Facility relaying out of service? This could be
considered to have an “Affect” on the IROL. ii. Would the answer be different if the
line relayed out of service and auto-reclosed (short interruption) for the same
damaged crossarm? We need clarity from the SDT in order to know when a report is
due.
2. For clarification: Who initiates the report when the IROL interface spans between
multiple entities? We know of an IROL that has no less than four entities that operate
Facilities within the interface. Who initiates the report if the IROL is affected? All?
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours; this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
B. The row [Event] titled “Any physical threat that could impact the operability of a
Facility”: 1. In Column 1 [Event] change the word “threat” to “attack”; this aligns with
the OE-417 report. 2. In Column 3 [Threshold for Reporting], align the threshold with
the OE-417 form.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours; this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
C. The row [Event] titled “Transmission loss”, in column 3 [Threshold for Reporting],
the defined term “Transmission Facilities” is too vague. There needs to be more
description such that an entity clearly understands when an event is reportable and
for what equipment. We would recommend the definition used in the Event
Reporting Field Trial: An unexpected outage, contrary to design, of three or more BES
elements caused by a common disturbance. Excluding successful automatic
reclosing. For example: a. The loss of a combination of NERC-defined Facilities. b. The
loss of an entire generation station of three or more generators (aggregate
generation of 500 MW to 1,999 MW); combined cycle units are represented as one
unit.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
D. The row [Event] titled “Complete or partial loss of monitoring”: 1. In column 1
[Event], delete the words “or partial”. This is subjective without definition, delete. 2.
Also in column 1 [Event], delete the word “monitoring” and replace with Supervisory
Control and Data Acquisition (SCADA). SCADA is a defined term that explicitly calls out
in the definition “monitoring and control” and is understood by the industry as such.
3. In column 2 [Entity with Reporting Responsibility], delete the words “or partial”;
also delete the word “monitoring” and replace with SCADA. 4. In column 3 [Threshold
for Reporting], reword to state “Complete loss of SCADA affecting a BES control
center for >/= 30 continuous minutes”.
The SDT reviewed, discussed and updated Attachment 1 based on comments
received, FERC directives and what is required for combining CIP-001 and EOP-004
into EOP-004-2. This event is now written to state:
“Complete loss of monitoring capability affecting a BES control center for 30
continuous minutes or more such that analysis capability (State Estimator,
Contingency Analysis) is rendered inoperable.” This will only apply to an RC, BA, or
TOP who have this capability to start with.
Response: The SDT thanks you for your comment.
GTC
No
Page 17 & 18, One Hour Reporting and Twenty-four Hour Reporting: append the
introductory statements with the following: “meeting the threshold for reporting”
after recognition of the event. Example: Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties identified pursuant to Requirement R1, Part 1.2 within
twenty-four hours of recognition of the event meeting the threshold for reporting.
Page 19, system separation (islanding); Clarify the intent of this threshold for
reporting: Load >= 100 MW and any generation; or Load >= 100 MW and Generation
>= 100 MW, or some combination of load and generation totaling 100 MW.
Response: The SDT thanks you for your comment. The SDT has chosen not to add the requested language as we believe the intent is
understood that the time frames mean from “meeting the threshold for reporting.” The SDT has revised the language regarding
islanding and we believe it addresses your concern.
Indiana Municipal Power
Agency
No
The event "any physical threat that could impact the operability of a Facility" is not
measurable and can be interpreted many ways by entities or auditors. IMPA
recommend incorporating language that lets this be the judgment of the registered
entity only.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours; this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
On the "voltage deviation on a Facility", IMPA recommends that only the TOP that
experiences a voltage deviation be the one responsible for reporting.
The SDT has made this change per comments received from the industry.
For generation loss and transmission loss, IMPA believes that the amount of loss
needs to be associated with a time period or event (concurrent forced outages).
Response: The SDT thanks you for your comment.
Idaho Power Co.
No
I think that the category “Damage or destruction of a Facility” is too ambiguous, and
the Threshold for Reporting criteria does not help to clarify the question. Any loss of
a facility may result in the need for actions to get to the new operating point, would
this be a reportable disturbance?
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours; this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Response: The SDT thanks you for your comment.
MISO
No
American Public Power
Association
No
APPA in our comments on the previous draft of EOP-004-2 requested relief for small
entities from this reporting/documentation standard. APPA suggested setting a 300
MW threshold for some of the criteria in Attachment 1. This suggestion was not
accepted by the SDT. However, the SDT is still directed by FERC to “consider whether
separate, less burdensome requirements for smaller entities may be appropriate.”
Therefore, APPA requests that the SDT provide relief to small entities by providing
separate requirements for small entities by requiring reporting only when one of the
four criteria in DOE-OE-417 are met: 1. Actual physical attack, 2. Actual cyber attack,
3. Complete operational failure, or 4. Electrical System Separation. APPA
recommends this information should be reported to the small entity’s BA as allowed
in the DOE-OE-417 joint filing process.
Response: The SDT thanks you for your comment. The SDT has taken your concerns into consideration (as directed by FERC) and
believes that “small entities” will most likely not meet the thresholds for reporting since items are predicated on “Facilities” or
they don’t meet the Threshold for reporting.
Brazos Electric Power
Cooperative
No
Please see the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. Please review the response to those comments.
Puget Sound Energy, Inc.
No
The Note at the beginning of Attachment 1 references notifying parties per
Requirement R1; however, notification occurs in conjunction with Requirement
R2. The term “Adverse Reliability Impact” is used in the threshold section of the event
“Damage or destruction of a Facility”. At this time, there are two definitions for that
term in the NERC Glossary. The FERC-approved definition for this term is “The impact
of an event that results in frequency-related instability; unplanned tripping of load or
generation; or uncontrolled separation or cascading outages that affects a
widespread area of the Interconnection.” If the drafting team instead means to use
the definition that NERC approved on 8/4/2011 (as seems likely, since that definition
more closely aligns with the severity level indicated by the other two threshold
statements) then the definition should be included in the Implementation Plan as a
prerequisite approval.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
In addition, would the threshold of “Results from actual or suspected intentional
human action” include results from actual intentional human action which produced
an accidental result, meaning, someone was intentionally doing some authorized
action but unintentionally made a mistake, leading to damage of a facility? The event
“Any physical threat that could impact the operability of a Facility” will require
reporting for many events that have little or no significance to reliable operation of
the Bulk Electric System. For example, a balloon lodged in a 115 kV transmission line
is a “physical threat” that could definitely “impact the operability” of that Facility and,
yet, will probably have little reliability impact. So, too, could a car-pole accident that
causes a pole to lean, a leaning tree, or an unfortunately-located bird’s nest. The
drafting team should develop appropriate threshold language so that reporting is
required only for events that do threaten the reliability of the Bulk Electric System.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours; this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
With respect to the event “Unplanned control center evacuation”, the standard
drafting team should include the term “complete” in the description and/or threshold
statement to avoid having partial evacuations trigger the need to report.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unplanned evacuation from BES control center facility for 30 continuous minutes
or more.” The SDT does not believe the word “complete” needs to be added.
Response: The SDT thanks you for your comment.
Central Lincoln
No
1) We appreciate the changes made to reduce the short time reporting requirements.
The SDT has removed the one-hour reporting time frame, and all events are to be
reported within 24 hours of recognition of the event.
2) We would like to point out that the 24 hour reporting threshold for “Damage or
destruction of a Facility” resulting from intentional human action will still be non-proportional BES risk for certain events. The discovery of a gunshot 115 kV insulator
will start the 24 hour clock running, no matter how busy the discoverer is performing
restoration or other duties that are more important. The damage may have been
done a year earlier, but upon discovery the report suddenly becomes the priority
task. To hit the insulator, the shooter likely had to take aim and pull the trigger, so
intent is at least suspected if not actual. And the voltage level ensures the insulator is
part of a Facility.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours; this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per R1) the situational awareness that they suspect that their Facility was damaged
or destroyed by intentional human action. The SDT envisions that entities could
further define what a suspected intentional human action is within their Operating
Plan.
3) We also note that the theft of in service copper is not a physical threat, it is actual
damage. The reference to Footnote 1 should be relocated or copied to the cell above
the one it resides in now.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours; this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
4) We support the APPA comments regarding small entities.
The SDT has taken your concerns into consideration (as directed by FERC) and
believes that “small entities” will most likely not meet the thresholds for reporting
since items are predicated on “Facilities.”
Response: The SDT thanks you for your comment.
Los Angeles Department of
Water and Power
No
LADWP has the following comments: #1 - “Any physical threat that could impact the
operability of a Facility” is still vague and “operability” is too low a threshold. There
needs to be a potential impact to BES reliability.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
#2 - “Voltage Deviation on a Facility” I think the threshold definition needs to be
more specific: Is it 10% from nominal? 10% from normal min/max operating
tables/schedules? Another entity's 10% might be different than mine.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
#3 - “Transmission Loss” The threshold of three facilities is still too vague. A generator
and a transformer and a gen-tie are likely to have overlapping zones of protection
that could routinely take out all three. The prospect of penalties would likely cause
unneeded reporting.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
Response: The SDT thanks you for your comment.
Deseret Power
No
The threshold for reporting is way too low. A gun shot insulator is not an act of
terrorism... vandalism yes... and a car hit pole would be reportable on a 138 kV line.
These seem to be too aggressive in reporting.
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Physical threat to its Facility excluding weather related threat, which has the potential to degrade the normal operation of the
Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has the potential to degrade a Facility’s normal
operation or a suspicious device or activity is discovered at a Facility, it is required to be reported within 24 hours, this will give the
ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness that the Facility has a potential
of not being able to operate as it is designed. The SDT also states that copper theft is not a reportable event unless it degrades the
normal operation of a Facility.
Kansas City Power & Light
No
For the event, “Damage or destruction of a Facility”, the “Threshold for reporting”
includes “Results from actual or suspected intentional human action”. This is too
broad and could include events such as damage to equipment resulting from stealing
copper or wire which has no intentional motivation to disrupt the reliability of the
bulk electric system. Reports of this type to law enforcement and governmental
agencies will quickly appear as noise and begin to be treated as noise. This may
result in overlooking a report that deserves attention. Recommend the drafting team
consider making this threshold conditional on the judgment by the entity on the
human action intended to be a potential threat to the reliability of the bulk electric
system. For the event, “Any physical threat that could impact the operability of a
Facility”, the same comment as above applies. The footnote states to include copper
theft if the Facility operation is impacted. Again, it is recommended to make a report
of this nature conditional on the judgment of the entity on the intent to be a
potential threat to the reliability of the bulk electric system.
Response: The SDT thanks you for your comment. The SDT has updated Damage or destruction of a facility into 2 different
thresholds:
The SDT removed all language under “Entity with Reporting Responsibility,” with the exception of entity(s) that are required to
report an applicable event. The SDT removed this language so the entities within this column are clearly stated and identified.
Under the “Threshold for Reporting” column, a bright line was updated based on currently enforced Reliability Standards, FERC
directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness
that the electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours, this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
Dominion
Yes
Comments: While Dominion agrees that the revisions are a much appreciated
improvement, we are concerned that Attachment 1 does not explicitly contain the
‘entities which must be, at a minimum, notified.’
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified.
Attachment 2 appears to indicate that only the ERO and the Reliability Coordinator
for the Entity with Reporting Responsibility need be informed. However, the
background section indicates that the Entity with Reporting Responsibility is also
expected to contact local law enforcement. We therefore suggest that Attachment 2
be modified to include local law enforcement.
The SDT has adapted the language in Attachment 2 along the lines of your concern.
Page 26 redline; Attachment 1; Event - Damage or destruction of a Facility; Threshold
for Reporting - Results from actual or suspected intentional human action; Dominion
is concerned with the ambiguity that this could be interpreted as applying to
distribution. Page 27 redline; Attachment 1; Event - Any physical threat that could
impact the operability of a Facility; Dominion is concerned the word “could” is
hypothetical and therefore unverifiable and un-auditable.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
The SDT could provide a list of hypothetical “could impact” events, as well as a
specific definition and method for determining a specific physical impact threshold
for “could impact” events other than “any.”
The SDT cannot provide a list of hypothetical events, but will remind the entity that
the Operating Plan that is required per Requirement R1 could contain a basis to
report concerning your unique system equipment or configuration of your system.
Response: The SDT thanks you for your comment.
Seattle City Light
Yes
This is a great improvement over the prior CIP and EOP versions. However, please
see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Avista
Yes
In general the SDT has made significant improvements to Attachment 1. Avista does
have a suggestion to further improve Attachment 1. In Attachment 1 under the 24
hour Reporting Matrix, the second event states "Any physical threat that could
impact the operability of a Facility" and the Threshold for Reporting states "Threat to
a Facility excluding weather related threats". This is extremely open ended. We
suggest adding the following language to the Threshold for Reporting for Any Physical
Threat: Threat to a facility that: Could affect an IROL (per FAC-014) OR Could result in
the need for actions to avoid an Adverse Reliability Impact. This new language would
be consistent with the reporting threshold for a Damage event.
Response: The SDT thanks you for your comment. The SDT has updated Damage or destruction of a facility into 2 different
thresholds:
The SDT removed all language under “Entity with Reporting Responsibility,” with the exception of entity(s) that are required to
report an applicable event. The SDT removed this language so the entities within this column are clearly stated and identified.
Under the “Threshold for Reporting” column, a bright line was updated based on currently enforced Reliability Standards, FERC
directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness
that the electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours, this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
PNGC Comment Group
Yes
We agree with reservations. Our comments are below and we are seeking
clarification of the Applicability section of the standard. We are voting "no" but if
slight changes are made to the applicability section we will change our votes to "yes".
NERC and FERC have expressed a willingness to address the compliance burden on
smaller entities that pose minimal risk to the Bulk Electric System. The PNGC
Comment Group understands the SDT’s intent to categorize reportable events and
achieve an Adequate Level of Reliability while also understanding the costs
associated. Given the changes made by the SDT to Attachment 1, we believe you
have gone a long way in alleviating the potential for needless reporting from small
entities that does not support reliability.
The SDT has taken your concerns into consideration (as directed by FERC) and
believes that “small entities” will most likely not meet the thresholds for reporting
since items are predicated on “Facilities.”
One remaining concern we have is potential reporting requirements in the Event
types; “Damage or destruction of a Facility” and “Any physical threat that could
impact the operability of a Facility”. These two event types have the following
threshold language; “Results from actual or suspected intentional human action” and
“Threat to a Facility excluding weather related threats” respectively. We believe
these two thresholds could lead to very small entities filing reports for events that
really are not a threat to the BES or Reliability.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Note: For vandalism, sabotage or suspected terrorism, even the smallest entities will
file a police report and at that point local law enforcement will follow their terrorism
reporting procedures if necessary, as you’ve rightly indicated in your “Law
Enforcement Reporting” section. We believe extraneous reporting could be
alleviated with a small tweak to the Applicability section for 4.1.9 to exclude the
smallest Distribution Providers. As stated before, even if these very small entities are
excluded from filing reports under EOP-004-2, threats to Facilities that they may have
will still be reported to local law enforcement while not cluttering up the NERC/DOE
reporting process for real threats to the BES. Our suggested change: 4.1.9.
Distribution Provider: with peak load >= 200 MWs. The PNGC Comment Group
arrived at the 200 MWs threshold after reviewing Attachment 1, Event “Loss of firm
load for >= 15 Minutes”. We agree with the SDT’s intent to exclude these small firm
load losses from reporting through EOP-004-2. Another approach we could support is
that taken by the Project 2008-06 SDT with respect to Distribution Provider
Facilities: 4.2.2 Distribution Provider: One or more of the Systems or programs
designed, installed, and operated for the protection or restoration of the BES:
The SDT has discussed this very issue and would like to point out that the Threshold
for Reporting limits are the same as in the enforceable Reliability Standard, EOP-004-1. The SDT believes that small entities (200mw or less) would not be applicable
to this event. The SDT has attempted to place these types of limits to reduce small
entities from having these applicable reporting requirements.
o A UFLS or UVLS System that is part of a Load shedding program required by a NERC
or Regional Reliability Standard and that performs automatic Load shedding under a
common control system, without human operator initiation, of 300 MW or more
o A Special Protection System or Remedial Action Scheme where the Special
Protection System or Remedial Action Scheme is required by a NERC or Regional
Reliability Standard
o A Protection System that applies to Transmission where the
Protection System is required by a NERC or Regional Reliability Standard
o Each Cranking Path and group of Elements meeting the initial switching requirements from
a Blackstart Resource up to and including the first interconnection point of the
starting station service of the next generation unit(s) to be started.
We’re not advocating this exact language but rather the approach that narrows the focus to
what is truly impactful to reliability while minimizing costs and needless compliance
burden. One last issue we have is with the language in Attachment 1, Event “BES
Emergency resulting in automatic firm load shedding.” Under “Entity with Reporting
Responsibility”, you state that the DP or TOP that “implements” automatic load
shedding of >= 100 MWs must report (Also please review the CIP threshold of 300
MWs as this may be a more appropriate threshold). We believe rather than
specifying a DP or TOP report, it would be appropriate for the UFLS Program Owner
to file the report per EOP-004-2. In our situation we have DPs that own UFLS relays
that are part of the TOP’s program and this could lead to confusing reporting
requirements. Also we don’t believe that an entity can “Implement” “Automatic”
load shedding but this is purely a semantic issue.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Response: The SDT thanks you for your comment.
United Illuminating Company
Yes
The phrasing of the event labeled as Event Damage or Destruction of a Facility may
be improved in the Threshold for Reporting Column. Suggest the introduction
sentence for this event should be phrased as Where the Damage or Destruction of a
Facility: etc. The rationale for the change is that as written it is unclear if the list that
follows is meant to modify the word Facilities or the overall introductory sentence.
The confusion being caused by the word That. What is important to be reported is if
a Facility is damaged and then an IROL is affected it should be reported, not that if a
Facility is comprising an IROL Facility is damaged but there is no impact on the IROL.
The SDT has updated Damage or destruction of a facility into 2 different thresholds:
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing
Authority Area or Transmission Operator Area that results in the need for actions to
avoid a BES Emergency.
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT also developed another to read:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours, this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Second, the top of each table is the phrase Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties identified pursuant to Requirement R1, Part 1.2 within one
hour of recognition of the event. This creates the requirement that the actual form is
required to be transmitted to parties other than NERC/DOE. The suggested revision
is Submit EOP-004 Attachment 2 or DOE-OE-417 report to NERC and/or DOE, and
complete notification to other organizations identified pursuant to Requirement R1
Part 1.2 within one hour etc.
The SDT has revised Attachment 2 heading to read “Use this form to report events.
The Electric Reliability Organization will accept the DOE OE-417 form in lieu of this
form if the entity is required to submit an OE-417 report. Submit reports to the
ERO via one of the following: e-mail: systemawareness@nerc.net voice: 404-446-9780.” Based on industry comments.
Response: The SDT thanks you for your comment.
Ingleside Cogeneration LP
Yes
Ingleside Cogeneration LP agrees with the removal of nearly all one hour reporting
requirements. In our view there must be a valid contribution expected of the
recipients of any reporting that takes place this early in the process. Any nonessential communications will impede the progress of the front-line personnel
attempting to resolve the issue at hand - which has to be the priority. Secondly,
there is a risk that early reporting may include some speculation of the cause, which
may be found to be incorrect as more information becomes available. Recipients
must temper their reactions to account for this uncertainty. In fact, Ingleside
Cogeneration LP recommends that the single remaining one-hour reporting scenario
be eliminated. It essentially defers the reporting of a cyber security incident to CIP-008 anyways, and may even lead to a multiple violation of both Standards if
exceeded.
Response: The SDT thanks you for your comment. The SDT agrees and has removed the one-hour reporting requirement based on
comments received.
Springfield Utility Board
Yes
o Spell out Requirement 1, rather than “parties per R1” in NOTE.
o On page 44, “Examples of such events include” should say, “include, but are not limited to”.
o SUB appreciates clarification regarding events, particularly the discussion regarding
“sabotage”, and recommends listing and defining “Event” in Definitions and Terms
Used in NERC Standards.
The SDT stated in its “Consideration of Issues and Directives – March 15, 2012,”
which was posted with the last posting:
The SDT has not proposed a definition for inclusion in the NERC Glossary because it
is impractical to define every event that should be reported without listing them in
the definition. Attachment 1 is the de facto definition of “event.” The SDT
considered the FERC directive to “further define sabotage” and decided to
eliminate the term sabotage from the standard. The team felt that without the
intervention of law enforcement after the fact, it was almost impossible to
determine if an act or event was that of sabotage or merely vandalism. The term
“sabotage” is no longer included in the standard and therefore it is inappropriate to
attempt to define it. The events listed in Attachment 1 provide guidance for
reporting both actual events as well as events which may have an impact on the
Bulk Electric System. The SDT believes that this is an equally effective and efficient
means of addressing the FERC Directive.
The SDT has discussed this with FERC Staff and we agree that sabotage could be a
state of mind and therefore the real issue was there an event or not.
o The Guideline and Technical Basis provides clarity, and SUB agrees with the removal
of “NERC Guideline: Threat and Incident Reporting”.
o In the flow chart on page 9 there are parallel paths going from “Refer to Ops Plan
for Reporting” to the ‘Report Event to ERO, Reliability Coordinator’ via both the Yes
and No response. It seems like the yes/no decision should follow after “Refer to Ops
Plan” for communication to law enforcement.
The SDT has offered the flowchart as an example of how an entity could handle the
notification to law enforcement agencies. There is no requirement to follow the
flowchart. Entities are free to develop their own procedures based upon their
needs to report.
Response: The SDT thanks you for your comment.
PPL Electric Utilities
Yes
PPL EU thanks the SDT for the changes made in this latest proposal. We feel our prior
comments were addressed. Regarding the event 'Transmission Loss': For your
consideration, please consider adding a footnote to the event ‘Transmission Loss’
such that weather events do not need to be reported. Also please consider including
'operation contrary to design' in the threshold language. E.g. consistent with the
NERC Event Analysis table, the threshold would be, ‘Unintentional loss, contrary to
design, of three or more BES Transmission Facilities.’
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a common disturbance (excluding successful
automatic reclosing).”
Tacoma Power
Yes
Tacoma Power supports the revisions. It appears that all agencies and entities are
willing to support the use of the DOE Form OE-417 as the initial notification form
(although EOP-004 does include their own reporting form as an attachment to the
Standard). Tacoma is already using the OE-417 and distributing it to all applicable
Entities and Agencies.
Response: The SDT thanks you for your comment.
Seattle City Light
Yes
This is a great improvement over the prior CIP and EOP versions. However, please
see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
MEAG Power
Yes
This is a great improvement over the prior CIP and EOP versions. However, please
see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Public Utility District No. 1 of
Snohomish County
This is an excellent improvement over the prior CIP and EOP versions. However,
please see #4 for overall comment.
Response: The SDT thanks you for your comment. Please review the response to Question 4.
Imperial Irrigation District (IID)
Yes
Colorado Springs Utilities
Yes
Arizona Public Service
Company
Yes
Utility Services
Yes
Dynegy Inc.
Yes
Manitoba Hydro
Yes
City of Austin dba Austin
Energy
Yes
Entergy
Yes
Pepco Holdings Inc
Yes
Independent Electricity
System Operator
Yes
Cowlitz County PUD
Yes
Edison Mission Marketing &
Trading, Inc.
Yes
Exelon Corporation and its
affiliates
Yes
ERCOT
Yes
Oncor Electric Delivery
Yes
3. The SDT has proposed a new Section 812 to be incorporated into the NERC Rules of Procedure. Do you agree with the proposed
addition? If not, please explain in the comment area below.
Summary Consideration: The DSR SDT proposed a revision to the NERC Rules of Procedure (Section 812). The SDT has learned that
NERC has started a new effort to forward event reports to applicable government authorities. As such, Section 812 is no longer
needed and will be removed from this project.
Organization
Yes or No
Question 3 Comment
Northeast Power Coordinating
Council
No
The proposed new section does not contain specifics of the proposed system nor the
interfacing outside of the system to support the report collecting.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event
reports to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
SPP Standards Review Group
No
We have two concerns about the proposed change to the RoP. One, we have
concerns that our information and data will be circulated to an as yet undetermined
audience which appears to be solely under NERC’s control. Secondly, there isn’t
sufficient detail in the clearinghouse concept to support comments at this time.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event
reports to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
ISO/RTO Standards Review
Committee
No
The SRC offers comments regarding the posted draft requirements; however, by so
doing, the SRC does not indicate support of the proposed requirements. Following
these comments, please see the latter part of the SRC’s response to Question 4 below
for an SRC proposed alternative approach: The SRC is unable to comment on the
proposed new section as the section does not contain any description of the
proposed process or the interface requirements to support the report collecting
system. We reserve judgment on this proposal and our right to comment on the
proposal when the proposed addition is posted.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event
reports to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
ACES Power Marketing
Standards Collaborators
No
(1) It is not clear to us what is driving the need for the Rules of Procedure
proposal. NERC is already collecting event and disturbance reports without
memorializing the change in the Rules of Procedure. (2) The language potentially
conflicts with other subsections in Section 800. For instance, the proposal says that
the system will apply to collect report forms “for this section”. This section would
refer to Section 800. Section 800 covers NERC alerts and GADS. Electronic GADS
(eGADS) already has been established to collect GADS data? Will this section cause
NERC to have to incorporate eGADS into this report collection system? Incorporating
NERC Alerts is also problematic because when reports are required as a result of a
NERC alert, the report must be submitted through the NERC Alert system. (3) The
statement that “a system to collect report forms as established for this section or
standard” causes additional confusion regarding to which standards it applies. Does
it only apply to this new EOP-004-2 or to all standards? If it applies to all standards,
does this create a potential issue for CIP-008-3 R1.3 which requires reporting to the
ES-ISAC and not this clearinghouse?
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Seattle City Light
No
Seattle City Light follows MEAG and believes this type of activity and process is better
suited to NAESBE than it is to NERC Compliance.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Hydro One
No
The proposed new section does not contain specifics of the proposed system nor the
interfacing outside of the system to support the report collecting.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
CenterPoint Energy
No
CenterPoint Energy does not agree with the SDT’s proposed section 812. The
proposal for NERC to establish a system that will “...forward the report to the
appropriate NERC departments, applicable regional entities, other designated
registered entities, and to appropriate governmental, law enforcement, regulatory
agencies as necessary. This can include state, federal, and provincial organizations.” is
redundant with the draft Standard. Responsible entities are already required to
report applicable events to NERC, applicable regional entities, registered entities, and
appropriate governmental, law enforcement, and regulatory agencies. CenterPoint
Energy believes if the SDT’s intent is to require NERC to distribute these system event
reports, then EOP-004-2 should be revised to require responsible entities to only
report the event to NERC. As far as distribution to appropriate NERC departments,
CenterPoint Energy believes that is an internal NERC matter and does not need to be
included in the Rules of Procedure.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Arkansas Electric Cooperative
Corporation
No
AECC supports the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
National Rural Electric
Cooperative Association
(NRECA)
No
NRECA is concerned with the drafting team's proposal to add a new Section 812 to
the NERC ROP. NRECA does not see the need for the drafting team to make such a
proposal as it relates to the new EOP-004 that the drafting team is working on. The
requirements in the draft standard clearly require what is necessary for this Event
Reporting standard. NRECA requests that the drafting team withdraw its proposed
ROP Section 812 from consideration. The proposed language is unclear to the point
of not being able to understand who is being required to do what. Further, the
language is styled in more of a proposal, and not in the style of what would
appropriately be included in the NERC ROP. Finally, the SDT has not adequately
supported the need for such a modification to the NERC ROP. Without that support,
NRECA is not able to agree with the need for this addition to the ROP. Again, NRECA
requests that the drafting team withdraw its proposed ROP Section 812 from
consideration.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Occidental Power Services,
Inc.
No
This section should reference the confidentiality requirements in the ROP and should
have a statement about the system for collection and dissemination of disturbance
reports being “subject to the confidentiality requirements of the NERC ROP.”
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Pepco Holdings Inc
No
This could create confusion. This new ROP section states that “... the system shall then
forward the report to the appropriate NERC departments, applicable regional
entities, other designated registered entities, and to appropriate governmental, law
enforcement, regulatory agencies as necessary.” Standard Section R1.2 states “A
process for communicating each of the applicable events listed in EOP-004
Attachment 1 in accordance with the timeframes specified in EOP-004 Attachment 1
to the Electric Reliability Organization and other organizations needed for the event
type; i.e. the Regional Entity; company personnel; the Responsible Entity’s Reliability
Coordinator; law enforcement, governmental or provincial agencies.” If NERC is going
to be the “clearinghouse” forwarding reports to the RE and DOE, does that mean that
the reporting entity only needs to make a single submission to NERC for distribution?
If the reporting entity is required to make all notifications, per R1.2, what is the
purpose of NERC’s duplication of sending out reports? It would be very helpful to the
reporting entities if R1.2 was revised to state that NERC would forward the event
form to the RE and DOE and the reporting entity would only be responsible for
providing notice verbally to its associated BA, TOP, RC, etc. as appropriate and for
notifying appropriate law enforcement as required.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Independent Electricity
System Operator
No
We are unable to comment on the proposed new section as the section does not
contain any description of the proposed process or the interface requirements to
support the report collecting system. We reserve judgment on this proposal and our
right to comment on the proposal when the proposed addition is posted.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
MidAmerican Energy
No
See the NSRF comments. The NERC Rules of Procedure Section 807 already
addresses the dissemination of Disturbance data, as does Appendix 8 Phase 1 with
the activation of NERC’s crisis communication plan, and the ESISAC Concept of
Operations. The addition of proposed Section 812 is not necessary. The Reliability
Coordinator, through the use of the RCIS, would disseminate reliability notifications if
it is in turn notified per R1.2. (As stated in the Clean copy of EOP-004-2)
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Public Utility District No. 1 of
Snohomish County
No
This type of activity and process is better suited to NAESBE than it is to NERC
Compliance.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Illinois Municipal Electric
Agency
No
Illinois Municipal Electric Agency supports comments submitted by ATC.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
American Transmission
Company, LLC
No
ATC believes that the NERC Rules of Procedure Section 807 already addresses the
dissemination of Disturbance data, as does Appendix 8 Phase 1 with the activation of
NERC’s crisis communication plan, and the ESISAC Concept of Operations. The
addition of proposed Section 812 is not necessary. The Reliability Coordinator,
through the use of the RCIS, would disseminate reliability notifications if it is in turn
notified per R1.2. (As stated in the Clean copy of EOP-004-2)
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Ameren
No
If the SDT keeps new Section 812 we suggest to the SDT a wording change for the
second sentence, underlined: “Upon receipt of the submitted report, the system shall
then forward the report to the appropriate NERC department for review. After
review, the report will be forwarded to the applicable regional entities, other
designated registered entities, and to appropriate governmental, law enforcement,
regulatory agencies as necessary.”
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
We Energies
No
Section 812 refers to the section as a standard and as a Procedure. That is not
correct. Section 812 reads to me as if NERC (the system) will be forwarding everything
specified anywhere in RoP 800.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Exelon Corporation and its
affiliates
No
While we don’t have any immediate objection to revising the Rules of Procedures
(ROP) to allow for report collecting under Section 800 relative to the EOP-004
standard, the proposed language is unclear and confusing. Please consider the
following revision: "812. NERC Reporting Clearinghouse NERC will establish a system
to collect reporting forms as required for Section 800 or per FERC approved standards
from any Registered Entities. NERC shall distribute the reports to the appropriate
governmental, law enforcement, regulatory agencies as required per Section 800 or
the applicable standard." Further, NERC should post ROP revisions along with a
discussion justifying the revision for industry comment specific to the ROP. There
may be significant implications to this revision beyond the efforts relative to EOP-004.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Tacoma Power
No
Tacoma Power disagrees with the requirement to perform annual testing of each
communication plan. We do not see any added value in performing annual testing of
each communication plan. There are already other Standard requirements to
perform routine testing of communications equipment and emergency
communications with other agencies. The “proof of compliance” to the Standard
should be in the documentation of the reports filed for any qualifying event, within
the specified timelines and logs or phone records that it was communicated per each
specified communication plan.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Seattle City Light
No
Seattle City Light follows MEAG and believes this type of activity and process is better
suited to NAESBE than it is to NERC Compliance.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
MEAG Power
No
This type of activity and process is better suited to NAESBE than it is to NERC
Compliance.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
ERCOT
No
ERCOT has joined the IRC comments on this project.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Idaho Power Co.
No
No opinion
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
MISO
No
MISO agrees with and adopts the Comments of the IRC on this issue.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Brazos Electric Power
Cooperative
No
Please see the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Kansas City Power & Light
No
Rules stipulating the extent of how reported information will be treated by NERC is
an important consideration, however, the proposed section 812 proposes to provide
reports to other governmental agencies and regulatory bodies beyond that of NERC
and FERC. NERC should be treating the event information reported to NERC as
confidential and should not take it upon itself to distribute such information beyond
the boundaries of the national interest at NERC and FERC.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Dominion
Yes
While Dominion supports this addition, we suggest adding to the sentence “NERC will
establish a system to collect report forms as established for this section or reliability
standard.....”
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
MRO NSRF
Yes
ATC believes that the NERC Rules of Procedure Section 807 already addresses the
dissemination of Disturbance data, as does Appendix 8 Phase 1 with the activation of
NERC’s crisis communication plan, and the ESISAC Concept of Operations. The
addition of proposed Section 812 is not necessary. The Reliability Coordinator,
through the use of the RCIS, would disseminate reliability notifications if it is in turn
notified per R1.2. (As stated in the Clean copy of EOP-004-2)
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Ingleside Cogeneration LP
Yes
Ingleside Cogeneration is encouraged by NERC’s willingness to act as central data
gathering point for event information. However, we see this only as a starting point.
There are still multiple internal and external reporting demands that are similar to
those captured in EOP-004-2 - examples include the DOE, RAPA (misoperations),
EAWG (events analysis), and ES-ISAC (cyber security). Although we appreciate the
difference in reporting needs expressed by each of these organizations, there are
very powerful reporting applications available which capture a basic set of data and
publish them in multiple desirable formats. We ask that NERC spearhead this
initiative - as it is a natural part of the ERO function.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
American Electric Power
Yes
While we have no objections at this point, we would like specific details on what our
obligations would be as a result of these changes. For example, would the
clearinghouse tool provide verifications that the report(s) had been received as well
as forwarded? In addition, if DOE OE-417 is the form being submitted, would the
NERC Reporting Clearinghouse forward that report to the DOE?
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Springfield Utility Board
Yes
o SUB supports the new Section 812 being incorporated into the NERC ROP. This
addition provides clarity for what is required by whom and takes away any possible
ambiguity.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
FirstEnergy Corp
Yes
FE agrees but asks that the defined term “registered entities” in the second sentence
be capitalized.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
GTC
Yes
With the exception of the RC and company personnel, it appears this proposed
section captures the same reporting obligations and to the same entities via R1.2.
Recommend adjustments to R1.2 such that reportable events are submitted to NERC,
RC, and company personnel.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Central Lincoln
Yes
Thank you for minimizing the number of necessary reports.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Xcel Energy
We believe such a tool would be useful, however we are indifferent as to if it is
required to be established by the Rules of Procedure.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
ISO New England Inc
We are unable to comment on the proposed new section as the section does not contain
any description of the proposed process or the interface requirements to support the
report collecting system. We reserve judgment on this proposal and our right to
comment on the proposal when the proposed addition is posted.
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
Indiana Municipal Power
Agency
no comment
Los Angeles Department of
Water and Power
LADWP does not have a comment on this question at this time
Response: The SDT thanks you for your comment. The SDT has learned that NERC has started a new effort to forward event reports
to applicable government authorities. As such, Section 812 is no longer needed and will be removed from this project.
DECo
Yes
Duke Energy
Yes
Luminant
Yes
Bonneville Power
Administration
Yes
Imperial Irrigation District (IID)
Yes
Florida Municipal Power
Agency
Yes
LG&E and KU Services
Yes
PPL Corporation NERC
Registered Affiliates
Yes
PNGC Comment Group
Yes
Colorado Springs Utilities
Yes
Arizona Public Service
Company
Yes
Southern Company Services
Yes
Utility Services
Yes
Georgia System Operations
Corporation
Yes
Manitoba Hydro
Yes
Clark Public Utilities
Yes
New York Power Authority
Yes
Consolidated Edison Co. of NY,
Inc.
Yes
Orange and Rockland Utilities,
Inc.
Yes
Farmington Electric Utility
System
Yes
Public Service Enterprise
Group
Yes
PPL Electric Utilities
Yes
Cowlitz County PUD
Yes
Edison Mission Marketing &
Trading, Inc.
Yes
American Public Power
Association
Yes
Oncor Electric Delivery
Yes
Deseret Power
Yes
4. Do you have any other comment, not expressed in the questions above, for the SDT?
Summary Consideration: The DSR SDT received several suggestions for improvement to the standard. The DSR SDT has removed
reporting of Cyber Security Incidents from EOP-004 and has asked the team developing CIP-008-5 to retain this reporting. Most of
the language contained in the “Background” Section was moved to the “Guidelines and Technical Basis” Section. Minor language
changes were made to the measures and the data retention section. Attachment 2 was revised to list events in the same order in
which they appear in Attachment 1.
Organization
Yes or No
Question 4 Comment
Texas Reliability Entity
(1) The ERO and Regional Entities should not be included in the Applicability of this
standard. The only justification given for including them was they are required to
comply with CIP-008. CIP-008 contains its own reporting requirements, and no
additional reliability benefit is provided by including ERO and Regional Entities in
EOP-004. Furthermore, stated NERC policy is to avoid writing requirements that
apply to the ERO and Regional Entities, and we do not believe there is any sufficient
reason to deviate from that policy in this standard.
The SDT is revising the standard to not contain reporting for Cyber Security
Incidents. Under the revisions, CIP-008-3 and successive versions will retain the
reporting requirements. The Applicability section has been revised to address this
situation.
(2) Under Compliance, in section 1.1, all the words in “Compliance Enforcement
Authority” should be capitalized.
The SDT agrees and has adopted this suggestion.
(3) Under Evidence Retention, it is not sufficient to retain only the “date change
page” from prior versions of the Plan. It is not unduly burdensome for the entity to
retain all prior versions of its “event reporting Operating Plan” since the last audit,
and it should be required to do so. (What purpose is supposed to be served by
retaining only the “date change pages”?)
The SDT has revised the standard to require the retention of previous versions, not
just the date change page.
(4) The title of part F, “Interpretations,” is incorrect on page 23. Should perhaps be
“Associated Documents.”
The SDT has revised Part F and it now contains the Guidelines and Technical Basis.
Response: The SDT thanks you for your comment.
ACES Power Marketing
Standards Collaborators
(1) IC, TSP, TO, GO, and DP should be all removed from the applicability of the
standard. Previous versions of the standard did not apply to them and we see no
reason to expand applicability to them. IC and TSP are not even mentioned in any of
the “Entity with Reporting Responsibility” sections. For the sections that do not
mention specific entities, IC and TSP would have no responsibility for any of the
events. The TO and GO are not operating entities so the reporting should not apply
to them. DP was not included in any previous versions of CIP-001 or EOP-004. Any
information (such as load) that was necessary regarding DPs was always gathered by
the BA or TOP and included in their reports. There is no indication that this process
was not working and, therefore, it should not be changed. Furthermore, including
the DP potentially expands the standard outside of the Bulk Electric System which is
contrary to recent statements that NERC Legal has made at the April 11 and 12, 2012
SC meeting. Their comments indicated the standards are written for the Bulk Electric
System. What information does a DP have to report except load loss which can easily
be reported by the BA or TOP?
The SDT disagrees with some of your suggestions. As the standard is to report
events associated with physical assets, it is incumbent for the asset owners to file
the reports associated with any events. Thus DP, TO, and GO were added to the
Applicability of this standard. Their perspectives on events can be useful in
evaluating situational awareness and providing NERC with information on lessons
learned. Further, this standard limits reporting to BES Elements except where
noted. This is consistent with NERC and SC Standard Process design. Where this
standard had included other functional registrations associated with the inclusion
of CIP-008, those registrations have been removed from the standard.
(2) Measure M2 needs to clarify an attestation is an acceptable form of evidence if
there are no events.
Registered Entities must determine how to best demonstrate they have met the
performance obligation of a requirement. The use of an attestation statement is
already permitted and recognized with the NERC Compliance Program if that is the
best means of demonstrating your performance under the requirement. Auditors
will then assess whether or not an attestation meets the requirement in one's
audit. Attestations cannot be specifically permitted for use.
(3) The rationale box for R3 and R4 should be modified. It in essence states that
updating the event reporting Operating Plan and testing it will assure that the BES
remains secure. While these requirements might contribute to reliability, these two
requirements collectively will not assure BES security and stability.
The SDT has revised the rationale box language based upon the changes it has
made to the requirements. It should be noted that upon acceptance of the
standard, the language in the rationale boxes is removed from the standard.
(4) We disagree with the VSLs for Requirement R2. While the VSLs associated with
late reporting for a 24-hour reporting requirement include four VSLs, the one-hour
reporting requirement only includes three VSLs. There seems to be no justification
for this inconsistency. Four VSLs should be written for the one-hour reporting
requirement.
As the standard has been revised to remove the one-hour reporting provision, your
suggestion is moot.
(5) Reporting of reportable Cyber Security Incidents does not appear to be fully
coordinated with version 5 of the CIP standards. For instance, EOP-004-2 R1, Part 1.2
requires a process for reporting events to external entities and CIP-008-5 Part 1.5
requires identifying external groups to which to communicate Reportable Cyber
Security Incidents. Thus, it appears the Cyber Security Incident response plan in CIP-008-5 R1 and the event reporting Operating Plan in EOP-004-2 R1 will compel
duplication of external reporting at least in the document of the Operating Plan and
Reportable Cyber Security Incident response plan. This needs to be resolved.
While the SDT had worked this through with the other standard team to resolve
this concern, it is now irrelevant, as reporting of Cyber Security Incidents is no
longer part of EOP-004-2.
(6) In the effective date section of the implementation plan, the statement that the
prior version of the standard remains in effect until the new version is accepted by all
applicable regulatory authorities is not correct. In areas where regulatory approval is
required, it will only remain in effect in the areas where the regulator has not
approved it.
The SDT finds that the two statements are making the same point: that the new
standard does not become enforceable until all regulatory authorities have
approved it.
(7) On page 6 in the background section, the statement attributing RCIS reporting to
the TOP standards is not accurate. There is no requirement in the TOP standards to
report events across RCIS. In fact, the only mention of RCIS in the standards occurs in
EOP-002-3 and COM-001-1.1.
The SDT agrees and adopts your suggestion.
(8) On page 6 in the background section, the first sentence of the third paragraph is
not completely aligned with the purpose statement of the standard. The statement
in the background section indicates that the reliability objective “is to prevent
outages which could lead to Cascading by effectively reporting events”. However,
the purpose states that the goal is to improve reliability. We think it would make
more sense for the reliability objective to match the purpose statement more closely.
The SDT has revised the Background section to match the standard’s purpose
statement.
(9) On page 7 in the first paragraph, “industry facility” should be changed to
“Facility”.
The SDT agrees and adopts your suggestion.
Response: The SDT thanks you for your comment.
Seattle City Light
1) Seattle City Light follows MEAG and questions if these administrative activities
better should be sent over to NAESB? R1: There is merit in having a plan as identified
in R1, but is this a need to support reliability or is it a business practice? Should it be
in NAESB’s domain? R2, R3 & R4: These are not appropriate for a Standard. If you
don’t annually review the plan, will reliability be reduced and the BES be subject to
instability, separation and cascading? If DOE needs a form filled out, fill it out and
send it to DOE. NERC doesn’t need to pile on. Mike Moon and Jim Merlo have been
stressing results and risk based, actual performance based, event analysis, lessons
learned and situational awareness. EOP-004 is primarily a business preparedness
topic and identifies administrative procedures that belong in the NAESB domain.
The SDT believes this standard is needed to provide Situational Awareness and can
help in providing lessons learned to the industry. The SDT has revised the
requirements to address this need. While it may be appropriate to have NAESB
adopt this obligation at some point in the future, the SDT was charged with addressing
deficiencies at this time. The SDT has removed all references to filing reports to
DOE from the earlier versions. Today’s only reference provides for NERC’s
acceptance of the use of their form when it is appropriate.
2) Seattle City Light finds that even though efforts were made to differentiate
between sabotage vs. criminal damage, the difference still appears to be confusing.
Sabotage clearly requires FBI notification, but criminal damage (i.e. copper theft,
trespassing, equipment theft) is best handled by local law agencies. A key point on
how to determine the difference is to always go with the evidence. If you have a hole
in the fence and cut grounding wires, this would only require local law enforcement
notification. If there is a deliberate attack on a utility’s BES infrastructure for intent
of sabotage and/or terrorism--this is an FBI notification event. One area where a
potential for confusion arises is with the term “intentional human action” in defining
damage. Shooting insulators on a rural transmission tower is not generally sabotage,
but removing bolts from the tower may well be. Seattle understands the difficulty in
differentiating these two cases, for example, and supports the proposed Standard,
but would encourage additional clarification in this one area.
The SDT appreciates the concern you raise. The SDT decided early that trying to set
a definition for sabotage across the continent would be impossible as there are
many differing viewpoints; particularly within the law enforcement agencies. There
was consensus that even if we were able to set a definition, it may be consistent or
recognized by other agencies. Therefore, the SDT decided to set event types that
warranted reporting. Entities best know who they have to report to and under
what considerations those reports need to be submitted. This is the basis for this
standard. The SDT wanted to provide entities with the result that was necessary
but not prescribe how to do it. This concept has been embraced throughout this
project. We believe that entities can create a single or multiple contact lists that
have the right people being notified when an event type occurs. The SDT has
revised the language on “intentional human action” in Attachment 1 in an attempt
to provide you the clarification you requested.
Response: Thank you for your comment.
Essential Power, LLC
1. As this Standard does not deal with real-time reporting or analysis, and is simply
considered an after the fact reporting process, I question the need for the Standard
at all. This is a process that could be handled through a change to the Rules of
Procedure rather than through a Standard. Developing this process as a Reliability
Standard is, in my opinion, contrary to the shift toward Reliability-Based Standards
Development. 2. I do not believe that establishing a reporting requirement improves
the reliability of the BES, as stated in the purpose statement. The reporting
requirement, however, would improve situational awareness. I recommend the
purpose statement be changed to reflect this, and included with the process in the
NERC Rules of Procedure.
Response: The SDT thanks you for your comment. The SDT believes this standard is needed to provide Situational Awareness and
can help in providing lessons learned to the industry. The SDT has revised the requirements to address this need. The vast
majority of commenters support the Purpose statement as written.
Georgia System Operations
Corporation
a) Reporting most of these items ...
o Does not "provide for reliable operation of the BES"
o Does not include "requirements for the operation of existing BES facilities"
o Is not necessary to "provide for reliable operation of the BES"
... and is therefore not in accordance with the statutory and regulatory definitions of a Reliability Standard.
They should not be in a Reliability Standard. Most of this is an administrative activity
to provide information for NERC to perform some mandated analysis.
The SDT believes this standard is needed to provide Situational Awareness and can
help in providing lessons learned to the industry. The SDT has revised the
requirements to address this need.
b) A reportable Cyber Security Incident: Delete this item from the table. It is covered
in another standard and does not need to be duplicated in another standard.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
c) Damage or destruction of a Facility: Entities MAY only need to slightly modify their
existing CIP-001 Sabotage Reporting procedures from a compliance perspective of
HAVING an Operating Plan but not from a perspective of complying with the Plan. A
change from an entity reporting "sabotage" on "its" facilities (especially when the
common understanding of CIP-001 is to report sabotage on facilities as "one might
consider facilities in everyday discussions") to reporting "damage on its Facilities" (as
defined in the Glossary) is a significant change. An operator does not know off the
top of his head the definition of Facility or Element. He will not know for any
particular electrical device whether or not reporting is required. Although the term is
useful for legal and regulatory needs, it is problematic for practical operational needs.
This creates the need for a big change in guidance, training, and tools for an operator
to know which pieces of equipment this applies to. There is the need to translate
from NERC-ese to Operator-ese. Much more time is needed to implement. The third
threshold ("Results from actual or suspected intentional human action") perpetuates
the problem of knowing the human's intention. Also, what if the action was intended
but the result was not intended? The third threshold is ambiguous and subject to
interpretation. The original intent of this project was to get away from the problem of
the term sabotage due to its ambiguity and subjectivity. This latest change reverses
all of the work so far toward that original goal. Instead of the drafted language,
change this item to reporting "Damage or destruction of a Facility and any involved
human action" and use only the first two threshold criteria.
The SDT stated in our “Consideration of Issues and Directives – March 15, 2012”
that was posted with the last posting:
The SDT has not proposed a definition for inclusion in the NERC Glossary because it
is impractical to define every event that should be reported without listing them in
the definition. Attachment 1 is the de facto definition of “event.” The SDT
considered the FERC directive to “further define sabotage” and decided to
eliminate the term sabotage from the standard. The team felt that without the
intervention of law enforcement after the fact, it was almost impossible to
determine if an act or event was that of sabotage or merely vandalism. The term
“sabotage” is no longer included in the standard and therefore it is inappropriate to
attempt to define it. The events listed in Attachment 1 provide guidance for
reporting both actual events as well as events which may have an impact on the
Bulk Electric System. The SDT believes that this is an equally effective and efficient
means of addressing the FERC Directive.
The SDT has discussed this with FERC Staff and we agree that sabotage could be a
state of mind and therefore the real issue was whether there was an event or not.
The SDT also uses the NERC defined term of “Facility: A set of electrical equipment
that operates as a single Bulk Electric System Element (e.g., a line, a generator, a
shunt compensator, transformer, etc.).”
d) Any physical threat that could impact the operability of a Facility: See comment
above about the term "Facility" and the need for a much longer implementation
time.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours; this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
e) Transmission loss: This item is very unclear. What is meant by "loss?" Above, it says
to report damage or destruction of a Facility. This says to report the loss of 3
Facilities. Is the intent here to report when there are 3 or more Facilities that are
unintentionally and concurrently out of service for longer than a certain threshold of
time? The intent should not be to include equipment failure? Three is very arbitrary.
An entity with a very large footprint with a very large number of electrical devices is
highly likely to have 3 out of service at one time. An entity with very few electrical
devices is less likely to have 3. Delete the word Transmission. It is somewhat
redundant. A Facility is a BES Element. I believe all BES Elements are Transmission
Facilities. A Facility operates as a single "electrical device." What if more than 3
downstream electrical devices are all concurrently out of service due to the failure of
one upstream device? Would that meet the criteria? A situation meeting the criteria
will be difficult to detect. Need better operator tools, specific procedures for this,
training, and more implementation time.
The SDT removed all language under “Entity with Reporting Responsibility,” with the
exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
f) The implementation plan says current version stays in effect until accepted by ALL
regulatory authorities but it also says that the new version takes effect 12 months
after the BOT or the APPLICABLE authorities accept it. It is possible that ONE
regulatory authority will not accept it for 13 months and both versions will be in
effect. It is also possible for ALL regulatory authorities to accept it at the same time,
the current version to no longer be in effect, but the new version will not be in effect
for 12 months.
The SDT intends for this standard to not become enforceable until all regulatory
authorities have approved it. The SDT will work with NERC and others to ensure a
timely enforcement period without overlap.
Response: Thank you for your comment.
We Energies
Applicability: Change Electric Reliability Organization to NERC or delete Regional
Entity. The ERO is NERC and all the Regional Entities. R1.2: The ERO is NERC and all
the REs. If I report to any one of the REs (only and not to NERC), I have reported to
the ERO. Change ERO to NERC. M1 refers to R1.1 and R1.2 as Parts. It would be
clearer to refer to them as requirements or sub-requirements.
The SDT is limited to listing functional registrations in the Applicability section. The
applicable entities are the ERO and Regional Entity, not NERC. The SDT notes that
the Applicability section has nothing to do with the reporting obligations. The
Applicability section denotes who has obligations within the standard to report.
The Applicability section has been revised in accordance with comments received
on who needs to report on event types.
M2: Add a comma after "that the event was reported" and "supplemented by
operator logs". It will be easier to read.
The SDT has revised the requirement and associated language.
R3: This should be clarified to state that no reporting will be done for the annual test,
not just exclude the ERO.
The SDT has revised the requirement.
M4: An annual review will not be time stamped.
The SDT has removed the time-stamp provision.
Response: The SDT thanks you for your comment.
City of Austin dba Austin
Energy
Austin Energy makes the following comments:
(1) Comment on the Background section titled “A Reporting Process Solution - EOP-004”: This section includes the sentence, “Essentially, reporting an event to law
enforcement agencies will only require the industry to notify the state OR
PROVINCIAL OR LOCAL level law enforcement agency.” (emphasis added) The
corresponding flowchart includes a step, “Notification Protocol to State Agency Law
Enforcement.” Austin Energy requests that the SDT update the flowchart to match
the language of the associated paragraph and include “state or provincial or local”
agencies.
The SDT wishes to point out that the flowchart is an example only – it was not
meant to show every permutation. The entity can choose to use the flowchart or
develop one for their own use.
(2) Comments on VSLs: Austin Energy recommends that the SDT amend the VSLs for
R2 to include the "recognition of" events throughout. That is, update the R2 VSLs to
state “... X hours after "recognizing" an event ...” in all locations where the phrase
occurs.
The DSR SDT believes the current language is sufficient as Table 1 clearly states that
the reporting ‘clock’ starts after recognition of the event.
(3) Austin Energy has a concern with the inclusion of the word "damage" to the
phrase "damage or destruction of a Facility." We agree that any "destruction" of a
facility that meets any of the three criteria be a reportable event. However, if the
Standard is going to include "damage," some objective definition for "damage" (that
sets a floor) ought to be included. Much like the copper theft issue, we do not see the
benefit of reporting to NERC vandalism that does not rise to a certain threshold (e.g.
someone who takes a pot shot at an insulator) unless the damage has some tangible
impact on the reliability of the BES or is an act of an orchestrated sabotage (e.g.
removal of a bolt in a transmission structure).
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours; this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
(4) Austin Energy voted to approve the revised Standard because it is an
improvement over the existing Standard. In light of FERC's comments in Paragraph 81
of the Order approving the Find, Fix, Track and Report initiative, however, Austin
Energy would propose that this Standard is the type of Standard that does not truly
enhance reliability of the BES and is, instead, an administrative activity. As such, we
recommend that NERC consider whether EOP-004-2 ought to be retired.
The SDT appreciates the suggestion; however, we note that a standard cannot be
retired prior to its effective and enforcement dates. Further, the SDT has been
charged with addressing deficiencies that are present in current standards which
the industry has determined to be needed through approval of the SAR. If the P81
process should ultimately decide to retire this standard, then the process will have
made that decision. The SDT cannot presume that the P81 effort will become
effective.
Response: The SDT thanks you for your comment.
Bonneville Power
Administration
BPA believes that the VSL should allow for amending the form after a NERC specified
time period without penalty and suggests that a window of 48 hours be given to
amend the form to make adjustments without needing to file a self report. Should
the standard be revised to allow a time period for amending the form without having
to file a self report, BPA would change its negative position to affirmative.
Response: The SDT thanks you for your comment. The SDT would like to point out that a window is not needed as the standard
requires a report at a 24-hour time frame which provides information on what is known at the time. The standard does not
require any follow up or update report. If the entity wishes to file a follow up report, it can do so on its own. A self report should
only be needed if the 24-hour report was not filed.
CenterPoint Energy
CenterPoint Energy proposes that the purpose be enhanced to reflect risk and
response. For example, the purpose could read “To sustain and improve reliability of
the Bulk Electric System by identifying common risks reported by Responsible Entities
as a source of lessons learned.” In the Background section under Law Enforcement
Reporting, “the” should be added in front of “Bulk Electric System”. Also under the
Background section - “Present expectations of the industry under CIP-001-1a”,
CenterPoint Energy is not aware of any current annual requirements for CIP-001 and
suggests that this section be revised to reflect that fact. CenterPoint Energy strongly
believes that the Violation Severity Levels (VSL) should not be high or severe unless
an Adverse Reliability Impact occurred. CenterPoint Energy is requesting that
Requirement R2 be deleted and the phrase, "as a result of not implementing the
plan/insufficient or untimely report, an Adverse Reliability Impact occurred” be
added to the Requirement R1 VSL. Regarding the VSL for Requirement R4, the
Violation Risk Factor should be "Lower" and read “the entity did not perform the
annual test of the operating plan” as annual is to be defined by the entity or
according to the CAN-0010.
Response: The SDT thanks you for your comment. The vast majority of commenters support the Purpose statement as written.
The missing ‘the’ has been added to the background section under ‘Law Enforcement Reporting.’ ‘Annual’ has been changed to
‘These’. VSLs refer to how closely the entity met the requirements of the standard; it is the VRF that measures impact to
reliability. The DSR SDT believes use of the high and severe VSLs is appropriate. R4 has been deleted along with its VRF/VSLs.
Cowlitz County PUD
Cowlitz is pleased with changes made to account for the difficulties small entities
have in regard to reporting time frames. Although Cowlitz is confident that the
current draft is manageable for small entities, we propose that the resulting reports
this Standard will generate will contain many insignificant events from the event
types “Damage or destruction of a Facility,” and “Any physical threat that could
impact the operability of a Facility.” In particular, examples would be limited target
practice on insulators, car-pole accidents, and accidental contact from tree trimming
or construction activities.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in the need for
actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that
results in need for actions to avoid a BES Emergency (as defined by NERC: Any
abnormal system condition that requires automatic or immediate manual action to
prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System).
This relates to either a completely destroyed Facility where an action is required to
avoid a BES Emergency, or a Facility that is damaged to a point that actions are
required to avoid a BES Emergency. By reporting either a “damaged or destroyed”
Facility, within 24 hours, it will give the ERO (and whoever else the entity wishes to
inform per Requirement R1) the situational awareness that the electrical system
has been reconfigured or may need to be reconfigured, thus supporting reliable
operations of each interconnection.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Damage or destruction of its Facility that results from actual or suspected
intentional human action.”
This language gives the required guidance that if there is actual intentional human
action that damages or destroys a Facility, it is required to be reported within 24
hours; this will give the ERO (and whoever else the entity wishes to inform per
Requirement R1) the situational awareness that the Facility was “damaged or
destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting
Responsibility” and removing the RC since they do not own Facility(s).
The SDT also included a second part of this event being “suspected intentional
human action.” This language was required to give an entity the reporting
responsibility to report to the ERO (and whoever else the entity wishes to inform
per Requirement R1) the situational awareness that they suspect that their Facility
was damaged or destroyed by intentional human action. The SDT envisions that
entities could further define what a suspected intentional human action is within
their Operating Plan.
Cowlitz suggests that at least a >= 100 MW (200 MW would be better) and/or >= N-2
impact threshold be established for these event types. Also, Cowlitz suggests the
statement “results from actual or suspected intentional human action” be changed to
“results from actual or suspected intentional human action to damage or destroy a
Facility.” A human action may be intentional which can result in damage to a facility,
but the intent may have been of good standing, and not directed at the Facility. For
example, the intent may have been to legally harvest a tree, or move equipment
under a line. Cowlitz believes the above proposed changes would benefit the ERO,
both in reduction of nuisance reports and possible violations over minimal to no
impact BES events.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours; this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Response: The SDT thanks you for your comment.
Colorado Springs Utilities
CSU is concerned with the word ‘damage’. We support any ‘destruction’ of a facility
that meets any of the three criteria be a reportable issue, but ‘damage’, if it’s going to
be included should have some objective definition that sets a baseline.
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,”
with the exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities
within this column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based
on currently enforced Reliability Standards, FERC directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational awareness
that the electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT removed all language under “Entity with Reporting Responsibility,” with the exception of entity(s) that are required to
report an applicable event. The SDT removed this language so the entities within this column are clearly stated and identified.
Under the “Threshold for Reporting” column, a bright line was updated based on currently enforced Reliability Standards, FERC
directives and industry comments to state:
“Damage or destruction of its Facility that results from actual or suspected intentional human action.”
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours; this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
Dominion
Dominion believes that the reporting of “Any physical threat that could impact the
operability of a Facility” may overwhelm the Reliability Coordinator staff with little
to no value since the event may have already passed. This specific event uses the
phrase “operability of a Facility” yet “operability” is not defined and is therefore
ambiguous. We do support the reporting to law enforcement and the ERO but do not
generally support reporting events that have passed to the Reliability Coordinator.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours; this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Attachment 2; section 4 Event Identification and Description: The type of events
listed should match the events as they are exactly written in Attachment 1. As it is
currently written, it leaves room for ambiguity.
The SDT agrees and has adopted your suggestion.
M3 - Dominion objects to having to provide additional supplemental evidence (i.e.
operator logs), and the SDT may want to include a requirement for NERC to
provide a confirmation that the report has been received.
The SDT believes that you are referring to M2. We have added “which may be”
prior to “supplemented by operator logs,” indicating that this is optional. The SDT
has opted not to develop a requirement for the ERO to provide receipt
confirmation of a report.
Response: The SDT thanks you for your comment.
Entergy
Entergy does not agree with the Time Horizon for R2. The rationale for R2 contains
phrases related to situational awareness and keeping people/agencies aware of the
“current situation.” However, this standard is related to after the fact event
reporting, not real-time reporting via RCIS, as discussed on page 6 of the red-lined
standard. Therefore the time horizon for R2 should indicate that this is an after the
fact requirement expected to be performed either in 1 hour or 24 hours after an
event occurs, not in the operations assessment time frame. This change should also
be made on page 15 of the redline in the Table of compliance elements for R2. Page
18 of the redline document contains a VSL for R2 which states that it will be
considered a violation if the Responsible Entity submitted a report in the appropriate
timeframe but failed to provide all of the required information. It has long been the
practice to submit an initial report and provide additional information as it becomes
available. On page 24 of the redlined document, this is included in the following
“...and provide as much information as is available at the time of the notification to
the ERO...” But the compliance elements table now imposes that if the entity fails to
provide ALL required information at the time the initial report is required, the entity
will be non compliant with the standard. This imposes an unreasonable burden to
the Reliability Entity. This language should be removed. The compliance element
table for R3 and R4 make it a high or severe violation to be late on either the annual
test or the annual review of the Operating plan for communication. While Entergy
supports that periodically verifying the information in the plan and having a test of
the operating plan have value, it does not necessarily impose additional risk to the
BES to have a plan that exceeds its testing or review period by two to three months.
This is an administrative requirement and the failure to test or review should be a
lower or moderate VSL, which would be consistent with the actual risk imposed by a
late test or review. On page 24 of the redlined draft, there is a statement that says “In
such cases, the affected Responsible Entity shall notify parties per Requirement R1
and provide as much information as is available at the time of the notification...”
Since R1 is the requirement to have a plan, and R2 is the requirement to implement
the plan for applicable events, it seems that the reference in this section should be to
Requirement R2, not Requirement R1.
Response: The SDT thanks you for your comment. There is no longer a requirement for this ‘two-step’ reporting. The initial report
is the only report an entity must make. The note at the top of Attachment 1 is to give entities the flexibility to make a quick
‘something big just happened, but I don’t know the extent’ phone call, but realistically the reporting time frame is 24 hours which
should give ample time to make one written report using OE-417 or Attachment 2. You will also notice that the amount of
information you must provide is minimal – the idea is that this is a trigger for NERC or the Event Analysis process and they will
contact you if further details are required.
VSLs refer to how closely the entity met the requirements of the standard; it is the VRF that measures impact to reliability. The
DSR SDT believes use of the high and severe VSLs is appropriate. Also, R4 has been deleted along with its VRF/VSLs.
ERCOT
ERCOT has joined the IRC comments on this project and offers these additional
comments. ERCOT supports the alternative approach submitted by the IRC. ERCOT
requests that time horizons be added for each of the requirements as have been with
other recent Reliability Standards projects. With regards to Attachment 1, ERCOT
requests the following changes:
o Modify “Generation loss” from “≥ 1,000 MW for entities in the ERCOT or
Quebec Interconnection” to “≥ 1,100 MW for entities in the ERCOT
Interconnection” and “≥ 1,000 MW for entities in the Quebec Interconnection”.
This is consistent with the DCS threshold and eliminates possible operator confusion
since DCS events are reported in the ERCOT interconnection at 80% of single largest
contingency which equates to 1100 MW.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
The NERC SPM does allow TRE to apply for a variance if they have special concerns
that GOPs should submit a report to the ERO.
o Modify “Transmission loss” from “Unintentional loss of three or more Transmission
Facilities (excluding successful automatic reclosing)” to “Inconsequential loss of three
or more Transmission Facilities not part of a single rated transmission path (excluding
successful automatic reclosing).” If a single line is comprised of 3 or more sections,
this should not be part of what is reported here as it is intended to be when you have
a single event trip of 3 or more transmission facilities that is not part of its intended
design.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Unexpected loss, contrary to design, of three or more BES Elements caused by a
common disturbance (excluding successful automatic reclosing).”
The NERC SPM does allow TRE to apply for a variance if they have special concerns
that GOPs should submit a report to the ERO.
o ERCOT requests review of footnote 1. The footnote does not seem appropriate in
including an example of a control center as the definition of a BES facility does not
include control centers.
The SDT removed all footnotes within Attachment based on comments received.
Response: The SDT thanks you for your comment.
FirstEnergy Corp
FE supports the standard and has the following additional comments and
suggestions: 1. Guideline/Technical Basis Section - FE requests the SDT add specific
guidance for each requirement. Much of the information in this section is either
included, or should be included in the Background section of the standard. One
example of guidance that would help is for Requirement R3 on how an entity could
perform the annual test. The comment form for this posting has the following
paragraph on pg. 2 which could be used as guidance for R3: “the annual test will
include verification that communication information contained in the Operating Plan
is correct. As an example, the annual update of the Operating Plan could include
calling “others as defined in the Responsible Entity’s Operating Plan” (see Part 1.2)
to verify that their contact information is up to date. If any discrepancies are noted,
the Operating Plan would be updated. Note that there is no requirement to test the
reporting of events to the Electric Reliability Organization and the Responsible
Entity’s Reliability Coordinator.” 2. With regard to the statement in the comment form
(pg 2 paragraph 7) “Note that there is no requirement to test the reporting of events
to the Electric Reliability Organization and the Responsible Entity’s Reliability
Coordinator.”, requirement R3 only includes the ERO as an entity and should also
include the Reliability Coordinator.
3. The measure M3 says that an entity can use an actual event as a test to meet R3.
Does this mean just 1 actual event will meet R3, or is the intent that all possible
events per 1.2 are tested? Would like some clarity on this measure.
Response: The SDT thanks you for your comment. The requirements have been revised and these revisions along with the
‘Rationale’ boxes should provide the clarity you seek.
Indiana Municipal Power
Agency
For 1.2 under R1, is the SDT leaving it up to the registered entities to decide which
organizations will be contacted for each event listed in attachment 1 or do all of
those organization need to be contacted for each event listed in attachment 1? The
requirement needs to clearly communicate this clarification and be independent of
the rationale language. Auditors will go by the requirement and not the rationale for
the requirement. For 1.1 under R1, does each event need its own process of
recognition or can one process be used to cover all the applicable events? The
requirement needs to clearly communicate this clarification and be independent of
the rationale language. Auditors will go by the requirement and not the rationale for
the requirement. For 1.2 under R1, company personnel is used as an example but in
the rationale for R1, the third line uses operating personnel. IMPA recommends
changing the example in 1.2 to operating personnel which is used in the current
version of CIP-001.
Response: The SDT thanks you for your comment. The SDT does not believe that it has the ability (or desire) to programmatically
prescribe whether entities have a single or multiple contact lists. Entities themselves know best who and under what conditions
do reports need to be provided. Further, the industry in past comment periods, clearly indicated that they did not wish to have
the SDT provide the “how.”
GTC
For R2, please clarify how an entity can demonstrate that no reportable events were
experienced. GTC recommends an allowance for a letter of attestation within M2.
Response: Thank you for your comment. Registered Entities must determine how to best demonstrate they have met the
performance obligation of a requirement. The use of an attestation statement is already permitted and recognized with the NERC
Compliance Program if that is the best means of demonstrating your performance under the requirement. Auditors will then
assess whether or not an attestation meets the requirement in one's audit. Attestations cannot be specifically permitted for use.
Orange and Rockland Utilities,
Inc.
Form EOP-004, Attachment 2: Event Reporting Form: Delete the Task words “or
partial.” Delete the Task words “physical threat that could impact the operability of
a Facility.” Make any changes to the VSL’s necessary to align them with the reviewed
wording provided above.
Consolidated Edison Co. of NY,
Inc.
Form EOP-004, Attachment 2: Event Reporting Form: Delete the Task words “or
partial.” Delete the Task words “physical threat that could impact the operability of a
Facility.” Make any changes to the VSL’s necessary to align them with the reviewed
wording provided above.
Response: The SDT thanks you for your comment. The SDT has updated Attachment 2 to reflect the events listed in Attachment 1.
NextEra Energy Inc
Given that Responsible Entities are already required by other Reliability Standards to
communicate threats to reliability to their Reliability Coordinator (RC), NextEra does
not believe that EOP-004-2 is a Reliability Standard that promotes the reliability of
the bulk power system, as envisioned by Section 215 of the Federal Power Act.
Because an RC reporting requirement is already covered in other Standards, EOP-004-2 essentially is a reporting out requirement to the Regional Reliability Organization
(RRO). NextEra does not agree that the reporting of events to the RROs should be
subject to fines under the Reliability Standard regulatory framework. The reporting
to RROs, as required by EOP-004-2, while informative and helpful for lessons learned,
etc., is not necessary to address an immediate threat to reliability. In addition,
NextEra does not believe it would be constructive to fine Responsible Entities for
failure to report to a RRO within a mandated deadline during times when these
entities are attempting to address potential sabotage on their system. NextEra
would, therefore, prefer that the EOP-004-2 Standards Drafting Team be disbanded,
and instead that EOP-004-2’s reporting requirements be folded in to the event
analysis reporting requirements. Therefore, NextEra requests that the new Section
812 be revised to include EOP-004-2 as a data request for lessons learned or for
informational purposes only, and, also, for EOP-004-2 project to be disbanded.
Response: The SDT thanks you for your comment. While the SDT appreciates your viewpoint, the SDT has been charged with
addressing deficiencies identified in current standards. The SDT believes that the standard will provide NERC with the situational
awareness it needs as well as providing the industry valuable information through lessons learned.
Illinois Municipal Electric
Agency
Illinois Municipal Electric Agency supports comments submitted by Florida Municipal
Power Agency.
Response: The SDT thanks you for your comment. Please review the response to that commenter.
Florida Municipal Power
Agency
In R1, bullet, it is a bit ambiguous whether the list of organizations to be
communicated with is an exhaustive list (i.e.) or a list of examples (e.g.). The list is
preceded by an “i.e.” which indicates the former, but includes an “or” which indicates
the latter. We are interpreting this as meaning the list is exhaustive as separated by
semi-colons, but that the last phrase separated by commas is a list of examples. Is
this the correct interpretation?
The SDT has made the required change concerning replacing “i.e.” with “e.g.”
The Rules of Procedure language for data retention (first paragraph of the Evidence
Retention section) should not be included in the standard, but instead referred to
within the standard (e.g., “Refer to Rules of Procedure, Appendix 4C: Compliance
Monitoring and Enforcement Program, Section 3.1.4.2 for more retention
requirements”) so that changes to the RoP do not necessitate changes to the
standard.
The language that you mention is part of the standard boilerplate and is included in
all standards. The SDT has chosen to keep the language as is at this time.
Response: The SDT thanks you for your comment.
Ingleside Cogeneration LP
Ingleside Cogeneration LP strongly believes that LSEs that do not own BES assets
should be excluded from the Applicability section of this standard.
Response: The SDT thanks you for your comment. The LSE obligation in this standard was tied to applicability in CIP-008 for cyber
incident reporting. Reporting under CIP-008 is no longer part of EOP-004-2 so this applicability has been removed.
Los Angeles Department of
Water and Power
LADWP does not have any other comments at this time
Response: The SDT thanks you for your participation.
Manitoba Hydro
Manitoba Hydro is voting negative on EOP-004-2 for the reasons identified in our
response to Question 1. In addition, Manitoba Hydro has the following
comments: (Background section) - The section has inconsistent references to EOP-004
(e.g. EOP-004 and EOP-004-2 are used). Wording should be made consistent.
(Background section) - The section references entities, and responsible entities.
Suggest wording is made consistent and changed to Responsible Entities. (General
comment) - References in the standard to ‘Part 1.2’ should be changed to R1.2 as it is
unclear if Part 1.2 refers to, for example, R1.2 or part 1.2 ‘Evidence Retention’.
(M4) - Please clarify what is meant by ‘date change page’.
Response: The SDT thanks you for your comment. The SDT appreciates the points you raise and we continually review the
document to make sure the language is consistent and unambiguous.
Southern Company Services
Move the Background Section (pages 4-9) to the Guideline and Technical Basis
section. They are not needed in the main body of the standard.
The SDT agrees and adopts your suggestion.
Each “Entity with Reporting Responsibility” in the one-hour reporting table (p. 17)
should be explicitly listed in the table, not pointed to another variable location. The
criterion for “Threshold for Reporting” in the one-hour reporting table (p. 17) should
be explicitly listed in the table, not pointed to another variable location.
Please specify the voltage base against which the +/- 10% voltage deviation on a
Facility is to be measured in the twenty-four hour reporting table (p. 19).
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
Response: The SDT thanks you for your comment.
Oncor Electric Delivery
Oncor takes the position that the proposed objectives as prescribed in Project 2009-01 - Disturbance and Sabotage Reporting, is a “good” step forward. Currently, NERC
reporting obligations related to disturbances occurs over multiple standards including
CIP-001, EOP-004-1, TOP-007-0, CIP-008-3 and Event Analysis (EA). Oncor is especially
pleased that the Event Analysis Working Group (EAWG) is actively working to find
ways of streamlining the disturbance reporting process especially to agencies outside
of NERC such as FERC, and state agencies. Oncor is in agreement that an addition to
the NERC Rules of Procedure in section 800 to develop a Reporting Clearinghouse for
disturbance events by the establishment of a system to collect report and then
forward completed forms to various requesting agencies, is also a very positive step.
Response: The SDT thanks you for your comment. The SDT would like to point out that the EAP is a voluntary program where the
entity analyzes an issue or system condition. EOP-004-2 is a Reporting Standard where an entity informs the ERO (and whoever
else per Requirement R1) of a current event. This will give others the situational awareness that their system may be degraded.
Please refer to the Southwest Outage Report for more situational awareness issues that failed.
Occidental Power Services,
Inc.
OPSI continues to believe that LSEs that do not own BES assets should be excluded
from the Applicability section of this standard.
It is disingenuous of both the SDT and FERC to promote an argument to support this
inclusion such as that stated in Section 459 of Order 693 (and referred to by the SDT
in their Consideration of Comments in the last posting). The fact is that no reportable
disturbance can be caused by an “attack” on an LSE that does not own BES assets.
The SDT has yet to point out such an event.
Response: The SDT thanks you for your comment. The LSE obligation in this standard was tied to applicability in CIP-008 for cyber
incident reporting. Reporting under CIP-008 is no longer part of EOP-004-2 so this applicability has been removed. The SDT notes
that LSEs will still be subject to reporting under CIP-008 until such time they are removed from that standard.
New York Power Authority
Please see comments submitted by NPCC Regional Standards Committee (RSC).
Response: The SDT thanks you for your comment. Please review the response to that commenter.
MRO NSRF
R1 states: “Each Responsible Entity shall have an event reporting Operating Plan that
includes:” The definition of Operating Plan is: “A document that identifies a group of
activities that may be used to achieve some goal. An Operating Plan may contain
Operating Procedures and Operating Processes. A company-specific system
restoration plan that includes an Operating Procedure for black-starting units,
Operating Processes for communicating restoration progress with other entities, etc.,
is an example of an Operating Plan.” This appears to us to be too prescriptive and
could be interpreted to require a series of documents for reporting issues to NERC.
We suggest the following wording: R1. Each Responsible Entity shall have document
methodology(ies) or process(es) for: 1.1. Recognizing each of the applicable events
listed in EOP-004 Attachment 1. 1.2. Reporting each of the applicable events listed in
EOP-004 Attachment 1 in accordance with the time frames specified in EOP-004
Attachment 1 to the Electric Reliability Organization. LES Comment: [R1] We are
concerned by the significant amount of detail an entity would be required to contain
within the Operating Plan as part of Requirement R1. Rather than specifying an
entity must have a documented process for recognizing each of the events listed in
EOP-004-2 Attachment 1, at a minimum, consider removing the term “process” in
R1.1 and replacing with “guideline” to ensure operating personnel are not forced to
adhere to a specific sequence of steps and still have the flexibility to exercise their
own judgment. Section 5 of the standard (Background) should be moved to the
Guideline and Technical Basis document. A background that long does not belong in
the standard piece as it detracts from the intent of the standard itself.
Response: The SDT thanks you for your comment. The background and Guidelines and Technical Basis sections have been
combined.
ReliabilityFirst
ReliabilityFirst votes in the Affirmative for this standard because the standard further
enhances reliability by clearing up confusion and ambiguity of reporting events which
were previously reported under the EOP-004-1 and CIP-001-1 standards. Even
though ReliabilityFirst votes in the Affirmative, we offer the following comments for
consideration: 1. Requirement R1, Part 1.2 a. ReliabilityFirst recommends further
prescribing whom the Responsible Entity needs to communicate with. The phrase “...
and other organizations needed for the event type...” in Part 1.2 essentially leaves it
up to the Responsible Entity to determine (include in their process) whom they
should communicate each applicable event to. ReliabilityFirst recommends adding a
fourth column under Attachment 1, which lists whom the Responsible Entity is
required to communicate with, for each applicable event. 2. VSL for Requirement
R2 a. Requirement R2 requires the Responsible Entity to “implement its event
reporting Operating Plan” and does not require the entity to submit a report. For
consistency with the requirement, ReliabilityFirst recommends modifying the VSLs to
begin with the following type of language: “The Responsible Entity implemented its
event reporting Operating Plan more than 24 hours but...” This recommendation is
based on the FERC Guideline 3, VSL assignment should be consistent with the
corresponding requirement and should not expand on, nor detract from, what is
required in the requirement.
Response: The SDT thanks you for your comment. The SDT believes that implementing your Operating Plan means that you report
an event. Therefore the VSLs are entirely consistent with the requirement.
DECo
Requirement R3 for annual test specifically states that ERO is not included during
test. Implies that local law enforcement or state law enforcement will be included in
test. Hard to coordinate with many Local organizations in our area.
Response: The SDT thanks you for your comment. The SDT has revised the language in Requirement R3 and believes that the
changes will address your suggestion.
Alliant Energy
Section 5 of the standard (Background) should be moved to the Guideline and
Technical Basis document. A background that long does not belong in the standard
piece as it detracts from the intent of the standard itself.
Response: The SDT thanks you for your comment. The background and Guidelines and Technical Basis sections have been
combined.
MidAmerican Energy
See the NSRF comments.
Response: The SDT thanks you for your participation. Please review the response to that commenter.
MEAG Power
Should these administrative activities be sent over to NAESB? R1: There is merit in
having a plan as identified in R1, but is this a need to support reliability or is it a
business practice? Should it be in NAESB’s domain? R2, R3 & R4: These are not
appropriate for a Standard. If you don’t annually review the plan, will reliability be
reduced and the BES be subject to instability, separation and cascading? If DOE
needs a form filled out, fill it out and send it to DOE. NERC doesn’t need to pile on.
Mike Moon and Jim Merlo have been stressing results and risk based, actual
performance based, event analysis, lessons learned and situational awareness. EOP-004 is primarily a business preparedness topic and identifies administrative
procedures that belong in the NAESB domain.
Public Utility District No. 1 of
Snohomish County
SNPD suggest moving these administrative activities to NAESB. R1: There is merit in
having a plan as identified in R1, but is this a need to support reliability or is it a
business practice? Should it be in NAESB’s domain? R2, R3 & R4: These are not
appropriate for a Standard. If you don’t annually review the plan, will reliability be
reduced and the BES be subject to instability, separation and cascading? If DOE
needs a form filled out, fill it out and send it to DOE. NERC doesn’t need to pile on.
Gerry Cauley and Mike Moon have been stressing results and risk based, actual
performance based, event analysis, lessons learned and situational awareness. EOP-004 is primarily a business preparedness topic and identifies administrative
procedures that belong in the NAESB domain.
Response: The SDT thanks you for your comment. SDT believes this standard is needed to provide Situational Awareness and can
help in providing lessons learned to the industry. The SDT has revised the requirements to address this need. While it may be
appropriate to have NAESB adopt this obligation at some point in the future, the SDT was charged with addressing deficiencies at this
time. The SDT has removed all references to filing reports to DOE from the earlier versions. Today’s only reference provides for
NERC’s acceptance of the use of their form when it is appropriate.
Springfield Utility Board
SUB appreciates the opportunity to provide comments. While Staff was concerned
with the consolidation of CIP and non-CIP NERC Reliability Standards (as to how
they’ll be audited), the Project 2009-01 SDT has done an excellent job in providing
clarification around identifying and reporting events, particularly related to the
varying definitions of “sabotage”.
Response: The SDT thanks you for your support.
Tacoma Power
Tacoma Power disagrees with the requirement to perform annual testing of each
communication plan. We do not see any added value in performing annual testing of
each communication plan. There are already other Standard requirements to
performing routine testing of communications equipment and emergency
communications with other agencies. The “proof of compliance” to the Standard
should be in the documentation of the reports filed for any qualifying event, within
the specified timelines and logs or phone records that it was communicated per each
specified communication plan. Tacoma Power has none at this time. Thank you for
considering our comments.
Response: The SDT thanks you for your comment. The SDT has revised Requirement R3 and we believe that our changes address
your suggestion.
Exelon Corporation and its
affiliates
Thanks to the SDT. Significant progress was made in revising the proposed standard
language. We appreciate the effort and have only a few remaining requests:
o We understand that CIP-008 dictates the 1-hour reporting obligation for Cyber
Security Incidents and this iteration of EOP-004 delineates the CIP-008 requirements.
Please confirm that per the exemption language in the CIP standards (as consistent
with the March 10, 2011 FERC Order (docket # RM06-22-014)) nuclear generating
units are not subject to this reporting requirement.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one-hour reporting requirement.
o EOP-004 still lists “Generation Loss” as a 24 hour reporting criteria without any time
threshold guidance for the generation loss. Exelon previously commented to the SDT
(without the comment being addressed) that Generation Loss should provide some
type of time threshold. If the 2000 MW is from a combination of units in a single
location, what is the time threshold for the combined unit loss? In considering
clarification language, the SDT should review the BAL standards on the disturbance
recovery period for appropriate timing for closeness of trips.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern
or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection.”
o The “physical threat that could impact” requirement remains vague and it’s not
clear the relevance of such information to NERC or the Regions. If a train derailment
occurred near a generation facility (as stated in the footnote), are we to expect that
NERC is going to send out a lesson learned with suggested corrective actions to
protect generators from that occurring? The value in that event reporting criteria
seems low. The requirement should be removed.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
o The event concerning voltage deviation of +/- 10% does not specify which type of
voltage. In response to this comment in the previous comment period, the SDT
indicated that the entity could determine the type of voltage. It would be clearer to
specify in the standard and avoid future interpretation at the audit level.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Observed voltage deviation of ± 10% of nominal voltage sustained for ≥ 15
continuous minutes.”
This language clearly states that if the threshold is met, the entity needs to submit a
report within 24 hours.
o As requested previously, for nuclear facilities, EOP-004 reporting should be
coordinated with existing required notifications to the NRC and FBI as to not
duplicate effort or add unnecessary burden on the part of a nuclear GO/GOP during a
potential security or cyber event. Please contact the NRC about this project to
ensure that required communication and reporting in response to a radiological
sabotage event (as defined by the NRC) or any incident that has impacted or has the
potential to impact the BES does not create duplicate reporting, conflicting reporting
thresholds or confusion on the part of the nuclear generator operator. Each nuclear
generating site licensee must have an NRC approved Security Plan that outlines
applicable notifications to the FBI. Depending on the severity of the security event,
the nuclear licensee may initiate the Emergency Plan (E-Plan). Exelon again asks that
the proposed reporting process and flow chart be coordinated with the NRC to
ensure it does not conflict with existing expected NRC requirements and protocol
associated with site specific Emergency and Security Plans. In the alternative, the
EOP-004 language should include acceptance of NRC required reporting to meet the
EOP-004 requirements.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Complete loss of off-site power affecting a nuclear generating station per the
Nuclear Plant Interface Requirement.”
As stated in this event Threshold, the TOP’s NPIR may have additional guidance
concerning the complete loss of offsite power affecting a nuclear plant.
o The proposed standard notes that the text boxes will be moved to the Guideline
and Technical Basis Section which we support. However, it’s not clear whether all the
information in the background section will remain part of the standard. If this section
is to remain as proposed concerted revision is needed to ensure that the discussion
language matches the requirement language. At present, it does not. For instance,
the flow chart on page 9 indicates when to report to law enforcement while the
requirements merely state that communications to law enforcement be addressed
within the operating plan.
The background sections will remain in the standard. The flowchart on Page 9 is an
example only and may differ from your Operating Plan.
o Exelon voted negative vote on this ballot due to the need for further clarification
and reconciliation between NERC EOP-004 and the NRC.
The SDT team does not believe that reporting under EOP-004 can in any way
‘conflict’ with any other reporting obligations that nuclear or any other type of
GO/GOP may have. By allowing applicable entities to use the OE-417 form, the
drafting team believes it has given industry reasonable accommodation to reduce
duplicative reporting. The same is true for other agencies as well. If an entity
submits to NERC the same that was submitted to the other regulatory agency, then
this submission will be acceptable. Based on the historical frequency with which
GO/GOPs report under the current EOP-004-1 the drafting team does not believe
this places an inordinate burden on the applicable entities.
Response: The SDT thanks you for your comment.
Alberta Electric System
Operator
The Alberta Electric System Operator will need to modify parts of this standard to fit
the provincial model and current legislation when it develops the Alberta Reliability
Standard.
Response: The SDT thanks you for your comment.
Puget Sound Energy, Inc.
The effective date language in the Implementation Plan is inconsistent with the
effective date language in the proposed standard.
The SDT checked the language and found both to be identical.
In addition, the statement of effective date in the Implementation Plan is ambiguous
- will EOP-004-2 be effective in accordance with the first paragraph or when it is
“assigned an effective date” as stated in the second paragraph?
The second paragraph deals with EOP-004-1, the currently mandatory and
enforceable standard.
All requirements should be assigned a Lower Violation Risk Factor. Medium risk
factors require direct impact on the Bulk Electric System and the language there
regarding “instability, separation, or cascading failures” is present to distinguish the
Medium risk factor from the High risk factor. Since all of the requirements address
after-the-fact reporting, there can be no direct impact on the Bulk Electric System. In
addition, if having an Operating Plan under Requirement R1 is a Lower risk factor,
then it does not make sense that reviewing that Operating Plan annually under
Requirement R4 has a higher risk factor.
The SDT disagrees. Please review the VRF documentation that was posted with the
standard for the analysis of the requirements.
The shift away from "the distracting element of motivation", i.e., removing
"Sabotage" from the equation, runs the risk of focusing solely on what happened,
how to fix it, and waiting for the next event to occur. That speaks to a reactive
approach rather than a proactive one. There is a concern with the removal of the FBI
from the reporting mix. Basically, the new standard will involve reporting a suspicious
event or attack to local law enforcement and leaving it up to them to decide on
reporting to the FBI. Depending on their evaluation, an event which is significant for a
responsible entity might not rise to the priority level of the local law enforcement
agency for them to report it to the FBI. While this might reduce the reporting
requirements a bit, it might do so to the responsible entity’s detriment.
The Operating Plan developed by each responsible entity may indeed have certain
event types reported directly to the FBI. It is up to the entity to determine the
appropriate notifications. Entities in Canada would not report anything to the FBI.
In Attachment 2 - item 4, would it be possible for the boxes to be either alpha-sorted or
sorted by priority?
The SDT has made changes to Attachment 2 to list the Events in order of their
listing in Attachment 1.
There is a disconnect between footnote 1 on page 18 (Don't report copper theft) and
the Guideline section, which suggests reporting forced intrusion attempt at a
substation.
Forced Intrusion was removed from the Guidelines section. The SDT has deleted
footnote 1 based on comments received from the industry, however, retained the
concept in the event type “Physical threats to a Facility” as:
“Do not report copper theft unless it degrades normal operation of a Facility.”
Also, in the section discussing the removal of sabotage, the Guideline mentions
certain types of events that should be reported to NERC, DHS, FBI, etc., while that
specificity with respect to entities has been removed from the reporting requirement.
The SDT disagrees with your assessment on reporting. Entities know best to whom
and what reporting obligations they have on the applicable event types. The SDT
has learned that states vary in organization of their law enforcement agencies. As
such it is impossible for the SDT to outline those obligations in a consistent and
uniform manner. Entities can establish a single or multiple contact lists as needed
for the different event types.
Response: The SDT thanks you for your comments.
Kansas City Power & Light
The flowchart states, “Notification Protocol to State Agency Law Enforcement”.
Please correct this to, “Notification to State, Provincial, or Local Law Enforcement”, to
be consistent with the language in the background section part, “A Reporting Process
Solution - EOP-004”.
Evidence Retention - it is not clear what the phrase “prior 3 calendar years”
represents in the third paragraph of this section regarding data retention for
requirements and measures for R2, R3, R4 and M2, M3, M4 respectively. Please
clarify what this means. Is that different than the meaning of “since the last audit for
3 calendar years” for R1 and M1?
Response: The SDT thanks you for your comment. The flowchart is an example only and was not meant to show every
permutation. The evidence retention paragraph has been revised to reflect the ‘since last audit’ language.
United Illuminating Company
The measures M3 and M4 require evidence to be dated and time stamped. The time
stamp is excessive and provides no benefit. A dated document is sufficient. The
measure M2 requires in addition to a record of the transmittal of the EOP-004
Attachment 2 form or DOE-417 form that an operator log or other operating
documentation is provided. It is unclear why this supplemental evidence of operator
logs is required. We are assuming that the additional operator logs or
documentation is required to demonstrate that the communication was completed
to organizations other than NERC and DOE of the event. If true then the measure
should be clear on this topic. For communication to NERC and DOE use the EOP-004
Form or OE-417 form and retain the transmittal record. For communication to other
organizations pursuant to R1 Part 1.2 evidence may include, but is not limited to,
operator logs, transmittal record, attestations, or voice recordings.
Response: The SDT thanks you for your comment. The SDT has removed the time-stamp provision. The SDT agrees and adopts
your suggestion.
New York Independent
System Operator
The NYISO is part of and supports comments submitted by NPCC Reliability Standards
Committee and the IRC Standards Review Committee. However the NYISO would also
like to comment on the following items: o NERC has been proposing the future
development of performance based standards, which is directly related to reliability
performance. Requirement 2 of this standard is simply a reporting requirement. We
believe that this does not fall into a category of a performance based standard. NERC
has the ability to ask for reports on events through ROP provisions and now the new
Event Analysis Process. It does not have to make it part of the compliance program.
Some have indicated that need for timely reporting of cyber or sabotage events. The
counter argument is that the requirement is reporting when confirmed which would
delay any useful information to fend off a simultaneous threat. Also NERC has not
provided any records of how previous timely (1 hour) reporting has mitigated
reliability risks. o The NERC Event Analysis Process was recently approved by the
NERC OC and is in place. This was the model program for reporting outside the
compliance program that the industry was asking for. This should replace the need
for EOP-004. o NERC has presented Risk Based Compliance Monitoring (RBCM) to the
CCC, MRC, BOT and at Workshops. This involves audit teams monitoring an entity’s
controls to ensure they have things in place to maintain compliance with reliability
rules. The proposed EOP-004 has created requirements that are controls to
requirement R2, which is to file a report on predefined incidents. The RBCM is being
presented as the auditor will make determinations on the detail of the sampling for
compliance based on the assessment of controls an entity has in place to maintain
compliance. It is also noted that compliance will not be assessed against these
controls. As the APS example for COM-002 is presented in the Workshop slides, the
issue is that EOP-004 R1, R3 and R4 are controls for reporting; 1) have a plan, 2) test
the plan, and 3) review the plan. While R2 is the only actionable requirement. The
NYISO believes that all reporting requirements have been met by OE-417 and EAP
reporting requirements and that EOP-004 has served its time. At a minimum, the
NYISO would suggest that EOP-004 be simplified to just R2 (reporting requirement)
and the other requirements be placed at the end of the RSAW to demonstrate a
culture of compliance as presented by NERC.
Response: The SDT thanks you for your comment. Please review the responses to those commenters. The SDT appreciates your
suggestion, however, most of your comment is beyond the scope of the SDT’s charge. The SDT would like to note your statement
on reporting requirements having been met by the OE-417 and EAP requirements. The SDT fails to see how NERC gains situational
awareness and the opportunity to pass along lessons learned when the aforementioned reports are not forwarded to the
appropriate ERO group. The SDT would also note that the ERO does not have access to the OE-417 filings unless they are provided
and the EAP does not include reporting for some of the event types listed in Attachment 1. The SDT will forward your comment to
appropriate officials for their consideration.
Hydro One
The proposed standard is not consistent with NERC’s new Risk Based Compliance
Monitoring. - The performance based action to “implement its event reporting
Operating Plan” on defined events, as required in R2, could be considered a valid
requirement. However, the concern is that this requirement could be superseded by
the NERC Events Analysis Process and existing OE-417 Reporting. - The requirements
laid out in R1, R3 and R4 are specific controls to ensure that the proposed
requirement to report (R2) is carried out. However, controls should not be part of a
compliance requirement. The only requirement proposed in this standard that is not
a control is R2. NERC does not need to duplicate the enforcement of reporting already
imposed by the DOE. DOE-417 is a well-established process that has regulatory
obligations. NERC enforcement of reporting is redundant. NERC has the ability to
request copies of these reports without making them part of the Reliability Rules.
The SDT appreciates your suggestion, however, most of your comment is beyond
the scope of the SDT’s charge. The SDT would like to note your statement on
reporting requirements having been met by the OE-417 and EAP requirements. This
statement is not true for Canadian entities. The SDT fails to see how NERC gains
situational awareness and the opportunity to pass along lessons learned when the
aforementioned reports are not forwarded to the appropriate ERO group. The SDT
would also note that the ERO does not have access to the OE-417 filings unless they
are provided and the EAP does not include reporting for some of the event types
listed in Attachment 1. The SDT will forward your comment to appropriate officials
for their consideration.
Form EOP-004, Attachment 2: Event Reporting Form: - Delete from the Task column
the words “or partial”. - Delete from the Task column the words “physical threat that
could impact the operability of a Facility”.
The SDT has proposed changes to the language within Attachment 2 which we
believe corrects the point made.
VSL’s may have to be revised to reflect revised wording. The standard as proposed is
not supportive of Gerry Cauley’s performance based standard initiative.
The SDT removed all language under “Entity with Reporting Responsibility,” with
the exception of entity(s) that are required to report an applicable event. The SDT
removed this language so the entities within this column are clearly stated and
identified. Under the “Threshold for Reporting” column, a bright line was updated
based on currently enforced Reliability Standards, FERC directives and industry
comments to state:
“Physical threat to its Facility excluding weather related threat, which has the
potential to degrade the normal operation of the Facility
Or
Suspicious device or activity at a Facility
Do not report copper theft unless it degrades normal operations of a Facility.”
This language gives the required guidance that if there is a physical threat that has
the potential to degrade a Facility’s normal operation or a suspicious device or
activity is discovered at a Facility, it is required to be reported within 24 hours, this
will give the ERO (and whoever else the entity wishes to inform per Requirement
R1) the situational awareness that the Facility has a potential of not being able to
operate as it is designed. The SDT also states that copper theft is not a reportable
event unless it degrades the normal operation of a Facility.
Response: The SDT thanks you for your comment.
Northeast Power Coordinating
Council
The proposed standard is not consistent with NERC’s new Risk Based Compliance
Monitoring. a. The performance based action to “implement its event reporting
Operating Plan” on defined events, as required in R2, could be considered a valid
requirement. However, the concern is that this requirement could be superseded by
the NERC Events Analysis Process and existing OE-417 Reporting. b. The
requirements laid out in R1, R3 and R4 are specific controls to ensure that the
proposed requirement to report (R2) is carried out. However, controls should not be
part of a compliance requirement. The only requirement proposed in this standard
that is not a control is R2. NERC does not need to duplicate the enforcement of
reporting already imposed by the DOE. DOE-417 is a well established process that has
regulatory obligations. NERC enforcement of reporting is redundant. NERC has the
ability to request copies of these reports without making them part of the Reliability
Rules.
The SDT appreciates your suggestion; however, most of your comment is beyond
the scope of the SDT’s charge. The SDT would like to note your statement on
reporting requirements having been met by the OE-417 and EAP requirements. This
statement is not true for Canadian entities. The SDT fails to see how NERC gains
situational awareness and the opportunity to pass along lessons learned when the
aforementioned reports are not forwarded to the appropriate ERO group. The SDT
would also note that the ERO does not have access to the OE-417 filings unless they
are provided and the EAP does not include reporting for some of the event types
listed in Attachment 1. The SDT will forward your comment to appropriate officials
for their consideration.
Form EOP-004, Attachment 2: Event Reporting Form: Delete from the Task column
the words “or partial”. Delete from the Task column the words “physical threat that
could impact the operability of a Facility”.
The SDT has proposed changes to the language within Attachment 2 which we
believe corrects the point made.
VSL’s may have to be revised to reflect revised wording.
The SDT agrees and adopts your suggestion.
Response: The SDT thanks you for your comment.
American Public Power
Association
The SDT needs to provide some relief for the small entities in regards to the VSL in
the compliance section. APPA believes there should be no High or Severe VSLs for
this standard. This is a reporting/documentation standard and does not affect BES
reliability at all. It is APPA’s opinion that this standard should be removed from the
mandatory and enforceable NERC Reliability Standards and turned over to a working
group within the NERC technical committees. Timely reporting of this outage data is
already mandatory under Section 13(b) of the Federal Energy Administration Act of
1974. There are already civil and criminal penalties for violation of that Act. This
standard is a duplicative mandatory reporting requirement with multiple monetary
penalties for US registered entities. If this standard is approved, NERC must address
this duplication in their filing with FERC. This duplicative reporting and the
differences in requirements between DOE-OE-417 and NERC EOP-004-2 require an
analysis by FERC of the small entity impact as required by the Regulatory Flexibility
Act of 1980.
Response: The SDT thanks you for your comment. VSLs refer to how closely the entity met the requirements of the standard; it is
the VRF that measures impact to reliability. The SDT believes use of the high and severe VSLs is appropriate. The SDT believes that
size is not the important criteria in determining an impact on reliability. The reporting thresholds are based on the BES. No entity,
including small entities, is required to report on equipment that is not categorized as BES, which should give small entities relief
from reporting on non-impactive assets.
Pepco Holdings Inc
The SDT's efforts have resulted in a very good draft.
Response: The SDT thanks you for your support.
ISO/RTO Standards Review
Committee
The SRC offers some other comments regarding the posted draft requirements;
however, by so doing, the SRC does not indicate support of the proposed
requirements. Following these comments, please see below for an SRC proposed
alternative approach: The SRC does not agree with the MEDIUM VRF assigned to
Requirement R4. R4 is a requirement to conduct an annual review of the Event
Reporting Operating Plan mandated in Requirement R1. R1 however is assigned a VRF
of LOWER. We are unable to rationalize why a subsequent review of a plan should
have a higher reliability risk impact than the development of the plan itself.
Hypothetically, if an entity doesn’t develop a plan to begin with, then it will be
assigned a LOWER VRF, and the entity will have no plan to review annually and hence
it will not be deemed non-compliant with requirement R4. The entity can avoid being
assessed violating a requirement with a MEDIUM VRF by not having the plan to begin
with, for which the entity will be assessed violating a requirement with a LOWER VRF.
We suggest changing the R4 VRF to LOWER.
The SDT has revised the requirements and R4 has been deleted along with its
VRF/VSL.
The SRC requests that the SDT post the following Alternative Proposal for Industry
comments as required by the Standards Process to obtain Industry consensus and as
permitted by FERC: An equally effective alternative is to withdraw this standard and
to make the contents of the SDT’s posted standard a NERC Guideline.
a. This alternative is more in line with new NERC and FERC proposals
b. This alternative retains the reporting format
Comments 1. The FERC Order 693 directives regarding “sabotage” have already been
addressed by the SDT (i.e. the concept was found outside the scope of NERC
standards)
2. Current Industry actions already address the needs cited in the Order:
a. Approved Reporting Processes already exist
i. The Operating Committee’s Event Analysis Process
ii. Alert Reporting
b. The Data already exists
i. Reliability Coordinators Information System (which creates hundreds if not
thousands of “reports” per year)
ii. The DOE’s OE 417 Report itself provides part of the FERC discussed data
3. The proposed standard is not supportive of Gerry Cauley’s performance based
standard initiative or of FERC’s offer to reduce procedural standards
a. The proposed requirement is a process not an outcome
i. The proposal is more focused on reporting and could divert the attention of
reliability entities from addressing a situation to collecting data for a report
b. The proposed “events” are subjective and if followed will create an unmanageable
burden on NERC staff
i. Reporting “damage” to facilities can be interpreted as anything from a dent in a
generator to the total destruction of a transformer
ii. The reporting requirements on all applicable entities will create more questions
about differences between the reports of the various entities - rather than leading to
conclusions about patterns among events that indicate a global threat
iii. Reporting any “physical threat” is too vague and subjective
iv. Reporting “damage to a facility that affects an IROL” is subjective and can be seen
to require reporting of damage on every facility in an interconnected area.
v. Reporting “Partial loss of monitoring” is a data quality issue that can be anything
from the loss of a single data point to the loss of an entire SCADA system
vi. Testing the filling out of a Report does not make it easier to fill out the report later
(moreover the reporting is already done often enough - see 2.b.i)
c. The proposed requirements will create a disincentive to improving current Reporting
practices (the more an entity designs into its own system the more it will be expected
to do and the more likely it will be penalized for failing to comply)
i. Annual reviews of the reporting practices fall into the same category, why have a
detailed process to review when a simple one will suffice?
4. The proposed standard does not provide a feedback loop to either the data
suppliers or to potentially impacted functional entities
a. If the “wide area” data analysis indicates a threat, there is no requirement to
inform the impacted entities
b. As a BES reliability issue there is no performance indicators or metrics to show the
value of this standard
i. The SRC recognizes that specific incidents cannot be identified but if this is to be a
reliability standard some information must be provided. A Guideline could be designed
to address this concern.
5. The proposed standard is not consistent with NERC’s new Risk Based Compliance
Monitoring.
a. The performance based action to report on defined events, as required in R2, could
be considered a valid requirement. However we have concerns as noted in Bullet 3
above. The requirements laid out in R1, R3 and R4 are specific controls to ensure that
the proposed requirement to report (R2) is carried out. NERC is moving in the
direction to assess entities’ controls, outside of the compliance enforcement arm.
The industry is being informed that NERC Audit staff will conduct compliance audits
based on the controls that the entity has implemented to ensure compliance. The
SRC is interested in supporting this effort and making it successful. However, if this is
the direction NERC is moving, we should not be making controls part of a compliance
requirement. The only requirement proposed in this standard that is not a control is
R2.
6. For FERC-jurisdictional entities, NERC does not need to duplicate the enforcement
of reporting already imposed by the DOE. DOE-417 is a well established process that
has regulatory obligations. NERC enforcement of reporting would be redundant.
NERC has the ability to request copies of these reports without making them part of
the Reliability Rules.
Response: The SDT thanks you for your comment. The SDT will bring this request to the attention of the SC for consideration as
this request is beyond the scope of work identified in this project.
LG&E and KU Services
The Violation Severity Level for Requirement R2 should be revised to read “...hours
after recognizing an event requiring reporting...” This will make the language in the
VSL consistent with the language in Attachment 1.
Response: The SDT thanks you for your comment. The VSLs have been reviewed and revised based upon the revisions to the
requirements.
SPP Standards Review Group
The VRF for R1 is Lower which is fine. The issue is that R4, which is the review of the
plan contained in R1, has a Medium VRF. We recommend moving the VRF of R4 to
Lower.
We recommend deleting the phrase ‘...supplemented by operator logs or
other operating documentation...’ as found in the first sentence of M2. A much
clearer reference is made to operator logs and other operating documentation in the
second sentence. The duplication is unnecessary.
What will happen with the accompanying information contained in the Background
section in the draft standard? Will it be moved to the Guideline and Technical Basis at
the end of the standard as the information contained in the text boxes? This is valuable
information and should not be lost.
Response: The SDT thanks you for your comment. The SDT has revised the requirements and R4 has been deleted along with its
VRF/VSL. The background has been moved to the Guidelines and Technical Basis section.
Utility Services
There are no other comments at this time.
Response: The SDT thanks you for your participation.
Dynegy Inc.
Use of the term "Part x.x" throughout the Standard is somewhat confusing. I can't
recall other Standards using that type of term. Suggest using the term
"Requirement" instead.
Response: The SDT thanks you for your comment. The standard has been rewritten and revised in accordance with your
suggestion.
Central Lincoln
We agree with the comments provided by both PNGC and APPA.
Response: The SDT thanks you for your comment. Please review the responses to those commenters.
PNGC Comment Group
We appreciate the hard work of the SDT.
Response: The SDT thanks you for your support.
PPL Corporation NERC
Registered Affiliates
We appreciate the inclusion of the Process Flowchart on Page 9 of the draft standard.
We submit for your consideration, removing the line from the NO decision box to the
‘Report Event to ERO, Reliability Coordinator’ box. It seems if the event does not
need reporting per the decision box, this line is not needed. The decision box on
‘Report to Law Enforcement ?’ does not have a Yes or No. Perhaps, this decision box
is misplaced, or is it intended to occur always and not have a different path with
different actions? I.e., should it be a process box? Thank you for your work on this
standard.
PPL Electric Utilities
We appreciate the inclusion of the Process Flowchart on Page 9 of the draft standard.
We submit for your consideration, removing the line from the NO decision box to the
‘Report Event to ERO, Reliability Coordinator’ box. It seems if the event does not
need reporting per the decision box, this line is not needed. For clarity in needed
actions, please consider using a decision box following flowcharting standards such
as, a decision box containing a question with a Yes and a No path. The decision box
on ‘Report to Law Enforcement ?’ does not have a Yes or No. Perhaps, this decision
box is misplaced, or is it intended to occur always and not have a different path with
different actions? I.e., should it be a process box? Thank you for your work on this
standard.
Response: The SDT thanks you for your comment. The flowchart was provided as an example and guidance for entities to use if
they so choose. Entities can elect to create their own flowchart based upon their needs.
Independent Electricity
System Operator
We do not agree with the MEDIUM VRF assigned to Requirement R4. R4 stipulates a
requirement to conduct an annual review of the event reporting Operating Plan in
Requirement R1, which itself is assigned a VRF of LOWER. We are unable to
rationalize why a subsequent review of a plan should have a higher reliability risk
impact than the development of the plan itself. Hypothetically, if an entity doesn’t
develop a plan to begin with, then it will be assigned a LOWER VRF, and the entity will
have no plan to review annually and hence it will not be deemed non-compliant with
requirement R4. The entity can avoid being assessed violating a requirement with a
MEDIUM VRF by not having the plan to begin with, for which the entity will be
assessed violating a requirement with a LOWER VRF. We suggest changing the R4
VRF to LOWER.
Response: The SDT thanks you for your comment. The SDT has revised the requirements and R4 has been deleted along with its
VRF/VSL.
SMUD & BANC
We feel issues were addressed, but still have concern with ‘damage’. We certainly
support that any ‘destruction’ of a facility that meets any of the three criteria be a
reportable issue. But ‘damage’, if it’s going to be included should have some
objective definition that sets a floor. Much like the copper theft issue, we don’t see
the benefit of reporting plain vandalism (gun-shot insulators results from actual or
suspected intentional human action) to NERC unless the ‘damage’ has some tangible
impact on the reliability of the system or are acts of an orchestrated sabotage (i.e.
removal of bolt in a transmission structure).
Response: The SDT thanks you for your comment. The SDT removed all language under “Entity with Reporting Responsibility,” with the
exception of entity(s) that are required to report an applicable event. The SDT removed this language so the entities within this
column are clearly stated and identified. Under the “Threshold for Reporting” column, a bright line was updated based on
currently enforced Reliability Standards, FERC directives and industry comments to state:
“Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator
Area that results in the need for actions to avoid a BES Emergency.”
This language gives the required guidance of who has to report within its Area that results in need for actions to avoid a BES
Emergency (as defined by NERC: Any abnormal system condition that requires automatic or immediate manual action to prevent
or limit the failure of transmission facilities or generation supply that could adversely affect the reliability of the Bulk Electric
System).
This relates to either a completely destroyed Facility where an action is required to avoid a BES Emergency, or a Facility that is
damaged to a point that actions are required to avoid a BES Emergency. By reporting either a “damaged or destroyed” Facility,
within 24 hours, it will give the ERO (and whoever else the entity wishes to inform per R1) the situational awareness that the
electrical system has been reconfigured or may need to be reconfigured, thus supporting reliable operations of each
interconnection.
The SDT removed all language under “Entity with Reporting Responsibility,” with the exception of entity(s) that are required to
report an applicable event. The SDT removed this language so the entities within this column are clearly stated and identified.
Under the “Threshold for Reporting” column, a bright line was updated based on currently enforced Reliability Standards, FERC
directives and industry comments to state:
Damage or destruction of its Facility that results from actual or suspected intentional human action.
This language gives the required guidance that if there is actual intentional human action that damages or destroys a Facility, it is
required to be reported within 24 hours; this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a human.
This event was written to cover the increase of “Entity with Reporting Responsibility” and removing the RC since they do not own
Facility(s).
The SDT also included a second part of this event being “suspected intentional human action.” This language was required to give
an entity the reporting responsibility to report to the ERO (and whoever else the entity wishes to inform per Requirement R1) the
situational awareness that they suspect that their Facility was damaged or destroyed by intentional human action. The SDT
envisions that entities could further define what a suspected intentional human action is within their Operating Plan.
ISO New England Inc
We request that the SDT post the following Alternative Proposal for Industry
comments as required by the Standards Process to obtain Industry consensus and as
permitted by FERC: An equally effective alternative is to withdraw this standard and
to make the contents of the SDT’s posted standard a NERC Guideline.
a. This alternative is more in line with new NERC and FERC proposals
b. This alternative retains the reporting format
Comments
1. The FERC Order 693 directives regarding “sabotage” have already been addressed
by the SDT (i.e. the concept was found outside the scope of NERC standards)
2. Current Industry actions already address the needs cited in the Order:
a. Approved Reporting Processes already exist
i. The Operating Committee’s Event Analysis Process
ii. Alert Reporting
b. The Data already exists
i. Reliability Coordinators Information System (which creates hundreds if not
thousands of “reports” per year)
ii. The DOE’s OE 417 Report itself provides part of the FERC discussed data
3. The proposed standard is not supportive of Gerry Cauley’s performance based
standard initiative or of FERC’s offer to reduce procedural standards
a. The proposed requirement is a process not an outcome
i. The proposal is more focused on reporting and could divert the attention of
reliability entities from addressing a situation to collecting data for a report
b. The proposed “events” are subjective and if followed will create an unmanageable
burden on NERC staff
i. Reporting “damage” to facilities can be interpreted as anything from a dent in a
generator to the total destruction of a transformer
ii. The reporting requirements on all applicable entities will create more questions
about differences between the reports of the various entities - rather than leading to
conclusions about patterns among events that indicate a global threat
iii. Reporting any “physical threat” is too vague and subjective
iv. Reporting “damage to a facility that affects an IROL” is subjective and can be seen
to require reporting of damage on every facility in an interconnected area.
v. Reporting “Partial loss of monitoring” is a data quality issue that can be anything
from the loss of a single data point to the loss of an entire SCADA system
vi. Testing the filling out of a Report does not make it easier to fill out the report later
(moreover the reporting is already done often enough - see 2.b.i)
c. The proposed requirements will create a disincentive to improving current Reporting
practices (the
more an entity designs into its own system the more it will be expected to do and the
more likely it will be penalized for failing to comply)
i. Annual reviews of the reporting practices fall into the same category, why have a
detailed process to review when a simple one will suffice?
4. The proposed standard does not provide a feedback loop to either the data
suppliers or to potentially impacted functional entities
a. If the “wide area” data analysis indicates a threat, there is no requirement to
inform the impacted entities
b. As a BES reliability issue there is no performance indicators or metrics to show the
value of this standard
i. We recognize that specific incidents cannot be identified but if this is to be a
reliability standard some information must be provided. A Guideline could be designed
to address this concern.
5. The proposed standard is not consistent with NERC’s new Risk Based Compliance
Monitoring.
a. The performance based action to report on defined events, as required in R2, could
be considered a valid requirement. However we have concerns as noted in Bullet 3
above. The requirements laid out in R1, R3 and R4 are specific controls to ensure that
the proposed requirement to report (R2) is carried out. NERC is moving in the
direction to assess entities’ controls, outside of the compliance enforcement arm.
The industry is being informed that NERC Audit staff will conduct compliance audits
based on the controls that the entity has implemented to ensure compliance. We are
interested in supporting this effort and making it successful. However, if this is the
direction NERC is moving, we should not be making controls part of a compliance
requirement. The only requirement proposed in this standard that is not a control is
R2.
6. For FERC-jurisdictional entities, NERC does not need to duplicate the
enforcement of reporting already imposed by the DOE. DOE-417 is a well established
process that has regulatory obligations. NERC enforcement of reporting would be
redundant. NERC has the ability to request copies of these reports without making
them part of the Reliability Rules.
Response: The SDT thanks you for your comment. The SDT will bring this request to the attention of the SC for consideration as
this request is beyond the scope of work identified in this project.
Brazos Electric Power
Cooperative
We thank the work of the SDT on this project. However, additional improvements
should be made as described in the comments submitted by ACES Power Marketing.
Response: The SDT thanks you for your comment. Please review the responses to that commenter.
FirstEnergy
While FE voted affirmative on this draft, upon further review we request clarification
be made in the next draft of the standard regarding the applicability of the Nuclear
Generator Operator. Per FE's previous comments, nuclear generator operators
already have specific regulatory requirements to notify the NRC for certain
notifications to other governmental agencies in accordance with 10 CFR
50.72(b)(s)(xi). We had asked that the SDT contact the NRC about this project to
ensure that existing communication and reporting that a licensee is required to
perform in response to a radiological sabotage event (as defined by the NRC) or any
incident that has impacted or has the potential to impact the BES does not create
either duplicate reporting, conflicting reporting thresholds or confusion on the part of
the nuclear generator operator. In addition, EOP-004 must acknowledge that there
may be NRC reporting forms that have the equivalent information contained in their
Attachment 2. For what the NRC considers a Reportable Event, Nuclear plants are
required to fill out NRC form 361 and/or form 366. We do not agree with the
drafting team's response to ours and Exelon's comments that "The NRC does not fall
under the jurisdiction of NERC and so therefore it is not within scope of this project."
While the statement is correct, we believe that requirements should not conflict with
or duplicate other regulatory requirements. We remain concerned that the standard
with regard to Nuclear GOP applicability causes duplicative regulatory reporting with
existing reporting requirements of the NRC. Therefore, we ask: 1. That NERC and the
drafting team please investigate these issues further and revise the standard to
clarify the scope for nuclear GOPs, and 2. For any reporting deemed in the scope for
nuclear GOP after NERC's and the SDT's investigation per our request in #1 above,
that the SDT consider the ability to utilize information from NRC reports as meeting
the EOP-004-2 requirements similar to the allowance of using the DOE form as
presently proposed.
Response: The SDT thanks you for your comment. The SDT team does not believe that reporting under EOP-004 can in any way
‘conflict’ with any other reporting obligations that nuclear or any other type of GO/GOP may have. By allowing applicable entities
to use the OE-417 form, the drafting team believes it has given industry reasonable accommodation to reduce duplicative
reporting. The same is true for other agencies as well. If an entity submits to NERC the same that was submitted to the other
regulatory agency, then this submission will be acceptable. Based on the historical frequency with which GO/GOPs report under
the current EOP-004-1 the drafting team does not believe this places an inordinate burden on the applicable entities.
American Electric Power
While we do not necessarily disagree with modifying this standard, we do have
serious concerns with the possibility that Form OE-417 form would not also be
modified to match any changes made to this standard. To the degree they would be
different, this would create unnecessary confusion and burden on operators.
While we appreciate the point raised, the SDT does not have any authority with regard
to the language contained within the DOE OE-417 form. The Department of Energy
is responsible for the design and contents of the 417 form. As a part of the SDT’s
work in this proposal, we met with and collaborated with the DOE staff responsible
for the 417 form to establish a common understanding of reportable events. We hope
that if the DOE desires to make further changes, they will pass along information
for consideration in a future NERC SAR.
If CIP-008 is now out of scope within the requirements of this standard, the task
“reportable Cyber Security Incident” should be removed from Attachment 2.
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
Response: The SDT thanks you for your comment.
Progress Energy
Within attachment 1 (Reportable Events) an exclusion is allowed for weather related
threats. PGN recommends a more generic approach to include natural events such as
forest fires, sink holes, etc. This would alleviate some reporting burdens in areas that
are prone to these types of events.
Response: The SDT thanks you for your comment. The SDT has revised the language in accordance with your suggestion to
“weather or natural disaster related threats”.
Xcel Energy
Xcel Energy appreciates the work of the drafting team and believes the current draft
is an improvement over the existing standard. However, we would like to see the
comments provided here and above addressed prior to submitting an AFFIRMATIVE
vote.
1) Suggest enhancing the “Example of Reporting Process...” flowchart as follows:
EVENT > Refer to Ops Plan for Event Reporting > Refer to Law Enforcement? > Yes/No
> ....
The SDT has provided the flowchart as an example and guidance for entities.
Entities can choose to create their own version of the flowchart for use in their
Operating Plan.
2) Attachment 1 - in both the 1 hour and the 24 hour reporting they are qualified
with “within x hours of recognition of the event”. Is this the intent, so that if an entity
recognizes at some point after an event that the time clock starts?
The SDT has discussed this issue with Project 2008-06, Cyber Security SDT and we
have remanded the one hour event back to CIP-008. The next version of EOP-004-2
will not contain a one hour reporting requirement.
The SDT envisions when the entity is made aware of an applicable event contained
in Attachment 1, that they would report the event within 24 hours. Any entity
could enhance their Operating Plan to describe as much detail as they wanted to
provide to their employees as they see fit.
3) VSLs - R3 & R4 “Severe” should remove the “OR....”, as this is redundant. Once an
entity has exceeded the 3 calendar months, the Severe VSL is triggered.
The SDT has revised the requirements and accordingly the VSLs.
4) The Guideline and Technical Basis page 22 should be corrected to read “The
changes do not include any real-time operating notifications for the types of events
covered by CIP-001 and EOP-004. The real-time reporting requirements are achieved
through the RCIS and are covered in other standards (e.g. EOP-002-Capacity and
Energy Emergencies). These standards deal exclusively with after-the-fact reporting.”
Response: Thank you for the grammatical correction.
5) Also in the following section of the Guideline and Technical Basis (page 23) the
third bullet item should be qualified to exclude copper theft: Examples of such events
include:
o Bolts removed from transmission line structures
o Detection of cyber intrusion that meets criteria of CIP-008-3 or its successor standard
o Forced intrusion attempt at a substation (excluding copper theft)
o Train derailment near a transmission right-of-way
o Destruction of Bulk Electric System equipment
Response: Thank you for the correction; however, as a result of other changes
made to the standard, the SDT is proposing to remove the third bulleted item from
this list.
Response: The SDT thanks you for your comment.
Edison Mission Marketing &
Trading, Inc.
No
Idaho Power Co.
No
Arizona Public Service
Company
None
END OF REPORT
242
EOP-004-2 — Event Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
5. Initial Informal Comment Period (September 15 – October 15, 2010).
6. Second Comment Period (Formal) (March 9 – April 8, 2011).
7. Third Comment Period and Initial Ballot (October 28 – December 12, 2011).
8. Fourth Comment Period and Successive Ballot (April 25 – May 24, 2012).
Proposed Action Plan and Description of Current Draft
This is the fifth posting of the proposed standard in accordance with Results-Based Standards
(RBS) criteria. The drafting team requests posting for a 30-day formal comment period
concurrent with the formation of the ballot pool and the successive ballot.
Future Development Plan
Anticipated Actions | Anticipated Date
Drafting team considers comments, makes conforming changes on fourth posting | June - August 2012
Fifth Comment/Ballot period | August – September 2012
Recirculation Ballot period | October 2012
Receive BOT approval | November 2012
File with regulatory authorities | December 2012
Draft 5: August 2, 2012
Effective Dates
The first day of the first calendar quarter that is six months beyond the date that this standard is
approved by applicable regulatory authorities. In those jurisdictions where regulatory approval
is not required, the standard shall become effective on the first day of the first calendar quarter
that is six months beyond the date this standard is approved by the NERC Board of Trustees, or
as otherwise made effective pursuant to the laws applicable to such ERO governmental
authorities.
Version History
Version | Date | Action | Change Tracking
2 | Draft 5: August 2, 2012 | Merged CIP-001-2a Sabotage Reporting and EOP-004-1 Disturbance Reporting into EOP-004-2 Event Reporting; Retire CIP-001-2a Sabotage Reporting and Retired EOP-004-1 Disturbance Reporting. | Revision to entire standard (Project 2009-01)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
None
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
A. Introduction
1. Title: Event Reporting
2. Number: EOP-004-2
3. Purpose: To improve the reliability of the Bulk Electric System by requiring the reporting
of events by Responsible Entities.
4. Applicability
4.1. Functional Entities: For the purpose of the Requirements and the EOP-004
Attachment 1 contained herein, the following functional entities will be collectively
referred to as “Responsible Entity.”
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Transmission Owner
4.1.4. Transmission Operator
4.1.5. Generator Owner
4.1.6. Generator Operator
4.1.7. Distribution Provider
5. Background:
NERC established a SAR Team in 2009 to investigate and propose revisions to the CIP-001
and EOP-004 Reliability Standards. The team was asked to consider the following:
1. CIP-001 could be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 had some ‘fill-in-the-blank’ components to eliminate.
The development included other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient Bulk Electric System reliability standards.
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance
and Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009.
The DSR SDT developed a concept paper to solicit stakeholder input regarding the proposed
reporting concepts that the DSR SDT had developed. The posting of the concept paper
sought comments from stakeholders on the “road map” that will be used by the DSR SDT in
updating or revising CIP-001 and EOP-004. The concept paper provided stakeholders the
background information and thought process of the DSR SDT. The DSR SDT has reviewed
the existing standards, the SAR, issues from the NERC issues database and FERC Order 693
Directives in order to determine a prudent course of action with respect to revision of these
standards.
B. Requirements and Measures
R1. Each Responsible Entity shall have
an event reporting Operating Plan in
accordance with EOP-004-2
Attachment 1 that includes the
protocol(s) for reporting to the
Electric Reliability Organization
and other organizations (e.g., the
regional entity, company personnel,
the Responsible Entity’s Reliability
Coordinator, law enforcement, or
governmental authority). [Violation
Risk Factor: Lower] [Time
Horizon: Operations Planning]
M1. Each Responsible Entity will have a
dated event reporting Operating
Plan that includes, but is not limited
to the protocol(s) and each
organization identified to receive an
event report for event types
specified in EOP-004-2 Attachment
1 and in accordance with the entity
responsible for reporting.
Rationale for R1
The requirement to have an Operating Plan for
reporting specific types of events provides the
entity with a method to have its operating
personnel recognize events that affect reliability
and to be able to report them to appropriate
parties; e.g., Regional Entities, applicable
Reliability Coordinators, and law enforcement
and other jurisdictional agencies when so
recognized. In addition, these event reports are
an input to the NERC Events Analysis Program.
These other parties use this information to
promote reliability, develop a culture of
reliability excellence, provide industry
collaboration and promote a learning
organization.
Every industry participant that owns or operates
elements or devices on the grid has a formal or
informal process, procedure, or steps it takes to
gather information regarding what happened
when events occur. This requirement has the
Responsible Entity establish documentation on
how that procedure, process, or plan is organized.
This documentation may be a single document or
a combination of various documents that achieve
the reliability objective.
The communication protocol(s) could include a
process flowchart, identification of internal and
external personnel or entities to be notified, or a
list of personnel by name and their associated
contact information. An existing procedure that
meets the requirements of CIP-001-2a may be
included in this Operating Plan along with other
processes, procedures or plans to meet this
requirement.
R2. Each Responsible Entity shall report
events per their Operating Plan within
24 hours of meeting an event type
threshold for reporting. [Violation Risk
Factor: Medium] [Time Horizon:
Operations Assessment]
M2. Each Responsible Entity will have as
evidence of reporting an event, copy of
the completed EOP-004-2 Attachment
2 form or a DOE-OE-417 form; and
evidence of submittal (e.g., operator log
or other operating documentation,
voice recording, electronic mail
message, or confirmation of facsimile)
demonstrating the event report was
submitted within 24 hours of meeting
the threshold for reporting. (R2)
R3. Each Responsible Entity shall validate all
contact information contained in the
Operating Plan pursuant to Requirement
R1 each calendar year. [Violation Risk
Factor: Medium] [Time Horizon:
Operations Planning]
M3. Each Responsible Entity will have dated
records to show that it validated all
contact information contained in the
Operating Plan each calendar year. Such
evidence may include, but are not limited
to, dated voice recordings and operating
logs or other communication
documentation. (R3)
Rationale for R2
Each Responsible Entity must report and
communicate events according to its
Operating Plan based on the information in
EOP-004-2 Attachment 1. By
implementing the event reporting Operating
Plan the Responsible Entity will assure
situational awareness to the Electric
Reliability Organization so that they may
develop trends and prepare for a possible
next event and mitigate the current event.
This will assure that the BES remains
secure and stable by mitigation actions that
the Responsible Entity has within its
function. By communicating events per the
Operating Plan, the Responsible Entity will
assure that people/agencies are aware of the
current situation and they may prepare to
mitigate current and further events.
Rationale for R3
Requirement 3 calls for the Responsible
Entity to validate the contact information
contained in the Operating Plan each
calendar year. This requirement helps
ensure that the event reporting Operating
Plan is up to date and entities will be
able to effectively report events to assure
situational awareness to the Electric
Reliability Organization. If an entity
experiences an actual event,
communication evidence from the event
may be used to show compliance with
the validation requirement for the
specific contacts used for the event.
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
The Regional Entity shall serve as the Compliance Enforcement Authority (CEA)
unless the applicable entity is owned, operated, or controlled by the Regional Entity.
In such cases the ERO or a Regional Entity approved by FERC or other applicable
governmental authority shall serve as the CEA.
1.2 Evidence Retention
The Responsible Entity shall keep data or evidence to show compliance as
identified below unless directed by its Compliance Enforcement Authority to
retain specific evidence for a longer period of time as part of an investigation:
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time since
the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period since
the last audit.
• Each Responsible Entity shall retain the current Operating Plan plus each
version issued since the last audit for Requirements R1, and Measure M1.
• Each Responsible Entity shall retain evidence of compliance since the last
audit for Requirements R2, R3 and Measure M2, M3.
If a Responsible Entity is found non-compliant, it shall keep information related
to the non-compliance until mitigation is complete and approved or for the duration
specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
requested and submitted subsequent audit records.
1.3 Compliance Monitoring and Enforcement Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
1.4 Additional Compliance Information
None
Table of Compliance Elements
R#: R1
Time Horizon: Operations Planning
VRF: Lower
Violation Severity Levels
Lower VSL: N/A
Moderate VSL: N/A
High VSL: N/A
Severe VSL: The Responsible Entity failed to have an event reporting Operating Plan.
R#: R2
Time Horizon: Operations Assessment
VRF: Medium
Violation Severity Levels
Lower VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 24 hours but less than or equal to 36 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to one entity identified in its event reporting Operating Plan within 24 hours.
Moderate VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 36 hours but less than or equal to 48 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to two entities identified in its event reporting Operating Plan within 24 hours.
High VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 48 hours but less than or equal to 60 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to three entities identified in its event reporting Operating Plan within 24 hours.
Severe VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 60 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to four or more entities identified in its event reporting Operating Plan within 24 hours.
OR
The Responsible Entity failed to submit a report for an event in EOP-004 Attachment 1.
R#: R3
Time Horizon: Operations Planning
VRF: Medium
Violation Severity Levels
Lower VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by less than one calendar month.
OR
The Responsible Entity validated 75% or more of the contact information contained in the Operating Plan.
Moderate VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by one calendar month or more but less than two calendar months.
OR
The Responsible Entity validated 50% and less than 75% of the contact information contained in the Operating Plan.
High VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by two calendar months or more but less than three calendar months.
OR
The Responsible Entity validated 25% and less than 50% of the contact information contained in the Operating Plan.
Severe VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by three calendar months or more.
OR
The Responsible Entity validated less than 25% of contact information contained in the Operating Plan.
D. Variances
None.
E. Interpretations
None.
F. References
Guideline and Technical Basis (attached)
EOP-004 - Attachment 1: Reportable Events
NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may not be possible to report the damage caused by
an event and issue a written Event Report within the timing in the table below. In such cases, the affected Responsible Entity shall
notify parties per Requirement R2 and provide as much information as is available at the time of the notification. Submit reports to
the ERO via one of the following: e-mail: systemawareness@nerc.net or Voice: 404-446-9780.
Rationale Box for EOP-004 Attachment 1:
The DSR SDT used the defined term “Facility” to add clarity for several events listed in Attachment 1.
A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a
line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any other facility
(not a defined term) that one might consider in everyday discussions regarding the grid. This is
intended to mean ONLY a Facility as defined above.
Submit EOP-004 Attachment 2 (or DOE-OE-417) pursuant to Requirements R1 and R2.
Event Type | Entity with Reporting Responsibility | Threshold for Reporting
Damage or destruction of a Facility | RC, BA, TOP | Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator Area that results in actions to avoid a BES Emergency.
Damage or destruction of a Facility | BA, TO, TOP, GO, GOP, DP | Damage or destruction of its Facility that results from actual or suspected intentional human action.
Physical threats to a Facility | BA, TO, TOP, GO, GOP, DP | Physical threat to its Facility excluding weather or natural disaster related threats, which has the potential to degrade the normal operation of the Facility. OR Suspicious device or activity at a Facility. Do not report theft unless it degrades normal operation of a Facility.
Physical threats to a BES control center | RC, BA, TOP | Physical threat to its BES control center, excluding weather or natural disaster related threats, which has the potential to degrade the normal operation of the control center. OR Suspicious device or activity at a BES control center.
BES Emergency requiring public appeal for load reduction | Initiating entity is responsible for reporting | Public appeal for load reduction event.
BES Emergency requiring system-wide voltage reduction | Initiating entity is responsible for reporting | System wide voltage reduction of 3% or more.
BES Emergency requiring manual firm load shedding | Initiating entity is responsible for reporting | Manual firm load shedding ≥ 100 MW.
BES Emergency resulting in automatic firm load shedding | DP, TOP | Automatic firm load shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding schemes, or SPS/RAS).
Voltage deviation on a Facility | TOP | Observed within its area a voltage deviation of ± 10% of nominal voltage sustained for ≥ 15 continuous minutes.
IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only) | RC | Operate outside the IROL for time greater than IROL Tv (all Interconnections) or Operate outside the SOL for more than 30 minutes for Major WECC Transfer Paths (WECC only).
Loss of firm load | BA, TOP, DP | Loss of firm load for ≥ 15 Minutes: ≥ 300 MW for entities with previous year’s demand ≥ 3,000 MW OR ≥ 200 MW for all other entities
System separation (islanding) | RC, BA, TOP | Each separation resulting in an island ≥ 100 MW
Generation loss | BA, GOP | Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern or Western Interconnection OR ≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection
Complete loss of off-site power to a nuclear generating plant (grid supply) | TO, TOP | Complete loss of off-site power affecting a nuclear generating station per the Nuclear Plant Interface Requirement
Transmission loss | TOP | Unexpected loss, contrary to design, of three or more BES Elements caused by a common disturbance (excluding successful automatic reclosing).
Unplanned BES control center evacuation | RC, BA, TOP | Unplanned evacuation from BES control center facility for 30 continuous minutes or more.
Complete loss of voice communication capability | RC, BA, TOP | Complete loss of voice communication capability affecting a BES control center for 30 continuous minutes or more.
Complete loss of monitoring capability | RC, BA, TOP | Complete loss of monitoring capability affecting a BES control center for 30 continuous minutes or more such that analysis capability (i.e., State Estimator or Contingency Analysis) is rendered inoperable.
EOP-004 - Attachment 2: Event Reporting Form
Use this form to report events. The Electric Reliability Organization will accept the DOE OE-417
form in lieu of this form if the entity is required to submit an OE-417 report. Submit reports to
the ERO via one of the following: e-mail: systemawareness@nerc.net voice: 404-446-9780.
Task | Comments
1. Entity filing the report include:
   Company name:
   Name of contact person:
   Email address of contact person:
   Telephone Number:
   Submitted by (name):
2. Date and Time of recognized event.
   Date: (mm/dd/yyyy)
   Time: (hh:mm)
   Time/Zone:
3. Did the event originate in your system?
   Yes
   No
   Unknown
4. Event Identification and Description:
   (Check applicable box)
   Damage or destruction of a Facility
   Physical Threat to a Facility
   Physical Threat to a control center
   BES Emergency:
      public appeal for load reduction
      system-wide voltage reduction
      manual firm load shedding
      automatic firm load shedding
   Voltage deviation on a Facility
   IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only)
   Loss of firm load
   System separation
   Generation loss
   Complete loss of off-site power to a nuclear generating plant (grid supply)
   Transmission loss
   unplanned control center evacuation
   Complete loss of voice communication capability
   Complete loss of monitoring capability
   Written description (optional):
Guideline and Technical Basis
Summary of Key Concepts
The DSR SDT identified the following principles to assist them in developing the standard:
• Develop a single form to report disturbances and events that threaten the reliability of the
Bulk Electric System
• Investigate other opportunities for efficiency, such as development of an electronic form
and possible inclusion of regional reporting requirements
• Establish clear criteria for reporting
• Establish consistent reporting timelines
• Provide clarity around who will receive the information and how it will be used
During the development of concepts, the DSR SDT considered the FERC directive to “further
define sabotage”. There was concern among stakeholders that a definition may be ambiguous
and subject to interpretation. Consequently, the DSR SDT decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act or
event was sabotage or vandalism without the intervention of law enforcement. The DSR SDT
felt that attempting to define sabotage would result in further ambiguity with respect to reporting
events. The term “sabotage” is no longer included in the standard. The events listed in EOP-004
Attachment 1 were developed to provide guidance for reporting both actual events as well as
events which may have an impact on the Bulk Electric System. The DSR SDT believes that this
is an equally effective and efficient means of addressing the FERC Directive.
The types of events that are required to be reported are contained within EOP-004 Attachment 1.
The DSR SDT has coordinated with the NERC Events Analysis Working Group to develop the
list of events that are to be reported under this standard. EOP-004 Attachment 1 pertains to those
actions or events that have impacted the Bulk Electric System. These events were previously
reported under EOP-004-1, CIP-001-1 or the Department of Energy form OE-417. EOP-004
Attachment 1 covers similar items that may have had an impact on the Bulk Electric System or
have the potential to have an impact and should be reported.
The DSR SDT wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in EOP-004 Attachment 1. Real-time communication
is covered in other standards. The proposed standard deals exclusively with after-the-fact reporting.
Data Gathering
The requirements of EOP-004-1 require that entities “promptly analyze Bulk Electric System
disturbances on its system or facilities” (Requirement R2). The requirements of EOP-004-2
specify that certain types of events are to be reported but do not include provisions to analyze
events. Events reported under EOP-004-2 may trigger further scrutiny by the ERO Events
Analysis Program. If warranted, the Events Analysis Program personnel may request that more
data for certain events be provided by the reporting entity or other entities that may have
experienced the event. Entities are encouraged to become familiar with the Events Analysis
Program and the NERC Rules of Procedure to learn more about the expectations of the
program.
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to improve the reliability of the Bulk Electric System
by requiring the reporting of events by Responsible Entities. Certain outages, such as those due
to vandalism and terrorism, may not be reasonably preventable. These are the types of events
that should be reported to law enforcement. Entities rely upon law enforcement agencies to
respond to and investigate those events which have the potential to impact a wider area of the
BES. The inclusion of reporting to law enforcement enables and supports reliability principles
such as protection of the Bulk Electric System from malicious physical or cyber attack. The
Standard is intended to reduce the risk of Cascading events. Awareness of the threats around
the BES is essential to effective operation and to planning that mitigates the potential
risk to the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO), Regional Entity
• FERC
• DOE
• NRC
• DHS – Federal
• Homeland Security- State
• State Regulators
• Local Law Enforcement
• State or Provincial Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP)
The above stakeholders have an interest in the timely notification, communication and response
to an incident at a Facility. The stakeholders have various levels of accountability and have a
vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001-1a:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The CIP-001-1a standard requires a liaison relationship on behalf of the
industry and the FBI or RCMP. These requirements, under the standard, of the industry have not
been clear and have led to misunderstandings and confusion in the industry as to how to
demonstrate that the liaison is in place and effective. As an example of proof of compliance with
Requirement R4, Responsible Entities have asked FBI Office personnel to provide, on FBI
letterhead, confirmation of the existence of a working relationship to report acts of sabotage, the
number of years the liaison relationship has been in existence, and the validity of the telephone
numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, committed
investigators, analysts, linguists, SWAT experts, and other specialists from dozens of U.S. law
enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the Justice
Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communications occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flow freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to an industry incident has come from local and state law enforcement agencies
responding to suspected vandalism and criminal damage at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The Provincial
law enforcement agency has a reporting relationship with the Royal Canadian Mounted Police
(RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator and the
SDT Chair is reflected in the flowchart below (Reporting Hierarchy for Reportable Events).
Essentially, reporting an event to law enforcement agencies will only require the industry to
notify the state or provincial or local level law enforcement agency. The state or provincial or
local level law enforcement agency will coordinate with law enforcement with jurisdiction to
investigate. If the state or provincial or local level law enforcement agency decides federal
agency law enforcement or the RCMP should respond and investigate, the state or provincial or
local level law enforcement agency will notify and coordinate with the FBI or the RCMP.
Example of Reporting Process including Law Enforcement
[Flowchart. Boxes and decision points, in the order extracted: Entity Experiencing An Event in Attachment 1; Report to Law Enforcement? (NO / YES); Refer to Ops Plan for Reporting; Refer to Ops Plan for communicating to law enforcement; Communicate to Law Enforcement; Report Event to ERO, Reliability Coordinator; Notification Protocol to State Agency Law Enforcement; ERO conducts investigation; State Agency Law Enforcement coordinates as appropriate with FBI; ERO Events Analysis; Criminal act invoking federal jurisdiction? (NO / YES); ERO Reports Applicable Events to FERC Per Rules of Procedure; State Agency Law Enforcement Investigates; State Agency Law Enforcement notifies FBI; FBI Responds and makes notification to DHS]
* Canadian entities will follow law enforcement protocols applicable in their jurisdictions
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and has
developed updated standards based on the SAR.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The changes do not include any real-time operating notifications for the types of events covered
by CIP-001 and EOP-004. The real-time reporting requirements are achieved through the RCIS
and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies). These
standards deal exclusively with after-the-fact reporting.
The DSR SDT has consolidated disturbance and sabotage event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard:
• Requires reporting of “events” that impact or may impact the reliability of the Bulk
Electric System
• Provides clear criteria for reporting
• Includes consistent reporting timelines
• Identifies appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provides clarity around who will receive the information
Discussion of Disturbance Reporting
Disturbance reporting requirements existed in the previous version of EOP-004. The current
approved definition of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria were in the previous EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of events that are to be reported under this standard (EOP-004 Attachment 1).
Discussion of Event Reporting
There are situations worthy of reporting because they have the potential to impact reliability.
Event reporting facilitates industry awareness, which allows potentially impacted parties to
prepare for and possibly mitigate any associated reliability risk. It also provides the raw material,
in the case of certain potential reliability threats, to see emerging patterns.
Examples of such events include:
• Bolts removed from transmission line structures
• Train derailment adjacent to a Facility that either could have damaged a Facility directly
or could indirectly damage a Facility (e.g. flammable or toxic cargo that could pose fire
hazard or could cause evacuation of a control center)
• Destruction of Bulk Electric System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electric System using the event
categorization in this standard, it will be easier to get the relevant information for mitigation,
awareness, and tracking, while removing the distracting element of motivation.
Certain types of events should be reported to NERC, the Department of Homeland Security
(DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law enforcement.
Other types of events may have different reporting requirements. For example, an event that is
related to copper theft may only need to be reported to the local law enforcement authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. The standard requires Functional entities to report the
incidents and provide known information at the time of the report. Further data gathering
necessary for event analysis is provided for under the Events Analysis Program and the NERC
Rules of Procedure. Other entities (e.g., NERC, Law Enforcement, etc.) will be responsible for
performing the analyses. The NERC Rules of Procedure (section 800) provide an overview of
the responsibilities of the ERO with regard to analysis and dissemination of information for
reliability. Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial
Regulators, and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT has updated the listing of reportable events in EOP-004
Attachment 1 based on discussions with jurisdictional agencies, NERC, Regional Entities and
stakeholder input. There is a possibility that regional differences still exist.
The reporting required by this standard is intended to meet the uses and purposes of NERC. The
DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information should not be
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be sent to the NERC in lieu of entering
that information on the NERC report.
EOP-004-2 — Event Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April, 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
5. Initial Informal Comment Period (September 15 – October 15, 2010)
6. Second Comment Period (Formal) (March 9 – April 8, 2011)
7. Third Comment Period and Initial Ballot (October 28 – December 12, 2011)
8. Fourth Comment Period and Successive Ballot (April 25 – May 24, 2012).
Proposed Action Plan and Description of Current Draft
This is the fifth posting of the proposed standard in accordance with Results-Based Criteria.
The drafting team requests posting for a 30-day formal comment period concurrent with the
formation of the ballot pool and the successive ballot.
Future Development Plan
Anticipated Actions
Drafting team considers comments, makes conforming changes on
fourththird posting
Anticipated Date
Juneanuary AugustMarch 2012
Fourth Comment/Ballot period
March –
AprilAugust September 2012
OctoberMay 2012
Recirculation Ballot period
Receive BOT approval
File with regulatory authorities
NovemberJune
2012
DecemberAugust
2012
Effective Dates
EOP-004-2 shall become effective on the first day of the first calendar quarter that is six
months beyond the date that this standard is approved by applicable regulatory authorities.
In those jurisdictions where no regulatory approval is required, this standard shall become
effective on the first day of the first calendar quarter that is six months beyond the date
this standard is approved by the NERC Board of Trustees, or as otherwise made effective
pursuant to the laws applicable to such ERO governmental authorities.
Version History
Version: 2
Date:
Action: Merged CIP-001-2a Sabotage Reporting and EOP-004-1 Disturbance Reporting
into EOP-004-2 Event Reporting; Retire CIP-001-2a Sabotage Reporting and
Retired EOP-004-1 Disturbance Reporting. Retire CIP-008-3, Requirement 1, Part 1.3.
Change Tracking: Revision to entire standard (Project 2009-01)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
None
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
A. Introduction
1. Title: Event Reporting
2. Number: EOP-004-2
3. Purpose: To improve the reliability of the Bulk Electric System by requiring the
reporting of events by Responsible Entities.
4. Applicability
4.1. Functional Entities: Within the context of EOP-004-2, the term “Responsible
Entity” shall include the following entities as shown in EOP-004 Attachment 1:
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Interchange Coordinator
4.1.4. Transmission Service Provider
4.1.5.4.1.3.
Transmission Owner
4.1.6.4.1.4.
Transmission Operator
4.1.7.4.1.5.
Generator Owner
4.1.8.4.1.6.
Generator Operator
4.1.9.4.1.7.
Distribution Provider
4.1.10. Load Serving Entity
4.1.11. Electric Reliability Organization
4.1.12. Regional Entity
5. Background:
NERC established a SAR Team in 2009 to investigate and propose revisions to the CIP-001 and
EOP-004 Reliability Standards. The team was asked to consider the following:
1. CIP-001 could be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 had some ‘fill-in-the-blank’ components to eliminate.
The development included other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient Bulk Electric System reliability standards.
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC SC in August of 2009. The Disturbance and Sabotage Reporting
Standard Drafting Team (DSR SDT) was formed in late 2009.
The DSR SDT developed a concept paper to solicit stakeholder input regarding the proposed
reporting concepts that the DSR SDT had developed. The posting of the concept paper sought
comments from stakeholders on the “road map” that will be used by the DSR SDT in updating or
revising CIP-001 and EOP-004. The concept paper provided stakeholders the background
information and thought process of the DSR SDT. The DSR SDT has reviewed the existing
standards, the SAR, issues from the NERC issues database and FERC Order 693 Directives in
order to determine a prudent course of action with respect to revision of these standards.
Summary of Key Concepts
The DSR SDT identified the following principles to assist them in developing the standard:
• Develop a single form to report disturbances and events that threaten the reliability of the
Bulk Electric System
• Investigate other opportunities for efficiency, such as development of an electronic form
and possible inclusion of regional reporting requirements
• Establish clear criteria for reporting
• Establish consistent reporting timelines
• Provide clarity around who will receive the information and how it will be used
During the development of concepts, the DSR SDT considered the FERC directive to “further
define sabotage”. There was concern among stakeholders that a definition may be ambiguous
and subject to interpretation. Consequently, the DSR SDT decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act or
event was sabotage or vandalism without the intervention of law enforcement. The DSR SDT
felt that attempting to define sabotage would result in further ambiguity with respect to reporting
events. The term “sabotage” is no longer included in the standard. The events listed in EOP-004
Attachment 1 were developed to provide guidance for reporting both actual events as well as
events which may have an impact on the Bulk Electric System. The DSR SDT believes that this
is an equally effective and efficient means of addressing the FERC Directive.
The types of events that are required to be reported are contained within EOP-004 Attachment 1.
The DSR SDT has coordinated with the NERC Events Analysis Working Group to develop the
list of events that are to be reported under this standard. EOP-004 Attachment 1 pertains to those
actions or events that have impacted the Bulk Electric System. These events were previously
reported under EOP-004-1, CIP-001-1 or the Department of Energy form OE-417. EOP-004
Attachment 1 covers similar items that may have had an impact on the Bulk Electric System or
have the potential to have an impact and should be reported.
The DSR SDT wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in EOP-004 Attachment 1. Real-time reporting is
achieved through the RCIS and is covered in other standards (e.g. the TOP family of standards).
The proposed standard deals exclusively with after-the-fact reporting.
Data Gathering
The requirements of EOP-004-1 require that entities “promptly analyze Bulk Electric System
disturbances on its system or facilities” (Requirement R2). The requirements of EOP-004-2
specify that certain types of events are to be reported but do not include provisions to analyze
events. Events reported under EOP-004-2 may trigger further scrutiny by the ERO Events
Analysis Program. If warranted, the Events Analysis Program personnel may request that more
data for certain events be provided by the reporting entity or other entities that may have
experienced the event. Entities are encouraged to become familiar with the Events Analysis
Program and the NERC Rules of Procedure to learn more about the expectations of the
program.
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by
effectively reporting events. Certain outages, such as those due to vandalism and terrorism, may
not be reasonably preventable. These are the types of events that should be reported to law
enforcement. Entities rely upon law enforcement agencies to respond to and investigate those
events which have the potential to impact a wider area of the BES. The inclusion of reporting to
law enforcement enables and supports reliability principles such as protection of Bulk Electric
System from malicious physical or cyber attack. The Standard is intended to reduce the risk of
Cascading events. The importance of BES awareness of the threat around them is essential to the
effective operation and planning to mitigate the potential risk to the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO), Regional Entity
• FERC
• DOE
• NRC
• DHS – Federal
• Homeland Security- State
• State Regulators
• Local Law Enforcement
• State or Provincial Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP)
The above stakeholders have an interest in the timely notification, communication and response
to an incident at an industry facility. The stakeholders have various levels of accountability and
have a vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001-1a:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The CIP-001-1a standard requires a liaison relationship on behalf of the
industry and the FBI or RCMP. Annual requirements, under the standard, of the industry have
not been clear and have led to misunderstandings and confusion in the industry as to how to
demonstrate that the liaison is in place and effective. As an example of proof of compliance with
Requirement R4, responsible entities have asked FBI Office personnel to provide, on FBI
letterhead, confirmation of the existence of a working relationship to report acts of sabotage, the
number of years the liaison relationship has been in existence, and the validity of the telephone
numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, committed
investigators, analysts, linguists, SWAT experts, and other specialists from dozens of U.S. law
enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the Justice
Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communications occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flows freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to suspected vandalism and criminal damages at industry facilities has come
from local and state law enforcement agencies. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The Provincial
law enforcement agency has a reporting relationship with the Royal Canadian Mounted Police
(RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator and the
SDT Chair is reflected in the flowchart below (Reporting Hierarchy for Reportable Events).
Essentially, reporting an event to law enforcement agencies will only require the industry to
notify the state or provincial or local level law enforcement agency. The state or provincial or
local level law enforcement agency will coordinate with law enforcement with jurisdiction to
investigate. If the state or provincial or local level law enforcement agency decides federal
agency law enforcement or the RCMP should respond and investigate, the state or provincial or
local level law enforcement agency will notify and coordinate with the FBI or the RCMP.
[Figure: Example of Reporting Process including Law Enforcement. Flowchart boxes: Entity
Experiencing An Event in Attachment 1; Report to Law Enforcement? (YES/NO); Refer to Ops Plan
for Reporting; Refer to Ops Plan for communicating to law enforcement; Communicate to Law
Enforcement; Report Event to ERO, Reliability Coordinator; Notification Protocol to State
Agency Law Enforcement; ERO conducts investigation; State Agency Law Enforcement coordinates
as appropriate with FBI *; ERO Events Analysis; Criminal act invoking federal jurisdiction?
(YES/NO); ERO Reports Applicable Events to FERC Per Rules of Procedure; State Agency Law
Enforcement Investigates; State Agency Law Enforcement notifies FBI; FBI Responds and makes
notification to DHS.]
* Canadian entities will follow law enforcement protocols applicable in their jurisdictions
B. Requirements and Measures
R1. Each Responsible Entity shall
have an event reporting Operating
Plan in accordance with EOP-004-2
Attachment 1 that includes the
protocol(s) for reporting to the
Electric Reliability Organization and
other organizations (e.g., the regional
entity, company personnel, the
Responsible Entity’s Reliability
Coordinator, law enforcement, or
governmental authority).that
includes: [Violation Risk: Factor:
Lower] [Time Horizon: Operations
Planning]
1.1. A process for recognizing
each of the applicable events
listed in EOP-004
Attachment 1(except for
Cyber Security Incidents
characterized and classified
according to the
requirements in CIP-008-3 or
its successor).
1.2. A process for
communicating each of the
applicable events listed in
EOP-004 Attachment 1 in
accordance with the
timeframes specified in
EOP-004 Attachment 1 to
the Electric Reliability
Organization and other
organizations needed for the
event type; i.e. the Regional
Entity; company personnel;
the Responsible Entity’s
Reliability Coordinator; law
enforcement, governmental
or provincial agencies.
Rationale for R1
The requirement to have an Operating Plan for
reporting specific types of events provides the entity
with a method to have its operating personnel
recognize events that affect reliability and to be able
to report them to appropriate parties; i.e. Regional
Entities, applicable Reliability Coordinators, and
law enforcement and other jurisdictional agencies
when so recognized. In addition, these event reports
are an input to the NERC Events Analysis Program.
These other parties use this information to promote
reliability, develop a culture of reliability
excellence, provide industry collaboration and
promote a learning organization.
Every industry participant that owns or operates
elements or devices on the grid has a formal or
informal process, procedure, or steps it takes to
gather information regarding what happened when
events occur. This requirement has the Responsible
Entity establish documentation on how that
procedure, process, or plan is organized. This
documentation may be a single document or a
combination of various documents that achieve the
reliability objective.
Part 1.1 clarifies that entities must address each of
the “applicable” events listed in EOP-004
Attachment 1. Not all responsible entities must
address all events; e.g., some events are only
applicable to the Reliability Coordinator. Part 1.1
acknowledges that Cyber Security Incidents are
characterized and classified according to the
requirements in CIP-008-3.
Part 1.2The protocol(s) could include a process
flowchart, identification of internal and external
personnel or entities to be notified, or a list of
personnel by name and their associated contact
information.
An existing procedure that meets the requirements
of CIP-001-2a may be included in this Operating
Plan along with other processes, procedures or plans
to meet this requirement.
M1. Each Responsible Entity will have a current, dated, event reporting Operating Plan that
includes, but is not limited to the protocol(s), thresholds for reporting, and each organization
identified to receive an event report for event types specified in EOP-004-2 Attachment 1 and in
accordance with the entity responsible for reportingwhich includes Parts 1.1 – 1.2.
R2. Each Responsible Entity shall report
implement its events per their reporting
Operating Plan within 24 hours of meeting
an event type threshold for reportingfor
applicable events listed in EOP-004
Attachment 1, and in accordance with the
timeframe specified in EOP-004
Attachment 1. [Violation Risk Factor:
Medium] [Time Horizon: Operations
Assessment]
M2. Each Responsible Entity will have as
evidence of reporting an event, copy of
the completed EOP-004-2 Attachment 2
form or a DOE-OE-417 form; and
evidence of submittal (e.g., operator log or
other operating documentation, voice
recording, electronic mail message, or
confirmation of facsimile) demonstrating
the event report was submitted within 24
hours of meeting the threshold for
reporting, for each event experienced, a
dated copy of the completed EOP-004
Attachment 2 form or DOE form OE-417
report submitted for that event; and dated
and time-stamped transmittal records to
show that the event was reported
supplemented by operator logs or other
operating documentation. Other forms of
evidence may include, but are not limited
to, dated and time stamped voice
recordings and operating logs or other
operating documentation for situations
where filing a written report was not
possible. (R2)
R3. Each Responsible Entity shall validate all
contact information contained in the
Operating Plan pursuant to Requirement
R1 each calendar yearconduct an annual
test, not including notification to the
Electric Reliability Organization, of the
communications process in Part 1.2.
[Violation Risk Factor: Medium] [Time
Horizon: Operations Planning]
Rationale for R2
Each Responsible Entity must report and
communicate events according to its
Operating Plan after the fact based on the
information in EOP-004 Attachment 1.
By implementing the event reporting
Operating Plan, the Responsible Entity
will assure situational awareness to the
Electric Reliability Organization and
other organizations needed for the event
type; i.e. the Regional Entity; company
personnel; the Responsible Entity’s
Reliability Coordinator; law
enforcement, governmental or provincial
agencies as deemed necessary by the
Registered Entity. By communicating
events per the Operating Plan, the
Responsible Entity will assure that
people/agencies are aware of the current
situation and they may prepare to
mitigate current and further events.
Rationale for R3 and R4
Requirements 3 and 4 calls for the
Responsible Entity to validate the
contact information contained in the
Operating Plan each calendar year. This
requirement helps ensure that the event
reporting Operating Plan is up to date
and entities will be able to effectively
report events to assure situational
awareness to the Electric Reliability
Organization. If an entity experiences an
actual event, communication evidence
from the event may be used to show
compliance with the validation
requirement for the specific contacts
used for the eventannual test of the
communications process in Part 1.2 as
well as an annual review of the event
reporting Operating Plan. These two
requirements help ensure that the event
reporting Operating Plan is up to date
and entities will be effective in reporting
events to assure situational awareness to
the Electric Reliability Organization and
their Reliability Coordinator . This will
assure that the BES remains secure and
stable by mitigation actions that the
Reliability Coordinator has within its
function.
M3. Each Responsible Entity will have dated records to show that it validated all contact
information contained in the Operating Plan each calendar year. Such evidence may
include, but are not limited to, dated voice recordings and operating logs or other
communication documentationand time-stamped records to show that the annual test of
Part 1.2 was conducted. Such evidence may include, but are not limited to, dated and time
stamped voice recordings and operating logs or other communication documentation. The
annual test requirement is considered to be met if the responsible entity implements the
communications process in Part 1.2 for an actual event. (R3)
R4. Each Responsible Entity shall conduct an annual review of the event reporting Operating
Plan in Requirement R1. [Violation Risk Factor: Medium] [Time Horizon: Operations
Planning]
M4. Each Responsible Entity will have dated and time-stamped records to show that the annual
review of the event reporting Operating Plan was conducted. Such evidence may include,
but are not limited to, the current document plus the ‘date change page’ from each version
that was reviewed. (R4)
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
The Regional Entity shall serve as the Compliance Enforcement Authority (CEA)
unless the applicable entity is owned, operated, or controlled by the Regional Entity.
In such cases the ERO or a Regional eEntity approved by FERC or other applicable
governmental authority shall serve as the CEA.
For NERC, a third-party monitor without vested interest in the outcome for
NERC shall serve as the Compliance Enforcement Authority.
1.2 Evidence Retention
The [responsible entity] shall keep data or evidence to show compliance as
identified below unless directed by its Compliance Enforcement Authority to
retain specific evidence for a longer period of time as part of an investigation:
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time since
the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period since
the last audit.
• Each Responsible Entity shall retain the current Operating Plan plus each
version issued since the last audit for Requirements R1, and Measure M1.
• Each Responsible Entity shall retain evidence of compliance since the last
audit for Requirements R2, R3 and Measure M2, M3.
Each Responsible Entity shall retain the current, document plus the ‘date change
page’ from each version issued since the last audit for Requirements R1, R4 and
Measures M1, M4.
Each Responsible Entity shall retain evidence from prior 3 calendar years for
Requirements R2, R3 and Measure M2, M3.
If a Registered Entity is found non-compliant, it shall keep information related to
the non-compliance until mitigation is complete and approved or for the duration
specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
requested and submitted subsequent audit records.
1.3 Compliance Monitoring and Enforcement Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
1.4 Additional Compliance Information
None
Table of Compliance Elements
R#
Time
Horizon
VRF
Violation Severity Levels
Lower VSL
Moderate VSL
High VSL
Severe VSL
R1
Operations
Planning
Lower
N/A
N/A
The Responsible Entity The Responsible Entity
has an event reporting failed to include both
Operating Plan but
Parts 1.1 and 1.2.
failed to include one of
Parts 1.1 through
1.2.N/A
R2
Operations
Assessment
Medium
The Responsible Entity
submitted a report
(e.g., written or verbal)
to all required
recipients more than
24 hours but less than
or equal to 36 hours
after meeting an event
threshold for
reportingan event
requiring reporting
within 24 hours in
EOP-004 Attachment
1.
The Responsible Entity
submitted a report
(e.g., written or verbal)
to all required
recipients more than
36 hours but less than
or equal to 48 hours
after meeting an event
threshold for
reportingan event
requiring reporting
within 24 hours in
EOP-004 Attachment
1.
The Responsible Entity
submitted a report
(e.g., written or verbal)
to all required
recipients more than 48
hours but less than or
equal to 60 hours after
meeting an event
threshold for reporting
an event requiring
reporting within 24
hours in EOP-004
Attachment 1.
The Responsible Entity
submitted a report
(e.g., written or verbal)
to all required
recipients more than
60 hours after meeting
an event threshold for
reportingan event
requiring reporting
within 24 hours in
EOP-004 Attachment
1.
OR
The Responsible Entity
failed to submit an
event report (e.g.,
written or verbal) to
four or more entities
identified in its event
OR
The Responsible Entity
OR
The Responsible Entity failed to submit an
failed to submit an
event report (e.g.,
event report (e.g.,
written or verbal) to
The Responsible Entity written or verbal) to
three entities identified
OR
R3
Operations
Planning
Medium
submitted an event
report (e.g., written or
verbal) to one entity
identified in the event
report Operating Plan
within 24 hours. in the
appropriate timeframe
but failed to provide all
of the required
information.
two entities identified
in its event reporting
Operating Plan within
24 hours..The
Responsible Entity
submitted a report
more than 1 hour but
less than 2 hours after
an event requiring
reporting within 1 hour
in EOP-004
Attachment 1.
in its event reporting
reporting Operating
Operating Plan within Plan within 24
24 hours.The
hours.The Responsible
Responsible Entity
Entity submitted a
submitted a report in
report more than 3
more than 2 hours but
hours after an event
less than 3 hours after
requiring reporting
an event requiring
within 1 hour in EOPreporting within 1 hour 004 Attachment 1.
in EOP-004
OR
Attachment 1.
The Responsible Entity
failed to submit a
report for an event in
EOP-004 Attachment
1.
The Responsible Entity
validated all contact
information contained
in the Operating Plan
but was late by less
than one calendar
month.
The Responsible Entity
validated all contact
information contained
in the Operating Plan
but was late by one
calendar month or
more but less than two
calendar months.
OR
The Responsible Entity The Responsible Entity
validated all contact
validated all contact
information contained information contained
in the Operating Plan
in the Operating Plan
but was late by two
but was late by three
calendar months or
calendar months or
more but less than
more.
three calendar months. OR
OR
The Responsible Entity
The Responsible Entity
validated 50% and less
than 75% of the
contact information
contained in the
Operating Plan.The
Responsible Entity
The Responsible Entity
validated 25% and less
than 50% of the
contact information
contained in the
Operating Plan. The
Responsible Entity
OR
The Responsible Entity
validated 75% or more
of the contact
information contained
in the Operating Plan.
The Responsible Entity
performed the annual
test of the
validated less than
25% of contact
information contained
in the Operating Plan.
The Responsible Entity
performed the annual
test of the
communications
process in Part 1.2 but
was late by less than
one calendar month.
R4
Operations
Planning
Medium
The Responsible Entity
performed the annual
review of the event
reporting Operating
Plan but was late by
less than one calendar
month.
performed the annual
test of the
communications
process in Part 1.2 but
was late by one
calendar month or
more but less than two
calendar months.
performed the annual
test of the
communications
process in Part 1.2 but
was late by two
calendar months or
more but less than
three calendar months.
The Responsible Entity
performed the annual
review of the event
reporting Operating
Plan but was late by
one calendar month or
more but less than two
calendar months.
The Responsible Entity
performed the annual
review of the event
reporting Operating
Plan but was late by
two calendar months or
more but less than
three calendar months.
communications
process in Part 1.2 but
was late by three
calendar months or
more.
OR
The Responsible Entity
failed to perform the
annual test of the
communications
process in Part 1.2.
The Responsible Entity
performed the annual
review of the event
reporting Operating
Plan but was late by
three calendar months
or more.
OR
The Responsible Entity
failed to perform the
annual review of the
event reporting
Operating Plan
D. Variances
None.
E. Interpretations
None.
F. References
Guideline and Technical Basis (attached).
EOP-004 - Attachment 1: Reportable Events
NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may not be possible to report the damage caused by
an event and issue a written Event Report within the timing in the table below. In such cases, the affected Responsible Entity shall
notify parties per Requirement R1 and provide as much information as is available at the time of the notification. Submit reports to
the ERO via one of the following: e-mail: systemawareness@nerc.net or Voice: 404-446-9780. esisac@nerc.com, Facsimile: 609-452-9550, Voice: 609-452-1422.
One Hour Reporting: Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties identified pursuant to
Requirement R1, Part 1.2 within one hour of recognition of the event.
Event: A reportable Cyber Security Incident.
Entity with Reporting Responsibility: Each Responsible Entity applicable under CIP-008-3 or its successor that experiences the Cyber Security Incident
Threshold for Reporting: That meets the criteria in CIP-008-3 or its successor
Rationale Box for EOP-004 Attachment 1:
The DSR SDT used the defined term “Facility” to add clarity for several events listed in Attachment 1.
A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a
line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any other facility
(not a defined term) that one might consider in everyday discussions regarding the grid. This is
intended to mean ONLY a Facility as defined above.
Twenty-four Hour Reporting: Submit EOP-004 Attachment 2 or DOE-OE-417 report to the parties identified pursuant to
Requirements R1 and R2, Part 1.2 within twenty-four hours of recognition of the event.
Event
Damage or destruction of a
Facility
Entity with Reporting Responsibility
Each RC, BA, TO, TOP, GO, GOP, DP that
experiences the damage or destruction of a
Facility
Threshold for Reporting
Damage or destruction of a Facility within its Reliability
Coordinator Area, Balancing Authority Area or Transmission
Operator Area that results in actions to avoid a BES
Emergency.Damage or destruction of a Facility that:
Affects an IROL (per FAC-014)
OR
Results in the need for actions to avoid an Adverse Reliability
Impact
OR
Damage or destruction of a
Facility
BA, TO, TOP, GO, GOP, DP
Any pPhysical threats to that
could impact the operability
of a Facility 1
Each RC, BA, TO, TOP, GO, GOP, DP that
experiences the event
Results from actual or suspected intentional human action.
Damage or destruction of its Facility that results from actual or
suspected intentional human action.
Physical threat to its Facility excluding weather or natural disaster
related threats, which has the potential to degrade the normal
operation of the Facility.
OR
Suspicious device or activity at a Facility.
Do not report theft unless it degrades normal operation of a
1
Examples include a train derailment adjacent to a Facility that either could have damaged a Facility directly or could indirectly damage a Facility (e.g.
flammable or toxic cargo that could pose fire hazard or could cause evacuation of a control center). Also report any suspicious device or activity at a Facility.
Do not report copper theft unless it impacts the operability of a Facility.
Event
Entity with Reporting Responsibility
Threshold for Reporting
Facility.Threat to a Facility excluding weather related threats.
Event: Physical threats to a BES control center
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Physical threat to its BES control center, excluding weather or natural disaster related threats, which has the potential to degrade the normal operation of the control center. OR Suspicious device or activity at a BES control center.

Event: BES Emergency requiring public appeal for load reduction
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: Public appeal for load reduction event

Event: BES Emergency requiring system-wide voltage reduction
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: System wide voltage reduction of 3% or more

Event: BES Emergency requiring manual firm load shedding
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: Manual firm load shedding ≥ 100 MW

Event: BES Emergency resulting in automatic firm load shedding
Entity with Reporting Responsibility: Each DP or TOP that implements automatic load shedding
Threshold for Reporting: Automatic firm load shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding schemes, or SPS/RAS)

Event: Voltage deviation on a Facility
Entity with Reporting Responsibility: Each TOP that observes the voltage deviation
Threshold for Reporting: Observed within its area a voltage deviation of ± 10% sustained for ≥ 15 continuous minutes

Event: IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only)
Entity with Reporting Responsibility: Each RC that experiences the IROL Violation (all Interconnections) or SOL violation for Major WECC Transfer Paths (WECC only)
Threshold for Reporting: Operate outside the IROL for time greater than IROL Tv (all Interconnections) or Operate outside the SOL for more than 30 minutes for Major WECC Transfer Paths (WECC only).

Event: Loss of firm load for ≥ 15 Minutes
Entity with Reporting Responsibility: Each BA, TOP, DP that experiences the loss of firm load
Threshold for Reporting: Loss of firm load for ≥ 15 Minutes:
• ≥ 300 MW for entities with previous year’s demand ≥ 3,000 MW
• ≥ 200 MW for all other entities

Event: System separation (islanding)
Entity with Reporting Responsibility: Each RC, BA, TOP, DP that experiences the system separation
Threshold for Reporting: Each separation resulting in an island of generation and load ≥ 100 MW

Event: Generation loss
Entity with Reporting Responsibility: Each BA, GOP that experiences the generation loss
Threshold for Reporting: Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern or Western Interconnection OR ≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection

Event: Complete loss of off-site power to a nuclear generating plant (grid supply)
Entity with Reporting Responsibility: Each TO, TOP that experiences the complete loss of off-site power to a nuclear generating plant
Threshold for Reporting: Complete loss of off-site power affecting a nuclear generating station per the Nuclear Plant Interface Requirement

Event: Transmission loss
Entity with Reporting Responsibility: Each TOP that experiences the transmission loss
Threshold for Reporting: Unexpected loss, contrary to design, of three or more BES Elements caused by a common disturbance Unintentional loss of three or more Transmission Facilities (excluding successful automatic reclosing)

Event: Unplanned control center evacuation
Entity with Reporting Responsibility: Each RC, BA, TOP that experiences the event
Threshold for Reporting: Unplanned evacuation from BES control center facility for 30 minutes or more.

Event: Complete loss of all voice communication capability
Entity with Reporting Responsibility: Each RC, BA, TOP that experiences the loss of all voice communication capability
Threshold for Reporting: Complete loss of voice communication capability affecting a BES control center for ≥ 30 continuous minutes

Event: Complete or partial loss of monitoring capability
Entity with Reporting Responsibility: Each RC, BA, TOP that experiences the complete or partial loss of monitoring capability
Threshold for Reporting: Complete loss of monitoring capability affecting a BES control center for ≥ 30 continuous minutes such that analysis tools (i.e., State Estimator or Contingency Analysis) are rendered inoperable.
EOP-004 Attachment 2: Event Reporting Form
Use this form to report events. The Electric Reliability Organization and the Responsible Entity’s
Reliability Coordinator will accept the DOE OE-417 form in lieu of this form if the entity is
required to submit an OE-417 report. Submit reports to the ERO via one of the following: e-mail:
systemawareness@nerc.net voice: 404-446-9780 esisac@nerc.com, Facsimile: 609-452-9550,
voice: 609-452-1422.
Task / Comments
1. Entity filing the report include:
   Company name:
   Name of contact person:
   Email address of contact person:
   Telephone Number:
   Submitted by (name):
2. Date and Time of recognized event.
   Date: (mm/dd/yyyy)
   Time: (hh:mm)
   Time/Zone:
3. Did the event originate in your system?
   Yes / No / Unknown
4. Event Identification and Description:
   (Check applicable box)
Damage or destruction of a Facility
Physical Threat to a Facility
Physical Threat to a control center
BES Emergency:
public appeal for load reduction
system-wide voltage reduction
manual firm load shedding
automatic firm load shedding
Voltage deviation on a Facility
IROL Violation (all Interconnections) or
SOL Violation for Major WECC Transfer
Paths (WECC only)
Loss of firm load
System separation
Generation loss
Complete loss of off-site power to a
nuclear generating plant (grid supply)
Transmission loss
unplanned control center evacuation
Complete loss of voice communication
capability
Complete loss of monitoring
capability (Check applicable box)
public appeal
Written description (optional):
voltage reduction
manual firm load shedding
firm load shedding(undervoltage,
underfrequency, SPS/RAS)
voltage deviation
IROL violation
loss of firm load
system separation (islanding)
generation loss
complete loss of off-site power to nuclear
generating plant
transmission loss
damage or destruction of Facility
unplanned control center evacuation
loss of all voice communication capability
complete or partial loss of monitoring
capability
physical threat that could impact the
operability of a Facility
reportable Cyber Security Incident
Guideline and Technical Basis
Summary of Key Concepts
The DSR SDT identified the following principles to assist them in developing the standard:
• Develop a single form to report disturbances and events that threaten the reliability of the
Bulk Electric System
• Investigate other opportunities for efficiency, such as development of an electronic form
and possible inclusion of regional reporting requirements
• Establish clear criteria for reporting
• Establish consistent reporting timelines
• Provide clarity around who will receive the information and how it will be used
During the development of concepts, the DSR SDT considered the FERC directive to “further
define sabotage”. There was concern among stakeholders that a definition may be ambiguous
and subject to interpretation. Consequently, the DSR SDT decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act or
event was sabotage or vandalism without the intervention of law enforcement. The DSR SDT
felt that attempting to define sabotage would result in further ambiguity with respect to reporting
events. The term “sabotage” is no longer included in the standard. The events listed in EOP-004
Attachment 1 were developed to provide guidance for reporting both actual events as well as
events which may have an impact on the Bulk Electric System. The DSR SDT believes that this
is an equally effective and efficient means of addressing the FERC Directive.
The types of events that are required to be reported are contained within EOP-004 Attachment 1.
The DSR SDT has coordinated with the NERC Events Analysis Working Group to develop the
list of events that are to be reported under this standard. EOP-004 Attachment 1 pertains to those
actions or events that have impacted the Bulk Electric System. These events were previously
reported under EOP-004-1, CIP-001-1 or the Department of Energy form OE-417. EOP-004
Attachment 1 covers similar items that may have had an impact on the Bulk Electric System or
have the potential to have an impact and should be reported.
The DSR SDT wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in EOP-004 Attachment 1. Real-time reporting is
achieved through the RCIS and is covered in other standards (e.g. the TOP family of standards).
The proposed standard deals exclusively with after-the-fact reporting.
Data Gathering
The requirements of EOP-004-1 require that entities “promptly analyze Bulk Electric System
disturbances on its system or facilities” (Requirement R2). The requirements of EOP-004-2
specify that certain types of events are to be reported but do not include provisions to analyze
events. Events reported under EOP-004-2 may trigger further scrutiny by the ERO Events
Analysis Program. If warranted, the Events Analysis Program personnel may request that more
data for certain events be provided by the reporting entity or other entities that may have
experienced the event. Entities are encouraged to become familiar with the Events Analysis
Program and the NERC Rules of Procedure to learn more about the expectations of the
program.
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to prevent outages which could lead to Cascading by
effectively reporting events. Certain outages, such as those due to vandalism and terrorism, may
not be reasonably preventable. These are the types of events that should be reported to law
enforcement. Entities rely upon law enforcement agencies to respond to and investigate those
events which have the potential to impact a wider area of the BES. The inclusion of reporting to
law enforcement enables and supports reliability principles such as protection of Bulk Electric
System from malicious physical or cyber attack. The Standard is intended to reduce the risk of
Cascading events. Awareness of the threats around the BES is essential to effective operation
and planning to mitigate the potential risk to the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO), Regional Entity
• FERC
• DOE
• NRC
• DHS – Federal
• Homeland Security – State
• State Regulators
• Local Law Enforcement
• State or Provincial Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP)
The above stakeholders have an interest in the timely notification, communication and response
to an incident at an industry facility. The stakeholders have various levels of accountability and
have a vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001-1a:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The CIP-001-1a standard requires a liaison relationship on behalf of the
industry and the FBI or RCMP. Annual requirements, under the standard, of the industry have
not been clear and have led to misunderstandings and confusion in the industry as to how to
demonstrate that the liaison is in place and effective. As an example of proof of compliance with
Requirement R4, responsible entities have asked FBI Office personnel to provide, on FBI
letterhead, confirmation of the existence of a working relationship to report acts of sabotage, the
number of years the liaison relationship has been in existence, and the validity of the telephone
numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, committed
investigators, analysts, linguists, SWAT experts, and other specialists from dozens of U.S. law
enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the Justice
Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communication occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flow freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to an industry incident has come from local and state law enforcement agencies
responding to suspected vandalism and criminal damage at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The Provincial
law enforcement agency has a reporting relationship with the Royal Canadian Mounted Police
(RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator and the
SDT Chair is reflected in the flowchart below (Reporting Hierarchy for Reportable Events).
Essentially, reporting an event to law enforcement agencies will only require the industry to
notify the state or provincial or local level law enforcement agency. The state or provincial or
local level law enforcement agency will coordinate with law enforcement with jurisdiction to
investigate. If the state or provincial or local level law enforcement agency decides federal
agency law enforcement or the RCMP should respond and investigate, the state or provincial or
local level law enforcement agency will notify and coordinate with the FBI or the RCMP.
[Flowchart: Example of Reporting Process including Law Enforcement. Box labels: Entity Experiencing An Event in Attachment 1; Report to Law Enforcement? (NO / YES); Refer to Ops Plan for Reporting; Refer to Ops Plan for communicating to law enforcement; Communicate to Law Enforcement; Report Event to ERO, Reliability Coordinator; Notification Protocol to State Agency Law Enforcement; ERO conducts investigation; State Agency Law Enforcement coordinates as appropriate with FBI; ERO Events Analysis; Criminal act invoking federal jurisdiction? (NO / YES); ERO Reports Applicable Events to FERC Per Rules of Procedure; State Agency Law Enforcement Investigates; State Agency Law Enforcement notifies FBI; FBI Responds and makes notification to DHS.]
* Canadian entities will follow law enforcement protocols applicable in their jurisdictions
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and has
developed updated standards based on the SAR.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The changes do not include any real-time operating notifications for the types of events covered
by CIP-001 and EOP-004. The real-time reporting requirements are achieved through the RCIS
and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies). These
standards deal exclusively with after-the-fact reporting.
The DSR SDT has consolidated disturbance and sabotage event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard:
• Requires reporting of “events” that impact or may impact the reliability of the Bulk
Electric System
• Provides clear criteria for reporting
• Includes consistent reporting timelines
• Identifies appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provides clarity around who will receive the information
Discussion of Disturbance Reporting
Disturbance reporting requirements existed in the previous version of EOP-004. The current
approved definition of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria were in the previous EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of events that are to be reported under this standard (EOP-004 Attachment 1).
Discussion of Event Reporting
There are situations worthy of reporting because they have the potential to impact reliability.
Event reporting facilitates industry awareness, which allows potentially impacted parties to
prepare for and possibly mitigate any associated reliability risk. It also provides the raw material,
in the case of certain potential reliability threats, to see emerging patterns.
Examples of such events include:
• Bolts removed from transmission line structures
• Detection of cyber intrusion that meets criteria of CIP-008-3 or its successor standard
• Forced intrusion attempt at a substation
• Train derailment adjacent to a Facility that either could have damaged a Facility directly
or could indirectly damage a Facility (e.g. flammable or toxic cargo that could pose fire
hazard or could cause evacuation of a control center) near a transmission right-of-way
• Destruction of Bulk Electric System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electric System using the event
categorization in this standard, it will be easier to get the relevant information for mitigation,
awareness, and tracking, while removing the distracting element of motivation.
Certain types of events should be reported to NERC, the Department of Homeland Security
(DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law enforcement.
Other types of events may have different reporting requirements. For example, an event that is
related to copper theft may only need to be reported to the local law enforcement authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. The standard requires Functional entities to report the
incidents and provide known information at the time of the report. Further data gathering
necessary for event analysis is provided for under the Events Analysis Program and the NERC
Rules of Procedure. Other entities (e.g., NERC, Law Enforcement, etc.) will be responsible for
performing the analyses. The NERC Rules of Procedure (section 800) provide an overview of
the responsibilities of the ERO with regard to analysis and dissemination of information for
reliability. Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial
Regulators, and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT has updated the listing of reportable events in EOP-004
Attachment 1 based on discussions with jurisdictional agencies, NERC, Regional Entities and
stakeholder input. There is a possibility that regional differences still exist.
The reporting required by this standard is intended to meet the uses and purposes of NERC. The
DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information should not be
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be included or attached to the NERC
report, in lieu of entering that information on the NERC report.
Implementation Plan
Project 2009-01 Disturbance and Sabotage Reporting
Implementation Plan for EOP-004-2 – Event Reporting
Approvals Required
EOP-004-2 – Event Reporting
Prerequisite Approvals
None
Revisions to Glossary Terms
None
Applicable Entities
Reliability Coordinator
Balancing Authority
Transmission Owner
Transmission Operator
Generator Owner
Generator Operator
Distribution Provider
Conforming Changes to Other Standards
None
Effective Dates
In those jurisdictions where regulatory approval is required, this standard shall become effective on the
first day of the first calendar quarter that is six months after applicable regulatory approval or as
otherwise made effective pursuant to the laws applicable to such ERO governmental authorities. In
those jurisdictions where no regulatory approval is required, this standard shall become effective on the
first day of the first calendar quarter that is six months beyond the date this standard is approved by the
Board of Trustees, or as otherwise made effective pursuant to the laws applicable to such ERO
governmental authorities.
Retirements
EOP-004-1 – Disturbance Reporting and CIP-001-2a – Sabotage Reporting should be retired at midnight
of the day immediately prior to the Effective Date of EOP-004-2 in the particular jurisdiction in which
the new standard is becoming effective.
Implementation Plan
Project 2009-01 Disturbance and Sabotage Reporting
Implementation Plan for EOP-004-2 – Event Reporting
Approvals Required
EOP-004-2 – Event Reporting
Prerequisite Approvals
None
Revisions to Glossary Terms
None
Applicable Entities
Reliability Coordinator
Balancing Authority
Transmission Owner
Transmission Operator
Generator Owner
Generator Operator
Distribution Provider
Conforming Changes to Other Standards
None
Effective Dates
In those jurisdictions where regulatory approval is required, this standard shall become effective on
the first day of the first calendar quarter that is six months after applicable regulatory approval or as
otherwise made effective pursuant to the laws applicable to such ERO governmental authorities. beyond
the date that this standard is approved by applicable regulatory approval. In those jurisdictions where
no regulatory approval is required, this standard shall become effective on the first day of the first
calendar quarter that is six months beyond the date this standard is approved by the Board of Trustees,
or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.
Retirements
EOP-004-1 – Disturbance Reporting and CIP-001-2a – Sabotage Reporting should be retired at midnight
of the day immediately prior to the Effective Date of EOP-004-2 in the particular jurisdiction in which
the new standard is becoming effective.
Unofficial Comment Form
Project 2009-01 Disturbance and Sabotage Reporting
Please DO NOT use this form for submitting comments. Please use the electronic form to submit
comments on the draft standard EOP-004-2. Comments must be submitted by September 27, 2012. If
you have questions please contact Stephen Crutchfield by email or by telephone at (609) 651-9455.
Background Information
EOP-004-2 was posted for a 30-day formal comment period and successive ballot from April 25
through May 24, 2011. The DSR SDT received suggestions from stakeholders to improve the
readability and clarity of the requirements of the standard. The revisions that were made to the
standard are summarized in the following paragraphs. As a result of these revisions, the DSR SDT is
posting the standard for a second successive ballot period.
The DSR SDT has developed EOP-004-2 to replace the current mandatory and enforceable EOP-004-1
and CIP-001-2a standards, therefore, retiring both EOP-004-1 and CIP-002-2a. The reporting
obligations under EOP-004-2 serve to provide input to the NERC Events Analysis Program. Analysis of
events is not required under the proposed standard and any analysis or investigation will fall under the
Event Analysis Program under the NERC Rules of Procedure.
The following changes were made as a result of comments received in the last formal comment period
and successive ballot:
1. The DSR SDT has removed reporting of Cyber Security Incidents from EOP-004 and has asked
the team developing CIP-008-5 to retain this reporting. With this revision, the Interchange
Coordinator, Transmission Service Provider, Load-Serving Entity, Electric Reliability Organization
and Regional Entity were removed as Responsible Entities.
2. Most of the language contained in the “Background” Section was moved to the “Guidelines and
Technical Basis” Section. Minor language changes were made to the measures and the data
retention section. Attachment 2 was revised to list events in the same order in which they
appear in Attachment 1.
3. Requirement R1 was revised to include the Parts in the main body of the Requirement. The
Measure and VSLs were updated accordingly.
4. Following review of the industry’s comments, the SDT has re-examined the FERC Directive in
Order 693 and has dropped both Requirement R4 and Requirement R5, and updated
Requirement R3 to have the Registered Entity “validate” the contact information in the contact
list(s) that they may have for the events applicable to them. This validation needs to be
performed each calendar year to ensure that the list(s) have current and up-to-date contact
data.
R3. Each Responsible Entity shall validate all contact information contained in the Operating
Plan pursuant to Requirement R1 each calendar year. [Violation Risk Factor: Medium]
[Time Horizon: Operations Planning]
5. The SDT has also updated Attachment 1 based on comments received, FERC directives, and in
consideration of what is required for combining CIP-001-2a and EOP-004-1 into EOP-004-2.
Under the Event Column, the SDT starts to classify each type of an event by assigning an “Event
Type” title. The DSR SDT then updated the “Entity with Reporting Responsibilities” column to
simply state which entity has the responsibility to report if they experience an event. The last
column, “Threshold for Reporting,” is a bright line that, if reached, the entity needs to report
that they experienced the applicable event per Requirement 1.
6. The DSR SDT had previously proposed a revision to the NERC Rules of Procedure (Section 812).
The SDT has learned that NERC has started a new effort to forward event reports to applicable
government authorities. As such, Section 812 is no longer needed and will be removed from
this project.
Project 2009-01 – Disturbance and Sabotage Reporting
Unofficial Comment Form – August 28, 2012
2
Questions
You do not have to answer all questions.
1. The DSR SDT has revised EOP-004-2 by combining Requirements R3 and R4 into a single
requirement (Requirement R3) to, “… validate all contact information contained in the Operating
Plan pursuant to Requirement R1 each calendar year.” Do you agree with this revision? If not,
please explain in the comment area below.
Yes
No
Comments:
2. The DSR SDT has revised the VSLs to reflect the language in the revised requirements. Do you
agree with the proposed VRFs and VSLs? If not, please explain in the comment area below.
Yes
No
Comments:
3. Do you have any other comment, not expressed in the questions above, for the DSR SDT?
Comments:
Project 2009-01 Disturbance and Sabotage Reporting
Mapping Document
Translation of CIP-001-2a – Sabotage Reporting and EOP-004-1 – Disturbance Reporting into EOP-004-2 – Event Reporting
Standard: CIP-001-2a – Sabotage Reporting
Requirement in Approved Standard
Translation to New Standard or Other Action
Proposed Language in EOP-004-2 - Impact Event and Disturbance Assessment, Analysis, and Reporting
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall have procedures for the recognition of and for making
their operating personnel aware of sabotage events on its facilities and multi site sabotage
affecting larger portions of the Interconnection.
Moved into EOP-004-2, R1
R1. Each Responsible Entity shall have an event reporting Operating
Plan in accordance with EOP-004-2 Attachment 1 that includes the
protocol(s) for reporting to the Electric Reliability Organization and
other organizations (e.g., the regional entity, company personnel, the
Responsible Entity’s Reliability Coordinator, law enforcement, or
governmental authority). [Violation Risk Factor: Lower] [Time Horizon:
Operations Planning]
R2. Each Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall have
procedures for the communication of information
concerning sabotage events to appropriate parties
in the Interconnection.
Moved into EOP-004-2, R1
R1. Each Responsible Entity shall have an event reporting Operating
Plan in accordance with EOP-004-2 Attachment 1 that includes the
protocol(s) for reporting to the Electric Reliability Organization and
other organizations (e.g., the regional entity, company personnel, the
Responsible Entity’s Reliability Coordinator, law enforcement, or
governmental authority). [Violation Risk Factor: Lower] [Time Horizon:
Operations Planning]
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall provide its operating personnel with sabotage response
guidelines, including personnel to contact, for reporting disturbances due to sabotage events.
Moved into EOP-004-2, R1
R1. Each Responsible Entity shall have an event reporting Operating
Plan in accordance with EOP-004-2 Attachment 1 that includes the
protocol(s) for reporting to the Electric Reliability Organization and
other organizations (e.g., the regional entity, company personnel, the
Responsible Entity’s Reliability Coordinator, law enforcement, or
governmental authority). [Violation Risk Factor: Lower] [Time Horizon:
Operations Planning]
R4. Each Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity shall establish
communications contacts, as applicable, with local
Federal Bureau of Investigation (FBI) or Royal
Canadian Mounted Police (RCMP) officials and
develop reporting procedures as appropriate to
their circumstances.
Project 2009-01 Disturbance and Sabotage Reporting
Mapping Document –July 8, 2012
Moved into EOP-004-2, R1
R1. Each Responsible Entity shall have an event reporting Operating
Plan in accordance with EOP-004-2 Attachment 1 that includes the
protocol(s) for reporting to the Electric Reliability Organization and
other organizations (e.g., the regional entity, company personnel, the
Responsible Entity’s Reliability Coordinator, law enforcement, or
governmental authority). [Violation Risk Factor: Lower] [Time Horizon:
Operations Planning]
2
Standard: EOP-004-1 – Disturbance Reporting
Requirement in Approved Standard
Translation to New Standard or Other Action
Proposed Language in EOP-004-2 - Impact Event and Disturbance Assessment, Analysis, and Reporting Comments
R1. Each Regional Reliability Organization shall
establish and maintain a Regional reporting
procedure to facilitate preparation of preliminary
and final disturbance reports.
Retire this fill-in-the-blank
requirement.
R2. A Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator or
Load-Serving Entity shall promptly analyze Bulk
Electric System disturbances on its system or
facilities.
Translated into
EOP-004-2, R1
and the NERC
Events Analysis
Process
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
R3. A Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator or
Load-Serving Entity experiencing a reportable
incident shall provide a preliminary written report
to its Regional Reliability Organization and NERC.
Translated into
EOP-004-2, R2
R2. Each Responsible Entity shall report events per their Operating
Plan within 24 hours of meeting an event type threshold for reporting.
[Violation Risk Factor: Medium] [Time Horizon: Operations
Assessment]
Replace with new
reporting and
analysis
procedure
developed by
NERC EAWG.
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
R3.1. The affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator or Load-Serving Entity shall submit within
24 hours of the disturbance or unusual occurrence
either a copy of the report submitted to DOE, or, if
no DOE report is required, a copy of the NERC
Interconnection Reliability Operating Limit and
Preliminary Disturbance Report form. Events that
are not identified until sometime after they occur
shall be reported within 24 hours of being
recognized.
Translated into
EOP-004-2, R2
R3.2. Applicable reporting forms are provided in
Attachments 022-1 and 022-2.
Retire –
informational
statement
R2. Each Responsible Entity shall report events per their Operating
Plan within 24 hours of meeting an event type threshold for reporting.
[Violation Risk Factor: Medium] [Time Horizon: Operations
Assessment]
R3.3. Under certain adverse conditions, e.g., severe
weather, it may not be possible to assess the
damage caused by a disturbance and issue a written
Interconnection Reliability Operating Limit and
Preliminary Disturbance Report within 24 hours. In
such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator,
Generator Operator, or Load-Serving Entity shall
promptly notify its Regional Reliability
Organization(s) and NERC, and verbally provide as
much information as is available at that time. The
affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator, or Load-Serving Entity shall then provide
timely, periodic verbal updates until adequate
information is available to issue a written
Preliminary Disturbance Report.
Retire as a
requirement.
Added as a
“Note” to EOP-004 Attachment 1 Impact Events
Table
NOTE: Under certain adverse conditions (e.g. severe weather, multiple
events) it may not be possible to report the damage caused by an
event and issue a written Event Report within the timing in the table
below. In such cases, the affected Responsible Entity shall notify
parties per Requirement R2 and provide as much information as is
available at the time of the notification. Submit reports to the ERO via
one of the following: e-mail: systemawareness@nerc.net or Voice:
404-446-9780.
R3.4. If, in the judgment of the Regional Reliability
Organization, after consultation with the Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity in which a disturbance occurred, a final
report is required, the affected Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity shall prepare this report within 60 days. As a
minimum, the final report shall have a discussion of
the events and its cause, the conclusions reached,
and recommendations to prevent recurrence of this
type of event. The report shall be subject to
Regional Reliability Organization approval.
Retire this fill-in-the-blank
requirement.
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
Replace with new
reporting
procedure
developed by
NERC EAWG.
R4. When a Bulk Electric System disturbance
occurs, the Regional Reliability Organization shall
make its representatives on the NERC Operating
Committee and Disturbance Analysis Working
Group available to the affected Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity immediately affected by the disturbance for
the purpose of providing any needed assistance in
the investigation and to assist in the preparation of
a final report.
Retire this fill-in-the-blank
requirement.
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
Replace with new
reporting
procedure
developed by
NERC EAWG.
R5. The Regional Reliability Organization shall track
and review the status of all final report
recommendations at least twice each year to
ensure they are being acted upon in a timely
manner. If any recommendation has not been
acted on within two years, or if Regional Reliability
Organization tracking and review indicates at any
time that any recommendation is not being acted
on with sufficient diligence, the Regional Reliability
Organization shall notify the NERC Planning
Committee and Operating Committee of the status
of the recommendation(s) and the steps the
Regional Reliability Organization has taken to
accelerate implementation.
Retire this fill-in-the-blank
requirement.
Request for Interpretation of CIP-001-2a, R2: Please
clarify what is meant by the term, “appropriate
parties.” Moreover, who within the Interconnection
hierarchy deems parties to be appropriate?
Retire the
interpretation
The requirements of EOP-004-2 specify that an entity must report
certain types of impact events. The NERC EAWG is developing
continent wide reporting and analysis guidelines applicable under the
NERC Rules of Procedure.
Replace with new
reporting
procedure
developed by
NERC EAWG.
Addressed in EOP-004-2, R1 by replacing the term, ‘appropriate parties’
with a broader, more specific list of specific entities to contact in
Requirement R1.
Project 2009-01 Disturbance and Sabotage Reporting
Consideration of Issues and Directives
Project 2009-01 Disturbance and Sabotage Reporting
Issue or Directive
Source
Consideration of Issue or Directive
"What is meant by: “establish contact with the
FBI”? Is a phone number adequate? Many entities
which call the FBI are referred back to the local
authority. The AOT noted that on the FBI website it
states to contact the local authorities. Is this a
question for Homeland Security to deal with for
us?"
Establish communications contacts, as applicable
with local FBI and RCMP officials. Some entities are
very remote and the sheriff is the only local
authority does the FBI still need to be contacted?
CIP‐001‐1 NERC
Audit
Observation
Team
The DSR SDT has been in contact with FBI staff and developed a
notification flow chart for law enforcement as it pertains to EOP-004.
The “Background” section of the standard outlines the reporting
hierarchy that exists between local, state, provincial and federal law
enforcement. The entity experiencing an event should notify the
appropriate state or provincial law enforcement agency that will then
coordinate with local law enforcement for investigation. These local,
state and provincial agencies will coordinate with higher levels of law
enforcement or other governmental agencies.
Registered Entities have sabotage reporting
processes and procedures in place but not all
personnel has been trained.
Question: How do you “and make the operator aware”
CIP‐001‐1 NERC
Audit
Observation
Team
This has been removed from the standard.
Requirement R1 requires that the entity has an
Operating Plan for applicable events listed in
Attachment 1.
How does this standard pertain to Load Serving Entities, LSE's.
CIP‐001‐1 NERC
Audit
Observation
Team
LSE has been removed as an applicable entity as there
are no applicable events.
We direct the ERO to explore ways to address these concerns –
including central coordination of sabotage reports and a uniform
reporting format – in developing modifications to the Reliability
Standard with the appropriate governmental agencies that have
levied the reporting requirements.
CIP‐001‐1;
Order 693
See “Background” section of the standard as well as the
“Guidelines and Technical Basis” section.
Project 2009-01 Disturbance and Sabotage Reporting
Consideration of Issues and Directives – August 2, 2012
2
"Define “sabotage” and provide guidance on triggering events that
would cause an entity to report an event. Paragraph 461. Several
commenters agree with the Commission’s concern that the term
“sabotage” should be defined. For the reasons stated in the NOPR,
we direct that the ERO further define the term and provide guidance
on triggering events that would cause an entity to report an event.
However, we disagree with those commenters that suggest the term
“sabotage” is so vague as to justify a delay in approval or the
application of monetary penalties. As explained in the NOPR, we
believe that the term sabotage is commonly understood and that
common understanding should suffice in most instances.
CIP‐001‐1;
Order 693
The DSR SDT has not proposed a definition for inclusion
in the NERC Glossary because it is impractical to define
every event that should be reported without listing
them in the definition. Attachment 1 is the de facto
definition of “event”. The DSR SDT considered the
FERC directive to “further define sabotage” and
decided to eliminate the term sabotage from the
standard. The team felt that without the intervention
of law enforcement after the fact, it was almost
impossible to determine if an act or event was that of
sabotage or merely vandalism. The term “sabotage” is
no longer included in the standard and therefore it is
inappropriate to attempt to define it. The events listed
in Attachment 1 provide guidance for reporting both
actual events as well as events which may have an
impact on the Bulk Electric System. The DSR SDT
believes that this is an equally effective and efficient
means of addressing the FERC Directive.
The ERO should consider suggestions raised by commenters such as
FirstEnergy and Xcel to define the specified period for reporting an
incident beginning from when an event is discovered or suspected to
be sabotage, and APPA’s concerns regarding events at unstaffed or
remote facilities, and triggering events occurring outside staffed
hours at small entities.
CIP‐001‐1;
Order 693
Attachment 1 defines the events which are to be
reported under this standard. The required reporting is
within 24 hours “of recognition of the event.”
Modify CIP-001-1 1 to require an applicable entity to contact
appropriate governmental authorities in the event of sabotage
within a specific period of time, even if it is a preliminary report.
Further, in the interim while the matter is being addressed by the
Reliability Standards development process, we direct the ERO to
provide advice to entities that have concerns about the reporting of
particular circumstances as they arise.
CIP‐001‐1;
Order 693
Per Requirement R1, the entity is to develop an
Operating Plan which includes event reporting to law
enforcement and governmental agencies. The DSR SDT
has been in contact with NERC Situational Awareness
and has been informed that all event reports received
by NERC are being forwarded to FERC.
Consider the need for wider application of the standard. Consider
CIP‐001‐1;
whether separate, less burdensome requirements for smaller entities Order 693
may be appropriate. Paragraph 458. The Commission acknowledges
the concerns of the commenters about the applicability of CIP-001-1
to small entities and has addressed the concerns of small entities
generally earlier in this Final Rule. Our approval of the ERO
Compliance Registry criteria to determine which users, owners and
operators are responsible for compliance addresses the concerns of
APPA and others. 459. However, the Commission believes that there
are specific reasons for applying this Reliability Standard to such
entities, as discussed in the NOPR. APPA indicates that some small
LSEs do not own or operate “hard assets” that are normally thought
of as “at risk” to sabotage. The Commission is concerned that, an
adversary might determine that a small LSE is the appropriate target
when the adversary aims at a particular population or facility. Or an
adversary may target a small user, owner or operator because it may
have similar equipment or protections as a larger facility, that is, the
adversary may use an attack against a smaller facility as a training
“exercise.” {continued below}
Attachment 1 defines the events which are to be
reported under this standard. The applicable entities
are also identified for each type of event. Each event is
to be reported within 24 hours of recognition of the
event.
The knowledge of sabotage events that occur at any facility
(including small facilities) may be helpful to those facilities that are
traditionally considered to be the primary targets of adversaries as
well as to all members of the electric sector, the law enforcement
community and other critical infrastructures. 460. For these reasons,
the Commission remains concerned that a wider application of CIP-001-1
may be appropriate for Bulk Power System reliability.
Balancing these concerns with our earlier discussion of the
applicability of Reliability Standards to smaller entities, we will not
direct the ERO to make any specific modification to CIP-001-1 to
address applicability. However, we direct the ERO, as part of its Work
Plan, to consider in the Reliability Standards development process,
possible revisions to CIP-001-1 that address our concerns. Regarding
the need for wider application of the Reliability Standard. Further,
when addressing such applicability issues, the ERO should consider
whether separate, less burdensome requirements for smaller entities
may be appropriate to address these concerns.
The Commission affirms the NOPR directive and directs the ERO to
incorporate a periodic review or updating of the sabotage reporting
procedures and for the periodic testing of the sabotage reporting
procedures. At this time, the commission does not specify a review
period as suggested by FirstEnergy and MRO and, rather, believes
that the appropriate period should be determined through the ERO’s
Reliability Standards development process. However, the
Commission directs that the ERO begin this process by considering a
staggered schedule of annual testing of the procedures with
modifications made when warranted formal review of the
procedures every two or three years.
CIP‐001‐1;
Order 693
The standard is responsive to this directive with the
following language in Requirement R3:
R3. Each Responsible Entity shall validate all
contact information contained in the Operating
Plan pursuant to Requirement R1 each calendar
year. [Violation Risk Factor: Medium] [Time
Horizon: Operations Planning]
The DSR SDT envisions that this will include verification
that contact information contained in the Operating
Plan is correct. As an example, the annual validation
could include calling others as defined in the
Responsible Entity’s Operating Plan to verify that
their contact information is correct and current. If any
discrepancies are noted, the Operating Plan would be
updated.
Consider FirstEnergy’s suggestions to differentiate between cyber
and physical security sabotage and develop a threshold of
materiality. Paragraph 451. A number of commenters agree with the
Commission’s concern that the term “sabotage” needs to be better
defined and guidance provided on the triggering events that would
cause an entity to report an event. FirstEnergy states that this
definition should differentiate between cyber and physical sabotage
and should exclude unintentional operator error. It advocates a
threshold of materiality to exclude acts that do not threaten to
reduce the ability to provide service or compromise safety and
security. SoCal Edison states that clarification regarding the
meaning of sabotage and the triggering event for reporting would be
helpful and prevent over reporting.
CIP‐001‐1;
Order 693
This is addressed in Attachment 1. There are specific
event types for both cyber and physical security with
their respective report submittal requirements.
"Include a requirement to report a sabotage event to the proper
government authorities. Develop the language to specifically
implement this directive. Paragraph 467. CIP-001-1, Requirement
R4, requires that each applicable entity establish communications
contacts, as applicable, with the local FBI or Royal Canadian Mounted
Police officials and develop reporting procedures as appropriate to
its circumstances. The Commission in the NOPR expressed concern
that the Reliability Standard does not require an applicable entity to
actually contact the appropriate governmental or regulatory body in
the event of sabotage. Therefore, the Commission proposed that
NERC modify the Reliability Standard to require an applicable entity
to “contact appropriate federal authorities, such as the Department
of Homeland Security, in the event of sabotage within a specified
period of time.”212 468. As mentioned above, NERC and others
object to the wording of the proposed directive as overly prescriptive
and note that the reference to “appropriate federal authorities” fails
to recognize the international application of the Reliability Standard.
The example of the Department of Homeland Security as an
“appropriate federal authority” was not intended to be an exclusive
designation. Nonetheless, the Commission agrees that a reference to
“federal authorities” could create confusion. Accordingly, we modify
the direction in the NOPR and now direct the ERO to address our
underlying concern regarding mandatory reporting of a sabotage
event. The ERO’s Reliability Standards development process should
develop the language to implement this directive."
See “Guidelines and Technical Basis” section of
Standard.
“A proposal discussed with FBI, FERC Staff, NERC
Standards Project Coordinator and SDT Chair is
reflected in the flowchart below (Reporting Hierarchy
for Event EOP-004-2). Essentially, reporting an event to
law enforcement agencies will only require the industry
to notify the state or provincial level law enforcement
agency. The state or provincial level law enforcement
agency will coordinate with local law enforcement to
investigate. If the state or provincial level law
enforcement agency decides federal agency law
enforcement or the RCMP should respond and
investigate, the state or provincial level law
enforcement agency will notify and coordinate with the
FBI or the RCMP.”
On March 4, 2008, NERC submitted a compliance filing in response to
a December 20, 2007 Order, in which the Commission reversed a
NERC decision to register three retail power marketers to comply
with Reliability Standards applicable to load serving entities (LSEs)
and directed NERC to submit a plan describing how it would address
a possible “reliability gap” that NERC asserted would result if the
LSEs were not registered. NERC’s compliance filing included the
following proposal for a short‐term plan and a long‐term plan to
address the potential gap:
∙ Short‐term: Using a posting and open comment process, NERC will
revise the registration criteria to define “Non‐Asset Owning LSEs” as
a subset of Load Serving Entities and will specify the reliability
standards applicable to that subset.
CIP‐001‐1 and EOP-004
ORDER ON ELECTRIC RELIABILITY ORGANIZATION REGISTRY_DETERMINATIONS;
ORDER ON COMPLIANCE FILING
The LSE is no longer an applicable entity, since no
reportable event types in Attachment apply to an LSE.
If an entity owns distribution assets, that entity will be
registered as a Distribution Provider. Attachment 1
defines the timelines and events which are to be
reported under this standard. The applicable entities
are also identified for each type of event.
∙ Longer‐term: NERC will determine the changes necessary to terms
and requirements in reliability standards to address the issues
surrounding accountability for loads served by retail
marketers/suppliers and process them through execution of the
three‐year Reliability Standards Development Plan. In this revised
Reliability Standards Development Plan, NERC is commencing the
implementation of its stated long‐term plan to address the issues
surrounding accountability for loads served by retail
marketers/suppliers.
The NERC Reliability Standards Development Procedure will be used
to identify the changes necessary to terms and requirements in
reliability standards to address the issues surrounding accountability
for loads served by retail marketers/suppliers. Specifically, the
following description has been incorporated into the scope for
affected projects in this revised Reliability Standards Development
Plan that includes a standard applicable to Load Serving Entities:
Source: FERC’s December 20, 2007 Order in Docket Nos.
RC07‐004‐000, RC07‐6‐000, and RC07‐7‐000.
Issue: In FERC’s December 20, 2007 Order, the Commission reversed
NERC’s Compliance Registry decisions with respect to three load
serving entities in the ReliabilityFirst (RFC) footprint. The
distinguishing feature of these three LSEs is that none own physical
assets. Both NERC and RFC assert that there will be a “reliability gap”
if retail marketers are not registered as LSEs. To avoid a possible gap,
a consistent, uniform approach to ensure that appropriate Reliability
Standards and associated requirements are applied to retail
marketers must be followed.
Each drafting team responsible for reliability standards that are
applicable to LSEs is to review and change as necessary,
requirements in the reliability standards to address the issues
surrounding accountability for loads served by retail
marketers/suppliers. For additional information see:
∙ FERC’s December 20, 2007 Order
(http://www.nerc.com/files/LSE_decision_order.pdf)
∙ NERC’s March 4, 2008
(http://www.nerc.com/files/FinalFiledLSE3408.pdf),
∙ FERC’s April 4, 2008 Order
(http://www.nerc.com/files/AcceptLSECompFiling‐040408.pdf), and
∙ NERC’s July 31, 2008
(http://www.nerc.com/files/FinalFiled‐compFiling‐LSE‐07312008.pdf)
compliance filings to FERC on this subject.
Project 2009-01 Disturbance and Sabotage Reporting
Consideration of Issues and Directives – August 2, 2012
Object to multi‐site requirement
Version 0 Team
CIP-001-1
Definition of sabotage required
Version 0 Team
CIP-001-1
VRFs Team Adequate procedures will insure it is unlikely to lead to
bulk electric system instability, separation, or cascading failures.
The Standard was revised for clarity. Attachment 1
defines the timelines and events which are to be
reported under this standard. The applicable entities
are also identified for each type of event.
No definition for sabotage was developed. The DSR SDT
has not proposed a definition for inclusion in the NERC
Glossary because it is impractical to define every event
that should be reported without listing them in the
definition. Attachment 1 is the de facto definition of
“event”. The DSR SDT considered the FERC directive to
“further define sabotage” and decided to eliminate the
term sabotage from the standard. The team felt that
without the intervention of law enforcement after the
fact, it was almost impossible to determine if an act or
event was that of sabotage or merely vandalism. The
term “sabotage” is no longer included in the standard
and therefore it is inappropriate to attempt to define it.
The events listed in Attachment 1 provide guidance for
reporting both actual events as well as events which
may have an impact on the Bulk Electric System. The
DSR SDT believes that this is an equally effective and
efficient means of addressing the FERC Directive.
Coordination and follow up on lessons learned from event analyses
Consider adding to EOP‐004 – Disturbance Reporting Proposed
requirement: Regional Entities (REs) shall work together with
Reliability Coordinators, Transmission Owners, and Generation
Owners to develop an Event Analysis Process to prevent similar
events from happening and follow up with the recommendations.
This process shall be defined within the appropriate NERC Standard
Events Analysis Team Reliability Issue
The DSR SDT envisions EOP-004-2 to be a reporting
standard. Any follow up investigation or analysis falls
under the purview of the NERC Events Analysis
Program under the NERC Rules of Procedure.
Consider changes to R1 and R3.4 to standardize the disturbance
reporting requirements (requirements for disturbance reporting
need to be added to this standard). Regions currently have
procedures, but not in the form of a standard. The drafting team will
need to review regional requirements to determine reporting
requirements for the North American standard.
Fill in the Blank Team
The DSR SDT envisions EOP-004-2 to be a continent-wide reporting standard. Any follow up investigation or
analysis falls under the purview of the NERC Events
Analysis Program under the NERC Rules of Procedure.
Can there be a violation without an event?
NERC Audit Observation Team
The DSR SDT envisions EOP-004-2 to be a continent-wide reporting standard. In the opinion of the DSR
SDT, there cannot be a violation of Requirement R2
without an event. Since Requirement R1 calls for an
Operating Plan, there can be a violation of R1 without
an event.
Consider APPA’s concern about generator operators and LSEs
analyzing performance of their equipment and provide data and
information on the equipment to assist others with analysis.
Paragraph 607. APPA is concerned about the scope of Requirement
R2 because, in its opinion, Requirement R2 appears to impose an
open‐ended obligation on entities such as generation operators and
LSEs that may have neither the data nor the tools to promptly
analyze disturbances that could have originated elsewhere. APPA
proposes that Requirement R2 be modified to require affected
entities to promptly begin analyses to ensure timely reporting to
NERC and DOE.
EOP‐004‐1
Order 693
The DSR SDT envisions EOP-004-2 to be a continent-wide reporting standard. Any follow up investigation or
analysis falls under the purview of the NERC Events
Analysis Program under the NERC Rules of Procedure.
From: David Cook
Sent: Wednesday, July 16, 2008 6:06 PM
To: Rick Sergel; Dave Nevius; David A. Whiteley; Management
Subject: RE: FERC request for DOE‐417s
I agree the real fix is to revise the EOP‐004 standard. I agree that we
can’t (and shouldn’t try) to do that by way of amendments to our
Rules of Procedure. So we should include that fix in the standards
work plan, do the best we can in the meantime to provide FERC with
the 417s, and I’ll have the conversation with Joe McClelland about
not being able to do what the Commission directed in Order 693 (i.e.,
change the standards by way of a change in the Rules of Procedure).
David
EOP‐004‐1
Other
Per Requirement R1, the entity is to develop an
Operating Plan which includes event reporting to law
enforcement and governmental agencies. The DSR SDT
has been in contact with NERC Situational Awareness
and has been informed that all event reports received
by NERC are being forwarded to FERC.
In response to a SAR submitted by Glenn Kaht of ReliabilityFirst: As
part of a regional compliance violation investigation, a possible
reliability gap was identified related to EOP‐004‐1 — Disturbance
Reporting. The existing standard limits reporting of generation
outages to just those outages associated with loss of a bulk power
transmission component that significantly affects the integrity of
interconnected system operations. This requirement has been
interpreted as meaning that only generation outages that must be
reported are those that occur with the loss of a bulk power
transmission element. By not reporting large generation losses that
occur without the loss of a bulk power transmission element, the
industry is overlooking a potential opportunity to identify and learn
from these losses.
Standards Committee Action From 01/13/2010
The DSR SDT has worked closely with the NERC EAWG
to develop the event reporting requirements shown in
Attachment 1. The EAWG and the DSR SDT considered
this request and weighed it against reliability needs for
reporting.
Specifically, Item 1 of Attachment 1 of EOP‐004 requires the
reporting of events if “The loss of a bulk power transmission
component that significantly affects the integrity of interconnected
system operations. Generally, a disturbance report will be required
if the event results in actions such as:” The Standard then lists six
different actions that may occur as a result of the event in order to
be reportable. All six of these actions appear to be dependent on
“The loss of a bulk power transmission component that significantly
affects the integrity of interconnected system operations” in order
for the event to be reportable. Some of these events may
significantly impact the reliable operation of the bulk power system.
Consider a revision to EOP‐004‐1 — Disturbance Reporting requiring
a Generator Operator (GOP) that
experiences the loss of generation greater than 500 MW that results
in modification of equipment (e.g. control systems, or Power Load
Unbalancer (PLU)) to be a reportable event.
too many reports, narrow requirement to RC
Version 0 Team
How does this apply to generator operator?
Version 0 Team
There is only one report required under this standard.
An entity may submit the report using Attachment 2 or
the DOE OE-417 report form.
See attachment 1 for specific generator operator
applicability.
Violation Risk Factor and Violation Severity Level Assignments
Project 2009-01 – Disturbance and Sabotage Reporting
This document provides the drafting team’s justification for assignment of violation risk factors (VRFs)
and violation severity levels (VSLs) for each requirement in
EOP-004-2 — Event Reporting
Each primary requirement is assigned a VRF and a set of one or more VSLs. These elements support the
determination of an initial value range for the Base Penalty Amount regarding violations of requirements
in FERC-approved Reliability Standards, as defined in the ERO Sanction Guidelines.
Justification for Assignment of Violation Risk Factors in EOP-004-2
The Disturbance and Sabotage Reporting Standard Drafting Team applied the following NERC criteria
when proposing VRFs for the requirements in EOP-004-2:
High Risk Requirement
A requirement that, if violated, could directly cause or contribute to bulk electric system
instability, separation, or a cascading sequence of failures, or could place the bulk electric system
at an unacceptable risk of instability, separation, or cascading failures; or, a requirement in a
planning time frame that, if violated, could, under emergency, abnormal, or restorative conditions
anticipated by the preparations, directly cause or contribute to bulk electric system instability,
separation, or a cascading sequence of failures, or could place the bulk electric system at an
unacceptable risk of instability, separation, or cascading failures, or could hinder restoration to a
normal condition.
Medium Risk Requirement
A requirement that, if violated, could directly affect the electrical state or the capability of the
bulk electric system, or the ability to effectively monitor and control the bulk electric system.
However, violation of a medium risk requirement is unlikely to lead to bulk electric system
instability, separation, or cascading failures; or, a requirement in a planning time frame that, if
violated, could, under emergency, abnormal, or restorative conditions anticipated by the
preparations, directly and adversely affect the electrical state or capability of the bulk electric
system, or the ability to effectively monitor, control, or restore the bulk electric system.
However, violation of a medium risk requirement is unlikely, under emergency, abnormal, or
restoration conditions anticipated by the preparations, to lead to bulk electric system instability,
separation, or cascading failures, nor to hinder restoration to a normal condition.
Lower Risk Requirement
A requirement that is administrative in nature and a requirement that, if violated, would not be
expected to adversely affect the electrical state or capability of the bulk electric system, or the
ability to effectively monitor and control the bulk electric system; or, a requirement that is
administrative in nature and a requirement in a planning time frame that, if violated, would not,
under the emergency, abnormal, or restorative conditions anticipated by the preparations, be
expected to adversely affect the electrical state or capability of the bulk electric system, or the
ability to effectively monitor, control, or restore the bulk electric system. A planning requirement
that is administrative in nature.
The SDT also considered consistency with the FERC Violation Risk Factor Guidelines for setting VRFs: 1
Guideline (1) — Consistency with the Conclusions of the Final Blackout Report
The Commission seeks to ensure that Violation Risk Factors assigned to Requirements of
Reliability Standards in these identified areas appropriately reflect their historical critical impact
on the reliability of the Bulk-Power System.
In the VSL Order, FERC listed critical areas (from the Final Blackout Report) where violations could
severely affect the reliability of the Bulk-Power System: 2
− Emergency operations
− Vegetation management
− Operator personnel training
− Protection systems and their coordination
− Operating tools and backup facilities
− Reactive power and voltage control
− System modeling and data exchange
− Communication protocol and facilities
− Requirements to determine equipment ratings
− Synchronized data recorders
− Clearer criteria for operationally critical facilities
− Appropriate use of transmission loading relief.
Guideline (2) — Consistency within a Reliability Standard
The Commission expects a rational connection between the sub-Requirement Violation Risk
Factor assignments and the main Requirement Violation Risk Factor assignment.
1 North American Electric Reliability Corp., 119 FERC ¶ 61,145, order on reh’g and compliance filing, 120 FERC ¶ 61,145 (2007) (“VRF Rehearing Order”).
2 Id. at footnote 15.
VRF and VSL Assignments – Project 2009-01 (August 2, 2012)
Guideline (3) — Consistency among Reliability Standards
The Commission expects the assignment of Violation Risk Factors corresponding to
Requirements that address similar reliability goals in different Reliability Standards would be
treated comparably.
Guideline (4) — Consistency with NERC’s Definition of the Violation Risk Factor Level
Guideline (4) was developed to evaluate whether the assignment of a particular
Violation Risk Factor level conforms to NERC’s definition of that risk level.
Guideline (5) — Treatment of Requirements that Co-mingle More Than One Obligation
Where a single Requirement co-mingles a higher risk reliability objective and a lesser risk
reliability objective, the VRF assignment for such Requirements must not be watered down to
reflect the lower risk level associated with the less important objective of the Reliability
Standard.
The following discussion addresses how the SDT considered FERC’s VRF Guidelines 2 through 5. The
team did not address Guideline 1 directly because of an apparent conflict between Guidelines 1 and 4.
Whereas Guideline 1 identifies a list of topics that encompass nearly all topics within NERC’s
Reliability Standards and implies that these requirements should be assigned a “High” VRF, Guideline 4
directs assignment of VRFs based on the impact of a specific requirement to the reliability of the system.
The SDT believes that Guideline 4 is reflective of the intent of VRFs in the first instance and therefore
concentrated its approach on the reliability impact of the requirements.
VRF for EOP-004-2:
There are three requirements in EOP-004-2. Requirement R1 was assigned a Lower VRF while
Requirements R2 and R3 were assigned a Medium VRF.
VRF for EOP-004-2, Requirement R1:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. The Requirement specifies which
entities are required to have processes for recognition of events and for communicating with other
entities. This Requirement is the only administrative Requirement within the Standard. The VRF is
only applied at the Requirement level.
• FERC’s Guideline 3 — Consistency among Reliability Standards. This requirement calls for an
entity to have processes for recognition of events and
communicating with other entities. This requirement is administrative in nature and deals with the
means to report events after the fact. All event reporting requirements in Attachment 1 are for 24
hours after recognition that an event has occurred. The current approved VRFs for EOP-004-1 are
all lower with the exception of Requirement R2 which is a requirement to analyze events. This
standard relates only to reporting events. The analysis portion is addressed through the NERC Rules
of Procedure and the Events Analysis Program.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. Failure to have an event
reporting Operating Plan is not likely to directly affect the electrical state or the capability of the bulk
electric system. Development of the Operating Plan is a requirement that is administrative in nature
and is in a planning time frame that, if violated, would not, under emergency, abnormal, or
restorative conditions anticipated by the preparations, be expected to adversely affect the electrical
state or capability of the bulk electric system, or the ability to effectively monitor, control, or restore
the bulk electric system. Therefore this requirement was assigned a Lower VRF.
• FERC’s Guideline 5 — Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R1 contains only one objective which is to have an Operating Plan with
two distinct processes. Since the requirement is to have an Operating Plan, only one VRF was
assigned.
VRF for EOP-004-2, Requirement R2:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. This Requirement calls for the
Responsible Entity to implement its Operating Plan and is assigned a Medium VRF. There is one
other similar Requirement in this Standard which specifies an annual validation of the information
contained in the Operating Plan (R3). Both of these Requirements are assigned a Medium VRF.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R2 is a
requirement for entities to report events using the process for recognition of events per Attachment 1.
Failure to report events within 24 hours is not likely to “directly affect the electrical state or the
capability of the bulk electric system, or the ability to effectively monitor and control the bulk
electric system.” However, violation of a medium risk requirement should also be “unlikely to lead
to bulk electric system instability, separation, or cascading failures…” Such an instance could occur
if personnel do not report events. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R2 mandates that Responsible Entities implement their Operating Plan. Bulk power system
instability, separation, or cascading failures are not likely to occur due to a failure to notify another
entity of the event failure, but there is a slight chance that it could occur. Therefore, this requirement
was assigned a Medium VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R2 addresses a single objective and has a single VRF.
VRF for EOP-004-2, Requirement R3:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. This Requirement calls for the
Responsible Entity to perform an annual validation of the information contained in the Operating
Plan and is assigned a Medium VRF. There is one other similar Requirement in this Standard which
specifies that the Responsible Entity implement its Operating Plan (R2). Both of these
Requirements are assigned a Medium VRF.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R3 is a
requirement for entities to perform an annual validation of the information contained
in the Operating Plan. Failure to perform an annual validation of the information
contained in the Operating Plan is not likely to “directly affect the electrical state or the capability of
the bulk electric system, or the ability to effectively monitor and control the bulk electric system.”
However, violation of a medium risk requirement should also be “unlikely to lead to bulk electric
system instability, separation, or cascading failures…” Such an instance could occur if personnel do
not perform an annual test of the Operating Plan and it is out of date or contains erroneous
information. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R3 mandates that Responsible Entities perform an annual validation of the information contained
in the Operating Plan. Bulk power system instability, separation, or cascading
failures are not likely to occur due to a failure to perform an annual test of the Operating Plan, but
there is a slight chance that it could occur if the Operating Plan is out of date or contains erroneous
information. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R3 addresses a single objective and has a single VRF.
Justification for Assignment of Violation Severity Levels for EOP-004-2:
In developing the VSLs for the EOP-004-2 standard, the SDT anticipated the evidence that would be
reviewed during an audit, and developed its VSLs based on the noncompliance an auditor may find
during a typical audit. The SDT based its assignment of VSLs on the following NERC criteria:
Lower: Missing a minor element (or a small percentage) of the required performance. The performance or
product measured has significant value as it almost meets the full intent of the requirement.
Moderate: Missing at least one significant element (or a moderate percentage) of the required
performance. The performance or product measured still has significant value in meeting the intent of the
requirement.
High: Missing more than one significant element (or is missing a high percentage) of the required
performance or is missing a single vital component. The performance or product has limited value in
meeting the intent of the requirement.
Severe: Missing most or all of the significant elements (or a significant percentage) of the required
performance. The performance measured does not meet the intent of the requirement or the product
delivered cannot be used in meeting the intent of the requirement.
FERC’s VSL guidelines are presented below, followed by an analysis of whether the VSLs proposed for
each requirement in EOP-004-2 meet the FERC Guidelines for assessing VSLs:
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence
of Lowering the Current Level of Compliance
Compare the VSLs to any prior levels of non-compliance and avoid significant changes that may
encourage a lower level of compliance than was required when levels of non-compliance were
used.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in
the Determination of Penalties
A violation of a “binary” type requirement must be a “Severe” VSL.
Do not use ambiguous terms such as “minor” and “significant” to describe noncompliant
performance.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement
VSLs should not expand on what is required in the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations
. . . unless otherwise stated in the requirement, each instance of non-compliance with a
requirement is a separate violation. Section 4 of the Sanction Guidelines states that assessing
penalties on a per violation per day basis is the “default” for penalty calculations.
VSLs for EOP-004-2 Requirement R1:
R#: R1
Compliance with NERC’s VSL Guidelines
Meets NERC’s VSL guidelines. The requirement calls for the entity to have an Operating Plan and is
binary in nature. The VSL is therefore set to “Severe”.
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence of
Lowering the Current Level of Compliance
The proposed requirement is a revision of CIP-001-1, R1-R4, and EOP-004-1, R2. The Requirement has
no Parts and is binary in nature. The binary VSL does not lower the current level of Compliance.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the
Determination of Penalties
Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is
Not Consistent
Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language
The proposed VSL does not use any ambiguous terminology, thereby supporting uniformity and
consistency in the determination of similar penalties for similar violations.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement
The proposed binary VSL uses the same terminology as used in the associated requirement, and is,
therefore, consistent with the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations
The VSLs are based on a single violation and not cumulative violations.
VSLs for EOP-004-2 Requirement R2:
R#: R2
Compliance with NERC’s VSL Guidelines
Meets NERC’s VSL guidelines. There is an incremental aspect to the violation and the VSLs follow the
guidelines for incremental violations.
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence of
Lowering the Current Level of Compliance
The proposed requirement is a revision of EOP-004-1, R3. There is only a Severe VSL for that
requirement. However, the reporting of events is based on timing intervals listed in EOP-004 Attachment
1. Based on the VSL Guidance, the DSR SDT developed four VSLs based on tardiness of the submittal
of the report. If a report is not submitted, then the VSL is Severe. This maintains the current VSL.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the
Determination of Penalties
Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is
Not Consistent
Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language
The proposed VSLs do not use any ambiguous terminology, thereby supporting uniformity and
consistency in the determination of similar penalties for similar violations.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement
The proposed VSLs use the same terminology as used in the associated requirement, and are,
therefore, consistent with the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations
The VSLs are based on a single violation and not cumulative violations.
VSLs for EOP-004-2 Requirement R3:
R#: R3
Compliance with NERC’s VSL Guidelines
Meets NERC’s VSL guidelines. There is an incremental aspect to the violation and the VSLs follow the
guidelines for incremental violations.
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence of
Lowering the Current Level of Compliance
The proposed requirement is a new Requirement. The test of the Operating Plan is based on the calendar
year. Based on the VSL Guidance, the DSR SDT developed four VSLs based on tardiness of the
submittal of the report. If a test is not performed, then the VSL is Severe.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the
Determination of Penalties
Guideline 2a: The Single Violation Severity Level Assignment Category for "Binary" Requirements Is
Not Consistent
Guideline 2b: Violation Severity Level Assignments that Contain Ambiguous Language
The proposed VSLs do not use any ambiguous terminology, thereby supporting uniformity and
consistency in the determination of similar penalties for similar violations.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement
The proposed VSLs use the same terminology as used in the associated requirement, and are,
therefore, consistent with the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations
The VSLs are based on a single violation and not cumulative violations.
Standard CIP-001-2a— Sabotage Reporting
A. Introduction
1. Title: Sabotage Reporting
2. Number: CIP-001-2a
3. Purpose: Disturbances or unusual occurrences, suspected or determined to be caused by
sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory
bodies.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Transmission Owners (only in ERCOT Region).
4.7. Generator Owners (only in ERCOT Region).
5. Effective Date: ERCOT Regional Variance will be effective the first day of
the first calendar quarter after applicable regulatory approval.
B. Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the recognition of and for making
their operating personnel aware of sabotage events on its facilities and multi-site sabotage
affecting larger portions of the Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of information
concerning sabotage events to appropriate parties in the Interconnection.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall provide its operating personnel with sabotage response
guidelines, including personnel to contact, for reporting disturbances due to sabotage events.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall establish communications contacts, as applicable, with
local Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP)
officials and develop reporting procedures as appropriate to their circumstances.
C. Measures
M1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request a procedure (either
electronic or hard copy) as defined in Requirement 1.
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request the procedures or
guidelines that will be used to confirm that it meets Requirements 2 and 3.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request evidence that could
include, but is not limited to procedures, policies, a letter of understanding, communication
records, or other equivalent evidence that will be used to confirm that it has established
communications contacts with the applicable, local FBI or RCMP officials to communicate
sabotage events (Requirement 4).
D. Compliance
1.
Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Regional Reliability Organizations shall be responsible for compliance monitoring.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to verify compliance:
- Self-certification (Conducted annually with submission according to schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made within 60
days of an event or complaint of noncompliance. The entity will have up to 30 days
to prepare for the investigation. An entity may request an extension of the
preparation period and the extension will be considered by the Compliance Monitor
on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Reliability Coordinator, Transmission Operator, Generator Operator, Distribution
Provider, and Load Serving Entity shall have current, in-force documents available as
evidence of compliance as specified in each of the Measures.
If an entity is found non-compliant the entity shall keep information related to the noncompliance until found compliant or for two years plus the current year, whichever is
longer.
Evidence used as part of a triggered investigation shall be retained by the entity being
investigated for one year from the date that the investigation is closed, as determined by
the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested and
submitted subsequent compliance records.
1.4. Additional Compliance Information
None.
2.
Levels of Non-Compliance:
2.1. Level 1: There shall be a separate Level 1 non-compliance, for every one of the
following requirements that is in violation:
2.1.1
Does not have procedures for the recognition of and for making its operating
personnel aware of sabotage events (R1).
2.1.2
Does not have procedures or guidelines for the communication of information
concerning sabotage events to appropriate parties in the Interconnection (R2).
2.1.3
Has not established communications contacts, as specified in R4.
2.2. Level 2: Not applicable.
2.3. Level 3: Has not provided its operating personnel with sabotage response procedures or
guidelines (R3).
2.4. Level 4: Not applicable.
E. ERCOT Interconnection-wide Regional Variance
Requirements
EA.1. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have procedures for the recognition of and for making their operating
personnel aware of sabotage events on its facilities and multi-site sabotage affecting
larger portions of the Interconnection.
EA.2. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have procedures for the communication of information concerning
sabotage events to appropriate parties in the Interconnection.
EA.3. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall provide its operating personnel with sabotage response guidelines,
including personnel to contact, for reporting disturbances due to sabotage events.
EA.4. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall establish communications contacts with local Federal Bureau of
Investigation (FBI) officials and develop reporting procedures as appropriate to their
circumstances.
Measures
M.A.1. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request a procedure (either electronic or hard
copy) as defined in Requirement EA1.
M.A.2. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request the procedures or guidelines that will be
used to confirm that it meets Requirements EA2 and EA3.
M.A.3. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request evidence that could include, but is not
limited to, procedures, policies, a letter of understanding, communication records,
or other equivalent evidence that will be used to confirm that it has established
communications contacts with the local FBI officials to communicate sabotage
events (Requirement EA4).
Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
Regional Entity shall be responsible for compliance monitoring.
1.2. Data Retention
Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have current, in-force documents available as evidence of compliance
as specified in each of the Measures.
If an entity is found non-compliant the entity shall keep information related to the
non-compliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Amended
1 | April 4, 2007 | Regulatory Approval — Effective Date | New
1a | February 16, 2010 | Added Appendix 1 — Interpretation of R2 approved by the NERC Board of Trustees | Addition
1a | February 2, 2011 | Interpretation of R2 approved by FERC on February 2, 2011 | Same addition
 | June 10, 2010 | TRE regional ballot approved variance | By Texas RE
 | August 24, 2010 | Regional Variance Approved by Texas RE Board of Directors |
2a | February 16, 2011 | Approved by NERC Board of Trustees |
2a | August 2, 2011 | FERC Order issued approving Texas RE Regional Variance |
Appendix 1
Requirement Number and Text of Requirement
CIP-001-1:
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of information
concerning sabotage events to appropriate parties in the Interconnection.
Question
Please clarify what is meant by the term, “appropriate parties.” Moreover, who within the Interconnection
hierarchy deems parties to be appropriate?
Response
The drafting team interprets the phrase “appropriate parties in the Interconnection” to refer collectively to
entities with whom the reporting party has responsibilities and/or obligations for the communication of
physical or cyber security event information. For example, reporting responsibilities result from NERC
standards IRO-001 Reliability Coordination — Responsibilities and Authorities, COM-002-2
Communication and Coordination, and TOP-001 Reliability Responsibilities and Authorities, among
others. Obligations to report could also result from agreements, processes, or procedures with other
parties, such as may be found in operating agreements and interconnection agreements.
The drafting team asserts that those entities to which communicating sabotage events is appropriate would
be identified by the reporting entity and documented within the procedure required in CIP-001-1
Requirement R2.
Regarding “who within the Interconnection hierarchy deems parties to be appropriate,” the drafting team
knows of no interconnection authority that has such a role.
Standard EOP-004-1 — Disturbance Reporting
A. Introduction
1. Title: Disturbance Reporting
2. Number: EOP-004-1
3. Purpose: Disturbances or unusual occurrences that jeopardize the operation of the
Bulk Electric System, or result in system equipment damage or customer interruptions,
need to be studied and understood to minimize the likelihood of similar events in the
future.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Regional Reliability Organizations.
5. Effective Date: January 1, 2007
B. Requirements
R1.
Each Regional Reliability Organization shall establish and maintain a Regional
reporting procedure to facilitate preparation of preliminary and final disturbance
reports.
R2.
A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity shall promptly analyze Bulk Electric System
disturbances on its system or facilities.
R3.
A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity experiencing a reportable incident shall provide a
preliminary written report to its Regional Reliability Organization and NERC.
R3.1.
The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator or Load Serving Entity shall submit within 24
hours of the disturbance or unusual occurrence either a copy of the report
submitted to DOE, or, if no DOE report is required, a copy of the NERC
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report form. Events that are not identified until some time after they occur
shall be reported within 24 hours of being recognized.
R3.2.
Applicable reporting forms are provided in Attachments 1-EOP-004 and 2-EOP-004.
R3.3.
Under certain adverse conditions, e.g., severe weather, it may not be possible
to assess the damage caused by a disturbance and issue a written
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report within 24 hours. In such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator, Generator Operator, or Load
Serving Entity shall promptly notify its Regional Reliability Organization(s)
and NERC, and verbally provide as much information as is available at that
time. The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load Serving Entity shall then provide
timely, periodic verbal updates until adequate information is available to issue
a written Preliminary Disturbance Report.
Adopted by Board of Trustees: November 1, 2006
Effective Date: January 1, 2007
R3.4.
If, in the judgment of the Regional Reliability Organization, after consultation
with the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, or Load Serving Entity in which a disturbance occurred, a
final report is required, the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
shall prepare this report within 60 days. As a minimum, the final report shall
have a discussion of the events and its cause, the conclusions reached, and
recommendations to prevent recurrence of this type of event. The report shall
be subject to Regional Reliability Organization approval.
R4.
When a Bulk Electric System disturbance occurs, the Regional Reliability Organization
shall make its representatives on the NERC Operating Committee and Disturbance
Analysis Working Group available to the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
immediately affected by the disturbance for the purpose of providing any needed
assistance in the investigation and to assist in the preparation of a final report.
R5.
The Regional Reliability Organization shall track and review the status of all final
report recommendations at least twice each year to ensure they are being acted upon in
a timely manner. If any recommendation has not been acted on within two years, or if
Regional Reliability Organization tracking and review indicates at any time that any
recommendation is not being acted on with sufficient diligence, the Regional
Reliability Organization shall notify the NERC Planning Committee and Operating
Committee of the status of the recommendation(s) and the steps the Regional
Reliability Organization has taken to accelerate implementation.
C. Measures
M1. The Regional Reliability Organization shall have and provide upon request as
evidence, its current regional reporting procedure that is used to facilitate preparation
of preliminary and final disturbance reports. (Requirement 1)
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity that has a reportable incident shall have and provide
upon request evidence that could include, but is not limited to, the preliminary report,
computer printouts, operator logs, or other equivalent evidence that will be used to
confirm that it prepared and delivered the NERC Interconnection Reliability Operating
Limit and Preliminary Disturbance Reports to NERC within 24 hours of its recognition
as specified in Requirement 3.1.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and/or Load Serving Entity that has a reportable incident shall have and
provide upon request evidence that could include, but is not limited to, operator logs,
voice recordings or transcripts of voice recordings, electronic communications, or other
equivalent evidence that will be used to confirm that it provided information verbally
as time permitted, when system conditions precluded the preparation of a report in 24
hours. (Requirement 3.3)
D. Compliance
1.
Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
NERC shall be responsible for compliance monitoring of the Regional Reliability
Organizations.
Regional Reliability Organizations shall be responsible for compliance monitoring
of Reliability Coordinators, Balancing Authorities, Transmission Operators,
Generator Operators, and Load-serving Entities.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to assess compliance:
- Self-certification (Conducted annually with submission according to
schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to
prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made
within 60 days of an event or complaint of noncompliance. The entity will
have up to 30 days to prepare for the investigation. An entity may request an
extension of the preparation period and the extension will be considered by
the Compliance Monitor on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Regional Reliability Organization shall have its current, in-force, regional
reporting procedure as evidence of compliance. (Measure 1)
Each Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, and/or Load Serving Entity that is either involved in a Bulk
Electric System disturbance or has a reportable incident shall keep data related to
the incident for a year from the event or for the duration of any regional
investigation, whichever is longer. (Measures 2 through 4)
If an entity is found non-compliant the entity shall keep information related to the
noncompliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
1.4. Additional Compliance Information
See Attachments:
- EOP-004 Disturbance Reporting Form
- Table 1 EOP-004
2. Levels of Non-Compliance for a Regional Reliability Organization
2.1. Level 1: Not applicable.
2.2. Level 2: Not applicable.
2.3. Level 3: Not applicable.
2.4. Level 4: No current procedure to facilitate preparation of preliminary and final
disturbance reports as specified in R1.
3. Levels of Non-Compliance for a Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator, and Load-Serving Entity:
3.1. Level 1: There shall be a level one non-compliance if any of the following
conditions exist:
3.1.1 Failed to prepare and deliver the NERC Interconnection Reliability
Operating Limit and Preliminary Disturbance Reports to NERC within 24
hours of its recognition as specified in Requirement 3.1.
3.1.2 Failed to provide disturbance information verbally as time permitted,
when system conditions precluded the preparation of a report in 24 hours
as specified in R3.3.
3.1.3 Failed to prepare a final report within 60 days as specified in R3.4.
3.2. Level 2: Not applicable.
3.3. Level 3: Not applicable.
3.4. Level 4: Not applicable.
E. Regional Differences
None identified.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | May 23, 2005 | Fixed reference to attachments 1-EOP-004-0 and 2-EOP-004-0, Changed chart title 1-FAC-004-0 to 1-EOP-004-0, Fixed title of Table 1 to read 1-EOP-004-0, and fixed font. | Errata
0 | July 6, 2005 | Fixed email in Attachment 1-EOP-004-0 from info@nerc.com to esisac@nerc.com. | Errata
0 | July 26, 2005 | Fixed Header on page 8 to read EOP-004-0 | Errata
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Revised
Attachment 1-EOP-004
NERC Disturbance Report Form
Introduction
These disturbance reporting requirements apply to all Reliability Coordinators, Balancing
Authorities, Transmission Operators, Generator Operators, and Load Serving Entities, and
provide a common basis for all NERC disturbance reporting. The entity on whose system a
reportable disturbance occurs shall notify NERC and its Regional Reliability Organization of the
disturbance using the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report forms. Reports can be sent to NERC via email (esisac@nerc.com) or by
facsimile (609-452-9550) using the NERC Interconnection Reliability Operating Limit and
Preliminary Disturbance Report forms. If a disturbance is to be reported to the U.S. Department
of Energy also, the responding entity may use the DOE reporting form when reporting to NERC.
Note: All Emergency Incident and Disturbance Reports (Schedules 1 and 2) sent to DOE shall be
simultaneously sent to NERC, preferably electronically at esisac@nerc.com.
The NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Reports are
to be made for any of the following events:
1. The loss of a bulk power transmission component that significantly affects the integrity of
interconnected system operations. Generally, a disturbance report will be required if the
event results in actions such as:
a. Modification of operating procedures.
b. Modification of equipment (e.g. control systems or special protection systems) to
prevent reoccurrence of the event.
c. Identification of valuable lessons learned.
d. Identification of non-compliance with NERC standards or policies.
e. Identification of a disturbance that is beyond recognized criteria, i.e. three-phase fault
with breaker failure, etc.
f. Frequency or voltage going below the under-frequency or under-voltage load shed
points.
2. The occurrence of an interconnected system separation or system islanding or both.
3. Loss of generation by a Generator Operator, Balancing Authority, or Load-Serving Entity
2,000 MW or more in the Eastern Interconnection or Western Interconnection and 1,000
MW or more in the ERCOT Interconnection.
4. Equipment failures/system operational actions which result in the loss of firm system
demands for more than 15 minutes, as described below:
a. Entities with a previous year recorded peak demand of more than 3,000 MW are
required to report all such losses of firm demands totaling more than 300 MW.
b. All other entities are required to report all such losses of firm demands totaling more
than 200 MW or 50% of the total customers being supplied immediately prior to the
incident, whichever is less.
5. Firm load shedding of 100 MW or more to maintain the continuity of the bulk electric
system.
6. Any action taken by a Generator Operator, Transmission Operator, Balancing Authority, or
Load-Serving Entity that results in:
a. Sustained voltage excursions equal to or greater than ±10%, or
b. Major damage to power system components, or
c. Failure, degradation, or misoperation of system protection, special protection schemes,
remedial action schemes, or other operating systems that do not require operator
intervention, which did result in, or could have resulted in, a system disturbance as
defined by steps 1 through 5 above.
7. An Interconnection Reliability Operating Limit (IROL) violation as required in reliability
standard TOP-007.
8. Any event that the Operating Committee requests to be submitted to Disturbance Analysis
Working Group (DAWG) for review because of the nature of the disturbance and the
insight and lessons the electricity supply and delivery industry could learn.
NERC Interconnection Reliability Operating Limit and Preliminary Disturbance
Report
Check here if this is an Interconnection Reliability Operating Limit (IROL) violation report.
1. Organization filing report.
2. Name of person filing report.
3. Telephone number.
4. Date and time of disturbance.
Date (mm/dd/yy):
Time/Zone:
5. Did the disturbance originate in your system? Yes / No
6. Describe disturbance including: cause, equipment damage, critical services
interrupted, system separation, key scheduled and actual flows prior to
disturbance and in the case of a disturbance involving a special
protection or remedial action scheme, what action is being taken to prevent
recurrence.
7. Generation tripped.
MW Total
List generation tripped
8. Frequency.
Just prior to disturbance (Hz):
Immediately after disturbance (Hz max.):
Immediately after disturbance (Hz min.):
9. List transmission lines tripped (specify voltage level of each line).
10. FIRM / INTERRUPTIBLE
Demand tripped (MW):
Number of affected Customers:
Demand lost (MW-Minutes):
11. Restoration time. INITIAL / FINAL
Transmission:
Generation:
Demand:
Attachment 2-EOP-004
U.S. Department of Energy Disturbance Reporting Requirements
Introduction
The U.S. Department of Energy (DOE), under its relevant authorities, has established mandatory
reporting requirements for electric emergency incidents and disturbances in the United States.
DOE collects this information from the electric power industry on Form EIA-417 to meet its
overall national security and Federal Energy Management Agency’s Federal Response Plan
(FRP) responsibilities. DOE will use the data from this form to obtain current information
regarding emergency situations on U.S. electric energy supply systems. DOE’s Energy
Information Administration (EIA) will use the data for reporting on electric power emergency
incidents and disturbances in monthly EIA reports. In addition, the data may be used to develop
legislative recommendations, reports to the Congress and as a basis for DOE investigations
following severe, prolonged, or repeated electric power reliability problems.
Every Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator
or Load Serving Entity must use this form to submit mandatory reports of electric power system
incidents or disturbances to the DOE Operations Center, which operates on a 24-hour basis,
seven days a week. All other entities operating electric systems have filing responsibilities to
provide information to the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator or Load Serving Entity when necessary for their reporting obligations and to
file form EIA-417 in cases where these entities will not be involved. EIA requests that it be
notified of those that plan to file jointly and of those electric entities that want to file separately.
Special reporting provisions exist for those electric utilities located within the United States, but
for whom Reliability Coordinator oversight responsibilities are handled by electrical systems
located across an international border. A foreign utility handling U.S. Balancing Authority
responsibilities may wish to file this information voluntarily to the DOE. Any U.S.-based utility
in this international situation needs to inform DOE that these filings will come from a foreign-based
electric system or file the required reports themselves.
Form EIA-417 must be submitted to the DOE Operations Center if any one of the following
applies (see Table 1-EOP-004-0 — Summary of NERC and DOE Reporting Requirements for
Major Electric System Emergencies):
1. Uncontrolled loss of 300 MW or more of firm system load for more than 15 minutes from a
single incident.
2. Load shedding of 100 MW or more implemented under emergency operational policy.
3. System-wide voltage reductions of 3 percent or more.
4. Public appeal to reduce the use of electricity for purposes of maintaining the continuity of the
electric power system.
5. Actual or suspected physical attacks that could impact electric power system adequacy or
reliability; or vandalism, which target components of any security system. Actual or
suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
6. Actual or suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
7. Fuel supply emergencies that could impact electric power system adequacy or reliability.
8. Loss of electric service to more than 50,000 customers for one hour or more.
9. Complete operational failure or shut-down of the transmission and/or distribution electrical
system.
The initial DOE Emergency Incident and Disturbance Report (form EIA-417 – Schedule 1) shall
be submitted to the DOE Operations Center within 60 minutes of the time of the system
disruption. Complete information may not be available at the time of the disruption. However,
provide as much information as is known or suspected at the time of the initial filing. If the
incident is having a critical impact on operations, a telephone notification to the DOE Operations
Center (202-586-8100) is acceptable, pending submission of the completed form EIA-417.
Electronic submission via an on-line web-based form is the preferred method of notification.
However, electronic submission by facsimile or email is acceptable.
An updated form EIA-417 (Schedule 1 and 2) is due within 48 hours of the event to provide
complete disruption information. Electronic submission via facsimile or email is the preferred
method of notification. Detailed DOE Incident and Disturbance reporting requirements can be
found at: http://www.eia.doe.gov/cneaf/electricity/page/form_417.html.
Table 1-EOP-004-0
Summary of NERC and DOE Reporting Requirements for Major Electric System
Emergencies
Incident No. | Incident | Threshold | Report Required | Time
1 | Uncontrolled loss of Firm System Load | ≥ 300 MW – 15 minutes or more | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
2 | Load Shedding | ≥ 100 MW under emergency operational policy | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
3 | Voltage Reductions | 3% or more – applied system-wide | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
4 | Public Appeals | Emergency conditions to reduce demand | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
5 | Physical sabotage, terrorism or vandalism | On physical security systems – suspected or real | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
6 | Cyber sabotage, terrorism or vandalism | If the attempt is believed to have or did happen | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
7 | Fuel supply emergencies | Fuel inventory or hydro storage levels ≤ 50% of normal | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
8 | Loss of electric service | ≥ 50,000 for 1 hour or more | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
9 | Complete operation failure of electrical system | If isolated or interconnected electrical systems suffer total electrical system collapse | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
All DOE EIA-417 Schedule 1 reports are to be filed within 60-minutes after the start of an
incident or disturbance
All DOE EIA-417 Schedule 2 reports are to be filed within 48-hours after the start of an
incident or disturbance
All entities required to file a DOE EIA-417 report (Schedule 1 & 2) shall send a copy of these
reports to NERC simultaneously, but no later than 24 hours after the start of the incident or
disturbance.
Incident No. | Incident | Threshold | Report Required | Time
1 | Loss of major system component | Significantly affects integrity of interconnected system operations | NERC Prelim; Final report | 24 hour; 60 day
2 | Interconnected system separation or system islanding | Total system shutdown; Partial shutdown, separation, or islanding | NERC Prelim; Final report | 24 hour; 60 day
3 | Loss of generation | ≥ 2,000 – Eastern Interconnection; ≥ 2,000 – Western Interconnection; ≥ 1,000 – ERCOT Interconnection | NERC Prelim; Final report | 24 hour; 60 day
4 | Loss of firm load ≥15-minutes | Entities with peak demand ≥3,000: loss ≥300 MW; All others ≥200MW or 50% of total demand | NERC Prelim; Final report | 24 hour; 60 day
5 | Firm load shedding | ≥100 MW to maintain continuity of bulk system | NERC Prelim; Final report | 24 hour; 60 day
6 | System operation or operation actions resulting in: | Voltage excursions ≥10%; Major damage to system components; Failure, degradation, or misoperation of SPS | NERC Prelim; Final report | 24 hour; 60 day
7 | IROL violation | Reliability standard TOP-007. | NERC Prelim; Final report | 72 hour; 60 day
8 | As requested by ORS Chairman | Due to nature of disturbance & usefulness to industry (lessons learned) | NERC Prelim; Final report | 24 hour; 60 day
All NERC Operating Security Limit and Preliminary Disturbance reports will be filed within 24
hours after the start of the incident. If an entity must file a DOE EIA-417 report on an incident,
which requires a NERC Preliminary report, the Entity may use the DOE EIA-417 form for both
DOE and NERC reports.
Any entity reporting a DOE or NERC incident or disturbance has the responsibility to also
notify its Regional Reliability Organization.
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Formal Comment Period Open: August 29 – September 27, 2012
Upcoming:
Successive Ballot and Non-binding Poll: September 18 – September 27, 2012
Now Available
A formal comment period for EOP-004-2 – Event Reporting is open through 8 p.m. Eastern on
Thursday, September 27, 2012.
The drafting team has made the following changes to the standard:
Most of the language contained in the “Background” Section was moved to the “Guidelines and
Technical Basis” Section. Minor language changes were made to the measures and the data
retention section. Attachment 2 was revised to list events in the same order in which they
appear in Attachment 1.
Requirement R1 was revised to include the Parts in the main body of the Requirement. The
Measure and VSLs were updated accordingly.
Following review of the industry’s comments, the SDT has re-examined the FERC Directive in
Order 693 and has dropped both R3 and R4 as they were written and established a new
Requirement R3 to have the Registered Entity “validate” the contact information in the contact
list(s) they may have for the events applicable to them. This validation needs to be performed
each calendar year to ensure that the list(s) have current and up-to-date contact data.
A redline version of EOP-004-2 is not posted because EOP-004-2 is a consolidation of CIP-001-2a and
EOP-004-1. A redline version of EOP-004-2 would be difficult to follow so clean versions of CIP-001-2a
and EOP-004-1 have been posted as a convenience.
Instructions for Commenting
A formal comment period is open through 8 p.m. Eastern on Thursday, September 27, 2012. Please
use this electronic form to submit comments. If you experience any difficulties in using the electronic
form, please contact Monica Benson at monica.benson@nerc.net. An off-line, unofficial copy of the
comment form is posted on the project page.
Please read carefully: All stakeholders with comments (both members of the ballot pool as well as
other stakeholders, including groups such as trade associations and committees) must submit
comments through the electronic comment form. During the ballot window, balloters who wish to
submit comments with their ballot may no longer enter comments on the balloting screen, but may still
enter the comments through the electronic comment form. Balloters who wish to express support for
comments submitted by another entity or group will have an opportunity to enter that information and
are not required to answer any other questions.
Next Steps
A successive ballot of EOP-004-2 and non-binding poll of the associated VRFs and VSLs will be
conducted beginning on Tuesday, September 18, 2012 through 8 p.m. Eastern on Thursday, September
27, 2012.
Background
The DSR SDT has developed EOP-004-2 to replace the current mandatory and enforceable EOP-004-1
and CIP-001-1a standards. The reporting obligations under EOP-004-2 serve to provide input to the
NERC Events Analysis Program. Analysis of events is not required under the proposed standard and any
analysis or investigation will fall under the Event Analysis Program under the NERC Rules of Procedure.
Additional information is available on the project page.
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development
process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 404-446-2560.
North American Electric Reliability Corporation
3353 Peachtree Rd. NE
Suite 600, North Tower
Atlanta, GA 30326
404-446-2560 | www.nerc.com
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Successive Ballot and Non-Binding Poll Results
Now Available
A successive ballot of EOP-004-2 – Event Reporting and a non-binding poll of the associated VRFs/VSLs
concluded on Thursday, September 27, 2012.
Voting statistics for each ballot are listed below, and the Ballots Results page provides a link to the
detailed results.
Updated Results
Ballot Results: Quorum: 78.54%; Approval: 63.40%
Non-binding Poll Results: Quorum: 72.59%; Supportive Opinions: 63.05%
Next Steps
The drafting team is considering the comments received from the comment and ballot periods.
Background
The DSR SDT has developed EOP-004-2 to replace the current mandatory and enforceable EOP-004-1
and CIP-001-1a standards. The reporting obligations under EOP-004-2 serve to provide input to the
NERC Events Analysis Program. Analysis of events is not required under the proposed standard and any
analysis or investigation will fall under the Event Analysis Program under the NERC Rules of Procedure.
Additional information is available on the project page.
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development
process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Process Administrator, at monica.benson@nerc.net or at 404-446-2560.
North American Electric Reliability Corporation
3353 Peachtree Rd. NE
Suite 600, North Tower
Atlanta, GA 30326
404-446-2560 | www.nerc.com
NERC Standards
Ballot Results
Ballot Name: Project 2009-01 Successive Ballot DSR
Ballot Period: 9/18/2012 - 9/27/2012
Ballot Type: Initial
Total # Votes: 333
Total Ballot Pool: 424
Quorum: 78.54 % The Quorum has been reached
Weighted Segment Vote: 63.40 %
Ballot Results: The drafting team will review comments received.
Summary of Ballot Results
Segment | Ballot Pool | Segment Weight | Affirmative # Votes | Affirmative Fraction | Negative # Votes | Negative Fraction | Abstain # Votes | No Vote
1 - Segment 1. | 104 | 1 | 46 | 0.622 | 28 | 0.378 | 10 | 20
2 - Segment 2. | 11 | 0.7 | 3 | 0.3 | 4 | 0.4 | 2 | 2
3 - Segment 3. | 108 | 1 | 45 | 0.57 | 34 | 0.43 | 8 | 21
4 - Segment 4. | 37 | 1 | 20 | 0.714 | 8 | 0.286 | 3 | 6
5 - Segment 5. | 91 | 1 | 44 | 0.698 | 19 | 0.302 | 7 | 21
6 - Segment 6. | 53 | 1 | 23 | 0.697 | 10 | 0.303 | 4 | 16
7 - Segment 7. | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
8 - Segment 8. | 8 | 0.6 | 5 | 0.5 | 1 | 0.1 | 1 | 1
9 - Segment 9. | 4 | 0.2 | 0 | 0 | 2 | 0.2 | 0 | 2
10 - Segment 10. | 8 | 0.6 | 4 | 0.4 | 2 | 0.2 | 0 | 2
Totals | 424 | 7.1 | 190 | 4.501 | 108 | 2.599 | 35 | 91
Individual Ballot Pool Results
Segment
1
1
1
1
1
1
1
1
Organization
Ameren Services
American Electric Power
American Transmission Company, LLC
Arizona Public Service Co.
Associated Electric Cooperative, Inc.
Austin Energy
Avista Corp.
Balancing Authority of Northern California
Member
Kirit Shah
Paul B. Johnson
Andrew Z Pusztai
Robert Smith
John Bussman
James Armke
Scott J Kinney
Kevin Smith
https://standards.nerc.net/BallotResults.aspx?BallotGUID=79bd4900-c37f-43f6-a2a9-417960949685[10/10/2012 9:59:34 AM]
Ballot
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Comments
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Baltimore Gas & Electric Company
BC Hydro and Power Authority
Beaches Energy Services
Black Hills Corp
Bonneville Power Administration
Brazos Electric Power Cooperative, Inc.
CenterPoint Energy Houston Electric, LLC
Central Maine Power Company
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma Power
Clark Public Utilities
Colorado Springs Utilities
Consolidated Edison Co. of New York
CPS Energy
Dairyland Power Coop.
Dayton Power & Light Co.
Deseret Power
Dominion Virginia Power
Duke Energy Carolina
East Kentucky Power Coop.
Empire District Electric Co.
Entergy Services, Inc.
FirstEnergy Corp.
Florida Keys Electric Cooperative Assoc.
Florida Power & Light Co.
Gainesville Regional Utilities
Georgia Transmission Corporation
Grand River Dam Authority
Great River Energy
Hoosier Energy Rural Electric Cooperative,
Inc.
Hydro One Networks, Inc.
Hydro-Quebec TransEnergie
Idaho Power Company
Imperial Irrigation District
International Transmission Company Holdings
Corp
JEA
Kansas City Power & Light Co.
Keys Energy Services
Lakeland Electric
Lee County Electric Cooperative
Lincoln Electric System
Los Angeles Department of Water & Power
Lower Colorado River Authority
Manitoba Hydro
MEAG Power
MidAmerican Energy Co.
Minnkota Power Coop. Inc.
National Grid
Nebraska Public Power District
New Brunswick Power Transmission
Corporation
New York Power Authority
New York State Electric & Gas Corp.
Northeast Utilities
Northern Indiana Public Service Co.
NorthWestern Energy
Ohio Valley Electric Corp.
Oklahoma Gas and Electric Co.
Omaha Public Power District
Oncor Electric Delivery
Orlando Utilities Commission
PacifiCorp
PECO Energy
Platte River Power Authority
Portland General Electric Co.
Potomac Electric Power Co.
Gregory S Miller
Patricia Robertson
Joseph S Stonecipher
Eric Egge
Donald S. Watkins
Tony Kroskey
John Brockhan
Joseph Turano Jr.
Chang G Choi
Jack Stamper
Paul Morland
Christopher L de Graffenried
Richard Castrejana
Robert W. Roddy
Hertzel Shamash
James Tucker
Michael S Crowley
Douglas E. Hils
George S. Carruba
Ralph F Meyer
Edward J Davis
William J Smith
Dennis Minton
Mike O'Neil
Luther E. Fair
Jason Snodgrass
James M Stafford
Gordon Pietsch
Affirmative
Abstain
Negative
Negative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Bob Solomon
Negative
Ajay Garg
Bernard Pelletier
Ronald D Schellberg
Tino Zaragoza
Negative
Abstain
Michael Moltane
Affirmative
Ted Hobson
Michael Gammon
Stanley T Rzad
Larry E Watt
John W Delucca
Doug Bantam
Ly M Le
Martyn Turner
Joe D Petaski
Danny Dees
Terry Harbour
Richard Burt
Saurabh Saksena
Cole C Brodine
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Randy MacDonald
Negative
Arnold J. Schuff
Raymond P Kinney
David Boguslawski
Kevin M Largura
John Canavan
Robert Mattey
Marvin E VanBebber
Doug Peterchuck
Brenda Pulis
Brad Chase
Ryan Millard
Ronald Schloendorn
John C. Collins
John T Walker
David Thorne
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Abstain
Negative
Negative
Affirmative
Negative
Abstain
Affirmative
Abstain
Affirmative
Affirmative
Affirmative
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
PowerSouth Energy Cooperative
PPL Electric Utilities Corp.
Progress Energy Carolinas
Public Service Company of New Mexico
Public Service Electric and Gas Co.
Public Utility District No. 1 of Okanogan
County
Public Utility District No. 2 of Grant County
Puget Sound Energy, Inc.
Raj Rana
Rochester Gas and Electric Corp.
Sacramento Municipal Utility District
Salmon River Electric Cooperative
Salt River Project
Santee Cooper
SCE&G
Seattle City Light
Sho-Me Power Electric Cooperative
Sierra Pacific Power Co.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Services, Inc.
Southern Illinois Power Coop.
Southwest Transmission Cooperative, Inc.
Sunflower Electric Power Corporation
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Tucson Electric Power Co.
United Illuminating Co.
Westar Energy
Western Area Power Administration
Xcel Energy, Inc.
Alberta Electric System Operator
2
BC Hydro
2
2
2
2
2
2
2
2
2
3
3
3
3
3
3
3
3
3
3
3
3
California ISO
Electric Reliability Council of Texas, Inc.
Independent Electricity System Operator
ISO New England, Inc.
Midwest ISO, Inc.
New Brunswick System Operator
New York Independent System Operator
PJM Interconnection, L.L.C.
Southwest Power Pool, Inc.
AEP
Alabama Power Company
Alameda Municipal Power
Ameren Services
American Public Power Association
Anaheim Public Utilities Dept.
APS
Arkansas Electric Cooperative Corporation
Atlantic City Electric Company
BC Hydro and Power Authority
Blachly-Lane Electric Co-op
Bonneville Power Administration
Central Electric Cooperative, Inc. (Redmond,
Oregon)
Central Lincoln PUD
City of Alexandria
City of Austin dba Austin Energy
City of Bartow, Florida
City of Clewiston
City of Farmington
City of Garland
City of Green Cove Springs
City of Palo Alto
1
3
3
3
3
3
3
3
3
3
3
Larry D Avery
Brenda L Truhe
Brett A. Koelsch
Laurie Williams
Kenneth D. Brown
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Dale Dunckel
Affirmative
Kyle M. Hussey
Denise M Lietz
Rajendrasinh D Rana
John C. Allen
Tim Kelley
Kathryn J Spence
Robert Kondziolka
Terry L Blackwell
Henry Delk, Jr.
Pawel Krupa
Denise Stevens
Rich Salgo
Long T Duong
Steven Mavis
Robert A. Schaffeld
William Hutchison
James Jones
Noman Lee Williams
Beth Young
Larry G Akens
Tracy Sliman
John Tolo
Jonathan Appelbaum
Allen Klassen
Brandy A Dunn
Gregory L Pieper
Mark B Thompson
Venkataramakrishnan
Vinnakota
Rich Vine
Charles B Manning
Barbara Constantinescu
Kathleen Goodman
Marie Knox
Alden Briggs
Gregory Campoli
Tom Bowe
Charles H. Yeung
Michael E Deloach
Richard J. Mandes
Douglas Draeger
Mark Peters
Nathan Mitchell
Kelly Nguyen
Steven Norris
Philip Huff
NICOLE BUCKMAN
Pat G. Harrington
Bud Tracy
Rebecca Berdahl
Negative
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Negative
Affirmative
Negative
Affirmative
Abstain
Abstain
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Abstain
Affirmative
Affirmative
Affirmative
Abstain
Negative
Negative
Dave Markham
Negative
Steve Alexanderson
Michael Marcotte
Andrew Gallo
Matt Culverhouse
Lynne Mila
Linda R Jacobson
Ronnie C Hoeinghaus
Gregg R Griffin
Eric R Scott
Negative
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Affirmative
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
City of Redding
Clatskanie People's Utility District
Clearwater Power Co.
Cleco Corporation
Colorado Springs Utilities
ComEd
Consolidated Edison Co. of New York
Constellation Energy
Consumers Energy
Consumers Power Inc.
Coos-Curry Electric Cooperative, Inc
Cowlitz County PUD
CPS Energy
Delmarva Power & Light Co.
Detroit Edison Company
Dominion Resources Services
Duke Energy Carolina
Entergy
Fall River Rural Electric Cooperative
FirstEnergy Energy Delivery
Florida Municipal Power Agency
Florida Power Corporation
Georgia Power Company
Georgia Systems Operations Corporation
Grays Harbor PUD
Great River Energy
Gulf Power Company
Hydro One Networks, Inc.
Imperial Irrigation District
JEA
Kansas City Power & Light Co.
Kissimmee Utility Authority
Kootenai Electric Cooperative
Lakeland Electric
Lane Electric Cooperative, Inc.
Lincoln Electric System
Los Angeles Department of Water & Power
Louisville Gas and Electric Co.
Manitoba Hydro
Manitowoc Public Utilities
MidAmerican Energy Co.
Mississippi Power
Modesto Irrigation District
Municipal Electric Authority of Georgia
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
Niagara Mohawk (National Grid Company)
North Carolina Electric Membership Corp.
Northern Indiana Public Service Co.
Northern Lights Inc.
Ocala Electric Utility
Old Dominion Electric Coop.
Orange and Rockland Utilities, Inc.
Orlando Utilities Commission
Owensboro Municipal Utilities
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
PNM Resources
Potomac Electric Power Co.
Progress Energy Carolinas
Public Service Electric and Gas Co.
Public Utility District No. 1 of Benton County
Public Utility District No. 1 of Clallam County
Puget Sound Energy, Inc.
Raft River Rural Electric Cooperative
Bill Hughes
Brian Fawcett
Dave Hagen
Michelle A Corley
Charles Morgan
Bruce Krawczyk
Peter T Yost
CJ Ingersoll
Richard Blumenstock
Roman Gillen
Roger Meader
Russell A Noble
Jose Escamilla
Michael R. Mayer
Kent Kujala
Michael F. Gildea
Henry Ernst-Jr
Joel T Plessinger
Bryan Case
Stephan Kern
Joe McKinney
Lee Schuster
Anthony L Wilson
William N. Phinney
Wesley W Gray
Brian Glover
Paul C Caldwell
David Kiguel
Jesus S. Alcaraz
Garry Baker
Charles Locke
Gregory D Woessner
Dave Kahly
Norman D Harryhill
Rick Crinklaw
Jason Fortik
Daniel D Kurowski
Charles A. Freibert
Greg C. Parent
Thomas E Reed
Thomas C. Mielnik
Jeff Franklin
Jack W Savage
Steven M. Jackson
John S Bos
Tony Eddleman
Marilyn Brown
Michael Schiavone
Doug White
William SeDoris
Jon Shelby
David Anderson
Bill Watson
David Burke
Ballard K Mutters
Thomas T Lyons
John H Hagen
Dan Zollner
Terry L Baker
Michael Mertz
Robert Reuter
Sam Waters
Jeffrey Mueller
Gloria Bender
David Proebstel
Erin Apperson
Heber Carpenter
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Negative
Negative
Negative
Affirmative
Affirmative
Negative
Negative
Abstain
Affirmative
Negative
Affirmative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Negative
Negative
Abstain
Abstain
Negative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
5
5
5
5
5
5
5
5
5
Rutherford EMC
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South Carolina Electric & Gas Co.
Southern California Edison Co.
Southern Maryland Electric Coop.
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Umatilla Electric Cooperative
Westar Energy
Wisconsin Electric Power Marketing
Wisconsin Public Service Corp.
Xcel Energy, Inc.
Alliant Energy Corp. Services, Inc.
American Municipal Power
Arkansas Electric Cooperative Corporation
Blue Ridge Power Agency
Central Lincoln PUD
City of Austin dba Austin Energy
City of Clewiston
City of New Smyrna Beach Utilities
Commission
City of Redding
City Utilities of Springfield, Missouri
Consumers Energy
Cowlitz County PUD
Detroit Edison Company
Flathead Electric Cooperative
Florida Municipal Power Agency
Fort Pierce Utilities Authority
Georgia System Operations Corporation
Illinois Municipal Electric Agency
Imperial Irrigation District
Indiana Municipal Power Agency
Integrys Energy Group, Inc.
LaGen
Madison Gas and Electric Co.
North Carolina Electric Membership Corp.
Northern California Power Agency
Ohio Edison Company
Oklahoma Municipal Power Authority
Pacific Northwest Generating Cooperative
Public Utility District No. 1 of Douglas County
Public Utility District No. 1 of Snohomish
County
Sacramento Municipal Utility District
Seattle City Light
South Mississippi Electric Power Association
Tacoma Public Utilities
West Oregon Electric Cooperative, Inc.
White River Electric Association Inc.
Wisconsin Energy Corp.
AEP Service Corp.
AES Corporation
Amerenue
Arizona Public Service Co.
Avista Corp.
BC Hydro and Power Authority
Black Hills Corp
Boise-Kuna Irrigation District/dba Lucky peak
power plant project
Bonneville Power Administration
Thomas M Haire
James Leigh-Kendall
John T. Underhill
James M Poston
Dana Wheelock
James R Frauen
Mark Oens
Hubert C Young
David B Coher
Mark R Jones
Travis Metcalfe
Ronald L. Donahey
Ian S Grant
Janelle Marriott
Steve Eldrige
Bo Jones
James R Keller
Gregory J Le Grave
Michael Ibold
Kenneth Goldsmith
Kevin Koloini
Ronnie Frizzell
Duane S Dahlquist
Shamus J Gamache
Reza Ebrahimian
Kevin McCarthy
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Tim Beyrle
Affirmative
Nicholas Zettel
John Allen
David Frank Ronk
Rick Syring
Daniel Herring
Russ Schneider
Frank Gaffney
Thomas Richards
Guy Andrews
Bob C. Thomas
Diana U Torres
Jack Alvey
Christopher Plante
Richard Comeaux
Joseph DePoorter
Bob Beadle
Tracy R Bibb
Douglas Hohlbaugh
Ashley Stringer
Aleka K Scott
Henry E. LuBean
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Affirmative
Affirmative
Negative
Affirmative
John D Martinsen
Affirmative
Mike Ramirez
Hao Li
Steven McElhaney
Keith Morisette
Marc M Farmer
Frank L. Sampson
Anthony Jankowski
Brock Ondayko
Leo Bernier
Sam Dwyer
Edward Cambridge
Edward F. Groce
Clement Ma
George Tatar
Affirmative
Affirmative
Mike D Kukla
Francis J. Halpin
Negative
Negative
Abstain
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Abstain
Abstain
Negative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
BrightSource Energy, Inc.
Caithness Long Island, LLC
Chelan County Public Utility District #1
City and County of San Francisco
City of Austin dba Austin Energy
City of Redding
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma Power
City of Tallahassee
City Water, Light & Power of Springfield
Cogentrix Energy, Inc.
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Power Source Generation, Inc.
Consumers Energy Company
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources, Inc.
Duke Energy
Dynegy Inc.
E.ON Climate & Renewables North America,
LLC
Edison Mission Energy
Electric Power Supply Association
Exelon Nuclear
ExxonMobil Research and Engineering
FirstEnergy Solutions
Florida Municipal Power Agency
Great River Energy
Green Country Energy
Imperial Irrigation District
Indeck Energy Services, Inc.
JEA
Kissimmee Utility Authority
Lakeland Electric
Liberty Electric Power LLC
Lincoln Electric System
Los Angeles Department of Water & Power
Lower Colorado River Authority
Luminant Generation Company LLC
Manitoba Hydro
Massachusetts Municipal Wholesale Electric
Company
MEAG Power
MidAmerican Energy Co.
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
NextEra Energy
North Carolina Electric Membership Corp.
Northern California Power Agency
Northern Indiana Public Service Co.
Occidental Chemical
Omaha Public Power District
Orlando Utilities Commission
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Generation LLC
Progress Energy Carolinas
PSEG Fossil LLC
Public Utility District No. 1 of Lewis County
Puget Sound Energy, Inc.
Sacramento Municipal Utility District
Salt River Project
Chifong Thomas
Jason M Moore
John Yale
Daniel Mason
Jeanie Doty
Paul A. Cummings
Abstain
Negative
Affirmative
Affirmative
Max Emrick
Brian Horton
Steve Rose
Mike D Hirst
Jennifer Eckels
Wilket (Jack) Ng
Amir Y Hammad
David C Greyerbiehl
Bob Essex
Robert Stevens
Christy Wicke
Mike Garton
Dale Q Goodwine
Dan Roethemeyer
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Negative
Affirmative
Dana Showalter
Ellen Oswald
John R Cashin
Michael Korchynsky
Martin Kaufman
Kenneth Dresner
David Schumann
Preston L Walsh
Greg Froehling
Marcela Y Caballero
Rex A Roehl
John J Babik
Mike Blough
James M Howard
Daniel Duff
Dennis Florom
Kenneth Silver
Tom Foreman
Mike Laney
S N Fernando
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
David Gordon
Affirmative
Steven Grego
Christopher Schneider
Mike Avesing
Don Schmit
Gerald Mannarino
Allen D Schriver
Jeffrey S Brame
Hari Modi
William O. Thompson
Michelle R DAntuono
Mahmood Z. Safi
Richard K Kinas
Richard J. Padilla
Sandra L. Shaffer
Roland Thiel
Gary L Tingley
Tim Hattaway
Annette M Bannon
Wayne Lewis
Tim Kucey
Steven Grega
Tom Flynn
Bethany Hunter
William Alkema
Affirmative
Abstain
Abstain
Affirmative
Affirmative
Negative
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Siemens PTI
Snohomish County PUD No. 1
South Mississippi Electric Power Association
Southern California Edison Co.
Southern Company Generation
Tampa Electric Co.
Tenaska, Inc.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
U.S. Army Corps of Engineers
Vandolah Power Company L.L.C.
Wisconsin Electric Power Co.
Wisconsin Public Service Corp.
Xcel Energy, Inc.
ACES Power Marketing
AEP Marketing
Ameren Energy Marketing Co.
APS
Arkansas Electric Cooperative Corporation
Bonneville Power Administration
City of Austin dba Austin Energy
City of Redding
Cleco Power LLC
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Energy Commodities Group
Dominion Resources, Inc.
Duke Energy Carolina
Entergy Services, Inc.
Exelon Power Team
FirstEnergy Solutions
Florida Municipal Power Agency
Florida Municipal Power Pool
Florida Power & Light Co.
Imperial Irrigation District
Kansas City Power & Light Co.
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water & Power
Luminant Energy
Manitoba Hydro
MidAmerican Energy Co.
New York Power Authority
North Carolina Municipal Power Agency #1
Northern Indiana Public Service Co.
Omaha Public Power District
Orlando Utilities Commission
PacifiCorp
Platte River Power Authority
PPL EnergyPlus LLC
Progress Energy
PSEG Energy Resources & Trade LLC
Public Utility District No. 1 of Chelan County
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Generation and Energy
Marketing
Tacoma Public Utilities
Tampa Electric Co.
Lewis P Pierce
Michael J. Haynes
Brenda K. Atkins
Edwin Cano
Sam Nietfeld
Jerry W Johnson
Denise Yaffe
William D Shultz
RJames Rocha
Scott M. Helyer
David Thompson
Barry Ingold
Melissa Kurtz
Douglas A. Jensen
Linda Horn
Leonard Rentmeester
Liam Noailles
Jason L Marshall
Edward P. Cox
Jennifer Richardson
Randy A. Young
Keith Sugg
Brenda S. Anderson
Lisa L Martin
Marvin Briggs
Robert Hirchak
Lisa C Rosintoski
Nickesha P Carrol
Brenda L Powell
Louis S. Slade
Walter Yeager
Terri F Benoit
Pulin Shah
Kevin Querry
Richard L. Montgomery
Thomas Washburn
Silvia P. Mitchell
Cathy Bretz
Jessica L Klinghoffer
Paul Shipps
Eric Ruskamp
Brad Packer
Brad Jones
Daniel Prowse
Dennis Kimm
William Palazzo
Matthew Schull
Joseph O'Brien
David Ried
Claston Augustus Sunanon
Scott L Smith
Carol Ballantine
Mark A Heimbach
John T Sturgeon
Peter Dolan
Hugh A. Owen
Diane Enderby
Steven J Hulet
Michael Brown
Dennis Sismaet
Trudy S. Novak
William T Moojen
Lujuanna Medina
Negative
Affirmative
Affirmative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Negative
Abstain
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Abstain
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Affirmative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
John J. Ciza
Negative
Michael C Hill
Benjamin F Smith II
Negative
6
6
6
6
8
8
8
8
8
8
8
8
9
9
9
9
10
10
10
10
10
10
10
10
Tennessee Valley Authority
Westar Energy
Western Area Power Administration - UGP
Marketing
Xcel Energy, Inc.
JDRJC Associates
Pacific Northwest Generating Cooperative
Power Energy Group LLC
Utility Services, Inc.
Volkmann Consulting, Inc.
California Energy Commission
Commonwealth of Massachusetts Department
of Public Utilities
National Association of Regulatory Utility
Commissioners
New York State Department of Public Service
Midwest Reliability Organization
New York State Reliability Council
Northeast Power Coordinating Council
ReliabilityFirst Corporation
SERC Reliability Corporation
Southwest Power Pool RE
Texas Reliability Entity, Inc.
Western Electricity Coordinating Council
Marjorie S. Parsons
Grant L Wilkerson
Negative
Negative
Peter H Kinney
Affirmative
David F. Lemmons
James A Maenner
Roger C Zaklukiewicz
Edward C Stein
Jim Cyrulewski
Margaret Ryan
Peggy Abbadini
Brian Evans-Mongeon
Terry Volkmann
William M Chamberlain
Affirmative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Donald Nelson
Negative
Diane J. Barney
Negative
Thomas Dvorsky
James D Burley
Alan Adamson
Guy V. Zito
Anthony E Jablonski
Carter B. Edge
Emily Pennel
Donald G Jones
Steven L. Rueckert
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Non-binding Poll Results
Project 2009-01: Disturbance and Sabotage Reporting
Non-binding Poll Name: Project 2009-01 DSR Non-binding Poll
Poll Period: 9/18/2012 - 9/27/2012
Total # Opinions: 286
Total Ballot Pool: 394
Summary Results: 72.59% of those who registered to participate provided an opinion or an abstention; 63.05% of those who provided an opinion indicated support for the VRFs and VSLs.
Individual Ballot Pool Results
Segment
Organization
1
1
1
1
1
1
1
1
Ameren Services
American Electric Power
American Transmission Company, LLC
Arizona Public Service Co.
Associated Electric Cooperative, Inc.
Avista Corp.
Balancing Authority of Northern
California
Baltimore Gas & Electric Company
BC Hydro and Power Authority
Beaches Energy Services
Black Hills Corp
Bonneville Power Administration
Brazos Electric Power Cooperative, Inc.
CenterPoint Energy Houston Electric,
LLC
Central Maine Power Company
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma
Power
Clark Public Utilities
Colorado Springs Utilities
1
Consolidated Edison Co. of New York
1
1
1
1
1
CPS Energy
Dairyland Power Coop.
Dayton Power & Light Co.
Deseret Power
Dominion Virginia Power
1
1
1
1
1
1
1
1
1
1
Non-binding Poll Results: Project 2009-01
Member
Kirit Shah
Paul B. Johnson
Andrew Z Pusztai
Robert Smith
John Bussman
Scott J Kinney
Kevin Smith
Gregory S Miller
Patricia Robertson
Joseph S Stonecipher
Eric Egge
Donald S. Watkins
Tony Kroskey
John Brockhan
Joseph Turano Jr.
Chang G Choi
Jack Stamper
Paul Morland
Christopher L de
Graffenried
Richard Castrejana
Robert W. Roddy
Hertzel Shamash
James Tucker
Michael S Crowley
Ballot
Comments
Affirmative
Abstain
Affirmative
Affirmative
Abstain
Abstain
Negative
Negative
Negative
Abstain
Affirmative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Duke Energy Carolina
East Kentucky Power Coop.
Empire District Electric Co.
Entergy Services, Inc.
FirstEnergy Corp.
Florida Keys Electric Cooperative Assoc.
Florida Power & Light Co.
Gainesville Regional Utilities
Georgia Transmission Corporation
Grand River Dam Authority
Great River Energy
Hoosier Energy Rural Electric
Cooperative, Inc.
Hydro One Networks, Inc.
Hydro-Quebec TransEnergie
Idaho Power Company
Imperial Irrigation District
International Transmission Company
Holdings Corp
JEA
Kansas City Power & Light Co.
Keys Energy Services
Lakeland Electric
Lee County Electric Cooperative
Lincoln Electric System
Los Angeles Department of Water &
Power
Lower Colorado River Authority
Manitoba Hydro
MEAG Power
MidAmerican Energy Co.
Minnkota Power Coop. Inc.
National Grid
Nebraska Public Power District
New Brunswick Power Transmission
Corporation
New York Power Authority
New York State Electric & Gas Corp.
Northeast Utilities
Northern Indiana Public Service Co.
NorthWestern Energy
Ohio Valley Electric Corp.
Oklahoma Gas and Electric Co.
Omaha Public Power District
Oncor Electric Delivery
Orlando Utilities Commission
PacifiCorp
PECO Energy
Douglas E. Hils
George S. Carruba
Ralph F Meyer
Edward J Davis
William J Smith
Dennis Minton
Mike O'Neil
Luther E. Fair
Jason Snodgrass
James M Stafford
Gordon Pietsch
Bob Solomon
Negative
Negative
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Ajay Garg
Bernard Pelletier
Ronald D. Schellberg
Tino Zaragoza
Abstain
Michael Moltane
Abstain
Ted Hobson
Michael Gammon
Stanley T Rzad
Larry E Watt
John W Delucca
Doug Bantam
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Ly M Le
Martyn Turner
Joe D Petaski
Danny Dees
Terry Harbour
Richard Burt
Saurabh Saksena
Cole C Brodine
Affirmative
Negative
Affirmative
Affirmative
Negative
Randy MacDonald
Abstain
Arnold J. Schuff
Raymond P Kinney
David Boguslawski
Kevin M Largura
John Canavan
Robert Mattey
Marvin E VanBebber
Doug Peterchuck
Brenda Pulis
Brad Chase
Ryan Millard
Ronald Schloendorn
Affirmative
Abstain
Affirmative
Abstain
Negative
Negative
Affirmative
Abstain
Abstain
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
2
2
2
2
2
2
2
2
2
3
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Electric Utilities Corp.
Progress Energy Carolinas
Public Service Company of New Mexico
Public Service Electric and Gas Co.
Public Utility District No. 1 of Okanogan
County
Puget Sound Energy, Inc.
Rochester Gas and Electric Corp.
Sacramento Municipal Utility District
Salmon River Electric Cooperative
Salt River Project
Santee Cooper
SCE&G
Seattle City Light
Sho-Me Power Electric Cooperative
Sierra Pacific Power Co.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Services, Inc.
Southern Illinois Power Coop.
Southwest Transmission Cooperative,
Inc.
Southwestern Power Administration
Sunflower Electric Power Corporation
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Tucson Electric Power Co.
United Illuminating Co.
Westar Energy
Western Area Power Administration
Xcel Energy, Inc.
Alberta Electric System Operator
John C. Collins
John T Walker
Larry D Avery
Brenda L Truhe
Brett A. Koelsch
Laurie Williams
Kenneth D. Brown
Abstain
Affirmative
Negative
Affirmative
Abstain
Abstain
Abstain
Dale Dunckel
Affirmative
Denise M Lietz
John C. Allen
Tim Kelley
Kathryn J Spence
Robert Kondziolka
Terry L Blackwell
Henry Delk, Jr.
Pawel Krupa
Denise Stevens
Rich Salgo
Long T Duong
Steven Mavis
Robert A. Schaffeld
William Hutchison
Negative
Affirmative
Abstain
Affirmative
Affirmative
Negative
James Jones
Angela L Summer
Noman Lee Williams
Beth Young
Larry G Akens
Tracy Sliman
John Tolo
Jonathan Appelbaum
Allen Klassen
Brandy A Dunn
Gregory L Pieper
Mark B Thompson
Venkataramakrishnan
BC Hydro
Vinnakota
California ISO
Rich Vine
Electric Reliability Council of Texas, Inc. Charles B Manning
Independent Electricity System
Barbara Constantinescu
Operator
Midwest ISO, Inc.
Marie Knox
New Brunswick System Operator
Alden Briggs
New York Independent System Operator Gregory Campoli
PJM Interconnection, L.L.C.
Tom Bowe
Southwest Power Pool, Inc.
Charles H. Yeung
AEP
Michael E Deloach
Abstain
Affirmative
Abstain
Affirmative
Negative
Negative
Negative
Abstain
Negative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Abstain
Abstain
Abstain
Negative
Abstain
Abstain
Negative
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
Alabama Power Company
Ameren Services
Anaheim Public Utilities Dept.
APS
Arkansas Electric Cooperative
Corporation
BC Hydro and Power Authority
Bonneville Power Administration
Central Lincoln PUD
City of Austin dba Austin Energy
City of Bartow, Florida
City of Clewiston
City of Farmington
City of Garland
City of Green Cove Springs
City of Redding
Clatskanie People's Utility District
Cleco Corporation
Colorado Springs Utilities
ComEd
Consolidated Edison Co. of New York
Constellation Energy
Consumers Energy
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources Services
Duke Energy Carolina
Entergy
FirstEnergy Energy Delivery
Florida Municipal Power Agency
Florida Power Corporation
Georgia Power Company
Georgia Systems Operations
Corporation
Grays Harbor PUD
Great River Energy
Gulf Power Company
Hydro One Networks, Inc.
Imperial Irrigation District
JEA
Kansas City Power & Light Co.
Kissimmee Utility Authority
Kootenai Electric Cooperative
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water &
Power
Richard J. Mandes
Mark Peters
Kelly Nguyen
Steven Norris
Philip Huff
Pat G. Harrington
Rebecca Berdahl
Steve Alexanderson
Andrew Gallo
Matt Culverhouse
Lynne Mila
Linda R Jacobson
Ronnie C Hoeinghaus
Gregg R Griffin
Bill Hughes
Brian Fawcett
Michelle A Corley
Charles Morgan
Bruce Krawczyk
Peter T Yost
CJ Ingersoll
Richard Blumenstock
Russell A Noble
Jose Escamilla
Kent Kujala
Michael F. Gildea
Henry Ernst-Jr
Joel T Plessinger
Stephan Kern
Joe McKinney
Lee Schuster
Anthony L Wilson
Affirmative
Affirmative
Abstain
Abstain
Negative
Abstain
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Abstain
Affirmative
Affirmative
Abstain
Affirmative
Negative
Affirmative
Negative
Abstain
Affirmative
Affirmative
Affirmative
Negative
William N. Phinney
Affirmative
Wesley W Gray
Brian Glover
Paul C Caldwell
David Kiguel
Jesus S. Alcaraz
Garry Baker
Charles Locke
Gregory D Woessner
Dave Kahly
Norman D Harryhill
Jason Fortik
Affirmative
Negative
Negative
Abstain
Abstain
Affirmative
Daniel D Kurowski
Affirmative
Abstain
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
4
4
4
Louisville Gas and Electric Co.
Manitoba Hydro
Manitowoc Public Utilities
MidAmerican Energy Co.
Mississippi Power
Modesto Irrigation District
Municipal Electric Authority of Georgia
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
Niagara Mohawk (National Grid
Company)
North Carolina Electric Membership
Corp.
Northern Indiana Public Service Co.
Ocala Electric Utility
Old Dominion Electric Coop.
Orange and Rockland Utilities, Inc.
Orlando Utilities Commission
Owensboro Municipal Utilities
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
PNM Resources
Potomac Electric Power Co.
Progress Energy Carolinas
Public Service Electric and Gas Co.
Public Utility District No. 1 of Clallam
County
Puget Sound Energy, Inc.
Rutherford EMC
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South Carolina Electric & Gas Co.
Southern Maryland Electric Coop.
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Westar Energy
Xcel Energy, Inc.
Alliant Energy Corp. Services, Inc.
American Municipal Power
Arkansas Electric Cooperative
Charles A. Freibert
Greg C. Parent
Thomas E Reed
Thomas C. Mielnik
Jeff Franklin
Jack W Savage
Steven M. Jackson
John S Bos
Tony Eddleman
Marilyn Brown
Michael Schiavone
Negative
Affirmative
Negative
Negative
Affirmative
Negative
Abstain
Affirmative
Doug White
William SeDoris
David Anderson
Bill Watson
David Burke
Ballard K Mutters
Thomas T Lyons
John H Hagen
Dan Zollner
Terry L Baker
Michael Mertz
Robert Reuter
Sam Waters
Jeffrey Mueller
Affirmative
Affirmative
Affirmative
Abstain
Negative
Affirmative
Abstain
Abstain
David Proebstel
Erin Apperson
Thomas M Haire
James Leigh-Kendall
John T. Underhill
James M Poston
Dana Wheelock
James R Frauen
Mark Oens
Hubert C Young
Mark R Jones
Travis Metcalfe
Ronald L Donahey
Ian S Grant
Janelle Marriott
Bo Jones
Michael Ibold
Kenneth Goldsmith
Kevin Koloini
Ronnie Frizzell
Negative
Negative
Abstain
Affirmative
Negative
Abstain
Affirmative
Affirmative
Negative
Abstain
Affirmative
Negative
Abstain
Affirmative
Negative
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
5
5
5
5
5
5
5
5
5
5
5
5
5
Corporation
Blue Ridge Power Agency
Duane S Dahlquist
Central Lincoln PUD
Shamus J Gamache
City of Austin dba Austin Energy
Reza Ebrahimian
City of Clewiston
Kevin McCarthy
City of New Smyrna Beach Utilities
Tim Beyrle
Commission
City of Redding
Nicholas Zettel
City Utilities of Springfield, Missouri
John Allen
Consumers Energy
David Frank Ronk
Cowlitz County PUD
Rick Syring
Detroit Edison Company
Daniel Herring
Flathead Electric Cooperative
Russ Schneider
Florida Municipal Power Agency
Frank Gaffney
Fort Pierce Utilities Authority
Thomas Richards
Georgia System Operations Corporation Guy Andrews
Illinois Municipal Electric Agency
Bob C. Thomas
Imperial Irrigation District
Diana U Torres
Indiana Municipal Power Agency
Jack Alvey
Integrys Energy Group, Inc.
Christopher Plante
LaGen
Richard Comeaux
Madison Gas and Electric Co.
Joseph DePoorter
Northern California Power Agency
Tracy R Bibb
Ohio Edison Company
Douglas Hohlbaugh
Public Utility District No. 1 of Douglas
Henry E. LuBean
County
Public Utility District No. 1 of Snohomish
John D Martinsen
County
Sacramento Municipal Utility District
Mike Ramirez
Seattle City Light
Hao Li
South Mississippi Electric Power
Steven McElhaney
Association
Tacoma Public Utilities
Keith Morisette
Wisconsin Energy Corp.
Anthony Jankowski
AEP Service Corp.
Brock Ondayko
AES Corporation
Leo Bernier
Amerenue
Sam Dwyer
Arizona Public Service Co.
Edward Cambridge
Avista Corp.
Edward F. Groce
BC Hydro and Power Authority
Clement Ma
Black Hills Corp
George Tatar
Boise-Kuna Irrigation District/dba Lucky
Mike D Kukla
peak power plant project
Bonneville Power Administration
Francis J. Halpin
BrightSource Energy, Inc.
Chifong Thomas
Caithness Long Island, LLC
Jason M Moore
Chelan County Public Utility District #1 John Yale
City and County of San Francisco
Daniel Mason
Affirmative
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Affirmative
Affirmative
Abstain
Abstain
Abstain
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Negative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Abstain
Abstain
Negative
Abstain
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
City of Austin dba Austin Energy
City of Redding
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma
Power
City of Tallahassee
City Water, Light & Power of Springfield
Cleco Power
Cogentrix Energy, Inc.
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Power Source Generation,
Inc.
Consumers Energy Company
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources, Inc.
Duke Energy
Dynegy Inc.
E.ON Climate & Renewables North
America, LLC
Edison Mission Energy
Electric Power Supply Association
Exelon Nuclear
ExxonMobil Research and Engineering
FirstEnergy Solutions
Florida Municipal Power Agency
Gainesville Regional Utilities
Great River Energy
Green Country Energy
Imperial Irrigation District
Indeck Energy Services, Inc.
JEA
Kissimmee Utility Authority
Lakeland Electric
Liberty Electric Power LLC
Lincoln Electric System
Los Angeles Department of Water &
Power
Lower Colorado River Authority
Luminant Generation Company LLC
Manitoba Hydro
Massachusetts Municipal Wholesale
Electric Company
MEAG Power
MidAmerican Energy Co.
Muscatine Power & Water
Nebraska Public Power District
Jeanie Doty
Paul A. Cummings
Affirmative
Affirmative
Max Emrick
Brian Horton
Steve Rose
Stephanie Huffman
Mike D Hirst
Jennifer Eckels
Wilket (Jack) Ng
Affirmative
Abstain
Negative
Affirmative
Affirmative
Amir Y Hammad
David C Greyerbiehl
Bob Essex
Robert Stevens
Christy Wicke
Mike Garton
Dale Q Goodwine
Dan Roethemeyer
Negative
Affirmative
Negative
Negative
Affirmative
Dana Showalter
Ellen Oswald
John R Cashin
Michael Korchynsky
Martin Kaufman
Kenneth Dresner
David Schumann
Karen C Alford
Preston L Walsh
Greg Froehling
Marcela Y Caballero
Rex A Roehl
John J Babik
Mike Blough
James M Howard
Daniel Duff
Dennis Florom
Negative
Affirmative
Kenneth Silver
Affirmative
Tom Foreman
Mike Laney
S N Fernando
Abstain
Affirmative
Negative
David Gordon
Abstain
Steven Grego
Christopher Schneider
Mike Avesing
Don Schmit
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
6
6
6
6
6
6
6
6
6
New York Power Authority
NextEra Energy
North Carolina Electric Membership
Corp.
Northern California Power Agency
Northern Indiana Public Service Co.
Occidental Chemical
Omaha Public Power District
Orlando Utilities Commission
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Generation LLC
Progress Energy Carolinas
PSEG Fossil LLC
Public Utility District No. 1 of Lewis
County
Puget Sound Energy, Inc.
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Siemens PTI
Snohomish County PUD No. 1
South Mississippi Electric Power
Association
Southern California Edison Co.
Southern Company Generation
Tampa Electric Co.
Tenaska, Inc.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
U.S. Army Corps of Engineers
Vandolah Power Company L.L.C.
Xcel Energy, Inc.
ACES Power Marketing
AEP Marketing
Ameren Energy Marketing Co.
APS
Arkansas Electric Cooperative
Corporation
Bonneville Power Administration
City of Austin dba Austin Energy
City of Redding
Cleco Power LLC
Gerald Mannarino
Allen D Schriver
Negative
Jeffrey S Brame
Negative
Hari Modi
William O. Thompson
Michelle R DAntuono
Mahmood Z. Safi
Richard K Kinas
Richard J. Padilla
Sandra L. Shaffer
Roland Thiel
Gary L Tingley
Tim Hattaway
Annette M Bannon
Wayne Lewis
Tim Kucey
Steven Grega
Tom Flynn
Bethany Hunter
William Alkema
Lewis P Pierce
Michael J. Haynes
Brenda K. Atkins
Edwin Cano
Sam Nietfeld
Affirmative
Affirmative
Affirmative
Negative
Abstain
Abstain
Affirmative
Negative
Affirmative
Abstain
Negative
Affirmative
Abstain
Affirmative
Negative
Abstain
Affirmative
Affirmative
Jerry W Johnson
Denise Yaffe
William D Shultz
RJames Rocha
Scott M. Helyer
David Thompson
Barry Ingold
Melissa Kurtz
Douglas A. Jensen
Liam Noailles
Jason L Marshall
Edward P. Cox
Jennifer Richardson
Randy A. Young
Negative
Negative
Affirmative
Abstain
Abstain
Affirmative
Abstain
Negative
Affirmative
Affirmative
Keith Sugg
Brenda S. Anderson
Lisa L Martin
Marvin Briggs
Robert Hirchak
Negative
Affirmative
Affirmative
Abstain
6
6
6
6
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Energy Commodities
Group
Dominion Resources, Inc.
Duke Energy Carolina
Entergy Services, Inc.
Exelon Power Team
FirstEnergy Solutions
Florida Municipal Power Agency
Florida Municipal Power Pool
Florida Power & Light Co.
Imperial Irrigation District
Kansas City Power & Light Co.
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water &
Power
Luminant Energy
Manitoba Hydro
MidAmerican Energy Co.
New York Power Authority
North Carolina Municipal Power Agency
#1
Northern Indiana Public Service Co.
Omaha Public Power District
6
Orlando Utilities Commission
6
6
6
6
6
PacifiCorp
Platte River Power Authority
PPL EnergyPlus LLC
Progress Energy
PSEG Energy Resources & Trade LLC
Public Utility District No. 1 of Chelan
County
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Generation and
Energy Marketing
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Westar Energy
Western Area Power Administration -
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
Lisa C Rosintoski
Nickesha P Carrol
Affirmative
Brenda Powell
Louis S. Slade
Walter Yeager
Terri F Benoit
Pulin Shah
Kevin Querry
Richard L. Montgomery
Thomas Washburn
Silvia P. Mitchell
Cathy Bretz
Jessica L Klinghoffer
Paul Shipps
Eric Ruskamp
Abstain
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Affirmative
Brad Packer
Brad Jones
Daniel Prowse
Dennis Kimm
William Palazzo
Negative
Negative
Matthew Schull
Affirmative
Joseph O'Brien
David Ried
Claston Augustus
Sunanon
Scott L Smith
Carol Ballantine
Mark A Heimbach
John T Sturgeon
Peter Dolan
Affirmative
Affirmative
Abstain
Abstain
Abstain
Hugh A. Owen
Diane Enderby
Steven J Hulet
Michael Brown
Dennis Sismaet
Trudy S. Novak
William T Moojen
Lujuanna Medina
Abstain
Affirmative
Negative
Affirmative
Affirmative
John J. Ciza
Negative
Michael C Hill
Benjamin F Smith II
Marjorie S. Parsons
Grant L Wilkerson
Peter H Kinney
Negative
Abstain
Negative
Affirmative
6
8
8
8
8
8
8
8
8
9
9
9
10
10
10
10
10
10
10
10
UGP Marketing
Xcel Energy, Inc.
APX
JDRJC Associates
Power Energy Group LLC
Utility Services, Inc.
Volkmann Consulting, Inc.
California Energy Commission
Central Lincoln PUD
Commonwealth of Massachusetts
Department of Public Utilities
Midwest Reliability Organization
New York State Reliability Council
Northeast Power Coordinating Council
ReliabilityFirst Corporation
SERC Reliability Corporation
Southwest Power Pool RE
Texas Reliability Entity, Inc.
Western Electricity Coordinating Council
David F. Lemmons
Roger C Zaklukiewicz
Edward C Stein
James A Maenner
Michael Johnson
Jim Cyrulewski
Peggy Abbadini
Brian Evans-Mongeon
Terry Volkmann
William M Chamberlain
Bruce Lovelin
Donald Nelson
James D Burley
Alan Adamson
Guy V. Zito
Anthony E Jablonski
Carter B. Edge
Emily Pennel
Donald G Jones
Steven L. Rueckert
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Abstain
Negative
Affirmative
Abstain
Negative
Affirmative
Abstain
Individual or group. (56 Responses)
Name (40 Responses)
Organization (40 Responses)
Group Name (16 Responses)
Lead Contact (16 Responses)
Question 1 (50 Responses)
Question 1 Comments (51 Responses)
Question 2 (41 Responses)
Question 2 Comments (51 Responses)
Question 3 (0 Responses)
Question 3 Comments (51 Responses)
Group
Northeast Power Coordinating Council
Guy Zito
Paragraph 81 efforts are underway to eliminate requirements that have little or no reliability benefit. This Standard
only addresses documentation and has no impact on reliability.
Individual
Lee Layton
Blue Ridge EMC
No
See previous comments
No
R3 VSLs are silly.
Group
Arizona Public Service Company
Janet Smith, Regulatory Affairs Supervisor
Yes
Yes
No Additional Comments
Individual
Anthony Jablonski
ReliabilityFirst
Yes
Even though ReliabilityFirst votes in the Affirmative, we offer the following comment regarding Requirement R3 for
consideration. ReliabilityFirst recommends changing the word “validate” to “verify” in Requirement R3.
ReliabilityFirst believes not only does the entity need to validate contact information is correct, they should verify
(i.e. authenticate through test) that the contact information is correct.
Yes
Even though ReliabilityFirst votes in the Affirmative, we offer the following comments for consideration regarding
the VSLs: VSL for Requirement R2 – ReliabilityFirst questions whether there is justification for the gradation of
VSLs out to 60 hours for the reporting of an event. Without justification, ReliabilityFirst believes the timeframe should
be shortened to eight hour increments with a severe VSL being more than 48 hours late. ReliabilityFirst believes
that being more than a day late (24 hours) falls within the entity completely not meeting the intent of submitting
the report with the required 24 hour timeframe.
Group
Southwest Power Pool Regional Entity
Emily Pennel
Yes
No
In R2, SPP RE does not understand why the VSLs are based on who was or was not contacted rather than when it
was reported. An entity could decide to put only two entities in its Event Reporting Operating Plan. If the entity
fails to submit an appropriate event report, it is open to a Severe VSL on the top set of VSLs but only a moderate
on the lower set of VSLs. This seems to be a disconnect for applying the VSLs for the same facts and
circumstances.
(1) SPP RE thinks the following Generation reporting threshold is unclear: "Total generation loss, within one
minute, of ≥ 2,000 MW for entities in the Eastern or Western Interconnection". What has to happen within one
minute? It reads as if you have to make a report within one minute. If the intent is that a report has to be made
within 24 hours if the loss is for more than one minute it should read, "Total generation loss ≥ 2,000 MW for more
than one minute for entities in the Eastern or Western Interconnection". What is the intent of the one minute
requirement? (2) It appears per R1 that entities are no longer required to include Regional Entities in their
reporting chains. SPP RE believes Regional Entities must be included in the reporting chain so they can fulfill their
obligations under their delegation agreements. (3) SPP RE thinks this standard was changed substantially enough
that it should have been opened for a new ballot pool.
Individual
Jonathan Appelbaum
The United Illuminating Company
Yes
No
Do not agree that the VRF for R3 is medium. Failure to Validate contact information will not likely lead to instability
and Cascade. Reporting under EOP-004 is not an immediate action, and given a 24 hour reporting window a
proper contact point can be identified on-the-fly. R2 is properly identified as the Medium VRF since a failure to
report whether due to an improper Operating plan or improper contact list may lead to a BES cascade.
Group
PNGC Comment Group
Ron Sporseen
Yes
Yes
Comments: The PNGC Comment group remains concerned that the “Applicability” section will inadvertently subject
Distribution Providers to requirements that they should be excluded from. Please consider the two examples below
and note that we’re talking about probably hundreds of small DPs being subject to these unnecessary
requirements without any increase to the reliability of the BES. Example 1: Small DP with a peak load of 50 MWs.
They have no BES Facilities and their system is radial. Even though this utility will never have a reporting
requirement per Attachment A, they are still subject to R1 and R3 plus the associated compliance (read financial)
risk for non-conformance. An easy fix to this issue would be for DPs without BES Facilities and with less than 200
MW annual peak load to be excluded in the Applicability section. Example 2: Small DP with a peak load of 50 MWs.
Their only BES Facilities are two Automatic UFLS relays that are capable of shedding 15 MWs. DP’s Host Balance
Authority (HBA) has a peak load of 10,000 MWs, meaning their UFLS plan requires them to have the capacity to
shed 3000 MWs should system conditions warrant. Is it the SDT’s intent for this DP to have an Operating Plan in
place for “damage”, “destruction”, or “physical threat” for these two relays that are capable of shedding only 15
MWs out of a 3000 MW HBA UFLS plan? The SDT set a 100 MW threshold for reporting of automatic UFLS load
shedding so why have reporting requirements for the threat to 15 MWs worth of UFLS relays? Once again the easy
fix is to modify the Applicability section. We suggest: 4.1.7. Distribution Provider: with >= 200 MW annual peak
load, or; >= 100 MW Automatic firm load shedding
Individual
Russ Schneider
Flathead Electric Cooperative, Inc.
Individual
Oliver Burke
Entergy Services, Inc. (Transmission)
Yes
Yes
Individual
Nazra Gladu
Manitoba Hydro
No
This seems like an administrative only requirement. It would be too difficult to validate or measure.
No
This seems like an administrative only requirement. It would be too difficult to validate or measure.
Does the Background, Guidelines and Technical Basis form part of the standard itself once published? Or are these
just parts of the package that accompany the standard during circulation for comment? Compliance 1.2: The
reference to Responsible Entity is bracketed and in lowercase. We are not clear why. VSLs, R1, Severe VSL: The
words "in the event reporting Operating Plan” are missing from the end of this sentence. VSLs, R2, Lower VSL:
The violation occurs if the Responsible Entity has submitted an event report to one entity whereas Moderate VSL,
High VSL and Severe VSL, the level of severity of the VSL increases depending on the number of entities that the
Responsible Entity fails to submit an event report to. The drafting here is not as precise as it should be. The way
the Lower VSL is written, it will also be triggered when the Responsible Entity has complied with the requirement.
For example, if the Responsible Entity is required to report an event to 5 entities, and it does, it will still mean that
it has "submitted an event report to one entity identified in the event reporting (also, the ‘ing’ is missing on the
Lower VSL reference) Operating Plan". It is also duplicative. For example, if the Responsible Entity submitted a
report to only one entity, and failed to submit a report to 4 others, they fall under the Lower VSL and the Higher
VSL (we are assuming in this case, the violation will be found to be the higher VSL). Perhaps what the drafting
team intended to do was to make the Lower VSL, which the Responsible Entity failed to submit an event report…to
one entity identified…. The Guidelines and Technical Basis contain a reference to R4 which no longer exists in the
standard.
Individual
Steve Grega
Lewis County PUD
Yes
No
We are a small utility with little impact to the BES with a small hydro on the end of a 230kV line. CIP-001 requires
us to contact the FBI who has repeatedly instructed us to call the local sheriff office. The sheriff office has
instructed us to call 911 and they will contact the FBI as needed. Therefore, 911 is our only contact number and
our plan if vandalism, property destruction or sabotage occurs is to have a supervisor call 911 and report. I do not think
calling 911 to confirm the contact number serves any purpose. Our plan will be simple with not a lot of detail. The
drafting team should recognize the reality of small utilities and state the required plan may be simple and not
follow the flowchart in the draft standard.
Individual
Steve Alexanderson P.E.
Central Lincoln
Yes
1) Central Lincoln must again point out the lack of proportionality for gunshot insulators and similar events under
“Damage or destruction of a Facility.” Please see our last set of comments. These incidents are fairly common in
the west, and typically do not cause an immediate outage. They are generally discovered months after the fact,
yet the discovery starts the 24 hour clock running as if the situation had suddenly changed. Prior SDT response:
“… this will give the ERO (and whoever else the entity wishes to inform per Requirement R1) the situational
awareness that the Facility was “damaged or destroyed” intentionally by a human.” There is already a great lag in
awareness regarding the damaged insulator. Months or more can pass prior to discovery by the entity. We fail to
see how it becomes so urgent upon discovery. Prior SDT response: “The SDT envisions that entities could further
define what a suspected intentional human action is within their Operating Plan.” We do not share the SDT’s
vision. If an Operating Plan redefined suspected intentional human action so the act of preparing a gun for firing,
aligning the sights on an insulator and pulling the trigger was not included, we believe the entity that operates
under that plan would be found non-compliant under the language of this standard. We do not offer a simple
change in text that will fix the problem, we are only pointing out the problem exists. Murphy dictates discovery will
occur at the most inopportune time, which will be during an after hours outage on a stormy holiday weekend night
when many employees are out of town and those that are available are already fully engaged. The entity is then
faced with choosing to delay restoration or violating the standard. When proposing a zero defect event driven
requirement such as this one, we ask the SDT to consider all possible scenarios in which the event
may occur. 2) We note that Distribution Providers are listed in the Applicability Section. We also note that there is
no requirement in the Statement of Compliance Registry Criteria for Distribution Providers to own or operate BES
Facilities, own or operate UFLS or UVLS of 100 MW, or to have load exceeding 200 MW. DP’s that cannot meet any
of the thresholds of Attachment 1 would still need an Operating Plan under R1 and annually validate the possibly
null contact list in its OP under R3. We suggest that DPs that cannot meet the thresholds of Attachment 1 be
removed from the Applicability Section.
Group
Duke Energy
Greg Rowland
Yes
Duke Energy commends the excellent work of the Standard Drafting Team in incorporating previous comments
into the current posted draft of the standard.
No
The Lower VSL for R3 should be clarified. The phrase “validated 75% or more” should be modified to say
“validated at least 75% but less than 100%”.
1) There are discrepancies between the red-lined EOP-004-2 and the Clean EOP-004-2 that were posted for this
project. Our comments are based upon the Clean EOP-004-2. 2) Attachment 1 and Attachment 2 have the ERO
email and phone number listed. If these ever change, does the standard have to go through the revision and
balloting process again, or is there an easier way to incorporate such changes? 3) Attachment 1 – When an event
occurs that meets the Threshold for Reporting, it’s not clear whether all listed entities have to report or not.
Several Event Types need this clarity added. For example, if a TOP loses voice communication capability, do both
the TOP and RC have to report? 4) Attachment 1 – Damage or destruction of a Facility, applicable to BA, TO, TOP,
GO, GOP, DP. The Threshold for Reporting should be further clarified by adding the sentence “Do not report theft
or damage unless it degrades normal operation of a Facility.” This would eliminate unnecessary reporting of copper
theft or vandalism. 5) Attachment 1 – Physical threats to a Facility. The Threshold for Reporting should be
modified by deleting the sentence “Do not report theft unless it degrades normal operation of a Facility”. This
sentence isn’t needed here, and fits better with “Damage or destruction of a Facility” as noted in 4) above. 6)
Attachment 1 – Transmission loss. This event type should be deleted because it is duplicated under TADS reporting
and PRC-004 Protection System Misoperations reporting. 7) Attachment 1 – Unplanned BES control center
evacuation, Complete loss of voice communication capability, and Complete loss of monitoring capability. The
Threshold for Reporting on all three of these Event Types is 30 minutes, and should be extended to 2 hours,
consistent with the transition time identified in EOP-008 “Loss of Control Center Functionality”.
Individual
Jack Stamper
Clark Public Utilities
Yes
Yes
The SDT has not adequately addressed my comments from the last draft regarding damage or destruction of its
facility that results from actual or suspected intentional human action. The SDT needs to limit what it means by
damage. As an example, if someone breaks into a substation and paints graffiti on a breaker that is part of the
BES, the breaker has been "damaged." However, the breaker's ability to function has not been compromised and
there are no emergency actions that need to be taken. There is no reason for an emergency reporting procedure
to require this to be reported. The SDT needs to add the same modifier for damage that it added in the previous
event threshold for reporting. The reference for this type of damage should be as follows: Event: Damage or
destruction of a Facility. Entity with Reporting Responsibility: BA, TO, TOP, GO, GOP, DP. Threshold for Reporting:
Damage or destruction of its Facility that results from actual or suspected intentional human action that results in
actions to avoid a BES Emergency.
Individual
Russell A. Noble
Cowlitz PUD
Yes
Cowlitz approves of the improvement efforts on Attachment 1. However, Cowlitz must again point out the fallacy
of potentially inundating the ERO with nuisance reporting of minor vandalism and accidental damage. For example,
gunshot “target practice” of insulators and structures will apply under “Damage or destruction of a Facility.” Such
incidents are fairly common in the west, and typically do not cause an immediate outage. They are generally
discovered months or years after the fact, yet the discovery starts the 24 hour compliance clock running as if the
urgency is just as important as a recent event. If there is already a great lag in awareness regarding the damaged
Facility, Cowlitz fails to see how it becomes so urgent upon discovery.------------ Again, Cowlitz points out the
sentence structure “Damage or destruction of its Facility that results from actual or suspected intentional human
action” does not restrict the human action as malicious or sabotage. “Intentional human action” could be innocent,
such as a land owner attempting to fall a tree for fire wood. The intent was not to damage the Facility, but the
“intentional human action” to obtain fire wood resulted in the damage of the Facility. This does not comport with
prior SDT response: “… this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was ‘damaged or destroyed’ intentionally by a human.” Therefore, if this
is the SDT’s intent Cowlitz suggests this change: Damage or destruction of its Facility that causes immediate
impaired operation or loss of the Facility from suspected or actual malicious human intent. Do not report
mischievous vandalism, as defined in the Operating Plan, where immediate loss of, or immediate impaired
operation of the Facility has not occurred. -------------- Prior SDT response: “The SDT envisions that entities could
further define what a suspected intentional human action is within their Operating Plan.” Cowlitz does not share
the SDT’s vision. The Standard as written does not specifically address the ability to “further define” terms used in
the Attachment. Past allowance of audit teams to allow registered entity definitions, e.g. “annual,” was to address
gaps in standards until the standards could be revised. If this is truly the intent of the SDT, then requirement R1
would need revision such as: “The Operating plan shall define what a suspected intentional human action is.”
Cowlitz respectfully requests that ambiguity be avoided.------------------ Cowlitz notes that Distribution Providers
are listed in the Applicability Section with no qualifiers. Cowlitz points out that there is no requirement in the
Statement of Compliance Registry Criteria for Distribution Providers to own or operate BES Facilities, own or
operate UFLS or UVLS of 100 MW, or to have load exceeding 200 MW. DP’s that cannot meet any of the thresholds
of Attachment 1 would still need an Operating Plan under R1 and annually validate the possibly null contact list in
its OP under R3. Cowlitz requests that DPs that cannot meet the thresholds of Attachment 1 be removed from the
Applicability Section. Not doing so will increase compliance risk without any reliability return.
Group
Tacoma Public Utilities
Chang Choi
Yes
No
Regarding the Severe VSL for R1, the reference to “Parts 1.1 and 1.2” appears to be outdated. For R2, change
“the Responsible Entity failed to submit an event report…to X entity(ies) within 24 hours” to “the Responsible
Entity failed to submit an event report…to only X entity(ies) within 24 hours.” (Add ‘only.’)
Why does the text “…but is not limited to…” in M1 have to be included? Does this mean that there are unwritten
requirements that an auditor might look for? What if, in trying to validate contact information, contacts do not
confirm their information? Regarding the Loss of firm load row in Attachment 1, an exception should be made for
weather or natural disaster related threats in the Threshold for Reporting. Regarding the Transmission loss row in
Attachment 1, it is not quite clear which types of BES Elements would meet the Threshold for Reporting. Is it just
lines, buses, and transformers? What about reactive resources? What about generators that unexpectedly trip
offline during a fault on the transmission system?
Individual
Chantel Haswell
Public Service Enterprise Group
Yes
Yes
None additional
Individual
Mike Hirst
Cogentrix Energy
Yes
No
The VRF for R2 should be “Lower” instead of “Medium” since it is administrative which involves reporting events to
entities not identified in the Functional Model that have operating responsibilities listed. The VRF for R3 should also
be “Lower” instead of “Medium” since it is an administrative requirement.
Overall: The standard makes good strides in eliminating the redundancy of CIP-001 and EOP-004. M1 States: “…
and each organization identified to receive an event report for event types specified in EOP-004-2 Attachment 1”.
It is unclear in the statement that the protocols go with Attachment 1 and entities to receive report are part of
Attachment 2. While this draft is an improvement on the previous draft, the proposed R2 is unacceptable, and
should be amended to, at a minimum, require reporting by the end of the next business day, instead of within 24
hours. Events or situations affecting real time reliability to the system already are required to be reported to
appropriate Functional Entities that have the responsibility to take action. Adding one more responsibility to
system operators increases the operator’s burden, which reduces the operator’s effectiveness when operating the
system. Care should be given when placing additional responsibility on the system operators. Allowing reporting at
the end of the next business day gives operators the flexibility to allow support staff to assist with after-the-fact
reporting requirements. For some event types where in order to provide real time situational awareness over a
wide area (for example coordinated sabotage event) it may be appropriate to have more timely reporting. If the
intent of this standard is to address sabotage reporting there needs to be an understanding of the actions to be
taken by those receiving the reports so the reporting entities can incorporate those actions into their plan. As a
minimum, NERC should have a process in place to assess the reports and take appropriate actions. Attachment 1:
Threshold for reporting should not be defined such that multiple reports would be required for the same event. For
example, both the TOP and RC being required to report the outage of a transmission line. 2nd event type (Damage
or destruction of a Facility): Add the following sentence to the Threshold for Reporting: “Do not report theft or
damage unless it degrades normal operation of a Facility.” 4th event type (Physical threats to a BES control
center): The term “BES control center” needs to be clarified. 5th, 6th, and 7th event types: In instances where a
reliability directive is issued, is the “initiating entity” the entity that issues the directive or the entity that carried
out the directive? 9th event type (Voltage deviation on a Facility): Change “nominal” to “expected or scheduled.”
15th event type (Transmission loss): It is not clear what is meant by “contrary to design.” This is so broad that it
could be interpreted as requiring reporting misoperations within the reporting time frame before even an initial
investigation can begin. This needs to be clarified and tied to the impact on the reliability of the BES.
Individual
Dave Willis
Idaho Power Co.
Yes
Yes
Individual
Michelle R D'Antuono
Ingleside Cogeneration LP
Yes
Ingleside Cogeneration believes that an annual validation of contact information is sufficient for a reporting
procedure. R2 provides sufficient impetus for Responsible Entities to keep their Operating plan current – as a
missed report will lead to a violation. Furthermore, external agencies and law enforcement officials will be
reluctant to participate in validation tests, as dozens of nearby BES entities will overwhelm them with such
requests.
Yes
Individual
Howard Rulf
Wisconsin Electric Power company dba We Energies
Yes
Yes
Damage or destruction of a Facility, Damage or destruction of its Facility that results from actual or suspected
intentional human action.: By the Functional Model, I do not believe the BA function has Facilities by the NERC
Glossary definition. This would not apply to a BA. The line above this would adequately cover BA reporting.
Remove a BA from applicability for this line. Physical threats to a Facility: The BA function does not have Facilities.
Remove a BA from applicability for this line. There could be a separate line for Physical Threats to a Facility within
an RC, FOP, BA Area as there is for Damage or Destruction of a Facility. Voltage deviation on a Facility: Please
specify what voltage this is, nominal, rated, etc. This should also be > 10% deviation. Exactly at 10% could be at
the edge of an allowed range.
Group
Detroit Edison
Kent Kujala
No
The requirement is too prescriptive and difficult to document. Requirement should be for annual review of
Operating Plan. This allows for entity to review plan and document this the same as other Standards that require
annual review (i.e. annual review blocks on documents). The requirement as written is vague and difficult to
document. Annual review of reporting process is already a requirement.
No
Under VSLs for R2- We disagree with the reporting time frames. Making the time requirement as soon as 24 hours
puts this reporting requirement on the real time operators. Many of the situations listed in the EOP-004 attachment
are not included in the OE-417 report. The Unofficial Comment Form states the reporting obligations serve to
provide input to the NERC Event Analysis Program. This program has removed the 24 hour reporting requirement
and changed it to 5 business days.
"Suspicious activity" and "suspicious device" should be eliminated from Attachment 1, Event types: 'Physical
threats to a Facility' and 'Physical threat to a BES Control Center'. By including 'suspicious activity' in the standard,
I believe the project team went outside of the scope of the project, which was intended to be a merger of the two
standards. Regarding standard CIP 001, the threshold for reporting is “Disturbances or unusual occurrences,
suspected or determined to be caused by sabotage….”, as its title suggested: Sabotage Reporting. Suspicious
activity, which is not defined by the standard, clearly has a much lower threshold than sabotage, or even
suspected sabotage. The reporting requirement of 24 hours, also increases the burden on the entity to either rush
to investigate and make a determination regarding suspicious activity in less than 24 hours, or not perform due
diligence and report uninvestigated “suspicious” activity, which normally turns out to not be a "Physical Threat”.
Suspicious activity should be duly investigated by the entity, local law enforcement, or the FBI as appropriate; and
then reported if it has been determined to be a physical threat, or cannot be explained. Reporting within 24 hours
will devalue the information inputted, as most cases of suspicious activity are innocuous, and the standard lacks a
process of follow up, which would remove those incidents from intelligence databases. Regarding suspicious
devices, determination is usually immediate, (in less than 24 hours), and then the device would be classified as
either "sabotage" or "no threat". The standard is not clear whether suspicious devices still have to be reported,
even if they are immediately determined as not a "Physical Threat to a Facility or BES Control Center." Disturbance
and Sabotage Reporting Standard Drafting Team (Project 2009-01) - Reporting Concepts states: The changes do
not include any real-time operating notifications for the types of events covered by CIP-001 and EOP-004. The
real-time reporting requirements are achieved through the RCIS and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies). These standards deal exclusively with after-the-fact reporting."
Attachment 1 in existing EOP-004-1 is much easier to follow (specifies time requirement to file). Also R2 states
DOE OE-417 may be utilized to file reports, however Standard time requirement for update report is 48 hours, OE-417 has changed time requirement on updated filing to 72 hours. Difference can cause confusion and possible
penalties. The real time operator must focus on maintaining system reliability. Putting unnecessary reporting
obligations on RT puts more importance on the reporting structure than on maintaining reliability. Let 8/5 support
personnel perform the reporting tasks and keep the 24/7 on shift operators focusing on the BES.
Individual
Melissa Kurtz
US Army Corps of Engineers
Individual
David Jendras
Ameren Services
Yes
Yes
(1) This draft refers to a number of activities in the Operations Plan that each entity is to have on hand as the
primary guide of actions to be taken when an event occurs. Although there is information related to the
requirements that should be included in the Operations Plan, the drafting team has not defined a structure on the
format, the minimum information to be included or the direct audience for the Operations Plan. In addition, there
is no guidance on the disposition, distribution of the Operations Plan which is left to the entity to determine. We
request that the drafting team provide a defined structure for entities concerning the development and
implementation of the Operations Plan. (2) Page 14 (Attachment 2) – Voltage Deviation of a Facility – This appears
to be a contradiction to VAR-001-2 R10 for TOP which states IROL events will be corrected within 30 minutes. We
request the 15 minute reporting criteria be changed to also state 30 minutes. (3) Throughout Document – "Report
to the ERO and Regional Entity" – NERC and DHS established the ES-ISAC as a confidential location to report all
events that happen on the BES. As these events are of a Sabotage / Disturbance nature, they should all go
through the ES-ISAC both as a single location for distribution, and as a best practice that the industry has started.
(4) There seems to be some differences between the red-line and clean versions which may need some
clarification. For example, (a) In the redline version, the revision history box appears to indicate the inclusion of
parts of CIP-008, and in the “Clean” version this has been removed from the revision history box. (b) The red-line
version includes a drawing at two places versus once in the clean version. (c) The correlation between the clean
and redline documents is not very clear and there appears to be gaps in the reporting and tracking framework
structure.
Individual
Michael Falvo
Independent Electricity System Operator
Yes
IESO agrees that the intent of Requirement R3 to have the Registered Entities validate the contact information in
the contact lists that they may have for the events applicable to them is achieved. IESO also agrees that the
elimination of conducting an annual test of the communications process and review of the event reporting
Operating Plan in merging the previous R3 and R4 into this new R3 will give entities an opportunity to develop a
plan that suits its business needs.
No
We agree with the VRF for R2, but have a concern over the VRFs assigned to R1 (Lower) and R3 (Medium). Having
an event reporting operating plan (R1) is a first step toward meeting the intent of this standard, annually
validating it (R3) is a maintenance requirement which arguably can be regarded as equally important but its
reliability risk impact for failure to comply should be no higher than having no plan to begin with. We therefore
suggest that the VRFs for R1 and R3 be at least the same, or that R1’s VRF be higher than that for R3.
The proposed implementation plan may conflict with Ontario regulatory practice respecting the effective date of
the standard. It is suggested that this conflict be removed by: Moving the last part “, or as otherwise made
effective pursuant to the laws applicable to such ERO governmental authorities.” to right after “this standard is
approved by applicable regulatory approval” in the Effective Dates Section on P.2 of the draft standard, and the
proposed Implementation Plan.
Individual
RoLynda Shumpert
South Carolina Electric and Gas
Yes
Yes
Has the drafting team considered how reports from R2 tie in with reports required by the NERC Event Analysis
process? It appears that reporting deadlines conflict between the two. The SDT should clarify that the event types
"Damage or Destruction" listed in attachment 1 do not pertain to "cyber events", to avoid duplication of the CIP-008 requirements.
Individual
David Revill
Georgia Transmission Corporation
Yes
Yes
GTC recommends a minor change to Attachment 2 associated with the complete loss of off-site power to nuclear
generating plant. NUC-001-2 R9.3.5 describes provisions for restoration of off-site power and applies to both the
Nuclear Plant Generator Operator and the applicable Transmission Entities. To maintain consistency, GTC
recommends modification to this row in EOP-004-2 Attachment 2 such that the “Nuclear Plant Generator Operator”
is the Responsible Entity with reporting responsibility. (A TO may not have visibility to all off-site power resources
for a nuclear generating plant if multiple TO’s are providing off-site power.) At a minimum, GTC recommends if the
SDT believes the TO and TOP should remain involved, these entities should be limited to “TO and TOP that are
responsible for providing services related to Nuclear Plant Interface Requirements (NPIRs)” which is also consistent
with NUC-001-2.
Group
Southern Company
Antonio Grayson
Yes
No
The VRF for R2 should be “Lower” instead of “Medium” since it is administrative which involves reporting events to
entities not identified in the Functional Model that have operating responsibilities listed. The VRF for R3 should also
be “Lower” instead of “Medium” since it is an administrative requirement. In addition we suggest that the VSL for
R1 should have a lower level VSL for an Operating Plan that may have one event type missing from the Operating
Plan.
Event Type | Entity with Reporting Responsibility | Threshold for Reporting | SOCO Comment

Damage or destruction of a Facility | RC, BA, TOP | Damage or destruction of a Facility within its Reliability
Coordinator Area, Balancing Authority Area or Transmission Operator Area, excluding weather or natural disaster
related threats, that results in actions to avoid a BES Emergency.

Damage or destruction of a Facility | BA, TO, TOP, GO, GOP, DP | Damage or destruction of its Facility that results
from actual or suspected intentional human action. Do not report damage unless it degrades normal operation of a
Facility. How does the SDT define “intentional human action?” Further, how is the phrase “suspected intentional
human action” defined? This phrase is very broad. Is “intentional human action” identified as actions intended to
damage facilities or does it include accidental actions by individuals? For example, if a person accidentally shot
insulators off of a 230 kV line resulting in damage, would that be considered reportable “intentional human action?”
In addition, what is that actual trigger for reporting? Does it require that the action has been discovered or is it
from the time the event occurs? Further, 24 hours is a very brief time period -- how is an entity to conduct an
investigation within that time period to determine if damage or destruction could have resulted from “actual or
suspected” human action and also determine if it could have been “intentional”? In Southern’s cases, and likely in
other entities case, operating personnel submit the reports to the regulatory entities for events that fall under this
standard. Southern is concerned, that the threshold for reporting for “Damage or destruction of a Facility” and
“Physical threats to a Facility” is so broad that numerous reports would need to be filed that 1) may be a result of
something that does not pose harm to reliability and should not be of interest to the regulators, and 2) would
introduce additional burden to operating personnel that are monitoring the system every moment of the day. With the
current proposed “Threshold for Reporting”, the reporting requirement would hamper the ability of system operating
personnel to perform their core real-time system operator tasks which would harm reliability.

Physical threats to a Facility | BA, TO, TOP, GO, GOP, DP | Physical threat to its Facility excluding weather or
natural disaster related threats, which has the potential to degrade the normal operation of the Facility. OR
Suspicious device or activity at a Facility. Do not report theft unless it degrades normal operation of a Facility.
Please provide some clarity as to what is considered suspicious activity. For example, would someone taking a photo
of a BES substation fall into this category? Please provide examples of what may be considered suspicious activity
and how NERC and others may use this information and what actions they would take as a result of receiving this
information. In addition, what is that actual trigger for reporting? Is it when the threat is discovered or from when
it should have or could have been discovered? Further, 24 hours is a very brief time period -- how is an entity to
conduct an investigation within that time period in order to determine if the physical threat has the potential to
degrade the normal operation of the Facility or that the “suspicious activity”?

Physical threats to a BES control center | RC, BA, TOP | Physical threat to its BES control center, excluding weather
or natural disaster related threats, which has the potential to degrade the normal operation of the control center.
OR Suspicious device or activity at a BES control center.

BES Emergency requiring public appeal for load reduction | Initiating entity is responsible for reporting. | Public
appeal for load reduction event. It is unclear which entity would be responsible for reporting this event. For
example, if the RC/TOP/BA were to identify the need to do this and instruct an LSE to issue the public appeal, who
would report the event?

BES Emergency requiring system-wide voltage reduction | Initiating entity is responsible for reporting | System wide
voltage reduction of 3% or more. It is unclear which entity would be responsible for reporting this event. For
example, if the RC were to identify the need to do this and instruct a TOP to reduce voltage, who would report the
event?

BES Emergency requiring manual firm load shedding | Initiating entity is responsible for reporting | Manual firm load
shedding ≥ 100 MW.

BES Emergency resulting in automatic firm load shedding | DP, TOP | Automatic firm load shedding ≥ 100 MW (via
automatic undervoltage or underfrequency load shedding schemes, or SPS/RAS).

Voltage deviation on a Facility | TOP | Observed within its area a voltage deviation of ± 10% of nominal voltage
sustained for ≥ 15 continuous minutes. Please change “nominal” to “expected” or “scheduled”

IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only) | RC | Operate
outside the IROL for time greater than IROL Tv (all Interconnections) or Operate outside the SOL for more than 30
minutes for Major WECC Transfer Paths (WECC only).

Loss of firm load | BA, TOP, DP | Loss of firm load due to equipment failures/system operational actions for ≥ 15
Minutes: ≥ 300 MW for entities with previous year’s demand ≥ 3,000 MW OR ≥ 200 MW for all other entities This should
not be as a result of weather or natural disasters.

System separation (islanding) | RC, BA, TOP | Each separation resulting in an island ≥ 100 MW

Generation loss | BA, GOP | Total generation loss, within one minute, of ≥ 2,000 MW for entities in the Eastern or
Western Interconnection OR ≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection

Complete loss of off-site power to a nuclear generating plant (grid supply) | TO, TOP | Complete loss of off-site
power affecting a nuclear generating station per the Nuclear Plant Interface Requirement

Transmission loss | TOP | Unexpected loss, contrary to design, of three or more BES Elements caused by a common
disturbance (excluding successful automatic reclosing).

Unplanned BES control center evacuation | RC, BA, TOP | Unplanned evacuation from BES control center facility for 30
continuous minutes or more.

Complete loss of voice communication capability | RC, BA, TOP | Complete loss of voice communication capability
affecting a BES control center for 30 continuous minutes or more.

Complete loss of monitoring capability | RC, BA, TOP | Complete loss of monitoring capability affecting a BES control
center for 30 continuous minutes or more such that analysis capability (i.e., State Estimator or Contingency
Analysis) is rendered inoperable.

Guideline and Technical Basis Comments

In the Summary of Key Concepts section of the
Guideline and Technical Basis, the DSR SDT explains that the proposed Standard does not include any real-time
operating notifications for events listed in Attachment 1. The DSR SDT should consider language in the Standard
which codifies this approach. Southern Company notes that the proposed standard does not mention any exclusion
of real-time notification. The Law Enforcement Reporting section of the Guideline and Technical Basis
unintentionally expands on the purpose of the Standard by stating that “The Standard is intended to reduce the
risk of Cascading events.” The stated purpose of the Standard is “To improve the reliability of the Bulk Electric
System by requiring the reporting of events by Responsible Entities.” The phrase in the Guideline should be
removed or modified in order to avoid any uncertainty about the Standard’s purpose. The DSR SDT should
consider integrating the content of the Concept Paper into the Guideline and Technical Basis. Presently, the
Concept Paper appears as an add-on at the end of the document. When the Concept Paper existed as a standalone document, various segments such as “Introduction” and “Summary of Concepts and Assumptions” were
helpful to stakeholders and standards developers. The revised merged document in the present draft does not
need two separate sections addressing concepts nor does it need an introduction at the midway point. Additionally,
two other areas are either duplicative or contribute to ambiguity within the supplemental information. First, it is
not clear that the segment on Concepts and Assumptions includes any actual assumptions. The section should be
modified or deleted to address this concern. Second, the segment entitled ‘What about sabotage?’ seems to
contain topics similar to those on the first page of the Guideline. Again, the DSR SDT should consider integrating
all of the necessary information into a more comprehensive document.
Individual
Andrew Gallo
City of Austin dba Austin Energy
Yes
Yes
(1) City of Austin dba Austin Energy (AE) requests that the SDT clarify whether R3 requires that each Registered
Entity subject to EOP-004-2 verify NERC’s contact information each year. It appears this would be overly
burdensome for NERC to respond to individual requests. (2) AE also asks that NERC’s fax number be included in
the contact information at the beginning of Attachment 1 and at the Event Reporting Form in Attachment 2. NERC
included the fax number as a viable contact method in its recent NERC Alert notifying the industry of the changed
information. (3) AE requests that the SDT increase the threshold for reporting loss of firm load to ≥ 300 MW for all
entities to align the reporting threshold with the OE-417 threshold. Otherwise, smaller entities would have to
report firm load losses between 200 and 299 MW to NERC but not to the DOE. This could be administratively
confusing to those responsible for reporting. (4) Attachment 1 lists the threshold for reporting generation loss at ≥
1,000MW for the ERCOT Interconnection. ERCOT planning is based on a single contingency of 1,375MW. For this
reason, AE believes the minimum threshold for a disturbance should be greater than the single contingency
amount of >1,375MW for the ERCOT Interconnection.
Individual
Andrew Z. Pusztai
American Transmission Company
Yes
Yes
A. ATC requests that the Standards Drafting Team address the following concerns and clarifications in
Attachment 1: a.) Reporting event #14 in Attachment 1, is duplicative with respect to Nuclear Reliability Standard
NUC-001-2.1 R 9.4.4. Reporting event #14 requires entities to report to NERC a “Complete loss of off-site power
to a nuclear generating plant” while Nuclear Reliability Standard NUC-001-2.1 R9.4.4., i.e. includes “Provisions for
supplying information necessary to report to government agencies, as related to Nuclear Plant Interface
Requirements (NPIRs)”. In addition, ATC believes the reporting related to event #14 in Attachment 1 is not a
“reliability” issue, and more appropriately covered under Standard NUC-001 as a “Nuclear Safety Shutdown” issue.
Therefore, ATC recommends that Item #14 in Attachment 1 of EOP-004-2 be deleted. b.) In Attachment 1,
reporting event #2, i.e. “Damage or destruction of a Facility” could obligate an entity to report any loss of copper
grounds either on a T-Line or grounds associated with a transformer or breakers. ATC believes this does not rise to
a reporting level such as NERC. ATC believes that additional qualifying language similar to reporting item #1 be
incorporated into the threshold and read as follows: “Damage or destruction of its Facility that results from actual
or suspected intentional human action that results in actions to avoid a BES Emergency.” c.) In Attachment 1,
reporting event #3 i.e. “Physical threats to a Facility” needs clarification since a physical threat needs to be actual
and confirmed so that the TO or TOP repositions the system. In addition, the SDT needs to clarify what the phrase
“normal operations” means. Is this a ratings issue? Or a result in how the Operator operates the system. d.) In
Attachment 1, reporting event #3 threshold i.e. “Suspicious device or activity at a Facility“ needs clarification to
determine when it raises to the level of reporting. These words could be interpreted in several different ways. In
addition, ATC believes that language needs to be added that the threat causes the reporting entity to change to an
abnormal operating state. ATC recommends the threshold be revised to read: “Suspicious device or activity at a
Facility with the potential to degrade the normal operation of the Facility”. e.) In Attachment 1, the term “Initiating
entity” is used three times for reporting events and needs to be clearly defined or reworded. Is it the entity that
identifies the needs of a Public Appeal or the entity that makes the public appeal the initiating entity? The
Standard needs to be clear on who has the responsibility as the “initiating” party, especially when multiple parties
may be involved. ATC recommends the following: 1) For public appeal, under Entity with Reporting Responsibility;
it is the “entity that issues a public appeal to the public” 2) For system wide voltage reduction, under Entity with
Reporting Responsibility; it is the “entity that activates a voltage reduction” 3) For manual load shedding, under
Entity with Reporting Responsibility; it is the “entity that activates manual load shedding” f.) In Attachment 1,
reporting event #15 i.e. “Transmission Loss”, the threshold includes the phrase “contrary to design”. ATC
recommends this be clarified to read “contrary to protection system design”. B. In EOP-004-2 Requirement 2/
Measure 2 both have the following language: “Each Responsible Entity shall report events per their Operating Plan
within 24 hours of meeting an event type threshold for reporting.” ATC recommends adding “upon recognition” as
a starting point to the 24 hour reporting requirement. This would be revised to read: “Each Responsible Entity
shall report events per their Operating Plan within 24 hours of recognition of an event type threshold”
Group
SERC OC Standards Review Group
Gerry Beckerle
Yes
No
The VRF for R2 should be “Lower” instead of “Medium” since it is administrative which involves reporting events to
entities not identified in the Functional Model that have operating responsibilities listed. The VRF for R3 should also
be “Lower” instead of “Medium” since it is an administrative requirement.
While this draft is an improvement on the previous draft, the proposed R2 is unacceptable, and should be
amended to, at a minimum, require reporting by the end of the next business day, instead of within 24 hours.
Events or situations affecting real time reliability to the system already are required to be reported to appropriate
Functional Entities that have the responsibility to take action. Adding one more responsibility to system operators
increases the operator’s burden, which reduces the operator’s effectiveness when operating the system. Care
should be given when placing additional responsibility on the system operators. Allowing reporting at the end of
the next business day gives operators the flexibility to allow support staff to assist with after-the-fact reporting
requirements. For some event types where in order to provide real time situational awareness over a wide area
(for example coordinated sabotage event) it may be appropriate to have more timely reporting. If the intent of this
standard is to address sabotage reporting there needs to be an understanding of the actions to be taken by those
receiving the reports so the reporting entities can incorporate those actions into their plan. As a minimum, NERC
should have a process in place to assess the reports and take appropriate actions. Attachment 1: Threshold for
reporting should not be defined such that multiple reports would be required for the same event. For example,
both the TOP and RC being required to report the outage of a transmission line. 2nd event type (Damage or
destruction of a Facility): Add the following sentence to the Threshold for Reporting: “Do not report theft or
damage unless it degrades normal operation of a Facility.” 4th event type (Physical threats to a BES control
center): The term “BES control center” needs to be clarified. 5th, 6th, and 7th event types: In instances where a
reliability directive is issued, is the “initiating entity” the entity that issues the directive or the entity that carried
out the directive. 9th event type (Voltage deviation on a Facility): Change “nominal” to “expected or scheduled.”
15th event type (Transmission loss): It is not clear what is meant by “contrary to design.” This is so broad that it
could be interpreted as requiring reporting misoperations within the reporting time frame before even an initial
investigation can begin. This needs to be clarified and tied to the impact on the reliability of the BES. The
comments expressed herein represent a consensus of the views of the above named members of the SERC OC
Standards Review Group only and should not be construed as the position of SERC Reliability Corporation, its
board, or its officers.
Group
FirstEnergy
Larry Raczkowski
Yes
Yes
FirstEnergy Corp (FE) appreciates the work done by the SDT by incorporating the comments and revisions from
the previous draft. FE would like to see the time parameters in Requirement 3 and Measure 3 to be changed from
“each calendar year” to “at least once every 12 months”. This is similar to the wording that is being used in the
CIP standards.
Individual
Don Schmit
Nebraska Public Power District
Group
Dominion
Mike Garton
Yes
Dominion supports the combination of Requirements R3 and R4 into a single requirement (Requirement R3),
although we remain concerned that validation requiring a phone call could be perceived as a nuisance by that
entity.
Dominion reads Requirement R1 as explicitly requiring only the inclusion of reporting to the ERO in the Operating
Plan. We acknowledge that the requirement also contains additional entities in parenthesis which infers the
inclusion of a larger group (and which appears to be supported by the rationale box). Dominion suggests the SDT
explicitly state which entities, at a minimum, be included, for reporting, in the Operating Plan. We suggest adding
a column to Attachment 1 and including entities to which the event must be reported. As examples: • All event
types should include local law enforcement • Events for which the BA, RC, TOP bear responsibility should probably
also be reported to the regional entity • Events for which the Facility Owner bears responsibility should probably
also be reported to the respective BA and TOP, who would in turn determine whether to notify their respective RC.
The RC would in turn determine if additional entities need to be contacted Requirement R2 establishes a 24 hour
reporting threshold; however, the “NOTE” provided on Attachment 1 seems to contradict Requirement 2 and could
therefore lead to compliance issues. Dominion suggests that Requirement R2 be revised to agree with the “NOTE”
on Attachment 1. For example, Requirement R2 could be reworded as: Except as noted on Attachment 1, Each
Responsible Entity shall… Also under the “NOTE” in Attachment 1, why has the facsimile number for the ERO been
removed? The DOE still provides a facsimile number for reporting. Attachment 2: Event Reporting Form #4; need
to update the below to reflect the same naming convention of the events in Attachment 1, the “t” should not be
capitalized in Physical Threat and add an ‘s’ behind threat. Add (islanding) behind System separation and capitalize
the ‘U’ in unplanned control center evacuation.
Group
MRO NSRF
WILL SMITH
Yes
The NSRF requests that the SDT address the following concerns and clarifications in Attachment 1; 1) Please
explore redundancy reporting event Item #14; Complete loss of off-site power to a nuclear generating plant with
obligations of NUC-001-2.1 R9.4.4. “Provisions for supplying information necessary to report to government
agencies, as related to NPIRs.” The NSRF understands the importance concerning safety issues with a nuclear
plant. A multiple unit coal facility may have a larger reliability impact to the BES than a nuclear plant. The SDT is
stating that the fuel source is a reporting issue, not the reliability of a plant losing off-site power. Recommend
that this item be deleted. 2) Item 2 in Attachment 1 would obligate an entity to report any loss of (copper)
grounds either on a T-Line or grounds associated with a transformer or breakers and that this level of reporting
should not rise to the NERC level. Believes that additional qualifying language similar to Item 1 be incorporated
into the threshold and read as follows: “Damage or destruction of its Facility that results from actual or suspected
intentional human action that results in actions to avoid a BES Emergency.” 3) Item 3 Attachment 1 needs
clarification since a physical threat needs to be actual and confirmed so that the TO or TOP repositions the system.
In addition, the SDT needs to clarify what the phrase “normal operations” means. (Is this a ratings issue? or a
result in how the System Operator operates the system.) 4) Item 3 should provide clarification as to “Suspicious
device or activity at a Facility“ to determine when threshold raises to the level of reporting. We are concerned that,
based on an Auditor’s perception, these words could be interpreted in several different ways. In addition, we
believe that language needs to be included that the threat causes the reporting entity to change to an abnormal
operating state. This situation could be interpreted differently by the auditor or the entity at the time of the event.
Recommend the following language: “Suspicious device or activity at a Facility with the potential to degrade the
normal operation of the Facility”. This language is similar to the first threshold. 5) The term Initiating entity is used
three times within Attachment 1 and needs to be more clearly defined or reworded. Is it the entity that identifies
the needs of a Public Appeal or the entity that makes the public appeal the initiating entity? The word “initiating”
does not provide clarity but only provides uncertainty to the industry. The Standard needs to be clear on who has
the responsibility as the “initiating”. Recommend the following: a. For public appeal, under Entity with Reporting
Responsibility; “entity that issues a public appeal to the public” b. For system wide voltage reduction, under Entity
with Reporting Responsibility; “entity that activates a voltage reduction” c. For manual load shedding, under Entity
with Reporting Responsibility; “entity that activates manual load shedding” 6) The NSRF recommends transmission
loss to read as: “contrary to protection system design” found in threshold for reporting within the Attachment for
a Transmission loss event. In Requirement 2/ Measure 2, recommend adding “upon recognition of” as a starting
point to the 24 hour reporting requirement, within the threshold of reporting where perceived threats are the
threshold, or transmission loss, when contrary to design is determined.
Individual
Terry Harbour
MidAmerican Energy
Yes
No
Change the VRFs / VSLs to match suggested changes in Question 3
Yes. 1) MidAmerican Energy agrees with and supports MRO NSRF comments. 2) Add additional wording to clearly
provide for compliance when events are found more than 24 hours after an event. Add the following to the end of
R2. Add, Events not identified until sometime later after they occurred shall be reported within 24 hours. 3) In R3
add "external" for R3 to read Validate "external" contact information. 4) In EOP-004-2 Attachment 1 – the wording
“Damage or destruction of its Facility that results from actual or suspected intentional human action that results in
actions to avoid a BES Emergency” is not specific or measureable and therefore ambiguous. Zero defect standards
which carry penalties must be specific. Please reword to "Intentional human action to destroy a NERC BES facility
whose loss could result in actions to avoid a BES Emergency". This clearly aligns with the EOP-004 intent of
sabotage and emergency reporting. EOP-004 should not report on unexpected conditions such as when a system
operator attempts to reclose a line during a storm believing the line tripped for a temporary fault due to debris,
when in fact the fault was permanent and damaged a transformer.
Individual
Kathleen Goodman
ISO New England Inc.
Individual
d mason
City and County of San Francisco - Hetch Hetchy Water and Power
No
Measure M3 specifically identifies two types of acceptable compliance evidence: Voice Recording and Log entries.
Specifying only these two forms of evidence creates a risk that some auditors will reject other forms of R3
compliance evidence which are equally valid, such as emails or written call records. Although M3 states that
acceptable evidence is not limited to Voice Recordings or Log Entries, we have concern that other methods of
complying with R3 may not be accepted.
Individual
Tracy Richardson
Springfield Utility Board
Yes
Yes
Individual
Rich Salgo
NV Energy
No
Without further clarification of what is expected by "validate all contact information" I cannot support this
requirement. On the surface, "validate" appears to be acceptable terminology, as it means to me a review of the
contact names and contact information (perhaps cell #, home phone, text address, email address, etc) that would
be evidenced through an attestation of completion of review along with records showing the updates made to the
contact information pursuant to the review. However, when the Measure is considered, it refers to evidence such
as operator logs, voice recordings, etc. This seems to indicate that the expectation is that each contact is tested,
by dialing, texting, emailing, etc with some sort of confirmation that each contact was successful. If this is what is
necessary to satisfy the "validate" requirement, I believe it is excessive, burdensome and unnecessary. I suggest
modification of the Measure language to clearly allow for an entity to demonstrate compliance by a showing that it
reviewed the contact information and made changes as deemed necessary by its review, and to remove the
reference to operator logs and voice recordings as the evidence of measure.
Aside from the comment referring to the new R3 and the term "validate", I applaud the SDT for the improvements
made in the remainder of the Standard. This is a much simpler and straightforward approach to meeting the
directives in this project and greatly simplifies the processes necessary on the part of the registered entities.
Individual
Thad Ness
American Electric Power
No
In the spirit of Paragraph 81 efforts, we request the removal of R3 as it is solely administrative in nature, existing
only to support R2. This is more of an internal control and does not appear to rise to the level of being an
industry-wide requirement. In addition, having two requirements rather than one increases the likelihood of being
found non-compliant for multiple requirements rather than a single requirement.
No
In the spirit of Paragraph 81 efforts, we request the removal of R1. R1 is administrative in nature, existing only to
support R2. Reporting an event externally might necessitate the need for a plan/procedure/policy/job aide, but
requiring it is an overreach. Having two requirements rather than one increases the likelihood of being found non-compliant for multiple requirements rather than a single requirement. The Paragraph 81 project team has already
recommended removing the requirement to have contact information with law enforcement from CIP-001 R4.
Notwithstanding our comments above, we recommend removing the phrase “and other organizations…” from R1.
If this requirement is to remain, it needs to be very specific regarding who needs to be included in the reporting.
R2 – We recommend removing “per their Operating Plan” from R2 so it reads “Each Responsible Entity shall report
events within 24 hours of meeting an event type threshold for reporting.” If an entity deviates from its plan but
still meets the intent of the requirement (e.g. reporting to NERC within 24 hours), this could be viewed as a finding
of non-compliance. We need to get away from “compliance for compliance’s sake”, and focus solely on those
efforts which will benefit the reliability of the BES. Attachment 1 Page 13, Row 1 (Clean Version): This is too open-ended and would likely lead to voluminous reporting. As it currently reads, “Damage or destruction of a Facility
within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator Area that results in
actions to avoid a BES Emergency” could bring all copper thefts into scope. Thefts should not need to be reported
unless the theft results in reliability concerns as specified by other criteria or parameters in Attachment 1.
Attachment 1 Page 13, Row 2 (Clean Version): The threshold “Damage or destruction of its Facility that results
from actual or suspected intentional human action” should be eliminated entirely. For the event Damage or
destruction of a Facility, the threshold for reporting is set too low. Attachment 1 Page 13, Row 3 (Clean Version):
We suggest modifying the text to read “Do not report theft… unless the theft results in reliability concerns as
specified by other criteria or parameters in Attachment 1.” Attachment 1 Page 14, Row 4 (Clean Version):
Regarding “Loss of Firm Load”, we suggest making it clear that the MW threshold is an aggregate value for those
entities whose TOP is responsible for multiple operating companies or legal entities. In addition, is it necessary to
include the DP as an entity with reporting responsibility? Its inclusion could create confusion by further segmenting
the established threshold. Attachment 1 Page 15, Row 1 (Clean Version): Including “Transmission loss” as
currently drafted would result in much more reporting than is necessary or warranted. As currently drafted, it
could bring more events into scope than intended, especially for larger entities. EOP-004 Attachment 2: Event
Reporting Form: AEP remains concerned that industry would be required to report similar information to multiple
Federal entities, in this case to both NERC (Attachment 2) and the DOE (OE-417). In addition, the reporting
requirements are not clear for every kind of event as to which entity the reports must be forwarded to, and it is
unclear how information would be passed to other entities as necessary. EOP-004 Attachment 2: Event Reporting
Form: This form is a further example of mixing security concepts with operational concepts. Not only is it not
advisable, it does not serve the interests of either concept.
Individual
Charles Yeung
Southwest Power Pool RTO
Yes
No
We question the reliability benefits of this requirement.
Individual
Nathan Mitchell
American Public Power Association
Yes
Yes
As stated in our comments on the previous draft: It is APPA’s opinion that this standard should be removed from
the mandatory and enforceable NERC Reliability Standards and turned over to a working group within the NERC
technical committees. Timely reporting of this outage data is already mandatory under Section 13(b) of the
Federal Energy Administration Act of 1974. There are already civil and criminal penalties for violation of that Act.
This standard is a duplicative mandatory reporting requirement with multiple monetary penalties for US registered
entities. If this standard is approved, NERC must address this duplication in their filing with FERC. This duplicative
reporting and the differences in requirements between DOE-OE-417 and NERC EOP-004-2 require an analysis by
FERC of the small entity impact as required by the Regulatory Flexibility Act of 1980.
Group
Bonneville Power Administration
Chris Higgins
Yes
BPA agrees with the revision and recognizes that it will involve a large amount of validation workload for entities
with a large footprint.
No
BPA does not agree with the VRFs and VSLs. BPA believes that the violation levels for administrative errors are too
high. For more information, please reference comments to question #3.
The proposed standard does not have any oral reporting option for system operators and thus appears to be
administrative in nature. Due to this and the fact that administrative staff are not available on weekends, the “24
hour” reporting requirements should be modified to “Next Business Day” to allow for weekend delays in reporting.
BPA believes that there are too many minor events that have to be reported within 24 hours. Reporting during the
next business day would suffice. Some examples include: A 115 shunt capacitor bank failure for the first event
type does not seem important enough to require reporting within 24 hours just because action has to be taken to
raise generation or switching of line. A failure of a line tower that has proper protective action to clear the line and
also has automatic (SPS) to properly protect as designed the BES system (a good normal practice) from overloads
or voltage issues does not seem important enough to require reporting within 24 hours either.
Individual
Don Jones
Texas Reliability Entity
Yes
No
(1) VSLs for R1 should have a lower level VSL if the event reporting Operating Plan fails to include one or more of
the event types listed in Attachment 1. (2) VSL for R1 is incorrectly stated as there are no “parts” to R1.
(A) Regional Entity should be capitalized in R1. (B) COMMENTS ON ATTACHMENT 1: In the previous comment
period on this Standard, Texas RE submitted comments that we feel were not adequately addressed. There were
several responses to comments regarding the Events Table that need deeper review and consideration: (1) In the
Events Table, under Transmission Loss, the SDT indicated that reporting is triggered only if three or more
Transmission Facilities operated by a single TOP are lost. Also, generators that are lost as a result of transmission
loss events must be included when counting Facilities. As Texas RE indicated in previous comments to this
Standard, determining event reporting requirements by the entity that owns/operates the facility is not an
appropriate measure. If the industry wants to learn from events, these types of issues must be addressed.
Including the RC as one of the Entity(s) with Reporting Responsibility may alleviate this concern. The RC would
have overall view of the system and could provide the reports on multi-element events where the elements are
owned/operated by different entities. For the SDT to believe that “There may be times where an entity may wish
to report when a threshold has not been reached because of their experience with their system” is worthy to note
but falls short of the reliability implications caused by those entities that will not report. The industry needs to
learn from events and failure to report will facilitate failure to learn. (2) In the Events Table, under Transmission
Loss, there has been considerable discussion recently within the Events Analysis Subcommittee (EAS) regarding
the definition of the phrase “contrary to design.” The EAS is currently working on possible guidelines to interpret
this event type. The SDT may want to consider including the EAS language into the Guidelines and Technical Basis
for this Standard. (3) In the Events Table, under “Unplanned BES Control Center evacuation” and “Complete loss
of voice communication capability,” and “Complete loss of monitoring capability,” GOPs should be included. GOPs
also operate control centers that would be subject to these kinds of occurrences. As Texas RE indicated in previous
comments to this Standard, in CIP-002-5 Attachment 1 there is a “High Impact Rating” for the following: “1.4
Each Control Center, backup Control Center, and associated data centers used to perform the functional
obligations of the Generation Operator that includes control 1) for generation equal to or greater than an
aggregate of 1500 MW in a single Interconnection or 2) that includes control of one or more of the generation
assets that meet criteria 2.3, 2.6, and 2.9.” In the ERCOT Region, we experienced an event where a GOP control
center lost an ICCP link that carried real-time information regarding its generation fleet (over 10,000 MWs).
Without inclusion of the GOP here the event may not get recorded. While it was a “virtual” loss, the impact to the
BES through generation control actions could be significant and the event should be reported and analyzed. For
the GOP control centers that do exist, the reporting of such events should be a requirement. Based on the
minimum of these two examples, why would the SDT NOT include GOP as being applicable? (4) In the Events
Table, under “BES Emergency requiring public appeal for load reduction,” the definition of Emergency is “Any
abnormal system condition that requires automatic or immediate manual action to prevent or limit the failure of
transmission facilities….” Is it the intent of the SDT to exclude public appeals issued in anticipation of a possible
emergency, before a BES Emergency is officially declared? (5) In the Events Table, under “BES Emergency
resulting in automatic firm load shedding,” the SDT may want to consider including the RC as one of the Entity(s)
with Reporting Responsibility. The RC would have overall view of the system and should provide the reports on
events where the multiple entities may be involved. We have UVLS schemes in our region where the total MW
shed is greater than 100 MW, but the individual TOP MW shed is less than 100 MW. (6) In the Events Table,
consider whether the item for “Voltage deviation on Facility” should also be applicable to GOPs, because a loss of
voltage control at a generator (e.g. failure of an automatic voltage regulator or power system stabilizer) could
have a similar impact on the BES as other reportable items. Note: We made this comment last time, and the SDT’s
posted response was non-responsive to this concern. The SDT noted “Further, we note that such events do not
rise to the level of notification to the ERO” but the SDT failed to recognize that “Voltage deviation on a Facility”
does exactly that – notifies the ERO but from a TOP perspective only. Texas RE is trying to establish the correct
Responsible Entity for reporting “Voltage deviation on a Facility” (in this case a generator regardless of the cause
and other obligations the owner may have with other Reliability Standards).
Individual
Christine Hasha
ERCOT
Yes
ERCOT considers replacing R3 and R4 with the new R3 is an improvement and we thank the drafting team for
making the change.
No
Since EOP-004 is related to ex-post reporting, which has nothing to do with operational or planning risk, this is an
administrative requirement and, accordingly, the VRFs should all be Low. This would mean lowering the VRF for R2
and R3 to Low. The third component of the Severe VSL for R2 is more severe than the other two components. In
an attempt to be more consistent across all the VSLs, we propose the following for the High VSL for R2: The
Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 48 hours
after meeting an event threshold for reporting. OR The Responsible Entity failed to submit an event report (e.g.,
written or verbal) to three or more entities identified in its event reporting Operating Plan within 24 hours. ERCOT
proposes that the first two components of the Severe VSL for R2 be deleted and replaced with: The Responsible
Entity failed to submit a report for an event in EOP-004 Attachment 1.
As a general matter, this standard imposes an ex-post reporting obligation. Consistent with the ongoing P 81
standard review/elimination effort, this standard is arguably a candidate for elimination under the principles
guiding that effort. The obligations proposed in the standards are better suited for inclusion in the Rules of
Procedure or as a guideline because they are strictly administrative in nature. To the extent the SDT continues to
pursue this effort, ERCOT offers the following additional comments. ERCOT has commented on the listing in the
Entity with Reporting Responsibility column of Attachment 1. Consistent with those prior comments, the current
version still fails to adequately create a bright line threshold for particular events. For example, in the
Transmission loss event, although the TOP is listed, there is no direction regarding which TOP is required to file the
event report. Is it the TOP in whose TOP area the loss occurred or is it a neighboring TOP who observes the loss?
Clearly, the responsibility for reporting lies with the host system, but that responsibility is not clearly designated.
There are several other similar events where there is no bright line. We suggest that the drafting team return the
deleted language to the Entity with Reporting Responsibility column in those instances where the current version
fails to provide a bright line in the Threshold column. Regarding multiple reports for a single event, that aspect of
the proposed draft should be revised to only require a single report. While additional information may be available
from others, let the Event Analysis team perform their function. This would eliminate the redundant reporting that
is currently required as the standard is written. ERCOT requests that the reference to “cyber attack” be removed
from the Guideline and Technical Basis section of the document since all reporting of cyber events has been
removed from the standard and retained in CIP-008.
Individual
Denise M. Lietz
Puget Sound Energy Inc.
Yes
Puget Sound Energy appreciates the Standard Drafting Team's work to streamline and clarify the proposed
standard. In addition, we understand that the Standard Drafting Team faces a significant challenge in developing
workable thresholds for reporting under this standard. Unfortunately, Puget Sound Energy cannot support the
proposed standard because the reporting thresholds remain too vague and, thus, too broad - especially those
related to damage or destruction of a Facility and those related to physical threats. The first four events listed on
Attachment 1 are not brightline rules, because they each involve significant elements of judgment and
interpretation. An example of our concern relates to the phrase "... that results from actual or suspected
intentional human action." Puget Sound Energy, like many regulated entities, is staffed only with System
Operators at night and on weekends. As a result, the 24-hour reporting requirement necessarily requires the
System Operators to submit the required reports. So, how is a System Operator going to judge whether a human
action is "intentional"? As a result, it will be necessary to report any event in which human action is involved
because there is no way for a System Operator to know for sure whether the action is intentional or not. And,
regulated entities will need to instruct their System Operators to make such reports, because the failure to submit
a report of even one event listed in EOP-004 Attachment 1 is assigned a severe VSL under the proposed standard.
We believe that the proposed threshold language will likely result in a flood of event reports that will not improve
situation awareness.
Group
CenterPoint Energy
Daniela Hammons
No
CenterPoint Energy supports the concept of combining Requirements R3 and R4; however, the Company still
prefers an annual review requirement which would include validating the contact information and content of the
Operating Plan overall. Therefore, CenterPoint Energy recommends the following revised language for Requirement
R3: “Each Responsible Entity shall review and update the Operating Plan at least every 15 months.” The Company
also suggests that the Measure be worded as follows: “Evidence may include, but is not limited to dated
documentation reflecting changes to the Operating Plan including updated contact information if necessary.”
No
CenterPoint Energy suggests that the phrase “which caused a negative impact to the Bulk Electric System” be
added to each Violation Severity Level. For example, the wording would appear as follows: “The Responsible Entity
submitted an event report (e.g., written or verbal) to all required recipients more than 24 hours but less than or
equal to 36 hours after meeting an event threshold for reporting which caused a negative impact to the Bulk
Electric System”. Additionally or alternatively, the Company proposes that the above phrase be added to the
Threshold(s) for Reporting in Attachment 1 to focus on events that have an impact or effect on the Bulk Electric
System.
CenterPoint Energy appreciates the revisions made to the draft Standard based on stakeholder feedback and
believes that the changes made are positive overall. However, the Company recommends the additional changes
noted below for a favorable vote. In the Rationale for R1, CenterPoint Energy recommends that the 2nd sentence
in the 1st paragraph be revised as follows, “In addition, these event reports may serve as input to the NERC
Events Analysis Program.”, as not all events listed in Attachment 1 will serve as input in to the NERC Events
Analysis Program. CenterPoint Energy also proposes that the Standard Drafting Team (SDT) add "There cannot be
a violation of Requirement R2 without an event." as noted in the Consideration of Issues and Directives to the
Requirement. For Attachment 1, CenterPoint Energy recommends the following revisions: CenterPoint Energy
continues to be concerned that the uses of the terms “suspicious” and “suspected” are too broad. The Company
proposes that the SDT remove the terms from the Thresholds for Reporting or add “which caused a negative
impact to the Bulk Electric System” or “that causes an Adverse Reliability Impact…" to each phrase where the
terms are used. CenterPoint Energy proposes that the threshold for reporting the event, “BES Emergency requiring
manual firm load shedding” is too low. It appears the SDT was attempting to align this threshold with the DOE
reporting requirement. However, as the SDT has stated, there are several valid reasons why this should not be
done. Therefore, CenterPoint Energy recommends the threshold be revised to “Manual firm load shedding ≥ 300
MW”. CenterPoint Energy also recommends a similar revision to the threshold for reporting associated with the
“BES Emergency resulting in automatic firm load shedding” event. (“Firm load shedding ≥ 300 MW (via automatic
under voltage or under frequency load shedding schemes, or SPS/RAS”) For the event of “System separation
(islanding)”, CenterPoint Energy believes that 100 MW is inconsequential and proposes 300 MW instead. For
“Generation loss”, CenterPoint Energy suggests that the SDT add "only if multiple units” to the criteria of “1,000
MW for entities in the ERCOT or Quebec Interconnection”.
Individual
Maggy Powell
Exelon Corporation and its affiliates
Yes
No
R2 VSLs – By measuring the amount of time taken to report and the number of entities to receive the report, the
VSLs track more with size and location than with a failure to report. For instance, an entity failing to report at all to
one entity would be deemed a lower VSL while an entity reporting to many, but failing to report to three entities
would be deemed a high VSL. R3 VSL – The severe VSLs do not seem commensurate to oversight. A three month
delay in validating that phone numbers are correct, for phone numbers that are accurate, does not track with a
severe infraction.
Thanks to the drafting team for all the work on this revision. Significant progress was made, though Exelon has
some remaining comments: • It’s not clear why the team separated ‘Damage or destruction of a Facility’ into two
rows. Please advise. • Damage or destruction of a Facility - The threshold for "damage or destruction of a Facility”
is too open-ended without qualifying the device or activity as “confirmed”. Event reporting for nuclear generating
units are initiated when an incident such as tampering is "confirmed". EOP-004 should include some threshold of
proof for a reason to believe that no other possibility exists for "damage or destruction of a facility" event other
than actual or suspected intentional human action. • Physical threats to a Facility – Reporting of every “suspicious
activity” such as photographing equipment or site could result in an unwieldy volume of reports and dilute the data
from depicting quality insight. For example, nuclear generating units are required to report all unauthorized and/or
suspicious activity to the NRC. Please confirm that the intent of this threshold for notification would include all
unauthorized and/or suspicious activity. • Physical threats to a BES control center – please confirm that reporting
responsibility falls to the RC, BA, TOP and not GOs. In addition, please confirm that by use of the lower case
“control center” other definitions in development through other standards development projects (e.g. CIP version
5) and that may be added to the NERC Glossary will not apply until formally vetted in a future EOP-004 standards
development project. • Loss of firm load – “Loss of firm load for ≥ 15 Minutes: ≥ 300 MW for entities with previous
year’s demand ≥ 3,000 MW”. Please clarify whether the team intends for this to apply to a single event a loss of
more than 300 MW due to non-concurrent multiple distribution outages that total > 300MW. • Generation loss –
Exelon appreciates the timing clarification added to the generation loss threshold. The phrase “within one minute”
should also be included in the threshold for the ERCOT and Quebec Interconnections to read: “Total generation
loss, within one minute, of ≥ 2,000 MW for entities in the Eastern or Western Interconnection OR Total generation
loss, within one minute, of ≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection” • The Law
Enforcement Reporting section in the Guideline and Technical Basis states: "The inclusion of reporting to law
enforcement enables and supports reliability principles such as protection of the BES from malicious physical or
cyber attack." Since CIP-008 now covers reporting of cyber incidents the reference to cyber should be removed.
Group
SPP Standards Review Group
Robert Rhodes
Yes
We feel that replacing R3 and R4 with the new R3 is an improvement and we thank the drafting team for making
the change.
No
Since EOP-004 is about after-the-fact reporting, we suggest that all the VRFs be Lower. This would mean lowering
R2 and R3 from Medium. The third component of the Severe VSL for R2 is more severe than the other two
components. In an attempt to be more consistent across all the VSLs, we propose the following for the High VSL
for R2: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more
than 48 hours after meeting an event threshold for reporting. OR The Responsible Entity failed to submit an event
report (e.g., written or verbal) to three or more entities identified in its event reporting Operating Plan within 24
hours. We propose the following, deleting the first two components as shown in the current draft, for the Severe
VSL for R2: The Responsible Entity failed to submit a report for an event in EOP-004 Attachment 1.
We have made previous comments in the past regarding the listing in the Entity with Reporting Responsibility
column of Attachment 1. While we concur with some of the changes that the drafting team has made regarding
the addition of a bright line in the Threshold for Reporting column, there remain events where there is no line at
all. For example, in the Transmission loss event, the TOP is listed and there is no distinction regarding which TOP
is required to file the event report. Is it the TOP in whose TOP area the loss occurred or is it a neighboring TOP
who observes the loss? Clearly, the responsibility for reporting lies with the host system. There are several other
similar events where the bright line is non-existent and needs to be added. We suggest that the drafting team
return the deleted language to the Entity with Reporting Responsibility column in those instances where the bright
line has not been added in the Threshold column. Regarding multiple reports for a single event, we again believe
that only a single report should be required. While additional information may be available from others, let the
Event Analysis personnel do their job investigating an event and eliminate any redundant reporting that is
currently required as the standard is written. If not, this standard, if approved, would then appear to be a likely
candidate for Phase 2 of the Paragraph 81 project.
Individual
Christina Bigelow
Midwest Independent Transmission System Operator, Inc.
Yes
No
MISO agrees with the comments submitted by the SERC Operating Committee that the VRFs for R2 and R3 should
be “Lower” instead of “Medium,” since these are administrative requirements. MISO further respectfully suggests
that implementing another standard that requires reporting every incident identified in a plan within 24 hours and
that classifies failure to do so a “Severe” violation, will likely cause entities to limit the scope of their plans. NERC,
therefore, would not receive information that appears unimportant to a single entity but could be important in the
context of similar events across the country.
MISO respectfully submits that several of the thresholds for reporting in EOP-004 – Attachment 1 should be
modified to clarify when the reporting obligation is triggered, and to ensure that entities are reporting events of
the type and significance intended. In particular, MISO focuses on the following draft thresholds in EOP-004 –
Attachment 1: • The requirement that an entity report when “[d]amage or destruction of a Facility within its
Reliability Coordinator Area, Balancing Authority Area or Transmission Operator Area that results in actions to
avoid a BES Emergency.” A BES Emergency is defined as “Any abnormal system condition that requires automatic
or immediate manual action to prevent or limit the failure of transmission facilities or generation supply that could
adversely affect the reliability of the Bulk Electric System.” RCs and BAs take actions each and every day to “avoid
a BES Emergency.” At the time of those actions, they are reacting to conditions that their operating personnel are
observing on the BES. There is no way for an RC or a BA to discern whether the conditions to which they reacted
resulted from the “damage or destruction of a Facility” and there is no requirement for Transmission Operators
and/or Owners to report “damage or destruction of a Facility” to their BA or RC. Accordingly, RCs and BAs will
likely, often not be sufficiently informed to determine if their actions require them to submit a report. Responsible
entities are likely to expend significant time and resources reporting daily operations and actions routinely taken to
respond to observed BES conditions as they present themselves. These actions may be in response to congestion,
equipment outages, relay malfunctions, etc. Whether or not the initiating factor was “damage to or destruction of
a Facility” will often be an unknown factor and – even if such is known – the genesis of that damage and/or what
constitutes damage (as discussed below) present further potential for confusion and over-reporting. Nonetheless,
the lack of clarity in the standard is likely to result in some RCs and BAs preparing reports whether or not they
definitely ascertain the underlying cause for the system conditions that prompted them to take actions “to avoid a
BES Emergency.” The preparation and submission of such reports, in many cases, will not facilitate the stated
objective of this standard, which is the improvement of the reliability of the Bulk Electric System. In addition, with
respect to damage or destruction of a Facility, it is debatable as to what would be considered “damage.” For
example, would an improper repair or outage that results in damage to a Facility that requires a more extended
repair or outage be deemed “damage” to that Facility under this standard? These ambiguities will likely result in
significant over-reporting, over-burdening responsible entities, and inundating Regional Entities and NERC with
information that is not useful for the purpose of facilitating the reliable operation of the Bulk Electric System.
These effects would undermine the express purpose of the standard and the potential value of information if the
reporting obligations are appropriately defined, assigned, and scoped. For these reasons, MISO recommends that
the SDT revise the standard to: (1) remove the requirement for RCs and BAs to report the “damage or destruction
of a Facility” as it is redundant of the immediately subsequent requirement, (2) to remove reporting responsibility
from BAs to report the “damage or destruction of a Facility” as this obligation is more properly placed with the TO,
TOP, GO , GOP, and DP, and (3) provide guidance to the remaining responsible entities, TO, TOP, GO , GOP, and
DP, regarding when “damage” to a Facility should be reported, e.g., an illustrative list of the types of “damage”
that would yield information and/or trends that would facilitate the improvement of the reliability of the BES. • The
requirement to report “[p]hysical threats to a Facility” and/or “[p]hysical threats to a BES Control Center” With
respect to physical threats to Facilities or BES Control Centers, what is considered a “physical threat” and/or a
“suspicious device or activity”? Is a crank call count that the building is on fire a physical threat? Is the return of a
disgruntled employee suspicious? MISO understands and supports the reporting and analysis of threats and even
certain types of suspicious activities, etc. It is merely concerned that the reporting threshold expressed in this
standard will result in the reporting of substantial amounts of data that will not facilitate the improvement of the
reliability of the BES and that the volume of reports may delay or otherwise obscure the detection of notable
trends. Accordingly, MISO recommends that the SDT revise the standard to: (1) require the reporting only of
substantial physical threats that are likely to have an adverse impact on the reliable operation of the Bulk Electric
System, and (2) to provide an illustrative list of the types of “suspicious activity or devices” as guidance to
responsible entities. • Timing of reports Finally, MISO respectfully suggests that NERC re-assess the timing
requirements as related to the objectives expressed within this standard. MISO believes that NERC should clarify
that its “situational awareness” staff will review submitted information to determine whether there are indications
of possible coordinated attack and to quickly inform responsible entities that there are signals of possible
coordinated attack. This clarification could be made in the standard, or the standard could describe the process
that NERC staff will use. Unless such review and information is provided, the need that the standard attempts to
address will not be fully met. Conversely, many of the events listed in Attachment A that require reporting do not
need to be reported within 24 hours and would not offer significant benefit or value if reported within that time
period as NERC and Regional Entities primarily utilize such information to capture metrics or perform after-the-fact
events analysis. Accordingly, MISO respectfully suggests that, while performing analysis to determine clarifications
that would result in the appropriate definition, assignment, and scope of reporting obligations, NERC should also
examine the events and identify those events for which a longer time period for reporting would be suitable. This
would significantly reduce the administrative burden on responsible entities and likely result in more
comprehensive, rigorous, and beneficial reporting.
Group
ACES Power Marketing Standards Collaborators
Jason Marshall
No
We believe that the revision to R3 and elimination of R4 are great improvements to the standard as a lot of the
unnecessary burdens have been removed. However, Requirement R3 is still not needed, has several issues with it
and should be eliminated. (1) While validating contact information annually in a reporting plan makes sense, it
does not rise to the level of importance of requiring sanctions for failure to do so. Furthermore, it does nothing to
assure reliability. Shortly after the contact information has been updated, it could change. This does not mean that
validation should be more frequent but simply that it is an unnecessary administrative burden. If contact information
changes, the registered entity will have to find it. For reliability purposes, why does it matter if they do this in the
24-hour reporting period after the event or annually before the event? (2) Requirement R3 is administrative and is
not consistent with the recent direction that NERC and FERC have taken toward compliance. Violations of this
requirement are likely to be candidates for FFT treatment and this is exactly the kind of requirement that FERC
invited NERC to propose for retirement in Paragraph 81 of the order approving the FFT process. Furthermore, it
appears to meet at least two criteria (Administrative and periodic updates) that the Paragraph 81 drafting team
has proposed to use to identify candidate requirements for retirement. The requirement is also not consistent with
the direction NERC has taken on internal controls. How is an auditor reviewing that contact information has been
updated in an Operating Plan forward looking or for that matter beneficial to reliability? Imagine a registered entity
fails to update their contact information but still reports an event within the 24 hour reporting time frame to the
appropriate parties. They are in technical violation of R3 but have met the spirit of the standard. (3) Requirement
R3 is not a results-based requirement. It simply compels a registered entity “how to” meet reporting deadlines.
Certainly, if a registered entity has current contact information on hand, it will be easier to notify appropriate
parties of events quickly. However, it does limit a registered entity’s ability to identify its own unique and possibly
better way to meet a requirement. “How to” requirements prevent unique and superior solutions.
No
Because R3 is administrative, the VRF should be Lower. The requirement simply compels that the registered
entity update a document which is purely administrative.
(1) For the first “Damage or destruction of a Facility” event in Attachment 1, the threshold for reporting should be
modified. The threshold for reporting would only include damage or destruction that necessitates the need for
action to prevent an Emergency. It does not include if an Emergency actually occurs. Based on the definition of
Emergency which states that it is an “abnormal system condition that requires… action to prevent or limit”, we
think the threshold should be changed to “Damage or destruction of a Facility… that results in a BES Emergency”.
Per the definition, the Emergency is what necessitates action which is what the threshold appeared to be focused
on. (2) In the second “Damage or destruction of a Facility” event in Attachment 1, the threshold regarding
“intentional human action” is ambiguous and suffers from the same difficulties as defining sabotage. What
constitutes intentional? How do we know something was intentional without a law enforcement investigation? If a
car runs into a transmission tower, was this an accident or intentional human action? It could be either. This
appears to be the same issue that prevented the drafting team from defining sabotage. (3) Under the “Physical
threats to a BES control center” event in Attachment 1, the event should very clearly define if this applies to
backup control centers or not. (4) Under the “Complete loss of off-site power to a nuclear generating plant (grid
supply)” event in Attachment 1, the entity with reporting responsibility is not coordinated with NUC-001. NUC-001
used the term transmission entity to mean an entity that is responsible for providing NPIR services. They did not
use only TOP because there are other entities that provide this service. Please coordinate the “Entity with
Reporting Responsibility” with that standard. (5) We continue to believe that the draft standard has not satisfied
the complete scope of the SAR regarding elimination of redundancy. The draft standard will continue to require
redundant reporting by various entities. For instance, under the event “Loss of Firm Load” in Attachment 1, the
DP, TOP, and BA all are required to report. The response to our last set of comments regarding this issue was that
“the industry can benefit from having such differing perspectives when events occur”. This response seems to
confuse event analysis with event reporting. The purpose of the standard is to simply report that an event
happened. In fact, the reporting form only requires the submitting entity to report the type of event. The
description of what happened is optional. What additional perspectives could be gained from having multiple
registered entities in the same electrical footprint report that an event happened. If the purpose is to analyze the
event, this is covered in the events analysis process. Furthermore, once NERC becomes aware of the event they
have the authority to request data and information from other registered entities. Please eliminate the duplicate
reporting requirements. Other events that may require duplicate reporting include: Damage or destruction of a
Facility, Physical threats to a Facility, BES Emergency resulting in automatic firm load shedding, Loss of firm load,
System separation, Generation loss, and Complete loss of off-site power to a nuclear generating plant. (6) In the
second “Damage or destruction of a Facility” event and “Physical Threats to a Facility” events, Distribution Provider
should be removed. The Distribution Provider does not have any Facilities which is defined as “a set of electrical
equipment that operates as a single Bulk Electric System Element”. The DP’s transformers interconnecting to the
BES are not Facilities and the latest NERC BOT definition explicitly does not include them in Inclusion I1. If a DP
did own Facilities, it would be registered as a TO or GO. Inclusion of the DP will compel the DP to provide evidence
that it does not have Facilities which is an unnecessary compliance burden that does not support reliability. (7)
The “BES Emergency resulting in automatic firm load shedding” should not apply to the DP. In the existing EOP-004
standard, Distribution Provider is not included and the load shed information still gets reported. (8) For the
“Voltage deviation on a Facility” event in Attachment 1, we suggest changing “area” in the threshold for reporting
to “Transmission Operator Area” as it is a defined term. (9) For the “System separation (islanding)” event, please
remove BA. Because islanding and system separation, involve Transmission Facilities automatically being removed
from service, this is largely a Transmission Operator issue. This position is further supported by the approval of
system restoration standard (EOP-005-2) that gives the responsibility to restore the system to the TOP. (10) The
response to our comments requesting that Measure 2 specifically identify that attestations are acceptable forms of
evidence to indicate that no events have occurred indicated that the measure cannot permit use of attestations.
Other standards that have been recently approved by the board specifically permit the use of attestations.
FAC-003-2 M1 and M2, TOP-001-2 M1-M11 and TOP-003-2 M5 all permit the use of attestations. We ask the
drafting team to reconsider including a specific reference that an attestation is acceptable to indicate no event has
occurred given these new facts. (11) In requirement R1, we suggest changing “in accordance with EOP-004-2
Attachment 1” to “to report events identified in EOP-004-2 Attachment 1”. It makes more sense since the
attachment is a list of events that require reporting. The other language sounds like additional requirements will
be established in Attachment 1.
Individual
Scott Berry
Indiana Municipal Power Agency
Yes
IMPA agrees with the removal of a “test” and going with a validation requirement for the contact information in the
Operating Plan.
no comment
On page 6 of 23 of the draft standard document, second paragraph under Rationale for R1, the SDT uses the
words “Every industry participant that owns or operates elements or devices on the grid has a formal or informal
process…” The use of these words implies that this requirement and others in this standard may apply to every
industry entity regardless if they are a registered entity or not. IMPA understands that standards can only apply to
entities that are registered with NERC, but we still prefer to see different wording in this sentence. IMPA
recommends using “Every registered entity that owns or operates elements or devices on the grid has a formal or
informal process…” Another concern is on pages 18, 19, and 20 of 23. It is not clear what exactly is required of a
registered entity and the law enforcement reporting process. IMPA understands it is up to the entity to decide just
how its event reporting Operating Plan is made up and who is contacted for the events in attachment 1. These
pages are confusing when it comes to the listing of stakeholders in the reporting process on page 18 of 23 and
then when the SDT states that an entity may just notify the state or provincial or local level law enforcement
agency. The SDT needs to clarify that the listing of stakeholders on page 18 of 23 is just a suggestive listing and
that if the entity so decides per its reporting Operating Plan that notification of the local law enforcement agency is
sufficient (the thought that the local law enforcement agency can coordinate with additional law enforcement
agencies if it sees the need). The requirement to contact the FBI in CIP-001 is not a requirement in EOP-004-2
unless the registered entity puts that requirement in its event reporting Operating Plan. As a clarification, in the
Background section’s second paragraph, it should read “retiring both EOP-004-1 and CIP-001-2a” as opposed to
CIP-002-2a as written above in this comment document.
Individual
Darryl Curtis
Oncor Electric Delivery
Yes
No
Oncor suggests the following additions to VSL language for R1 to align more closely with the measures described in
M1:
Lower VSL - Entity has one applicable event type not properly identified in its event reporting Operating Plan
High VSL - Entity has more than one applicable event type not properly identified in its event reporting Operating Plan
Severe VSL - The Responsible Entity failed to have an event reporting Operating Plan
For reporting consistency, under the Event Type labeled “Generation Loss”, in Appendix 1 of EOP-004-2, Oncor
recommends that the reporting threshold of 1,000 KW for the ERCOT Interconnection be raised to 1,400 MW to
match the 1,000 MW level in the current version of the ERO Event Analysis Program. Under the Event Type labeled
“Damage or Destruction of a Facility”, Appendix 1, with the threshold that states, “Damage or destruction of its
Facility that results from actual or suspected intentional human action”, Oncor suggests the addition of the following
language to address intentional human action that is theft in nature but is not intended to disrupt the normal
operation of the BES: “Do not report theft unless it degrades the normal operation of a Facility.”
Individual
Tony Kroskey
Brazos Electric Power Cooperative, Inc.
Individual
Alice Ireland
Xcel Energy
Yes
No
The VSLs for R2 provide a range of severity based on the number of contacts made (or not made) but
this seems to be arbitrarily defined. A smaller entity may only have two or three contacts so missing one or more
here may be a much higher risk than for a larger utility that may have ten or more contacts. The VSLs should be
drafted to include percentages instead of whole numbers. The Lower VSL column for R3 states, “…OR The
Responsible Entity validated 75% or more of the contact information contained in the operating plan.” This could
be interpreted that even if someone completed 100% (which is more than 75%) a low VSL could be assigned. This
VSL should be drafted in similar fashion to the Moderate, High and Severe VSLs and include a range (i.e. less than
100% but more than 75%).
In attachment one, the “Threshold for Reporting” under Damage or Destruction of a Facility appears to closely
follow the definition of sabotage that EOP-004-2 says it is trying to do away with. This definition should be drafted
to better correlate with the other physical threats and include the language, “which has the potential to degrade
the normal operation of the Facility”. Additionally in Attachment 1, both the Physical threats to a Facility and
Physical threats to a BES control center include the wording, “Suspicious device or activity…”. What constitutes
suspicious activity? With no definition this interpretation is left to the Entity which is again something the DSR SDT
says they would like to eliminate. Lastly, in the Guideline and Technical Basis section, under A Reporting Process
Solution – EOP-004 it states, “A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator
and the SDT Chair is reflected in the flowchart below (Reporting Hierarchy for Reportable Events). Essentially,
reporting an event to law enforcement agencies will only require the industry to notify the state or provincial or
local level law enforcement agency. The state or provincial or local level law enforcement agency will coordinate
with law enforcement with jurisdiction to investigate. If the state or provincial or local level law enforcement
agency decides federal agency law enforcement or the RCMP should respond and investigate, the state or
provincial or local level law enforcement agency will notify and coordinate with the FBI or the RCMP.” This appears
to be in direct conflict with the Rationale for R1 which states, “An existing procedure that meets the requirements
of CIP-001-2a may be included in this Operating Plan along with other processes, procedures or plans to meet this
requirement.” CIP-001-2a required “communication contacts, as applicable, with local Federal Bureau of
Investigation (FBI)…” so if the CIP-001-2a procedure is included this does not seem to meet the requirements of
the operating plan required under EOP-004-2. Also, if the intent of the Operating Plan is to include all local law
enforcement and not FBI the operating plan would become very detailed and when validated annually as required
in R3, this becomes very burdensome on an entity.
Meeting Results
Project 2009-01
Memo to NERC Project Ballot Body for Recirculation Ballot
October 15, 2012
The Disturbance and Sabotage Reporting standard drafting team has opted to pursue a recirculation
ballot for EOP-004-2 after making a few clarifications to the Guidelines and Technical Basis section to
address stakeholder concerns raised during the second successive ballot.
Distribution Providers – Some concerns were raised with respect to applicability of the
standard to all Distribution Providers. The concerns relate to DPs that do not own BES
Facilities. While these entities would not have any events to report under R2, they would still
be applicable under R1 and R3. The team discussed this issue and has addressed this concern
with additional language in the Guidelines and Technical Basis section of the standard.
Duplicative Reporting – If an entity is registered as an RC, BA and TOP, they should only have to
submit a single report. The team discussed and has addressed this concern with additional
language in the Guidelines and Technical Basis section of the standard. With regards to the
concern regarding multiple entities submitting a report for the same event, the team does not
see this as being an issue for industry and will not make any further revisions to address this.
Other issues were raised by stakeholders and a discussion of those is below:
Paragraph 81 – On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process,
and in Paragraph 81 (“P81”), invited NERC and other entities to propose to remove from
Commission-approved Reliability Standards unnecessary or redundant requirements. In
response to P81 and the Commission’s request for comments to be coordinated, during June
and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff from
the NERC Regions jointly discussed consensus criteria and an initial list of Reliability Standard
requirements that appeared to easily satisfy the criteria, and, thus, could be retired.
In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from CIP-001 and
EOP-004 met the initial threshold for being included in the P81 Project. Both of these
requirements will also be retired by EOP-004-2.
Phase 2 of the Paragraph 81 project will evaluate all NERC Reliability Standards, including any
modifications to EOP-004-2. Until such time, CIP-001-2a and EOP-004-1 are mandatory and
enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the industry, those
standards will remain as is, and subject to the Compliance Monitoring and Enforcement
Program.
Reporting – Some comments were submitted regarding the reporting burden of this standard.
The revised standard combines two standards into one and removes the analysis portion of the
current mandatory and enforceable standards (EOP-004-1 and CIP-001-2a). The analysis
provisions will be addressed in the NERC Events Analysis Program upon approval of EOP-004-2.
This revised standard involves notification only and does not require any investigation or
analysis.
Attachment 1 comments – Many suggestions were made regarding the events listed in Attachment 1.
The team has reviewed all of these comments and determined that they would be substantive changes
by definition. The team has elected to move forward to recirculation ballot (which precludes
substantive revisions to the standard) therefore, these suggestions cannot be incorporated at this time.
These comments will be entered into the NERC Issues data base for consideration when the standard is
reviewed during the required periodic review cycle.
Consideration of Comments
Project 2009-01 Disturbance Sabotage and Reporting
The Project 2009-01 Drafting Team thanks all commenters who submitted comments on Draft 5 of
EOP-004-2. The standard was posted for a 30-day public comment period from August 29, through
September 27, 2012. Stakeholders were asked to provide feedback on the standard and associated
documents through a special electronic comment form. There were 56 sets of comments, including
comments from approximately 181 different people from approximately 125 companies, representing
9 of the 10 Industry Segments as shown in the table on the following pages.
All comments submitted may be reviewed in their original format on the standard’s project page.
If you feel that your comment has been overlooked, please let us know immediately. Our goal is to give
every comment serious consideration in this process! If you feel there has been an error or omission,
you can contact the Vice President and Director of Standards, Mark Lauby, at 404-446-2560 or at
mark.lauby@nerc.net. In addition, there is a NERC Reliability Standards Appeals Process.[1]
[1] The appeals process is in the Standard Processes Manual: http://www.nerc.com/files/Appendix_3A_StandardsProcessesManual_20120131.pdf
Summary Consideration:
The Disturbance and Sabotage Reporting standard drafting team has opted to pursue a recirculation
ballot for EOP-004-2 after making a few clarifications to the Guidelines and Technical Basis section to
address stakeholder concerns raised during the second successive ballot:
• Distribution Providers – Some concerns were raised with respect to applicability of the standard to
all Distribution Providers. The concerns relate to DPs that do not own BES Facilities. While these
entities would not have any events to report under R2, they would still be applicable under R1 and
R3. The team discussed this issue and has addressed this concern with additional language in the
Guidelines and Technical Basis Section of the standard as follows:
“Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this
standard. The team realizes that not all DPs will own BES Facilities and will not meet the
“Threshold for Reporting” for any event listed in Attachment 1. These DPs will not have
any reports to submit under Requirement R2. However, these DPs will be responsible
for meeting Requirements R1 and R3. The DSR SDT does not intend for these entities to
have a detailed Operating Plan to address events that are not applicable to them. In this
instance, the DSR SDT intends for the DP to have a very simple Operating Plan that
includes a statement that there are no applicable events in Attachment 1 (to meet R1)
and that the DP will review the list of events in Attachment 1 each year (to meet R3).
The team does not think this will be a burden on any entity as the development and
annual validation of the Operating Plan should not take more than 30 minutes on an
annual basis. If a DP discovers applicable events during the annual review, it is expected
that the DP will develop a more detailed Operating Plan to comply with the
requirements of the standard.”
• Duplicative Reporting – If an entity is registered as an RC, BA and TOP, they should only have to
submit a single report. The team discussed and has addressed this concern with additional
language in the Guidelines and Technical Basis Section of the standard as follows:
“Multiple Reports for a Single Organization
For entities that have multiple registrations, the DSR SDT intends that these entities will
only have to submit one report for any individual event. For example, if an entity is
registered as a Reliability Coordinator, Balancing Authority and Transmission Operator,
the entity would only submit one report for a particular event rather than submitting three
reports as each individual registered entity.”
With regards to the concern regarding multiple entities submitting a report for the same event, the
team does not see this as being an issue for industry and will not make any further revisions to
address this.
Other issues were raised by stakeholders and a discussion of those is below:
• 24 Hour Reporting – Several stakeholders had concerns regarding the 24 hour reporting
requirement. Commenters suggest that events or situations affecting real time reliability to the
system already are required to be reported to appropriate Functional Entities that have the
responsibility to take action. Adding one more responsibility to system operators increases the
operator’s burden, which reduces the operator’s effectiveness when operating the system. Care
should be given when placing additional responsibility on the system operators. Allowing reporting
at the end of the next business day gives operators the flexibility to allow support staff to assist
with after-the-fact reporting requirements. To this end, the DSR SDT has added clarifying language
to R2 as follows:
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours
of recognition of meeting an event type threshold for reporting or by the end of the next
business day if the event occurs on a weekend (which is recognized to be 4 PM local
time on Friday to 8 AM Monday local time). [Violation Risk Factor: Medium] [Time
Horizon: Operations Assessment]
• Paragraph 81 – On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and
in paragraph 81 of that order (“P81”), invited NERC and other entities to propose to remove from
Commission-approved Reliability Standards unnecessary or redundant requirements. In response
to P81 and the Commission’s request for comments to be coordinated, during June and July 2012,
various industry stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions
jointly discussed consensus criteria and an initial list of Reliability Standard requirements that
appeared to easily satisfy the criteria, and, thus, could be retired. In Phase 1 of the Paragraph 81
effort, only two of the requirements (in total) from CIP-001 and EOP-004 met the initial threshold
for being included in the P81 Project. Both of these requirements will also be retired by EOP-004-2.
Phase 2 of the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any
modifications to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC
Reliability Standards. If EOP-004-2 is not approved by the industry, those standards will remain as
is and subject to the Compliance Monitoring and Enforcement Program.
• Reporting – Some comments were submitted regarding the reporting burden of this standard. The
revised standard combines two standards into one and removes the analysis portion of the current
mandatory and enforceable standards (EOP-004-1 and CIP-001-2a). The analysis provisions will be
addressed in the NERC Events Analysis Program upon approval of EOP-004-2. This revised standard
involves notification only and does not require any investigation or analysis.
• Attachment 1 comments – Many suggestions were made regarding the language of certain events
listed in Attachment 1. Most of these comments are about a single event type and were made by
only one stakeholder. The team has reviewed all of these comments. In several cases, the same or
a similar suggestion was made on an earlier draft, and the team considered it at that time. The SDT
believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
• Violation Risk Factors - Many stakeholders had concerns with the VRFs for R2 and R3 being
assigned as “medium”. The SDT developed the VRFs based on existing, FERC Approved VRFs and
NERC Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating Plan (EOP-004-2, R1) merits a
“Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower
the bar” on an existing VRF per NERC and FERC guidelines. Further, since R3 requires validation of
the contact information in the Operating Plan, it is also assigned a “Medium” VRF.
• Violation Severity Levels - Other stakeholders suggested revision to the VSLs for Requirement R1
based on if the event reporting Operating Plan fails to include one or more of the event types listed
in Attachment 1. The SDT agrees and has revised the VSLs for R1 as follows:
Lower: The Responsible Entity had an Operating Plan, but failed to include one
applicable event type.
Moderate: The Responsible Entity had an Operating Plan, but failed to include two
applicable event types.
High: The Responsible Entity had an Operating Plan, but failed to include three
applicable event types.
Severe: The Responsible Entity had an Operating Plan, but failed to include four or more
applicable event types OR the Responsible Entity failed to have an event reporting
Operating Plan.
Index to Questions, Comments, and Responses
1. The DSR SDT has revised EOP-004-2 by combining Requirements R3 and R4 into a single
requirement (Requirement R3) to, “… validate all contact information contained in the Operating
Plan pursuant to Requirement R1 each calendar year.” Do you agree with this revision? If not,
please explain in the comment area below.
2. The DSR SDT has revised the VSLs to reflect the language in the revised requirements. Do you
agree with the proposed VRFs and VSLs? If not, please explain in the comment area below.
3. Do you have any other comment, not expressed in the questions above, for the DSR SDT?
The Industry Segments are:
1 — Transmission Owners
2 — RTOs, ISOs
3 — Load-serving Entities
4 — Transmission-dependent Utilities
5 — Electric Generators
6 — Electricity Brokers, Aggregators, and Marketers
7 — Large Electricity End Users
8 — Small Electricity End Users
9 — Federal, State, Provincial Regulatory or other Government Entities
10 — Regional Reliability Organizations, Regional Entities
Group/Individual | Commenter | Organization
1. Group | Guy Zito | Northeast Power Coordinating Council
    Additional Member | Additional Organization | Region | Segment Selection
    1. Alan Adamson | New York State Reliability Council, LLC | NPCC | 10
    2. Carmen Agavriloai | Independent Electricity System Operator | NPCC | 2
    3. Greg Campoli | New York Independent System Operator | NPCC | 2
    4. Sylvain Clermont | Hydro-Quebec TransEnergie | NPCC | 1
    5. Chris de Graffenried | Consolidated Edison Co. of New York, Inc. | NPCC | 1
    6. Gerry Dunbar | Northeast Power Coordinating Council | NPCC | 10
    7. Mike Garton | Dominion Resources Services, Inc. | NPCC | 5
    8. Kathleen Goodman | ISO - New England | NPCC | 2
    9. Michael Jones | National Grid | NPCC | 1
    10. David Kiguel | Hydro One Networks Inc. | NPCC | 1
    11. Michael Lombardi | Northeast Utilities | NPCC | 1
    12. Randy MacDonald | New Brunswick Power Transmission | NPCC | 9
    13. Bruce Metruck | New York Power Authority | NPCC | 6
    14. Silvia Parada Mitchell | NextEra Energy, LLC | NPCC | 5
    15. Lee Pedowicz | Northeast Power Coordinating Council | NPCC | 10
    16. Robert Pellegrini | The United Illuminating Company | NPCC | 1
    17. Si-Truc Phan | Hydro-Quebec TransEnergie | NPCC | 1
    18. David Ramkalawan | Ontario Power Generation, Inc. | NPCC | 5
    19. Brian Robinson | Utility Services | NPCC | 8
    20. Michael Schiavone | National Grid | NPCC | 1
    21. Wayne Sipperly | New York Power Authority | NPCC | 5
    22. Donald Weaver | New Brunswick System Operator | NPCC | 2
    23. Ben Wu | Orange and Rockland Utilities | NPCC | 1
    24. Peter Yost | Consolidated Edison Co. of New York, Inc. | NPCC | 3
2. Group | Ron Sporseen | PNGC Comment Group
    Additional Member | Additional Organization | Region | Segment Selection
    1. Joe Jarvis | Blachly-Lane Electric Cooperative | WECC | 3
    2. Dave Markham | Central Electric Cooperative | WECC | 3
    3. Dave Hagen | Clearwater Power Company | WECC | 3
    4. Roman Gillen | Consumer's Power Inc. | WECC | 1, 3
    5. Roger Meader | Coos-Curry Electric Cooperative | WECC | 3
    6. Bryan Case | Fall River Electric Cooperative | WECC | 3
    7. Rick Crinklaw | Lane Electric Cooperative | WECC | 3
    8. Annie Terracciano | Northern Lights Inc. | WECC | 3
    9. Aleka Scott | PNGC Power | WECC | 4
    10. Heber Carpenter | Raft River Electric Cooperative | WECC | 3
    11. Steve Eldrige | Umatilla Electric Cooperative | WECC | 1, 3
    12. Marc Farmer | West Oregon Electric Cooperative | WECC | 4
    13. Margaret Ryan | PNGC Power | WECC | 8
    14. Rick Paschall | PNGC Power | WECC | 3
3. Group | Greg Rowland | Duke Energy
    Additional Member | Additional Organization | Region | Segment Selection
    1. Doug Hils | Duke Energy | RFC | 1
    2. Lee Schuster | Duke Energy | FRCC | 3
    3. Dale Goodwine | Duke Energy | SERC | 5
    4. Greg Cecil | Duke Energy | RFC | 6
4. Group | Chang Choi | Tacoma Public Utilities
    Additional Member | Additional Organization | Region | Segment Selection
    1. Chang Choi | City of Tacoma | WECC | 1
    2. Travis Metcalfe | Tacoma Public Utilities | WECC | 3
    3. Keith Morisette | Tacoma Public Utilities | WECC | 4
    4. Chris Mattson | Tacoma Power | WECC | 5
    5. Michael Hill | Tacoma Public Utilities | WECC | 6
5. Group | Alexander Eizans | Detroit Edison
    Additional Member | Additional Organization | Region | Segment Selection
    1. Kent Kujala | | RFC | 3, 4, 5
    2. Barbara Holland | | RFC | 3, 4, 5
    3. Jeffrey DePriest | | RFC | 3, 4, 5
6. Group | Gerry Beckerle | SERC OC Standards Review Group
    Additional Member | Additional Organization | Region | Segment Selection
    1. Roger Powers | City of Springfield, IL - CWLP | SERC | 1, 3
    2. Dan Roethemeyer | Dynegy | SERC | 5
    3. Melinda Montgomery | Entergy | SERC | 1, 3, 6
    4. Terry Bilke | MISO | SERC | 2
    5. Scott Brame | NCEMC | SERC | 4, 1, 3, 5
    6. William Berry | OMU | SERC | 3, 5
    7. Tim Hattaway | PowerSouth | SERC | 1, 5
    8. Brett Koelsch | Progress Energy Carolinas | SERC | 1, 3, 5, 6
    9. Vicky Budreau | SCPSA | SERC | 1, 3, 5, 6
    10. Gary Hutson | SMEPA | SERC | 1, 3, 5, 6
    11. Marsha Morgan | Southern Co. Services | SERC | 1, 5
    12. Randy Hubbert | Southern Co. Services | SERC | 1, 5
    13. Joel Wise | TVA | SERC | 1, 3, 5, 6
    14. Stuart Goza | TVA | SERC | 1, 3, 5, 6
    15. Jim Case | Entergy | SERC | 1, 3, 6
    16. Mike Bryson | PJM | SERC | 2
    17. Mike Hirst | Cogentrix | SERC | 5
7. Group | Larry Raczkowski | FirstEnergy
    Additional Member | Additional Organization | Region | Segment Selection
    1. William J Smith | FirstEnergy Corp | RFC | 1
    2. Stephan Kern | FirstEnergy Energy Delivery | RFC | 3
    3. Douglas Hohlbaugh | Ohio Edison Company | RFC | 4
    4. Kenneth Dresner | FirstEnergy Solutions | RFC | 5
    5. Kevin Querry | FirstEnergy Solutions | RFC | 6
8. Group | Mike Garton | Dominion
    Additional Member | Additional Organization | Region | Segment Selection
    1. Louis Slade | Dominion Resources Services, Inc. | RFC | 5, 6
    2. Randi Heise | Dominion Resources Services, Inc. | MRO | 5, 6
    3. Connie Lowe | Dominion Resources Services, Inc. | NPCC | 5, 6
    4. Mike Crowley | Virginia Electric and Power Company | SERC | 1, 3, 5, 6
9. Group | WILL SMITH | MRO NSRF
    Additional Member | Additional Organization | Region | Segment Selection
    1. CHUCK LAWRENCE | ATC | MRO | 1
    2. TOM BREENE | WPS | MRO | 3, 4, 5, 6
    3. JODI JENSON | WAPA | MRO | 1, 6
    4. KEN GOLDSMITH | ALTW | MRO | 4
    5. ALICE IRELAND | XCEL/NSP | MRO | 1, 3, 5, 6
    6. DAVE RUDOLPH | BEPC | MRO | 1, 3, 5, 6
    7. ERIC RUSKAMP | LES | MRO | 1, 3, 5, 6
    8. JOE DEPOORTER | MGE | MRO | 3, 4, 5, 6
    9. SCOTT NICKELS | RPU | MRO | 4
    10. TERRY HARBOUR | MEC | MRO | 1, 3, 5, 6
    11. MARIE KNOX | MISO | MRO | 2
    12. LEE KITTELSON | OTP | MRO | 1, 3, 5
    13. SCOTT BOS | MPW | MRO | 1, 3, 5
    14. TONY EDDLEMAN | NPPD | MRO | 1, 3, 5
    15. MIKE BRYTOWSKI | GRE | MRO | 1, 3, 5, 6
    16. DAN INMAN | MPC | MRO | 1, 3, 5, 6
10. Group | Chris Higgins | Bonneville Power Administration
    Additional Member | Additional Organization | Region | Segment Selection
    1. Jim Burns | BPA, Technical Operations | WECC | 1
    2. Fran Halpin | BPA, Duty Scheduling | WECC | 5
    3. Erika Doot | BPA, Generation Support | WECC | 3, 5, 6
    4. John Wylder | BPA, Transmission | WECC | 1
    5. Deanna Phillips | BPA, FERC Compliance | WECC | 1, 3, 5, 6
    6. Russell Funk | BPA, Transmission | WECC | 1
11. Group | Robert Rhodes | SPP Standards Review Group
    Additional Member | Additional Organization | Region | Segment Selection
    1. John Allen | City Utilities of Springfield | SPP | 1, 4
    2. Doug Callison | Grand River Dam Authority | SPP | 1, 3, 5
    3. Jonathan Hayes | Southwest Power Pool | SPP | 2
    4. Bo Jones | Westar Energy | SPP | 1, 3, 5, 6
    5. Allen Klassen | Westar Energy | SPP | 1, 3, 5, 6
    6. Tiffany Lake | Westar Energy | SPP | 1, 3, 5, 6
    7. Tara Lightner | Sunflower Electric Power Corporation | SPP | 1
    8. Kyle McMenamin | Xcel Energy | SPP | 1, 3, 5, 6
    9. Jerry McVey | Sunflower Electric Power Corporation | SPP | 1
    10. Fred Meyer | Empire District Electric Company | SPP | 1
    11. Terri Pyle | Oklahoma Gas & Electric Company | SPP | 1, 3, 5
    12. Don Schmit | Nebraska Public Power District | MRO | 1, 3, 5
    13. Katie Shea | Westar Energy | SPP | 1, 3, 5, 6
    14. Sean Simpson | Board of Public Utilities, City of McPherson | SPP | NA
    15. Bryan Taggart | Westar Energy | SPP | 1, 3, 5, 6
    16. Mark Wurm | Board of Public Utilities, City of McPherson | SPP | NA
12. Group | Jason Marshall | ACES Power Marketing Standards Collaborators
    Additional Member | Additional Organization | Region | Segment Selection
    1. Susan Sosbe | Wabash Valley Power Association | RFC | 3
    2. Clem Cassmeyer | Western Farmers Electric Cooperative | SPP | 1, 5
    3. Megan Wagner | Sunflower Electric Power Corporation | SPP | 1
    4. Scott Brame | North Carolina Electric Membership Corporation | SERC | 1, 3, 4, 5
    5. Bob Solomon | Hoosier Energy | RFC | 1
    6. Robert Thomasson | Big Rivers Electric Corporation | SERC |
    7. Shari Heino | Brazos Electric Power Cooperative | ERCOT | 1, 5
    8. John Shaver | Arizona Electric Power Cooperative | WECC | 4, 5
    9. John Shaver | Southwest Transmission Cooperative | WECC | 1
    10. Mohan Sachdeva | Buckeye Power | RFC | 3, 4
    11. Michael Brytowski | Great River Energy | MRO | 1, 3, 5, 6
13. Individual | Janet Smith, Regulatory Affairs Supervisor | Arizona Public Service Company
14. Individual | Emily Pennel | Southwest Power Pool Regional Entity
15. Individual | Antonio Grayson | Southern Company
16. Individual | Daniela Hammons | CenterPoint Energy
17. Individual | Lee Layton | Blue Ridge EMC
18. Individual | Anthony Jablonski | ReliabilityFirst
19. Individual | Jonathan Appelbaum | The United Illuminating Company
20. Individual | Russ Schneider | Flathead Electric Cooperative, Inc.
21. Individual | Oliver Burke | Entergy Services, Inc. (Transmission)
22. Individual | Nazra Gladu | Manitoba Hydro
23. Individual | Steve Grega | Lewis County PUD
24. Individual | Steve Alexanderson P.E. | Central Lincoln
25. Individual | Jack Stamper | Clark Public Utilities
26. Individual | Russell A. Noble | Cowlitz PUD
27. Individual | Chantel Haswell | Public Service Enterprise Group
28. Individual | Mike Hirst | Cogentrix Energy
29. Individual | Dave Willis | Idaho Power Co.
30. Individual | Michelle R D'Antuono | Ingleside Cogeneration LP
31. Individual | Howard Rulf | Wisconsin Electric Power Company dba We Energies
32. Individual | Melissa Kurtz | US Army Corps of Engineers
33. Individual | David Jendras | Ameren Services
34. Individual | Michael Falvo | Independent Electricity System Operator
35. Individual | RoLynda Shumpert | South Carolina Electric and Gas
36. Individual | David Revill | Georgia Transmission Corporation
37. Individual | Andrew Gallo | City of Austin dba Austin Energy
38. Individual | Andrew Z. Pusztai | American Transmission Company
39. Individual | Don Schmit | Nebraska Public Power District
40. Individual | Terry Harbour | MidAmerican Energy
41. Individual | Kathleen Goodman | ISO New England Inc.
42. Individual | d mason | City and County of San Francisco - Hetch Hetchy Water and Power
43. Individual | Tracy Richardson | Springfield Utility Board
44. Individual | Rich Salgo | NV Energy
45. Individual | Thad Ness | American Electric Power
46. Individual | Charles Yeung | Southwest Power Pool RTO
47. Individual | Nathan Mitchell | American Public Power Association
48. Individual | Don Jones | Texas Reliability Entity
49. Individual | Christine Hasha | ERCOT
50. Individual | Denise M. Lietz | Puget Sound Energy Inc.
51. Individual | Maggy Powell | Exelon Corporation and its affiliates
52. Individual | Christina Bigelow | Midwest Independent Transmission System Operator, Inc.
53. Individual | Scott Berry | Indiana Municipal Power Agency
54. Individual | Darryl Curtis | Oncor Electric Delivery
55. Individual | Tony Kroskey | Brazos Electric Power Cooperative, Inc.
56. Individual | Alice Ireland | Xcel Energy
If you wish to express support for another entity’s comments without entering any additional comments, you may do so here.
Organization | Supporting Comments of “Entity Name”
PNGC Comment Group | Central Lincoln PUD
Blue Ridge EMC | R3 is another example of a "paper chase", creating (or rather continuing) an administrative burden for the utility. The standard should only require that the entity have a plan and the accountability should be "did the entity follow the plan when needed, including proving that the appropriate contacts were made?"
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. Also, if the information in the plan is out of date, then the plan will not be effective.
Flathead Electric Cooperative, Inc. | Central Lincoln
US Army Corps of Engineers | MRO NSRF
Nebraska Public Power District | Midwest Reliability Organization (MRO) NERC Standards Review Forum (NSRF); AND Southwest Power Pool RTO
MidAmerican Energy | MidAmerican supports the MRO NSRF comments
ISO New England Inc. | NPCC
1. The DSR SDT has revised EOP-004-2 by combining Requirements R3 and R4 into a single requirement (Requirement R3) to, “…
validate all contact information contained in the Operating Plan pursuant to Requirement R1 each calendar year.” Do you agree
with this revision? If not, please explain in the comment area below.
Summary Consideration: The majority of stakeholders agree with the combination of R3 and R4 and with the new language of R3 to
“validate” the contact information. A few commenters suggested that Requirement R3 is administrative and should be removed
under the provisions of “Paragraph 81”. On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and in
paragraph 81 (“P81”) invited NERC and other entities to propose to remove from Commission-approved Reliability Standards
unnecessary or redundant requirements. In response to P81 and the Commission’s request for comments to be coordinated, during
June and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions jointly
discussed consensus criteria and an initial list of Reliability Standard requirements that appeared to easily satisfy the criteria, and,
thus, could be retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from CIP-001 and EOP-004 met
the initial threshold for being included in the P81 Project. Both of these requirements will also be retired by EOP-004-2. Phase 2 of
the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the industry, those standards will
remain as is and subject to the Compliance Monitoring and Enforcement Program.
Organization
Yes or No
Question 1 Comment
CenterPoint Energy
No
CenterPoint Energy supports the concept of combining Requirements R3
and R4; however, the Company still prefers an annual review requirement
which would include validating the contact information and content of
the Operating Plan overall. Therefore, CenterPoint Energy recommends
the following revised language for Requirement R3: “Each Responsible
Entity shall review and update the Operating Plan at least every 15
months.” The Company also suggests that the Measure be worded as
follows: “Evidence may include, but is not limited to dated documentation
reflecting changes to the Operating Plan including updated contact
information if necessary.”
Response: Thank you for your comment. The SDT appreciates the suggestion on validating the content of the Operating Plan, but
at this time, we feel that the step is not necessary to meet the directive from FERC Order 693. As to the comment on extending
the review period to 15 months, following much discussion and review of the industry comments, we are staying with the
language as proposed.
American Electric Power
No
In the spirit of Paragraph 81 efforts, we request the removal of R3 as it is
solely administrative in nature, existing only to support R2. This is more of
an internal control and does not appear to rise to the level of being an
industry-wide requirement. In addition, having two requirements rather
than one increases the likelihood of being found non-compliant for
multiple requirements rather than a single requirement.
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and in paragraph 81
(“P81”) invited NERC and other entities to propose to remove from Commission-approved Reliability Standards unnecessary or
redundant requirements. In response to P81 and the Commission’s request for comments to be coordinated, during June and July
2012, various industry stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions jointly discussed
consensus criteria and an initial list of Reliability Standard requirements that appeared to easily satisfy the criteria, and, thus,
could be retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from CIP-001 and EOP-004 met the
initial threshold for being included in the P81 Project. Both of these requirements will also be retired by EOP-004-2. Phase 2 of
the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a and
EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the industry, those
standards will remain as is and subject to the Compliance Monitoring and Enforcement Program. As the SDT is moving forward
with a Recirculation Ballot, your suggestions will be forwarded to NERC for future consideration.
City and County of San Francisco - Hetch
Hetchy Water and Power
No
Measure M3 specifically identifies two types of acceptable compliance
evidence: Voice Recording and Log entries. Specifying only these two
forms of evidence creates a risk that some auditors will reject other forms
of R3 compliance evidence which are equally valid, such as emails or
written call records. Although M3 states that acceptable evidence is not
limited to Voice Recordings or Log Entries, we have concern that other
methods of complying with R3 may not be accepted.
Response: Thank you for your comment. The SDT believes that the phrase “may include, but are not limited to” addresses your
concern. The SDT will present your comment to the NERC Compliance staff in an effort to inform audit staffs on what evidence is
permissible.
Blue Ridge EMC
No
See previous comments
Response: Thank you for previous comments. Requirement R3 is in direct response to a FERC directive in Order 693 and as such,
the SDT included this provision. Also, if the information in the plan is out of date, then the plan will not be effective.
Detroit Edison
No
The requirement is too prescriptive and difficult to document.
Requirement should be for annual review of Operating Plan. This allows
for entity to review plan and document this the same as other Standards
that require annual review (i.e. annual review blocks on documents). The
requirement as written is vague and difficult to document. Annual review
of reporting process is already a requirement.
Response: Thank you for your comments. While the SDT appreciates the view that the Operating Plan should be reviewed
annually, the SDT feels that the requirement only needs to address the validity of the contact information contained within the
Operating Plan in order to meet the FERC directive in Order 693. If the entity is aware of changes within its operations that would
make a more extensive review advisable, it can choose to do so; but where there have been no significant changes to an entity’s
operations in the last year, ensuring the validity of the contact information should be sufficient.
Manitoba Hydro
No
This seems like an administrative only requirement. It would be too
difficult to validate or measure.
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. The measure calls for an entity to have “dated records to show that it validated all contact
information contained in the Operating Plan each calendar year. Such evidence may include, but are not limited to, dated voice
recordings and operating logs or other communication documentation.” The SDT does not believe that this is an administrative
requirement because, if the information in the Operating Plan is out of date, then the plan will not be effective.
ACES Power Marketing Standards
Collaborators
No
We believe that the revision to R3 and elimination of R4 are great
improvements to the standard as a lot of the unnecessary burdens have
been removed. However, Requirement R3 is still not needed, has several
issues with it and should be eliminated. (1) While validating contact
information annually in a reporting plan makes sense, it does not rise to
the level of importance of requiring sanctions for failure to do so.
Furthermore, it does nothing to assure reliability. Shortly after the contact
information has been updated, it could change. This does not mean that
validation should be more frequent but simply that it is an unnecessary
administrative burden. If contact information changes, the registered
entity will have to find it. For reliability purposes, why does it matter if
they do this in the 24-hour reporting period after the event or annually
before the event? (2) Requirement R3 is administrative and is not
consistent with the recent direction that NERC and FERC have taken
toward compliance. Violations of this requirement are likely to be
candidates for FFT treatment and this is exactly the kind of requirement
that FERC invited NERC to propose for retirement in Paragraph 81 of the
order approving the FFT process. Furthermore, it appears to meet at least
two criteria (Administrative and periodic updates) that the Paragraph 81
drafting team has proposed to use to identify candidate requirements for
retirement. The requirement is also not consistent with the direction
NERC has taken on internal controls. How is an auditor reviewing that
contact information has been updated in an Operating Plan forward
looking or for that matter beneficial to reliability? Imagine a registered
entity fails to update their contact information but still reports an event
within the 24 hour reporting time frame to the appropriate parties. They
are in technical violation of R3 but have met the spirit of the standard. (3)
Requirement R3 is not a results-based requirement. It simply compels a
registered entity “how to” meet reporting deadlines. Certainly, if a
registered entity has current contact information on hand, it will be easier
to notify appropriate parties of events quickly. However, it does limit a
registered entity’s ability to identify its own unique and possibly better
way to meet a requirement. “How to” requirements prevent unique and
superior solutions.
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. The SDT does not believe that this is an administrative requirement because, if the information in the
Operating Plan is out of date, then the plan will not be effective.
On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and in paragraph 81 (“P81”) invited NERC and
other entities to propose to remove from Commission-approved Reliability Standards unnecessary or redundant requirements. In
response to P81 and the Commission’s request for comments to be coordinated, during June and July 2012, various industry
stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions jointly discussed consensus criteria and an
initial list of Reliability Standard requirements that appeared to easily satisfy the criteria, and, thus, could be retired. In Phase 1 of
the Paragraph 81 effort, only two of the requirements (in total) from CIP-001 and EOP-004 met the initial threshold for being
included in the P81 Project. Both of these requirements will also be retired by EOP-004-2. Phase 2 of the Paragraph 81 Project
will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory
and enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the industry, those standards will remain as is and
subject to the Compliance Monitoring and Enforcement Program. As the SDT is moving forward with a Recirculation Ballot, your
suggestions will be forwarded to NERC for future consideration.
NV Energy
No
Without further clarification of what is expected by "validate all contact
information" I cannot support this requirement. On the surface, "validate"
appears to be acceptable terminology, as it means to me a review of the
contact names and contact information (perhaps cell #, home phone, text
address, email address, etc) that would be evidenced through an
attestation of completion of review along with records showing the
updates made to the contact information pursuant to the review.
However, when the Measure is considered, it refers to evidence such as
operator logs, voice recordings, etc. This seems to indicate that the
expectation is that each contact is tested, by dialing, texting, emailing, etc
with some sort of confirmation that each contact was successful. If this is
what is necessary to satisfy the "validate" requirement, I believe it is
excessive, burdensome and unnecessary. I suggest modification of the
Measure language to clearly allow for an entity to demonstrate
compliance by a showing that it reviewed the contact information and
made changes as deemed necessary by its review, and to remove the
reference to operator logs and voice recordings as the evidence of
measure.
Response: Thank you for your comment. The SDT agrees with your comment and views your direction as being consistent with
the standard’s intent. The SDT will submit your comment to NERC Compliance staff for their consideration. The SDT intends for
operator logs and voice recordings to be acceptable as evidence, but not the only acceptable evidence. The use of the language
“such as” in the measure indicates this.
Bonneville Power Administration
Yes
BPA agrees with the revision and recognizes that it will involve a large
amount of validation workload for entities with a large footprint.
Response: Thank you for your comment.
Dominion
Yes
Dominion supports the combination of Requirements R3 and R4 into a
single requirement (Requirement R3), although we remain concerned that
validation requiring a phone call could be perceived as a nuisance by that
entity.
Response: Thank you for your comment. The SDT appreciates this concern but feels that the requirement is necessary to address
the FERC directive in the Order 693. The SDT does not believe that validation of the contact information will be a nuisance. If the
information in the Operating Plan is out of date, then the plan will not be effective.
Duke Energy
Yes
Duke Energy commends the excellent work of the Standard Drafting Team
in incorporating previous comments into the current posted draft of the
standard.
Response: Thank you for your comment.
ERCOT
Yes
ERCOT considers replacing R3 and R4 with the new R3 is an improvement
and we thank the drafting team for making the change.
Response: Thank you for your comment.
ReliabilityFirst
Yes
Even though ReliabilityFirst votes in the Affirmative, we offer the following
comment regarding Requirement R3 for consideration. ReliabilityFirst
recommends changing the word “validate” to “verify” in Requirement R3.
ReliabilityFirst believes not only does the entity need to validate contact
information is correct, they should verify (i.e. authenticate through test)
that the contact information is correct.
Response: Thank you for your comment. The SDT feels that the action you define is consistent with our intent.
Independent Electricity System Operator
Yes
IESO agrees that the intent of Requirement R3 to have the Registered
Entities validate the contact information in the contact lists that they may
have for the events applicable to them is achieved. IESO also agrees that
the elimination of conducting an annual test of the communications
process and review of the event reporting Operating Plan in merging the
previous R3 and R4 into this new R3 will give entities an opportunity to
develop a plan that suits its business needs.
Response: Thank you for your comment.
Indiana Municipal Power Agency
Yes
IMPA agrees with the removal of a “test” and going with a validation
requirement for the contact information in the Operating Plan.
Response: Thank you for your comment.
Ingleside Cogeneration LP
Yes
Ingleside Cogeneration believes that an annual validation of contact
information is sufficient for a reporting procedure. R2 provides sufficient
impetus for Responsible Entities to keep their Operating plan current - as a
missed report will lead to a violation. Furthermore, external agencies and
law enforcement officials will be reluctant to participate in validation
tests, as dozens of nearby BES entities will overwhelm them with such
requests.
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. If the information in the Operating Plan is out of date, then the plan will not be effective.
SPP Standards Review Group
Yes
We feel that replacing R3 and R4 with the new R3 is an improvement and
we thank the drafting team for making the change.
Response: Thank you for your support.
PNGC Comment Group
Yes
Tacoma Public Utilities
Yes
SERC OC Standards Review Group
Yes
FirstEnergy
Yes
MRO NSRF
Yes
Arizona Public Service Company
Yes
Southwest Power Pool Regional Entity
Yes
Southern Company
Yes
The United Illuminating Company
Yes
Entergy Services, Inc. (Transmission)
Yes
Lewis County PUD
Yes
Central Lincoln
Yes
Clark Public Utilities
Yes
Cowlitz PUD
Yes
Public Service Enterprise Group
Yes
Cogentrix Energy
Yes
Idaho Power Co.
Yes
Wisconsin Electric Power company dba We
Energies
Yes
Ameren Services
Yes
South Carolina Electric and Gas
Yes
Georgia Transmission Corporation
Yes
City of Austin dba Austin Energy
Yes
American Transmission Company
Yes
MidAmerican Energy
Yes
Springfield Utility Board
Yes
Southwest Power Pool RTO
Yes
American Public Power Association
Yes
Texas Reliability Entity
Yes
Puget Sound Energy Inc.
Yes
Exelon Corporation and its affiliates
Yes
Midwest Independent Transmission
System Operator, Inc.
Yes
Oncor Electric Delivery
Yes
Xcel Energy
Yes
2.
The DSR SDT has revised the VSLs to reflect the language in the revised requirements. Do you agree with the proposed VRFs and
VSLs? If not, please explain in the comment area below.
Summary Consideration: Many stakeholders had concerns with the VRFs for R2 and R3 being assigned as “medium”. The SDT
developed the VRFs based on existing, FERC Approved VRFs and NERC Guidelines for establishment of VRFs. EOP-004-2 is a result of
merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a is assigned a “Medium” VRF. The requirements of CIP-001-2a
map to EOP-004-2 Requirements R1 and R2. Having an Operating Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of
events contained in the Operating Plan required under Requirement R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per NERC and FERC guidelines. Further, since R3 requires validation
of the contact information in the Operating Plan, it is also assigned a “Medium” VRF.
Other stakeholders suggested revision to the VSLs for Requirement R1 based on if the event reporting Operating Plan fails to include
one or more of the event types listed in Attachment 1. The SDT agrees and has added the following VSLs to R1, in addition to the
language that was previously included in the “Severe” VSL:
Lower: The Responsible Entity had an Operating Plan, but failed to include one applicable event type.
Moderate: The Responsible Entity had an Operating Plan, but failed to include two applicable event types.
High: The Responsible Entity had an Operating Plan, but failed to include three applicable event types.
Severe: The Responsible Entity had an Operating Plan, but failed to include four or more applicable event types.
Organization
Yes or No
Question 2 Comment
Detroit Edison
No
Under VSLs for R2- We disagree with the reporting time frames. Making the
time requirement as soon as 24 hours puts this reporting requirement on the
real time operators. Many of the situations listed in the EOP-004 attachment
are not included in the OE-417 report. The Unofficial Comment Form states the
reporting obligations serve to provide input to the NERC Event Analysis
Program. This program has removed the 24 hour reporting requirement and
changed it to 5 business days.
Response: Thank you for your comments. The reporting obligation under this standard is to provide notification of events to
NERC Situation Awareness group. The SDT, in consultation with the DOE and NERC Events Analysis group, have recognized
where there is duplication of reporting and provided for the common use of the different group’s forms. This standard is not a
replacement or substitution for any other obligations to other agencies. However, the SDT recognizes the concern with having
real time operations staff submitting the report. To this end, the DSR SDT has added clarifying language to R2 as follows:
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours of meeting an event type threshold
for reporting or by the end of the next business day if the event occurs on a weekend (which is recognized to be 4 PM local
time on Friday to 8 AM Monday local time). [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
Texas Reliability Entity
No
(1) VSLs for R1 should have a lower level VSL if the event reporting Operating
Plan fails to include one or more of the event types listed in Attachment 1. (2)
VSL for R1 is incorrectly stated as there are no “parts” to R1.
Response: Thank you for your comment. 1) The SDT agrees and has added the following VSLs for R1, in addition to the language
that was previously included in the “Severe” VSL:
Lower: The Responsible Entity had an Operating Plan, but failed to include one applicable event type.
Moderate: The Responsible Entity had an Operating Plan, but failed to include two applicable event types.
High: The Responsible Entity had an Operating Plan, but failed to include three applicable event types.
Severe: The Responsible Entity had an Operating Plan, but failed to include four or more applicable event types.
2) This was correct in the clean version of the standard.
ACES Power Marketing Standards
Collaborators
No
Because R3 is administrative, the VRF should be Lower. The requirement
simply compels that that registered entity update a document which is purely
administrative.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Bonneville Power Administration
No
BPA does not agree with the VRFs and VSLs. BPA believes that the violation
levels for administrative errors are too high. For more information, please
reference comments to question #3.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF. Please see the response to your question 3 comments.
CenterPoint Energy
No
CenterPoint Energy suggests that the phrase “which caused a negative impact
to the Bulk Electric System” be added to each Violation Severity Level. For
example, the wording would appear as follows: “The Responsible Entity
submitted an event report (e.g., written or verbal) to all required recipients
more than 24 hours but less than or equal to 36 hours after meeting an event
threshold for reporting which caused a negative impact to the Bulk Electric
System”. Additionally or alternatively, the Company proposes that the above
phrase be added to the Threshold(s) for Reporting in Attachment 1 to focus on
events that have an impact or effect on the Bulk Electric System.
Response: Thank you for your comment. The SDT does not believe such a change is necessary. Each event type listed is
applicable to BES reliability.
MidAmerican Energy
No
Change the VRFs / VSLs to match suggested changes in Question 3
Response: Thank you for your comment. The SDT followed the NERC guidelines for VSLs in setting the appropriate levels. Please
see the response to your question 3 comments.
The United Illuminating Company
No
Do not agree that the VRF for R3 is medium. Failure to Validate contact
information will not likely lead to instability and Cascade. Reporting under
EOP-004 is not an immediate action, and given a 24 hour reporting window a
proper contact point can be identified on-the-fly. R2 is properly identified as
the Medium VRF since a failure to report whether due to an improper
Operating plan or improper contact list may lead to a BES cascade.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Southwest Power Pool Regional Entity
No
In R2, SPP RE does not understand why the VSLs are based on who was or was
not contacted rather than when it was reported. An entity could decide to put
only two entities in its Event Reporting Operating Plan. If the entity fails to
submit an appropriate event report, it is open to a Severe VSL on the top set of
VSLs but only a moderate on the lower set of VSLs. This seems to be a
disconnect for applying the VSLs for the same facts and circumstances.
Response: Thank you for your comment. The SDT followed the NERC guidelines for VSLs in setting the appropriate levels. The
VSLs were written based on two potential failures to meet the requirement. The first is based on the time the report was
submitted while the second was based on the entity submitting the report within 24 hours but not to all applicable entities.
Midwest Independent Transmission
System Operator, Inc.
No
MISO agrees with the comments submitted by the SERC Operating Committee
that the VRFs for R2 and R3 should be “Lower” instead of “Medium,” since
these are administrative requirements. MISO further respectfully suggests that
implementing another standard that requires reporting every incident
identified in a plan within 24 hours and that classifies failure to do so a
“Severe” violation, will likely cause entities to limit the scope of their plans.
NERC, therefore, would not receive information that appears unimportant to a
single entity but could be important in the context of similar events across the
country.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
The SDT does not agree with your second comment and believes that entities will report the appropriate events.
Oncor Electric Delivery
No
Oncor suggests the following additions to VSL language for R1 to align more
closely with the measures described in M1: Lower VSL - Entity has one applicable
event type not properly identified in its event reporting Operating Plan. High
VSL - Entity has more than one applicable event type not properly identified in
its event reporting Operating Plan. Severe VSL - The Responsible Entity failed to
have an event reporting Operating Plan.
Response: Thank you for your comment. Based on comments from you and others, we have added the following VSLs for R1, in
addition to the language that was previously included in the “Severe” VSL:
Lower: The Responsible Entity had an Operating Plan, but failed to include one applicable event type.
Moderate: The Responsible Entity had an Operating Plan, but failed to include two applicable event types.
High: The Responsible Entity had an Operating Plan, but failed to include three applicable event types.
Severe: The Responsible Entity had an Operating Plan, but failed to include four or more applicable event types.
Exelon Corporation and its affiliates
No
R2 VSLs - By measuring the amount of time taken to report and the number of
entities to receive the report, the VSLs track more with size and location than
with a failure to report. For instance, an entity failing to report at all to one
entity would be deemed a lower VSL while an entity reporting to many, but
failing to report to three entities would be deemed a high VSL.
R3 VSL - The severe VSLs do not seem commensurate to oversight. A three
month delay in validating that phone numbers are correct, for phone numbers
that are accurate, does not track with a severe infraction.
Response: Thank you for your comment. The SDT followed the NERC guidelines for VSLs in setting the appropriate levels. The SDT
will forward your suggestions to NERC for future consideration of the VSL language.
Blue Ridge EMC
No
R3 VSLs are silly.
Response: Thank you for your comment. The SDT followed the NERC guidelines for setting the appropriate VSLs.
Tacoma Public Utilities
No
Regarding the Severe VSL for R1, the reference to “Parts 1.1 and 1.2” appears
to be outdated. For R2, change “the Responsible Entity failed to submit an
event report...to X entity(ies) within 24 hours” to “the Responsible Entity failed
to submit an event report...to only X entity(ies) within 24 hours.” (Add ‘only.’)
Response: Thank you for your comment. The SDT agrees with your first suggestion and this was correct in the clean version of the
standard that was posted. Your second suggestion will be forwarded to NERC for future consideration.
SPP Standards Review Group
No
Since EOP-004 is about after-the-fact reporting, we suggest that all the VRFs be
Lower. This would mean lowering R2 and R3 from Medium.
The third component of the Severe VSL for R2 is more severe than the other
two components. In an attempt to be more consistent across all the VSLs, we
propose the following for the High VSL for R2: The Responsible Entity
submitted an event report (e.g., written or verbal) to all required recipients
more than 48 hours after meeting an event threshold for reporting. OR The
Responsible Entity failed to submit an event report (e.g., written or verbal) to
three or more entities identified in its event reporting Operating Plan within 24
hours. We propose the following, deleting the first two components as shown
in the current draft, for the Severe VSL for R2: The Responsible Entity failed to
submit a report for an event in EOP-004 Attachment 1.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
The VSLs were written to account for tardiness of reports, for failing to report to certain entities and for not submitting a report at
all. The investigators will apply the appropriate VSL based on the type of violation found.
ERCOT
No
Since EOP-004 is related to ex-post reporting, which has nothing to do with
operational or planning risk, this is an administrative requirement and,
accordingly, the VRFs should all be Low. This would mean lowering the VRF for
R2 and R3 to Low.
The third component of the Severe VSL for R2 is more severe than the other
two components. In an attempt to be more consistent across all the VSLs, we
propose the following for the High VSL for R2: The Responsible Entity
submitted an event report (e.g., written or verbal) to all required recipients
more than 48 hours after meeting an event threshold for reporting. OR The
Responsible Entity failed to submit an event report (e.g., written or verbal) to
three or more entities identified in its event reporting Operating Plan within 24
hours. ERCOT proposes that the first two components of the Severe VSL for R2
be deleted and replaced with: The Responsible Entity failed to submit a report
for an event in EOP-004 Attachment 1.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
The VSLs were written to account for tardiness of reports, for failing to report to certain entities and for not submitting a report at
all. The investigators will apply the appropriate VSL based on the type of violation found.
Duke Energy
No
The Lower VSL for R3 should be clarified. The phrase “validated 75% or more”
should be modified to say “validated at least 75% but less than 100%”.
Response: Thank you for your comment. The SDT agrees and has made the correction.
SERC OC Standards Review Group
No
The VRF for R2 should be “Lower” instead of “Medium” since it is
administrative which involves reporting events to entities not identified in the
Functional Model that have operating responsibilities listed. The VRF for R3
should also be “Lower” instead of “Medium” since it is an administrative
requirement.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Southern Company
No
The VRF for R2 should be “Lower” instead of “Medium” since it is
administrative which involves reporting events to entities not identified in the
Functional Model that have operating responsibilities listed. The VRF for R3
should also be “Lower” instead of “Medium” since it is an administrative
requirement. In addition we suggest that the VSL for R1 should have a lower
level VSL for an Operating Plan that may have one event type missing from the
Operating Plan.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Cogentrix Energy
No
The VRF for R2 should be “Lower” instead of “Medium” since it is
administrative which involves reporting events to entities not identified in the
Functional Model that have operating responsibilities listed. The VRF for R3
should also be “Lower” instead of “Medium” since it is an administrative
requirement.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Xcel Energy
No
The VSLs for column for R2 provide a range of severity based on the number of
contacts made (or not made) but this seems to be arbitrarily defined. A smaller
entity may only have two or three contacts so missing one or more here may
be a much higher risk than for a larger utility that may have ten or more
contacts. The VSLs should be drafted to include percentages instead of whole
numbers. The Lower VSL column for R3 states, “...OR The Responsible Entity
validated 75% or more of the contact information contained in the operating
plan.” This could be interpreted that even someone completed 100% (which is
more than 75%) a low VSL could be assigned. This VSL should be drafted in
similar fashion to the Moderate, High and Severe VSLs and include a range (i.e.
less than 100% but more than 75%).
Response: Thank you for your comment. The SDT followed the NERC guidelines for VRFs and VSLs in setting the appropriate
levels. The SDT will forward your suggestions to NERC for future consideration.
Manitoba Hydro
No
This seems like an administrative only requirement. It would be too difficult to
validate or measure.
Response: Thank you for your comment. Please see the response to your comment in question 1.
Independent Electricity System
Operator
No
We agree with the VRF for R2, but have a concern over the VRFs assigned to R1
(Lower) and R3 (Medium). Having an event reporting operating plan (R1) is a
first step toward meeting the intent of this standard, annually validating it (R3)
is a maintenance requirement which arguably can be regarded as equally
important but its reliability risk impact for failure to comply should be no higher
than having no plan to begin with. We therefore suggest that the VRFs for R1
and R3 be at least the same, or that R1’s VRF be higher than that for R3.
Response: Thank you for your comment. The SDT developed the VRFs based on existing, FERC Approved VRFs and NERC
Guidelines for establishment of VRFs. EOP-004-2 is a result of merging CIP-001-2a and EOP-004-1. Each requirement in CIP-001-2a
is assigned a “Medium” VRF. The requirements of CIP-001-2a map to EOP-004-2 Requirements R1 and R2. Having an Operating
Plan (EOP-004-2, R1) merits a “Lower” VRF. The reporting of events contained in the Operating Plan required under Requirement
R1 is mandated under Requirement R2 (which maps from CIP-001-2a, R2). The SDT cannot “lower the bar” on an existing VRF per
NERC and FERC guidelines. Further, since R3 requires validation of the contact information in the Operating Plan, it is also
assigned a “Medium” VRF.
Southwest Power Pool RTO
No
We question the reliability benefits of this requirement.
Response: Thank you for your comment. Requirement R3 is in direct response to a FERC directive in Order 693 and as such, the
SDT included this provision. If the information in the Operating Plan is out of date, then the plan will not be effective.
Lewis County PUD
No
American Electric Power
No
Response: Thank you for your participation.
ReliabilityFirst
Yes
Even though ReliabilityFirst votes in the Affirmative, we offer the following
comments for consideration regarding the VSLs: VSL for Requirement R2 - ReliabilityFirst questions whether there is justification for the gradation of VSLs
out to 60 hours for the reporting of an event. Without justification, ReliabilityFirst
believes the timeframe should be shortened to eight hour increments with a
severe VSL being more than 48 hours late. ReliabilityFirst believes that being
more than a day late (24 hours) falls within the entity completely not meeting
the intent of submitting the report with the required 24 hour timeframe.
Response: Thank you for your comment. The SDT followed the NERC guidelines for VRFs and VSLs in setting the
appropriate levels.
PNGC Comment Group
Yes
FirstEnergy
Yes
Arizona Public Service Company
Yes
Entergy Services, Inc. (Transmission)
Yes
Clark Public Utilities
Yes
Public Service Enterprise Group
Yes
Idaho Power Co.
Yes
Ingelside Cogeneration LP
Yes
Wisconsin Electric Power company
dba We Energies
Yes
Ameren Services
Yes
South Carolina Electric and Gas
Yes
Georgia Transmission Corporation
Yes
City of Austin dba Austin Energy
Yes
Springfield Utility Board
Yes
American Public Power Association
Yes
3. Do you have any other comment, not expressed in the questions above, for the DSR SDT?
Summary Consideration: Most stakeholders who responded to this question provide comments suggesting specific revisions to the
requirements or to the event types listed in Attachment 1. Most of these comments are about a single event type and were made
by only one stakeholder. The team has reviewed all of these comments. In several cases, the same or a similar suggestion was made
on an earlier draft, and the team considered it at that time. The SDT believes that stakeholder consensus has been achieved
regarding these event types. The team has elected to move forward to recirculation ballot.
Organization
Question 3 Comment
Detroit Edison
"Suspicious activity" and "suspicious device" should be eliminated from Attachment 1, Event
types: 'Physical threats to a Facility' and 'Physical threat to a BES Control Center'. By including
'suspicious activity' in the standard, I believe the project team went outside of the scope of the
project, which was intended to be a merger of the two standards. Regarding standard CIP 001,
the threshold for reporting is “Disturbances or unusual occurrences, suspected or determined
to be caused by sabotage....”, as its title suggested: Sabotage Reporting. Suspicious activity,
which is not defined by the standard, clearly has a much lower threshold than sabotage, or
even suspected sabotage. The reporting requirement of 24 hours, also increases the burden on
the entity to either rush to investigate and make a determination regarding suspicious activity
in less than 24 hours, or not perform due diligence and report uninvestigated “suspicious”
activity, which normally turns out to not be a "Physical Threat”. Suspicious activity should be
duly investigated by the entity, local law enforcement, or the FBI as appropriate; and then
reported if it has been determined to be a physical threat, or cannot be explained. Reporting
within 24 hours will devalue the information inputted, as most cases of suspicious activity are
innocuous, and the standard lacks a process of follow up, which would remove those
incidents from intelligence databases. Regarding suspicious devices, determination is usually
immediate, (in less than 24 hours), and then the device would be classified as either
"sabotage" or "no threat". The standard is not clear whether suspicious devices still have to be
reported, even if they are immediately determined as not a "Physical Threat to a Facility or BES
Control Center." Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) - Reporting Concepts states: The changes do not include any real-time operating
notifications for the types of events covered by CIP-001 and EOP-004. The real-time reporting
requirements are achieved through the RCIS and are covered in other standards (e.g. EOP-002 Capacity and Energy Emergencies). These standards deal exclusively with after-the-fact
reporting." Attachment 1 in existing EOP-004-1 is much easier to follow (specifies time
requirement to file). Also R2 states DOE OE-417 may be utilized to file reports, however
Standard time requirement for update report is 48 hours, OE-417 has changed time
requirement on updated filing to 72 hours. Difference can cause confusion and possible
penalties. The real time operator must focus on maintaining system reliability. Putting
unnecessary reporting obligations on RT puts more importance on the reporting structure than
on maintaining reliability. Let 8/5 support personnel perform the reporting tasks and keep the
24/7 on shift operators focusing on the BES.
Response: Thank you for the comment. The SDT disagrees with your position on the inclusion of suspicious activities. Suspicious
activities are events and notification of such events is a part of the existing CIP-001 and EOP-004 standards. Reporting under
EOP-004 is for notification purposes only. The standard does not require any analysis of events and does not require any follow
up reports as you suggest.
City of Austin dba Austin Energy
(1) City of Austin dba Austin Energy (AE) requests that the SDT clarify whether R3 requires that
each Registered Entity subject to EOP-004-2 verify NERC’s contact information each year. It
appears this would be overly burdensome for NERC to respond to individual requests. (2) AE
also asks that NERC’s fax number be included in the contact information at the beginning of
Attachment 1 and at the Event Reporting Form in Attachment 2. NERC included the fax
number as a viable contact method in its recent NERC Alert notifying the industry of the
changed information. (3) AE requests that the SDT increase the threshold for reporting loss of
firm load to ≥ 300 MW for all entities to align the reporting threshold with the OE-417
threshold. Otherwise, smaller entities would have to report firm load losses between 200 and
299 MW to NERC but not to the DOE. This could be administratively confusing to those
responsible for reporting. (4) Attachment 1 lists the threshold for reporting generation loss at
≥ 1,000MW for the ERCOT Interconnection. ERCOT planning is based on a single
contingency of 1,375MW. For this reason, AE believes the minimum threshold for a
disturbance should be greater than the single contingency amount of >1,375MW for the
ERCOT Interconnection.
Response: Thank you for your comment. The SDT does not feel it is necessary to specify how the validation occurs and has left
this to the entity to determine how to do this. The SDT agrees with the inclusion of the fax number. The SDT will forward the
other suggestions to NERC for future consideration. However, it should be noted that these suggestions have not been adopted
due to consistency with other standards.
ACES Power Marketing Standards
Collaborators
(1) For the first “Damage or destruction of a Facility” event in Attachment 1, the threshold for
reporting should be modified. The threshold for reporting would only include damage or
destruction that necessitates the need for action to prevent an Emergency. It does not include
if an Emergency actually occurs. Based on the definition of Emergency which states that it is
an “abnormal system condition that requires... action to prevent or limit”, we think the
threshold should be changed to “Damage or destruction of a Facility... that results in a BES
Emergency”. Per the definition, the Emergency is what necessitates action which is what the
threshold appeared to be focused on. (2) In the second “Damage or destruction of a Facility”
event in Attachment 1, the threshold regarding “intentional human action” is ambiguous and
suffers from the same difficulties as defining sabotage. What constitutes intentional? How do
we know something was intentional without a law enforcement investigation? If a car runs
into a transmission tower, was this an accident or intentional human action? It could be
either. This appears to be the same issue that prevented the drafting team from defining
sabotage. (3) Under the “Physical threats to a BES control center” event in Attachment 1, the
event should very clearly define if this applies to backup control centers or not. (4) Under the
“Complete loss of off-site power to a nuclear generating plant (grid supply)” event in
Attachment 1, the entity with reporting responsibility is not coordinated with NUC-001. NUC-001 used the term transmission entity to mean an entity that is responsible for providing NPIR
services. They did not use only TOP because there are other entities that provide this service.
Please coordinate the “Entity with Reporting Responsibility” with that standard. (5) We
continue to believe that the draft standard has not satisfied the complete scope of the SAR
regarding elimination of redundancy. The draft standard will continue to require redundant
reporting by various entities. For instance, under the event “Loss of Firm Load” in Attachment
1, the DP, TOP, and BA all are required to report. The response to our last set of comments
regarding this issue was that “the industry can benefit from having such differing perspectives
when events occur”. This response seems to confuse event analysis with event reporting. The
purpose of the standard is to simply report that an event happened. In fact, the reporting
form only requires the submitting entity to report the type of event. The description of what
happened is optional. What additional perspectives could be gained from having multiple
registered entities in the same electrical footprint report that an event happened. If the
purpose is to analyze the event, this is covered in the events analysis process. Furthermore,
once NERC becomes aware of the event they have the authority to request data and
information from other registered entities. Please eliminate the duplicate reporting
requirements. Other events that may require duplicate reporting include: Damage or
destruction of a Facility, Physical threats to a Facility, BES Emergency resulting in automatic
firm load shedding, Loss of firm load, System separation, Generation loss, and Complete loss of
off-site power to a nuclear generating plant. (6) In the second “Damage or destruction of a
Facility” event and “Physical Threats to a Facility” events, Distribution Provider should be
removed. The Distribution Provider does not have any Facilities which is defined as “a set of
electrical equipment that operates as a single Bulk Electric System Element”. The DP’s
transformers interconnecting to the BES are not Facilities and the latest NERC BOT definition
explicitly does not include them in Inclusion I1. If a DP did own Facilities, it would be
registered as a TO or GO. Inclusion of the DP will compel the DP to provide evidence that it
does not have Facilities which is an unnecessary compliance burden that does not support
reliability. (7) The “BES Emergency resulting in automatic firm load shedding” should not
apply to the DP. In the existing EOP-004 standard, Distribution Provider is not included and
the load shed information still gets reported. (8) For the “Voltage deviation on a Facility”
event in Attachment 1, we suggest changing “area” in the threshold for reporting to
“Transmission Operator Area” as it is a defined term. (9) For the “System separation
(islanding)” event, please remove BA. Because islanding and system separation, involve
Transmission Facilities automatically being removed from service, this is largely a Transmission
Operator issue. This position is further supported by the approval of system restoration
standard (EOP-005-2) that gives the responsibility to restore the system to the TOP. (10) The
response to our comments requesting that Measure 2 specifically identify that attestations are
acceptable forms of evidence to indicate that no events have occurred indicated that the
measure cannot permit use of attestations. Other standards that have been recently approved
by the board specifically permit the use of attestations. FAC-003-2 M1 and M2, TOP-001-2
M1-M11 and TOP-003-2 M5 all permit the use of attestations. We ask the drafting team
to reconsider including a specific reference that an attestation is acceptable to indicate no
event has occurred given these new facts. (11) In requirement R1, we suggest changing “in
accordance with EOP-004-2 Attachment 1” to “to report events identified in EOP-004-2
Attachment 1”. It makes more sense since the attachment is a list of events that require
reporting. The other language sounds like additional requirements will be established in
Attachment 1.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
Southwest Power Pool Regional
Entity
(1) SPP RE thinks the following Generation reporting threshold is unclear: "Total generation
loss, within one minute, of ≥ 2,000 MW for entities in the Eastern or Western
Interconnection". What has to happen within one minute? It reads as if you have to make a
report within one minute. If the intent is that a report has to be made within 24 hours if the
loss is for more than one minute it should read, "Total generation loss ≥ 2,000 MW for
more than one minute for entities in the Eastern or Western Interconnection". What is the
intent of the one minute requirement?
(2) It appears per R1 that entities are no longer required to include Regional Entities in their
reporting chains. SPP RE believes Regional Entities must be included in the reporting chain so
they can fulfill their obligations under their delegation agreements.
(3) SPP RE thinks this standard was changed substantially enough that it should have been
opened for a new ballot pool.
Response: Thank you for your comment. 1) The intent of the “one minute” language is to avoid having to report when a generator has
a slow run back rather than a sudden loss. Typically, a unit will trip instantly and the loss will be clear. Other times, the
generation will slowly decline and the SDT does not intend for this to be reported. The reporting requirement is to submit a
report for an applicable event within 24 hours. 2) Entities are required to report to the ERO only and may submit reports to
others, including the RE. The SDT envisions the reports generated through EOP-004-2 act as an input to the Events Analysis
Process which includes participation by the Regional Entity. 3) The SDT followed the standards development process which allows
significant revision to the standards as long as it proceeds to a successive ballot. The NERC Standard Processes Manual clearly
states that a ballot pool stays in place until balloting is completed on a standard. On occasion, the Standards Committee has
determined that it is necessary to form a new ballot pool for a project because the ballot pool has been in place for several years
and many of the original ballot pool members are no longer available to vote, but this is not the normal practice.
Ameren Services
(1) This draft refers to a number of activities in the Operations Plan that each entity is to have
on hand as the primary guide of actions to be taken when an event occurs. Although there is
information related to the requirements that should be included in the Operations Plan, the
drafting team has not defined a structure on the format, the minimum information to be
included or the direct audience for the Operations Plan. In addition, there is no guidance on
the disposition, distribution of the Operations Plan which is left to the entity to determine. We
request that the drafting team provide a defined structure for entities concerning the
development and implementation of the Operations Plan.
(2) Page 14 (Attachment 2) - Voltage Deviation of a Facility - This appears to be a contradiction
to VAR-001-2 R10 for TOP which states IROL events will be corrected within 30 minutes. We
request the 15 minute reporting criteria be changed to also state 30 minutes.
(3) Throughout Document - "Report to the ERO and Regional Entity" - NERC and DHS
established the ES-ISAC as a confidential location to report all events that happen on the BES.
As these events are of a Sabotage / Disturbance nature, they should all go through the ES-ISAC
both as a single location for distribution, and as a best practice that the industry has started.
(4) There seems to be some differences between the red-line and clean versions which may
need some clarification. For example, (a) In the redline version, the revision history box
appears to indicate the inclusion of parts of CIP-008, and in the “Clean” version this has been
removed from the revision history box. (b) The red-line version includes a drawing at two
places versus once in the clean version. (c) The correlation between the clean and redline
documents is not very clear and there appears to be gaps in the reporting and tracking
framework structure.
Response: Thank you for your comment. 1)-3) Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot. 4) In removing tables and diagrams, the redline version tends to show both
the old and new with only a red line down the side of the page. The clean version of the standard is the final version.
Texas Reliability Entity
(A) Regional Entity should be capitalized in R1. (B) COMMENTS ON ATTACHMENT 1: In the
previous comment period on this Standard, Texas RE submitted comments that we feel were
not adequately addressed. There were several responses to comments regarding the Events
Table that need deeper review and consideration: (1) In the Events Table, under Transmission
Loss, the SDT indicated that reporting is triggered only if three or more Transmission Facilities
operated by a single TOP are lost. Also, generators that are lost as a result of transmission loss
events must be included when counting Facilities. As Texas RE indicated in previous comments
to this Standard, determining event reporting requirements by the entity that owns/operates
the facility is not an appropriate measure. If the industry wants to learn from events, these
types of issues must be addressed. Including the RC as one of the Entity(s) with Reporting
Responsibility may alleviate this concern. The RC would have overall view of the system and
could provide the reports on multi-element events where the elements are owned/operated
by different entities. For the SDT to believe that “There may be times where an entity may
wish to report when a threshold has not been reached because of their experience with their
system” is worthy to note but falls short of the reliability implications caused by those entities
that will not report. The industry needs to learn from events and failure to report will facilitate
failure to learn.
(2) In the Events Table, under Transmission Loss, there has been considerable discussion
recently within the Events Analysis Subcommittee (EAS) regarding the definition of the phrase
“contrary to design.” The EAS is currently working on possible guidelines to interpret this
event type. The SDT may want to consider including the EAS language into the Guidelines and
Technical Basis for this Standard.
(3) In the Events Table, under “Unplanned BES Control Center evacuation” and “Complete loss
of voice communication capability,” and “Complete loss of monitoring capability,” GOPs
should be included. GOPs also operate control centers that would be subject to these kinds of
occurrences. As Texas RE indicated in previous comments to this Standard, in CIP-002-5
Attachment 1 there is a “High Impact Rating” for the following: “1.4 Each Control Center,
backup Control Center, and associated data centers used to perform the functional obligations
of the Generation Operator that includes control 1) for generation equal to or greater than an
aggregate of 1500 MW in a single Interconnection or 2) that includes control of one or more of
the generation assets that meet criteria 2.3, 2.6, and 2.9.” In the ERCOT Region, we
experienced an event where a GOP control center lost an ICCP link that carried real-time
information regarding its generation fleet (over 10,000 MWs). Without inclusion of the GOP
here the event may not get recorded. While it was a “virtual” loss, the impact to the BES
through generation control actions could be significant and the event should be reported and
analyzed. For the GOP control centers that do exist, the reporting of such events should be a
requirement. Based on the minimum of these two examples, why would the SDT NOT include
GOP as being applicable?
(4) In the Events Table, under “BES Emergency requiring public appeal for load reduction,” the
definition of Emergency is “Any abnormal system condition that requires automatic or
immediate manual action to prevent or limit the failure of transmission facilities....” Is it the
intent of the SDT to exclude public appeals issued in anticipation of a possible emergency,
before a BES Emergency is officially declared?
(5) In the Events Table, under “BES Emergency resulting in automatic firm load shedding,” the
SDT may want to consider including the RC as one of the Entity(s) with Reporting
Responsibility. The RC would have overall view of the system and should provide the reports
on events where the multiple entities may be involved. We have UVLS schemes in our region
where the total MW shed is greater than 100 MW, but the individual TOP MW shed is less than
100 MW.
(6) In the Events Table, consider whether the item for “Voltage deviation on Facility” should
also be applicable to GOPs, because a loss of voltage control at a generator (e.g. failure of an
automatic voltage regulator or power system stabilizer) could have a similar impact on the BES
as other reportable items. Note: We made this comment last time, and the SDT’s posted
response was non-responsive to this concern. The SDT noted “Further, we note that such
events do not rise to the level of notification to the ERO” but the SDT failed to recognize that
“Voltage deviation on a Facility” does exactly that - notifies the ERO but from a TOP
perspective only. Texas RE is trying to establish the correct Responsible Entity for reporting
“Voltage deviation on a Facility” (in this case a generator regardless of the cause and other
obligations the owner may have with other Reliability Standards).
Response: Thank you for comment. A) The SDT agrees and has made the correction. B) Many suggestions were made regarding
the language of certain events listed in Attachment 1. Most of these comments are about a single event type and were made by
only one stakeholder. The team has reviewed all of these comments. In several cases, the same or a similar suggestion was made
on an earlier draft, and the team considered it at that time. The SDT believes that stakeholder consensus has been achieved
regarding these event types. The team has elected to move forward to recirculation ballot.
Central Lincoln
1) Central Lincoln must again point out the lack of proportionality for gunshot insulators and
similar events under “Damage or destruction of a Facility.” Please see our last set of
comments. These incidents are fairly common in the west, and typically do not cause an
immediate outage. They are generally discovered months after the fact, yet the discovery
starts the 24 hour clock running as if the situation had suddenly changed. Prior SDT response:
“... this will give the ERO (and whoever else the entity wishes to inform per Requirement R1)
the situational awareness that the Facility was “damaged or destroyed” intentionally by a
human.” There is already a great lag in awareness regarding the damaged insulator. Months or
more can pass prior to discovery by the entity. We fail to see how it becomes so urgent upon
discovery. Prior SDT response: “The SDT envisions that entities could further define what a
suspected intentional human action is within their Operating Plan.” We do not share the SDT’s
vision. If an Operating Plan redefined suspected intentional human action so the act of
preparing a gun for firing, aligning the sights on an insulator and pulling the trigger was not
included, we believe the entity that operates under that plan would be found non-compliant
under the language of this standard. We do not offer a simple change in text that will fix the
problem, we are only pointing out the problem exists. Murphy dictates discovery will occur at
the most inopportune time, which will be during an after hours outage on a stormy holiday
weekend night when many employees are out of town and those that are available are already
fully engaged. The entity is then faced with choosing to delay restoration or violating the
standard. When proposing a zero defect event driven requirement such as this
one, we ask the SDT to consider all possible scenarios in which the event may occur.
2) We note that Distribution Providers are listed in the Applicability Section. We also note that
there is no requirement in the Statement of Compliance Registry Criteria for Distribution
Providers to own or operate BES Facilities, own or operate UFLS or UVLS of 100 MW, or to
have load exceeding 200 MW. DP’s that cannot meet any of the thresholds of Attachment 1
would still need an Operating Plan under R1 and annually validate the possibly null contact list
in its OP under R3. We suggest that DPs that cannot meet the thresholds of Attachment 1 be
removed from the Applicability Section.
Response: Thank you for comment. 1) Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
2) To your suggestion on DPs, the SDT has clarified, in the Guidelines and Technical Basis Section of the standard, that DPs who do
not meet the threshold reporting requirements can conduct an annual review of the threshold requirements and be exempted
from R1 and R3 for that period. Once the DP has met the threshold reporting requirements, they will then have to comply with
the standard.
“Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this standard. The team realizes that not
all DPs will own BES Facilities and will not meet the “Threshold for Reporting” for any event listed in Attachment 1. These
DPs will not have any reports to submit under Requirement R2. However, these DPs will be responsible for meeting
Requirements R1 and R3. The DSR SDT does not intend for these entities to have a detailed Operating Plan to address
events that are not applicable to them. In this instance, the DSR SDT intends for the DP to have a very simple Operating Plan
that includes a statement that there are no applicable events in Attachment 1 (to meet R1) and that the DP will review the
list of events in Attachment 1 each year (to meet R3). The team does not think this will be a burden on any entity as the
development and annual validation of the Operating Plan should not take more than 30 minutes on an annual basis. If a DP
discovers applicable events during the annual review, it is expected that the DP will develop a more detailed Operating Plan
to comply with the requirements of the standard.”
Duke Energy
1) There are discrepancies between the red-lined EOP-004-2 and the Clean EOP-004-2 that
were posted for this project. Our comments are based upon the Clean EOP-004-2.
2) Attachment 1 and Attachment 2 have the ERO email and phone number listed. If these ever
change, does the standard have to go through the revision and balloting process again, or is
there an easier way to incorporate such changes?
3) Attachment 1 - When an event occurs that meets the Threshold for Reporting, it’s not clear
whether all listed entities have to report or not. Several Event Types need this clarity added.
For example, if a TOP loses voice communication capability, do both the TOP and RC have to
report?
4) Attachment 1 - Damage or destruction of a Facility, applicable to BA, TO, TOP, GO, GOP, DP.
The Threshold for Reporting should be further clarified by adding the sentence “Do not report
theft or damage unless it degrades normal operation of a Facility.” This would eliminate
unnecessary reporting of copper theft or vandalism.
5) Attachment 1 - Physical threats to a Facility. The Threshold for Reporting should be
modified by deleting the sentence “Do not report theft unless it degrades normal operation of
a Facility”. This sentence isn’t needed here, and fits better with “Damage or destruction of a
Facility” as noted in 4) above.
6) Attachment 1 - Transmission loss. This event type should be deleted because it is duplicated
under TADS reporting and PRC-004 Protection System Misoperations reporting.
7) Attachment 1 - Unplanned BES control center evacuation, Complete loss of voice
communication capability, and Complete loss of monitoring capability. The Threshold for
Reporting on all three of these Event Types is 30 minutes, and should be extended to 2 hours,
consistent with the transition time identified in EOP-008 “Loss of Control Center
Functionality”.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
ERCOT
As a general matter, this standard imposes an ex-post reporting obligation. Consistent with
the ongoing P 81 standard review/elimination effort, this standard is arguably a candidate for
elimination under the principles guiding that effort. The obligation proposed in the standards
are better suited for inclusion in the Rules of Procedure or as a guideline because they are
strictly administrative in nature.
Response: On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process
and in paragraph 81 (“P81”) invited NERC and other entities to propose to remove from
Commission-approved Reliability Standards unnecessary or redundant requirements. In
response to P81 and the Commission’s request for comments to be coordinated, during June
and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff
from the NERC Regions jointly discussed consensus criteria and an initial list of Reliability
Standard requirements that appeared to easily satisfy the criteria, and, thus, could be
retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from
CIP-001 and EOP-004 met the initial threshold for being included in the P81 Project. Both of
these requirements will also be retired by EOP-004-2. Phase 2 of the Paragraph 81 Project
will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2
is not approved by the industry, those standards will remain as is and subject to the
Compliance Monitoring and Enforcement Program. As the SDT is moving forward with a
Recirculation Ballot, your suggestions will be forwarded to NERC for future consideration.
To the extent the SDT continues to pursue this effort, ERCOT offers the following additional
comments. ERCOT has commented on the listing in the Entity with Reporting Responsibility
column of Attachment 1. Consistent with those prior comments, the current version still fails
to adequately create a bright line threshold for particular events. For example, in the
Transmission loss event, although the TOP is listed, there is no direction regarding which TOP
is required to file the event report. Is it the TOP in whose TOP area the loss occurred or is it a
neighboring TOP who observes the loss? Clearly, the responsibility for reporting lies with the
host system, but that responsibility is not clearly designated. There are several other similar
events where there is no bright line. We suggest that the drafting team return the deleted
language to the Entity with Reporting Responsibility column in those instances where the
current version fails to provide a bright line in the Threshold column. Regarding multiple
reports for a single event, that aspect of the proposed draft should be revised to only require a
single report. While additional information may be available from others, let the Event Analysis
team perform their function. This would eliminate the redundant reporting that is currently
required as the standard is written.
Response: Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by
only one stakeholder. The team has reviewed all of these comments. In several cases, the
same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these
event types. The team has elected to move forward to recirculation ballot.
ERCOT requests that the reference to “cyber attack” be removed from the Guideline and
Technical Basis section of the document since all reporting of cyber events has been removed
from the standard and retained in CIP-008.
Response: This correction has been made.
Response: Thank you for comment. Please see responses above.
American Public Power Association
As stated in our comments on the previous draft: It is APPA’s opinion that this standard should
be removed from the mandatory and enforceable NERC Reliability Standards and turned over
to a working group within the NERC technical committees. Timely reporting of this outage
data is already mandatory under Section 13(b) of the Federal Energy Administration Act of
1974. There are already civil and criminal penalties for violation of that Act. This standard is a
duplicative mandatory reporting requirement with multiple monetary penalties for US
registered entities. If this standard is approved, NERC must address this duplication in their
filing with FERC. This duplicative reporting and the differences in requirements between DOE OE-417 and NERC EOP-004-2 require an analysis by FERC of the small entity impact as required
by the Regulatory Flexibility Act of 1980.
Response: Thank you for the comment. The SDT does not believe that there is duplicative reporting. The reports that you
mention do not go to NERC under the FPA. We will forward your suggestion to NERC for consideration in the preparation of the
filing for approval.
NV Energy
Aside from the comment referring to the new R3 and the term "validate", I applaud the SDT
for the improvements made in the remainder of the Standard. This is a much simpler and
straightforward approach to meeting the directives in this project and greatly simplifies the
processes necessary on the part of the registered entities.
Response: Thank you for your comment.
CenterPoint Energy
CenterPoint Energy appreciates the revisions made to the draft Standard based on stakeholder
feedback and believes that the changes made are positive overall. However, the Company
recommends the additional changes noted below for a favorable vote. In the Rationale for R1,
CenterPoint Energy recommends that the 2nd sentence in the 1st paragraph be revised as
follows, “In addition, these event reports may serve as input to the NERC Events Analysis
Program.”, as not all events listed in Attachment 1 will serve as input in to the NERC Events
Analysis Program. CenterPoint Energy also proposes that the Standard Drafting Team (SDT)
add "There cannot be a violation of Requirement R2 without an event." as noted in the
Consideration of Issues and Directives to the Requirement. For Attachment 1, CenterPoint
Energy recommends the following revisions: CenterPoint Energy continues to be concerned
that the uses of the terms “suspicious” and “suspected” are too broad. The Company proposes
that the SDT remove the terms from the Thresholds for Reporting or add “which caused a
negative impact to the Bulk Electric System” or “that causes an Adverse Reliability Impact..." to
each phrase where the terms are used. CenterPoint Energy proposes that the threshold for
reporting the event, “BES Emergency requiring manual firm load shedding” is too low. It
appears the SDT was attempting to align this threshold with the DOE reporting requirement.
However, as the SDT has stated, there are several valid reasons why this should not be done.
Therefore, CenterPoint Energy recommends the threshold be revised to “Manual firm load
shedding ≥ 300 MW”. CenterPoint Energy also recommends a similar revision to the
threshold for reporting associated with the “BES Emergency resulting in automatic firm load
shedding” event. (“Firm load shedding ≥ 300 MW (via automatic under voltage or under
frequency load shedding schemes, or SPS/RAS”) For the event of “System separation
(islanding)”, CenterPoint Energy believes that 100 MW is inconsequential and proposes 300
MW instead. For “Generation loss”, CenterPoint Energy suggests that the SDT add "only if
multiple units” to the criteria of “1,000 MW for entities in the ERCOT or Quebec
Interconnection”.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
PNGC Comment Group
Comments: The PNGC Comment group remains concerned that the “Applicability” section will
inadvertently subject Distribution Providers to requirements that they should be excluded
from. Please consider the two examples below and note that we’re talking about probably
hundreds of small DPs being subject to these unnecessary requirements without any increase
to the reliability of the BES. Example 1: Small DP with a peak load of 50 MWs. They have no
BES Facilities and their system is radial. Even though this utility will never have a reporting
requirement per Attachment A, they are still subject to R1 and R3 plus the associated
compliance (read financial) risk for non-conformance. An easy fix to this issue would be for
DPs without BES Facilities and with less than 200 MW annual peak load to be excluded in the
Applicability section. Example 2: Small DP with a peak load of 50 MWs. Their only BES
Facilities are two Automatic UFLS relays that are capable of shedding 15 MWs. DP’s Host
Balance Authority (HBA) has a peak load of 10,000 MWs, meaning their UFLS plan requires
them to have the capacity to shed 3000 MWs should system conditions warrant. Is it the SDT’s
intent for this DP to have an Operating Plan in place for “damage”, “destruction”, or “physical
threat” for these two relays that are capable of shedding only 15 MWs out of a 3000 MW HBA
UFLS plan? The SDT set a 100 MW threshold for reporting of automatic UFLS load shedding so
why have reporting requirements for the threat to 15 MWs worth of UFLS relays? Once again
the easy fix is to modify the Applicability section. We suggest: 4.1.7. Distribution Provider: with
>= 200 MW annual peak load, or; >= 100 MW Automatic firm load shedding
Response: Thank you for comment. To your suggestion on DPs, the SDT has clarified, in the Guidelines and Technical Basis of the
Standard, that DPs who do not meet the threshold reporting requirements can conduct an annual review of the threshold
requirements and be exempted from R1 and R3 for that period. Once the DP has met the threshold reporting requirements, they
will then have to comply with the standard.
“Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this standard. The team realizes that not
all DPs will own BES Facilities and will not meet the “Threshold for Reporting” for any event listed in Attachment 1. These
DPs will not have any reports to submit under Requirement R2. However, these DPs will be responsible for meeting
Requirements R1 and R3. The DSR SDT does not intend for these entities to have a detailed Operating Plan to address
events that are not applicable to them. In this instance, the DSR SDT intends for the DP to have a very simple Operating Plan
that includes a statement that there are no applicable events in Attachment 1 (to meet R1) and that the DP will review the
list of events in Attachment 1 each year (to meet R3). The team does not think this will be a burden on any entity as the
development and annual validation of the Operating Plan should not take more than 30 minutes on an annual basis. If a DP
discovers applicable events during the annual review, it is expected that the DP will develop a more detailed Operating Plan
to comply with the requirements of the standard.”
Cowlitz PUD
Cowlitz approves of the improvement efforts on Attachment 1. However, Cowlitz must again
point out the fallacy of potentially inundating the ERO with nuisance reporting of minor
vandalism and accidental damage. For example, gunshot “target practice” of insulators and
structures will apply under “Damage or destruction of a Facility.” Such incidents are fairly
common in the west, and typically do not cause an immediate outage. They are generally
discovered months or years after the fact, yet the discovery starts the 24 hour compliance
clock running as if the urgency is just as important as a recent event. If there is already a great
lag in awareness regarding the damaged Facility, Cowlitz fails to see how it becomes so urgent
upon discovery.
Again, Cowlitz points out the sentence structure “Damage or
destruction of its Facility that results from actual or suspected intentional human action” does
not restrict the human action as malicious or sabotage. “Intentional human action” could be
innocent, such as a land owner attempting to fall a tree for fire wood. The intent was not to
damage the Facility, but the “intentional human action” to obtain fire wood resulted in the
damage of the Facility. This does not comport with prior SDT response: “... this will give the
ERO (and whoever else the entity wishes to inform per Requirement R1) the situational
awareness that the Facility was ‘damaged or destroyed’ intentionally by a human.” Therefore,
if this is the SDT’s intent Cowlitz suggests this change: Damage or destruction of its Facility
that causes immediate impaired operation or loss of the Facility from suspected or actual
malicious human intent. Do not report mischievous vandalism, as defined in the Operating
Plan, where immediate loss of, or immediate impaired operation of the Facility has not
occurred.
Prior SDT response: “The SDT envisions that entities could further define
what a suspected intentional human action is within their Operating Plan.” Cowlitz does not
share the SDT’s vision. The Standard as written does not specifically address the ability to
“further define” terms used in the Attachment. Past allowance of audit teams to allow
registered entity definitions, e.g. “annual,” was to address gaps in standards until the
standards could be revised. If this is truly the intent of the SDT, then requirement R1 would
need revision such as: “The Operating plan shall define what a suspected intentional human
action is.” Cowlitz respectfully requests that ambiguity be avoided.
Cowlitz notes
that Distribution Providers are listed in the Applicability Section with no qualifiers. Cowlitz
points out that there is no requirement in the Statement of Compliance Registry Criteria for
Distribution Providers to own or operate BES Facilities, own or operate UFLS or UVLS of 100
MW, or to have load exceeding 200 MW. DP’s that cannot meet any of the thresholds of
Attachment 1 would still need an Operating Plan under R1 and annually validate the possibly
null contact list in its OP under R3. Cowlitz requests that DPs that cannot meet the thresholds
of Attachment 1 be removed from the Applicability Section. Not doing so will increase
compliance risk without any reliability return.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
To your suggestion on DPs, the SDT has clarified, in the Guidelines and Technical Basis Section of the Standard, that DPs who do
not meet the threshold reporting requirements can conduct an annual review of the threshold requirements and be exempted
from R1 and R3 for that period. Once the DP has met the threshold reporting requirements, they will then have to comply with
the standard.
“Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this standard. The team realizes that not
all DPs will own BES Facilities and will not meet the “Threshold for Reporting” for any event listed in Attachment 1. These
DPs will not have any reports to submit under Requirement R2. However, these DPs will be responsible for meeting
Requirements R1 and R3. The DSR SDT does not intend for these entities to have a detailed Operating Plan to address
events that are not applicable to them. In this instance, the DSR SDT intends for the DP to have a very simple Operating Plan
that includes a statement that there are no applicable events in Attachment 1 (to meet R1) and that the DP will review the
list of events in Attachment 1 each year (to meet R3). The team does not think this will be a burden on any entity as the
development and annual validation of the Operating Plan should not take more than 30 minutes on an annual basis. If a DP
discovers applicable events during the annual review, it is expected that the DP will develop a more detailed Operating Plan
to comply with the requirements of the standard.”
Wisconsin Electric Power company dba We Energies
Damage or destruction of a Facility, Damage or destruction of its Facility that results from
actual or suspected intentional human action.: By the Functional Model, I do not believe the
BA function has Facilities by the NERC Glossary definition. This would not apply to a BA. The
line above this would adequately cover BA reporting. Remove a BA from applicability for this
line.
Physical threats to a Facility: The BA function does not have Facilities. Remove a BA from
applicability for this line. There could be a separate line for Physical Threats to a Facility within
an RC, FOP, BA Area as there is for Damage or Destruction of a Facility. Voltage deviation on a
Facility: Please specify what voltage this is, nominal, rated, etc. This should also be > 10%
deviation. Exactly at 10% could be at the edge of an allowed range.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
Manitoba Hydro
Does the Background, Guidelines and Technical Basis form part of the standard itself once
published? Or are these just parts of the package that accompany the standard during
circulation for comment?
The background, guidance and technical basis will remain with the standard and provides
clarification on the SDT’s intent and direction
Compliance 1.2: The reference to Responsible Entity is bracketed and in lowercase. We are
not clear why.
This was corrected in the clean version.
VSLs, R1, Severe VSL: The words "in the event reporting Operating Plan” are missing from the
end of this sentence.
This was corrected in the clean version.
VSLs, R2, Lower VSL: The violation occurs if the Responsible Entity has submitted an event
report to one entity whereas Moderate VSL, High VSL and Severe VSL, the level of severity of
the VSL increases depending on the number of entities that the Responsible Entity fails to
submit an event report to. The drafting here is not as precise as it should be. The way the
Lower VSL is written, it will also be triggered when the Responsible Entity has complied with
the requirement. For example, if the Responsible Entity is required to report an event to 5
entities, and it does, it will still mean that it has "submitted an event report to one entity
identified in the event reporting (also, the ‘ing’ is missing on the Lower VSL
reference) Operating Plan". It is also duplicative. For example, if the Responsible Entity
submitted a report to only one entity, and failed to submit a report to 4 others, they fall under
the Lower VSL and the Higher VSL (we are assuming in this case, the violation will be found to
be the higher VSL). Perhaps what the drafting team intended to do was to make the Lower
VSL, which the Responsible Entity failed to submit an event report...to one entity identified....
The SDT followed the NERC guidelines for VSLs in setting the appropriate levels. The VSLs
were written based on two potential failures to meet the requirement. The first is based on
the time the report was submitted while the second was based on the entity submitting the
report within 24 hours but not to all applicable entities. If a violation is determined, it will
be for either being late with the report or for not submitting the report to everyone. The
appropriate VSL will be applied ONLY if a violation is found.
The Guidelines and Technical Basis contain a reference to R4 which no longer exists in the
standard.
This reference has been removed.
Response: Thank you for comment. Please see responses above.
Dominion
Dominion reads Requirement R1 as explicitly requiring only the inclusion of reporting to the
ERO in the Operating Plan. We acknowledge that the requirement also contains additional
entities in parenthesis which infers the inclusion of a larger group (and which appears to be
supported by the rationale box). Dominion suggests the SDT explicitly state which entities, at a
minimum, be included, for reporting, in the Operating Plan. We suggest adding a column to
Attachment 1 and including entities to which the event must be reported. As examples:
o All event types should include local law enforcement
o Events for which the BA, RC, TOP bear responsibility should probably also be reported to the regional entity
o Events for which the Facility Owner bears responsibility should probably also be reported to the respective BA and TOP, who would in turn determine whether to notify their respective RC. The RC would in turn determine if additional entities need to be contacted.
Requirement R2 establishes a 24 hour
reporting threshold; however, the “NOTE” provided on Attachment 1 seems to contradict
Requirement 2 and could therefore lead to compliance issues. Dominion suggests that
Requirement R2 be revised to agree with the “NOTE” on Attachment 1. For example,
Requirement R2 could be reworded as: Except as noted on Attachment 1, Each Responsible
Entity shall... Also under the “NOTE” in Attachment 1, why has the facsimile number for the
ERO been removed? The DOE still provides a facsimile number for reporting. Attachment 2:
Event Reporting Form #4; need to update the below to reflect the same naming convention of
the events in Attachment 1, the “t” should not be capitalized in Physical Threat and add an ‘s’
behind threat. Add (islanding) behind System separation and capitalize the ‘U’ in unplanned
control center evacuation.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
Southern Company
NOTE: The SDT received assistance from Southern Company personnel in parsing these
comments as shown below. As submitted, the formatting of the original comments was lost
and very difficult for the SDT to read and understand.
Event Type Entity with Reporting Responsibility Threshold for Reporting SOCO Comment:
Damage or destruction of a Facility RC, BA, TOP Damage or destruction of a Facility within its
Reliability Coordinator Area, Balancing Authority Area or Transmission Operator Area,
excluding weather or natural disaster related threats, that results in actions to avoid a BES
Emergency. – No Comment
Damage or destruction of a Facility BA, TO, TOP, GO, GOP, DP Damage or destruction of its
Facility that results from actual or suspected intentional human action.:
Do not report damage unless it degrades normal operation of a Facility.
How does the SDT define “intentional human action?” Further, how is the phrase
“suspected intentional human action” defined? This phrase is very broad. Is
“intentional human action” identified as actions intended to damage facilities or does it
include accidental actions by individuals? For example, if a person accidentally shot
insulators off of a 230 kV line resulting in damage, would that be considered reportable
“intentional human action?”
In addition, what is the actual trigger for reporting? Does it require that the action has
been discovered or is it from the time the event occurs? Further, 24 hours is a very
brief time period -- how is an entity to conduct an investigation within that time period
to determine if damage or destruction could have resulted from “actual or suspected”
human action and also determine if it could have been “intentional”?
In Southern’s case, and likely in other entities’ cases, operating personnel submit the
reports to the regulatory entities for events that fall under this standard. Southern is
concerned, that the threshold for reporting for “Damage or destruction of a Facility”
and “Physical threats to a Facility” is so broad that numerous reports would need to be
filed that 1) may be a result of something that does not pose harm to reliability and
should not be of interest to the regulators, and 2) would introduce additional burden to
operating personnel that are monitoring the system every moment of the day. With
the current proposed “Threshold for Reporting”, the reporting requirement would
hamper the ability of system operating personnel to perform their core real-time
system operator tasks which would harm reliability.
Physical threats to a Facility BA, TO, TOP, GO, GOP, DP Physical threat to its Facility excluding
weather or natural disaster related threats, which has the potential to degrade the normal
operation of the Facility. OR Suspicious device or activity at a Facility. Do not report theft
unless it degrades normal operation of a Facility.
Please provide some clarity as to what is considered suspicious activity. For example,
would someone taking a photo of a BES substation fall into this category? Please
provide examples of what may be considered suspicious activity and how NERC and
others may use this information and what actions they would take as a result of
receiving this information.
In addition, what is the actual trigger for reporting? Is it when the threat is discovered
or from when it should have or could have been discovered? Further, 24 hours is a
very brief time period -- how is an entity to conduct an investigation within that time
period in order to determine if the physical threat has the potential to degrade the
normal operation of the Facility or that the “suspicious activity”?
Physical threats to a BES control center RC, BA, TOP Physical threat to its BES control center,
excluding weather or natural disaster related threats, which has the potential to degrade the
normal operation of the control center. OR Suspicious device or activity at a BES control
center. – No Comment
BES Emergency requiring public appeal for load reduction Initiating entity is responsible for
reporting. Public appeal for load reduction event.
It is unclear which entity would be responsible for reporting this event. For example, if
the RC/TOP/BA were to identify the need to do this and instruct an LSE to issue the
public appeal, who would report the event?
BES Emergency requiring system-wide voltage reduction Initiating entity is responsible for
reporting System wide voltage reduction of 3% or more.
It is unclear which entity would be responsible for reporting this event. For example, if
the RC were to identify the need to do this and instruct a TOP to reduce voltage, who
would report the event?
BES Emergency requiring manual firm load shedding Initiating entity is responsible for
reporting Manual firm load shedding ≥ 100 MW. – No Comment
BES Emergency resulting in automatic firm load shedding DP, TOP Automatic firm load
shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding
schemes, or SPS/RAS). – No Comment
Voltage deviation on a Facility TOP Observed within its area a voltage deviation of ± 10% of
nominal voltage sustained for ≥ 15 continuous minutes.
Please change “nominal” to “expected” or “scheduled”
IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC
only) RC Operate outside the IROL for time greater than IROL Tv (all Interconnections) or
Operate outside the SOL for more than 30 minutes for Major WECC Transfer Paths (WECC
only). – No Comment
Loss of firm load BA, TOP, DP Loss of firm load due to equipment failures/system operational
actions for ≥ 15 Minutes: ≥ 300 MW for entities with previous year’s demand ≥ 3,000
MW OR ≥ 200 MW for all other entities
This should not be as a result of weather or natural disasters.
System separation (islanding) RC, BA, TOP Each separation resulting in an island ≥ 100 MW
– No Comment
Generation loss BA, GOP Total generation loss, within one minute, of ≥ 2,000 MW for
entities in the Eastern or Western Interconnection OR ≥ 1,000 MW for entities in the
ERCOT or Quebec Interconnection – No Comment
Complete loss of off-site power to a nuclear generating plant (grid supply) TO, TOP Complete
loss of off-site power affecting a nuclear generating station per the Nuclear Plant Interface
Requirement – No Comment
Transmission loss TOP Unexpected loss, contrary to design, of three or more BES Elements
caused by a common disturbance (excluding successful automatic reclosing). – No Comment
Unplanned BES control center evacuation RC, BA, TOP Unplanned evacuation from BES
control center facility for 30 continuous minutes or more. – No Comment
Complete loss of voice communication capability RC, BA, TOP Complete loss of voice
communication capability affecting a BES control center for 30 continuous minutes or more. –
No Comment
Complete loss of monitoring capability RC, BA, TOP Complete loss of monitoring capability
affecting a BES control center for 30 continuous minutes or more such that analysis capability
(i.e., State Estimator or Contingency Analysis) is rendered inoperable. – No Comment
Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one
stakeholder. The team has reviewed all of these comments. In several cases, the same or a
similar suggestion was made on an earlier draft, and the team considered it at that time.
The SDT believes that stakeholder consensus has been achieved regarding these event types.
The team has elected to move forward to recirculation ballot.
Guideline and Technical Basis Comments
In the Summary of Key Concepts section of the Guideline and Technical Basis, the DSR SDT
explains that the proposed Standard does not include any real-time operating notifications for
events listed in Attachment 1. The DSR SDT should consider language in the Standard which
codifies this approach. Southern Company notes that the proposed standard does not
mention any exclusion of real-time notification.
Response: The SDT does not believe that this revision is necessary as the requirement R2
clearly states that events are to be reported within 24 hours.
The Law Enforcement Reporting section of the Guideline and Technical Basis unintentionally
expands on the purpose of the Standard by stating that “The Standard is intended to reduce
the risk of Cascading events.” The stated purpose of the Standard is “To improve the
reliability of the Bulk Electric System by requiring the reporting of events by Responsible
Entities.” The phrase in the Guideline should be removed or modified in order to avoid any
uncertainty about the Standard’s purpose.
Response: The SDT has made the requested clarification to the Guidelines and Technical
Basis section.
The DSR SDT should consider integrating the content of the Concept Paper into the Guideline
and Technical Basis. Presently, the Concept Paper appears as an add-on at the end of the
document. When the Concept Paper existed as a stand-alone document, various segments
such as “Introduction” and “Summary of Concepts and Assumptions” were helpful to
stakeholders and standards developers. The revised merged document in the present draft
does not need two separate sections addressing concepts nor does it need an introduction at
the midway point. Additionally, two other areas are either duplicative or contribute to
ambiguity within the supplemental information. First, it is not clear that the segment on
Concepts and Assumptions includes any actual assumptions. The section should be modified or
deleted to address this concern. Second, the segment entitled ‘What about sabotage?’ seems
to contain topics similar to those on the first page of the Guideline. Again, the DSR SDT should
consider integrating all of the necessary information into a more comprehensive document.
Response: The SDT has chosen to leave these sections intact because it helps convey the
development process as well as the information about the team’s insights.
Response: Thank you for comment. Please see responses above.
FirstEnergy
FirstEnergy Corp (FE) appreciates the work done by the SDT by incorporating the comments
and revisions from the previous draft. FE would like to see the time parameters in
Requirement 3 and Measure 3 to be changed from “each calendar year” to “at least once
every 12 months”. This is similar to the wording that is being used in the CIP standards.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
Oncor Electric Delivery
For reporting consistency, under the Event Type labeled “Generation Loss”, in Appendix 1 of
EOP-004-2, Oncor recommends that the reporting threshold of 1,000 KW for the ERCOT
Interconnection be raised to 1,400 MW to match the 1,000 MW level in the current version of
the ERO Event Analysis Program.
Under the Event Type labeled “Damage or Destruction of a Facility”, Appendix 1, with the
threshold that states, “Damage or destruction of its Facility that results from actual or
suspected intentional human action”, Oncor suggests the addition of the following language to
address intentional human action that is theft in nature but is not intended to disrupt the
normal operation of the BES: “Do not report theft unless it degrades the normal operation of a
Facility.”
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
Georgia Transmission Corporation
GTC recommends a minor change to Attachment 2 associated with the complete loss of off-site
power to nuclear generating plant. NUC-001-2 R9.3.5 describes provisions for restoration
of off-site power and applies to both the Nuclear Plant Generator Operator and the applicable
Transmission Entities. To maintain consistency, GTC recommends modification to this row in
EOP-004-2 Attachment 2 such that the “Nuclear Plant Generator Operator” is the Responsible
Entity with reporting responsibility. (A TO may not have visibility to all off-site power
resources for a nuclear generating plant if multiple TO’s are providing off-site power.) At a
minimum, GTC recommends if the SDT believes the TO and TOP should remain involved, these
entities should be limited to “TO and TOP that are responsible for providing services related to
Nuclear Plant Interface Requirements (NPIRs)” which is also consistent with NUC-001-2.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
South Carolina Electric and Gas
Has the drafting team considered how reports from R2 tie in with reports required by the
NERC Event Analysis process? It appears that reporting deadlines conflict between the two.
The SDT should clarify that the event types "Damage or Destruction" listed in attachment 1 do
not pertain to "cyber events", to avoid duplication of the CIP-008 requirements.
Response: Thank you for comment. Reporting under this standard is for the notification of events to the NERC Situation
Awareness Group. Reports in this standard can be the initial reports for the EA group, but are not designed to address the balance
of the EA program. The SDT had removed the cyber security obligations in this draft.
Xcel Energy
In attachment one, the “Threshold for Reporting” under Damage or Destruction of a Facility
appears to closely follow the definition of sabotage that EOP-004-2 says it is trying to do away
with. This definition should be drafted to better correlate with the other physical threats and
include the language, “which has the potential to degrade the normal operation of the
Facility”.
Additionally in Attachment 1, both the Physical threats to a Facility and Physical threats to a
BES control center include the wording, “Suspicious device or activity...”. What constitutes
suspicious activity? With no definition this interpretation is left to the Entity which is again
something the DSR SDT says they would like to eliminate.
Lastly, in the Guideline and Technical Basis section, under A Reporting Process Solution - EOP-004
it states, “A proposal discussed with the FBI, FERC Staff, NERC Standards Project
Coordinator and the SDT Chair is reflected in the flowchart below (Reporting Hierarchy for
Reportable Events). Essentially, reporting an event to law enforcement agencies will only
require the industry to notify the state or provincial or local level law enforcement agency. The
state or provincial or local level law enforcement agency will coordinate with law enforcement
with jurisdiction to investigate. If the state or provincial or local level law enforcement agency
decides federal agency law enforcement or the RCMP should respond and investigate, the
state or provincial or local level law enforcement agency will notify and coordinate with the
FBI or the RCMP.” This appears to be in direct conflict with the Rationale for R1 which states,
“An existing procedure that meets the requirements of CIP-001-2a may be included in this
Operating Plan along with other processes, procedures or plans to meet this requirement.”
CIP-001-2a required “communication contacts, as applicable, with local Federal Bureau of
Investigation (FBI)...” so if the CIP-001-2a procedure is included this does not seem to meet
the requirements of the operating plan required under EOP-004-2. Also, if the intent of the
Operating Plan is to include all local law enforcement and not FBI the operating plan would
become very detailed and when validated annually as required in R3, this becomes very
burdensome on an entity.
Response: Thank you for comment. Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one stakeholder. The team has reviewed all of
these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team considered it at
that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team has elected to
move forward to recirculation ballot.
American Electric Power
In the spirit of Paragraph 81 efforts, we request the removal of R1. R1 is administrative in
nature, existing only to support R2. Reporting an event externally might necessitate the need
for a plan/procedure/policy/job aide, but requiring it is an overreach. Having two
requirements rather than one increases the likelihood of being found non-compliant for
multiple requirements rather than a single requirement. The Paragraph 81 project team has
already recommended removing the requirement to have contact information with law
enforcement from CIP-001 R4. Notwithstanding our comments above, we recommend
removing the phrase “and other organizations...” from R1. If this requirement is to remain, it
needs to be very specific regarding who needs to be included in the reporting.
R2 – We recommend removing “per their Operating Plan” from R2 so it reads “Each Responsible
Entity shall report events within 24 hours of meeting an event type threshold for reporting.” If
an entity deviates from its plan but still meets the intent of the requirement (e.g. reporting to
NERC within 24 hours), this could be viewed as a finding of non-compliance. We need to get
away from “compliance for compliance’s sake”, and focus solely on those efforts which will
benefit the reliability of the BES.
Attachment 1 Page 13, Row 1 (Clean Version): This is too open-ended and would likely lead to
voluminous reporting. As it currently reads, “Damage or destruction of a Facility within its
Reliability Coordinator Area, Balancing Authority Area or Transmission Operator Area that
results in actions to avoid a BES Emergency” could bring all copper thefts into scope. Thefts
should not need to be reported unless the theft results in reliability concerns as specified by
other criteria or parameters in Attachment 1.
Attachment 1 Page 13, Row 2 (Clean Version): The threshold “Damage or destruction of its
Facility that results from actual or suspected intentional human action” should be eliminated
entirely. For the event Damage or destruction of a Facility, the threshold for reporting is set
too low.
Attachment 1 Page 13, Row 3 (Clean Version): We suggest modifying the text to read “Do not
report theft... unless the theft results in reliability concerns as specified by other criteria or
parameters in Attachment 1.”
Attachment 1 Page 14, Row 4 (Clean Version): Regarding “Loss of Firm Load”, we suggest
making it clear that the MW threshold is an aggregate value for those entities whose TOP is
responsible for multiple operating companies or legal entities. In addition, is it necessary to
include the DP as an entity with reporting responsibility? Its inclusion could create confusion
by further segmenting the established threshold.
Attachment 1 Page 15, Row 1 (Clean Version): Including “Transmission loss” as currently
drafted would result in much more reporting than is necessary or warranted. As currently
drafted, it could bring more events into scope than intended, especially for larger entities.
EOP-004 Attachment 2: Event Reporting Form: AEP remains concerned that industry would be
required to report similar information to multiple Federal entities, in this case to both NERC
(Attachment 2) and the DOE (OE-417). In addition, the reporting requirements are not clear for
every kind of event as to which entity the reports must be forwarded to, and it is unclear how
information would be passed to other entities as necessary.
EOP-004 Attachment 2: Event Reporting Form: This form is a further example of mixing
security concepts with operational concepts. Not only is it not advisable, it does not serve the
interests of either concept.
Response: Thank you for your comment. On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and in
paragraph 81 (“P81”) invited NERC and other entities to propose to remove from Commission-approved Reliability Standards
unnecessary or redundant requirements. In response to P81 and the Commission’s request for comments to be coordinated,
during June and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions
jointly discussed consensus criteria and an initial list of Reliability Standard requirements that appeared to easily satisfy the
criteria, and, thus, could be retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from CIP-001
and EOP-004 met the initial threshold for being included in the P81 Project. Both of these requirements will also be retired by
EOP-004-2. Phase 2 of the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2.
CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the
industry, those standards will remain as is and subject to the Compliance Monitoring and Enforcement Program. As the SDT is
moving forward with a Recirculation Ballot, your suggestions will be forwarded to NERC for future consideration. As the
Paragraph 81 efforts are beyond the scope of this project, the SDT can only pass along your suggestion to that project team for
action there.
Many suggestions were made regarding the language of certain events listed in Attachment 1. Most of these comments are about
a single event type and were made by only one stakeholder. The team has reviewed all of these comments. In several cases, the
same or a similar suggestion was made on an earlier draft, and the team considered it at that time. The SDT believes that
stakeholder consensus has been achieved regarding these event types. The team has elected to move forward to recirculation
ballot.
Midwest Independent Transmission
System Operator, Inc.
MISO respectfully submits that several of the thresholds for reporting in EOP-004 - Attachment
1 should be modified to clarify when the reporting obligation is triggered, and to ensure that
entities are reporting events of the type and significance intended. In particular, MISO focuses
on the following draft thresholds in EOP-004 - Attachment 1:
o The requirement that an entity
report when “[d]amage or destruction of a Facility within its Reliability Coordinator Area,
Balancing Authority Area or Transmission Operator Area that results in actions to avoid a BES
Emergency.” A BES Emergency is defined as “Any abnormal system condition that requires
automatic or immediate manual action to prevent or limit the failure of transmission facilities
or generation supply that could adversely affect the reliability of the Bulk Electric System.” RCs
and BAs take actions each and every day to “avoid a BES Emergency.” At the time of those
actions, they are reacting to conditions that their operating personnel are observing on the
BES. There is no way for an RC or a BA to discern whether the conditions to which they
reacted resulted from the “damage or destruction of a Facility” and there is no requirement
for Transmission Operators and/or Owners to report “damage or destruction of a Facility” to
their BA or RC. Accordingly, RCs and BAs will likely, often not be sufficiently informed to
determine if their actions require them to submit a report. Responsible entities are likely to
expend significant time and resources reporting daily operations and actions routinely taken to
respond to observed BES conditions as they present themselves. These actions may be in
response to congestion, equipment outages, relay malfunctions, etc. Whether or not the
initiating factor was “damage to or destruction of a Facility” will often be an unknown factor
and - even if such is known - the genesis of that damage and/or what constitutes damage (as
discussed below) present further potential for confusion and over-reporting. Nonetheless, the
lack of clarity in the standard is likely to result in some RCs and BAs preparing reports whether
or not they definitely ascertain the underlying cause for the system conditions that prompted
them to take actions “to avoid a BES Emergency.” The preparation and submission of such
reports, in many cases, will not facilitate the stated objective of this standard, which is the
improvement of the reliability of the Bulk Electric System. In addition, with respect to damage
or destruction of a Facility, it is debatable as to what would be considered “damage.” For
example, would an improper repair or outage that results in damage to a Facility that requires
a more extended repair or outage be deemed “damage” to that Facility under this standard?
These ambiguities will likely result in significant over-reporting, over-burdening responsible
entities, and inundating Regional Entities and NERC with information that is not useful for the
purpose of facilitating the reliable operation of the Bulk Electric System. These effects would
undermine the express purpose of the standard and the potential value of information if the
reporting obligations are appropriately defined, assigned, and scoped. For these reasons,
MISO recommends that the SDT revise the standard to: (1) remove the requirement for RCs
and BAs to report the “damage or destruction of a Facility” as it is redundant of the
immediately subsequent requirement, (2) to remove reporting responsibility from BAs to
report the “damage or destruction of a Facility” as this obligation is more properly placed with
the TO, TOP, GO, GOP, and DP, and (3) provide guidance to the remaining responsible entities,
TO, TOP, GO, GOP, and DP, regarding when “damage” to a Facility should be reported, e.g.,
an illustrative list of the types of “damage” that would yield information and/or trends that
would facilitate the improvement of the reliability of the BES.
o The requirement to report “[p]hysical threats to a Facility” and/or “[p]hysical threats to a BES
Control Center”
With respect to physical threats to Facilities or BES Control Centers, what is
considered a “physical threat” and/or a “suspicious device or activity”? Is a crank call count
that the building is on fire a physical threat? Is the return of a disgruntled employee
suspicious? MISO understands and supports the reporting and analysis of threats and even
certain types of suspicious activities, etc. It is merely concerned that the reporting threshold
expressed in this standard will result in the reporting of substantial amounts of data that will
not facilitate the improvement of the reliability of the BES and that the volume of reports may
delay or otherwise obscure the detection of notable trends. Accordingly, MISO recommends
that the SDT revise the standard to: (1) require the reporting only of substantial physical
threats that are likely to have an adverse impact on the reliable operation of the Bulk Electric
System, and (2) to provide an illustrative list of the types of “suspicious activity or devices” as
guidance to responsible entities.
o Timing of reports
Finally, MISO respectfully suggests that NERC re-assess the timing
requirements as related to the objectives expressed within this standard. MISO believes that
NERC should clarify that its “situational awareness” staff will review submitted information to
determine whether there are indications of possible coordinated attack and to quickly inform
responsible entities that there are signals of possible coordinated attack. This clarification
could be made in the standard, or the standard could describe the process that NERC staff will
use. Unless such review and information is provided, the need that the standard attempts to
address will not be fully met. Conversely, many of the events listed in Attachment A that
require reporting do not need to be reported within 24 hours and would not offer significant
benefit or value if reported within that time period as NERC and Regional Entities primarily
utilize such information to capture metrics or perform after-the-fact events analysis.
Accordingly, MISO respectfully suggests that, while performing analysis to determine
clarifications that would result in the appropriate definition, assignment, and scope of
reporting obligations, NERC should also examine the events and identify those events for
which a longer time period for reporting would be suitable. This would significantly reduce the
administrative burden on responsible entities and likely result in more comprehensive,
rigorous, and beneficial reporting.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
Indiana Municipal Power Agency
On page 6 of 23 of the draft standard document, second paragraph under Rationale for R1, the
SDT uses the words “Every industry participant that owns or operates elements or devices on
the grid has a formal or informal process...” The use of these words implies that this
requirement and others in this standard may apply to every industry entity regardless if they
are a registered entity or not. IMPA understands that standards can only apply to entities that
are registered with NERC, but we still prefer to see different wording in this sentence. IMPA
recommends using “Every registered entity that owns or operates elements or devices on the
grid has a formal or informal process...”
We have revised “industry participants” to “Registered Entity”.
Another concern is on pages 18, 19, and 20 of 23. It is not clear what exactly is required of a
registered entity and the law enforcement reporting process. IMPA understands it is up to the
entity to decide just how its event reporting Operating Plan is made up and who is contacted
for the events in attachment 1. These pages are confusing when it comes to the listing of
stakeholders in the reporting process on page 18 of 23 and then when the SDT states that an
entity may just notify the state or provincial or local level law enforcement agency. The SDT
needs to clarify that the listing of stakeholders on page 18 of 23 is just a suggestive listing and
that if the entity so decides per its reporting Operating Plan that notification of the local law
enforcement agency is sufficient (the thought that the local law enforcement agency can
coordinate with additional law enforcement agencies if it sees the need). The requirement to
contact the FBI in CIP-001 is not a requirement in EOP-004-2 unless the registered entity puts
that requirement in its event reporting Operating Plan.
The information on law enforcement in the Guidelines and Technical Basis section is
designed to provide one example of how an entity could report to law enforcement. It is not
intended to be the only possible way.
As a clarification, in the Background section’s second paragraph, it should read “retiring both
EOP-004-1 and CIP-001-2a” as opposed to CIP-002-2a as written above in this comment
document.
We have searched the comment form and cannot find this.
Response: Thank you for your comment. Please see responses above.
Cogentrix Energy
Overall: The standard makes good strides in eliminating the redundancy of CIP-001 and EOP-004. M1 States: “... and each organization identified to receive an event report for event types
specified in EOP-004-2 Attachment 1”. It is unclear in the statement that the protocols go
with Attachment 1 and entities to receive report are part of Attachment 2. While this draft is an
improvement on the previous draft, the proposed R2 is unacceptable, and should be amended
to, at a minimum, require reporting by the end of the next business day, instead of within 24
hours. Events or situations affecting real time reliability to the system already are required to
be reported to appropriate Functional Entities that have the responsibility to take action.
Adding one more responsibility to system operators increases the operator’s burden, which
reduces the operator’s effectiveness when operating the system. Care should be given when
placing additional responsibility on the system operators. Allowing reporting at the end of the
next business day gives operators the flexibility to allow support staff to assist with after-the-fact reporting requirements. For some event types where in order to provide real time
situational awareness over a wide area (for example coordinated sabotage event) it may be
appropriate to have more timely reporting. If the intent of this standard is to address sabotage
reporting there needs to be an understanding of the actions to be taken by those receiving the
reports so the reporting entities can incorporate those actions into their plan. As a minimum,
NERC should have a process in place to assess the reports and take appropriate actions.
Attachment 1: Threshold for reporting should not be defined such that multiple reports would
be required for the same event. For example, both the TOP and RC being required to report
the outage of a transmission line.
2nd event type (Damage or destruction of a Facility): Add the following sentence to the
Threshold for Reporting: “Do not report theft or damage unless it degrades normal operation
of a Facility.”
4th event type (Physical threats to a BES control center): The term “BES control center” needs
to be clarified.
5th, 6th, and 7th event types: In instances where a reliability directive is issued, is the
“initiating entity” the entity that issues the directive or the entity that carried out the directive.
9th event type (Voltage deviation on a Facility): Change “nominal” to “expected or scheduled.”
15th event type (Transmission loss): It is not clear what is meant by “contrary to design.” This
is so broad that it could be interpreted as requiring reporting misoperations within the
reporting time frame before even an initial investigation can begin. This needs to be clarified
and tied to the impact on the reliability of the BES.
Response: Thank you for your comment. The full Measure M1 states: “Each Responsible Entity will have a dated event reporting
Operating Plan that includes, but is not limited to the protocol(s) and each organization identified to receive an event report for
event types specified in EOP-004-2 Attachment 1 and in accordance with the entity responsible for reporting.” It is expected that the
Operating Plan will contain the entities to which a report will be submitted. The Measure indicates evidence needs to be provided
showing that these entities received the event report. The protocol(s) refer to the Operating Plan and could include any procedures
for identification of events as well as communicating to other entities.
In response to your suggestion on Requirement R2, the DSR SDT has added clarifying language to R2 as follows:
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours of meeting an event type threshold for
reporting or by the end of the next business day if the event occurs on a weekend (which is recognized to be 4 PM local time on
Friday to 8 AM Monday local time). [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
Many suggestions were made regarding the language of certain events listed in Attachment 1. Most of these comments are about
a single event type and were made by only one stakeholder. The team has reviewed all of these comments. In several cases, the
same or a similar suggestion was made on an earlier draft, and the team considered it at that time. The SDT believes that
stakeholder consensus has been achieved regarding these event types. The team has elected to move forward to recirculation
ballot.
Northeast Power Coordinating
Council
Paragraph 81 efforts are underway to eliminate requirements that have little or no reliability
benefit. This Standard only addresses documentation and has no impact on reliability.
Response: Thank you for your comment. On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track process and in
paragraph 81 (“P81”) invited NERC and other entities to propose to remove from Commission-approved Reliability Standards
unnecessary or redundant requirements. In response to P81 and the Commission’s request for comments to be coordinated,
during June and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff from the NERC Regions
jointly discussed consensus criteria and an initial list of Reliability Standard requirements that appeared to easily satisfy the
criteria, and, thus, could be retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from CIP-001
and EOP-004 met the initial threshold for being included in the P81 Project. Both of these requirements will also be retired by
EOP-004-2. Phase 2 of the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any modifications to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2 is not approved by the
industry, those standards will remain as is and subject to the Compliance Monitoring and Enforcement Program. As the
Paragraph 81 efforts are beyond the scope of this project, the SDT can only pass along your suggestion to that project team for
action there.
Puget Sound Energy Inc.
Puget Sound Energy appreciates the Standard Drafting Team's work to streamline and clarify
the proposed standard. In addition, we understand that the Standard Drafting Team faces a
significant challenge in developing workable thresholds for reporting under this standard.
Unfortunately, Puget Sound Energy cannot support the proposed standard because the
reporting thresholds remain too vague and, thus, too broad - especially those related to
damage or destruction of a Facility and those related to physical threats. The first four events
listed on Attachment 1 are not brightline rules, because they each involve significant elements
of judgment and interpretation. An example of our concern relates to the phrase "... that
results from actual or suspected intentional human action." Puget Sound Energy, like many
regulated entities, is staffed only with System Operators at night and on weekends. As a
result, the 24-hour reporting requirement necessarily requires the System Operators to submit
the required reports. So, how is a System Operator going to judge whether a human action is
"intentional"? As a result, it will be necessary to report any event in which human action is
involved because there is no way for a System Operator to know for sure whether the action is
intentional or not. And, regulated entities will need to instruct their System Operators to
make such reports, because the failure to submit a report of even one event listed in EOP-004
Attachment 1 is assigned a severe VSL under the proposed standard. We believe that the
proposed threshold language will likely result in a flood of event reports that will not improve
situation awareness.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
In response to your concern on the 24-hour reporting requirement, the DSR SDT has added clarifying language to R2 as follows:
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours of recognition of meeting an event type
threshold for reporting or by the end of the next business day if the event occurs on a weekend (which is recognized to be 4 PM
local time on Friday to 8 AM Monday local time). [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
Exelon Corporation and its affiliates
Thanks to the drafting team for all the work on this revision. Significant progress was made,
though Exelon has some remaining comments:
o It’s not clear why the team separated ‘Damage or destruction of a Facility’ into two rows.
Please advise.
Response: The first row applies to the RC, which may not own any Facilities but has them
under their operational control. This event applies to damage or destruction whereby the
RC, TOP or BA has to take action to avoid a BES Emergency. The second row is simply
damage or destruction of a Facility. It is expected that this second type of event would not
be severe enough to have to take action to avoid a BES Emergency.
o Damage or destruction of a Facility - The threshold for "damage or destruction of a Facility”
is too open-ended without qualifying the device or activity as “confirmed”. Event reporting for
nuclear generating units are initiated when an incident such as tampering is "confirmed". EOP-004 should include some threshold of proof for a reason to believe that no other possibility
exists for "damage or destruction of a facility" event other than actual or suspected intentional
human action.
Many suggestions were made regarding the language of certain events listed in Attachment
1. Most of these comments are about a single event type and were made by only one
stakeholder. The team has reviewed all of these comments. In several cases, the same or a
similar suggestion was made on an earlier draft, and the team considered it at that time.
The SDT believes that stakeholder consensus has been achieved regarding these event types.
The team has elected to move forward to recirculation ballot.
o Physical threats to a Facility - Reporting of every “suspicious activity” such as photographing
equipment or site could result in an unwieldy volume of reports and dilute the data from
depicting quality insight. For example, nuclear generating units are required to report all
unauthorized and/or suspicious activity to the NRC. Please confirm that the intent of this
threshold for notification would include all unauthorized and/or suspicious activity.
The SDT concurs that the intent of the threshold for notification would include all
unauthorized and/or suspicious activity.
o Physical threats to a BES control center - please confirm that reporting responsibility falls to
the RC, BA, TOP and not GOs. In addition, please confirm that by use of the lower case
“control center” other definitions in development through other standards development
projects (e.g. CIP version 5) and that may be added to the NERC Glossary will not apply until
formally vetted in a future EOP-004 standards development project.
The entities listed for this event type are the RC, BA and TOP only. No other entities are
applicable for this event type. If the lower case “control center” is replaced by a definition
developed in future standards actions, a change to EOP-004-2 to use the defined term would
require notice to the industry and a ballot of the revised standard in some manner. The DSR
SDT does not have control over how that would be accomplished.
o Loss of firm load - “Loss of firm load for ≥ 15 Minutes: ≥ 300 MW for entities with
previous year’s demand ≥ 3,000 MW”. Please clarify whether the team intends for this to
apply to a single event a loss of more than 300 MW due to non-concurrent multiple
distribution outages that total > 300MW.
This event relates to a single incident of the loss of firm load.
o Generation loss - Exelon appreciates the timing clarification added to the generation loss
threshold. The phrase “within one minute” should also be included in the threshold for the
ERCOT and Quebec Interconnections to read: “Total generation loss, within one minute, of
≥ 2,000 MW for entities in the Eastern or Western Interconnection OR Total generation
loss, within one minute, of ≥ 1,000 MW for entities in the ERCOT or Quebec
Interconnection”
The phrase “within one minute” applies to everything listed in the event. To clarify this, we
have inserted a colon after the word “of” and moved “≥ 2,000 MW for entities in the Eastern
or Western Interconnection” down one line.
o The Law Enforcement Reporting section in the Guideline and Technical Basis states: "The
inclusion of reporting to law enforcement enables and supports reliability principles such as
protection of the BES from malicious physical or cyber attack." Since CIP-008 now covers
reporting of cyber incidents the reference to cyber should be removed.
We have made the correction in your last point regarding “cyber attacks” and have removed
it from the Guidelines and Technical Basis section.
Response: Thank you for your comment. Please see responses embedded above.
MRO NSRF
The NSRF requests that the SDT address the following concerns and clarifications in
Attachment 1;
1) Please explore redundancy reporting event Item #14; Complete loss of off-site power to a
nuclear generating plant with obligations of NUC-001-2.1 R9.4.4. “Provisions for supplying
information necessary to report to government agencies, as related to NPIRs.” The NSRF
understands the importance concerning safety issues with a nuclear plant. A multiple unit coal
facility may have a larger reliability impact to the BES than a nuclear plant. The SDT is stating
that the fuel source is a reporting issue, not the reliability of a plant losing off-site power.
Recommend that this item be deleted.
2) Item 2 in Attachment 1 would obligate an entity to report any loss of (copper) grounds
either on a T-Line or grounds associated with a transformer or breakers and that this level of
reporting should not rise to the NERC level. Believes that additional qualifying language similar
to Item 1 be incorporated into the threshold and read as follows: “Damage or destruction of its
Facility that results from actual or suspected intentional human action that results in actions to
avoid a BES Emergency.”
3) Item 3 Attachment 1 needs clarification since a physical threat needs to be actual and
confirmed so that the TO or TOP repositions the system. In addition, the SDT needs to clarify
what the phrase “normal operations” means. (Is this a ratings issue? or a result in how the
System Operator operates the system.)
4) Item 3 should provide clarification as to “Suspicious device or activity at a Facility” to
determine when threshold raises to the level of reporting. We are concerned that, based on
an Auditor's perception, these words could be interpreted in several different ways. In
addition, we believe that language needs to be included that the threat causes the reporting
entity to change to an abnormal operating state. This situation could be interpreted
differently by the auditor or the entity at the time of the event. Recommend the following
language: “Suspicious device or activity at a Facility with the potential to degrade the normal
operation of the Facility”. This language is similar to the first threshold.
5) The term Initiating entity is used three times within Attachment 1 and needs to be more
clearly defined or reworded. Is it the entity that identifies the needs of a Public Appeal or the
entity that makes the public appeal the initiating entity? The word “initiating” does not
provide clarity but only provides uncertainty to the industry. The Standard needs to be clear
on who has the responsibility as the “initiating”. Recommend the following: a. For public
appeal, under Entity with Reporting Responsibility; “entity that issues a public appeal to the
public” b. For system wide voltage reduction, under Entity with Reporting Responsibility;
“entity that activates a voltage reduction” c. For manual load shedding, under Entity with
Reporting Responsibility; “entity that activates manual load shedding”
6) The NSRF recommends transmission loss to read as: “contrary to protection system design”
found in threshold for reporting within the Attachment for a Transmission loss event.
7) In Requirement 2/ Measure 2, recommend adding “upon recognition of” as a starting point
to the 24 hour reporting requirement, within the threshold of reporting where perceived
threats are the threshold, or transmission loss, when contrary to design is determined.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
7) This was the intent of the drafting team and we have made this clarification to R2 and M2.
Independent Electricity System
Operator
The proposed implementation plan may conflict with Ontario regulatory practice respecting
the effective date of the standard. It is suggested that this conflict be removed by: Moving the
last part “, or as otherwise made effective pursuant to the laws applicable to such ERO
governmental authorities.” to right after “this standard is approved by applicable regulatory
approval” in the Effective Dates Section on P.2 of the draft standard, and the proposed
Implementation Plan.
Response: Thank you for your comment. The SDT used the standard language provided by NERC Legal and intended to address all
of the jurisdictions in which the standard may become enforceable. We will refer your suggestion to NERC Legal for consideration
in the preparation of the filing.
Bonneville Power Administration
The proposed standard does not have any oral reporting option for system operators and thus
appears to be administrative in nature. Due to this and the fact that administrative staff are
not available on weekends, the “24 hour” reporting requirements should be modified to “Next
Business Day” to allow for weekend delays in reporting. BPA believes that there are too many
minor events that have to be reported within 24 hours. Reporting during the next business
day would suffice. Some examples include: A 115 shunt capacitor bank failure for the first
event type does not seem important enough to require reporting within 24 hours just because
action has to be taken to raise generation or switching of line. A failure of a line tower that has
proper protective action to clear the line and also has automatic (SPS) to properly protect as
designed the BES system (a good normal practice) from overloads or voltage issues does not
seem important enough to require reporting within 24 hours either.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
Clark Public Utilities
The SDT has not adequately addressed my comments from the last draft regarding damage or
destruction of its facility that results from actual or suspected intentional human action. The
SDT needs to limit what it means by damage. As an example, if someone breaks into a
substation and paints graffiti on a breaker that is part of the BES, the breaker has been
"damaged." However, the breaker's ability to function has not been compromised and there
are no emergency actions that need to be taken. There is no reason for an emergency
reporting procedure to require this to be reported. The SDT needs to add the same modifier
for damage that it added in the previous event threshold for reporting. The reference for this
type of damage should be as follows: Event: Damage or destruction of a Facility. Entity with
Reporting Responsibility: BA, TO, TOP, GO, GOP, DP. Threshold for Reporting: Damage or
destruction of its Facility that results from actual or suspected intentional human action that
results in actions to avoid a BES Emergency.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
Lewis County PUD
We are a small utility with little impact to the BES with a small hydro on the end of a 230kV
line. CIP-001 requires us to contact the FBI who has repeatedly instructed us to call the local
sheriff office. The sheriff office has instructed us to call 911 and they will contact the FBI as
needed. Therefore, 911 is our only contact number and our plan if vandalism, property
destruction or sabotage is to have a supervisor call 911 and report. I do not think calling 911 to
confirm the contact number serves any purpose. Our plan will be simple with not a lot of detail.
The drafting team should recognize the reality of small utilities and state the required plan
may be simple and not follow the flowchart in the draft standard.
Response: Thank you for your comment. The SDT did recognize your circumstances and set the requirements to provide the
flexibility to address the diversity of entities to which the standard is intended to apply.
SPP Standards Review Group
We have made previous comments in the past regarding the listing in the Entity with Reporting
Responsibility column of Attachment 1. While we concur with some of the changes that the
drafting team has made regarding the addition of a bright line in the Threshold for Reporting
column, there remain events where there is no line at all. For example, in the Transmission
loss event, the TOP is listed and there is no distinction regarding which TOP is required to file
the event report. Is it the TOP in whose TOP area the loss occurred or is it a neighboring TOP
who observes the loss. Clearly, the responsibility for reporting lies with the host system. There
are several other similar events where the bright line is non-existent and needs to be added.
We suggest that the drafting team return the deleted language to the Entity with Reporting
Responsibility column in those instances where the bright line has not been added in the
Threshold column. Regarding multiple reports for a single event, we again believe that only a
single report should be required. While additional information may be available from others,
let the Event Analysis personnel do their job investigating an event and eliminate any
redundant reporting that is currently required as the standard is written.
If not, this standard, if approved, would then appear to be a likely candidate for Phase 2 of the
Paragraph 81 project.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot. On March 15, 2012, FERC issued an order on NERC’s Find, Fix and Track
process and in paragraph 81 (“P81”) invited NERC and other entities to propose to remove from Commission-approved Reliability
Standards unnecessary or redundant requirements. In response to P81 and the Commission’s request for comments to be
coordinated, during June and July 2012, various industry stakeholders, Trade Associations, staff from NERC and staff from the
NERC Regions jointly discussed consensus criteria and an initial list of Reliability Standard requirements that appeared to easily
satisfy the criteria, and, thus, could be retired. In Phase 1 of the Paragraph 81 effort, only two of the requirements (in total) from
CIP-001 and EOP-004 met the initial threshold for being included in the P81 Project. Both of these requirements will also be
retired by EOP-004-2. Phase 2 of the Paragraph 81 Project will evaluate all NERC Reliability Standards, including any modifications
to EOP-004-2. CIP-001-2a and EOP-004-1 are mandatory and enforceable NERC Reliability Standards. If EOP-004-2 is not
approved by the industry, those standards will remain as is and subject to the Compliance Monitoring and Enforcement Program.
As the SDT is moving forward with a Recirculation Ballot, your suggestions will be forwarded to NERC for future consideration.
SERC OC Standards Review Group
While this draft is an improvement on the previous draft, the proposed R2 is unacceptable,
and should be amended to, at a minimum, require reporting by the end of the next business
day, instead of within 24 hours. Events or situations affecting real time reliability to the system
already are required to be reported to appropriate Functional Entities that have the
responsibility to take action. Adding one more responsibility to system operators increases the
operator’s burden, which reduces the operator’s effectiveness when operating the system.
Care should be given when placing additional responsibility on the system operators. Allowing
reporting at the end of the next business day gives operators the flexibility to allow support
staff to assist with after-the-fact reporting requirements. For some event types where in order
to provide real time situational awareness over a wide area (for example coordinated sabotage
event) it may be appropriate to have more timely reporting. If the intent of this standard is to
address sabotage reporting there needs to be an understanding of the actions to be taken by
those receiving the reports so the reporting entities can incorporate those actions into their
plan. As a minimum, NERC should have a process in place to assess the reports and take
appropriate actions.
Attachment 1: Threshold for reporting should not be defined such that multiple reports would
be required for the same event. For example, both the TOP and RC being required to report
the outage of a transmission line.
2nd event type (Damage or destruction of a Facility): Add the following sentence to the
Threshold for Reporting: “Do not report theft or damage unless it degrades normal operation
of a Facility.”
4th event type (Physical threats to a BES control center): The term “BES control center” needs
to be clarified.
5th, 6th, and 7th event types: In instances where a reliability directive is issued, is the
“initiating entity” the entity that issues the directive or the entity that carried out the directive.
9th event type (Voltage deviation on a Facility): Change “nominal” to “expected or scheduled.”
15th event type (Transmission loss): It is not clear what is meant by “contrary to design.” This
is so broad that it could be interpreted as requiring reporting misoperations within the
reporting time frame before even an initial investigation can begin. This needs to be clarified
and tied to the impact on the reliability of the BES. The comments expressed herein represent
a consensus of the views of the above named members of the SERC OC Standards Review
Group only and should not be construed as the position of SERC Reliability Corporation, its
board, or its officers.
Response: Thank you for your comment. Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
Tacoma Public Utilities
Why does the text “...but is not limited to...” in M1 have to be included? Does this mean that
there are unwritten requirements that an auditor might look for? What if, in trying to validate
contact information, contacts do not confirm their information?
Regarding the Loss of firm load row in Attachment 1, an exception should be made for
weather or natural disaster related threats in the Threshold for Reporting.
Regarding the Transmission loss row in Attachment 1, it is not quite clear which types of BES
Elements would meet the Threshold for Reporting. Is it just lines, buses, and transformers?
What about reactive resources? What about generators that unexpectedly trip offline during a
fault on the transmission system?
Response: Thank you for your comment. In Measure M1 the text “but is not limited to” is intended to provide flexibility for each
entity to determine, based on its assets and unique situation, to develop an Operating Plan that appropriately supports reliability.
Many suggestions were made regarding the language of certain events listed in Attachment 1. Most of these comments are about
a single event type and were made by only one stakeholder. The team has reviewed all of these comments. In several cases, the
same or a similar suggestion was made on an earlier draft, and the team considered it at that time. The SDT believes that
stakeholder consensus has been achieved regarding these event types. The team has elected to move forward to recirculation
ballot.
MidAmerican Energy
Yes. 1) MidAmerican Energy agrees with and supports MRO NSRF comments.
2) Add additional wording to clearly provide for compliance when events are found more than
24 hours after an event. Add the following to the end of R2. Add, Events not identified until
sometime later after they occurred shall be reported within 24 hours.
3) In R3 add "external" for R3 to read Validate "external" contact information.
4) In EOP-004-2 Attachment 1 - the wording “Damage or destruction of its Facility that results
from actual or suspected intentional human action that results in actions to avoid a BES
Emergency” is not specific or measureable and therefore ambiguous. Zero defect standards
which carry penalties must be specific. Please reword to "Intentional human action to destroy
a NERC BES facility whose loss could result in actions to avoid a BES Emergency". This clearly
aligns with the EOP-004 intent of sabotage and emergency reporting. EOP-004 should not
report on unexpected conditions such as when a system operator attempts to reclose a line
during a storm believing the line tripped for a temporary fault due to debris, when in fact the
fault was permanent and damaged a transformer.
Response: Thank you for your comment. See response to MRO NSF comments.
Many suggestions were made regarding the language of certain events listed in Attachment 1. Most of these comments are about
a single event type and were made by only one stakeholder. The team has reviewed all of these comments. In several cases, the
same or a similar suggestion was made on an earlier draft, and the team considered it at that time. The SDT believes that
stakeholder consensus has been achieved regarding these event types. The team has elected to move forward to recirculation
ballot.
American Transmission Company
Yes A. ATC requests that the Standards Drafting Team address the following concerns and
clarifications in Attachment 1:
a.) Reporting event #14 in Attachment 1, is duplicative with respect to Nuclear Reliability
Standard NUC-001-2.1 R 9.4.4. Reporting event #14 requires entities to report to NERC a
“Complete loss of off-site power to a nuclear generating plant” while Nuclear Reliability
Standard NUC-001-2.1 R9.4.4., i.e. includes “Provisions for supplying information necessary to
report to government agencies, as related to Nuclear Plant Interface Requirements (NPIRs)”.
In addition, ATC believes the reporting related to event #14 in Attachment 1 is not a
“reliability” issue, and more appropriately covered under Standard NUC-001 as a “Nuclear
Safety Shutdown” issue. Therefore, ATC recommends that Item #14 in Attachment 1 of EOP-004-2 be deleted.
b.) In Attachment 1, reporting event #2, i.e. “Damage or destruction of a Facility” could
obligate an entity to report any loss of copper grounds either on a T-Line or grounds associated
with a transformer or breakers. ATC believes this does not rise to a reporting level such as
NERC. ATC believes that additional qualifying language similar to reporting item #1 be
incorporated into the threshold and read as follows: “Damage or destruction of its Facility that
results from actual or suspected intentional human action that results in actions to avoid a BES
Emergency.”
c.) In Attachment 1, reporting event #3 i.e. “Physical threats to a Facility” needs clarification
since a physical threat needs to be actual and confirmed so that the TO or TOP repositions the
system. In addition, the SDT needs to clarify what the phrase “normal operations” means. Is
this a ratings issue? Or a result in how the Operator operates the system.
d.) In Attachment 1, reporting event #3 threshold i.e. “Suspicious device or activity at a
Facility” needs clarification to determine when it raises to the level of reporting. These words
could be interpreted in several different ways. In addition, ATC believe that language needs to
be added that the threat causes the reporting entity to change to an abnormal operating state.
ATC recommends the threshold be revised to read: “Suspicious device or activity at a Facility
with the potential to degrade the normal operation of the Facility”.
e.) In Attachment 1, the term “Initiating entity” is used three times for reporting events and
needs to be clearly defined or reworded. Is it the entity that identifies the needs of a Public
Appeal or the entity that makes the public appeal the initiating entity? The Standard needs to
be clear on who has the responsibility as the “initiating” party, especially when multiple parties
may be involved. ATC recommends the following:
1) For public appeal, under Entity with Reporting Responsibility; it is the “entity that issues a public appeal to the public”
2) For system wide voltage reduction, under Entity with Reporting Responsibility; it is the “entity that activates a voltage reduction”
3) For manual load shedding, under Entity with Reporting Responsibility; it is the “entity that activates manual load shedding”
f.) In Attachment 1, reporting event #15 i.e. “Transmission Loss”, the threshold includes the
phrase “contrary to design”. ATC recommends this be clarified to read “contrary to protection
system design”.
B. In EOP-004-2 Requirement 2/ Measure 2 both have the following language: “Each
Responsible Entity shall report events per their Operating Plan within 24 hours of meeting an
event type threshold for reporting.” ATC recommends adding “upon recognition” as a starting
point to the 24 hour reporting requirement. This would be revised to read: “Each Responsible
Entity shall report events per their Operating Plan within 24 hours of recognition of an event
type threshold”
Response: Thank you for your comment. A) Many suggestions were made regarding the language of certain events listed in
Attachment 1. Most of these comments are about a single event type and were made by only one stakeholder. The team has
reviewed all of these comments. In several cases, the same or a similar suggestion was made on an earlier draft, and the team
considered it at that time. The SDT believes that stakeholder consensus has been achieved regarding these event types. The team
has elected to move forward to recirculation ballot.
B) This was the intent of the drafting team and we have made this clarification to R2 and M2.
END OF REPORT
EOP-004-2 — Event Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
5. Initial Informal Comment Period (September 15 – October 15, 2010).
6. Second Comment Period (Formal) (March 9 – April 8, 2011).
7. Third Comment Period and Initial Ballot (October 28 – December 12, 2011).
8. Fourth Comment Period and Successive Ballot (April 25 – May 24, 2012).
Proposed Action Plan and Description of Current Draft
This is the fifth posting of the proposed standard in accordance with Results-Based Standards
(RBS) criteria. The drafting team requests posting for a 30-day formal comment period
concurrent with the formation of the ballot pool and the successive ballot.
Future Development Plan
Anticipated Actions | Anticipated Date
Drafting team considers comments, makes conforming changes on fourth posting | June - August 2012
Fifth Comment/Ballot period | August – September 2012
Recirculation Ballot period | October 2012
Receive BOT approval | November 2012
File with regulatory authorities | December 2012
Draft 5: October 22, 2012
Effective Dates
The first day of the first calendar quarter that is six months beyond the date that this standard is
approved by applicable regulatory authorities. In those jurisdictions where regulatory approval
is not required, the standard shall become effective on the first day of the first calendar quarter
that is six months beyond the date this standard is approved by the NERC Board of Trustees, or
as otherwise made effective pursuant to the laws applicable to such ERO governmental
authorities.
Version History
Version | Date | Action | Change Tracking
2 | Draft 5: October 22, 2012 | Merged CIP-001-2a Sabotage Reporting and EOP-004-1 Disturbance Reporting into EOP-004-2 Event Reporting; Retire CIP-001-2a Sabotage Reporting and Retired EOP-004-1 Disturbance Reporting. | Revision to entire standard (Project 2009-01)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
None
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
A. Introduction
1. Title: Event Reporting
2. Number: EOP-004-2
3. Purpose: To improve the reliability of the Bulk Electric System by requiring the reporting
of events by Responsible Entities.
4. Applicability
4.1. Functional Entities: For the purpose of the Requirements and the EOP-004
Attachment 1 contained herein, the following functional entities will be collectively
referred to as “Responsible Entity.”
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Transmission Owner
4.1.4. Transmission Operator
4.1.5. Generator Owner
4.1.6. Generator Operator
4.1.7. Distribution Provider
5. Background:
NERC established a SAR Team in 2009 to investigate and propose revisions to the CIP-001
and EOP-004 Reliability Standards. The team was asked to consider the following:
1. CIP-001 could be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 had some ‘fill-in-the-blank’ components to eliminate.
The development included other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient Bulk Electric System reliability standards.
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance
and Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009.
The DSR SDT developed a concept paper to solicit stakeholder input regarding the proposed
reporting concepts that the DSR SDT had developed. The posting of the concept paper
sought comments from stakeholders on the “road map” that will be used by the DSR SDT in
updating or revising CIP-001 and EOP-004. The concept paper provided stakeholders the
background information and thought process of the DSR SDT. The DSR SDT has reviewed
the existing standards, the SAR, issues from the NERC issues database and FERC Order 693
Directives in order to determine a prudent course of action with respect to revision of these
standards.
B. Requirements and Measures
R1. Each Responsible Entity shall have
an event reporting Operating Plan in
accordance with EOP-004-2
Attachment 1 that includes the
protocol(s) for reporting to the
Electric Reliability Organization
and other organizations (e.g., the
Regional Entity, company
personnel, the Responsible Entity’s
Reliability Coordinator, law
enforcement, or governmental
authority). [Violation Risk Factor:
Lower] [Time Horizon: Operations
Planning]
M1. Each Responsible Entity will have a
dated event reporting Operating
Plan that includes, but is not limited
to the protocol(s) and each
organization identified to receive an
event report for event types
specified in EOP-004-2 Attachment
1 and in accordance with the entity
responsible for reporting.
Rationale for R1
The requirement to have an Operating Plan for
reporting specific types of events provides the
entity with a method to have its operating
personnel recognize events that affect reliability
and to be able to report them to appropriate
parties; e.g., Regional Entities, applicable
Reliability Coordinators, and law enforcement
and other jurisdictional agencies when so
recognized. In addition, these event reports are
an input to the NERC Events Analysis Program.
These other parties use this information to
promote reliability, develop a culture of
reliability excellence, provide industry
collaboration and promote a learning
organization.
Every Registered Entity that owns or operates
elements or devices on the grid has a formal or
informal process, procedure, or steps it takes to
gather information regarding what happened
when events occur. This requirement has the
Responsible Entity establish documentation on
how that procedure, process, or plan is organized.
This documentation may be a single document or
a combination of various documents that achieve
the reliability objective.
The communication protocol(s) could include a
process flowchart, identification of internal and
external personnel or entities to be notified, or a
list of personnel by name and their associated
contact information. An existing procedure that
meets the requirements of CIP-001-2a may be
included in this Operating Plan along with other
processes, procedures or plans to meet this
requirement.
R2. Each Responsible Entity shall report
events per their Operating Plan within
24 hours of recognition of meeting an
event type threshold for reporting or by
the end of the next business day if the
event occurs on a weekend (which is
recognized to be 4 PM local time on
Friday to 8 AM Monday local time).
[Violation Risk Factor: Medium]
[Time Horizon: Operations
Assessment]
Rationale for R2
Each Responsible Entity must report and
communicate events according to its
Operating Plan based on the information in
EOP-004-2 Attachment 1. By
implementing the event reporting Operating
Plan the Responsible Entity will assure
situational awareness to the Electric
Reliability Organization so that they may
develop trends and prepare for a possible
next event and mitigate the current event.
This will assure that the BES remains
secure and stable by mitigation actions that
the Responsible Entity has within its
function. By communicating events per the
Operating Plan, the Responsible Entity will
assure that people/agencies are aware of the
current situation and they may prepare to
mitigate current and further events.
M2. Each Responsible Entity will have as
evidence of reporting an event, copy of
the completed EOP-004-2 Attachment
2 form or a DOE-OE-417 form; and
evidence of submittal (e.g., operator log
or other operating documentation,
voice recording, electronic mail
message, or confirmation of facsimile)
demonstrating the event report was submitted within 24 hours of recognition of meeting the
threshold for reporting or by the end of the next business day if the event occurs on a
weekend (which is recognized to be 4 PM local time on Friday to 8 AM Monday local
time). (R2)
R3. Each Responsible Entity shall validate all
contact information contained in the
Operating Plan pursuant to Requirement
R1 each calendar year. [Violation Risk
Factor: Medium] [Time Horizon:
Operations Planning]
M3. Each Responsible Entity will have dated
records to show that it validated all
contact information contained in the
Operating Plan each calendar year. Such
evidence may include, but are not limited
to, dated voice recordings and operating
logs or other communication
documentation. (R3)
Rationale for R3
Requirement 3 calls for the Responsible
Entity to validate the contact information
contained in the Operating Plan each
calendar year. This requirement helps
ensure that the event reporting Operating
Plan is up to date and entities will be
able to effectively report events to assure
situational awareness to the Electric
Reliability Organization. If an entity
experiences an actual event,
communication evidence from the event
may be used to show compliance with
the validation requirement for the
specific contacts used for the event.
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
The Regional Entity shall serve as the Compliance Enforcement Authority (CEA)
unless the applicable entity is owned, operated, or controlled by the Regional Entity.
In such cases the ERO or a Regional Entity approved by FERC or other applicable
governmental authority shall serve as the CEA.
1.2 Evidence Retention
The Responsible Entity shall keep data or evidence to show compliance as
identified below unless directed by its Compliance Enforcement Authority to
retain specific evidence for a longer period of time as part of an investigation:
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time since
the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period since
the last audit.
• Each Responsible Entity shall retain the current Operating Plan plus each
version issued since the last audit for Requirements R1, and Measure M1.
• Each Responsible Entity shall retain evidence of compliance since the last
audit for Requirements R2, R3 and Measure M2, M3.
If a Responsible Entity is found non-compliant, it shall keep information related
to the non-compliance until mitigation is complete and approved or for the duration
specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
requested and submitted subsequent audit records.
1.3 Compliance Monitoring and Enforcement Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
1.4 Additional Compliance Information
None
Table of Compliance Elements
R#: R1
Time Horizon: Operations Planning
VRF: Lower
Violation Severity Levels:
Lower VSL: The Responsible Entity had an Operating Plan, but failed to include one applicable event type.
Moderate VSL: The Responsible Entity had an Operating Plan, but failed to include two applicable event types.
High VSL: The Responsible Entity had an Operating Plan, but failed to include three applicable event types.
Severe VSL: The Responsible Entity had an Operating Plan, but failed to include four or more applicable event types. OR The Responsible Entity failed to have an event reporting Operating Plan.
R#: R2
Time Horizon: Operations Assessment
VRF: Medium
Violation Severity Levels:
Lower VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 24 hours but less than or equal to 36 hours after meeting an event threshold for reporting. OR The Responsible Entity failed to submit an event report (e.g., written or verbal) to one entity identified in its event reporting Operating Plan within 24 hours.
Moderate VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 36 hours but less than or equal to 48 hours after meeting an event threshold for reporting. OR The Responsible Entity failed to submit an event report (e.g., written or verbal) to two entities identified in its event reporting Operating Plan within 24 hours.
High VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 48 hours but less than or equal to 60 hours after meeting an event threshold for reporting. OR The Responsible Entity failed to submit an event report (e.g., written or verbal) to three entities identified in its event reporting Operating Plan within 24 hours.
Severe VSL: The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 60 hours after meeting an event threshold for reporting. OR The Responsible Entity failed to submit an event report (e.g., written or verbal) to four or more entities identified in its event reporting Operating Plan within 24 hours. OR The Responsible Entity failed to submit a report for an event in EOP-004 Attachment 1.
R#: R3
Time Horizon: Operations Planning
VRF: Medium
Violation Severity Levels:
Lower VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by less than one calendar month. OR The Responsible Entity validated 75% but less than 100% of the contact information contained in the Operating Plan.
Moderate VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by one calendar month or more but less than two calendar months. OR The Responsible Entity validated 50% and less than 75% of the contact information contained in the Operating Plan.
High VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by two calendar months or more but less than three calendar months. OR The Responsible Entity validated 25% and less than 50% of the contact information contained in the Operating Plan.
Severe VSL: The Responsible Entity validated all contact information contained in the Operating Plan but was late by three calendar months or more. OR The Responsible Entity validated less than 25% of contact information contained in the Operating Plan.
D. Variances
None.
E. Interpretations
None.
F. References
Guideline and Technical Basis (attached)
EOP-004 - Attachment 1: Reportable Events
NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may not be possible to report the damage caused by
an event and issue a written Event Report within the timing in the table below. In such cases, the affected Responsible Entity shall
notify parties per Requirement R2 and provide as much information as is available at the time of the notification. Submit reports to
the ERO via one of the following: e-mail: systemawareness@nerc.net, Facsimile 404-446-9770 or Voice: 404-446-9780.
Rationale Box for EOP-004 Attachment 1:
The DSR SDT used the defined term “Facility” to add clarity for several events listed in Attachment 1.
A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a
line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any other facility
(not a defined term) that one might consider in everyday discussions regarding the grid. This is
intended to mean ONLY a Facility as defined above.
Submit EOP-004 Attachment 2 (or DOE-OE-417) pursuant to Requirements R1 and R2.
Event Type: Damage or destruction of a Facility
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator Area that results in actions to avoid a BES Emergency.

Event Type: Damage or destruction of a Facility
Entity with Reporting Responsibility: BA, TO, TOP, GO, GOP, DP
Threshold for Reporting: Damage or destruction of its Facility that results from actual or suspected intentional human action.

Event Type: Physical threats to a Facility
Entity with Reporting Responsibility: BA, TO, TOP, GO, GOP, DP
Threshold for Reporting: Physical threat to its Facility excluding weather or natural disaster related threats, which has the potential to degrade the normal operation of the Facility. OR Suspicious device or activity at a Facility. Do not report theft unless it degrades normal operation of a Facility.

Event Type: Physical threats to a BES control center
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Physical threat to its BES control center, excluding weather or natural disaster related threats, which has the potential to degrade the normal operation of the control center. OR Suspicious device or activity at a BES control center.

Event Type: BES Emergency requiring public appeal for load reduction
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: Public appeal for load reduction event.

Event Type: BES Emergency requiring system-wide voltage reduction
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: System wide voltage reduction of 3% or more.

Event Type: BES Emergency requiring manual firm load shedding
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: Manual firm load shedding ≥ 100 MW.

Event Type: BES Emergency resulting in automatic firm load shedding
Entity with Reporting Responsibility: DP, TOP
Threshold for Reporting: Automatic firm load shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding schemes, or SPS/RAS).

Event Type: Voltage deviation on a Facility
Entity with Reporting Responsibility: TOP
Threshold for Reporting: Observed within its area a voltage deviation of ± 10% of nominal voltage sustained for ≥ 15 continuous minutes.

Event Type: IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only)
Entity with Reporting Responsibility: RC
Threshold for Reporting: Operate outside the IROL for time greater than IROL Tv (all Interconnections) or Operate outside the SOL for more than 30 minutes for Major WECC Transfer Paths (WECC only).

Event Type: Loss of firm load
Entity with Reporting Responsibility: BA, TOP, DP
Threshold for Reporting: Loss of firm load for ≥ 15 Minutes: ≥ 300 MW for entities with previous year’s demand ≥ 3,000 MW OR ≥ 200 MW for all other entities

Event Type: System separation (islanding)
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Each separation resulting in an island ≥ 100 MW

Event Type: Generation loss
Entity with Reporting Responsibility: BA, GOP
Threshold for Reporting: Total generation loss, within one minute, of: ≥ 2,000 MW for entities in the Eastern or Western Interconnection OR ≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection

Event Type: Complete loss of off-site power to a nuclear generating plant (grid supply)
Entity with Reporting Responsibility: TO, TOP
Threshold for Reporting: Complete loss of off-site power affecting a nuclear generating station per the Nuclear Plant Interface Requirement

Event Type: Transmission loss
Entity with Reporting Responsibility: TOP
Threshold for Reporting: Unexpected loss within its area, contrary to design, of three or more BES Elements caused by a common disturbance (excluding successful automatic reclosing).

Event Type: Unplanned BES control center evacuation
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Unplanned evacuation from BES control center facility for 30 continuous minutes or more.

Event Type: Complete loss of voice communication capability
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Complete loss of voice communication capability affecting a BES control center for 30 continuous minutes or more.

Event Type: Complete loss of monitoring capability
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Complete loss of monitoring capability affecting a BES control center for 30 continuous minutes or more such that analysis capability (i.e., State Estimator or Contingency Analysis) is rendered inoperable.
EOP-004 - Attachment 2: Event Reporting Form
Use this form to report events. The Electric Reliability Organization will accept the DOE OE-417
form in lieu of this form if the entity is required to submit an OE-417 report. Submit reports to
the ERO via one of the following: e-mail: systemawareness@nerc.net , Facsimile 404-446-9770
or voice: 404-446-9780.
Task | Comments
1. Entity filing the report include:
   Company name:
   Name of contact person:
   Email address of contact person:
   Telephone Number:
   Submitted by (name):
2. Date and Time of recognized event.
   Date: (mm/dd/yyyy)
   Time: (hh:mm)
   Time/Zone:
3. Did the event originate in your system?
   Yes
   No
   Unknown
4. Event Identification and Description:
   (Check applicable box)
   Damage or destruction of a Facility
   Physical Threat to a Facility
   Physical Threat to a control center
   BES Emergency:
      public appeal for load reduction
      system-wide voltage reduction
      manual firm load shedding
      automatic firm load shedding
   Voltage deviation on a Facility
   IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only)
   Loss of firm load
   System separation
   Generation loss
   Complete loss of off-site power to a nuclear generating plant (grid supply)
   Transmission loss
   unplanned control center evacuation
   Complete loss of voice communication capability
   Complete loss of monitoring capability
   Written description (optional):
Guideline and Technical Basis
Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this
standard. The team realizes that not all DPs will own BES Facilities and will not meet the
“Threshold for Reporting” for any event listed in Attachment 1. These DPs will not have any
reports to submit under Requirement R2. However, these DPs will be responsible for meeting
Requirements R1 and R3. The DSR SDT does not intend for these entities to have a detailed
Operating Plan to address events that are not applicable to them. In this instance, the DSR SDT
intends for the DP to have a very simple Operating Plan that includes a statement that there are
no applicable events in Attachment 1 (to meet R1) and that the DP will review the list of events
in Attachment 1 each year (to meet R3). The team does not think this will be a burden on any
entity as the development and annual validation of the Operating Plan should not take more than
30 minutes on an annual basis. If a DP discovers applicable events during the annual review, it
is expected that the DP will develop a more detailed Operating Plan to comply with the
requirements of the standard.
Multiple Reports for a Single Organization
For entities that have multiple registrations, the DSR SDT intends that these entities will only
have to submit one report for any individual event. For example, if an entity is registered as a
Reliability Coordinator, Balancing Authority and Transmission Operator, the entity would only
submit one report for a particular event rather than submitting three reports as each individual
registered entity.
Summary of Key Concepts
The DSR SDT identified the following principles to assist them in developing the standard:
• Develop a single form to report disturbances and events that threaten the reliability of the
Bulk Electric System
• Investigate other opportunities for efficiency, such as development of an electronic form
and possible inclusion of regional reporting requirements
• Establish clear criteria for reporting
• Establish consistent reporting timelines
• Provide clarity around who will receive the information and how it will be used
During the development of concepts, the DSR SDT considered the FERC directive to “further
define sabotage”. There was concern among stakeholders that a definition may be ambiguous
and subject to interpretation. Consequently, the DSR SDT decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act or
event was sabotage or vandalism without the intervention of law enforcement. The DSR SDT
felt that attempting to define sabotage would result in further ambiguity with respect to reporting
events. The term “sabotage” is no longer included in the standard. The events listed in EOP-004
Attachment 1 were developed to provide guidance for reporting both actual events as well as
events which may have an impact on the Bulk Electric System. The DSR SDT believes that this
is an equally effective and efficient means of addressing the FERC Directive.
The types of events that are required to be reported are contained within EOP-004 Attachment 1.
The DSR SDT has coordinated with the NERC Events Analysis Working Group to develop the
list of events that are to be reported under this standard. EOP-004 Attachment 1 pertains to those
actions or events that have impacted the Bulk Electric System. These events were previously
reported under EOP-004-1, CIP-001-1 or the Department of Energy form OE-417. EOP-004
Attachment 1 covers similar items that may have had an impact on the Bulk Electric System or
have the potential to have an impact and should be reported.
The DSR SDT wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in EOP-004 Attachment 1. Real-time communication
is covered in other standards. The proposed standard deals exclusively with after-the-fact reporting.
Data Gathering
The requirements of EOP-004-1 require that entities “promptly analyze Bulk Electric System
disturbances on its system or facilities” (Requirement R2). The requirements of EOP-004-2
specify that certain types of events are to be reported but do not include provisions to analyze
events. Events reported under EOP-004-2 may trigger further scrutiny by the ERO Events
Analysis Program. If warranted, the Events Analysis Program personnel may request that more
data for certain events be provided by the reporting entity or other entities that may have
experienced the event. Entities are encouraged to become familiar with the Events Analysis
Program and the NERC Rules of Procedure to learn more about the expectations of the
program.
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to improve the reliability of the Bulk Electric System
by requiring the reporting of events by Responsible Entities. Certain outages, such as those due
to vandalism and terrorism, may not be reasonably preventable. These are the types of events
that should be reported to law enforcement. Entities rely upon law enforcement agencies to
respond to and investigate those events which have the potential to impact a wider area of the
BES. The inclusion of reporting to law enforcement enables and supports reliability principles
such as protection of the Bulk Electric System from malicious physical attack. BES awareness of
the surrounding threat is essential to the effective operation and planning needed to
mitigate the potential risk to the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO), Regional Entity
• FERC
• DOE
• NRC
• DHS – Federal
• Homeland Security – State
• State Regulators
• Local Law Enforcement
• State or Provincial Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP)
The above stakeholders have an interest in the timely notification, communication and response
to an incident at a Facility. The stakeholders have various levels of accountability and have a
vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001-1a:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The CIP-001-1a standard requires a liaison relationship on behalf of the
industry and the FBI or RCMP. The standard’s requirements of the industry have not
been clear and have led to misunderstandings and confusion in the industry as to how to
demonstrate that the liaison is in place and effective. As an example of proof of compliance with
Requirement R4, Responsible Entities have asked FBI Office personnel to provide, on FBI
letterhead, confirmation of the existence of a working relationship to report acts of sabotage, the
number of years the liaison relationship has been in existence, and the validity of the telephone
numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, committed
investigators, analysts, linguists, SWAT experts, and other specialists from dozens of U.S. law
enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the Justice
Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communications occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flows freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to an industry incident has come from local and state law enforcement agencies
responding to suspected vandalism and criminal damages at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The Provincial
law enforcement agency has a reporting relationship with the Royal Canadian Mounted Police
(RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator and the
SDT Chair is reflected in the flowchart below (Reporting Hierarchy for Reportable Events).
Essentially, reporting an event to law enforcement agencies will only require the industry to
notify the state or provincial or local level law enforcement agency. The state or provincial or
local level law enforcement agency will coordinate with law enforcement with jurisdiction to
investigate. If the state or provincial or local level law enforcement agency decides federal
agency law enforcement or the RCMP should respond and investigate, the state or provincial or
local level law enforcement agency will notify and coordinate with the FBI or the RCMP.
Example of Reporting Process including Law Enforcement
[Flowchart. Start: Entity Experiencing An Event in Attachment 1. Decision: Report to Law Enforcement? (NO / YES). Boxes: Refer to Ops Plan for Reporting; Refer to Ops Plan for communicating to law enforcement; Communicate to Law Enforcement; Report Event to ERO, Reliability Coordinator; Notification Protocol to State Agency Law Enforcement; ERO conducts investigation; State Agency Law Enforcement coordinates as appropriate with FBI; ERO Events Analysis; ERO Reports Applicable Events to FERC Per Rules of Procedure. Decision: Criminal act invoking federal jurisdiction? (NO / YES). Boxes: State Agency Law Enforcement Investigates; State Agency Law Enforcement notifies FBI; FBI Responds and makes notification to DHS.]
* Canadian entities will follow law enforcement protocols applicable in their jurisdictions
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and has
developed updated standards based on the SAR.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The changes do not include any real-time operating notifications for the types of events covered
by CIP-001 and EOP-004. The real-time reporting requirements are achieved through the RCIS
and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies). These
standards deal exclusively with after-the-fact reporting.
The DSR SDT has consolidated disturbance and sabotage event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard:
• Requires reporting of “events” that impact or may impact the reliability of the Bulk
Electric System
• Provides clear criteria for reporting
• Includes consistent reporting timelines
• Identifies appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provides clarity around who will receive the information
Discussion of Disturbance Reporting
Disturbance reporting requirements existed in the previous version of EOP-004. The current
approved definition of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria were in the previous EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of events that are to be reported under this standard (EOP-004 Attachment 1).
Discussion of Event Reporting
There are situations worthy of reporting because they have the potential to impact reliability.
Event reporting facilitates industry awareness, which allows potentially impacted parties to
prepare for and possibly mitigate any associated reliability risk. It also provides the raw material,
in the case of certain potential reliability threats, to see emerging patterns.
Examples of such events include:
• Bolts removed from transmission line structures
• Train derailment adjacent to a Facility that either could have damaged a Facility directly
or could indirectly damage a Facility (e.g. flammable or toxic cargo that could pose fire
hazard or could cause evacuation of a control center)
• Destruction of Bulk Electric System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electric System using the event
categorization in this standard, it will be easier to get the relevant information for mitigation,
awareness, and tracking, while removing the distracting element of motivation.
Certain types of events should be reported to NERC, the Department of Homeland Security
(DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law enforcement.
Other types of events may have different reporting requirements. For example, an event that is
related to copper theft may only need to be reported to the local law enforcement authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. The standard requires Functional entities to report the
incidents and provide known information at the time of the report. Further data gathering
necessary for event analysis is provided for under the Events Analysis Program and the NERC
Rules of Procedure. Other entities (e.g., NERC, Law Enforcement, etc.) will be responsible for
performing the analyses. The NERC Rules of Procedure (section 800) provide an overview of
the responsibilities of the ERO in regards to analysis and dissemination of information for
reliability. Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial
Regulators, and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT has updated the listing of reportable events in EOP-004
Attachment 1 based on discussions with jurisdictional agencies, NERC, Regional Entities and
stakeholder input. There is a possibility that regional differences still exist.
The reporting required by this standard is intended to meet the uses and purposes of NERC. The
DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information should not be
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be sent to the NERC in lieu of entering
that information on the NERC report.
EOP-004-2 — Event Reporting
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will
be removed when the standard becomes effective.
Development Steps Completed
1. SC approved SAR for initial posting (April 2009).
2. SAR posted for comment (April 22 – May 21, 2009).
3. SC authorized moving the SAR forward to standard development (September 2009).
4. Concepts Paper posted for comment (March 17 – April 16, 2010).
5. Initial Informal Comment Period (September 15 – October 15, 2010).
6. Second Comment Period (Formal) (March 9 – April 8, 2011).
7. Third Comment Period and Initial Ballot (October 28 – December 12, 2011).
8. Fourth Comment Period and Successive Ballot (April 25 – May 24, 2012).
Proposed Action Plan and Description of Current Draft
This is the fifth posting of the proposed standard in accordance with Results-Based Standards
(RBS) criteria. The drafting team requests posting for a 30-day formal comment period
concurrent with the formation of the ballot pool and the successive ballot.
Future Development Plan
Anticipated Actions | Anticipated Date
Drafting team considers comments, makes conforming changes on fourth posting | June - August 2012
Fifth Comment/Ballot period | August – September 2012
Recirculation Ballot period | October 2012
Receive BOT approval | November 2012
File with regulatory authorities | December 2012
Draft 5: October 22, 2012
Effective Dates
The first day of the first calendar quarter that is six months beyond the date that this standard is
approved by applicable regulatory authorities. In those jurisdictions where regulatory approval
is not required, the standard shall become effective on the first day of the first calendar quarter
that is six months beyond the date this standard is approved by the NERC Board of Trustees, or
as otherwise made effective pursuant to the laws applicable to such ERO governmental
authorities.
Version History
Version | Date | Action | Change Tracking
2 | | Merged CIP-001-2a Sabotage Reporting and EOP-004-1 Disturbance Reporting into EOP-004-2 Event Reporting; Retire CIP-001-2a Sabotage Reporting and Retired EOP-004-1 Disturbance Reporting. | Revision to entire standard (Project 2009-01)
Definitions of Terms Used in Standard
This section includes all newly defined or revised terms used in the proposed standard. Terms
already defined in the Reliability Standards Glossary of Terms are not repeated here. New or
revised definitions listed below become approved when the proposed standard is approved.
When the standard becomes effective, these defined terms will be removed from the individual
standard and added to the Glossary.
None
When this standard has received ballot approval, the text boxes will be moved to the Guideline
and Technical Basis Section.
A. Introduction
1. Title: Event Reporting
2. Number: EOP-004-2
3. Purpose: To improve the reliability of the Bulk Electric System by requiring the reporting of events by Responsible Entities.
4. Applicability
4.1. Functional Entities: For the purpose of the Requirements and the EOP-004 Attachment 1 contained herein, the following functional entities will be collectively referred to as “Responsible Entity.”
4.1.1. Reliability Coordinator
4.1.2. Balancing Authority
4.1.3. Transmission Owner
4.1.4. Transmission Operator
4.1.5. Generator Owner
4.1.6. Generator Operator
4.1.7. Distribution Provider
5. Background:
NERC established a SAR Team in 2009 to investigate and propose revisions to the CIP-001
and EOP-004 Reliability Standards. The team was asked to consider the following:
1. CIP-001 could be merged with EOP-004 to eliminate redundancies.
2. Acts of sabotage have to be reported to the DOE as part of EOP-004.
3. Specific references to the DOE form need to be eliminated.
4. EOP-004 had some ‘fill-in-the-blank’ components to eliminate.
The development included other improvements to the standards deemed appropriate by the
drafting team, with the consensus of stakeholders, consistent with establishing high quality,
enforceable and technically sufficient Bulk Electric System reliability standards.
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance
and Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009.
The DSR SDT developed a concept paper to solicit stakeholder input regarding the proposed
reporting concepts that the DSR SDT had developed. The posting of the concept paper
sought comments from stakeholders on the “road map” that will be used by the DSR SDT in
updating or revising CIP-001 and EOP-004. The concept paper provided stakeholders the
background information and thought process of the DSR SDT. The DSR SDT has reviewed
the existing standards, the SAR, issues from the NERC issues database and FERC Order 693
Directives in order to determine a prudent course of action with respect to revision of these
standards.
B. Requirements and Measures
R1. Each Responsible Entity shall have an event reporting Operating Plan in accordance with EOP-004-2 Attachment 1 that includes the protocol(s) for reporting to the Electric Reliability Organization and other organizations (e.g., the Regional Entity, company personnel, the Responsible Entity’s Reliability Coordinator, law enforcement, or governmental authority). [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
M1. Each Responsible Entity will have a dated event reporting Operating Plan that includes, but is not limited to, the protocol(s) and each organization identified to receive an event report for event types specified in EOP-004-2 Attachment 1 and in accordance with the entity responsible for reporting.
Rationale for R1
The requirement to have an Operating Plan for reporting specific types of events provides the entity with a method to have its operating personnel recognize events that affect reliability and to be able to report them to appropriate parties; e.g., Regional Entities, applicable Reliability Coordinators, and law enforcement and other jurisdictional agencies when so recognized. In addition, these event reports are an input to the NERC Events Analysis Program. These other parties use this information to promote reliability, develop a culture of reliability excellence, provide industry collaboration and promote a learning organization.
Every Registered Entity that owns or operates elements or devices on the grid has a formal or informal process, procedure, or steps it takes to gather information regarding what happened when events occur. This requirement has the Responsible Entity establish documentation on how that procedure, process, or plan is organized. This documentation may be a single document or a combination of various documents that achieve the reliability objective.
The communication protocol(s) could include a process flowchart, identification of internal and external personnel or entities to be notified, or a list of personnel by name and their associated contact information. An existing procedure that meets the requirements of CIP-001-2a may be included in this Operating Plan along with other processes, procedures or plans to meet this requirement.
R2. Each Responsible Entity shall report events per their Operating Plan within 24 hours of recognition of meeting an event type threshold for reporting or by the end of the next business day if the event occurs on a weekend (which is recognized to be 4 PM local time on Friday to 8 AM Monday local time). [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
M2. Each Responsible Entity will have as evidence of reporting an event, a copy of the completed EOP-004-2 Attachment 2 form or a DOE-OE-417 form; and evidence of submittal (e.g., operator log or other operating documentation, voice recording, electronic mail message, or confirmation of facsimile) demonstrating the event report was submitted within 24 hours of recognition of meeting the threshold for reporting or by the end of the next business day if the event occurs on a weekend (which is recognized to be 4 PM local time on Friday to 8 AM Monday local time). (R2)
Rationale for R2
Each Responsible Entity must report and communicate events according to its Operating Plan based on the information in EOP-004-2 Attachment 1. By implementing the event reporting Operating Plan the Responsible Entity will assure situational awareness to the Electric Reliability Organization so that they may develop trends and prepare for a possible next event and mitigate the current event. This will assure that the BES remains secure and stable by mitigation actions that the Responsible Entity has within its function. By communicating events per the Operating Plan, the Responsible Entity will assure that people/agencies are aware of the current situation and they may prepare to mitigate current and further events.
R3. Each Responsible Entity shall validate all contact information contained in the Operating Plan pursuant to Requirement R1 each calendar year. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
M3. Each Responsible Entity will have dated records to show that it validated all contact information contained in the Operating Plan each calendar year. Such evidence may include, but is not limited to, dated voice recordings and operating logs or other communication documentation. (R3)
Rationale for R3
Requirement 3 calls for the Responsible Entity to validate the contact information contained in the Operating Plan each calendar year. This requirement helps ensure that the event reporting Operating Plan is up to date and entities will be able to effectively report events to assure situational awareness to the Electric Reliability Organization. If an entity experiences an actual event, communication evidence from the event may be used to show compliance with the validation requirement for the specific contacts used for the event.
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
The Regional Entity shall serve as the Compliance Enforcement Authority (CEA) unless the applicable entity is owned, operated, or controlled by the Regional Entity. In such cases the ERO or a Regional Entity approved by FERC or other applicable governmental authority shall serve as the CEA.
1.2 Evidence Retention
The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation:
The following evidence retention periods identify the period of time an entity is required to retain specific evidence to demonstrate compliance. For instances where the evidence retention period specified below is shorter than the time since the last audit, the Compliance Enforcement Authority may ask an entity to provide other evidence to show that it was compliant for the full time period since the last audit.
• Each Responsible Entity shall retain the current Operating Plan plus each version issued since the last audit for Requirements R1, and Measure M1.
• Each Responsible Entity shall retain evidence of compliance since the last audit for Requirements R2, R3 and Measure M2, M3.
If a Responsible Entity is found non-compliant, it shall keep information related to the non-compliance until mitigation is complete and approved or for the duration specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all requested and submitted subsequent audit records.
1.3 Compliance Monitoring and Enforcement Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
1.4 Additional Compliance Information
None
Table of Compliance Elements
R#: R1
Time Horizon: Operations Planning
VRF: Lower
Violation Severity Levels:
Lower VSL: The Responsible Entity had an Operating Plan, but failed to include one applicable event type. N/A
Moderate VSL: The Responsible Entity had an Operating Plan, but failed to include two applicable event types. N/A
High VSL: The Responsible Entity had an Operating Plan, but failed to include three applicable event types. N/A
Severe VSL: The Responsible Entity had an Operating Plan, but failed to include four or more applicable event types. OR The Responsible Entity failed to have an event reporting Operating Plan.
R#: R2
Time Horizon: Operations Assessment
VRF: Medium
Violation Severity Levels

Lower VSL:
The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 24 hours but less than or equal to 36 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to one entity identified in its event reporting Operating Plan within 24 hours.

Moderate VSL:
The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 36 hours but less than or equal to 48 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to two entities identified in its event reporting Operating Plan within 24 hours.

High VSL:
The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 48 hours but less than or equal to 60 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to three entities identified in its event reporting Operating Plan within 24 hours.

Severe VSL:
The Responsible Entity submitted an event report (e.g., written or verbal) to all required recipients more than 60 hours after meeting an event threshold for reporting.
OR
The Responsible Entity failed to submit an event report (e.g., written or verbal) to four or more entities identified in its event reporting Operating Plan within 24 hours.
OR
The Responsible Entity failed to submit a report for an event in EOP-004 Attachment 1.
R#: R3
Time Horizon: Operations Planning
VRF: Medium
Violation Severity Levels

Lower VSL:
The Responsible Entity validated all contact information contained in the Operating Plan but was late by less than one calendar month.
OR
The Responsible Entity validated 75% but less than 100% or more of the contact information contained in the Operating Plan.

Moderate VSL:
The Responsible Entity validated all contact information contained in the Operating Plan but was late by one calendar month or more but less than two calendar months.
OR
The Responsible Entity validated 50% and less than 75% of the contact information contained in the Operating Plan.

High VSL:
The Responsible Entity validated all contact information contained in the Operating Plan but was late by two calendar months or more but less than three calendar months.
OR
The Responsible Entity validated 25% and less than 50% of the contact information contained in the Operating Plan.

Severe VSL:
The Responsible Entity validated all contact information contained in the Operating Plan but was late by three calendar months or more.
OR
The Responsible Entity validated less than 25% of contact information contained in the Operating Plan.

D. Variances
None.
E. Interpretations
None.
F. References
Guideline and Technical Basis (attached)
EOP-004 - Attachment 1: Reportable Events
NOTE: Under certain adverse conditions (e.g. severe weather, multiple events) it may not be possible to report the damage caused by
an event and issue a written Event Report within the timing in the table below. In such cases, the affected Responsible Entity shall
notify parties per Requirement R2 and provide as much information as is available at the time of the notification. Submit reports to
the ERO via one of the following: e-mail: systemawareness@nerc.net, Facsimile 404-446-9770 or Voice: 404-446-9780.
Rationale Box for EOP-004 Attachment 1:
The DSR SDT used the defined term “Facility” to add clarity for several events listed in Attachment 1.
A Facility is defined as:
“A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a
line, a generator, a shunt compensator, transformer, etc.)”
The DSR SDT does not intend the use of the term Facility to mean a substation or any other facility
(not a defined term) that one might consider in everyday discussions regarding the grid. This is
intended to mean ONLY a Facility as defined above.
Submit EOP-004 Attachment 2 (or DOE-OE-417) pursuant to Requirements R1 and R2.
Event Type: Damage or destruction of a Facility
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Damage or destruction of a Facility within its Reliability Coordinator Area, Balancing Authority Area or Transmission Operator Area that results in actions to avoid a BES Emergency.

Event Type: Damage or destruction of a Facility
Entity with Reporting Responsibility: BA, TO, TOP, GO, GOP, DP
Threshold for Reporting: Damage or destruction of its Facility that results from actual or suspected intentional human action.

Event Type: Physical threats to a Facility
Entity with Reporting Responsibility: BA, TO, TOP, GO, GOP, DP
Threshold for Reporting: Physical threat to its Facility excluding weather or natural disaster related threats, which has the potential to degrade the normal operation of the Facility.
OR
Suspicious device or activity at a Facility.
Do not report theft unless it degrades normal operation of a Facility.

Event Type: Physical threats to a BES control center
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Physical threat to its BES control center, excluding weather or natural disaster related threats, which has the potential to degrade the normal operation of the control center.
OR
Suspicious device or activity at a BES control center.

Event Type: BES Emergency requiring public appeal for load reduction
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: Public appeal for load reduction event.

Event Type: BES Emergency requiring system-wide voltage reduction
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: System wide voltage reduction of 3% or more.

Event Type: BES Emergency requiring manual firm load shedding
Entity with Reporting Responsibility: Initiating entity is responsible for reporting
Threshold for Reporting: Manual firm load shedding ≥ 100 MW.

Event Type: BES Emergency resulting in automatic firm load shedding
Entity with Reporting Responsibility: DP, TOP
Threshold for Reporting: Automatic firm load shedding ≥ 100 MW (via automatic undervoltage or underfrequency load shedding schemes, or SPS/RAS).

Event Type: Voltage deviation on a Facility
Entity with Reporting Responsibility: TOP
Threshold for Reporting: Observed within its area a voltage deviation of ± 10% of nominal voltage sustained for ≥ 15 continuous minutes.

Event Type: IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only)
Entity with Reporting Responsibility: RC
Threshold for Reporting: Operate outside the IROL for time greater than IROL Tv (all Interconnections) or Operate outside the SOL for more than 30 minutes for Major WECC Transfer Paths (WECC only).

Event Type: Loss of firm load
Entity with Reporting Responsibility: BA, TOP, DP
Threshold for Reporting: Loss of firm load for ≥ 15 Minutes:
≥ 300 MW for entities with previous year’s demand ≥ 3,000 MW
OR
≥ 200 MW for all other entities

Event Type: System separation (islanding)
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Each separation resulting in an island ≥ 100 MW

Event Type: Generation loss
Entity with Reporting Responsibility: BA, GOP
Threshold for Reporting: Total generation loss, within one minute, of:
≥ 2,000 MW for entities in the Eastern or Western Interconnection
OR
≥ 1,000 MW for entities in the ERCOT or Quebec Interconnection

Event Type: Complete loss of off-site power to a nuclear generating plant (grid supply)
Entity with Reporting Responsibility: TO, TOP
Threshold for Reporting: Complete loss of off-site power affecting a nuclear generating station per the Nuclear Plant Interface Requirement

Event Type: Transmission loss
Entity with Reporting Responsibility: TOP
Threshold for Reporting: Unexpected loss within its area, contrary to design, of three or more BES Elements caused by a common disturbance (excluding successful automatic reclosing).

Event Type: Unplanned BES control center evacuation
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Unplanned evacuation from BES control center facility for 30 continuous minutes or more.

Event Type: Complete loss of voice communication capability
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Complete loss of voice communication capability affecting a BES control center for 30 continuous minutes or more.

Event Type: Complete loss of monitoring capability
Entity with Reporting Responsibility: RC, BA, TOP
Threshold for Reporting: Complete loss of monitoring capability affecting a BES control center for 30 continuous minutes or more such that analysis capability (i.e., State Estimator or Contingency Analysis) is rendered inoperable.

EOP-004 - Attachment 2: Event Reporting Form
EOP-004 Attachment 2: Event Reporting Form
Use this form to report events. The Electric Reliability Organization will accept the DOE OE-417
form in lieu of this form if the entity is required to submit an OE-417 report. Submit reports to
the ERO via one of the following: e-mail: systemawareness@nerc.net, Facsimile 404-446-9770
or voice: 404-446-9780.
Task / Comments

1. Entity filing the report include:
   Company name:
   Name of contact person:
   Email address of contact person:
   Telephone Number:
   Submitted by (name):

2. Date and Time of recognized event.
   Date: (mm/dd/yyyy)
   Time: (hh:mm)
   Time/Zone:

3. Did the event originate in your system?
   Yes
   No
   Unknown

4. Event Identification and Description:
   (Check applicable box)
   Damage or destruction of a Facility
   Physical Threat to a Facility
   Physical Threat to a control center
   BES Emergency:
      public appeal for load reduction
      system-wide voltage reduction
      manual firm load shedding
      automatic firm load shedding
   Voltage deviation on a Facility
   IROL Violation (all Interconnections) or SOL Violation for Major WECC Transfer Paths (WECC only)
   Loss of firm load
   System separation
   Generation loss
   Complete loss of off-site power to a nuclear generating plant (grid supply)
   Transmission loss
   unplanned control center evacuation
   Complete loss of voice communication capability
   Complete loss of monitoring capability
   Written description (optional):

Guideline and Technical Basis
Distribution Provider Applicability Discussion
The DSR SDT has included Distribution Providers (DP) as an applicable entity under this
standard. The team realizes that not all DPs will own BES Facilities and will not meet the
“Threshold for Reporting” for any event listed in Attachment 1. These DPs will not have any
reports to submit under Requirement R2. However, these DPs will be responsible for meeting
Requirements R1 and R3. The DSR SDT does not intend for these entities to have a detailed
Operating Plan to address events that are not applicable to them. In this instance, the DSR SDT
intends for the DP to have a very simple Operating Plan that includes a statement that there are
no applicable events in Attachment 1 (to meet R1) and that the DP will review the list of events
in Attachment 1 each year (to meet R3). The team does not think this will be a burden on any
entity as the development and annual validation of the Operating Plan should not take more than
30 minutes on an annual basis. If a DP discovers applicable events during the annual review, it
is expected that the DP will develop a more detailed Operating Plan to comply with the
requirements of the standard.
Multiple Reports for a Single Organization
For entities that have multiple registrations, the DSR SDT intends that these entities will only
have to submit one report for any individual event. For example, if an entity is registered as a
Reliability Coordinator, Balancing Authority and Transmission Operator, the entity would only
submit one report for a particular event rather than submitting three reports as each individual
registered entity.
Summary of Key Concepts
The DSR SDT identified the following principles to assist them in developing the standard:
• Develop a single form to report disturbances and events that threaten the reliability of the
Bulk Electric System
• Investigate other opportunities for efficiency, such as development of an electronic form
and possible inclusion of regional reporting requirements
• Establish clear criteria for reporting
• Establish consistent reporting timelines
• Provide clarity around who will receive the information and how it will be used
During the development of concepts, the DSR SDT considered the FERC directive to “further
define sabotage”. There was concern among stakeholders that a definition may be ambiguous
and subject to interpretation. Consequently, the DSR SDT decided to eliminate the term
sabotage from the standard. The team felt that it was almost impossible to determine if an act or
event was sabotage or vandalism without the intervention of law enforcement. The DSR SDT
felt that attempting to define sabotage would result in further ambiguity with respect to reporting
events. The term “sabotage” is no longer included in the standard. The events listed in EOP-004
Attachment 1 were developed to provide guidance for reporting both actual events as well as
events which may have an impact on the Bulk Electric System. The DSR SDT believes that this
is an equally effective and efficient means of addressing the FERC Directive.
The types of events that are required to be reported are contained within EOP-004 Attachment 1.
The DSR SDT has coordinated with the NERC Events Analysis Working Group to develop the
list of events that are to be reported under this standard. EOP-004 Attachment 1 pertains to those
actions or events that have impacted the Bulk Electric System. These events were previously
reported under EOP-004-1, CIP-001-1 or the Department of Energy form OE-417. EOP-004
Attachment 1 covers similar items that may have had an impact on the Bulk Electric System or
have the potential to have an impact and should be reported.
The DSR SDT wishes to make clear that the proposed Standard does not include any real-time
operating notifications for the events listed in EOP-004 Attachment 1. Real-time communication
is covered in other standards. The proposed standard deals exclusively with after-the-fact reporting.
Data Gathering
The requirements of EOP-004-1 require that entities “promptly analyze Bulk Electric System
disturbances on its system or facilities” (Requirement R2). The requirements of EOP-004-2
specify that certain types of events are to be reported but do not include provisions to analyze
events. Events reported under EOP-004-2 may trigger further scrutiny by the ERO Events
Analysis Program. If warranted, the Events Analysis Program personnel may request that more
data for certain events be provided by the reporting entity or other entities that may have
experienced the event. Entities are encouraged to become familiar with the Events Analysis
Program and the NERC Rules of Procedure to learn more about the expectations of the
program.
Law Enforcement Reporting
The reliability objective of EOP-004-2 is to improve the reliability of the Bulk Electric System
by requiring the reporting of events by Responsible Entities. Certain outages, such as those due
to vandalism and terrorism, may not be reasonably preventable. These are the types of events
that should be reported to law enforcement. Entities rely upon law enforcement agencies to
respond to and investigate those events which have the potential to impact a wider area of the
BES. The inclusion of reporting to law enforcement enables and supports reliability principles
such as protection of the Bulk Electric System from malicious physical or cyber attack. The
Standard is intended to reduce the risk of Cascading events. Awareness of the threats around
the BES is essential to effective operation and planning to mitigate the potential risk to
the BES.
Stakeholders in the Reporting Process
• Industry
• NERC (ERO), Regional Entity
• FERC
• DOE
• NRC
• DHS – Federal
• Homeland Security- State
• State Regulators
• Local Law Enforcement
• State or Provincial Law Enforcement
• FBI
• Royal Canadian Mounted Police (RCMP)
The above stakeholders have an interest in the timely notification, communication and response
to an incident at a Facility. The stakeholders have various levels of accountability and have a
vested interest in the protection and response to ensure the reliability of the BES.
Present expectations of the industry under CIP-001-1a:
It has been the understanding by industry participants that an occurrence of sabotage has to be
reported to the FBI. The FBI has the jurisdictional requirements to investigate acts of sabotage
and terrorism. The CIP-001-1a standard requires a liaison relationship on behalf of the
industry and the FBI or RCMP. The standard's requirements of the industry have not
been clear and have led to misunderstandings and confusion in the industry as to how to
demonstrate that the liaison is in place and effective. As an example of proof of compliance with
Requirement R4, Responsible Entities have asked FBI Office personnel to provide, on FBI
letterhead, confirmation of the existence of a working relationship to report acts of sabotage, the
number of years the liaison relationship has been in existence, and the validity of the telephone
numbers for the FBI.
Coordination of Local and State Law Enforcement Agencies with the FBI
The Joint Terrorism Task Force (JTTF) came into being with the first task force being
established in 1980. JTTFs are small cells of highly trained, locally based, committed
investigators, analysts, linguists, SWAT experts, and other specialists from dozens of U.S. law
enforcement and intelligence agencies. The JTTF is a multi-agency effort led by the Justice
Department and FBI designed to combine the resources of federal, state, and local law
enforcement. Coordination and communications occur largely through the interagency National Joint
Terrorism Task Force, working out of FBI Headquarters, which makes sure that information and
intelligence flows freely among the local JTTFs. This information flow can be most beneficial to
the industry in analytical intelligence, incident response and investigation. Historically, the most
immediate response to an industry incident has come from local and state law enforcement agencies
responding to suspected vandalism and criminal damages at industry facilities. Relying upon the JTTF
coordination between local, state and FBI law enforcement would be beneficial to effective
communications and the appropriate level of investigative response.
Coordination of Local and Provincial Law Enforcement Agencies with the RCMP
A similar law enforcement coordination hierarchy exists in Canada. Local and Provincial law
enforcement coordinate to investigate suspected acts of vandalism and sabotage. The Provincial
law enforcement agency has a reporting relationship with the Royal Canadian Mounted Police
(RCMP).
A Reporting Process Solution – EOP-004
A proposal discussed with the FBI, FERC Staff, NERC Standards Project Coordinator and the
SDT Chair is reflected in the flowchart below (Reporting Hierarchy for Reportable Events).
Essentially, reporting an event to law enforcement agencies will only require the industry to
notify the state or provincial or local level law enforcement agency. The state or provincial or
local level law enforcement agency will coordinate with law enforcement with jurisdiction to
investigate. If the state or provincial or local level law enforcement agency decides federal
agency law enforcement or the RCMP should respond and investigate, the state or provincial or
local level law enforcement agency will notify and coordinate with the FBI or the RCMP.
[Flowchart: Example of Reporting Process including Law Enforcement. Box labels: Entity Experiencing An Event in Attachment 1; Report to Law Enforcement? (YES / NO); Refer to Ops Plan for Reporting; Refer to Ops Plan for communicating to law enforcement; Communicate to Law Enforcement; Report Event to ERO, Reliability Coordinator; Notification Protocol to State Agency Law Enforcement; ERO conducts investigation; State Agency Law Enforcement coordinates as appropriate with FBI *; ERO Events Analysis; Criminal act invoking federal jurisdiction? (YES / NO); ERO Reports Applicable Events to FERC Per Rules of Procedure; State Agency Law Enforcement Investigates; State Agency Law Enforcement notifies FBI; FBI Responds and makes notification to DHS]
* Canadian entities will follow law enforcement protocols applicable in their jurisdictions
Disturbance and Sabotage Reporting Standard Drafting Team (Project 2009-01) Reporting Concepts
Introduction
The SAR for Project 2009-01, Disturbance and Sabotage Reporting was moved forward for
standard drafting by the NERC Standards Committee in August of 2009. The Disturbance and
Sabotage Reporting Standard Drafting Team (DSR SDT) was formed in late 2009 and has
developed updated standards based on the SAR.
The standards listed under the SAR are:
• CIP-001 — Sabotage Reporting
• EOP-004 — Disturbance Reporting
The changes do not include any real-time operating notifications for the types of events covered
by CIP-001 and EOP-004. The real-time reporting requirements are achieved through the RCIS
and are covered in other standards (e.g. EOP-002-Capacity and Energy Emergencies). These
standards deal exclusively with after-the-fact reporting.
The DSR SDT has consolidated disturbance and sabotage event reporting under a single
standard. These two components and other key concepts are discussed in the following sections.
Summary of Concepts and Assumptions:
The Standard:
• Requires reporting of “events” that impact or may impact the reliability of the Bulk
Electric System
• Provides clear criteria for reporting
• Includes consistent reporting timelines
• Identifies appropriate applicability, including a reporting hierarchy in the case of
disturbance reporting
• Provides clarity around who will receive the information
Discussion of Disturbance Reporting
Disturbance reporting requirements existed in the previous version of EOP-004. The current
approved definition of Disturbance from the NERC Glossary of Terms is:
1. An unplanned event that produces an abnormal system condition.
2. Any perturbation to the electric system.
3. The unexpected change in ACE that is caused by the sudden failure of generation or
interruption of load.
Disturbance reporting requirements and criteria were in the previous EOP-004 standard and its
attachments. The DSR SDT discussed the reliability needs for disturbance reporting and
developed the list of events that are to be reported under this standard (EOP-004 Attachment 1).
Discussion of Event Reporting
There are situations worthy of reporting because they have the potential to impact reliability.
Event reporting facilitates industry awareness, which allows potentially impacted parties to
prepare for and possibly mitigate any associated reliability risk. It also provides the raw material,
in the case of certain potential reliability threats, to see emerging patterns.
Examples of such events include:
• Bolts removed from transmission line structures
• Train derailment adjacent to a Facility that either could have damaged a Facility directly
or could indirectly damage a Facility (e.g. flammable or toxic cargo that could pose fire
hazard or could cause evacuation of a control center)
• Destruction of Bulk Electric System equipment
What about sabotage?
One thing became clear in the DSR SDT’s discussion concerning sabotage: everyone has a
different definition. The current standard CIP-001 elicited the following response from FERC in
FERC Order 693, paragraph 471 which states in part: “. . . the Commission directs the ERO to
develop the following modifications to the Reliability Standard through the Reliability Standards
development process: (1) further define sabotage and provide guidance as to the triggering
events that would cause an entity to report a sabotage event.”
Often, the underlying reason for an event is unknown or cannot be confirmed. The DSR SDT
believes that by reporting material risks to the Bulk Electric System using the event
categorization in this standard, it will be easier to get the relevant information for mitigation,
awareness, and tracking, while removing the distracting element of motivation.
Certain types of events should be reported to NERC, the Department of Homeland Security
(DHS), the Federal Bureau of Investigation (FBI), and/or Provincial or local law enforcement.
Other types of events may have different reporting requirements. For example, an event that is
related to copper theft may only need to be reported to the local law enforcement authorities.
Potential Uses of Reportable Information
Event analysis, correlation of data, and trend identification are a few potential uses for the
information reported under this standard. The standard requires Functional entities to report the
incidents and provide known information at the time of the report. Further data gathering
necessary for event analysis is provided for under the Events Analysis Program and the NERC
Rules of Procedure. Other entities (e.g., NERC, Law Enforcement, etc.) will be responsible for
performing the analyses. The NERC Rules of Procedure (section 800) provide an overview of
the responsibilities of the ERO in regards to analysis and dissemination of information for
reliability. Jurisdictional agencies (which may include DHS, FBI, NERC, RE, FERC, Provincial
Regulators, and DOE) have other duties and responsibilities.
Collection of Reportable Information or “One stop shopping”
The DSR SDT recognizes that some regions require reporting of additional information beyond
what is in EOP-004. The DSR SDT has updated the listing of reportable events in EOP-004
Attachment 1 based on discussions with jurisdictional agencies, NERC, Regional Entities and
stakeholder input. There is a possibility that regional differences still exist.
The reporting required by this standard is intended to meet the uses and purposes of NERC. The
DSR SDT recognizes that other requirements for reporting exist (e.g., DOE-417 reporting),
which may duplicate or overlap the information required by NERC. To the extent that other
reporting is required, the DSR SDT envisions that duplicate entry of information should not be
necessary, and the submission of the alternate report will be acceptable to NERC so long as all
information required by NERC is submitted. For example, if the NERC Report duplicates
information from the DOE form, the DOE report may be sent to the NERC in lieu of entering
that information on the NERC report.
Implementation Plan
Project 2009-01 Disturbance and Sabotage Reporting
Implementation Plan for EOP-004-2 – Event Reporting
Approvals Required
EOP-004-2 – Event Reporting
Prerequisite Approvals
None
Revisions to Glossary Terms
None
Applicable Entities
Reliability Coordinator
Balancing Authority
Transmission Owner
Transmission Operator
Generator Owner
Generator Operator
Distribution Provider
Conforming Changes to Other Standards
None
Effective Dates
In those jurisdictions where regulatory approval is required, this standard shall become effective on the
first day of the first calendar quarter that is six months after applicable regulatory approval or as
otherwise made effective pursuant to the laws applicable to such ERO governmental authorities. In
those jurisdictions where no regulatory approval is required, this standard shall become effective on the
first day of the first calendar quarter that is six months beyond the date this standard is approved by the
Board of Trustees, or as otherwise made effective pursuant to the laws applicable to such ERO
governmental authorities.
Retirements
EOP-004-1 – Disturbance Reporting and CIP-001-2a – Sabotage Reporting should be retired at midnight
of the day immediately prior to the Effective Date of EOP-004-2 in the particular jurisdiction in which
the new standard is becoming effective.
Project 2009-01 Disturbance and Sabotage Reporting
Mapping Document
Translation of CIP-002-2a – Sabotage Reporting and EOP-004-1 – Disturbance Reporting into EOP-004-2 – Event Reporting
Standard: CIP-001-2a – Sabotage Reporting

Requirement in Approved Standard:
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load-Serving Entity shall have procedures for the recognition of and for making their operating personnel aware of sabotage events on its facilities and multi site sabotage affecting larger portions of the Interconnection.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R1
Proposed Language in EOP-004-2 - Event Reporting:
R1. Each Responsible Entity shall have an event reporting Operating Plan in accordance with EOP-004-2 Attachment 1 that includes the protocol(s) for reporting to the Electric Reliability Organization and other organizations (e.g., the regional entity, company personnel, the Responsible Entity’s Reliability Coordinator, law enforcement, or governmental authority). [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
The specific list of events shown in Attachment 1 provides the Responsible Entity with clarity of what is required to be reported under this standard.

Requirement in Approved Standard:
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load-Serving Entity shall have procedures for the communication of information concerning sabotage events to appropriate parties in the Interconnection.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R1 and R2.
Proposed Language in EOP-004-2 - Event Reporting:
R1. Each Responsible Entity shall have an event reporting Operating Plan in accordance with EOP-004-2 Attachment 1 that includes the protocol(s) for reporting to the Electric Reliability Organization and other organizations (e.g., the regional entity, company personnel, the Responsible Entity’s Reliability Coordinator, law enforcement, or governmental authority). [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
R2. Each Responsible Entity shall implement its event reporting Operating Plan within 24 hours of meeting an event type threshold for reporting. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
These requirements specify that the Responsible Entity must have an Operating Plan for reporting events listed in Attachment 1 to the necessary parties, including law enforcement. NERC Situational Awareness has an operating protocol to forward all event reports (for events that occur within the United States) to FERC.
Project 2009-01 Disturbance and Sabotage Reporting
Mapping Document –December 9, 2012

Requirement in Approved Standard:
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load-Serving Entity shall provide its operating personnel with sabotage response guidelines, including personnel to contact, for reporting disturbances due to sabotage events.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R1
Proposed Language in EOP-004-2 - Event Reporting:
R1. Each Responsible Entity shall have an event reporting Operating Plan in accordance with EOP-004-2 Attachment 1 that includes the protocol(s) for reporting to the Electric Reliability Organization and other organizations (e.g., the regional entity, company personnel, the Responsible Entity’s Reliability Coordinator, law enforcement, or governmental authority). [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
This requirement specifies that the Responsible Entity must have an Operating Plan for reporting events listed in Attachment 1 to the necessary parties, including law enforcement.

Requirement in Approved Standard:
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load-Serving Entity shall establish communications contacts, as applicable, with local Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP) officials and develop reporting procedures as appropriate to their circumstances.
Translation to New Standard or Other Action:
Moved into EOP-004-2, R1
Proposed Language in EOP-004-2 - Event Reporting:
R1. Each Responsible Entity shall have an event reporting Operating Plan in accordance with EOP-004-2 Attachment 1 that includes the protocol(s) for reporting to the Electric Reliability Organization and other organizations (e.g., the regional entity, company personnel, the Responsible Entity’s Reliability Coordinator, law enforcement, or governmental authority). [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
These requirements specify that the Responsible Entity must have an Operating Plan for reporting events listed in Attachment 1 to the necessary parties, including law enforcement.

Requirement in Approved Standard
Standard: EOP-004-1 – Disturbance Reporting
Translation to
Proposed Language in EOP-004-2 - Event Reporting
New Standard or
Other Action
R1. Each Regional Reliability Organization shall
establish and maintain a Regional reporting
procedure to facilitate preparation of preliminary
and final disturbance reports.
Retire this fill-in-the-blank
requirement.
R2. A Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator or
Load-Serving Entity shall promptly analyze Bulk
Electric System disturbances on its system or
facilities.
The NERC Events
Analysis Process
The requirements of EOP-004-2 specify that an entity must report
certain types of events. The NERC EAWG has developed continent-wide
reporting and analysis guidelines applicable under the NERC Rules
of Procedure, Section 800.
R3. A Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator or
Load-Serving Entity experiencing a reportable
incident shall provide a preliminary written report
to its Regional Reliability Organization and NERC.
Translated into
EOP-004-2, R2
R2. Each Responsible Entity shall implement its event reporting
Operating Plan within 24 hours of meeting an event type threshold for
reporting. [Violation Risk Factor: Medium] [Time Horizon: Operations
Assessment]
Replace with new
reporting and
analysis
procedure
developed by
NERC EAWG.
The requirements of EOP-004-2 specify that an entity must report
certain types of events. The NERC EAWG has developed continent-wide
reporting and analysis guidelines applicable under the NERC Rules
of Procedure, Section 800.
The requirements of EOP-004-2 specify that an entity must report
certain types of events.
R3.1. The affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator or Load-Serving Entity shall submit within
24 hours of the disturbance or unusual occurrence
either a copy of the report submitted to DOE, or, if
no DOE report is required, a copy of the NERC
Interconnection Reliability Operating Limit and
Preliminary Disturbance Report form. Events that
are not identified until sometime after they occur
shall be reported within 24 hours of being
recognized.
Translated into
EOP-004-2, R2
R3.2. Applicable reporting forms are provided in
Attachments 022-1 and 022-2.
Retire –
informational
statement
R2. Each Responsible Entity shall implement its event reporting
Operating Plan within 24 hours of meeting an event type threshold for
reporting. [Violation Risk Factor: Medium] [Time Horizon: Operations
Assessment]
The requirements of EOP-004-2 specify that an entity must report
certain types of events.
R3.3. Under certain adverse conditions, e.g., severe
weather, it may not be possible to assess the
damage caused by a disturbance and issue a written
Interconnection Reliability Operating Limit and
Preliminary Disturbance Report within 24 hours. In
such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator,
Generator Operator, or Load-Serving Entity shall
promptly notify its Regional Reliability
Organization(s) and NERC, and verbally provide as
much information as is available at that time. The
affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator
Operator, or Load-Serving Entity shall then provide
timely, periodic verbal updates until adequate
information is available to issue a written
Preliminary Disturbance Report.
Retire as a
requirement.
Added as a
“Note” to EOP-004 Attachment 1 Events Table
NOTE: Under certain adverse conditions (e.g. severe weather, multiple
events) it may not be possible to report the damage caused by an
event and issue a written Event Report. In such cases, the affected
Responsible Entity shall notify parties per Requirement R2 and provide
as much information as is available at the time of the notification.
Submit reports to the ERO via one of the following: e-mail:
systemawareness@nerc.net or Voice: 404-446-9780.
R3.4. If, in the judgment of the Regional Reliability
Organization, after consultation with the Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity in which a disturbance occurred, a final
report is required, the affected Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity shall prepare this report within 60 days. As a
minimum, the final report shall have a discussion of
the events and its cause, the conclusions reached,
and recommendations to prevent recurrence of this
type of event. The report shall be subject to
Regional Reliability Organization approval.
Retire this fill-in-the-blank
requirement.
The requirements of EOP-004-2 specify that an entity must report
certain types of events. The NERC EAWG has developed continent-wide
reporting and analysis guidelines applicable under the NERC Rules
of Procedure, Section 800.
R4. When a Bulk Electric System disturbance
occurs, the Regional Reliability Organization shall
make its representatives on the NERC Operating
Committee and Disturbance Analysis Working
Group available to the affected Reliability
Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load-Serving
Entity immediately affected by the disturbance for
the purpose of providing any needed assistance in
the investigation and to assist in the preparation of
a final report.
Retire this fill-in-the-blank
requirement.
The requirements of EOP-004-2 specify that an entity must report
certain types of events. The NERC EAWG has developed continent-wide
reporting and analysis guidelines applicable under the NERC Rules
of Procedure, Section 800.
Project 2009-01 Disturbance and Sabotage Reporting
Consideration of Issues and Directives
Project 2009-01 Disturbance and Sabotage Reporting
Issue or Directive
Source
Consideration of Issue or Directive
"What is meant by: “establish contact with the
FBI”? Is a phone number adequate? Many entities
which call the FBI are referred back to the local
authority. The AOT noted that on the FBI website it
states to contact the local authorities. Is this a
question for Homeland Security to deal with for
us?"
Establish communications contacts, as applicable
with local FBI and RCMP officials. Some entities are
very remote and the sheriff is the only local
authority does the FBI still need to be contacted?
CIP‐001‐1 NERC
Audit
Observation
Team
The DSR SDT has been in contact with FBI staff and developed a
notification flow chart for law enforcement as it pertains to EOP-004.
The “Background” section of the standard outlines the reporting
hierarchy that exists between local, state, provincial and federal law
enforcement. The entity experiencing an event should notify the
appropriate state or provincial law enforcement agency that will then
coordinate with local law enforcement for investigation. These local,
state and provincial agencies will coordinate with higher levels of law
enforcement or other governmental agencies.
Registered Entities have sabotage reporting
processes and procedures in place but not all
personnel has been trained.
Question: How do you “and make the operator aware”
CIP‐001‐1 NERC
Audit
Observation
Team
This has been removed from the standard.
Requirement R1 requires that the entity has an
Operating Plan for applicable events listed in
Attachment 1.
How does this standard pertain to Load Serving Entities, LSE's.
CIP‐001‐1 NERC
Audit
Observation
Team
LSE has been removed as an applicable entity as there
are no applicable events.
Order No. 693 at Paragraph 469. We direct the ERO to explore ways
to address these concerns – including central coordination of
sabotage reports and a uniform reporting format – in developing
modifications to the Reliability Standard with the appropriate
governmental agencies that have levied the reporting requirements.
CIP‐001‐1;
Order 693 at P
469
See “Background” section of the standard as well as the
“Guidelines and Technical Basis” section.
Project 2009-01 Disturbance and Sabotage Reporting
Consideration of Issues and Directives – December 11, 2012
"Define “sabotage” and provide guidance on triggering events that
would cause an entity to report an event.
Order No. 693 at Paragraph 461. Several commenters agree with the
Commission’s concern that the term “sabotage” should be defined.
For the reasons stated in the NOPR, we direct that the ERO further
define the term and provide guidance on triggering events that
would cause an entity to report an event. However, we disagree with
those commenters that suggest the term “sabotage” is so vague as
to justify a delay in approval or the application of monetary
penalties. As explained in the NOPR, we believe that the term
sabotage is commonly understood and that common understanding
should suffice in most instances.
Order No. 693 at Paragraph 470. The ERO should consider
suggestions raised by commenters such as FirstEnergy and Xcel to
define the specified period for reporting an incident beginning from
when an event is discovered or suspected to be sabotage, and
APPA’s concerns regarding events at unstaffed or remote facilities,
and triggering events occurring outside staffed hours at small
entities.
CIP‐001‐1;
Order 693 at P
461
The DSR SDT has not proposed a definition for inclusion
in the NERC Glossary because it is impractical to define
every event that should be reported without listing
them in the definition. Attachment 1 is the de facto
definition of “event”. The DSR SDT considered the
FERC directive to “further define sabotage” and
decided to eliminate the term sabotage from the
standard. The team felt that without the intervention
of law enforcement after the fact, it was almost
impossible to determine if an act or event was that of
sabotage or merely vandalism. The term “sabotage” is
no longer included in the standard and therefore it is
inappropriate to attempt to define it. The events listed
in Attachment 1 provide guidance for reporting both
actual events as well as events which may have an
impact on the Bulk Electric System. The DSR SDT
believes that this is an equally effective and efficient
means of addressing the FERC Directive.
CIP‐001‐1;
Order 693 at P
470
Attachment 1 defines the events which are to be
reported under this standard. The required reporting is
within 24 hours “of recognition of the event.”
Order No. 693 at Paragraph 461. Modify CIP-001-1 to require an
applicable entity to contact appropriate governmental authorities in
the event of sabotage within a specific period of time, even if it is a
preliminary report. Further, in the interim while the matter is being
addressed by the Reliability Standards development process, we
direct the ERO to provide advice to entities that have concerns about
the reporting of particular circumstances as they arise.
CIP‐001‐1;
Order 693 at P
461
Per Requirement R1, the entity is to develop an
Operating Plan which includes event reporting to law
enforcement and governmental agencies. The DSR SDT
has been in contact with NERC Situational Awareness
and has been informed that all event reports received
by NERC are being forwarded to FERC.
Consider the need for wider application of the standard. Consider
whether separate, less burdensome requirements for smaller entities
may be appropriate.
CIP‐001‐1;
Order 693 at PP
458-60
Order No. 693 at Paragraph 458. The Commission acknowledges the
concerns of the commenters about the applicability of CIP-001-1 to
small entities and has addressed the concerns of small entities
generally earlier in this Final Rule. Our approval of the ERO
Compliance Registry criteria to determine which users, owners and
operators are responsible for compliance addresses the concerns of
APPA and others.
Attachment 1 defines the events which are to be
reported under this standard. The applicable entities
are also identified for each type of event. Each event is
to be reported within 24 hours of recognition of the
event.
Order No. 693 at Paragraph 459. However, the Commission believes
that there are specific reasons for applying this Reliability Standard
to such entities, as discussed in the NOPR. APPA indicates that some
small LSEs do not own or operate “hard assets” that are normally
thought of as “at risk” to sabotage. The Commission is concerned
that an adversary might determine that a small LSE is the
appropriate target when the adversary aims at a particular
population or facility. Or an adversary may target a small user, owner
or operator because it may have similar equipment or protections as
a larger facility, that is, the adversary may use an attack against a
smaller facility as a training “exercise.”
The knowledge of sabotage events that occur at any facility
(including small facilities) may be helpful to those facilities that are
traditionally considered to be the primary targets of adversaries as
well as to all members of the electric sector, the law enforcement
community and other critical infrastructures.
Order No. 693 at Paragraph 460. For these reasons, the Commission
remains concerned that a wider application of CIP-001-1 may be
appropriate for Bulk Power System reliability. Balancing these
concerns with our earlier discussion of the applicability of Reliability
Standards to smaller entities, we will not direct the ERO to make any
specific modification to CIP-001-1 to address applicability. However,
we direct the ERO, as part of its Work Plan, to consider in the
Reliability Standards development process, possible revisions to
CIP-001-1 that address our concerns regarding the need for wider
application of the Reliability Standard. Further, when addressing such
applicability issues, the ERO should consider whether separate, less
burdensome requirements for smaller entities may be appropriate to
address these concerns.
Order No. 693 at Paragraph 466.
The Commission affirms the NOPR directive and directs the ERO to
incorporate a periodic review or updating of the sabotage reporting
procedures and for the periodic testing of the sabotage reporting
procedures. At this time, the Commission does not specify a review
period as suggested by FirstEnergy and MRO and, rather, believes
that the appropriate period should be determined through the ERO’s
Reliability Standards development process. However, the
Commission directs that the ERO begin this process by considering a
staggered schedule of annual testing of the procedures with
modifications made when warranted formal review of the
procedures every two or three years.
CIP‐001‐1;
Order 693 at P
466
The standard is responsive to this directive with the
following language in Requirement R3:
R3. Each Responsible Entity shall validate all
contact information contained in the Operating
Plan pursuant to Requirement R1 each calendar
year. [Violation Risk Factor: Medium] [Time
Horizon: Operations Planning]
The DSR SDT envisions that this will include verification
that contact information contained in the Operating
Plan is correct. As an example, the annual validation
could include calling others as defined in the
Responsible Entity’s Operating Plan to verify that
their contact information is correct and current. If any
discrepancies are noted, the Operating Plan would be
updated.
Consider FirstEnergy’s suggestions to differentiate between cyber
and physical security sabotage and develop a threshold of
materiality.
CIP‐001‐1;
Order 693 at P
451, 467-68
This is addressed in Attachment 1. There are specific
event types for physical security with report submittal
requirements. Cyber security is addressed in the CIP
version 5 standards.
CIP‐001‐1;
Order 693 at P
471
This is addressed in Requirement R1 and Attachment 1.
There are specific event types for physical security
report submittal requirements. Cyber security is
addressed in the CIP version 5 standards.
Order No. 693 at Paragraph 451. A number of commenters agree
with the Commission’s concern that the term “sabotage” needs to be
better defined and guidance provided on the triggering events that
would cause an entity to report an event. FirstEnergy states that this
definition should differentiate between cyber and physical sabotage
and should exclude unintentional operator error. It advocates a
threshold of materiality to exclude acts that do not threaten to
reduce the ability to provide service or compromise safety and
security. SoCal Edison states that clarification regarding the
meaning of sabotage and the triggering event for reporting would be
helpful and prevent over reporting.
471. As explained in the NOPR, while the Commission has identified
concerns regarding CIP-001-1, we believe that the proposal serves an
important purpose in ensuring that operating entities properly
respond to sabotage events to minimize the adverse impact on the
Bulk-Power System. Accordingly, the Commission approves
Reliability Standard CIP-001-1 as mandatory and enforceable. In
addition, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of
our regulations, the Commission directs the ERO to develop the
following modifications to the Reliability Standard through the
Reliability Standards development process:… (2) specify baseline
requirements regarding what issues should be addressed in the
procedures for recognizing sabotage events and making personnel
aware of such events;
"Include a requirement to report a sabotage event to the proper
government authorities. Develop the language to specifically
implement this directive.
See “Guidelines and Technical Basis” section of
Standard.
Order No. 693 at Paragraph 467. CIP-001-1, Requirement R4,
requires that each applicable entity establish communications
contacts, as applicable, with the local FBI or Royal Canadian Mounted
Police officials and develop reporting procedures as appropriate to
its circumstances. The Commission in the NOPR expressed concern
that the Reliability Standard does not require an applicable entity to
actually contact the appropriate governmental or regulatory body in
the event of sabotage. Therefore, the Commission proposed that
NERC modify the Reliability Standard to require an applicable entity
to “contact appropriate federal authorities, such as the Department
of Homeland Security, in the event of sabotage within a specified
period of time.”
“A proposal discussed with FBI, FERC Staff, NERC
Standards Project Coordinator and SDT Chair is
reflected in the flowchart below (Reporting Hierarchy
for Event EOP-004-2). Essentially, reporting an event to
law enforcement agencies will only require the industry
to notify the state or provincial level law enforcement
agency. The state or provincial level law enforcement
agency will coordinate with local law enforcement to
investigate. If the state or provincial level law
enforcement agency decides federal agency law
enforcement or the RCMP should respond and
investigate, the state or provincial level law
enforcement agency will notify and coordinate with the
FBI or the RCMP.”
Order No. 693 at Paragraph 468. As mentioned above, NERC and
others object to the wording of the proposed directive as overly
prescriptive and note that the reference to “appropriate federal
authorities” fails to recognize the international application of the
Reliability Standard. The example of the Department of Homeland
Security as an “appropriate federal authority” was not intended to
be an exclusive designation. Nonetheless, the Commission agrees
that a reference to “federal authorities” could create confusion.
Accordingly, we modify the direction in the NOPR and now direct the
ERO to address our underlying concern regarding mandatory
reporting of a sabotage event. The ERO’s Reliability Standards
development process should develop the language to implement this
directive."
At present NERC Situational Awareness staff forwards
applicable event reports to FERC. This only includes
reports for events that are subject to FERC jurisdiction
(i.e. – US entities).
On March 4, 2008, NERC submitted a compliance filing in response to
a December 20, 2007 Order, in which the Commission reversed a
NERC decision to register three retail power marketers to comply
with Reliability Standards applicable to load serving entities (LSEs)
and directed NERC to submit a plan describing how it would address
a possible “reliability gap” that NERC asserted would result if the
LSEs were not registered.
CIP‐001‐1 and
EOP-004
Direct Energy
Services, LLC, et
al., 121 FERC ¶
61,274 (2007)
The LSE is no longer an applicable entity, since no
reportable event types in Attachment apply to an LSE.
If an entity owns distribution assets, that entity will be
registered as a Distribution Provider. Attachment 1
defines the timelines and events which are to be
reported under this standard. The applicable entities
are also identified for each type of event.
Compliance Filing of NERC in Response to December 20, 2007 Order
in Docket Nos. RC07-4-000, RC07-6-000, RC07-7-000 (March 4, 2008).
NERC’s compliance filing included the following proposal for a
short‐term plan and a long‐term plan to address the potential gap:
∙ Short‐term: Using a posting and open comment process, NERC will
revise the registration criteria to define “Non‐Asset Owning LSEs” as
a subset of Load Serving Entities and will specify the reliability
standards applicable to that subset.
∙ Longer‐term: NERC will determine the changes necessary to terms
and requirements in reliability standards to address the issues
surrounding accountability for loads served by retail
marketers/suppliers and process them through execution of the
three‐year Reliability Standards Development Plan. In this revised
Reliability Standards Development Plan, NERC is commencing the
implementation of its stated long‐term plan to address the issues
surrounding accountability for loads served by retail
marketers/suppliers.
The NERC Reliability Standards Development Procedure will be used
to identify the changes necessary to terms and requirements in
reliability standards to address the issues surrounding accountability
for loads served by retail marketers/suppliers. Specifically, the
following description has been incorporated into the scope for
affected projects in this revised Reliability Standards Development
Plan that includes a standard applicable to Load Serving Entities:
Source: Direct Energy Services, LLC, et al., 121 FERC ¶ 61,274 (2007)
Issue: In FERC’s December 20, 2007 Order, the Commission reversed
NERC’s Compliance Registry decisions with respect to three load
serving entities in the ReliabilityFirst (RFC) footprint. The
distinguishing feature of these three LSEs is that none own physical
assets. Both NERC and RFC assert that there will be a “reliability gap”
if retail marketers are not registered as LSEs. To avoid a possible gap,
a consistent, uniform approach to ensure that appropriate Reliability
Standards and associated requirements are applied to retail
marketers must be followed.
Each drafting team responsible for reliability standards that are
applicable to LSEs is to review and change as necessary,
requirements in the reliability standards to address the issues
surrounding accountability for loads served by retail
marketers/suppliers. For additional information see:
∙ FERC’s December 20, 2007 Order
(http://www.nerc.com/files/LSE_decision_order.pdf)
∙ NERC’s March 4, 2008
(http://www.nerc.com/files/FinalFiledLSE3408.pdf),
∙ FERC’s April 4, 2008 Order
(http://www.nerc.com/files/AcceptLSECompFiling‐040408.pdf), and
∙ NERC’s July 31, 2008
(http://www.nerc.com/files/FinalFiled‐compFiling‐LSE‐07312008.pdf)
compliance filings to FERC on this subject.
Object to multi‐site requirement
Version 0 Team
CIP-001-1
Definition of sabotage required
Version 0 Team
CIP-001-1
Adequate procedures will insure it is unlikely to lead to
bulk electric system instability, separation, or cascading failures.
VRFs Team
The Standard was revised for clarity. Attachment 1
defines the timelines and events which are to be
reported under this standard. The applicable entities
are also identified for each type of event.
No definition for sabotage was developed. The DSR SDT
has not proposed a definition for inclusion in the NERC
Glossary because it is impractical to define every event
that should be reported without listing them in the
definition. Attachment 1 is the de facto definition of
“event”. The DSR SDT considered the FERC directive to
“further define sabotage” and decided to eliminate the
term sabotage from the standard. The team felt that
without the intervention of law enforcement after the
fact, it was almost impossible to determine if an act or
event was that of sabotage or merely vandalism. The
term “sabotage” is no longer included in the standard
and therefore it is inappropriate to attempt to define it.
The events listed in Attachment 1 provide guidance for
reporting both actual events as well as events which
may have an impact on the Bulk Electric System. The
DSR SDT believes that this is an equally effective and
efficient means of addressing the FERC Directive.
Coordination and follow up on lessons learned from event analyses
Consider adding to EOP‐004 – Disturbance Reporting Proposed
requirement: Regional Entities (REs) shall work together with
Reliability Coordinators, Transmission Owners, and Generation
Owners to develop an Event Analysis Process to prevent similar
events from happening and follow up with the recommendations.
This process shall be defined within the appropriate NERC Standard.
Consider changes to R1 and R3.4 to standardize the disturbance
reporting requirements (requirements for disturbance reporting
need to be added to this standard). Regions currently have
procedures, but not in the form of a standard. The drafting team will
need to review regional requirements to determine reporting
requirements for the North American standard.
Can there be a violation without an event?
Events Analysis
Team Reliability
Issue
The DSR SDT envisions EOP-004-2 to be a reporting
standard. Any follow up investigation or analysis falls
under the purview of the NERC Events Analysis
Program under the NERC Rules of Procedure.
Fill in the Blank
Team
The DSR SDT envisions EOP-004-2 to be a continent-wide reporting standard. Any follow up investigation or
analysis falls under the purview of the NERC Events
Analysis Program under the NERC Rules of Procedure.
NERC Audit
Observation
Team
The DSR SDT envisions EOP-004-2 to be a continent-wide reporting standard. In the opinion of the DSR
SDT, there cannot be a violation of Requirement R2
without an event. Since Requirement R1 calls for an
Operating Plan, there can be a violation of R1 without
an event.
Consider APPA’s concern about generator operators and LSEs
analyzing performance of their equipment and provide data and
information on the equipment to assist others with analysis.
Order No. 693 at Paragraph 607. APPA is concerned about the scope
of Requirement R2 because, in its opinion, Requirement R2 appears
to impose an open‐ended obligation on entities such as generation
operators and LSEs that may have neither the data nor the tools to
promptly analyze disturbances that could have originated elsewhere.
APPA proposes that Requirement R2 be modified to require affected
entities to promptly begin analyses to ensure timely reporting to
NERC and DOE.
EOP‐004‐1
Order 693 at PP
607, 612
The DSR SDT envisions EOP-004-2 to be a continent-wide reporting standard. Any follow up investigation or
analysis falls under the purview of the NERC Events
Analysis Program under the NERC Rules of Procedure.
Order No. 693 at Paragraph 612. Requirement R2 of the Reliability
Standard requires reliability coordinators, balancing authorities,
transmission operators, generator operators and LSEs to promptly
analyze disturbances on their system or facilities. APPA is concerned
that generator operators and LSEs may be unable to promptly
analyze disturbances, particularly those disturbances that may have
originated outside of their systems, as they may have neither the
data nor the tools required for such analysis. The Commission
understands APPA’s concern and believes that, at a minimum,
generator operators and LSEs should analyze the performance of
their equipment and provide the data and information on their
equipment to assist others with their analyses. The Commission
directs the ERO to consider this concern in future revisions to the
Reliability Standard through the Reliability Standards development
process.
FERC request for DOE‐417s
EOP‐004‐1
Other
Per Requirement R1, the entity is to develop an
Operating Plan which includes event reporting to law
enforcement and governmental agencies. The DSR SDT
has been in contact with NERC Situational Awareness
and has been informed that all event reports received
by NERC are being forwarded to FERC.
Violation Risk Factor and Violation Severity Level Assignments
Project 2009-01 – Disturbance and Sabotage Reporting
This document provides the drafting team’s justification for assignment of violation risk factors (VRFs)
and violation severity levels (VSLs) for each requirement in
EOP-004-2 — Event Reporting
Each primary requirement is assigned a VRF and a set of one or more VSLs. These elements support the
determination of an initial value range for the Base Penalty Amount regarding violations of requirements
in FERC-approved Reliability Standards, as defined in the ERO Sanction Guidelines.
Justification for Assignment of Violation Risk Factors in EOP-004-2
The Disturbance and Sabotage Reporting Standard Drafting Team applied the following NERC criteria
when proposing VRFs for the requirements in EOP-004-2:
High Risk Requirement
A requirement that, if violated, could directly cause or contribute to bulk electric system
instability, separation, or a cascading sequence of failures, or could place the bulk electric system
at an unacceptable risk of instability, separation, or cascading failures; or, a requirement in a
planning time frame that, if violated, could, under emergency, abnormal, or restorative conditions
anticipated by the preparations, directly cause or contribute to bulk electric system instability,
separation, or a cascading sequence of failures, or could place the bulk electric system at an
unacceptable risk of instability, separation, or cascading failures, or could hinder restoration to a
normal condition.
Medium Risk Requirement
A requirement that, if violated, could directly affect the electrical state or the capability of the
bulk electric system, or the ability to effectively monitor and control the bulk electric system.
However, violation of a medium risk requirement is unlikely to lead to bulk electric system
instability, separation, or cascading failures; or, a requirement in a planning time frame that, if
violated, could, under emergency, abnormal, or restorative conditions anticipated by the
preparations, directly and adversely affect the electrical state or capability of the bulk electric
system, or the ability to effectively monitor, control, or restore the bulk electric system.
However, violation of a medium risk requirement is unlikely, under emergency, abnormal, or
restoration conditions anticipated by the preparations, to lead to bulk electric system instability,
separation, or cascading failures, nor to hinder restoration to a normal condition.
Lower Risk Requirement
A requirement that is administrative in nature and a requirement that, if violated, would not be
expected to adversely affect the electrical state or capability of the bulk electric system, or the
ability to effectively monitor and control the bulk electric system; or, a requirement that is
administrative in nature and a requirement in a planning time frame that, if violated, would not,
under the emergency, abnormal, or restorative conditions anticipated by the preparations, be
expected to adversely affect the electrical state or capability of the bulk electric system, or the
ability to effectively monitor, control, or restore the bulk electric system. A planning requirement
that is administrative in nature.
The SDT also considered consistency with the FERC Violation Risk Factor Guidelines for setting
VRFs:[1]
Guideline (1) — Consistency with the Conclusions of the Final Blackout Report
The Commission seeks to ensure that Violation Risk Factors assigned to Requirements of
Reliability Standards in these identified areas appropriately reflect their historical critical impact
on the reliability of the Bulk-Power System.
In the VSL Order, FERC listed critical areas (from the Final Blackout Report) where violations could
severely affect the reliability of the Bulk-Power System:[2]
− Emergency operations
− Vegetation management
− Operator personnel training
− Protection systems and their coordination
− Operating tools and backup facilities
− Reactive power and voltage control
− System modeling and data exchange
− Communication protocol and facilities
− Requirements to determine equipment ratings
− Synchronized data recorders
− Clearer criteria for operationally critical facilities
− Appropriate use of transmission loading relief.
Guideline (2) — Consistency within a Reliability Standard
The Commission expects a rational connection between the sub-Requirement Violation Risk
Factor assignments and the main Requirement Violation Risk Factor assignment.
[1] North American Electric Reliability Corp., 119 FERC ¶ 61,145, order on reh’g and compliance filing, 120 FERC ¶ 61,145
(2007) (“VRF Rehearing Order”).
[2] Id. at footnote 15.
VRF and VSL Assignments – Project 2009-01 (August 2, 2012)
Guideline (3) — Consistency among Reliability Standards
The Commission expects the assignment of Violation Risk Factors corresponding to
Requirements that address similar reliability goals in different Reliability Standards would be
treated comparably.
Guideline (4) — Consistency with NERC’s Definition of the Violation Risk Factor Level
Guideline (4) was developed to evaluate whether the assignment of a particular
Violation Risk Factor level conforms to NERC’s definition of that risk level.
Guideline (5) — Treatment of Requirements that Co-mingle More Than One Obligation
Where a single Requirement co-mingles a higher risk reliability objective and a lesser risk
reliability objective, the VRF assignment for such Requirements must not be watered down to
reflect the lower risk level associated with the less important objective of the Reliability
Standard.
The following discussion addresses how the SDT considered FERC’s VRF Guidelines 2 through 5. The
team did not address Guideline 1 directly because of an apparent conflict between Guidelines 1 and 4.
Whereas Guideline 1 identifies a list of topics that encompass nearly all topics within NERC’s
Reliability Standards and implies that these requirements should be assigned a “High” VRF, Guideline 4
directs assignment of VRFs based on the impact of a specific requirement to the reliability of the system.
The SDT believes that Guideline 4 is reflective of the intent of VRFs in the first instance and therefore
concentrated its approach on the reliability impact of the requirements.
VRF for EOP-004-2:
There are three requirements in EOP-004-2. Requirement R1 was assigned a Lower VRF while
Requirements R2 and R3 were assigned a Medium VRF.
VRF for EOP-004-2, Requirement R1:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. The Requirement specifies which
entities are required to have processes for recognition of events and for communicating with other
entities. This Requirement is the only administrative Requirement within the Standard. The VRF is
only applied at the Requirement level.
• FERC’s Guideline 3 — Consistency among Reliability
Standards. This requirement calls for an entity to have processes for recognition of events and
communicating with other entities. This requirement is administrative in nature and deals with the
means to report events after the fact. All event reporting requirements in Attachment 1 are for 24
hours after recognition that an event has occurred. The current approved VRFs for EOP-004-1 are
all lower with the exception of Requirement R2 which is a requirement to analyze events. This
standard relates only to reporting events. The analysis portion is addressed through the NERC Rules
of Procedure and the Events Analysis Program.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. Failure to have an event
reporting Operating Plan is not likely to directly affect the electrical state or the capability of the bulk
electric system. Development of the Operating Plan is a requirement that is administrative in nature
and is in a planning time frame that, if violated, would not, under emergency, abnormal, or
restorative conditions anticipated by the preparations, be expected to adversely affect the electrical
state or capability of the bulk electric system, or the ability to effectively monitor, control, or restore
the bulk electric system. Therefore this requirement was assigned a Lower VRF.
• FERC’s Guideline 5 — Treatment of Requirements that Co-mingle More Than One Objective.
EOP-004-2, Requirement R1 contains only one objective which is to have an Operating Plan with
two distinct processes. Since the requirement is to have an Operating Plan, only one VRF was
assigned.
VRF for EOP-004-2, Requirement R2:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. This Requirement calls for the
Responsible Entity to implement its Operating Plan and is assigned a Medium VRF. There is one
other similar Requirement in this Standard which specifies an annual validation of the information
contained in the Operating Plan (R3). Both of these Requirements are assigned a Medium VRF.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R2 is a
requirement for entities to report events using the process for recognition of events per Attachment 1.
Failure to report events within 24 hours is not likely to “directly affect the electrical state or the
capability of the bulk electric system, or the ability to effectively monitor and control the bulk
electric system.” However, violation of a medium risk requirement should also be “unlikely to lead
to bulk electric system instability, separation, or cascading failures…” Such an instance could occur
if personnel do not report events. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R2 mandates that Responsible Entities implement their Operating Plan. Bulk power system
instability, separation, or cascading failures are not likely to occur due to a failure to notify another
entity of the event failure, but there is a slight chance that it could occur. Therefore, this requirement
was assigned a Medium VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective. EOP-004-2, Requirement R2 addresses a single objective and has a single VRF.
VRF for EOP-004-2, Requirement R3:
• FERC’s Guideline 2 — Consistency within a Reliability Standard. This Requirement calls for the
Responsible Entity to perform an annual validation of the information contained in the Operating
Plan and is assigned a Medium VRF. There is one other similar Requirement in this Standard which
specifies that the Responsible Entity implement its Operating Plan (R2). Both of these
Requirements are assigned a Medium VRF.
• FERC’s Guideline 3 — Consistency among Reliability Standards. EOP-004-2, Requirement R3 is a
requirement for entities to perform an annual validation of the information contained in the
Operating Plan. Failure to perform an annual validation of the information
contained in the Operating Plan is not likely to “directly affect the electrical state or the capability of
the bulk electric system, or the ability to effectively monitor and control the bulk electric system.”
However, violation of a medium risk requirement should also be “unlikely to lead to bulk electric
system instability, separation, or cascading failures…” Such an instance could occur if personnel do
not perform an annual test of the Operating Plan and it is out of date or contains erroneous
information. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 4 — Consistency with NERC’s Definition of a VRF. EOP-004-2, Requirement
R3 mandates that Responsible Entities perform an annual validation of the information contained in
the Operating Plan. Bulk power system instability, separation, or cascading
failures are not likely to occur due to a failure to perform an annual test of the Operating Plan, but
there is a slight chance that it could occur if the Operating Plan is out of date or contains erroneous
information. Therefore, this requirement was assigned a Medium VRF.
• FERC’s Guideline 5 - Treatment of Requirements that Co-mingle More Than One Objective. EOP-004-2, Requirement R3 addresses a single objective and has a single VRF.
Justification for Assignment of Violation Severity Levels for EOP-004-2:
In developing the VSLs for the EOP-004-2 standard, the SDT anticipated the evidence that would be
reviewed during an audit, and developed its VSLs based on the noncompliance an auditor may find
during a typical audit. The SDT based its assignment of VSLs on the following NERC criteria:
Lower: Missing a minor element (or a small percentage) of the required performance. The performance or
product measured has significant value as it almost meets the full intent of the requirement.
Moderate: Missing at least one significant element (or a moderate percentage) of the required
performance. The performance or product measured still has significant value in meeting the intent of the
requirement.
High: Missing more than one significant element (or is missing a high percentage) of the required
performance or is missing a single vital component. The performance or product has limited value in
meeting the intent of the requirement.
Severe: Missing most or all of the significant elements (or a significant percentage) of the required
performance. The performance measured does not meet the intent of the requirement or the product
delivered cannot be used in meeting the intent of the requirement.
FERC’s VSL guidelines are presented below, followed by an analysis of whether the VSLs proposed for
each requirement in EOP-004-2 meet the FERC Guidelines for assessing VSLs:
Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence
of Lowering the Current Level of Compliance
Compare the VSLs to any prior levels of non-compliance and avoid significant changes that may
encourage a lower level of compliance than was required when levels of non-compliance were
used.
Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in
the Determination of Penalties
A violation of a “binary” type requirement must be a “Severe” VSL.
Do not use ambiguous terms such as “minor” and “significant” to describe noncompliant
performance.
Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement
VSLs should not expand on what is required in the requirement.
Guideline 4: Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations
. . . unless otherwise stated in the requirement, each instance of non-compliance with a
requirement is a separate violation. Section 4 of the Sanction Guidelines states that assessing
penalties on a per violation per day basis is the “default” for penalty calculations.
VSLs for EOP-004-2 Requirement R1:
R#: R1
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. The requirement calls for the
entity to have an Operating Plan and is binary in nature. The VSL is therefore set to “Severe”.
Guideline 1 (Violation Severity Level Assignments Should Not Have the Unintended Consequence of
Lowering the Current Level of Compliance): The proposed requirement is a revision of CIP-001-1, R1-R4,
and EOP-004-1, R2. The Requirement has no Parts and is binary in nature. The binary VSL does not
lower the current level of Compliance.
Guideline 2 (Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the
Determination of Penalties; Guideline 2a: The Single Violation Severity Level Assignment Category for
"Binary" Requirements Is Not Consistent; Guideline 2b: Violation Severity Level Assignments that
Contain Ambiguous Language): The proposed VSL does not use any ambiguous terminology, thereby
supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3 (Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement): The proposed binary VSL uses the same terminology as used in the associated
requirement, and is, therefore, consistent with the requirement.
Guideline 4 (Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations): The VSLs are based on a single violation and not cumulative
violations.
VSLs for EOP-004-2 Requirement R2:
R#: R2
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental aspect
to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1 (Violation Severity Level Assignments Should Not Have the Unintended Consequence of
Lowering the Current Level of Compliance): The proposed requirement is a revision of EOP-004-1, R3.
There is only a Severe VSL for that requirement. However, the reporting of events is based on timing
intervals listed in EOP-004 Attachment 1. Based on the VSL Guidance, the DSR SDT developed four
VSLs based on tardiness of the submittal of the report. If a report is not submitted, then the VSL is
Severe. This maintains the current VSL.
Guideline 2 (Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the
Determination of Penalties; Guideline 2a: The Single Violation Severity Level Assignment Category for
"Binary" Requirements Is Not Consistent; Guideline 2b: Violation Severity Level Assignments that
Contain Ambiguous Language): The proposed VSLs do not use any ambiguous terminology, thereby
supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3 (Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement): The proposed VSLs use the same terminology as used in the associated requirement,
and are, therefore, consistent with the requirement.
Guideline 4 (Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations): The VSLs are based on a single violation and not cumulative
violations.
VSLs for EOP-004-2 Requirement R3:
R#: R3
Compliance with NERC’s VSL Guidelines: Meets NERC’s VSL guidelines. There is an incremental aspect
to the violation and the VSLs follow the guidelines for incremental violations.
Guideline 1 (Violation Severity Level Assignments Should Not Have the Unintended Consequence of
Lowering the Current Level of Compliance): The proposed requirement is a new Requirement. The test
of the Operating Plan is based on the calendar year. Based on the VSL Guidance, the DSR SDT
developed four VSLs based on tardiness of the submittal of the report. If a test is not performed, then
the VSL is Severe.
Guideline 2 (Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the
Determination of Penalties; Guideline 2a: The Single Violation Severity Level Assignment Category for
"Binary" Requirements Is Not Consistent; Guideline 2b: Violation Severity Level Assignments that
Contain Ambiguous Language): The proposed VSLs do not use any ambiguous terminology, thereby
supporting uniformity and consistency in the determination of similar penalties for similar violations.
Guideline 3 (Violation Severity Level Assignment Should Be Consistent with the Corresponding
Requirement): The proposed VSLs use the same terminology as used in the associated requirement,
and are, therefore, consistent with the requirement.
Guideline 4 (Violation Severity Level Assignment Should Be Based on A Single Violation, Not on A
Cumulative Number of Violations): The VSLs are based on a single violation and not cumulative
violations.
Standard CIP-001-2a— Sabotage Reporting
A. Introduction
1. Title: Sabotage Reporting
2. Number: CIP-001-2a
3. Purpose: Disturbances or unusual occurrences, suspected or determined to be caused by
sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory
bodies.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Transmission Owners (only in ERCOT Region).
4.7. Generator Owners (only in ERCOT Region).
5. Effective Date: ERCOT Regional Variance will be effective the first day of
the first calendar quarter after applicable regulatory approval.
B. Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the recognition of and for making
their operating personnel aware of sabotage events on its facilities and multi-site sabotage
affecting larger portions of the Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of information
concerning sabotage events to appropriate parties in the Interconnection.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall provide its operating personnel with sabotage response
guidelines, including personnel to contact, for reporting disturbances due to sabotage events.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall establish communications contacts, as applicable, with
local Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP)
officials and develop reporting procedures as appropriate to their circumstances.
C. Measures
M1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request a procedure (either
electronic or hard copy) as defined in Requirement 1.
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request the procedures or
guidelines that will be used to confirm that it meets Requirements 2 and 3.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request evidence that could
include, but is not limited to procedures, policies, a letter of understanding, communication
records, or other equivalent evidence that will be used to confirm that it has established
communications contacts with the applicable, local FBI or RCMP officials to communicate
sabotage events (Requirement 4).
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Regional Reliability Organizations shall be responsible for compliance monitoring.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to verify compliance:
- Self-certification (Conducted annually with submission according to schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made within 60
days of an event or complaint of noncompliance. The entity will have up to 30 days
to prepare for the investigation. An entity may request an extension of the
preparation period and the extension will be considered by the Compliance Monitor
on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Reliability Coordinator, Transmission Operator, Generator Operator, Distribution
Provider, and Load Serving Entity shall have current, in-force documents available as
evidence of compliance as specified in each of the Measures.
If an entity is found non-compliant the entity shall keep information related to the noncompliance until found compliant or for two years plus the current year, whichever is
longer.
Evidence used as part of a triggered investigation shall be retained by the entity being
investigated for one year from the date that the investigation is closed, as determined by
the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested and
submitted subsequent compliance records.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance:
2.1. Level 1: There shall be a separate Level 1 non-compliance, for every one of the
following requirements that is in violation:
2.1.1 Does not have procedures for the recognition of and for making its operating
personnel aware of sabotage events (R1).
2.1.2 Does not have procedures or guidelines for the communication of information
concerning sabotage events to appropriate parties in the Interconnection (R2).
2.1.3 Has not established communications contacts, as specified in R4.
2.2. Level 2: Not applicable.
2.3. Level 3: Has not provided its operating personnel with sabotage response procedures or
guidelines (R3).
2.4. Level 4: Not applicable.
E. ERCOT Interconnection-wide Regional Variance
Requirements
EA.1. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have procedures for the recognition of and for making their operating
personnel aware of sabotage events on its facilities and multi-site sabotage affecting
larger portions of the Interconnection.
EA.2. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have procedures for the communication of information concerning
sabotage events to appropriate parties in the Interconnection.
EA.3. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall provide its operating personnel with sabotage response guidelines,
including personnel to contact, for reporting disturbances due to sabotage events.
EA.4. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall establish communications contacts with local Federal Bureau of
Investigation (FBI) officials and develop reporting procedures as appropriate to their
circumstances.
Measures
M.A.1. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request a procedure (either electronic or hard
copy) as defined in Requirement EA1.
M.A.2. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request the procedures or guidelines that will be
used to confirm that it meets Requirements EA2 and EA3.
M.A.3. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request evidence that could include, but is not
limited to, procedures, policies, a letter of understanding, communication records,
or other equivalent evidence that will be used to confirm that it has established
communications contacts with the local FBI officials to communicate sabotage
events (Requirement EA4).
Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
Regional Entity shall be responsible for compliance monitoring.
1.2. Data Retention
Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have current, in-force documents available as evidence of compliance
as specified in each of the Measures.
If an entity is found non-compliant the entity shall keep information related to the
non-compliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Amended
1 | April 4, 2007 | Regulatory Approval — Effective Date | New
1a | February 16, 2010 | Added Appendix 1 — Interpretation of R2 approved by the NERC Board of Trustees | Addition
1a | February 2, 2011 | Interpretation of R2 approved by FERC on February 2, 2011 | Same addition
 | June 10, 2010 | TRE regional ballot approved variance | By Texas RE
 | August 24, 2010 | Regional Variance Approved by Texas RE Board of Directors |
2a | February 16, 2011 | Approved by NERC Board of Trustees |
2a | August 2, 2011 | FERC Order issued approving Texas RE Regional Variance |
Appendix 1
Requirement Number and Text of Requirement
CIP-001-1:
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of information
concerning sabotage events to appropriate parties in the Interconnection.
Question
Please clarify what is meant by the term, “appropriate parties.” Moreover, who within the Interconnection
hierarchy deems parties to be appropriate?
Response
The drafting team interprets the phrase “appropriate parties in the Interconnection” to refer collectively to
entities with whom the reporting party has responsibilities and/or obligations for the communication of
physical or cyber security event information. For example, reporting responsibilities result from NERC
standards IRO-001 Reliability Coordination — Responsibilities and Authorities, COM-002-2
Communication and Coordination, and TOP-001 Reliability Responsibilities and Authorities, among
others. Obligations to report could also result from agreements, processes, or procedures with other
parties, such as may be found in operating agreements and interconnection agreements.
The drafting team asserts that those entities to which communicating sabotage events is appropriate would
be identified by the reporting entity and documented within the procedure required in CIP-001-1
Requirement R2.
Regarding “who within the Interconnection hierarchy deems parties to be appropriate,” the drafting team
knows of no interconnection authority that has such a role.
Standard EOP-004-1 — Disturbance Reporting
A. Introduction
1. Title: Disturbance Reporting
2. Number: EOP-004-1
3. Purpose: Disturbances or unusual occurrences that jeopardize the operation of the
Bulk Electric System, or result in system equipment damage or customer interruptions,
need to be studied and understood to minimize the likelihood of similar events in the
future.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Regional Reliability Organizations.
5. Effective Date: January 1, 2007
B. Requirements
R1.
Each Regional Reliability Organization shall establish and maintain a Regional
reporting procedure to facilitate preparation of preliminary and final disturbance
reports.
R2.
A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity shall promptly analyze Bulk Electric System
disturbances on its system or facilities.
R3.
A Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator or Load Serving Entity experiencing a reportable incident shall provide a
preliminary written report to its Regional Reliability Organization and NERC.
R3.1.
The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator or Load Serving Entity shall submit within 24
hours of the disturbance or unusual occurrence either a copy of the report
submitted to DOE, or, if no DOE report is required, a copy of the NERC
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report form. Events that are not identified until some time after they occur
shall be reported within 24 hours of being recognized.
R3.2. Applicable reporting forms are provided in Attachments 1-EOP-004 and 2-EOP-004.
R3.3. Under certain adverse conditions, e.g., severe weather, it may not be possible
to assess the damage caused by a disturbance and issue a written
Interconnection Reliability Operating Limit and Preliminary Disturbance
Report within 24 hours. In such cases, the affected Reliability Coordinator,
Balancing Authority, Transmission Operator, Generator Operator, or Load
Serving Entity shall promptly notify its Regional Reliability Organization(s)
and NERC, and verbally provide as much information as is available at that
time. The affected Reliability Coordinator, Balancing Authority, Transmission
Operator, Generator Operator, or Load Serving Entity shall then provide
timely, periodic verbal updates until adequate information is available to issue
a written Preliminary Disturbance Report.
Adopted by Board of Trustees: November 1, 2006
Effective Date: January 1, 2007
R3.4. If, in the judgment of the Regional Reliability Organization, after consultation
with the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, or Load Serving Entity in which a disturbance occurred, a
final report is required, the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
shall prepare this report within 60 days. As a minimum, the final report shall
have a discussion of the events and its cause, the conclusions reached, and
recommendations to prevent recurrence of this type of event. The report shall
be subject to Regional Reliability Organization approval.
R4. When a Bulk Electric System disturbance occurs, the Regional Reliability Organization
shall make its representatives on the NERC Operating Committee and Disturbance
Analysis Working Group available to the affected Reliability Coordinator, Balancing
Authority, Transmission Operator, Generator Operator, or Load Serving Entity
immediately affected by the disturbance for the purpose of providing any needed
assistance in the investigation and to assist in the preparation of a final report.
R5. The Regional Reliability Organization shall track and review the status of all final
report recommendations at least twice each year to ensure they are being acted upon in
a timely manner. If any recommendation has not been acted on within two years, or if
Regional Reliability Organization tracking and review indicates at any time that any
recommendation is not being acted on with sufficient diligence, the Regional
Reliability Organization shall notify the NERC Planning Committee and Operating
Committee of the status of the recommendation(s) and the steps the Regional
Reliability Organization has taken to accelerate implementation.
C. Measures
M1. The Regional Reliability Organization shall have and provide upon request as
evidence, its current regional reporting procedure that is used to facilitate preparation
of preliminary and final disturbance reports. (Requirement 1)
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load-Serving Entity that has a reportable incident shall have and provide
upon request evidence that could include, but is not limited to, the preliminary report,
computer printouts, operator logs, or other equivalent evidence that will be used to
confirm that it prepared and delivered the NERC Interconnection Reliability Operating
Limit and Preliminary Disturbance Reports to NERC within 24 hours of its recognition
as specified in Requirement 3.1.
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and/or Load Serving Entity that has a reportable incident shall have and
provide upon request evidence that could include, but is not limited to, operator logs,
voice recordings or transcripts of voice recordings, electronic communications, or other
equivalent evidence that will be used to confirm that it provided information verbally
as time permitted, when system conditions precluded the preparation of a report in 24
hours. (Requirement 3.3)
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
NERC shall be responsible for compliance monitoring of the Regional Reliability
Organizations.
Regional Reliability Organizations shall be responsible for compliance monitoring
of Reliability Coordinators, Balancing Authorities, Transmission Operators,
Generator Operators, and Load-serving Entities.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to assess compliance:
- Self-certification (Conducted annually with submission according to
schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to
prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made
within 60 days of an event or complaint of noncompliance. The entity will
have up to 30 days to prepare for the investigation. An entity may request an
extension of the preparation period and the extension will be considered by
the Compliance Monitor on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of noncompliance.
1.3. Data Retention
Each Regional Reliability Organization shall have its current, in-force, regional
reporting procedure as evidence of compliance. (Measure 1)
Each Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator, and/or Load Serving Entity that is either involved in a Bulk
Electric System disturbance or has a reportable incident shall keep data related to
the incident for a year from the event or for the duration of any regional
investigation, whichever is longer. (Measures 2 through 4)
If an entity is found non-compliant the entity shall keep information related to the
noncompliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor.
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
1.4. Additional Compliance Information
See Attachments:
- EOP-004 Disturbance Reporting Form
- Table 1 EOP-004
2. Levels of Non-Compliance for a Regional Reliability Organization
2.1. Level 1: Not applicable.
2.2. Level 2: Not applicable.
2.3. Level 3: Not applicable.
2.4. Level 4: No current procedure to facilitate preparation of preliminary and final
disturbance reports as specified in R1.
3. Levels of Non-Compliance for a Reliability Coordinator, Balancing Authority,
Transmission Operator, Generator Operator, and Load-Serving Entity:
3.1. Level 1: There shall be a level one non-compliance if any of the following
conditions exist:
3.1.1 Failed to prepare and deliver the NERC Interconnection Reliability
Operating Limit and Preliminary Disturbance Reports to NERC within 24
hours of its recognition as specified in Requirement 3.1
3.1.2 Failed to provide disturbance information verbally as time permitted,
when system conditions precluded the preparation of a report in 24 hours
as specified in R3.3
3.1.3 Failed to prepare a final report within 60 days as specified in R3.4
3.2. Level 2: Not applicable.
3.3. Level 3: Not applicable
3.4. Level 4: Not applicable.
E. Regional Differences
None identified.
Version History
Version | Date | Action | Change Tracking
0 | April 1, 2005 | Effective Date | New
0 | May 23, 2005 | Fixed reference to attachments 1-EOP-004-0 and 2-EOP-004-0, Changed chart title 1-FAC-004-0 to 1-EOP-004-0, Fixed title of Table 1 to read 1-EOP-004-0, and fixed font. | Errata
0 | July 6, 2005 | Fixed email in Attachment 1-EOP-004-0 from info@nerc.com to esisac@nerc.com. | Errata
0 | July 26, 2005 | Fixed Header on page 8 to read EOP-004-0 | Errata
0 | August 8, 2005 | Removed “Proposed” from Effective Date | Errata
1 | November 1, 2006 | Adopted by Board of Trustees | Revised
Attachment 1-EOP-004
NERC Disturbance Report Form
Introduction
These disturbance reporting requirements apply to all Reliability Coordinators, Balancing
Authorities, Transmission Operators, Generator Operators, and Load Serving Entities, and
provide a common basis for all NERC disturbance reporting. The entity on whose system a
reportable disturbance occurs shall notify NERC and its Regional Reliability Organization of the
disturbance using the NERC Interconnection Reliability Operating Limit and Preliminary
Disturbance Report forms. Reports can be sent to NERC via email (esisac@nerc.com) or by
facsimile (609-452-9550) using the NERC Interconnection Reliability Operating Limit and
Preliminary Disturbance Report forms. If a disturbance is to be reported to the U.S. Department
of Energy also, the responding entity may use the DOE reporting form when reporting to NERC.
Note: All Emergency Incident and Disturbance Reports (Schedules 1 and 2) sent to DOE shall be
simultaneously sent to NERC, preferably electronically at esisac@nerc.com.
The NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Reports are
to be made for any of the following events:
1. The loss of a bulk power transmission component that significantly affects the integrity of
interconnected system operations. Generally, a disturbance report will be required if the
event results in actions such as:
a. Modification of operating procedures.
b. Modification of equipment (e.g. control systems or special protection systems) to
prevent reoccurrence of the event.
c. Identification of valuable lessons learned.
d. Identification of non-compliance with NERC standards or policies.
e. Identification of a disturbance that is beyond recognized criteria, i.e. three-phase fault
with breaker failure, etc.
f. Frequency or voltage going below the under-frequency or under-voltage load shed
points.
2. The occurrence of an interconnected system separation or system islanding or both.
3. Loss of generation by a Generator Operator, Balancing Authority, or Load-Serving Entity
2,000 MW or more in the Eastern Interconnection or Western Interconnection and 1,000
MW or more in the ERCOT Interconnection.
4. Equipment failures/system operational actions which result in the loss of firm system
demands for more than 15 minutes, as described below:
a. Entities with a previous year recorded peak demand of more than 3,000 MW are
required to report all such losses of firm demands totaling more than 300 MW.
b. All other entities are required to report all such losses of firm demands totaling more
than 200 MW or 50% of the total customers being supplied immediately prior to the
incident, whichever is less.
5. Firm load shedding of 100 MW or more to maintain the continuity of the bulk electric
system.
6. Any action taken by a Generator Operator, Transmission Operator, Balancing Authority, or
Load-Serving Entity that results in:
a. Sustained voltage excursions equal to or greater than ±10%, or
b. Major damage to power system components, or
c. Failure, degradation, or misoperation of system protection, special protection schemes,
remedial action schemes, or other operating systems that do not require operator
intervention, which did result in, or could have resulted in, a system disturbance as
defined by steps 1 through 5 above.
7. An Interconnection Reliability Operating Limit (IROL) violation as required in reliability
standard TOP-007.
8. Any event that the Operating Committee requests to be submitted to Disturbance Analysis
Working Group (DAWG) for review because of the nature of the disturbance and the
insight and lessons the electricity supply and delivery industry could learn.
NERC Interconnection Reliability Operating Limit and Preliminary Disturbance
Report
Check here if this is an Interconnection Reliability Operating Limit (IROL) violation report.
1. Organization filing report.
2. Name of person filing report.
3. Telephone number.
4. Date and time of disturbance.
Date:(mm/dd/yy)
Time/Zone:
5. Did the disturbance originate in your
system?
Yes
No
6. Describe disturbance including: cause,
equipment damage, critical services
interrupted, system separation, key
scheduled and actual flows prior to
disturbance and in the case of a
disturbance involving a special
protection or remedial action scheme,
what action is being taken to prevent
recurrence.
7. Generation tripped.
MW Total
List generation tripped
8. Frequency.
Just prior to disturbance (Hz):
Immediately after disturbance (Hz
max.):
Immediately after disturbance (Hz
min.):
9. List transmission lines tripped (specify
voltage level of each line).
10.
FIRM
INTERRUPTIBLE
Demand tripped (MW):
Number of affected Customers:
Demand lost (MW-Minutes):
11. Restoration time.
INITIAL
FINAL
Transmission:
Generation:
Demand:
Attachment 2-EOP-004
U.S. Department of Energy Disturbance Reporting Requirements
Introduction
The U.S. Department of Energy (DOE), under its relevant authorities, has established mandatory
reporting requirements for electric emergency incidents and disturbances in the United States.
DOE collects this information from the electric power industry on Form EIA-417 to meet its
overall national security and Federal Energy Management Agency’s Federal Response Plan
(FRP) responsibilities. DOE will use the data from this form to obtain current information
regarding emergency situations on U.S. electric energy supply systems. DOE’s Energy
Information Administration (EIA) will use the data for reporting on electric power emergency
incidents and disturbances in monthly EIA reports. In addition, the data may be used to develop
legislative recommendations, reports to the Congress and as a basis for DOE investigations
following severe, prolonged, or repeated electric power reliability problems.
Every Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator
or Load Serving Entity must use this form to submit mandatory reports of electric power system
incidents or disturbances to the DOE Operations Center, which operates on a 24-hour basis,
seven days a week. All other entities operating electric systems have filing responsibilities to
provide information to the Reliability Coordinator, Balancing Authority, Transmission Operator,
Generator Operator or Load Serving Entity when necessary for their reporting obligations and to
file form EIA-417 in cases where these entities will not be involved. EIA requests that it be
notified of those that plan to file jointly and of those electric entities that want to file separately.
Special reporting provisions exist for those electric utilities located within the United States, but
for whom Reliability Coordinator oversight responsibilities are handled by electrical systems
located across an international border. A foreign utility handling U.S. Balancing Authority
responsibilities, may wish to file this information voluntarily to the DOE. Any U.S.-based utility
in this international situation needs to inform DOE that these filings will come from a foreign-based electric system or file the required reports themselves.
Form EIA-417 must be submitted to the DOE Operations Center if any one of the following
applies (see Table 1-EOP-004-0 — Summary of NERC and DOE Reporting Requirements for
Major Electric System Emergencies):
1. Uncontrolled loss of 300 MW or more of firm system load for more than 15 minutes from a
single incident.
2. Load shedding of 100 MW or more implemented under emergency operational policy.
3. System-wide voltage reductions of 3 percent or more.
4. Public appeal to reduce the use of electricity for purposes of maintaining the continuity of the
electric power system.
5. Actual or suspected physical attacks that could impact electric power system adequacy or
reliability; or vandalism, which target components of any security system. Actual or
suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
6. Actual or suspected cyber or communications attacks that could impact electric power system
adequacy or vulnerability.
7. Fuel supply emergencies that could impact electric power system adequacy or reliability.
8. Loss of electric service to more than 50,000 customers for one hour or more.
9. Complete operational failure or shut-down of the transmission and/or distribution electrical
system.
The initial DOE Emergency Incident and Disturbance Report (form EIA-417 – Schedule 1) shall
be submitted to the DOE Operations Center within 60 minutes of the time of the system
disruption. Complete information may not be available at the time of the disruption. However,
provide as much information as is known or suspected at the time of the initial filing. If the
incident is having a critical impact on operations, a telephone notification to the DOE Operations
Center (202-586-8100) is acceptable, pending submission of the completed form EIA-417.
Electronic submission via an on-line web-based form is the preferred method of notification.
However, electronic submission by facsimile or email is acceptable.
An updated form EIA-417 (Schedule 1 and 2) is due within 48 hours of the event to provide
complete disruption information. Electronic submission via facsimile or email is the preferred
method of notification. Detailed DOE Incident and Disturbance reporting requirements can be
found at: http://www.eia.doe.gov/cneaf/electricity/page/form_417.html.
Table 1-EOP-004-0
Summary of NERC and DOE Reporting Requirements for Major Electric System
Emergencies
Incident No. | Incident | Threshold | Report Required | Time
1 | Uncontrolled loss of Firm System Load | ≥ 300 MW – 15 minutes or more | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
2 | Load Shedding | ≥ 100 MW under emergency operational policy | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
3 | Voltage Reductions | 3% or more – applied system-wide | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
4 | Public Appeals | Emergency conditions to reduce demand | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
5 | Physical sabotage, terrorism or vandalism | On physical security systems – suspected or real | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
6 | Cyber sabotage, terrorism or vandalism | If the attempt is believed to have or did happen | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
7 | Fuel supply emergencies | Fuel inventory or hydro storage levels ≤ 50% of normal | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
8 | Loss of electric service | ≥ 50,000 for 1 hour or more | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
9 | Complete operation failure of electrical system | If isolated or interconnected electrical systems suffer total electrical system collapse | EIA – Sch-1; EIA – Sch-2 | 1 hour; 48 hour
All DOE EIA-417 Schedule 1 reports are to be filed within 60-minutes after the start of an
incident or disturbance
All DOE EIA-417 Schedule 2 reports are to be filed within 48-hours after the start of an
incident or disturbance
All entities required to file a DOE EIA-417 report (Schedule 1 & 2) shall send a copy of these
reports to NERC simultaneously, but no later than 24 hours after the start of the incident or
disturbance.
Incident No. | Incident | Threshold | Report Required | Time
1 | Loss of major system component | Significantly affects integrity of interconnected system operations | NERC Prelim; Final report | 24 hour; 60 day
2 | Interconnected system separation or system islanding | Total system shutdown; Partial shutdown, separation, or islanding | NERC Prelim; Final report | 24 hour; 60 day
3 | Loss of generation | ≥ 2,000 – Eastern Interconnection; ≥ 2,000 – Western Interconnection; ≥ 1,000 – ERCOT Interconnection | NERC Prelim; Final report | 24 hour; 60 day
4 | Loss of firm load ≥15-minutes | Entities with peak demand ≥3,000: loss ≥300 MW; All others ≥200MW or 50% of total demand | NERC Prelim; Final report | 24 hour; 60 day
5 | Firm load shedding | ≥100 MW to maintain continuity of bulk system | NERC Prelim; Final report | 24 hour; 60 day
6 | System operation or operation actions resulting in: | Voltage excursions ≥10%; Major damage to system components; Failure, degradation, or misoperation of SPS | NERC Prelim; Final report | 24 hour; 60 day
7 | IROL violation | Reliability standard TOP-007. | NERC Prelim; Final report | 72 hour; 60 day
8 | As requested by ORS Chairman | Due to nature of disturbance & usefulness to industry (lessons learned) | NERC Prelim; Final report | 24 hour; 60 day
All NERC Operating Security Limit and Preliminary Disturbance reports will be filed within 24
hours after the start of the incident. If an entity must file a DOE EIA-417 report on an incident,
which requires a NERC Preliminary report, the Entity may use the DOE EIA-417 form for both
DOE and NERC reports.
Any entity reporting a DOE or NERC incident or disturbance has the responsibility to also
notify its Regional Reliability Organization.
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Recirculation Ballot and Non-Binding Poll Open Through 8 p.m. Friday,
November 2, 2012
Now Available
A recirculation ballot of EOP-004-2 – Event Reporting and a non-binding poll of the associated
VRFs/VSLs is open through 8 p.m. Eastern on Friday, November 2, 2012
After considering stakeholder comments from the formal comment period and successive ballot that
ended on September 27, 2012, the drafting team made no substantive changes to the Requirements of
the standard, but did make a clarifying change to Requirement R2 concerning the 24-hour reporting
obligation to provide flexibility for support staff to assist with after-the-fact reporting. In addition, the
team provided clarification in the Guideline and Technical Basis concerning how the standard is
intended to apply to Distribution Providers who do not own BES Facilities, and to clarify that entities
registered for multiple functions will only need to submit a single report of an individual event.
Finally, in response to stakeholder comments, the drafting team has revised the VSLs for Requirement
R1 to provide gradation in the VSL for failure to incorporate one or more event types in the entity’s
Operating Plan. NOTE: Although the drafting team was not required to conduct an additional non-binding poll of the VSLs, they would like to gauge industry support for the VSLs as modified, and
therefore, a non-binding poll of the VRFs and VSLs is being conducted in conjunction with the
recirculation ballot.
Instructions
In the recirculation ballot, votes are counted by exception. Only members of the ballot pool may cast a
ballot; all ballot pool members may change their previously cast votes. A ballot pool member who failed to
cast a ballot during the last ballot window may cast a ballot in the recirculation ballot window. If a ballot
pool member does not participate in the recirculation ballot, that member’s vote cast in the previous ballot
will be carried over as that member’s vote in the recirculation ballot.
Members of the ballot pools associated with this project may log in and submit their votes and opinions for
the standard and VSL changes by clicking here.
Next Steps
The drafting team plans to submit EOP-004-2 to the Board of Trustees for adoption in November and
then file the adopted standard with the appropriate regulatory authorities.
Background
The DSR SDT has developed EOP-004-2 to replace the current mandatory and enforceable EOP-004-1
and CIP-001-1a standards. The reporting obligations under EOP-004-2 serve to provide input to the
NERC Events Analysis Program. Analysis of events is not required under the proposed standard and any
analysis or investigation will fall under the Event Analysis Program under the NERC Rules of Procedure.
Additional information is available on the project page.
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development
process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Development Administrator, at monica.benson@nerc.net or at 404-446-2560.
North American Electric Reliability Corporation
3353 Peachtree Rd.NE
Suite 600, North Tower
Atlanta, GA 30326
404-446-2560 | www.nerc.com
Standards Announcement: Project 2009-01 DSR
Standards Announcement
Project 2009-01 Disturbance and Sabotage Reporting
Recirculation Ballot and Non-Binding Poll Results
Now Available
A recirculation ballot of EOP-004-2 – Event Reporting and a non-binding poll of the associated
VRFs/VSLs concluded on Monday, November 5, 2012.
Voting statistics for each ballot are listed below, and the Ballots Results page provides a link to the
detailed results.
Approval
Quorum: 85.14%
Approval: 71.39%
Non-binding Poll Results
Quorum: 78.93%
Supportive Opinions: 71.04%
Next Steps
The standard will be presented to the Board of Trustees for adoption and then filed with the
appropriate regulatory authorities.
Background
The DSR SDT has developed EOP-004-2 to replace the current mandatory and enforceable EOP-004-1
and CIP-001-2a standards. The reporting obligations under EOP-004-2 serve to provide input to the
NERC Events Analysis Program. Analysis of events is not required under the proposed standard and any
analysis or investigation will fall under the Event Analysis Program under the NERC Rules of Procedure.
Additional information is available on the project page.
Standards Process
The Standard Processes Manual contains all the procedures governing the standards development
process. The success of the NERC standards development process depends on stakeholder
participation. We extend our thanks to all those who participate.
For more information or assistance, please contact Monica Benson,
Standards Development Administrator, at monica.benson@nerc.net or at 404-446-2560.
North American Electric Reliability Corporation
3353 Peachtree Rd.NE
Suite 600, North Tower
Atlanta, GA 30326
404-446-2560 | www.nerc.com
NERC Standards
Ballot Results
Ballot Name: Project 2009-01 DSR Recirculation Ballot October 2012_in
Ballot Period: 10/24/2012 - 11/5/2012
Ballot Type: Initial
Total # Votes: 361
Total Ballot Pool: 424
Quorum: 85.14 % The Quorum has been reached
Weighted Segment Vote: 71.39 %
Ballot Results: The Standard has Passed
Summary of Ballot Results
Segment | Ballot Pool | Segment Weight | Affirmative # Votes | Affirmative Fraction | Negative # Votes | Negative Fraction | Abstain # Votes | No Vote
1 - Segment 1. | 104 | 1 | 57 | 0.704 | 24 | 0.296 | 9 | 14
2 - Segment 2. | 11 | 0.8 | 4 | 0.4 | 4 | 0.4 | 2 | 1
3 - Segment 3. | 108 | 1 | 58 | 0.674 | 28 | 0.326 | 8 | 14
4 - Segment 4. | 37 | 1 | 22 | 0.759 | 7 | 0.241 | 3 | 5
5 - Segment 5. | 91 | 1 | 53 | 0.757 | 17 | 0.243 | 6 | 15
6 - Segment 6. | 53 | 1 | 30 | 0.789 | 8 | 0.211 | 5 | 10
7 - Segment 7. | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
8 - Segment 8. | 8 | 0.7 | 6 | 0.6 | 1 | 0.1 | 0 | 1
9 - Segment 9. | 4 | 0.3 | 2 | 0.2 | 1 | 0.1 | 0 | 1
10 - Segment 10. | 8 | 0.6 | 4 | 0.4 | 2 | 0.2 | 0 | 2
Totals | 424 | 7.4 | 236 | 5.283 | 92 | 2.117 | 33 | 63
Individual Ballot Pool Results
Segment
1
1
1
1
1
1
1
1
Organization
Ameren Services
American Electric Power
American Transmission Company, LLC
Arizona Public Service Co.
Associated Electric Cooperative, Inc.
Austin Energy
Avista Corp.
Balancing Authority of Northern California
Member
Kirit Shah
Paul B. Johnson
Andrew Z Pusztai
Robert Smith
John Bussman
James Armke
Scott J Kinney
Kevin Smith
https://standards.nerc.net/BallotResults.aspx?BallotGUID=d11b7d42-5b08-416e-bbcd-d7e7da7ad7af[11/7/2012 8:39:45 AM]
Ballot
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Comments
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Baltimore Gas & Electric Company
BC Hydro and Power Authority
Beaches Energy Services
Black Hills Corp
Bonneville Power Administration
Brazos Electric Power Cooperative, Inc.
CenterPoint Energy Houston Electric, LLC
Central Maine Power Company
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma Power
Clark Public Utilities
Colorado Springs Utilities
Consolidated Edison Co. of New York
CPS Energy
Dairyland Power Coop.
Dayton Power & Light Co.
Deseret Power
Dominion Virginia Power
Duke Energy Carolina
East Kentucky Power Coop.
Empire District Electric Co.
Entergy Services, Inc.
FirstEnergy Corp.
Florida Keys Electric Cooperative Assoc.
Florida Power & Light Co.
Gainesville Regional Utilities
Georgia Transmission Corporation
Grand River Dam Authority
Great River Energy
Hoosier Energy Rural Electric Cooperative,
Inc.
Hydro One Networks, Inc.
Hydro-Quebec TransEnergie
Idaho Power Company
Imperial Irrigation District
International Transmission Company Holdings
Corp
JEA
Kansas City Power & Light Co.
Keys Energy Services
Lakeland Electric
Lee County Electric Cooperative
Lincoln Electric System
Los Angeles Department of Water & Power
Lower Colorado River Authority
Manitoba Hydro
MEAG Power
MidAmerican Energy Co.
Minnkota Power Coop. Inc.
National Grid
Nebraska Public Power District
New Brunswick Power Transmission
Corporation
New York Power Authority
New York State Electric & Gas Corp.
Northeast Utilities
Northern Indiana Public Service Co.
NorthWestern Energy
Ohio Valley Electric Corp.
Oklahoma Gas and Electric Co.
Omaha Public Power District
Oncor Electric Delivery
Orlando Utilities Commission
PacifiCorp
PECO Energy
Platte River Power Authority
Portland General Electric Co.
Potomac Electric Power Co.
Gregory S Miller
Patricia Robertson
Joseph S Stonecipher
Eric Egge
Donald S. Watkins
Tony Kroskey
John Brockhan
Joseph Turano Jr.
Affirmative
Abstain
Negative
Chang G Choi
Affirmative
Jack Stamper
Paul Morland
Christopher L de Graffenried
Richard Castrejana
Robert W. Roddy
Hertzel Shamash
James Tucker
Michael S Crowley
Douglas E. Hils
George S. Carruba
Ralph F Meyer
Edward J Davis
William J Smith
Dennis Minton
Mike O'Neil
Luther E. Fair
Jason Snodgrass
James M Stafford
Gordon Pietsch
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Bob Solomon
Affirmative
Negative
Negative
Affirmative
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Negative
Negative
Ajay Garg
Bernard Pelletier
Ronald D Schellberg
Tino Zaragoza
Negative
Affirmative
Michael Moltane
Affirmative
Ted Hobson
Michael Gammon
Stanley T Rzad
Larry E Watt
John W Delucca
Doug Bantam
Ly M Le
Martyn Turner
Joe D Petaski
Danny Dees
Terry Harbour
Richard Burt
Saurabh Saksena
Cole C Brodine
Affirmative
Randy MacDonald
Arnold J. Schuff
Raymond P Kinney
David Boguslawski
Kevin M Largura
John Canavan
Robert Mattey
Marvin E VanBebber
Doug Peterchuck
Brenda Pulis
Brad Chase
Ryan Millard
Ronald Schloendorn
John C. Collins
John T Walker
David Thorne
https://standards.nerc.net/BallotResults.aspx?BallotGUID=d11b7d42-5b08-416e-bbcd-d7e7da7ad7af[11/7/2012 8:39:45 AM]
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Affirmative
Abstain
Affirmative
Abstain
Negative
Negative
Affirmative
Negative
Abstain
Affirmative
Abstain
Affirmative
Affirmative
Affirmative
NERC Standards
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
PowerSouth Energy Cooperative
PPL Electric Utilities Corp.
Progress Energy Carolinas
Public Service Company of New Mexico
Public Service Electric and Gas Co.
Public Utility District No. 1 of Okanogan
County
Public Utility District No. 2 of Grant County
Puget Sound Energy, Inc.
Raj Rana
Rochester Gas and Electric Corp.
Sacramento Municipal Utility District
Salmon River Electric Cooperative
Salt River Project
Santee Cooper
SCE&G
Seattle City Light
Sho-Me Power Electric Cooperative
Sierra Pacific Power Co.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Services, Inc.
Southern Illinois Power Coop.
Southwest Transmission Cooperative, Inc.
Sunflower Electric Power Corporation
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Tucson Electric Power Co.
United Illuminating Co.
Westar Energy
Western Area Power Administration
Xcel Energy, Inc.
Alberta Electric System Operator
2
BC Hydro
2
2
2
2
2
2
2
2
2
3
3
3
3
3
3
3
3
3
3
3
3
California ISO
Electric Reliability Council of Texas, Inc.
Independent Electricity System Operator
ISO New England, Inc.
Midwest ISO, Inc.
New Brunswick System Operator
New York Independent System Operator
PJM Interconnection, L.L.C.
Southwest Power Pool, Inc.
AEP
Alabama Power Company
Alameda Municipal Power
Ameren Services
American Public Power Association
Anaheim Public Utilities Dept.
APS
Arkansas Electric Cooperative Corporation
Atlantic City Electric Company
BC Hydro and Power Authority
Blachly-Lane Electric Co-op
Bonneville Power Administration
Central Electric Cooperative, Inc. (Redmond,
Oregon)
Central Lincoln PUD
City of Alexandria
City of Austin dba Austin Energy
City of Bartow, Florida
City of Clewiston
City of Farmington
City of Garland
City of Green Cove Springs
City of Palo Alto
1
3
3
3
3
3
3
3
3
3
3
Larry D Avery
Brenda L Truhe
Brett A. Koelsch
Laurie Williams
Kenneth D. Brown
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Dale Dunckel
Affirmative
Kyle M. Hussey
Denise M Lietz
Rajendrasinh D Rana
John C. Allen
Tim Kelley
Kathryn J Spence
Robert Kondziolka
Terry L Blackwell
Henry Delk, Jr.
Pawel Krupa
Denise Stevens
Rich Salgo
Long T Duong
Steven Mavis
Robert A. Schaffeld
William Hutchison
James Jones
Noman Lee Williams
Beth Young
Larry G Akens
Tracy Sliman
John Tolo
Jonathan Appelbaum
Allen Klassen
Brandy A Dunn
Gregory L Pieper
Mark B Thompson
Venkataramakrishnan
Vinnakota
Rich Vine
Charles B Manning
Barbara Constantinescu
Kathleen Goodman
Marie Knox
Alden Briggs
Gregory Campoli
Tom Bowe
Charles H. Yeung
Michael E Deloach
Richard J. Mandes
Douglas Draeger
Mark Peters
Nathan Mitchell
Kelly Nguyen
Steven Norris
Philip Huff
NICOLE BUCKMAN
Pat G. Harrington
Bud Tracy
Rebecca Berdahl
Dave Markham
Steve Alexanderson
Michael Marcotte
Andrew Gallo
Matt Culverhouse
Lynne Mila
Linda R Jacobson
Ronnie C Hoeinghaus
Gregg R Griffin
Eric R Scott
Negative
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Negative
Negative
Negative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
Negative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Affirmative
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
City of Redding
Clatskanie People's Utility District
Clearwater Power Co.
Cleco Corporation
Colorado Springs Utilities
ComEd
Consolidated Edison Co. of New York
Constellation Energy
Consumers Energy
Consumers Power Inc.
Coos-Curry Electric Cooperative, Inc
Cowlitz County PUD
CPS Energy
Delmarva Power & Light Co.
Detroit Edison Company
Dominion Resources Services
Duke Energy Carolina
Entergy
Fall River Rural Electric Cooperative
FirstEnergy Energy Delivery
Florida Municipal Power Agency
Florida Power Corporation
Georgia Power Company
Georgia Systems Operations Corporation
Grays Harbor PUD
Great River Energy
Gulf Power Company
Hydro One Networks, Inc.
Imperial Irrigation District
JEA
Kansas City Power & Light Co.
Kissimmee Utility Authority
Kootenai Electric Cooperative
Lakeland Electric
Lane Electric Cooperative, Inc.
Lincoln Electric System
Los Angeles Department of Water & Power
Louisville Gas and Electric Co.
Manitoba Hydro
Manitowoc Public Utilities
MidAmerican Energy Co.
Mississippi Power
Modesto Irrigation District
Municipal Electric Authority of Georgia
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
Niagara Mohawk (National Grid Company)
North Carolina Electric Membership Corp.
Northern Indiana Public Service Co.
Northern Lights Inc.
Ocala Electric Utility
Old Dominion Electric Coop.
Orange and Rockland Utilities, Inc.
Orlando Utilities Commission
Owensboro Municipal Utilities
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
PNM Resources
Potomac Electric Power Co.
Progress Energy Carolinas
Public Service Electric and Gas Co.
Public Utility District No. 1 of Benton County
Public Utility District No. 1 of Clallam County
Puget Sound Energy, Inc.
Raft River Rural Electric Cooperative
Bill Hughes
Brian Fawcett
Dave Hagen
Michelle A Corley
Charles Morgan
Bruce Krawczyk
Peter T Yost
CJ Ingersoll
Richard Blumenstock
Roman Gillen
Roger Meader
Russell A Noble
Jose Escamilla
Michael R. Mayer
Kent Kujala
Michael F. Gildea
Henry Ernst-Jr
Joel T Plessinger
Bryan Case
Stephan Kern
Joe McKinney
Lee Schuster
Anthony L Wilson
William N. Phinney
Wesley W Gray
Brian Glover
Paul C Caldwell
David Kiguel
Jesus S. Alcaraz
Garry Baker
Charles Locke
Gregory D Woessner
Dave Kahly
Norman D Harryhill
Rick Crinklaw
Jason Fortik
Daniel D Kurowski
Charles A. Freibert
Greg C. Parent
Thomas E Reed
Thomas C. Mielnik
Jeff Franklin
Jack W Savage
Steven M. Jackson
John S Bos
Tony Eddleman
Marilyn Brown
Michael Schiavone
Doug White
William SeDoris
Jon Shelby
David Anderson
Bill Watson
David Burke
Ballard K Mutters
Thomas T Lyons
John H Hagen
Dan Zollner
Terry L Baker
Michael Mertz
Robert Reuter
Sam Waters
Jeffrey Mueller
Gloria Bender
David Proebstel
Erin Apperson
Heber Carpenter
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Negative
Negative
Negative
Affirmative
Affirmative
Negative
Negative
Abstain
Affirmative
Negative
Affirmative
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Negative
Negative
Abstain
Affirmative
Affirmative
Abstain
Negative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Affirmative
Negative
Negative
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
5
5
5
5
5
5
5
5
5
Rutherford EMC
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South Carolina Electric & Gas Co.
Southern California Edison Co.
Southern Maryland Electric Coop.
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Umatilla Electric Cooperative
Westar Energy
Wisconsin Electric Power Marketing
Wisconsin Public Service Corp.
Xcel Energy, Inc.
Alliant Energy Corp. Services, Inc.
American Municipal Power
Arkansas Electric Cooperative Corporation
Blue Ridge Power Agency
Central Lincoln PUD
City of Austin dba Austin Energy
City of Clewiston
City of New Smyrna Beach Utilities
Commission
City of Redding
City Utilities of Springfield, Missouri
Consumers Energy
Cowlitz County PUD
Detroit Edison Company
Flathead Electric Cooperative
Florida Municipal Power Agency
Fort Pierce Utilities Authority
Georgia System Operations Corporation
Illinois Municipal Electric Agency
Imperial Irrigation District
Indiana Municipal Power Agency
Integrys Energy Group, Inc.
LaGen
Madison Gas and Electric Co.
North Carolina Electric Membership Corp.
Northern California Power Agency
Ohio Edison Company
Oklahoma Municipal Power Authority
Pacific Northwest Generating Cooperative
Public Utility District No. 1 of Douglas County
Public Utility District No. 1 of Snohomish
County
Sacramento Municipal Utility District
Seattle City Light
South Mississippi Electric Power Association
Tacoma Public Utilities
West Oregon Electric Cooperative, Inc.
White River Electric Association Inc.
Wisconsin Energy Corp.
AEP Service Corp.
AES Corporation
Amerenue
Arizona Public Service Co.
Avista Corp.
BC Hydro and Power Authority
Black Hills Corp
Boise-Kuna Irrigation District/dba Lucky peak
power plant project
Bonneville Power Administration
Thomas M Haire
James Leigh-Kendall
John T. Underhill
James M Poston
Dana Wheelock
James R Frauen
Mark Oens
Hubert C Young
David B Coher
Mark R Jones
Travis Metcalfe
Ronald L. Donahey
Ian S Grant
Janelle Marriott
Steve Eldrige
Bo Jones
James R Keller
Gregory J Le Grave
Michael Ibold
Kenneth Goldsmith
Kevin Koloini
Ronnie Frizzell
Duane S Dahlquist
Shamus J Gamache
Reza Ebrahimian
Kevin McCarthy
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Affirmative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Negative
Affirmative
Affirmative
Tim Beyrle
Affirmative
Nicholas Zettel
John Allen
David Frank Ronk
Rick Syring
Daniel Herring
Russ Schneider
Frank Gaffney
Thomas Richards
Guy Andrews
Bob C. Thomas
Diana U Torres
Jack Alvey
Christopher Plante
Richard Comeaux
Joseph DePoorter
Bob Beadle
Tracy R Bibb
Douglas Hohlbaugh
Ashley Stringer
Aleka K Scott
Henry E. LuBean
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
John D Martinsen
Affirmative
Mike Ramirez
Hao Li
Steven McElhaney
Keith Morisette
Marc M Farmer
Frank L. Sampson
Anthony Jankowski
Brock Ondayko
Leo Bernier
Sam Dwyer
Edward Cambridge
Edward F. Groce
Clement Ma
George Tatar
Affirmative
Affirmative
Mike D Kukla
Francis J. Halpin
Affirmative
Negative
Abstain
Affirmative
Negative
Affirmative
Negative
Affirmative
Affirmative
Abstain
Affirmative
Abstain
Affirmative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
BrightSource Energy, Inc.
Caithness Long Island, LLC
Chelan County Public Utility District #1
City and County of San Francisco
City of Austin dba Austin Energy
City of Redding
City of Tacoma, Department of Public
Utilities, Light Division, dba Tacoma Power
City of Tallahassee
City Water, Light & Power of Springfield
Cogentrix Energy, Inc.
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Power Source Generation, Inc.
Consumers Energy Company
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources, Inc.
Duke Energy
Dynegy Inc.
E.ON Climate & Renewables North America,
LLC
Edison Mission Energy
Electric Power Supply Association
Exelon Nuclear
ExxonMobil Research and Engineering
FirstEnergy Solutions
Florida Municipal Power Agency
Great River Energy
Green Country Energy
Imperial Irrigation District
Indeck Energy Services, Inc.
JEA
Kissimmee Utility Authority
Lakeland Electric
Liberty Electric Power LLC
Lincoln Electric System
Los Angeles Department of Water & Power
Lower Colorado River Authority
Luminant Generation Company LLC
Manitoba Hydro
Massachusetts Municipal Wholesale Electric
Company
MEAG Power
MidAmerican Energy Co.
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
NextEra Energy
North Carolina Electric Membership Corp.
Northern California Power Agency
Northern Indiana Public Service Co.
Occidental Chemical
Omaha Public Power District
Orlando Utilities Commission
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Generation LLC
Progress Energy Carolinas
PSEG Fossil LLC
Public Utility District No. 1 of Lewis County
Puget Sound Energy, Inc.
Sacramento Municipal Utility District
Salt River Project
Chifong Thomas
Jason M Moore
John Yale
Daniel Mason
Jeanie Doty
Paul A. Cummings
Abstain
Negative
Affirmative
Affirmative
Max Emrick
Affirmative
Brian Horton
Steve Rose
Mike D Hirst
Jennifer Eckels
Wilket (Jack) Ng
Amir Y Hammad
David C Greyerbiehl
Bob Essex
Robert Stevens
Christy Wicke
Mike Garton
Dale Q Goodwine
Dan Roethemeyer
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Negative
Negative
Negative
Affirmative
Dana Showalter
Ellen Oswald
John R Cashin
Michael Korchynsky
Martin Kaufman
Kenneth Dresner
David Schumann
Preston L Walsh
Greg Froehling
Marcela Y Caballero
Rex A Roehl
John J Babik
Mike Blough
James M Howard
Daniel Duff
Dennis Florom
Kenneth Silver
Tom Foreman
Mike Laney
S N Fernando
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
David Gordon
Affirmative
Steven Grego
Christopher Schneider
Mike Avesing
Don Schmit
Gerald Mannarino
Allen D Schriver
Jeffrey S Brame
Hari Modi
William O. Thompson
Michelle R DAntuono
Mahmood Z. Safi
Richard K Kinas
Richard J. Padilla
Sandra L. Shaffer
Roland Thiel
Gary L Tingley
Tim Hattaway
Annette M Bannon
Wayne Lewis
Tim Kucey
Steven Grega
Tom Flynn
Bethany Hunter
William Alkema
Affirmative
Abstain
Abstain
Affirmative
Affirmative
Negative
Affirmative
Negative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Siemens PTI
Snohomish County PUD No. 1
South Mississippi Electric Power Association
Southern California Edison Co.
Southern Company Generation
Tampa Electric Co.
Tenaska, Inc.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
U.S. Army Corps of Engineers
Vandolah Power Company L.L.C.
Wisconsin Electric Power Co.
Wisconsin Public Service Corp.
Xcel Energy, Inc.
ACES Power Marketing
AEP Marketing
Ameren Energy Marketing Co.
APS
Arkansas Electric Cooperative Corporation
Bonneville Power Administration
City of Austin dba Austin Energy
City of Redding
Cleco Power LLC
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Energy Commodities Group
Dominion Resources, Inc.
Duke Energy Carolina
Entergy Services, Inc.
Exelon Power Team
FirstEnergy Solutions
Florida Municipal Power Agency
Florida Municipal Power Pool
Florida Power & Light Co.
Imperial Irrigation District
Kansas City Power & Light Co.
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water & Power
Luminant Energy
Manitoba Hydro
MidAmerican Energy Co.
New York Power Authority
North Carolina Municipal Power Agency #1
Northern Indiana Public Service Co.
Omaha Public Power District
Orlando Utilities Commission
PacifiCorp
Platte River Power Authority
PPL EnergyPlus LLC
Progress Energy
PSEG Energy Resources & Trade LLC
Public Utility District No. 1 of Chelan County
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Generation and Energy
Marketing
Tacoma Public Utilities
Tampa Electric Co.
Lewis P Pierce
Michael J. Haynes
Brenda K. Atkins
Edwin Cano
Sam Nietfeld
Jerry W Johnson
Denise Yaffe
William D Shultz
RJames Rocha
Scott M. Helyer
David Thompson
Barry Ingold
Melissa Kurtz
Douglas A. Jensen
Linda Horn
Leonard Rentmeester
Liam Noailles
Jason L Marshall
Edward P. Cox
Jennifer Richardson
Randy A. Young
Keith Sugg
Brenda S. Anderson
Lisa L Martin
Marvin Briggs
Robert Hirchak
Lisa C Rosintoski
Nickesha P Carrol
Brenda L Powell
Louis S. Slade
Walter Yeager
Terri F Benoit
Pulin Shah
Kevin Querry
Richard L. Montgomery
Thomas Washburn
Silvia P. Mitchell
Cathy Bretz
Jessica L Klinghoffer
Paul Shipps
Eric Ruskamp
Brad Packer
Brad Jones
Daniel Prowse
Dennis Kimm
William Palazzo
Matthew Schull
Joseph O'Brien
David Ried
Claston Augustus Sunanon
Scott L Smith
Carol Ballantine
Mark A Heimbach
John T Sturgeon
Peter Dolan
Hugh A. Owen
Diane Enderby
Steven J Hulet
Michael Brown
Dennis Sismaet
Trudy S. Novak
William T Moojen
Lujuanna Medina
John J. Ciza
Michael C Hill
Benjamin F Smith II
Negative
Affirmative
Affirmative
Affirmative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Abstain
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Abstain
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Abstain
Negative
Affirmative
6
6
6
6
8
8
8
8
8
8
8
8
9
9
9
9
10
10
10
10
10
10
10
10
Tennessee Valley Authority
Westar Energy
Western Area Power Administration - UGP
Marketing
Xcel Energy, Inc.
JDRJC Associates
Pacific Northwest Generating Cooperative
Power Energy Group LLC
Utility Services, Inc.
Volkmann Consulting, Inc.
California Energy Commission
Commonwealth of Massachusetts Department
of Public Utilities
National Association of Regulatory Utility
Commissioners
New York State Department of Public Service
Midwest Reliability Organization
New York State Reliability Council
Northeast Power Coordinating Council
ReliabilityFirst Corporation
SERC Reliability Corporation
Southwest Power Pool RE
Texas Reliability Entity, Inc.
Western Electricity Coordinating Council
Marjorie S. Parsons
Grant L Wilkerson
Affirmative
Negative
Peter H Kinney
Affirmative
David F Lemmons
Edward C Stein
Roger C Zaklukiewicz
James A Maenner
Jim Cyrulewski
Margaret Ryan
Peggy Abbadini
Brian Evans-Mongeon
Terry Volkmann
William M Chamberlain
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Donald Nelson
Negative
Diane J. Barney
Affirmative
Thomas G. Dvorsky
James D Burley
Alan Adamson
Guy V. Zito
Anthony E Jablonski
Carter B. Edge
Emily Pennel
Donald G Jones
Steven L. Rueckert
Affirmative
404.446.2560 voice : 404.446.2595 fax
Atlanta Office: 3353 Peachtree Road, N.E. : Suite 600, North Tower : Atlanta, GA 30326
Washington Office: 1325 G Street, N.W. : Suite 600 : Washington, DC 20005-3801
Copyright © 2012 by the North American Electric Reliability Corporation. : All rights reserved.
A New Jersey Nonprofit Corporation
Negative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Non-binding Poll Results
Project 2009-01
Non-binding Poll Results
Non-binding Poll Name: Project 2009-01 Non-binding Poll DSR
Poll Period: 10/24/2012 - 11/5/2012
Total # Opinions: 311
Total Ballot Pool: 394
Summary Results: 78.93% of those who registered to participate provided an opinion or an abstention; 71.04% of those who provided an opinion indicated support for the VRFs and VSLs.
Individual Ballot Pool Results
Segment
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Organization
Member
Ameren Services
Kirit Shah
American Electric Power
Paul B. Johnson
American Transmission Company, LLC
Andrew Z Pusztai
Arizona Public Service Co.
Robert Smith
Associated Electric Cooperative, Inc.
John Bussman
Avista Corp.
Scott J Kinney
Balancing Authority of Northern California
Kevin Smith
Baltimore Gas & Electric Company
Gregory S Miller
BC Hydro and Power Authority
Patricia Robertson
Beaches Energy Services
Joseph S Stonecipher
Black Hills Corp
Eric Egge
Bonneville Power Administration
Donald S. Watkins
Brazos Electric Power Cooperative, Inc. Tony Kroskey
CenterPoint Energy Houston Electric, LLC John Brockhan
Central Maine Power Company
Joseph Turano Jr.
City of Tacoma, Department of Public Utilities, Light Division, dba Tacoma Power
Chang G Choi
Clark Public Utilities
Jack Stamper
Colorado Springs Utilities
Paul Morland
Consolidated Edison Co. of New York
Christopher L de Graffenried
CPS Energy
Richard Castrejana
Dairyland Power Coop.
Robert W. Roddy
Dayton Power & Light Co.
Hertzel Shamash
Deseret Power
James Tucker
Dominion Virginia Power
Michael S Crowley
Duke Energy Carolina
Douglas E. Hils
East Kentucky Power Coop.
George S. Carruba
Empire District Electric Co.
Ralph F Meyer
Non-binding Poll Project 2009-01
Opinions
Comments
Abstain
Abstain
Affirmative
Affirmative
Affirmative
Abstain
Abstain
Negative
Affirmative
Negative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Abstain
Negative
Negative
Affirmative
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Entergy Services, Inc.
FirstEnergy Corp.
Florida Keys Electric Cooperative Assoc.
Florida Power & Light Co.
Gainesville Regional Utilities
Georgia Transmission Corporation
Grand River Dam Authority
Great River Energy
Hoosier Energy Rural Electric
Cooperative, Inc.
Hydro One Networks, Inc.
Hydro-Quebec TransEnergie
Idaho Power Company
Imperial Irrigation District
International Transmission Company
Holdings Corp
JEA
Kansas City Power & Light Co.
Keys Energy Services
Lakeland Electric
Lee County Electric Cooperative
Lincoln Electric System
Los Angeles Department of Water &
Power
Lower Colorado River Authority
Manitoba Hydro
MEAG Power
MidAmerican Energy Co.
Minnkota Power Coop. Inc.
National Grid
Nebraska Public Power District
New Brunswick Power Transmission
Corporation
New York Power Authority
New York State Electric & Gas Corp.
Northeast Utilities
Northern Indiana Public Service Co.
NorthWestern Energy
Ohio Valley Electric Corp.
Oklahoma Gas and Electric Co.
Omaha Public Power District
Oncor Electric Delivery
Orlando Utilities Commission
PacifiCorp
PECO Energy
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
Edward J Davis
William J Smith
Dennis Minton
Mike O'Neil
Luther E. Fair
Jason Snodgrass
James M Stafford
Gordon Pietsch
Bob Solomon
Ajay Garg
Bernard Pelletier
Ronald D. Schellberg
Tino Zaragoza
Michael Moltane
Ted Hobson
Michael Gammon
Stanley T Rzad
Larry E Watt
John W Delucca
Doug Bantam
Affirmative
Negative
Negative
Affirmative
Affirmative
Negative
Negative
Abstain
Affirmative
Abstain
Abstain
Affirmative
Affirmative
Affirmative
Affirmative
Affirmative
Ly M Le
Martyn Turner
Joe D Petaski
Danny Dees
Terry Harbour
Richard Burt
Saurabh Saksena
Cole C Brodine
Affirmative
Negative
Affirmative
Affirmative
Affirmative
Affirmative
Negative
Randy MacDonald
Abstain
Arnold J. Schuff
Raymond P Kinney
David Boguslawski
Kevin M Largura
John Canavan
Robert Mattey
Marvin E VanBebber
Doug Peterchuck
Brenda Pulis
Brad Chase
Ryan Millard
Ronald Schloendorn
John C. Collins
John T Walker
Larry D Avery
Affirmative
Abstain
Affirmative
Abstain
Negative
Negative
Affirmative
Abstain
Abstain
Abstain
Affirmative
Negative
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
2
2
2
2
2
2
2
2
2
3
3
3
3
3
PPL Electric Utilities Corp.
Progress Energy Carolinas
Public Service Company of New Mexico
Public Service Electric and Gas Co.
Public Utility District No. 1 of Okanogan
County
Puget Sound Energy, Inc.
Rochester Gas and Electric Corp.
Sacramento Municipal Utility District
Salmon River Electric Cooperative
Salt River Project
Santee Cooper
SCE&G
Seattle City Light
Sho-Me Power Electric Cooperative
Sierra Pacific Power Co.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Services, Inc.
Southern Illinois Power Coop.
Southwest Transmission Cooperative,
Inc.
Southwestern Power Administration
Sunflower Electric Power Corporation
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Tucson Electric Power Co.
United Illuminating Co.
Westar Energy
Western Area Power Administration
Xcel Energy, Inc.
Alberta Electric System Operator
Brenda L Truhe
Brett A. Koelsch
Laurie Williams
Kenneth D. Brown
Affirmative
Abstain
Abstain
Abstain
Dale Dunckel
Affirmative
Denise M Lietz
John C. Allen
Tim Kelley
Kathryn J Spence
Robert Kondziolka
Terry L Blackwell
Henry Delk, Jr.
Pawel Krupa
Denise Stevens
Rich Salgo
Long T Duong
Steven Mavis
Robert A. Schaffeld
William Hutchison
Negative
Affirmative
Abstain
Affirmative
Affirmative
Negative
Abstain
Affirmative
Abstain
Affirmative
Negative
Negative
Negative
James Jones
Affirmative
Angela L Summer
Noman Lee Williams
Beth Young
Larry G Akens
Tracy Sliman
John Tolo
Jonathan Appelbaum
Allen Klassen
Brandy A Dunn
Gregory L Pieper
Mark B Thompson
BC Hydro
Venkataramakrishnan Vinnakota
California ISO
Rich Vine
Electric Reliability Council of Texas, Inc. Charles B Manning
Independent Electricity System Operator Barbara Constantinescu
Midwest ISO, Inc.
Marie Knox
New Brunswick System Operator
Alden Briggs
New York Independent System Operator Gregory Campoli
PJM Interconnection, L.L.C.
Tom Bowe
Southwest Power Pool, Inc.
Charles H. Yeung
AEP
Michael E Deloach
Alabama Power Company
Richard J. Mandes
Ameren Services
Mark Peters
Anaheim Public Utilities Dept.
Kelly Nguyen
APS
Steven Norris
Abstain
Affirmative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Abstain
Abstain
Abstain
Affirmative
Affirmative
Abstain
Abstain
Negative
Abstain
Affirmative
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
Arkansas Electric Cooperative
Corporation
BC Hydro and Power Authority
Bonneville Power Administration
Central Lincoln PUD
City of Austin dba Austin Energy
City of Bartow, Florida
City of Clewiston
City of Farmington
City of Garland
City of Green Cove Springs
City of Redding
Clatskanie People's Utility District
Cleco Corporation
Colorado Springs Utilities
ComEd
Consolidated Edison Co. of New York
Constellation Energy
Consumers Energy
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources Services
Duke Energy Carolina
Entergy
FirstEnergy Energy Delivery
Florida Municipal Power Agency
Florida Power Corporation
Georgia Power Company
Georgia Systems Operations Corporation
Grays Harbor PUD
Great River Energy
Gulf Power Company
Hydro One Networks, Inc.
Imperial Irrigation District
JEA
Kansas City Power & Light Co.
Kissimmee Utility Authority
Kootenai Electric Cooperative
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water &
Power
Louisville Gas and Electric Co.
Manitoba Hydro
Manitowoc Public Utilities
MidAmerican Energy Co.
Mississippi Power
Philip Huff
Abstain
Pat G. Harrington
Rebecca Berdahl
Steve Alexanderson
Andrew Gallo
Matt Culverhouse
Lynne Mila
Linda R Jacobson
Ronnie C Hoeinghaus
Gregg R Griffin
Bill Hughes
Brian Fawcett
Michelle A Corley
Charles Morgan
Bruce Krawczyk
Peter T Yost
CJ Ingersoll
Richard Blumenstock
Russell A Noble
Jose Escamilla
Kent Kujala
Michael F. Gildea
Henry Ernst-Jr
Joel T Plessinger
Stephan Kern
Joe McKinney
Lee Schuster
Anthony L Wilson
William N. Phinney
Wesley W Gray
Brian Glover
Paul C Caldwell
David Kiguel
Jesus S. Alcaraz
Garry Baker
Charles Locke
Gregory D Woessner
Dave Kahly
Norman D Harryhill
Jason Fortik
Abstain
Affirmative
Abstain
Affirmative
Daniel D Kurowski
Affirmative
Charles A. Freibert
Greg C. Parent
Thomas E Reed
Thomas C. Mielnik
Jeff Franklin
Negative
Affirmative
Negative
Negative
Affirmative
Affirmative
Abstain
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Abstain
Affirmative
Negative
Affirmative
Negative
Abstain
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Negative
Negative
Abstain
Abstain
Affirmative
Affirmative
Abstain
Abstain
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
4
4
4
4
4
4
4
Modesto Irrigation District
Municipal Electric Authority of Georgia
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
Niagara Mohawk (National Grid
Company)
North Carolina Electric Membership
Corp.
Northern Indiana Public Service Co.
Ocala Electric Utility
Old Dominion Electric Coop.
Orange and Rockland Utilities, Inc.
Orlando Utilities Commission
Owensboro Municipal Utilities
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
PNM Resources
Potomac Electric Power Co.
Progress Energy Carolinas
Public Service Electric and Gas Co.
Public Utility District No. 1 of Clallam
County
Puget Sound Energy, Inc.
Rutherford EMC
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South Carolina Electric & Gas Co.
Southern Maryland Electric Coop.
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
Westar Energy
Xcel Energy, Inc.
Alliant Energy Corp. Services, Inc.
American Municipal Power
Arkansas Electric Cooperative
Corporation
Blue Ridge Power Agency
Central Lincoln PUD
City of Austin dba Austin Energy
City of Clewiston
Jack W Savage
Steven M. Jackson
John S Bos
Tony Eddleman
Marilyn Brown
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Michael Schiavone
Affirmative
Doug White
Affirmative
William SeDoris
David Anderson
Bill Watson
David Burke
Ballard K Mutters
Thomas T Lyons
John H Hagen
Dan Zollner
Terry L Baker
Michael Mertz
Robert Reuter
Sam Waters
Jeffrey Mueller
Affirmative
Affirmative
Affirmative
Abstain
Negative
Affirmative
Abstain
Abstain
Abstain
David Proebstel
Erin Apperson
Thomas M Haire
James Leigh-Kendall
John T. Underhill
James M Poston
Dana Wheelock
James R Frauen
Mark Oens
Hubert C Young
Mark R Jones
Travis Metcalfe
Ronald L Donahey
Ian S Grant
Janelle Marriott
Bo Jones
Michael Ibold
Kenneth Goldsmith
Kevin Koloini
Negative
Affirmative
Abstain
Affirmative
Negative
Abstain
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Negative
Abstain
Affirmative
Negative
Ronnie Frizzell
Duane S Dahlquist
Shamus J Gamache
Reza Ebrahimian
Kevin McCarthy
Affirmative
Abstain
Affirmative
Affirmative
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
City of New Smyrna Beach Utilities Commission
City of Redding
City Utilities of Springfield, Missouri
Consumers Energy
Cowlitz County PUD
Detroit Edison Company
Flathead Electric Cooperative
Florida Municipal Power Agency
Fort Pierce Utilities Authority
Georgia System Operations Corporation
Illinois Municipal Electric Agency
Imperial Irrigation District
Indiana Municipal Power Agency
Integrys Energy Group, Inc.
LaGen
Madison Gas and Electric Co.
Northern California Power Agency
Ohio Edison Company
Public Utility District No. 1 of Douglas County
Public Utility District No. 1 of Snohomish County
Sacramento Municipal Utility District
Seattle City Light
South Mississippi Electric Power Association
Tacoma Public Utilities
Wisconsin Energy Corp.
AEP Service Corp.
AES Corporation
Amerenue
Arizona Public Service Co.
Avista Corp.
BC Hydro and Power Authority
Black Hills Corp
Boise-Kuna Irrigation District/dba Lucky peak power plant project
Bonneville Power Administration
BrightSource Energy, Inc.
Caithness Long Island, LLC
Chelan County Public Utility District #1
City and County of San Francisco
City of Austin dba Austin Energy
City of Redding
City of Tacoma, Department of Public Utilities, Light Division, dba Tacoma Power
Tim Beyrle
Affirmative
Nicholas Zettel
John Allen
David Frank Ronk
Rick Syring
Daniel Herring
Russ Schneider
Frank Gaffney
Thomas Richards
Guy Andrews
Bob C. Thomas
Diana U Torres
Jack Alvey
Christopher Plante
Richard Comeaux
Joseph DePoorter
Tracy R Bibb
Douglas Hohlbaugh
Affirmative
Affirmative
Affirmative
Negative
Negative
Negative
Affirmative
Affirmative
Henry E. LuBean
Affirmative
John D Martinsen
Affirmative
Mike Ramirez
Hao Li
Affirmative
Abstain
Abstain
Abstain
Abstain
Abstain
Abstain
Abstain
Steven McElhaney
Keith Morisette
Anthony Jankowski
Brock Ondayko
Leo Bernier
Sam Dwyer
Edward Cambridge
Edward F. Groce
Clement Ma
George Tatar
Mike D Kukla
Affirmative
Affirmative
Negative
Affirmative
Abstain
Affirmative
Affirmative
Abstain
Affirmative
Abstain
Francis J. Halpin
Chifong Thomas
Jason M Moore
John Yale
Daniel Mason
Jeanie Doty
Paul A. Cummings
Affirmative
Abstain
Affirmative
Affirmative
Max Emrick
Affirmative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
City of Tallahassee
City Water, Light & Power of Springfield
Cleco Power
Cogentrix Energy, Inc.
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Power Source Generation, Inc.
Consumers Energy Company
Cowlitz County PUD
CPS Energy
Detroit Edison Company
Dominion Resources, Inc.
Duke Energy
Dynegy Inc.
E.ON Climate & Renewables North America, LLC
Edison Mission Energy
Electric Power Supply Association
Exelon Nuclear
ExxonMobil Research and Engineering
FirstEnergy Solutions
Florida Municipal Power Agency
Gainesville Regional Utilities
Great River Energy
Green Country Energy
Imperial Irrigation District
Indeck Energy Services, Inc.
JEA
Kissimmee Utility Authority
Lakeland Electric
Liberty Electric Power LLC
Lincoln Electric System
Los Angeles Department of Water & Power
Lower Colorado River Authority
Luminant Generation Company LLC
Manitoba Hydro
Massachusetts Municipal Wholesale Electric Company
MEAG Power
MidAmerican Energy Co.
Muscatine Power & Water
Nebraska Public Power District
New York Power Authority
NextEra Energy
North Carolina Electric Membership Corp.
Brian Horton
Steve Rose
Stephanie Huffman
Mike D Hirst
Jennifer Eckels
Wilket (Jack) Ng
Affirmative
Negative
Negative
Affirmative
Affirmative
Amir Y Hammad
David C Greyerbiehl
Bob Essex
Robert Stevens
Christy Wicke
Mike Garton
Dale Q Goodwine
Dan Roethemeyer
Affirmative
Negative
Affirmative
Negative
Abstain
Negative
Affirmative
Dana Showalter
Ellen Oswald
John R Cashin
Michael Korchynsky
Martin Kaufman
Kenneth Dresner
David Schumann
Karen C Alford
Preston L Walsh
Greg Froehling
Marcela Y Caballero
Rex A Roehl
John J Babik
Mike Blough
James M Howard
Daniel Duff
Dennis Florom
Abstain
Affirmative
Affirmative
Negative
Affirmative
Affirmative
Negative
Abstain
Kenneth Silver
Affirmative
Tom Foreman
Mike Laney
S N Fernando
Abstain
Affirmative
Negative
David Gordon
Abstain
Steven Grego
Christopher Schneider
Mike Avesing
Don Schmit
Gerald Mannarino
Allen D Schriver
Affirmative
Jeffrey S Brame
Affirmative
Affirmative
Negative
Affirmative
Negative
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
6
6
6
6
6
6
6
6
6
6
6
6
6
Northern California Power Agency
Northern Indiana Public Service Co.
Occidental Chemical
Omaha Public Power District
Orlando Utilities Commission
Pacific Gas and Electric Company
PacifiCorp
Platte River Power Authority
Portland General Electric Co.
PowerSouth Energy Cooperative
PPL Generation LLC
Progress Energy Carolinas
PSEG Fossil LLC
Public Utility District No. 1 of Lewis County
Puget Sound Energy, Inc.
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Siemens PTI
Snohomish County PUD No. 1
South Mississippi Electric Power Association
Southern California Edison Co.
Southern Company Generation
Tampa Electric Co.
Tenaska, Inc.
Tennessee Valley Authority
Tri-State G & T Association, Inc.
U.S. Army Corps of Engineers
Vandolah Power Company L.L.C.
Xcel Energy, Inc.
ACES Power Marketing
AEP Marketing
Ameren Energy Marketing Co.
APS
Arkansas Electric Cooperative Corporation
Bonneville Power Administration
City of Austin dba Austin Energy
City of Redding
Cleco Power LLC
Colorado Springs Utilities
Consolidated Edison Co. of New York
Constellation Energy Commodities Group
Dominion Resources, Inc.
Hari Modi
William O. Thompson
Michelle R DAntuono
Mahmood Z. Safi
Richard K Kinas
Richard J. Padilla
Sandra L. Shaffer
Roland Thiel
Gary L Tingley
Tim Hattaway
Annette M Bannon
Wayne Lewis
Tim Kucey
Steven Grega
Tom Flynn
Bethany Hunter
William Alkema
Lewis P Pierce
Michael J. Haynes
Brenda K. Atkins
Edwin Cano
Sam Nietfeld
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Abstain
Abstain
Affirmative
Negative
Affirmative
Abstain
Negative
Affirmative
Abstain
Affirmative
Negative
Abstain
Affirmative
Affirmative
Jerry W Johnson
Denise Yaffe
William D Shultz
RJames Rocha
Scott M. Helyer
David Thompson
Barry Ingold
Melissa Kurtz
Douglas A. Jensen
Liam Noailles
Jason L Marshall
Edward P. Cox
Jennifer Richardson
Randy A. Young
Negative
Negative
Affirmative
Abstain
Abstain
Affirmative
Abstain
Negative
Abstain
Affirmative
Keith Sugg
Brenda S. Anderson
Lisa L Martin
Marvin Briggs
Robert Hirchak
Lisa C Rosintoski
Nickesha P Carrol
Brenda Powell
Louis S. Slade
Affirmative
Affirmative
Affirmative
Negative
Affirmative
Abstain
6
6
6
6
6
6
6
6
6
6
6
6
6
Duke Energy Carolina
Entergy Services, Inc.
Exelon Power Team
FirstEnergy Solutions
Florida Municipal Power Agency
Florida Municipal Power Pool
Florida Power & Light Co.
Imperial Irrigation District
Kansas City Power & Light Co.
Lakeland Electric
Lincoln Electric System
Los Angeles Department of Water & Power
Luminant Energy
Manitoba Hydro
MidAmerican Energy Co.
New York Power Authority
North Carolina Municipal Power Agency #1
Northern Indiana Public Service Co.
Omaha Public Power District
6
Orlando Utilities Commission
6
6
6
6
6
PacifiCorp
Platte River Power Authority
PPL EnergyPlus LLC
Progress Energy
PSEG Energy Resources & Trade LLC
Public Utility District No. 1 of Chelan County
Sacramento Municipal Utility District
Salt River Project
Santee Cooper
Seattle City Light
Seminole Electric Cooperative, Inc.
Snohomish County PUD No. 1
South California Edison Company
Southern Company Generation and Energy Marketing
Tacoma Public Utilities
Tampa Electric Co.
Tennessee Valley Authority
Westar Energy
Western Area Power Administration UGP Marketing
Xcel Energy, Inc.
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
8
8
Walter Yeager
Terri F Benoit
Pulin Shah
Kevin Querry
Richard L. Montgomery
Thomas Washburn
Silvia P. Mitchell
Cathy Bretz
Jessica L Klinghoffer
Paul Shipps
Eric Ruskamp
Abstain
Affirmative
Affirmative
Abstain
Abstain
Abstain
Affirmative
Affirmative
Affirmative
Brad Packer
Brad Jones
Daniel Prowse
Dennis Kimm
William Palazzo
Affirmative
Negative
Negative
Affirmative
Matthew Schull
Affirmative
Joseph O'Brien
David Ried
Claston Augustus Sunanon
Scott L Smith
Carol Ballantine
Mark A Heimbach
John T Sturgeon
Peter Dolan
Affirmative
Affirmative
Abstain
Abstain
Abstain
Hugh A. Owen
Diane Enderby
Steven J Hulet
Michael Brown
Dennis Sismaet
Trudy S. Novak
William T Moojen
Lujuanna Medina
John J. Ciza
Abstain
Affirmative
Negative
Affirmative
Affirmative
Abstain
Negative
Michael C Hill
Benjamin F Smith II
Marjorie S. Parsons
Grant L Wilkerson
Affirmative
Peter H Kinney
Affirmative
David F. Lemmons
Roger C Zaklukiewicz
James A Maenner
Affirmative
Affirmative
Abstain
Negative
8
8
8
8
8
8
9
9
9
10
10
10
10
10
10
10
10
APX
JDRJC Associates
Power Energy Group LLC
Utility Services, Inc.
Volkmann Consulting, Inc.
California Energy Commission
Central Lincoln PUD
Commonwealth of Massachusetts Department of Public Utilities
Midwest Reliability Organization
New York State Reliability Council
Northeast Power Coordinating Council
ReliabilityFirst Corporation
SERC Reliability Corporation
Southwest Power Pool RE
Texas Reliability Entity, Inc.
Western Electricity Coordinating Council
Edward C Stein
Michael Johnson
Jim Cyrulewski
Peggy Abbadini
Brian Evans-Mongeon
Terry Volkmann
William M Chamberlain
Bruce Lovelin
Donald Nelson
James D Burley
Alan Adamson
Guy V. Zito
Anthony E Jablonski
Carter B. Edge
Emily Pennel
Donald G Jones
Steven L. Rueckert
Affirmative
Affirmative
Affirmative
Abstain
Affirmative
Abstain
Negative
Affirmative
Abstain
Negative
Abstain
Abstain
Exhibit G
Standard Drafting Team Roster for NERC Standards Development Project 2009-01
Project 2009-01 Disturbance and Sabotage Reporting
Drafting Team
Name and Title: Brian Evans‐Mongeon – Chair
Company and Address: Utility Services, 25 Crossroad, Suite 201, Waterbury, VT 05676
Contact Info: 802‐552‐4022, Brian.Evans‐Mongeon@utilitysvcs.com
Bio:
Work Experience
Brian organized and created Utility Services in 2007 and has been working with registered entities on NERC related activities since that time. Prior to this, he worked for Vermont Public Power Supply Authority and Green Mountain Power Corporation in power supply, transmission, system operations, and distribution activities. Tasks have included contract negotiations, administration of tariffs and rates, coordination with transmission providers, and reporting of operational and reliability considerations.
NERC and NPCC Specific Activities
While not a registered entity, Utility Services works with the staffs of Registered Entities to ensure compliance and consistency of the standards and requirements. Presently, Utility Services works with 70 Registered Entities with over 150 functional registrations throughout all 8 NERC regions. Within the regions, Utility Services is a Member of NPCC, RFC, FRCC, MRO, and WECC. Brian has served in a number of committees, task forces, and working groups regionally and nationally; including regional standards for Disturbance Monitoring and Under Frequency Load Shedding, Disturbance and Sabotage Reporting, defining the Bulk Electric System, and the NERC CIPC Compliance and Enforcement Input WG (CEIWG)
Education
Brian has an Associates degree in Electric/Electronic Technology from Vermont Technical College and a Bachelors of Science in Business Administration from the University of Vermont.
Name and Title: Joseph DePoorter – Vice‐Chair
Company and Address: Madison Gas and Electric Company, 133 South Blair St., Madison, Wisconsin 53703
Contact Info: 608‐252‐1599, jdepoorter@mge.com
Bio:
Joseph DePoorter is the Director of NERC Compliance and Generation Operations and joined Madison Gas and Electric Company (MGE) in the spring of 2001 after retiring from the United States Marine Corps. Joe started at MGE as a Distribution Operator and became NERC Certified (RA) in January of 2003. Joe then became a System Operator where duties were under the auspices of a Control Area. MGE then started to enter into agreements with the Midwest ISO and Joe assisted the real‐operations component for MGE. In March of 2007, Joe became the Manager of Reliability Compliance, focusing on the upcoming enforceable NERC Standards. Joe has led three on‐site compliance audits (from the MRO), is the Chair of the MRO NERC Standards Review Forum, Chair of the MRO Performance and Risk Oversight Sub‐committee and the Vice Chair of Project 2009‐01.
Name and Title: Michelle Draxton – Security Manager ‐ Generation Corporate Security Operations ‐ Client Services
Company and Address: Exelon Corporation, 300 Exelon Way, Suite 320, Kennett Square, PA 19348
Contact Info: Office: 610.765.6942, Mobile: 410.474.2993, michelle.draxton@exeloncorp.com
Bio:
Michelle Draxton joined the Constellation Energy Group (CEG)/Exelon Corporation in 1991 (CEG merged with the Exelon Corporation in 2012), following a short career in Education. During Michelle’s 21 years with the company, she spent the first ten (10) years of her career working in Project Controls; Project Management and Long Range Scheduling & Cost Control (supporting shutdown safety scheduling); and the Diesel Upgrade Project. She was a Nuclear Security Training Specialist/ Nuclear Supervisor for the Security Access & Fitness Duty Program, ensuring compliance with Nuclear Regulatory Commission (NRC) and Nuclear Energy Institute (NEI) regulations/guidelines. When CE merged with Niagara Mohawk ‐ Nine Mile Point Nuclear Facility and the Rochester Gas Electric ‐ Ginna Nuclear Station, Michelle performed strategic alignment between the three nuclear facilities maintenance‐training program and leadership programs as a Senior Organizational Development and Training Consultant.
Michelle has been with Corporate and Information security for 11 years. In 2007/2008, Michelle led a cross‐functional team to implement the initial NERC Critical Infrastructure Protection (CIP) Cyber Security Governance/Program and the Security Awareness Program for CEG. Michelle currently manages a team of security specialists who ensure compliance with the organization’s policies and procedures, as well as protect the personnel and assets of generation facilities within the U.S. and Canada. Michelle organizes and coordinates investigations involving allegations of criminal matters, fraud, computer crimes, intellectual property and other security issues with her team and develops risk assessments and security plans to ensure compliance with multiple federal regulatory bodies.
Name and Title: Jimmy Hartmann
Company and Address: Electric Reliability Council of Texas (ERCOT), 2705 West Lake Dr., Taylor, Texas 76574
Contact Info: 512‐248‐6986, jhartmann@ercot.com
Bio:
Jimmy Hartmann is currently the Supervisor of System Operations for the Electric Reliability Council of Texas, Inc (ERCOT). Overall, Jimmy has more than thirty years of combined experience in the Energy industry. His experiences include power plant operations, power marketing and system operations. In his twelve years of service to ERCOT, Jimmy has served in many capacities including System Operator, Outage Coordinator and a Shift Supervisor, all of which are responsible for ensuring the reliability of the ERCOT interconnection. Jimmy currently holds certifications as a NERC Reliability Coordinator and as an ERCOT System Operator. Prior to ERCOT, Jimmy was employed at South Texas Electric Cooperative, Inc for five years working as a System Operator, Wholesale Marketing Specialist/Energy Trader and a Lead System Operator responsible for making and carrying through decisions that were required to operate their system during normal and adverse conditions. Prior to STEC, Jimmy was employed at San Miguel Electric Cooperative, Inc working at a 440MW Lignite Fired Power Plant where he also had a multitude of operational responsibilities spanning over a fourteen year period.
Name and Title: Robert D. Canada
Company and Address: North American Electric Reliability Corporation, 3353 Peachtree Rd, Suite 600 North Tower, Atlanta, GA 30326
Contact Info: Office 404‐446‐9709, Cell 770‐608‐5666, bob.canada@nerc.net
Bio:
Bob Canada has been with NERC since October 2011 as a NERC Standards Specialist and is the Critical Infrastructure Protection Committee Secretary. He was with Southern Company for 29 years and served as a Business Assurance Principal focused on systematic approach to operational resiliency and physical security. He worked to coordinate and achieve a consistent corporate security strategy, policy and “all hazards” response for the four operating companies – Georgia Power, Alabama Power, Gulf Power and Mississippi Power.
Canada served twice in a leadership capacity as Chairman for the Edison Electric Institute’s (EEI) Security Committee, which is the electric industry lobbyist in Washington D.C. Here he assisted with strategic work on security issues facing the electric industry such as a response to 9/11 and the many federal guidelines for regulatory agencies.
Canada established the first Georgia Emergency Management Agency liaison on behalf of the Southern Company and Georgia Power with the State of Georgia to coordinate utility response during emergencies and disaster response. He served the Southeastern Reliability Council (SERC) for four years as Chairman of the Critical Infrastructure Protection Committee and presently represents SERC on the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Committee (CIPC) as the physical security representative and voting member.
Other responsibilities included directing the Georgia Power and Southern Company Olympic planning efforts and implementation of physical security surveys and protective countermeasures to ensure the continuity and mitigation of threats to the 1996 Olympic Games. He consulted with Federal, state and local law enforcement agencies to protect the electrical infrastructure in Georgia and Metropolitan Atlanta. Canada served on the Atlanta Committee for the Olympic Games as a corporate security liaison to the utilities in Georgia.
He presently serves as Vice Chair on the NERC CIPC Executive Committee and has served on the Electricity Sector Coordinating Council interfacing on policy level decision making processes with Department of Homeland Security (DHS) and the Department of Energy for initiatives and protective programs such as the Energy Sector’s National Infrastructure Protection Plan. Honors included The Security Executive Council Magazine’s “Most Influential” in the electric utility for 2011.
Name and Title: Brian Harrell, CPP – Critical Infrastructure Department
Company and Address: North American Electric Reliability Corporation, 3353 Peachtree Rd, Suite 600 North Tower, Atlanta, GA 30326
Contact Info: (609) 651‐0671, Brian.Harrell@nerc.net
Bio:
Brian Harrell is the Manager of CIP Standards, Training, and Awareness for NERC. In this capacity he is responsible for managing ERO‐wide critical infrastructure protection standards initiatives and assisting in the development of the overall CIP program strategy.
Harrell has 15 years of experience in the security industry serving in organizations such as law enforcement, the military and corporate security, among others. Most recently, he served as the Manager of Critical Infrastructure Protection for SERC Reliability Corporation, where he oversaw all security‐ and CIP reliability‐related matters for the Region. Prior to joining SERC, Harrell was the Sector Security Specialist for the Infrastructure Security Compliance Division at the U.S. Department of Homeland Security. He specialized in securing high risk critical infrastructures and Continuity of Operations (COOP) for the Department of Homeland Security. Brian also served in the U.S. Marine Corps as an Anti‐Terrorism and Force Protection Instructor.
Harrell has an M.A. from Central Michigan University and a B.A. from Hawaii Pacific University. He is also board certified in security management.
Name and Title: Scott Mix – CIP Technical Manager
Company and Address: North American Electric Reliability Corporation, 1325 G Street NW, Suite 600, Washington, DC 20005
Contact Info: 215‐853‐8204, scott.mix@nerc.net
Bio:
Mr. Scott R. Mix, CISSP, joined NERC in October 2006 following more than 25 years of experience working in various facets of the electricity industry, including as a consultant with KEMA, Inc., Infrastructure Security Manager with the Electric Power Research Institute (EPRI), Senior Security Analyst at the PJM Interconnection, and more than ten years with Leeds & Northrup Co. as a programmer/analyst and systems architect. For more than ten years, he has focused on the areas of Computer and Infrastructure Security for the Electricity Sector. At NERC, he is responsible for Critical Infrastructure Protection issues, primarily as they relate to Real Time and Control System Security, and the development of the revisions to the NERC CIP Standards. He has also been the NERC Staff Facilitator for the Critical Infrastructure Protection Committee (CIPC) and several of its working groups and task forces, and a member of the Electricity Sector Information Sharing and Analysis Center (ES‐ISAC) Staff.
Throughout his career, Mr. Mix has worked closely with numerous industry and government organizations, including NERC's Critical Infrastructure Protection Committee (CIPC) and its working teams, and is the former convener of the Control System Security Working Group, has been an active and vocal observer to the NERC Cyber Security Standards Version 1 Drafting Team (and the NERC 1200 process before that), and is a former member of the OASIS “How” Working Group. He has also worked with the Department of Energy, the Department of Homeland Security, the FBI's National Infrastructure Protection Center, and the Federal Energy Regulatory Commission dealing with specific Electric Sector Security Issues. He has organized and presented at numerous industry symposia, both domestically and internationally. He has been a member and chapter secretary of the Philadelphia Chapter of InfraGard, is a member of the ISA and has participated in the ISA100 standards activities, and is a member of the IEEE as well as its Computer Society, Power Engineering Society, and Standards Association. He is a Certified Information Systems Security Professional (CISSP).
Mr. Mix is a graduate of the Bloomsburg University of Pennsylvania with a Bachelor of Science degree in Computer & Information Science and Chemistry.
Name and Title: Stephen Crutchfield – Standards Development Coordinator
Company and Address: North American Electric Reliability Corporation, 3353 Peachtree Rd, Suite 600 North Tower, Atlanta, GA 30326
Contact Info: 609‐651‐9455, Stephen.crutchfield@nerc.net
Bio:
Stephen Crutchfield is the NERC Staff Coordinator for Project 2009‐01, Disturbance and Sabotage Reporting. Stephen began his career with NERC in May 2007. Prior to joining NERC, Stephen was a Project Manager with Shaw Energy Delivery Services, managing engineering and construction projects in the substation and transmission line fields. Stephen’s background also includes experience with PJM as Manager of RTO Integration, working on the operations and markets integration of new members (AEP, ComEd, Dayton, Dominion and Duquesne) into PJM and southern seams operations issues with Progress Energy, Duke and TVA. Stephen also helped lead the team that was developing GridSouth in the dual roles of Organization Architect and Manager of Customer Support. Prior to GridSouth, Stephen was the Manager of Power System Operations Training at Progress Energy where he spent over 10 years training System Operators and Engineers. Overall, Stephen was with Progress Energy for 16 years.
Stephen received his Bachelor of Arts in Physics from the University of Virginia and Masters of Science in Electrical Engineering from North Carolina State University. Stephen also holds a Master of Science in Management degree, also from North Carolina State University.
File Type | application/pdf |
File Title | Microsoft Word - Petition for Approval of EOP-004-2_FINAL |
Author | heenane |
File Modified | 2012-12-31 |
File Created | 2012-12-31 |